CA2772630C  Methods, systems, and computer readable media for adaptive packet filtering  Google Patents
Publication number: CA2772630C
Authority: CA (Canada)
Legal status: Active
DESCRIPTION
METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR
ADAPTIVE PACKET FILTERING
PRIORITY CLAIM
This application claims the benefit of U.S. Provisional Patent Application Serial No. 61/237,974, filed August 28, 2009 and U.S. Patent Application Serial No. 12/871,806, filed August 30, 2010.
TECHNICAL FIELD
The subject matter described herein relates to network firewall filtering.
More particularly, the subject matter described herein relates to methods, systems, and computer readable media for adaptive packet filtering.
BACKGROUND
A firewall generally processes a packet against a list of ordered rules to find the first rule match. The list of ordered rules represents an aggregate security policy, and arbitrarily changing the order of the rules can result in a violation of the aggregate security policy. The Wake Forest University (WFU) techniques described in U.S. patent application publication nos. 2006/0248580 and 2006/0195896 provide methods to optimally reorder the list while preserving the aggregate security policy, thereby improving the performance of the firewall. The WFU techniques also include methods to break apart rules into functionally independent lists containing (groups of) dependent rules such that a function parallel firewall can simultaneously process one packet against multiple lists, which can substantially improve the performance of the firewall. However, these improvements provided by WFU techniques can be dwarfed by the performance degradation as the number of rules in the list becomes very large.
A key reason for the lack of scalability of most firewall implementations is the common use of linear search algorithms for comparing packets against a list of rules. In the worst case, a packet is matched at the last, Nth rule in the list, so it must also be compared against all N-1 prior rules for a total of N comparisons. This poses a computational resource problem when the size of N is very large on a single processing node (including when such nodes are arranged in a data, function, hierarchical or hybrid-parallel system), where the time required for processing each packet can quickly increase latency and reduce throughput to unacceptable levels. In fact, the WFU techniques provide good results in part because the reordering of, or the reduction in size of, rules on each processing node allows for a larger percentage of the total rules to reside in each processor's cache(s), which then substantially increases their performance relative to when only a small portion of those rules are cached.
The problem of searching firewall rule sets is well understood and highly researched, and there are some published sublinear (substantially faster than linear) search techniques applicable to firewall rules. However, these sublinear techniques generally involve changing the underlying representation of rules. Examples of such an approach might be to use a graph, trie or tree-like structure instead of a list to represent a set of rules, which would allow a match to be determined using tree search algorithms by traversing down the graph, trie or tree (see E. Fulp, Trie-Based Policy Representations for Network Firewalls, Proceedings of the IEEE International Symposium on Computer Communications, 2005 and Al-Shaer et al., Modeling and Management of Firewall Policies, IEEE Transactions on Network and Service Management, 2004). These approaches have potential but can add complexity or limitations that may reduce their practical usefulness in a commercial high performance firewall product.
SUMMARY
Adaptive packet filtering (APF), a set of techniques for processing firewall rules and packets, is described herein. APF offers improved processing performance compared to the WFU techniques in most cases, and can be combined with the WFU techniques or other parallel, pipelining and optimization techniques to achieve even greater performance.
The subject matter described herein includes methods, systems, and computer readable media for adaptive packet filtering. One method includes identifying at least one subset of rules in an ordered set of firewall packet filtering rules that defines a firewall policy such that the subset contains disjoint rules. Disjoint rules are defined as rules whose order can be changed without changing the integrity of the firewall policy. Rules in the subset are sorted to statistically decrease the number of comparisons that will be applied to each packet that a firewall encounters. Packets are filtered at the firewall using the sorted rules in the subset by using binary search, interpolated search, informed search, or hash lookup search algorithms to compare each packet to the sorted rules in the subset until the packet is allowed or denied and ceasing the comparing for the packet in response to the packet being allowed or denied and thereby achieving sublinear searching for packets filtered using the sorted rules in the subset.
The subject matter described herein for adaptive packet filtering can be implemented in a non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps. Exemplary computer readable media suitable for implementing the subject matter described herein include chip memory devices, disk memory devices, programmable logic devices and application specific integrated circuits. In addition, a computer readable medium that implements a subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.
Further, the subject matter described herein for adaptive packet filtering can be implemented on a particular machine, such as a network firewall including one or more network interfaces for receiving packets and packet filtering hardware and software for optimizing rules as described herein and for filtering packets using the optimized arrangement of rules.
According to an aspect, the subject matter described herein includes a method for adaptive packet filtering, the method comprising:
identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups comprising disjoint rules, wherein disjoint rules are defined as rules whose order can be changed without changing an integrity of the firewall policy, wherein each rule comprises n tuples, the n tuples for each rule comprising at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group comprises rules that are disjoint from all other rules in the disjoint rule group wherein each of the rules in the ordered set is classified into a disjoint rule group;
sorting the rules within the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm;
filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied; and
consolidating disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refraining from sorting the rules in the dependent rule groups, wherein filtering the packets includes filtering the packets using the disjoint rule groups and the dependent rule groups.
According to another aspect, the subject matter described herein includes a system for adaptive packet filtering, the system comprising:
a firewall rule subset identifier/rule sorter for identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups containing disjoint rules, where disjoint rules are defined as rules whose order can be changed without changing integrity of the firewall policy, wherein each rule includes n tuples, the n tuples for each rule including at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group contains rules that are disjoint from all other rules in the disjoint rule group and wherein each of the rules in the ordered set of packet filtering rules is classified into a disjoint rule group and for sorting the rules in the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm; and a packet filter for filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied, wherein the firewall rule subset identifier/rule sorter merges disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refrains from sorting the rules in the dependent rule groups and wherein the packet filter filters the packets using the disjoint rule groups and the dependent rule groups, thereby achieving sublinear searching for the disjoint rule groups and achieving linear searching for the dependent rule groups.
According to another aspect, the subject matter described herein includes a non-transitory computer readable medium having stored thereon executable instructions that when implemented by at least one processor of a computer control the computer to perform steps comprising:
identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups containing disjoint rules, where disjoint rules are defined as rules whose order can be changed without changing integrity of the firewall policy, wherein each rule includes n tuples, the n tuples for each rule including at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group contains rules that are disjoint from all other rules in the disjoint rule group wherein each of the rules in the ordered set is classified into a disjoint rule group;
sorting the rules within the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm;
filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied; and
consolidating disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refraining from sorting the rules in the dependent rule groups and wherein filtering the packets includes filtering the packets using the disjoint rule groups and the dependent rule groups, thereby achieving sublinear searching for the disjoint rule groups and achieving linear searching for the dependent rule group.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the subject matter described herein will now be described with reference to the accompanying drawings of which:
Figure 1 is a block diagram of a system for adaptive packet filtering according to an embodiment of the subject matter described herein;
Figure 2 is a block diagram of application of the present subject matter to a pipelined processing approach according to an embodiment of the subject matter described herein;
Figure 3 is a block diagram illustrating application of the present subject matter to a combination of pipelined and data parallel processing approaches according to an embodiment of the subject matter described herein;
Figure 4 is a block diagram illustrating application of the present subject matter to a short-circuiting pipelined processing approach according to an embodiment of the subject matter described herein; and
Figure 5 is a block diagram illustrating application of the present subject matter to a combination of pipelined and function parallel processing approaches according to an embodiment of the subject matter described herein.
DETAILED DESCRIPTION
Methods, systems, and computer readable media for adaptive packet filtering are disclosed. Figure 1 is a block diagram illustrating an exemplary system for adaptive packet filtering according to an embodiment of the subject matter described herein. Referring to Figure 1, a firewall 100 may function at the boundary between an external network and a protected network. Firewall 100 may include one or more network interfaces 102 for receiving packets from the external network. Firewall 100 may also include one or more network interfaces 104 for transmitting allowed packets to the protected network. In one implementation, firewall 100 may filter Internet protocol (IP) packets based on a combination of source and destination addresses in the IP headers of the packets. However, the subject matter described herein is not limited to filtering any particular protocol. Any packet network protocol with parameters for which firewall filtering rules can be defined is intended to be within the scope of the subject matter described herein.
As used herein, the term "firewall" includes any network security device or system of devices that inspects network traffic data that originates, terminates, or traverses the device system in any capacity and compares that traffic data (headers, payload, raw bits, etc.) to a set of one or more rules, signatures, or conditions, either inline (i.e., in real time) or offline (i.e., capture and replay of the traffic data). The term "firewall" is also intended to include an intrusion detection device that analyzes network traffic in real time or historically to detect the presence of intrusion events in a network. The term "firewall" is also intended to include a deep packet inspection device that analyzes network traffic in real time or historically to detect the presence of certain packet content in a network.
Firewall 100 includes a firewall rule subset identifier/rule sorter 106 for identifying at least one subset of rules in an ordered set of firewall packet filtering rules that defines a firewall policy such that the subset contains disjoint rules, where disjoint rules are defined as rules whose order can be changed without changing the firewall policy. Firewall rule subset identifier/rule sorter 106 may sort the rules in the subset or subsets to statistically decrease the number of comparisons that will be applied to each packet that the firewall encounters. Exemplary methods for grouping and sorting rules will be described below.
Although in the example illustrated in Figure 1 rule subset identifier/rule sorter 106 is illustrated as a component of firewall 100, the subject matter described herein is not limited to such an implementation. Rule subset identifier/rule sorter 106 can be implemented on any computing platform capable of sorting firewall rules using the methods described herein, and the sorted rule set can be provided to firewall 100 through any suitable means, such as communication over a network. In one implementation, rule subset identifier/rule sorter 106 may be implemented on a management platform separate from firewall 100.
Firewall 100 further includes a packet filter 108 for filtering packets at the firewall using the rules in the subset by using binary search, interpolated search, informed search, hash lookup search algorithms, or other sublinear algorithms to compare each packet to each of the sorted rules in the subset until the packet is allowed or denied and ceasing the comparing for the packet in response to the packet being allowed or denied and thereby achieving sublinear searching for the packets filtered using the sorted rules in the subset.
Once the subsets of disjoint rules have been identified by rule subset identifier/rule sorter 106, the rule subsets can be distributed across plural firewall processors in order to improve packet filtering efficiency. Figure 2 is a block diagram illustrating an exemplary pipelined approach where rules in different subsets are distributed across plural firewall processors for processing packets in a pipelined manner. Referring to Figure 2, firewalls 200 and 202 each include separate processors 204 and 206 for executing packet filters 108. In this example, rule subset identifier/rule sorter 106 identifies two rule subsets, subset A 208 and subset B 210. The rules within each subset 208 and 210 are disjoint and sorted to statistically decrease the number of comparisons that will be applied to each packet using the methods described herein. However, the rules in subset B 210 are dependent on the rules in rule subset A 208. Accordingly, rule subset identifier/rule sorter 106 distributes the rules across firewall processors 204 and 206 such that the rules in rule subset A 208 are applied before the rules in rule subset B 210. Because the rules in different subsets are distributed across plural processors in a pipelined manner, packet filtering efficiency is improved over a single-processor approach because the different processors can simultaneously apply rules to different packets. In the example illustrated in Figure 2, packets that pass the filtering of rule subset A 208 are processed by processor 206, which applies rule subset B 210, at the same time that processor 204 applies rule subset A to new incoming packets.
In yet another embodiment, rule subset identifier/rule sorter 106 may distribute the grouped, sorted rules across firewall processors such that a combination of pipelined and data parallel processing techniques are used.
Figure 3 illustrates an example where firewalls 300, 302, 304, and 306 each include separate processors 308, 310, 312, and 314 for applying their respective packet filters. In the illustrated example, rule subset identifier/rule sorter 106 distributes rule subset A 316 to firewall 300, rule subset B 318 to firewalls 302 and 304, and rule subset C 320 to firewall 306. The rules within each subset A, B and C are disjoint. The rules in subset B are dependent upon the rules in subset A. The rules in subset C are dependent upon the rules in subsets A and B.
In operation, packets entering firewall 300 are filtered using rule subset A 316. The packets that are allowed by rule subset A 316 are divided between firewalls 302 and 304 such that the application of the rules in rule subset B to different packets is performed in parallel. This is referred to as a data parallel approach. The packets that pass the filtering by rule subset B 318 are passed to firewall 306 for application of the rules in rule subset C 320.
Accordingly, Figure 3 illustrates an example where the rule subsets that are identified and sorted by rule subset identifier/rule sorter 106 are distributed across the firewall processors for a combination of pipelined and data parallel processing.
In yet another embodiment, the rule subsets that are identified, and within which the rules are sorted, by rule subset identifier/rule sorter 106 may be distributed across firewall processors in a short-circuiting pipelined manner. Figure 4 is an example of short-circuiting pipelined filtering using rule subsets that are identified and sorted by rule subset identifier/rule sorter 106. Referring to Figure 4, a first firewall 400 and a second firewall 402, respectively including processors 404 and 406, filter packets using packet filters 108. In the illustrated example, the packet filter 108 of firewall 400 uses rule subset A 408 and the packet filter 108 of firewall 402 uses rule subset B 410. Rule subsets A and B 408 and 410 may respectively implement different levels of a firewall hierarchy such that packets that pass the filtering by rule subset A 408 are allowed into the protected network. Packets that are identified by rule subset A 408 as requiring further filtering are distributed to rule subset B 410 for that filtering. Thus, rule subset identifier/rule sorter 106 can also be used with short-circuiting pipelined firewall techniques without departing from the scope of the subject matter described herein.
In yet another embodiment, rule subset identifier/rule sorter 106 may distribute the grouped, sorted rules across firewall processors such that a combination of pipelined and function parallel processing techniques are used. Figure 5 illustrates an example where firewalls 500, 502, 504, and 506 each include separate processors 508, 510, 512, and 514 for applying their respective packet filters. In the illustrated example, rule subset identifier/rule sorter 106 distributes rule subset A 516 to firewall 500, rule subset B 518 to firewall 502, rule subset C 520 to firewall 504, and rule subset D 522 to firewall 506. The rules within each subset A, B, C and D are disjoint. The rules in subsets B and C are dependent upon the rules in subset A. The rules in subset D are dependent upon the rules in subsets A, B and C.
In operation, packets entering firewall 500 are filtered using rule subset A 516. The packets that are allowed by rule subset A 516 are copied to both firewalls 502 and 504 such that the application of the rules in rule subsets B 518 and C 520 to the packets is performed in parallel. This is referred to as a function parallel approach. The packets that pass the filtering by rule subsets B 518 and C 520 are passed to firewall 506 for application of the rules in rule subset D 522. Accordingly, Figure 5 illustrates an example where the rule subsets that are identified and sorted by rule subset identifier/rule sorter are distributed across the firewall processors for a combination of pipelined and function parallel processing.
Technique
APF analyzes and orders the list of firewall rules in-place to contain functionally dependent groups, where each group contains a subset of rules that are disjoint, dependent or both, without substantially changing the underlying representation of rules and while preserving the aggregate security policy. APF then uses varying criteria to sort each group containing disjoint rules, then uses sublinear search algorithms when comparing packets against the rules within that group. APF uses linear search algorithms when comparing packets within a group containing dependent rules or when otherwise appropriate. A detailed computational complexity analysis of APF would need to be completed. However, on average, it is hypothesized that only O(log(N)) comparisons would be needed to process a rule list of size N. In the theoretical best case when all rules are disjoint, this translates to about 20 comparisons (instead of 1,000,000) for a list of N = 1,000,000 rules and about 30 comparisons for a list of N = 1,000,000,000 rules. In the worst case when all rules are dependent, APF performs the same as linear search firewall cores. In practice, APF should process a packet against a very large list of rules (N = millions) in the same amount of time that other techniques can process against a very small list (N = hundreds, or thousands). APF does not inherently use parallel techniques; therefore, it can be combined with WFU techniques or other parallel/pipelining techniques to increase performance.
The following table shows preliminary results comparing a single linear search firewall core with a single APF core as the number of rules is increased. PPS is packets per second at maximum throughput with 0 loss; latency is given in microseconds at maximum throughput with 0 loss.

N = # rules     Linear firewall core          APF core
in the core     PPS          Latency (us)     PPS          Latency (us)
1               844,595      12.3             811,688      12.3
10              730,994      11.9             766,871      12.3
100             314,861      13.9             718,391      12.0
1,000           29,357       44.6             683,060      12.0
10,000          930          1,112.4          464,684      12.0
100,000         Fail         Fail             292,740      17.4
1,000,000                                     252,525      14.3
10,000,000                                    132,556      18.6

Detailed Technique
This section describes an exemplary algorithm for implementing the subject matter described herein.
A firewall rule is defined as an n-tuple criteria and an associated action for matching packets. For example, a 5-tuple rule that matches Internet Protocol version 4 (IPv4) packets might consist of 5 IPv4 header fields (source address, source port, destination address, destination port and protocol) and an action (allow, deny), and might specify the rule R1 as:
Rule  Source Addr   Source Port  Dest Addr  Dest Port  Protocol  Action
R1    192.168.1.1   12345        10.1.1.1   80         TCP       DENY
A firewall rule set is defined as an ordered list of n rules R1, R2, R3, ..., Rn where the i in Ri is the index of the rule in the list.
Packets that traverse the firewall are checked against each rule in the rule set until the first matching rule is found and its associated action is applied. An example rule set is S1 which contains:
Rule  Source Addr   Source Port  Dest Addr  Dest Port  Protocol  Action
R1    192.168.1.1   12345        10.1.1.1   80         TCP       DENY
R2    192.168.2.2   ANY          10.2.2.2   25         TCP       ALLOW
R3    192.168.3.3   ANY          10.3.3.3   53         UDP       ALLOW
R4    ANY           ANY          10.1.1.1   ANY        ANY       ALLOW
An example TCP packet from source 192.168.4.4 port 54321 to destination 10.1.1.1 port 80 would be checked against but not match R1, R2 and R3; would be checked against and match R4 and be allowed; and, would not be checked against R5 because R4 was the first matching rule.
A firewall security policy is defined as the set of all possible packets that can traverse the firewall along with their specified outcomes as defined by the rule set. Changing the rules in a rule set usually results in a change of its security policy.
Within a rule set, a firewall rule is dependent on another rule if swapping the order of the two rules results in a change in the security policy of the rule set. Otherwise, the two rules are disjoint if swapping the order does not result in a change in the security policy. For example, in rule set S1 above, rules R1 and R4 are dependent because placing R4 ahead of R1 would render R1 ineffective, thereby changing the security policy. Rules R1 and R2 are disjoint because placing R2 ahead of R1 does not change the security policy.
A permutation of a rule set is defined as a new rule set which contains the same rules as the original rule set, but which lists a different ordering of the rules from the original rule set without changing the original security policy.
For example, in the rule set S1 above, swapping the order of the disjoint rules R1 and R2 would result in a permutation rule set S1':
Rule  Source Addr   Source Port  Dest Addr  Dest Port  Protocol  Action
R2    192.168.2.2   ANY          10.2.2.2   25         TCP       ALLOW
R1    192.168.1.1   12345        10.1.1.1   80         TCP       DENY
R3    192.168.3.3   ANY          10.3.3.3   53         UDP       ALLOW
R4    ANY           ANY          10.1.1.1   ANY        ANY       ALLOW
Two rules are spatially disjoint if they are disjoint and their corresponding tuples are either identical or do not overlap. For example, in the rule set S1 above, rules R1 and R2 are disjoint but not spatially disjoint because the source ports 12345 and ANY overlap. However, rules R2 and R3 are both disjoint and spatially disjoint because the source ports ANY and ANY are identical, and the other 4 tuples do not overlap. (Other examples follow.)
A transform function is an algorithm that can be applied to a rule to create a sortable key for that rule, which can then be used to sort the rules by their keys using a key comparison function. For example, the transform function Tfn could concatenate the tuples of a rule into a bit array that is interpreted as a large integer, and a corresponding comparison function Cfn could be a simple integer comparison function. (Other examples follow.)
A rule subset is defined as an ordered grouping of one or more rules within a rule set. For example, in rule set S1 above, the rule subsets might be:
Subset  Rules
T1      R1, R2, R3
A rule group is defined as a rule subset with a group type (dependent, disjoint), transform function, comparison function, and a search algorithm hint (linear, sublinear). The group type can be dependent if the group contains dependent rules, or can be disjoint if the group strictly contains disjoint rules.
For example, the rule set S1 above might contain the following disjoint rule group:
Group  Group Type  Rules       Transform Fn  Comparison Fn  Hint
G1     Disjoint    R1, R2, R3  Tfn           Cfn            Sublinear
A rule set may be partitioned into a list of ordered rule groups such that the security policy of the rule set is not changed when each rule group is decomposed in the listed order. This partitioning is accomplished by applying a rule subset identification method to a given rule set. An example of such a method is:
1. For a given rule set S containing n rules R1,R2,...,Rn:
a. Create a new empty disjoint rule group Gj (initially G1) in S.
b. Place the first ungrouped rule Ri (initially R1) into Gj.
c. For each remaining ungrouped rule Ri in S:
i. If Ri is disjoint from the rules in Gj and placing Ri into Gj does not modify the security policy of S, then place Ri into Gj.
ii. Otherwise, leave Ri ungrouped.
d. If S contains ungrouped rules, then go to step 1.a.
2. The rule set S now contains m disjoint rule groups G1,G2,G3,...,Gm, which together group the n (possibly reordered) rules R1,R2,...,Rn.
Applying the above method to rule set S1 might result in its partitioning into the following list of ordered disjoint rule groups:
Group  Group Type  Rules       Transform Fn  Comparison Fn  Hint
G1     Disjoint    R1, R2, R3                               Linear
G2     Disjoint    R4                                       Linear
G3     Disjoint    R5                                       Linear
Decomposing the disjoint rule groups would give G1,G2,G3 = [R1,R2,R3], [R4], [R5] = R1,R2,R3,R4,R5 = S1.
A partitioned rule set containing disjoint rule groups may then be sorted by applying a transform function to each rule within each disjoint group to derive a sortable key for each rule. Then, the rules may be reordered within their disjoint groups using their sortable keys. The resulting sorted groups may be searched using sublinear searching algorithms. An example of the sorting method is:
1. For each disjoint group Gj in rule set S:
a. For each rule Ri in Gj:
i. Apply Transform Tfn to Ri to derive a sortable key Ki.
b. Sort the rules in Gj using the comparison function Cfn on the sortable keys K.
3. The rule set S now contains m sorted disjoint rule groups G1,G2,G3,...,Gm.
Applying the above method to the partitioned rule set S1 might result in a new, permuted rule set S1' that contains the following list of sorted rule groups, where the ordering of rules within G1 might change from R1,R2,R3 to R3,R1,R2:
Group  Group Type  Rules       Transform Fn  Comparison Fn  Hint
G1     Disjoint    R3, R1, R2  Tfn           Cfn            Sublinear
G2     Disjoint    R4          Tfn           Cfn            Sublinear
G3     Disjoint    R5          Tfn           Cfn            Sublinear
The permuted rule set containing disjoint rule groups may then be consolidated to reduce the number of groups whose rule count is at or below a certain threshold, such as 1 rule, by merging two or more consecutive disjoint groups into a larger dependent group that may be searched using linear searching algorithms. An example of the consolidation method is:
1. For each group Gj in rule set S:
a. If the sum of the number of rules in Gj and its subsequent group Gj+1 is less than or equal to a specified threshold (e.g. 1), then the two groups are merged, their rules are concatenated, and the group type is set to dependent.
2. The rule set S now contains m or fewer rule groups of both dependent and disjoint types.
Applying the above method to the permuted rule set S1' might merge the disjoint group G3 into G2:
Group  Group Type  Rules       Transform Fn  Comparison Fn  Hint
G1     Disjoint    R3, R1, R2  Tfn           Cfn            Sublinear
G2     Dependent   R4, R5      (none)        (none)         Linear
The APF packet filtering method matches packets against a given rule set by sequentially iterating over each of the ordered rule groups and performing the specified sublinear or linear search within each group. An example of a rule filtering method is:
1. For each packet that traverses the firewall:
a. For each group Gj in rule set S:
i. If Gj is a dependent group, then perform linear search within that group until there is a first rule match.
ii. If Gj is a disjoint group:
1. Apply transform T to the packet to derive a lookup key K.
2. Use the comparison function C and sublinear search within the group until there is a first rule match on key K.
iii. If there is a first rule match, then process the packet according to its specified action. Otherwise, continue to the next group Gj+1.
Additional Notes
* The primary purpose of partitioning the rules is to create rule groups that, in aggregate, enable the fastest possible searching of each packet against the rules in the rule set. In most cases, the optimal partitioning should be the grouping of maximal subsets of spatially disjoint rules. However, in some cases where these disjoint groups are small (e.g. fewer than 10 rules), consolidating the disjoint groups into a single larger group containing rules that are ordered using other criteria (such as hit probabilities or hardware cache friendliness) and employing linear or interpolated search algorithms may improve performance. A critical concept is the flexibility to organize the rules within the rule set in different ways that enable the use of the most efficient applicable search algorithm available, taking account of the hardware capabilities; this is the motivation behind the term "adaptive" in Adaptive Packet Filtering.
* Rule sets may be partitioned, sorted and consolidated in place.
* When partitioning a rule set into rule groups, each disjoint group should generally contain the maximal subset of disjoint rules in order to reduce the number of disjoint groups in the rule set.
* When partitioning a rule set into rule groups and/or sorting those groups, the transform and comparison functions may be different for each rule group.
* When partitioning a rule set into rule groups and/or sorting those groups, the algorithms may account for the hit probabilities of each rule and the aggregate hit probabilities of each group.
* When filtering packets, the search performed within any given rule group may employ the fastest available search algorithm applicable to that group, even if it differs from the specified search algorithm hint.
* When filtering packets, a sublinear binary search within a disjoint rule group may account for hit probabilities at each pivot so that each recursion maximizes the probability of a rule match.
* When filtering packets, a constant-time search within a disjoint rule group is possible by defining a hashing function as the transform function such that the hash values for all rules within a group are unique within that group.
Examples
This section provides examples of the following items described in the algorithm in the previous section:
1) Example of the rule breakup
2) Example of transform function
3) Definition of rule representation
4) Difference between sublinear and linear
5) Explanation of disjoint rules
1) Examples of the rule breakup
Define S1 = (R1, R2, R3, R4, R5) and
R1 = from 1.2.3.4 to 3.4.5.6 deny
R2 = from 2.3.4.5 to 4.5.6.7 allow
R3 = from 3.4.5.6 to 5.6.7.8 allow
R4 = from *.*.*.* to 3.4.5.6 allow
R5 = from *.*.*.* to *.*.*.* deny
Then S1' contains 3 groups of disjoint rules:
S1' = (G1, G2, G3)
G1 = (R1, R2, R3)
G2 = (R4)
G3 = (R5)
Or, S1' can contain 2 groups of disjoint and dependent rules:
S1' = (G1, G2)
G1 = (R1, R2, R3), disjoint, sublinear
G2 = (R4, R5), dependent, linear
Or, define S2 = (R1, R2, R3, R4, R5, R6, R7, R8, R9) and
R1 = from 1.2.3.4 to 3.4.5.6 deny
R2 = from 2.3.4.5 to 4.5.6.7 allow
R3 = from 1.2.3.4 to 4.5.6.7 deny
R4 = from 1.*.*.* to *.*.*.* allow
R5 = from 3.4.5.6 to 5.6.7.8 deny
R6 = from 2.*.*.* to *.*.*.* deny
R7 = from *.*.*.* to 3.4.5.6 allow
R8 = from *.*.*.* to 5.6.7.8 allow
R9 = from *.*.*.* to *.*.*.* deny
Then S2' contains 4 groups of "spatially disjoint" rules:
S2' = (G1, G2, G3, G4)
G1 = (R1, R2, R3, R5)
G2 = (R4, R6)
G3 = (R7, R8)
G4 = (R9)
Or, S2' can contain 2 groups of disjoint and dependent rules:
S2' = (G1, G2)
G1 = (R1, R2, R3, R5), disjoint, sublinear
G2 = (R4, R6, R7, R8, R9), dependent, linear
2) Example of transform function
A rule R usually consists of an N-tuple, most basically a 3-tuple such as "from 1.2.3.4 to 3.4.5.6 deny":
* tuple a = source IP address, e.g. "1.2.3.4"
* tuple b = destination IP address, e.g. "3.4.5.6"
* tuple c = action, e.g. "deny"
Each of these tuples has an underlying scalar integer/bit vector representation, so in the above example:
* source IP address = "1.2.3.4" = 32-bit integer 0016909060
* destination IP address = "3.4.5.6" = 32-bit integer 0050595078
* action = "deny" = 8-bit integer 000
One possible transform function is a transform to a scalar key which concatenates the digits of each of the tuples into a large integer value:
* T(a, b, c) = abc
* T(1.2.3.4, 3.4.5.6, deny) = 0016909060 0050595078 000 =
Another possible transform function is a transform to a scalar key which concatenates the bits of each of the tuples into a large integer/bit vector:
* a = 1.2.3.4 = 00000001000000100000001100000100 (32 bits)
* b = 3.4.5.6 = 00000011000001000000010100000110 (32 bits)
* c = 0 = 00000000 (8 bits)
* T(a, b, c) = abc =
Another possible transform function is an identity function (i.e. a transformation function that does not do anything), combined with a multidimensional comparison function for sorting purposes. An example of this is a comparison function that is radix-based for each tuple, which would essentially result in a rule set that is radix sorted by each tuple.
Note that the transform function must convert the rule into a sortable key, which does not necessarily have to be a scalar key (i.e. it can be a multidimensional key that uses a multidimensional comparison function for sorting).
3) Definition of rule representation.
Rule representation is the way a rule and a rule set are conceptually represented in software. The most common representation of a rule is as an Ntuple object or structure that simply holds all the tuples together:
struct rule {
    unsigned char  ip_proto;     /* IP protocol number */
    unsigned int   ip_src_addr;  /* source IPv4 address */
    unsigned int   ip_dst_addr;  /* destination IPv4 address */
    unsigned short ip_src_port;  /* source port */
    unsigned short ip_dst_port;  /* destination port */
    unsigned char  action;       /* e.g. allow or deny */
};
The most common representation of a rule set is an array or linked list that holds the rules in a fixed order and allows for iteration forwards and backwards in the array or list.
Example of array:
memory location  0   1   2   3   4   5   6   7   8
value            R1  R2  R3  R4  R5  R6  R7  R8  R9
Example of linked list:
memory location  0   1   2   3   4   5   6   7   8
value            R1  R9  R2  R8  R3  R5  R4  R6  R7
linked list:
rule  R1  R2  R3  R4  R5  R6  R7  R8  R9
prev  -   0   2   4   6   5   7   8   3
next  2   4   6   5   7   8   3   1   -
An alternate rule representation is to hold the rule and rule set in a trie or other graph structure. An example of this is described in Stephen J. Tarsa and Errin W. Fulp, "Balancing Trie-Based Policy Representations for Network Firewalls," Proceedings of the IEEE International Symposium on Computer Communications, 2006. Another alternate rule set representation is a hierarchical one as described in OPTWALL (Acharya et al., "OPTWALL: A Hierarchical Traffic-Aware Firewall," available at:
http://www.isoc.org/isoc/conferences/ndss/07/papers/OPTWALL.pdf), where rule sets are broken down into mutually exclusive rule subsets which are arranged in a hierarchical order. Despite some similarities in terminology, OPTWALL and APF are different. For example, APF does not change the underlying rule or rule set representation. It simply reorders the rules in place and keeps track of the beginning and ending rules of each subset T externally from the rule or rule set. For example, say that a given rule is a standard structure and the rule set is in array form, so that the rule set contains the following in the computer's memory:
Rule set S:
location  0   1   2   3   4   5   6   7   8
value     R1  R2  R3  R4  R5  R6  R7  R8  R9
Suppose that the above rule set S can be divided into subsets containing disjoint rules:
T1 = R2, R9, R1, R3
T2 = R5, R7
T3 = R2, R4, R8
so that S' = T1, T2, T3 = R2, R9, R1, R3, R5, R7, R2, R4, R8. Then the order of the rules in memory can be changed in place:
Rule set S':
location  0   1   2   3   4   5   6   7   8
value     R2  R9  R1  R3  R5  R7  R2  R4  R8
subset    T1  T1  T1  T1  T2  T2  T3  T3  T3
The memory ranges for T1 (0-3), T2 (4-5) and T3 (6-8) are stored outside of the rule and rule set data structures.
4) Difference between linear and sublinear.
A linear algorithm is one whose computational time increases linearly as the size of the set increases. The best example of this is looking up a word in a dictionary. If the dictionary is unsorted, then the order of the words is arbitrary. Therefore, when looking up the word "zebra," one could start from the beginning and search until the end to find it. If the dictionary contains 1,000 entries, one would need to examine all 1,000 words in the worst case.
A sublinear algorithm is one whose computational time increases sublinearly as the size of the set increases. In the above example, if the dictionary were sorted alphabetically, then one could still use a linear search by starting from the beginning and searching until the end to find "zebra." However, one could also use a sublinear binary search algorithm by looking in the middle of the dictionary, then seeing if the middle entry comes alphabetically before or after (or is equal), then recursively selecting the middle of the appropriate half again and again to find the word "zebra." Since at each recursion 1/2 of the remaining words are eliminated, it would take about log2(1000), or about 10, examinations to find the entry in the worst case.
Another example of a sublinear algorithm is hashing. Suppose that the above dictionary contains only 5-letter words. If we define a hash function that sums the alphabet order of each letter in the word (z = 26, e = 05, b = 02, r = 18, a = 01), then hash("zebra") = 26 + 05 + 02 + 18 + 01 = 52. The computer could have an array containing all the words in the dictionary where each word's position in the array is the hash value of the word (subject to collisions).
In the above example, the array's 52nd position would hold the word "zebra," so it would take only 1 comparison to determine a match when there is no collision. This hash technique can be selectively used in APF.
5) Explanation of disjoint rules.
A rule R1 is "disjoint" from another rule R2 if their positions in the rule set S can be exchanged without altering the overall security policy. An example of this is rule set S containing:
R1 = from 1.*.*.* to 2.3.4.5 deny
R2 = from 1.2.3.4 to 1.2.3.4 allow
which has the same security policy as rule set S' containing:
R2 = from 1.2.3.4 to 1.2.3.4 allow
R1 = from 1.*.*.* to 2.3.4.5 deny
because P = P'; therefore, R1 and R2 are disjoint.
The technique set forth above does not explain the concept of "spatially disjoint" rules. This is important if the transform function T cannot account for overlapping tuple values, which can be very common in practical settings.
A rule R1 is "spatially disjoint" from another rule R2 if they are "disjoint" and their corresponding tuples do not unevenly overlap (each pair must be exactly equal, or not overlap at all). In the above example, R1 and R2 are disjoint but not spatially disjoint because the first tuple of R1 (1.*.*.*) and of R2 (1.2.3.4) are not equal but do overlap, i.e. the value 1.2.3.4 would match the first tuple of both R1 and R2. An example of spatially disjoint rules is:
R3 = from 1.2.3.4 to 3.4.5.6 deny
R4 = from 2.3.4.5 to 3.4.5.6 allow
Here, the first tuple of R3 (1.2.3.4) and the first tuple of R4 (2.3.4.5) do not overlap, the second tuple of R3 (3.4.5.6) and of R4 (3.4.5.6) are equal, and the third tuple of R3 (deny) and of R4 (allow) do not overlap.
The importance of "spatially disjoint" rules depends on the definition of the transform function T, so it may be possible to define T such that rules need not be "spatially disjoint" so long as they are "disjoint".
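The partitioning, sorting, consolidation and filtering methods described above, together with the bit-concatenation transform of example 2) and the disjoint and spatially disjoint tests of example 5), as an added Python example that is not part of the patent. It assumes the 3-tuple rule form of the examples, treats a rule as disjoint from another when no packet can match both with different actions (a sufficient condition chosen here, not the patent's definition), and compares a packet against each rule's address ranges at lookup time; all function names, the rule set S1 and the packets are constructed.

```python
# Added example, not the patent's own code. Rules are 'from SRC to DST ACTION'; '*' octets are wildcards.
def parse_addr(text):  # '1.*.*.*' -> (lo, hi) 32-bit range; '1.2.3.4' -> (n, n)
    lo = hi = 0
    for octet in text.split("."):
        lo = (lo << 8) | (0 if octet == "*" else int(octet))
        hi = (hi << 8) | (0xFF if octet == "*" else int(octet))
    return lo, hi

def parse_rule(name, text):  # text is 'from SRC to DST ACTION'
    _, src, _, dst, action = text.split()
    return {"name": name, "src": parse_addr(src), "dst": parse_addr(dst), "action": action}

def overlap(a, b):  # closed integer ranges (lo, hi) intersect
    return a[0] <= b[1] and b[0] <= a[1]
def disjoint(r1, r2):
    # Swappable (sufficient condition assumed): no packet matches both rules with differing actions.
    return r1["action"] == r2["action"] or not (
        overlap(r1["src"], r2["src"]) and overlap(r1["dst"], r2["dst"]))
def spatially_disjoint(r1, r2):
    # Disjoint, and each address tuple is either identical or non-overlapping.
    return disjoint(r1, r2) and all(
        r1[t] == r2[t] or not overlap(r1[t], r2[t]) for t in ("src", "dst"))

def partition(rules):
    # Greedy subset identification (steps 1.a-1.d): a rule joins the open group only
    # if spatially disjoint from its rules and disjoint from every rule it jumps over.
    ungrouped, groups = list(rules), []
    while ungrouped:
        group, skipped = [ungrouped.pop(0)], []
        for r in ungrouped:
            ok = all(spatially_disjoint(r, g) for g in group) and all(
                disjoint(r, s) for s in skipped)
            (group if ok else skipped).append(r)
        ungrouped = skipped
        groups.append({"type": "disjoint", "rules": group})
    return groups

def transform(rule):  # Tfn: bits of the src and dst lower bounds concatenated
    return (rule["src"][0] << 32) | rule["dst"][0]

def consolidate(groups, threshold):
    # Merge consecutive groups whose combined rule count is at or below the threshold.
    j = 0
    while j + 1 < len(groups):
        merged = groups[j]["rules"] + groups[j + 1]["rules"]
        if len(merged) <= threshold:  # becomes a dependent, linearly searched group
            groups[j:j + 2] = [{"type": "dependent", "rules": merged}]
        else:
            j += 1
    return groups

def compare(pkt, rule):  # 0 = match; -1/+1 = packet below/above the rule's ranges
    for value, (lo, hi) in zip(pkt, (rule["src"], rule["dst"])):
        if not lo <= value <= hi:
            return -1 if value < lo else 1
    return 0

def filter_packet(groups, pkt):
    # APF lookup: first match wins; binary search only inside sorted disjoint groups.
    for g in groups:
        rules = g["rules"]
        if g["type"] == "dependent":  # linear search in the kept order
            hit = next((r for r in rules if compare(pkt, r) == 0), None)
        else:  # sublinear (binary) search on the sorted keys
            hit, lo, hi = None, 0, len(rules) - 1
            while lo <= hi and hit is None:
                mid = (lo + hi) // 2
                c = compare(pkt, rules[mid])
                hit = rules[mid] if c == 0 else None
                lo, hi = (mid + 1, hi) if c > 0 else (lo, mid - 1)
        if hit is not None:
            return hit["action"]
    return None

def build(rule_texts, threshold):
    rules = [parse_rule(f"R{i}", t) for i, t in enumerate(rule_texts, 1)]
    groups = partition(rules)
    for g in groups:  # sorting step: Cfn is integer comparison of the Tfn keys
        g["rules"].sort(key=transform)
    return rules, consolidate(groups, threshold)

S1 = ["from 1.2.3.4 to 3.4.5.6 deny", "from 2.3.4.5 to 4.5.6.7 allow",  # constructed
      "from 3.4.5.6 to 5.6.7.8 allow", "from *.*.*.* to 3.4.5.6 allow",  # input: the
      "from *.*.*.* to *.*.*.* deny"]  # patent's example rule set S1
```

With threshold 2, build(S1, 2) yields the second S1' form of example 1): G1 = (R1, R2, R3) disjoint and G2 = (R4, R5) dependent.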
It will be understood that various details of the presently disclosed subject matter may be changed without departing from the scope of the presently disclosed subject matter. Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation.
Claims (31)
identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups comprising disjoint rules, wherein disjoint rules are defined as rules whose order can be changed without changing an integrity of the firewall policy, wherein each rule comprises n tuples, the n tuples for each rule comprising at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group comprises rules that are disjoint from all other rules in the disjoint rule group wherein each of the rules in the ordered set is classified into a disjoint rule group;
sorting the rules within the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm;
filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied; and consolidating disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refraining from sorting the rules in the dependent rule groups, wherein filtering the packets includes filtering the packets using the disjoint rule groups and the dependent rule groups.
wherein two rules are spatially disjoint if the two rules are disjoint and the two rules have corresponding tuples that are either identical or do not overlap;
and wherein sorting the rules includes sorting the rules within spatially disjoint groupings.
(a) creating an empty disjoint rule group and placing a first ungrouped rule in the ordered set into the empty disjoint rule group; and (b) for each ungrouped rule in the ordered set:
(i) placing the ungrouped rule in the disjoint rule group if the rule is disjoint from all rules in the disjoint rule group; and (ii) leaving the ungrouped rule ungrouped if the rule is not disjoint from all of the rules in the disjoint rule group and repeating steps (a) and (b) until all rules in the ordered set of packet filtering rules are grouped into disjoint rule groups.
a firewall rule subset identifier/rule sorter for identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups containing disjoint rules, where disjoint rules are defined as rules whose order can be changed without changing integrity of the firewall policy, wherein each rule includes n tuples, the n tuples for each rule including at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group contains rules that are disjoint from all other rules in the disjoint rule group and wherein each of the rules in the ordered set of packet filtering rules is classified into a disjoint rule group and for sorting the rules in the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm; and a packet filter for filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied, wherein the firewall rule subset identifier/rule sorter merges disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refrains from sorting the rules in the dependent rule groups and wherein the packet filter filters the packets using the disjoint rule groups and the dependent rule groups, thereby achieving sublinear searching for the disjoint rule groups and achieving linear searching for the dependent rule groups.
wherein two rules are spatially disjoint if the two rules are disjoint and the two rules have corresponding tuples that are either identical or do not overlap;
and wherein sorting the rules in the disjoint rule groups further comprises sorting the rules within spatially disjoint groupings.
(a) creating an empty disjoint rule group and placing a first ungrouped rule in the ordered set into the empty disjoint rule group; and (b) for each ungrouped rule in the ordered set:
(i) placing the ungrouped rule in the disjoint rule group if the rule is disjoint from all rules in the disjoint rule group; and (ii) leaving the ungrouped rule ungrouped if the rule is not disjoint from all of the rules in the disjoint rule group and repeating steps (a) and (b) until all rules in the ordered set of packet filtering rules are grouped into disjoint rule groups.
identifying, from rules in an ordered set of firewall packet filtering rules that defines a firewall policy, disjoint rule groups containing disjoint rules, where disjoint rules are defined as rules whose order can be changed without changing integrity of the firewall policy, wherein each rule includes n tuples, the n tuples for each rule including at least a first tuple comprising an entire source address, a second tuple comprising an entire destination address, and a third tuple comprising an action, wherein each disjoint rule group contains rules that are disjoint from all other rules in the disjoint rule group wherein each of the rules in the ordered set is classified into a disjoint rule group;
sorting the rules within the disjoint rule groups using a comparison function that considers, for each sort of each rule, an aggregate of the n tuples and an entirety of each of the n tuples in each rule being sorted so that the rules can be searched using a sublinear search algorithm;
filtering packets at a firewall using sorted rules in the disjoint rule groups by searching the sorted rules in the disjoint rule groups using the sublinear search algorithm that uses the comparison function until each packet is allowed or denied and ceasing the searching in response to each packet being allowed or denied; and consolidating disjoint rule groups having less than a threshold number of rules to form dependent rule groups and refraining from sorting the rules in the dependent rule groups and wherein filtering the packets includes filtering the packets using the disjoint rule groups and the dependent rule groups, thereby achieving sublinear searching for the disjoint rule groups and achieving linear searching for the dependent rule group.
Priority Applications (3)
Application Number  Priority Date  Filing Date  Title 

US12/871,806 US8495725B2 (en)  20090828  20100830  Methods, systems, and computer readable media for adaptive packet filtering 
US12/871,806  20100830  
PCT/US2010/054520 WO2011038420A2 (en)  20090828  20101028  Methods, systems, and computer readable media for adaptive packet filtering 
Publications (2)
Publication Number  Publication Date 

CA2772630A1 CA2772630A1 (en)  20110331 
CA2772630C true CA2772630C (en)  20190430 
Family
ID=45936539
Family Applications (1)
Application Number  Title  Priority Date  Filing Date 

CA2772630A Active CA2772630C (en)  20090828  20101028  Methods, systems, and computer readable media for adaptive packet filtering 
Country Status (1)
Country  Link 

CA (1)  CA2772630C (en) 

2010
 20101028 CA CA2772630A patent/CA2772630C/en active Active
Also Published As
Publication number  Publication date 

CA2772630A1 (en)  20110331 
Similar Documents
Publication  Publication Date  Title 

AU2001247735B2 (en)  Methods and apparatus for heuristic firewall  
US7136926B1 (en)  Method and apparatus for highspeed network rule processing  
US9596222B2 (en)  Method and apparatus encoding a rule for a lookup request in a processor  
US8886680B2 (en)  Deterministic finite automata graph traversal with nodal bit mapping  
BremlerBarr et al.  Spaceefficient TCAMbased classification using gray coding  
US7673041B2 (en)  Method to perform exact string match in the data plane of a network processor  
US7305708B2 (en)  Methods and systems for intrusion detection  
US7054315B2 (en)  Efficiency masked matching  
US8037517B2 (en)  Method, systems, and computer program products for implementing functionparallel network firewall  
JP2007533207A (en)  Apparatus and method for twostage packet classification using most specific filter matching and transport level sharing  
Ficara et al.  An improved DFA for fast regular expression matching  
US7881291B2 (en)  Packet classification acceleration using spectral analysis  
EP1897324B1 (en)  Multipattern packet content inspection mechanisms employing tagged values  
EP1515501B1 (en)  Data structure for rangespecified algorithms  
Kumar et al.  Advanced algorithms for fast and scalable deep packet inspection  
US7389377B2 (en)  Access control list processor  
EP2486704B1 (en)  Configurable frame processing pipeline in a packet switch  
US7386525B2 (en)  Data packet filtering  
US20070022479A1 (en)  Network interface and firewall device  
Lin et al.  Using string matching for deep packet inspection  
Hua et al.  Variablestride multipattern matching for scalable deep packet inspection  
US7474653B2 (en)  Decision cache using multikey lookup  
Yu et al.  Fast and memoryefficient regular expression matching for deep packet inspection  
US7831607B2 (en)  Interval symbol architecture for programmable intelligent search memory  
US7408932B2 (en)  Method and apparatus for twostage packet classification using most specific filter matching and transport level sharing 
Legal Events
Date  Code  Title  Description 

EEER  Examination request 
Effective date: 20151009 