From a6e8842c428da924c1f34baa4e1d9ed1678ee7e5 Mon Sep 17 00:00:00 2001
From: ssup2 <supsup5642@gmail.com>
Date: Sun, 15 Nov 2020 13:02:45 +0000
Subject: [PATCH] Reborn to network-node-manager

---
 README.md                                     |  74 +--
 controllers/rule_common.go                    | 116 ++++
 controllers/rule_drop_invalid_input.go        | 108 ++++
 controllers/rule_external_cluster.go          | 465 +++++++++++++++
 controllers/service_controller.go             | 557 ++++--------------
 ....yml => network-node-manager_iptables.yml} |   0
 deploy/network-node-manager_ipvs.yml          |  97 +++
 img/network-node-manager.pptx                 | Bin 0 -> 50608 bytes
 img/network-node-manager_Architecture.PNG     | Bin 0 -> 22437 bytes
 .../connection_reset_issue_pod_out_cluster.md |  27 +
 ...xternal_IP_access_issue_IPVS_proxy_mode.md |  52 ++
 main.go                                       |   3 +
 pkg/configs/configs.go                        |  43 +-
 pkg/configs/configs_test.go                   |  26 +
 pkg/iptables/iptables.go                      |  12 +
 15 files changed, 1099 insertions(+), 481 deletions(-)
 create mode 100644 controllers/rule_common.go
 create mode 100644 controllers/rule_drop_invalid_input.go
 create mode 100644 controllers/rule_external_cluster.go
 rename deploy/{network-node-manager.yml => network-node-manager_iptables.yml} (100%)
 create mode 100644 deploy/network-node-manager_ipvs.yml
 create mode 100644 img/network-node-manager.pptx
 create mode 100644 img/network-node-manager_Architecture.PNG
 create mode 100644 issues/connection_reset_issue_pod_out_cluster.md
 create mode 100644 issues/external_IP_access_issue_IPVS_proxy_mode.md

diff --git a/README.md b/README.md
index 0a0a212..921b937 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,9 @@
 # Network Node Manager
 
-network-node-manager is the kubernetes controller that solves External-IP (Load Balancer IP) issue with IPVS proxy mode. IPVS proxy mode has various problems, and one of them is that the External-IP assigned through the LoadBalancer type service with externalTrafficPolicy=Local option cannot access inside the cluster. More details on this issue can be found at [here](https://github.com/kubernetes/kubernetes/issues/75262). network-node-manager solves this issue. network-node-manager is based on [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).
+network-node-manager is a kubernetes controller that controls the network configuration of a node to resolve network issues of kubernetes. By simply deploying and configuring network-node-manager, you can solve kubernetes network issues that cannot be resolved by kubernetes or resolved by the higher kubernetes Version. Below is a list of kubernetes's issues to be resolved by network-node-manager. network-node-manager is based on [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).
+
+* [External-IP access issue with IPVS proxy mode](issues/external_IP_access_issue_IPVS_proxy_mode.md)
+* [Connection reset issue between pod and out of cluster](issues/connection_reset_issue_pod_out_cluster.md)
 
 ## Deploy
 
@@ -9,55 +12,56 @@ network-node-manager now supports below CPU architectures.
 * amd64
 * arm64
 
-Deploy network-node-managers through below command.
+Deploy network-node-managers through below command according to kube-proxy mode.
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/kakao/network-node-manager/master/deploy/network-node-manager.yml
+iptables proxy mode : kubectl apply -f https://raw.githubusercontent.com/kakao/network-node-manager/master/deploy/network-node-manager_iptables.yml
+IPVS proxy mode     : kubectl apply -f https://raw.githubusercontent.com/kakao/network-node-manager/master/deploy/network-node-manager_ipvs.yml
 ```
 
 ## Configuration
 
-### IPv6
+### Network Stack (IPv4, IPv6)
 
-network-node-manager supports IPv6. However, IPv6 is not enabled by default. To use IPv6, set "NET_STACK" environment in the DaemonSet manifests of network-node-manager as follows.
+* Default : "ipv4"
+* iptables proxy mode manifest : "ipv4"
+* IPVS proxy mode manifest : "ipv4"
 
 ```
-...
-env:
-- name: NET_STACK
-  value: ipv4,ipv6
-- name: NODE_NAME
-  valueFrom:
-...
+IPv4      : kubectl -n kube-system set env daemonset/network-node-manager NET_STACK=ipv4
+IPv6      : kubectl -n kube-system set env daemonset/network-node-manager NET_STACK=ipv6
+IPv4,IPv6 : kubectl -n kube-system set env daemonset/network-node-manager NET_STACK=ipv4,ipv6
 ```
 
-## How it works?
+### External-IP to Cluster-IP DNAT Rule
 
-network-node-manager works on all worker nodes and adds the DNAT rules that converts destination IP of a packet from External-IP to Cluster-IP to iptables. network-node-manager adds two DNAT rules for each LoadBalancer type service. One is added to the prerouting chain and the other is added to the output chain. The DNAT rule in the prerouting chain is for the pod that uses pod-only network namespace. On the other hand, The DNAT rule in the output chain is for the pod that uses host network namespace. All DNAT rules only target packets from pods on the host. Below is an example.
+* Related issue : [External-IP access issue with IPVS proxy mode](issues/external_IP_access_issue_IPVS_proxy_mode.md)
+* Default : false
+* iptables proxy mode manifest : false
+* IPVS proxy mode manifest : true
 
 ```
-$ kubectl -n default get service 
-NAME           TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
-lb-service-1   LoadBalancer   10.231.42.164   10.19.20.201   80:31751/TCP,443:30126/TCP   16d
-lb-service-2   LoadBalancer   10.231.2.62     10.19.22.57    80:32352/TCP,443:31549/TCP   16d
-
-$ iptables -nvL -t nat
-...
-Chain NMANAGER_IPVS_LB_OUTPUT (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 KUBE-MARK-MASQ  all  --  *      *       0.0.0.0/0            10.19.20.201         /* default/lb-service-1 */ ADDRTYPE match src-type LOCAL
-    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.19.20.201         /* default/lb-service-1 */ ADDRTYPE match src-type LOCAL to:10.231.42.164
-    2   120 KUBE-MARK-MASQ  all  --  *      *       0.0.0.0/0            10.19.22.57          /* default/lb-service-2 */ ADDRTYPE match src-type LOCAL
-    2   120 DNAT       all  --  *      *       0.0.0.0/0            10.19.22.57          /* default/lb-service-2 */ ADDRTYPE match src-type LOCAL to:10.231.2.62
-
-Chain NMANAGER_IPVS_LB_PREROUTING (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 KUBE-MARK-MASQ  all  --  *      *       10.240.2.128/25      10.19.20.201         /* default/lb-service-1 */
-    0     0 DNAT       all  --  *      *       10.240.2.128/25      10.19.20.201         /* default/lb-service-1 */ to:10.231.42.164
-    1    60 KUBE-MARK-MASQ  all  --  *      *       10.240.2.128/25      10.19.22.57          /* default/lb-service-2 */
-    1    60 DNAT       all  --  *      *       10.240.2.128/25      10.19.22.57          /* default/lb-service-2 */ to:10.231.2.62
-...
+On  : kubectl -n kube-system set env daemonset/network-node-manager RULE_EXTERNAL_CLUSTER=true
+Off : kubectl -n kube-system set env daemonset/network-node-manager RULE_EXTERNAL_CLUSTER=false
+```
+
+### Drop Invalid Packet Rule in INPUT chain
+
+* Related issue : [Connection reset issue between pod and out of cluster](issues/connection_reset_issue_pod_out_cluster.md)
+* Default : true
+* iptables proxy mode manifest : true
+* IPVS proxy mode manifest : true
+
 ```
+On  : kubectl -n kube-system set env daemonset/network-node-manager RULE_DROP_INVALID_INPUT=true
+Off : kubectl -n kube-system set env daemonset/network-node-manager RULE_DROP_INVALID_INPUT=false
+```
+
+## How it works?
+
+![kpexec Architecture](img/network-node-manager_Architecture.PNG)
+
+network-node-manager runs on all kubernetes cluster nodes in host network namespace with network privileges and manage the node network configuration. network-node-manager watches the kubernetes object through kubenetes API server like a general kubernetes controller and manage the node network configuration. Now network-node-manager only watches service object.
 
 ## License
 
diff --git a/controllers/rule_common.go b/controllers/rule_common.go
new file mode 100644
index 0000000..a868815
--- /dev/null
+++ b/controllers/rule_common.go
@@ -0,0 +1,116 @@
+package controllers
+
+import (
+	"github.com/go-logr/logr"
+
+	"github.com/kakao/network-node-manager/pkg/configs"
+	"github.com/kakao/network-node-manager/pkg/iptables"
+)
+
+// Constants
+const (
+	ChainFilterInput   = "INPUT"
+	ChainNATPrerouting = "PREROUTING"
+	ChainNATOutput     = "OUTPUT"
+
+	ChainNATKubeMarkMasq = "KUBE-MARK-MASQ"
+
+	ChainFilterBaseInput   = "NMANAGER_INPUT"
+	ChainNATBasePrerouting = "NMANAGER_PREROUTING"
+	ChainNATBaseOutput     = "NMANAGER_OUTPUT"
+
+	ChainFilterDropInvalidInput       = "NMANAGER_DROP_INVALID_INPUT"
+	ChainNATExternalClusterPrerouting = "NMANAGER_EX_CLUS_PREROUTING"
+	ChainNATExternalClusterOutput     = "NMANAGER_EX_CLUS_OUTPUT"
+)
+
+func initBaseChains(logger logr.Logger) error {
+	// Get network stack config
+	configIPv4Enabled, configIPv6Enabled, err := configs.GetConfigNetStack()
+	if err != nil {
+		return err
+	}
+
+	// IPv4
+	if configIPv4Enabled {
+		// Create base chain in tables
+		out, err := iptables.CreateChainIPv4(iptables.TableFilter, ChainFilterBaseInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv4(iptables.TableNAT, ChainNATBasePrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv4(iptables.TableNAT, ChainNATBaseOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Create jump rule to each chain in tables
+		ruleJumpFilterInput := []string{"-j", ChainFilterBaseInput}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableFilter, ChainFilterInput, "", ruleJumpFilterInput...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpNATPre := []string{"-j", ChainNATBasePrerouting}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATPrerouting, "", ruleJumpNATPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpNATOut := []string{"-j", ChainNATBaseOutput}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATOutput, "", ruleJumpNATOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+	}
+
+	// IPv6
+	if configIPv6Enabled {
+		// Create base chain in nat table
+		out, err := iptables.CreateChainIPv6(iptables.TableFilter, ChainFilterBaseInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv6(iptables.TableNAT, ChainNATBasePrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv6(iptables.TableNAT, ChainNATBaseOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Create jump rule to each chain in nat table
+		ruleJumpFilterInput := []string{"-j", ChainFilterBaseInput}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableFilter, ChainFilterInput, "", ruleJumpFilterInput...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpNATPre := []string{"-j", ChainNATBasePrerouting}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATPrerouting, "", ruleJumpNATPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpNATOut := []string{"-j", ChainNATBaseOutput}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATOutput, "", ruleJumpNATOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/controllers/rule_drop_invalid_input.go b/controllers/rule_drop_invalid_input.go
new file mode 100644
index 0000000..d2d4b21
--- /dev/null
+++ b/controllers/rule_drop_invalid_input.go
@@ -0,0 +1,108 @@
+package controllers
+
+import (
+	"github.com/go-logr/logr"
+
+	"github.com/kakao/network-node-manager/pkg/iptables"
+)
+
+func createRulesDropInvalidInput(logger logr.Logger) error {
+	if err := initBaseChains(logger); err != nil {
+		logger.Error(err, "failed to init base chain for externalIP to clusterIP Rules")
+		return err
+	}
+
+	// IPv4
+	if configIPv4Enabled {
+		// Create chain
+		out, err := iptables.CreateChainIPv4(iptables.TableFilter, ChainFilterDropInvalidInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set drop rule
+		ruleDrop := []string{"-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableFilter, ChainFilterDropInvalidInput, "", ruleDrop...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set jump rule
+		ruleJump := []string{"-j", ChainFilterDropInvalidInput}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableFilter, ChainFilterBaseInput, "", ruleJump...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	// IPv6
+	if configIPv6Enabled {
+		// Create chain
+		out, err := iptables.CreateChainIPv6(iptables.TableFilter, ChainFilterDropInvalidInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set drop rule
+		ruleDrop := []string{"-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableFilter, ChainFilterDropInvalidInput, "", ruleDrop...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set jump rule
+		ruleJump := []string{"-j", ChainFilterDropInvalidInput}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableFilter, ChainFilterBaseInput, "", ruleJump...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func deleteRulesDropInvalidInput(logger logr.Logger) error {
+	// IPv4
+	if configIPv4Enabled {
+		// Delete jump rule
+		ruleJump := []string{"-j", ChainFilterDropInvalidInput}
+		out, err := iptables.DeleteRuleIPv4(iptables.TableFilter, ChainFilterBaseInput, "", ruleJump...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Delete chain
+		out, err = iptables.DeleteChainIPv4(iptables.TableFilter, ChainFilterDropInvalidInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	// IPv6
+	if configIPv6Enabled {
+		// Delete jump rule
+		ruleJump := []string{"-j", ChainFilterDropInvalidInput}
+		out, err := iptables.DeleteRuleIPv6(iptables.TableFilter, ChainFilterBaseInput, "", ruleJump...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Delete chain
+		out, err = iptables.DeleteChainIPv6(iptables.TableFilter, ChainFilterDropInvalidInput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/controllers/rule_external_cluster.go b/controllers/rule_external_cluster.go
new file mode 100644
index 0000000..2c367f8
--- /dev/null
+++ b/controllers/rule_external_cluster.go
@@ -0,0 +1,465 @@
+package controllers
+
+import (
+	"errors"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	"github.com/go-logr/logr"
+	"github.com/kakao/network-node-manager/pkg/ip"
+	"github.com/kakao/network-node-manager/pkg/iptables"
+)
+
+func initRulesExternalCluster(logger logr.Logger) error {
+	if err := initBaseChains(logger); err != nil {
+		logger.Error(err, "failed to init base chain for externalIP to clusterIP Rules")
+		return err
+	}
+
+	// IPv4
+	if configIPv4Enabled {
+		// Create chain in nat table
+		out, err := iptables.CreateChainIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv4(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set jump rule to each chain in nat table
+		ruleJumpPre := []string{"-j", ChainNATExternalClusterPrerouting}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATBasePrerouting, "", ruleJumpPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpOut := []string{"-j", ChainNATExternalClusterOutput}
+		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATBaseOutput, "", ruleJumpOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+	// IPv6
+	if configIPv6Enabled {
+		// Create chain in nat table
+		out, err := iptables.CreateChainIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.CreateChainIPv6(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set jump rule to each chain in nat table
+		ruleJumpPre := []string{"-j", ChainNATExternalClusterPrerouting}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATBasePrerouting, "", ruleJumpPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpOut := []string{"-j", ChainNATExternalClusterOutput}
+		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATBaseOutput, "", ruleJumpOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func destoryRulesExternalCluster(logger logr.Logger) error {
+	// IPv4
+	if configIPv4Enabled {
+		// Delete jump rule to each chain in nat table
+		ruleJumpPre := []string{"-j", ChainNATExternalClusterPrerouting}
+		out, err := iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATBasePrerouting, "", ruleJumpPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpOut := []string{"-j", ChainNATExternalClusterOutput}
+		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATBaseOutput, "", ruleJumpOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Delete chain in nat table
+		out, err = iptables.DeleteChainIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.DeleteChainIPv4(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+	// IPv6
+	if configIPv6Enabled {
+		// Delete jump rule to each chain in nat table
+		ruleJumpPre := []string{"-j", ChainNATExternalClusterPrerouting}
+		out, err := iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATBasePrerouting, "", ruleJumpPre...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleJumpOut := []string{"-j", ChainNATExternalClusterOutput}
+		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATBaseOutput, "", ruleJumpOut...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Delete chain in nat table
+		out, err = iptables.DeleteChainIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		out, err = iptables.DeleteChainIPv6(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func cleanupRulesExternalCluster(logger logr.Logger, svcs *corev1.ServiceList, podCIDRIPv4, podCIDRIPv6 string) error {
+	// IPv4
+	if configIPv4Enabled {
+		// Make up service map
+		svcMap := make(map[string]*corev1.Service)
+		for _, svc := range svcs.Items {
+			if ip.IsIPv4Addr(svc.Spec.ClusterIP) && svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
+				svcMap[svc.Namespace+"/"+svc.Name] = svc.DeepCopy()
+			}
+		}
+
+		// Cleanup prerouting chain
+		preRules, err := iptables.GetRulesIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			return err
+		}
+		for _, rule := range preRules {
+			// Get service info from rule and k8s, and delete iptables rules
+			nsName, src, dest, jump, dnatDest := getSvcInfoFromRule(rule)
+			svc, ok := svcMap[nsName]
+			if !ok {
+				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup prerouting chain IPv4 rule")
+				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+				continue
+			}
+
+			// Compare service info and delete iptables rules
+			for _, ingress := range svc.Status.LoadBalancer.Ingress {
+				externalIP := ingress.IP + "/32"
+				if (jump == ChainNATKubeMarkMasq && (src == podCIDRIPv4 && dest == externalIP)) ||
+					(jump == "DNAT" && (src == podCIDRIPv4 && dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
+					continue
+				}
+				logger.WithValues("rule", rule).Info("service info is diff. cleanup prerouting chain IPv4 rule")
+				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+			}
+		}
+
+		// Cleanup output chain
+		outRules, err := iptables.GetRulesIPv4(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			return err
+		}
+		for _, rule := range outRules {
+			// Get service info from rule and k8s, and delete iptables rules
+			nsName, _, dest, jump, dnatDest := getSvcInfoFromRule(rule)
+			svc, ok := svcMap[nsName]
+			if !ok {
+				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup output chain IPv4 rule")
+				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+				continue
+			}
+
+			// Compare service info and delete diff iptables rules
+			for _, ingress := range svc.Status.LoadBalancer.Ingress {
+				externalIP := ingress.IP + "/32"
+				if (jump == ChainNATKubeMarkMasq && dest == externalIP) ||
+					(jump == "DNAT" && (dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
+					continue
+				}
+				logger.WithValues("rule", rule).Info("service info is diff. cleanup output chain IPv4 rule")
+				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+			}
+		}
+	}
+	// IPv6
+	if configIPv6Enabled {
+		// Make up service map
+		svcMap := make(map[string]*corev1.Service)
+		for _, svc := range svcs.Items {
+			if ip.IsIPv6Addr(svc.Spec.ClusterIP) && svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
+				svcMap[svc.Namespace+"/"+svc.Name] = svc.DeepCopy()
+			}
+		}
+
+		// Cleanup prerouting chain
+		preRules, err := iptables.GetRulesIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting)
+		if err != nil {
+			return err
+		}
+		for _, rule := range preRules {
+			// Get service info from rule and k8s, and delete iptables rules
+			nsName, src, dest, jump, dnatDest := getSvcInfoFromRule(rule)
+			svc, ok := svcMap[nsName]
+			if !ok {
+				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup prerouting chain IPv6 rule")
+				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+				continue
+			}
+
+			// Compare service info and delete iptables rules
+			for _, ingress := range svc.Status.LoadBalancer.Ingress {
+				externalIP := ingress.IP + "/128"
+				if (jump == ChainNATKubeMarkMasq && (src == podCIDRIPv6 && dest == externalIP)) ||
+					(jump == "DNAT" && (src == podCIDRIPv6 && dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
+					continue
+				}
+				logger.WithValues("rule", rule).Info("service info is diff. cleanup prerouting chain IPv6 rule")
+				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+			}
+		}
+
+		// Cleanup output
+		outRules, err := iptables.GetRulesIPv6(iptables.TableNAT, ChainNATExternalClusterOutput)
+		if err != nil {
+			return err
+		}
+		for _, rule := range outRules {
+			// Get service info from rule and k8s, and delete iptables rules
+			nsName, _, dest, jump, dnatDest := getSvcInfoFromRule(rule)
+			svc, ok := svcMap[nsName]
+			if !ok {
+				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup output chain IPv6 rule")
+				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+				continue
+			}
+
+			// Compare service info and delete diff iptables rules
+			for _, ingress := range svc.Status.LoadBalancer.Ingress {
+				externalIP := ingress.IP + "/128"
+				if (jump == ChainNATKubeMarkMasq && dest == externalIP) ||
+					(jump == "DNAT" && (dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
+					continue
+				}
+				logger.WithValues("rule", rule).Info("service info is diff. cleanup output chain IPv6 rule")
+				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
+				if err != nil {
+					logger.Error(err, out)
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func createRulesExternalCluster(logger logr.Logger, req *ctrl.Request, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6 string) error {
+	// Don't use spec.ipFamily to distingush between IPv4 and IPv6 Address
+	// for kubernetes version that dosen't support IPv6 dualstack
+	if configIPv4Enabled && ip.IsIPv4Addr(clusterIP) {
+		// IPv4
+		// Set prerouting
+		rulePreMasq := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err := iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		rulePreDNAT := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set output
+		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	} else if configIPv6Enabled && ip.IsIPv6Addr(clusterIP) {
+		// IPv6
+		// Set prerouting
+		rulePreMasq := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err := iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		rulePreDNAT := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Set output
+		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	} else {
+		if ip.IsVaildIP(clusterIP) {
+			logger.WithValues("clusterIP", clusterIP).Error(errors.New("invalid IP"), "invaild IP")
+		}
+	}
+
+	return nil
+}
+
+func deleteRulesExternalCluster(logger logr.Logger, req *ctrl.Request, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6 string) error {
+	// Don't use spec.ipFamily to distingush between IPv4 and IPv6 Address
+	// for kubernetes version that dosen't support IPv6 dualstack
+	if configIPv4Enabled && ip.IsIPv4Addr(clusterIP) {
+		// IPv4
+		// Unset prerouting
+		rulePreMasq := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err := iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		rulePreDNAT := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Unset output
+		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	} else if configIPv6Enabled && ip.IsIPv6Addr(clusterIP) {
+		// IPv6
+		// Unset prerouting
+		rulePreMasq := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err := iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		rulePreDNAT := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATExternalClusterPrerouting, req.String(), rulePreDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+
+		// Unset output
+		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMarkMasq}
+		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutMasq...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
+		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATExternalClusterOutput, req.String(), ruleOutDNAT...)
+		if err != nil {
+			logger.Error(err, out)
+			return err
+		}
+	} else {
+		if ip.IsVaildIP(clusterIP) {
+			logger.WithValues("clusterIP", clusterIP).Error(errors.New("invalid IP"), "invaild IP")
+		}
+	}
+	return nil
+}
+
+func getPodCIDR(cidrs []string) (ipv4CIDR string, ipv6CIDR string) {
+	for _, cidr := range cidrs {
+		addr := strings.Split(cidr, "/")[0]
+		if ip.IsIPv4Addr(addr) {
+			ipv4CIDR = cidr
+		} else if ip.IsIPv6Addr(addr) {
+			ipv6CIDR = cidr
+		}
+	}
+	return
+}
+
+func getSvcInfoFromRule(rule string) (nsName, src, dest, jump, dnatDest string) {
+	nsName = iptables.GetRuleComment(rule)
+	src = iptables.GetRuleSrc(rule)
+	dest = iptables.GetRuleDest(rule)
+	jump = iptables.GetRuleJump(rule)
+	dnatDest = iptables.GetRuleDNATDest(rule)
+	return
+}
diff --git a/controllers/service_controller.go b/controllers/service_controller.go
index 6c4983b..21b0e87 100644
--- a/controllers/service_controller.go
+++ b/controllers/service_controller.go
@@ -18,9 +18,8 @@ package controllers
 
 import (
 	"context"
-	"errors"
 	"os"
-	"strings"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
@@ -31,8 +30,6 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/kakao/network-node-manager/pkg/configs"
-	"github.com/kakao/network-node-manager/pkg/ip"
-	"github.com/kakao/network-node-manager/pkg/iptables"
 )
 
 // ServiceReconciler reconciles a Service object
@@ -42,22 +39,15 @@ type ServiceReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// Constants
-const (
-	ChainNATPrerouting     = "PREROUTING"
-	ChainNATOutput         = "OUTPUT"
-	ChainNATKubeMasquerade = "KUBE-MARK-MASQ"
-
-	ChainNATIPVSLBPrerouting = "NMANAGER_IPVS_LB_PREROUTING"
-	ChainNATIPVSLBOutput     = "NMANAGER_IPVS_LB_OUTPUT"
-)
-
 // Variables
 var (
 	configNodeName    string
 	configIPv4Enabled bool
 	configIPv6Enabled bool
 
+	configRuleExternalCluster  bool
+	configRuleDropInvalidInput bool
+
 	initFlag    = false
 	podCIDRIPv4 string
 	podCIDRIPv6 string
@@ -91,478 +81,157 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			logger.Error(err, "config error")
 			os.Exit(1)
 		}
-		logger.WithValues("node name", configNodeName).Info("config node name")
 		configIPv4Enabled, configIPv6Enabled, err = configs.GetConfigNetStack()
 		if err != nil {
 			logger.Error(err, "config error")
 			os.Exit(1)
 		}
-		logger.WithValues("IPv4", configIPv4Enabled).WithValues("IPv6", configIPv6Enabled).Info("config network stack")
-
-		// Get nodes's pod CIDR
-		node := &corev1.Node{}
-		if err := r.Client.Get(ctx, types.NamespacedName{Name: configNodeName}, node); err != nil {
-			logger.Error(err, "failed to get the pod's node info from API server")
-			os.Exit(1)
-		}
-		podCIDRIPv4, podCIDRIPv6 = getPodCIDR(node.Spec.PodCIDRs)
-		logger.WithValues("pod CIDR IPV4", podCIDRIPv4).WithValues("pod CIDR IPv6", podCIDRIPv6).Info("pod CIDR")
-
-		// Init iptables
-		if err := initIptables(logger); err != nil {
-			logger.Error(err, "failed to init iptables")
-			os.Exit(1)
-		}
-
-		// Get all services
-		svcs := &corev1.ServiceList{}
-		if err := r.Client.List(ctx, svcs, client.InNamespace("")); err != nil {
-			logger.Error(err, "failed to get all services from API server")
+		configRuleExternalCluster, err = configs.GetConfigRuleExternalCluster()
+		if err != nil {
+			logger.Error(err, "config error")
 			os.Exit(1)
 		}
-
-		// Cleanup iptables for deleted services
-		if err := cleanupIptables(logger, svcs, podCIDRIPv4, podCIDRIPv6); err != nil {
-			logger.Error(err, "failed to cleanup iptables")
+		configRuleDropInvalidInput, err = configs.GetConfigRuleDropInvalidInput()
+		if err != nil {
+			logger.Error(err, "config error")
 			os.Exit(1)
 		}
-	}
 
-	// Get service info
-	svc := &corev1.Service{}
-	if err := r.Client.Get(ctx, req.NamespacedName, svc); err != nil {
-		if apierror.IsNotFound(err) {
-			// Not found service means that the service is removed.
-			// Delete iptables rules by using cache
-
-			// Get service from cache
-			oldSvc, exist := serviceCache[req]
-			if !exist {
-				// If there is no service info in cache, skip it
-				return ctrl.Result{}, nil
-			}
-
-			// Delete iptables rules
-			for _, oldIngress := range oldSvc.Status.LoadBalancer.Ingress {
-				oldClusterIP := oldSvc.Spec.ClusterIP
-				oldExternalIP := oldIngress.IP
-
-				// Delete iptables rules
-				logger.WithValues("externalIP", oldExternalIP).Info("delete iptables rules")
-				if err := deleteIptablesRules(logger, &req, oldClusterIP, oldExternalIP, podCIDRIPv4, podCIDRIPv6); err != nil {
-					return ctrl.Result{}, err
-				}
+		logger.WithValues("node name", configNodeName).Info("config node name")
+		logger.WithValues("IPv4", configIPv4Enabled).WithValues("IPv6", configIPv6Enabled).Info("config network stack")
+		logger.WithValues("flag", configRuleExternalCluster).Info("config rule externalIP to clusterIP")
+		logger.WithValues("flag", configRuleDropInvalidInput).Info("config rule drop invalid in input chain")
+
+		// Run rules first
+		if configRuleDropInvalidInput {
+			if err := createRulesDropInvalidInput(logger); err != nil {
+				logger.Error(err, "failed to create rule drop invalid input")
+				os.Exit(1)
 			}
-			return ctrl.Result{}, nil
 		} else {
-			logger.Error(err, "failed to get service info")
-			return ctrl.Result{}, err
-		}
-	}
-
-	// Check service is LoadBalancer type
-	if svc.Spec.Type != corev1.ServiceTypeLoadBalancer {
-		return ctrl.Result{}, nil
-	}
-
-	// Create iptables rules
-	for _, ingress := range svc.Status.LoadBalancer.Ingress {
-		clusterIP := svc.Spec.ClusterIP
-		externalIP := ingress.IP
-
-		// Cache service to use when deleting service
-		serviceCache[req] = *svc.DeepCopy()
-
-		// Create iptables rules
-		logger.WithValues("externalIP", externalIP).Info("create iptables rules")
-		if err := createIptablesRules(logger, &req, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6); err != nil {
-			return ctrl.Result{}, err
-		}
-	}
-
-	return ctrl.Result{}, nil
-}
-
-func (r *ServiceReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	// Set controller manager
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Service{}).
-		Complete(r)
-}
-
-func initIptables(logger logr.Logger) error {
-	logger.Info("create iptables chains")
-
-	// IPv4
-	if configIPv4Enabled {
-		// Create chain in nat table
-		logger.Info("create the IPVS IPv4 chains")
-		out, err := iptables.CreateChainIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		out, err = iptables.CreateChainIPv4(iptables.TableNAT, ChainNATIPVSLBOutput)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-
-		// Set jump rule to each chain in nat table
-		logger.Info("create jump rules for the IPVS IPv4 chains")
-		ruleJumpPre := []string{"-j", ChainNATIPVSLBPrerouting}
-		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATPrerouting, "", ruleJumpPre...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleJumpOut := []string{"-j", ChainNATIPVSLBOutput}
-		out, err = iptables.CreateRuleFirstIPv4(iptables.TableNAT, ChainNATOutput, "", ruleJumpOut...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	}
-	// IPv6
-	if configIPv6Enabled {
-		// Create chain in nat table
-		logger.Info("create the IPVS IPv6 chains")
-		out, err := iptables.CreateChainIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		out, err = iptables.CreateChainIPv6(iptables.TableNAT, ChainNATIPVSLBOutput)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-
-		// Set jump rule to each chain in nat table
-		logger.Info("create jump rules for the IPVS IPv6 chains")
-		ruleJumpPre := []string{"-j", ChainNATIPVSLBPrerouting}
-		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATPrerouting, "", ruleJumpPre...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleJumpOut := []string{"-j", ChainNATIPVSLBOutput}
-		out, err = iptables.CreateRuleFirstIPv6(iptables.TableNAT, ChainNATOutput, "", ruleJumpOut...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	}
-
-	return nil
-}
-
-func cleanupIptables(logger logr.Logger, svcs *corev1.ServiceList, podCIDRIPv4, podCIDRIPv6 string) error {
-	logger.Info("cleanup iptables for deleted services")
-
-	// IPv4
-	if configIPv4Enabled {
-		// Make up service map
-		svcMap := make(map[string]*corev1.Service)
-		for _, svc := range svcs.Items {
-			if ip.IsIPv4Addr(svc.Spec.ClusterIP) && svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
-				svcMap[svc.Namespace+"/"+svc.Name] = svc.DeepCopy()
+			if err := deleteRulesDropInvalidInput(logger); err != nil {
+				logger.Error(err, "failed to delete rule drop invalid input")
+				os.Exit(1)
 			}
 		}
 
-		// Cleanup prerouting chain
-		preRules, err := iptables.GetRulesIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting)
-		if err != nil {
-			return err
-		}
-		for _, rule := range preRules {
-			// Get service info from rule and k8s, and delete iptables rules
-			nsName, src, dest, jump, dnatDest := getSvcInfoFromRule(rule)
-			svc, ok := svcMap[nsName]
-			if !ok {
-				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup prerouting chain IPv4 rule")
-				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				if err != nil {
-					logger.Error(err, out)
+		// Run rules periodically
+		ticker := time.NewTicker(60 * time.Second)
+		go func() {
+			for {
+				<-ticker.C
+				if configRuleDropInvalidInput {
+					if err := createRulesDropInvalidInput(logger); err != nil {
+						logger.Error(err, "failed to cleanup rule drop invalid input")
+					}
 				}
-				continue
 			}
+		}()
 
-			// Compare service info and delete iptables rules
-			for _, ingress := range svc.Status.LoadBalancer.Ingress {
-				externalIP := ingress.IP + "/32"
-				if (jump == ChainNATKubeMasquerade && (src == podCIDRIPv4 && dest == externalIP)) ||
-					(jump == "DNAT" && (src == podCIDRIPv4 && dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
-					continue
-				}
-				logger.WithValues("rule", rule).Info("service info is diff. cleanup prerouting chain IPv4 rule")
-				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				if err != nil {
-					logger.Error(err, out)
-				}
+		if configRuleExternalCluster {
+			// Get nodes's pod CIDR
+			node := &corev1.Node{}
+			if err := r.Client.Get(ctx, types.NamespacedName{Name: configNodeName}, node); err != nil {
+				logger.Error(err, "failed to get the pod's node info from API server")
+				os.Exit(1)
 			}
-		}
+			podCIDRIPv4, podCIDRIPv6 = getPodCIDR(node.Spec.PodCIDRs)
+			logger.WithValues("pod CIDR IPV4", podCIDRIPv4).WithValues("pod CIDR IPv6", podCIDRIPv6).Info("pod CIDR")
 
-		// Cleanup output chain
-		outRules, err := iptables.GetRulesIPv4(iptables.TableNAT, ChainNATIPVSLBOutput)
-		if err != nil {
-			return err
-		}
-		for _, rule := range outRules {
-			// Get service info from rule and k8s, and delete iptables rules
-			nsName, _, dest, jump, dnatDest := getSvcInfoFromRule(rule)
-			svc, ok := svcMap[nsName]
-			if !ok {
-				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup output chain IPv4 rule")
-				iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				continue
+			// Initialize externalIP to clusterIP rules
+			if err := initRulesExternalCluster(logger); err != nil {
+				logger.Error(err, "failed to initalize rule externalIP to clusterIP")
+				os.Exit(1)
 			}
 
-			// Compare service info and delete diff iptables rules
-			for _, ingress := range svc.Status.LoadBalancer.Ingress {
-				externalIP := ingress.IP + "/32"
-				if (jump == ChainNATKubeMasquerade && dest == externalIP) ||
-					(jump == "DNAT" && (dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
-					continue
-				}
-				logger.WithValues("rule", rule).Info("service info is diff. cleanup output chain IPv4 rule")
-				out, err := iptables.DeleteRuleRawIPv4(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				if err != nil {
-					logger.Error(err, out)
-				}
+			// Get all services
+			svcs := &corev1.ServiceList{}
+			if err := r.Client.List(ctx, svcs, client.InNamespace("")); err != nil {
+				logger.Error(err, "failed to get all services from API server")
+				os.Exit(1)
 			}
-		}
-	}
-	// IPv6
-	if configIPv6Enabled {
-		// Make up service map
-		svcMap := make(map[string]*corev1.Service)
-		for _, svc := range svcs.Items {
-			if ip.IsIPv6Addr(svc.Spec.ClusterIP) && svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
-				svcMap[svc.Namespace+"/"+svc.Name] = svc.DeepCopy()
-			}
-		}
 
-		// Cleanup prerouting chain
-		preRules, err := iptables.GetRulesIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting)
-		if err != nil {
-			return err
-		}
-		for _, rule := range preRules {
-			// Get service info from rule and k8s, and delete iptables rules
-			nsName, src, dest, jump, dnatDest := getSvcInfoFromRule(rule)
-			svc, ok := svcMap[nsName]
-			if !ok {
-				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup prerouting chain IPv6 rule")
-				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				if err != nil {
-					logger.Error(err, out)
-				}
-				continue
+			// Cleanup externalIP to clusterIP rules for deleted services
+			if err := cleanupRulesExternalCluster(logger, svcs, podCIDRIPv4, podCIDRIPv6); err != nil {
+				logger.Error(err, "failed to cleanup rule externalIP to clusterIP")
+				os.Exit(1)
 			}
-
-			// Compare service info and delete iptables rules
-			for _, ingress := range svc.Status.LoadBalancer.Ingress {
-				externalIP := ingress.IP + "/128"
-				if (jump == ChainNATKubeMasquerade && (src == podCIDRIPv6 && dest == externalIP)) ||
-					(jump == "DNAT" && (src == podCIDRIPv6 && dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
-					continue
-				}
-				logger.WithValues("rule", rule).Info("service info is diff. cleanup prerouting chain IPv6 rule")
-				out, err := iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				if err != nil {
-					logger.Error(err, out)
-				}
+		} else {
+			// Destroy externalIP to clusterIP rules
+			if err := destoryRulesExternalCluster(logger); err != nil {
+				logger.Error(err, "failed to destroy rule externalIP to clusterIP")
+				os.Exit(1)
 			}
 		}
+	}
 
-		// Cleanup output
-		outRules, err := iptables.GetRulesIPv6(iptables.TableNAT, ChainNATIPVSLBOutput)
-		if err != nil {
-			return err
+	// Loop
+	if configRuleExternalCluster {
+		// In case the iptables chain is deleted, initalize again
+		if err := initRulesExternalCluster(logger); err != nil {
+			logger.Error(err, "failed to initalize rule externalIP to clusterIP")
+			os.Exit(1)
 		}
-		for _, rule := range outRules {
-			// Get service info from rule and k8s, and delete iptables rules
-			nsName, _, dest, jump, dnatDest := getSvcInfoFromRule(rule)
-			svc, ok := svcMap[nsName]
-			if !ok {
-				logger.WithValues("rule", rule).Info("there is no service info in k8s. cleanup output chain IPv6 rule")
-				iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-				continue
-			}
 
-			// Compare service info and delete diff iptables rules
-			for _, ingress := range svc.Status.LoadBalancer.Ingress {
-				externalIP := ingress.IP + "/128"
-				if (jump == ChainNATKubeMasquerade && dest == externalIP) ||
-					(jump == "DNAT" && (dest == externalIP && dnatDest == svc.Spec.ClusterIP)) {
-					continue
+		// Get service info
+		svc := &corev1.Service{}
+		if err := r.Client.Get(ctx, req.NamespacedName, svc); err != nil {
+			if apierror.IsNotFound(err) {
+				// Not found service means that the service is removed.
+				// Delete iptables rules by using cache
+
+				// Get service from cache
+				oldSvc, exist := serviceCache[req]
+				if !exist {
+					// If there is no service info in cache, skip it
+					return ctrl.Result{}, nil
 				}
-				logger.WithValues("rule", rule).Info("service info is diff. cleanup output chain IPv6 rule")
-				iptables.DeleteRuleRawIPv6(iptables.TableNAT, iptables.ChangeRuleToDelete(rule)...)
-			}
-		}
-	}
 
-	return nil
-}
+				// Delete rules
+				for _, oldIngress := range oldSvc.Status.LoadBalancer.Ingress {
+					oldClusterIP := oldSvc.Spec.ClusterIP
+					oldExternalIP := oldIngress.IP
 
-func createIptablesRules(logger logr.Logger, req *ctrl.Request, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6 string) error {
-	// Don't use spec.ipFamily to distingush between IPv4 and IPv6 Address
-	// for kubernetes version that dosen't support IPv6 dualstack
-	if configIPv4Enabled && ip.IsIPv4Addr(clusterIP) {
-		// IPv4
-		// Set prerouting
-		rulePreMasq := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err := iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		rulePreDNAT := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-
-		// Set output
-		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.CreateRuleLastIPv4(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	} else if configIPv6Enabled && ip.IsIPv6Addr(clusterIP) {
-		// IPv6
-		// Set prerouting
-		rulePreMasq := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err := iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		rulePreDNAT := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
+					// Delete rules
+					logger.WithValues("externalIP", oldExternalIP).WithValues("clusterIP", oldClusterIP).Info("delete rule externalIp to clusterIP")
+					if err := deleteRulesExternalCluster(logger, &req, oldClusterIP, oldExternalIP, podCIDRIPv4, podCIDRIPv6); err != nil {
+						return ctrl.Result{}, err
+					}
+				}
+				return ctrl.Result{}, nil
+			} else {
+				logger.Error(err, "failed to get service info")
+				return ctrl.Result{}, err
+			}
 		}
 
-		// Set output
-		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.CreateRuleLastIPv6(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	} else {
-		if ip.IsVaildIP(clusterIP) {
-			logger.WithValues("clusterIP", clusterIP).Error(errors.New("invalid IP"), "invaild IP")
+		// Check service is LoadBalancer type
+		if svc.Spec.Type != corev1.ServiceTypeLoadBalancer {
+			return ctrl.Result{}, nil
 		}
-	}
 
-	return nil
-}
+		// Create rules
+		for _, ingress := range svc.Status.LoadBalancer.Ingress {
+			clusterIP := svc.Spec.ClusterIP
+			externalIP := ingress.IP
 
-func deleteIptablesRules(logger logr.Logger, req *ctrl.Request, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6 string) error {
-	// Don't use spec.ipFamily to distingush between IPv4 and IPv6 Address
-	// for kubernetes version that dosen't support IPv6 dualstack
-	if configIPv4Enabled && ip.IsIPv4Addr(clusterIP) {
-		// IPv4
-		// Unset prerouting
-		rulePreMasq := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err := iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		rulePreDNAT := []string{"-s", podCIDRIPv4, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
+			// Cache service to use deleting service
+			serviceCache[req] = *svc.DeepCopy()
 
-		// Unset output
-		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.DeleteRuleIPv4(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	} else if configIPv6Enabled && ip.IsIPv6Addr(clusterIP) {
-		// IPv6
-		// Unset prerouting
-		rulePreMasq := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err := iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		rulePreDNAT := []string{"-s", podCIDRIPv6, "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATIPVSLBPrerouting, req.String(), rulePreDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-
-		// Unset output
-		ruleOutMasq := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", ChainNATKubeMasquerade}
-		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutMasq...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-		ruleOutDNAT := []string{"-m", "addrtype", "--src-type", "LOCAL", "-d", externalIP, "-j", "DNAT", "--to-destination", clusterIP}
-		out, err = iptables.DeleteRuleIPv6(iptables.TableNAT, ChainNATIPVSLBOutput, req.String(), ruleOutDNAT...)
-		if err != nil {
-			logger.Error(err, out)
-			return err
-		}
-	} else {
-		if ip.IsVaildIP(clusterIP) {
-			logger.WithValues("clusterIP", clusterIP).Error(errors.New("invalid IP"), "invaild IP")
+			// Create rules
+			logger.WithValues("externalIP", externalIP).WithValues("clusterIP", clusterIP).Info("create iptables rules")
+			if err := createRulesExternalCluster(logger, &req, clusterIP, externalIP, podCIDRIPv4, podCIDRIPv6); err != nil {
+				return ctrl.Result{}, err
+			}
 		}
 	}
-	return nil
-}
 
-func getPodCIDR(cidrs []string) (ipv4CIDR string, ipv6CIDR string) {
-	for _, cidr := range cidrs {
-		addr := strings.Split(cidr, "/")[0]
-		if ip.IsIPv4Addr(addr) {
-			ipv4CIDR = cidr
-		} else if ip.IsIPv6Addr(addr) {
-			ipv6CIDR = cidr
-		}
-	}
-	return
+	return ctrl.Result{}, nil
 }
 
-func getSvcInfoFromRule(rule string) (nsName, src, dest, jump, dnatDest string) {
-	nsName = iptables.GetRuleComment(rule)
-	src = iptables.GetRuleSrc(rule)
-	dest = iptables.GetRuleDest(rule)
-	jump = iptables.GetRuleJump(rule)
-	dnatDest = iptables.GetRuleDNATDest(rule)
-	return
+func (r *ServiceReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	// Set controller manager
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Service{}).
+		Complete(r)
 }
diff --git a/deploy/network-node-manager.yml b/deploy/network-node-manager_iptables.yml
similarity index 100%
rename from deploy/network-node-manager.yml
rename to deploy/network-node-manager_iptables.yml
diff --git a/deploy/network-node-manager_ipvs.yml b/deploy/network-node-manager_ipvs.yml
new file mode 100644
index 0000000..f1cf0eb
--- /dev/null
+++ b/deploy/network-node-manager_ipvs.yml
@@ -0,0 +1,97 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: network-node-manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: network-node-manager
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: network-node-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: network-node-manager-role
+subjects:
+- kind: ServiceAccount
+  name: network-node-manager
+  namespace: kube-system
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: network-node-manager
+  namespace: kube-system
+  labels:
+    control-plane: network-node-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: network-node-manager
+  template:
+    metadata:
+      labels:
+        control-plane: network-node-manager
+    spec:
+      serviceAccountName: network-node-manager
+      hostNetwork: true
+      containers:
+      - command:
+        - /network-node-manager
+        args:
+        - --metrics-addr=0
+        image: kakaocorp/network-node-manager:latest
+        name: network-node-manager
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: RULE_EXTERNAL_CLUSTER
+          value: "true"
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
diff --git a/img/network-node-manager.pptx b/img/network-node-manager.pptx
new file mode 100644
index 0000000000000000000000000000000000000000..7b4408a21b056e47589d46ce005cfcaf4b03345c
GIT binary patch
literal 50608
zcmeFZV|Q-bwk;exGuDi4+qP}nwry+1w(VrbPG)S|wr=*?`@HWycdt^;4>)&xcuMJg
zjQ*jwGFq*zw_3*|CkYIK3;+fI0RRAi51_);XR-|l0C4>S000R90!UNP*2c-$#z|Mn
z-Okuio5s!B3NIf7h%6TX===Hqcl|Gpz(lIH;wc?`$W_)2uam>sAHU(NJh!~ziUNj$
zPrqdvc<Dr`db|Ct4r%@h-~fT)O}Y(}E!P~T{R+>|gbFjDDait)#qc#MpsaMMQ~f@i
z%Nh+*s#`KAlBAiqT5>m+&9#k_O<C&au=!O|t01#!wx<&ahaE#he#P<Mty*}&HX~JH
zIfL-eJ{{fziUkNv&9&EhU6;f#18VyBPr*8=M6#$MRPAI)ks6SR?)vaQp9P|U4|vUk
znk0&W%Ccmg9>Xh{3nIiZ9Nxt=dPE^5DUhkhp(mVL?%A^@@J^vaSqVz0Y^WX1ekaoG
z59xAJ^DzhdOW`w~u#t*uF^?~V(oF@=-^ow~-bCo=K*uuOFXT2@*GD{QNHL~+uyqU8
zeo=y~;yu5#Dg{*e#zs6*6br1l4!v@GHubup^a}NTX+Ug7sUqN2S;>9c@F4e^7z^K&
zZvQBOYTi7Hc+g<n&H0s1KXoXKG0(^=d6mPkz-Y*7_&Uc|90<mM%@TJ~>Mu16Ys6uW
zH)jr<#&JO+@Np=iv!cwZ+qtx=++TN8&2`wtyX4powa5#+`l`~517Fr}9%f_qqdS(a
zM+W6Ig_zKetcS<2Q<>;2`VD4KnmW*m-x}w#qD%Gro&Nd)29W!2z+m?5ln49`47=ZX
z5B&`cx(>!xj<huY`2Bx?@V^)Z{%z}(32PF-^xuF0x`jXC&ALWGFl%KibeuKv3Sh|4
zfw_StRy^C?mA9?0PaV)TF~N(wMWk-~XoGx}R1d4uTVKu}x74e)Md@aPi`s(6P{7It
zCJXf=Nq<gDr!vP(h(^%8mOfJ8M!okp)>Ywz2VQ6!RJ_-T6F&RCgH%^k=~gXiTlpDg
znh!&68r|R`nV6;{Xg;^lE3PJo0n-SXvshzTnG|WWG1`p5X*kNSTwF<ZTqI@uz)Uoa
zEY+~kEYBOWVT|M&orj-gU(#kTu6ci)Rpz|^aEfLhbry%)mY}N-3AG`|o+z?9dCTCh
zGP(;M-WTXc<%l@kGG@U2ZO#PIE;HYL=gZPJnIeBbVQ1$=Yv*9>_|2#KPUf~Y|6tSe
z)GgapI{4u&(hJ|PcaE9ucLF>C&@%?<Ga{vS-rv$NLeA$SEXW)ezFR9qL`4fq=AIKs
z%~$VT<HMr689KNUhv#KV!P}61s)GA++2Nhr86Y2>vf%U%NhDmPQg-RNgv!Srk2n2|
z=}HL{W6U$P3xF8aBt-n0RTbf9<yMlC`PD+g?8}P+DMI~9HtSjmq;a%qXRx91nh5~~
z9z9;uK6N^17+nY})j`*!2;ymzg4U4|%oYot^X;-X48+2ZPEDS2N+ki7piX~aa5U@Q
z!R6D(Y+tHo(I{o&Nk{s7$-+L!09+glRDK7<b7r*LS|150KD0Ec5S0pVt^)PZ4zr~G
zhUO4=Gx?HqT&91sj?pe#Xh_6HWE$e9!xHc}8U_hwyB1`e8HO4YFiud2Dd>Mj?j=#X
zirl5+xv~_hRFzpW8ouY|K2GLg;K)F1Xx19@aB4~VL0F88JGlLpC0%pY_Xwl9t%&HJ
zfd|3A3^w))AKdG5wEwg%9747%%{gyBg?7JyU1k^=*0w|w0yMd8{YEM$<}EWAh!_hq
zOO#@g7Zhr6HCazM8#QVryo~WRP25x#FP$e-=A&<1q-lGR2-q!0f=6%FEdi1k4NO8N
zL`oZ-VPUtGk!_tZ_Gk1`K4f3Kc<Yg2-n`d)iY##6kzww<S3nBfqbS=cAhVJMpFX(U
z`5?<1PF$V>aD)b5Hk#-o<sV>%?>hxQa^<(5u8tX#f6A=`F*v=Z-ls{xnymvO2N!%2
zdlwtj)YsJfS^yb(I6xJdl0k)heIU*%fu4Q>?;nu`_iup!r}w%C+sl}j73}=AxAWf8
z_O<s%E4=42A~Qg2&V2h?xker}4Oyb{L78N%-Q1q?M#z{LYOO`@YTi6kiB)7)XKV*1
zh$@#HP#QlcUJ=r`Jz}Jmr5dB5q-OtcN6H;%;=_Fdmx;#3$eC8qEt<@$@iU|J%Vd-7
z_LDdW+cj)WG1$@4C!@#)m-P+!?|6mq&aQCrJ2$4jxdrcEIpSz#Ze;98`%jAbYryc2
zRQZc+D&y%b2k2mep9H=FXLLAI^O78<sEh3Wly!Xq=u?K98(@sPYJGZd6cO18hQ@e!
zylw(tz%98epp7B2X)K?BAqx-l4D|LLojmM7CLu@Rkj5D4<NFJ``nLF%KuU5a&=big
zBM$bdNqDe`tcx*5917LhcuX;-a2)m$Iq9;+nP(i%>@x$m!zyBT1$*67m(C>|(^_4=
zZ6613xEHJ02>luf-ZzBGra-yl8w^;abhkElJ_u~nwtUKI+9$n)MdL}8u1W5u|6pOv
zpmo~%-tm8OEzv;9#UwZYKqV6Z0Lp)l$zRc+{|h)Y$7A-JQ8vIwcp+9DBWx95pU^#4
zLx%T;8nY^y6Ur+XD8%FDX)$${ui?<e;y``{v$|vGzytuS>_?h-eBvXMD?2+s6tr(}
zlN(tm=949)c0OhIdy+4J<7Q7doRL*zn5&<!9wRhXRf>%{X<(hN>iQr6nrlj9qM2u=
z3O8Hkm_&c<?CE};23nMiDoQ@kq-VJ;Wj9(kG5%y8CCV6_ET|uYda%-3Y-m+(dFUmp
z+B0N6rNY&Rcrinjh3>f0t(oh=iY*aGO&Z;yqSRm%%Q~>HFxiwUR%VP+sbbVnHjVx%
z@}!eKYuHq8#4Fojspu_ls;){A!&6@IVNtUfn}c()u*jtRT3<zwP2RLz@X5a=wS_9$
zPS^hDLyv5TlXTBxQF~#vGErNT{HyT|+u3<V+>*GML4BSiahldVL#j_wBNhy>z)_$>
zIc>Cx1{`jj{q5!;Bj-~ezawWPu^7A9Nln)EqNV`ClPZcVObJr%SbjTr9uR?qVSwP4
zerL<63t>zARI1`7v8@BI+aQ01scgI$t0gwUVR6mF4#OB*$TRe$_@xP1NI?SVw?JMY
zCq7t02ag^iDAo(|%fL(Vl3)6r-9iQW1N5aTk6M0NcG76%5QT(s*;MV2-5u&s`bJZ_
z+J$*h(!9(X*V$THXnU>PT@eeImI6sxGmafyf!E491cMNK>QGDq<b+C;c}TU(DpHM<
zY{%yG!a^8jQesD_HG6h*@zSpRX5-t1dA7N`@>4;DrSS*X<#jg7_PF<2#NA_fx37GF
zY);xqQ*2}<H_aJZF4-K+#4Z8Ph{bqS;%MV!!ei|ehrY;?$8x3E(=LY(3+_f#Gx~-Y
zV`Alfd&t8vvCdVw(PjD8$NTF-i|yBaDE8SToUi-G)t8#B&+FUD6YbXfgDJFa`B#FN
z2Y!Ly3?4|5J7Amyp5BiKuF*E4<(}ZL>bOZ*ny@ejItvI8aVp|YK6Z2ka3l*Yc=1qv
z{8TSFj7po;*m?&O=V0v)8o0>&v|He+o99y1XZ}@9av5J!%{}#Mmxuzk7Ie};#V2b{
z+~ZI!hnr$YwTsTd2CK^XC23jcne^%R&gS{B4wu(Hy=L2$CUn_5ugy`rm0%fnPN&l~
z3+kw03;es7YY+3gMGXUWDvqgQsK_PP%e4%YjO6P4)$+A<TF1!?`*<mdCT$*8Fiqh`
zg$#jZ|JCutW|rthptc3CBBvm5Su<Q;RMsk>XT{*h4nR-yfeyaRQD?fTfsg<$z4$=%
zJHQkWpwl*()*nQ_?b%2GVZG5q;2<5!Ne05e*biY8q-d>}6!c(%0o&rD47_U4MU&Vy
z<Gv8%rV+fh=tQBC7Vmh*+AM5!1-g2#7W!1#c1Ug<Wm;1~dqHhM?O7-zKPsCZ$L4>k
zw`dG)2>EESR6Wd>{_$x4l02@*eUNcFsT59i5IjNj;1R(>fX7!AM-wXjHKLk%@)FVU
z3kfP<6G58*<=qbHMvFf+$Pv(aySr%oDUimq)RzKteB*6kb^5db8rfa4kT!n%B5rC&
zL(G*0`6M7{1iDCK3HT5&q7Awblm9pNmSIu|o!&lRybPIZ7%~Z+0T5)Ou5R)NUI;?>
z*7<O+fK`0=%*wRwg34#lq)$6iZU+ApEAtxy;3FO!8w4J*p9m9xjUN|Yd|~!AVa&cD
zjy?QP(427F+PP^*mTg1M*VnmdB?{7wbac4bHV5FXHb55NpirOk3Y?NZ!lSazK&fmX
z1P`7z!w=9?foyB3#^`VsRuV+Zt_OsS*VWKBr~@WD|1*Iyz9|GdEfn-%_%X3pz^7}$
zYzW3nI+?ctQ%odl!~7>k5)W|v_y-!p{Qbh^D~!3T2+HvNOvbOri<Ku{4co8xw}z|F
zhsV&=#T8uLuFs>2>KN<O$XmHqM1(SQ#s~moqVsw&h)glD9LQJ@{aO;kDQ6_i=#y#g
z#;$Y~?u;J$^IqQP>-YFMUWTMru6+jBoC==lfkn0)l^zWAvLhoYbXCCA9iwwTg75P2
ziyLkSe)iysPi48){LIaR&itdE44E~#DZVhR`6-uu!NtiOn=&l{((t`_qQt!L_!{xh
zLKf^$!-9Eqmx*fj)A3h6)pt4Wm{Qc7Y#L0CAvQ4QHN#MScKdu=oIY&34oO4&z$RXA
zAakC21(urd>M*Q%2{E2^RZB_b<T+aX=Vb-pD#MQE_$Qw#!h8t91|d3l7%&<=6q!kO
zL^K|_Kdn|!{)m6PXRO$j%n}aj3GP`9@Kum|R2aN=ZnN+w>dP5kPF0{+d)|m^m>$j%
z{Pl<<-~%$a7y%@o&2|Wnh|S0`H$l%hJ}c@AGPFq6=P%>P_a~eeRovj*my)9;>|i{`
zFIcXtB(8h!<AAURIqN4Sao1$0Y5@<p4us;E)~kXzP_}77M0P3oO+f|3DduOiI43rt
zu&1y>A-f}=X(76h{dC6o%fQPYo+M|qDHMyqQ;*C0J2BEzIWa@l4DP=j<-IXJV;K1O
zQ$6@Rv-|64xwrAl9S(jY{8l~&LLf|f&35uebn&Z(*9L7Y*Mj?_?4G%x%)apTo4<Cr
zkp($9W<QMa&VWzWx^>Ea?W>Mt^lW<f^p3EqDD880c}ZDW6t(yyU%bU>;i~6v`M*Gk
zx9k)i03dMq@A?0)YUn&m(vh$&-tP*t?#n-K?h=rY3$f;hD<=T5o~#?!<uQ)uG*<om
zEQ>CGy=VK<P9W<$xR>2Ij@PxZ?hjm&$NJO{VaA3pegAR-VueDb1Tp6(%sC{5@Jb*#
z<!8jSaG_mMULRJRhs~6`!9l0n`yj6nS&suFI&2*&9d7QI169DX#7%>h9GJI)lR__#
z+itDQ_ve+Z&&gO5S=0i3S{-h6t`lBvc3m1%Ss7Whz&nR^T`!ib<izKV6(^oc+P$1R
z)slYquMD+QHzx^t)RMi=!TrKEpUuP9la-ahT&m(g);)*%O6auIf=`BKFMA()%}R-k
zCUR>QTC}=fr>D^*+>x#<ZtOpcw<1?m@9L#Q6I*!Grgf&Wrz>iDyxzPvJJ5%YoM$uc
zhi~dKGg)+*N|b$NHdVk&G*f#tupe_eIWuDCuH0<9TxDf<`+akKvWut3T*o(aKke*Z
zPPX6CIH#~P->^+{swvpI6wKQz+U=KYL#u6$LU})K-gv)MV>6jxUkvKBm`^6(cTYxZ
z1ani~0LTUiL6(8)ahRZz$YqV~lESwNE5h9vex)uLetK<ahqXRN450<SIMH)!`mp?p
z$#CsDWw^P3H{+19IIKxFg7QNN^Te=R$|fL=64Z(pfCnF-|HwFm9AK&OQFXOnUAJ>Q
zs$i}A<xP*>sdG;<_gp+1S*5%F8ue;jywz~GdHX@dQ+P1wpu}>tpsNC&8tZ<<2}WaR
zTA_n8n-sY0wHBd3J^OS*UG7HH^GI<PU@Dt(b?)@cqy6suuC2-vuD#x=E;CJ&($#Qc
z^y2Ubcd*z3>&tSijmy1Jty`-bH(43j<V5u0hU+mzp7%yq<`1oI_Wf(Y0ouY=P06t-
z?dc;;j`Y|8>)eYaQ`!$nrc2q^nlbn33GgGdafezjMp{MVhlZL6YSR9r5BIOZ_WSn6
z@!7N0Q<151PVEhS=Q&naZGoHiyU#n_?zhL5ucsPcx7oMPr?1D2uXo$4@30@i^}Ovp
zeSN0l;I|ieud3lgoj@?qK!AY8dZ$yy2FOK#=u<=A{_uWH2WT(SWPs<xQ2J0nni^E;
znHPYcagqd+g6f)~-ownGP2nXk+0)^0^I*v7PJ_`Mh>_#I{9HRU@A=6>TgLl7oVdB-
zh8!Bx@*y897oo0b;OKA)DxHS8;S=9(wct%kJJ#@gy-D1wOrM$Uc_MPBLv?#HdhIN2
z?`XoYcW%I>p{pd>QWYsOz92l=wjjvH8R=Tz4Zo$e_Ih4E1hMnlcO$%icNm#*cg9(L
zb<c6q_2RH!Tp+RfL>hQ!j>QK)?*1`Ut%!}QRd~LzKPFzqcSZeK21L1d>r9A<G*e@G
z(BWXm+wO|&&bz8ixmtEkc7cu#D~vZHZ-^j<A%`_cWq^F=#22_DT9~CbRknz75yX$h
zx<GOXLxh^Z(rHKmQ2-8_O<(^rj^XNQ=i_W|X4CHT?$ZDx^qzL_`BQHBD!R=kwC$Aa
z5D}9)GJsG3OH_|Zkb^C>b3u6iwp6d|aZev7)QSpo!r%V47t$TuDG-^8p$u|zLN&*s
zK3%Aps__J_-^*=0*n`kZ<(ElaxCiV-9;oCD?eL5VZEDxi+>UkrK{3P4DjSCqB_<;|
z^U0MDhc;D<MvL;Sw852xcvps``AYUt4jQ(_WGby^N!NXl2W|13@s;Y_Oosi-6DP+s
zHZhN->CjAdx_u00F+F3LxD>n@NnCUQn!CAwAQS$on`rWLZW%%HfGLbq<4H4e2iqy#
z44F#;;IV}m+pphCQ39yX!wY9PL|!ezmmg%>oIJLLNei;Afrn_l3HmbdDe~;VxPZ)!
zcq3{WYycHyG%@1lo$QdXMST9X)Ll{V)wK!CMO+3yV;edSkm!0wh)Zc$s2`UdKH>K&
z$gh0jbY;NTA>36>A%my_24(VqkVW{y_!r?LA<!}%28-lA!{QXD8Uf<*r{i2P92S4v
zwzE3f5tS6`ts5w{3gFcyh>o-gtg7cL)uJxbi{9>&7AY*?pcXO5MeJ1Ek^F*>Ka%E|
zbWdD}8qKH~mv6g}a$};UNW4Ht(>B&(mx@rMFP0z#5Q&==<}0L2qPK;(*^e(4+4DBY
z!>m~$-a}L}d7m@!s{J{-mcA6|nwSdPK!a^#=s7s_8N2m)-NF0d^PFni^LAxBCvSRT
zfzXP?!DiGJT`0m8Z_HG_o==ylZw{@mnb7V-^6@IJyu-fGphLCinz|}EH)=^h+CP3}
zbf-<t#tOZG44}%>O#$p-S`fJ+t4dc{=nqy_R9OTVT`y)WEFm}K%$O%YRAZ|3I36H>
z&X8)58-H!th?L!BYmhdhvBQitH#0~l^zIT@@6|$JyjOWw&wHP!kJQAJHUy=Zw&&nB
zi<zAGT6#J75h<U+NLgoJvAser_!`L1u09^W(Pvr$v(kAT17vo$>j{xJF4`doQPkZO
z@S;*q3yfARzp<bPYR)thp|}4lGQ{bReAiGjA4o(l3`xvxb1#&2=^>?^D}NWz=cb%(
z?gYJIQ?N|oypT%unPpz8{DkNq#^D^q;kSj8d2ZXKVt3VKb3;%=szsY5r5U|NRP{6Z
zJ{+j+I&uFd?0j4+x+^I05wN?Gaw%Q=$PX!MkHeRv48;ZT%)=gqg>i?^$H2BNA<C<a
z<MO*`XhNWEvtLLs5S`$Ky$VE9$V75%5TB)q8&Q;5yWN!XdBh{u>WI;P$Z~N;kf6OI
z78V@i2|W(#4#WzB(!+b7`-^M^s56XD1XvmfQ|%UiG%LL4+vW2V*(A@e#n=hrlk)*U
zW56Axto@<*k*l<A)2^l5&>&N*4D^juwO#5^C$L&Zz*C~$w&Q-xk}&F?nqj+H$8dzG
z=Fv5}lpypqZMu}`$Dr821RysfePJir=iQY5j(X-7OyZp)ziB)z0-e^5_OMs5#~d~`
zg3=mTH5?ogkA?acR_gXQw~VdNH=G^%lpMNLfgO<X4Gsp!30<16SeLM1NX#KW`}u9_
zlCD`=xWw-|Jl}6ePu8Uut?4El3=m2<VwRUNjQr5|D`j_#nsZTq9RHF{u#Yw58EnIz
zpp`8gKxF0c2g!AiBvpGkD6ptaxm%&lIa;EK8-&GMx@z^rQzUCN5FkXP6WmtzXF>qf
zH>q`0@=plOWIgiY9f8Yc?y=~W<Tt<dI|oh^`;m6QHQX#s->C5ft*!kSS@)zBD9ogi
zLof|GI}dHt2)o^Ar-Y*j9*f#Vl*!EEtkkPdStPgEdxy2wa8}`sJ3S-=EEmb{bWFAt
zEI;e1f_Er1-yyvd*B6u5=f6*YPPR_p;40M3ZdvbYgvojL5x=}_;LBHWT<)5QZ~=lI
z6-4lZzYvR@5CEl@k)#xYzs!*AutIsQV^_Uqzqmt`>#U}EPn~>5IXjt%lC8i?Q?%rF
zfx{+Ip&}P}pK+jP;OThY`_Bb!>>j|%8$J}M`mjA##&`=8qFtWFNkM)l*5T_6Zk&ar
zAxwm5Odqrb^G)eOB!<P6$IZ+y3zRL2j-Oi;wKIPH1pwv)%@cTpVWJu+K*)*YOPhJl
zcUjQFd;oguLhXlGp6(w{)yjrnbXh&0wd{`yR4&l#9qlZ^<YlF@k^G7d+}C6HRm6BE
zStU9ayZ60`T;~H>loR-%)xNb_o>JG!m0m+1iPKF>lt*`z&ee{W8@z98D0Rt5PX`0u
zn*CxG7?>*y7?`LqsQz;M{^m(aEv3vr{2FpUlZNKw0!t89xTEy)RV)!5fqHr<if;N3
z&J?Q>EXJx2=ZQGbNy;yHgywIcMC2<`2=RBpH$ib|-H_RWlQOR}TWB+!uw!&(R&;Gc
zwVj=Z20787E{N(uBtfPUk)ep=X8p{qLhWwjVL0NF4&S{o9%cGBE$RYJPYpnE7tTu6
z4T-XD%mM2JQHewb<i^!<X+GVsOskC2DYNgM58@)G4sRs8`%x=hnbiRn5`r7C#Knx^
zui4r$Z2<IX^Jg$aode;z|JdQ4MHFLcv*+lVeB9i=lzmV}DVe5zfmfH+{oof{aTbR1
zl~@4)+8gj3oNW#Qhe;A!oyc~E6o1CH(grFKf;Iyxbo|kSg=yasS5ioNN!V6_FFU1h
zJ;f-bb(`n@liB(RIDf(r5{B{ohTh>>8_r!r&<7#`pILi}GAitM!f92}4+Zmdl|-ey
zKk3ET_>AN1Q{)f*D)utv4dQiWbjzXv$y5+PDJd|hYJ}!qwV7<&@7tD9E}VnPO6M5>
zyO{-~6?57XGX)x;>}Azp><Ee=WtE}|oMBBFepHJ@WjhKe1kHdyx}%S6a@dvt8eI~N
z7a7m8jJlMGB2F!cA{1tRGArTP28rG2!eE?9V;#cIRoiLA4?~$LjWTs7q*;y=cM~!$
zS=4N0rkxo=n!T5r_Bd6vqAsj-8I+NSNp;9kV9Jxq$F|JW3grq4!6gdJHlKLnl=hu5
z^=uHWk3vV>)qdJjkuAQVA)i%;w7@6Us{Eu^MF&xkFao*}qq6`B(?jOm*ZC<faCuW2
zDOh}-AZ6LUib7g)K1S2Z**f=N3^UFg)$y~nFG=}#sUX#0<-n&*Jbo{Mq#1&k9ax88
z`&?qEC+-lOOUacAB!FWU1IzxrcG^it>w<Fy8Op{28H#0oICW!G6Pi5IQ4patAAvwL
zBo~C<&UTr%OUBkurbXvxbD7;_=i5u-8;L*#=vmGTt`>+8Bt%QsbV56GRdrk@1(KL;
zEKQ41LiPpb;fSTRWur6B#Lqgltv95L)9S+&V+{rIUxKrRuoYOtBLR>Ql7Jj$BFLOZ
z95qd=-GopkDASL%oxI6ZD`|jXk`u)9iq7mcs*BrKR>`_D1={@`6^^F<q!|m2LQwt)
zYDMvY@M3$Vl9a~MzpYaf*GJnHg*zPsY9^kfz50EQ*qs*Kvjw=T5*s&-5u+4GP6P05
zJDJu6^g+2r;LpZxyAxVytvTIK;yHn~&2wG~PgLWpk}R9M-jnoKjr{Qx^wO~HRsdTz
zBZ`DC->b`yb?8ta7Rgi!;0I3Qp%U<R?EWBdQY)>kXTojvNceXjK1~g|xpZ)I#-aGg
z4r{I!6oKw&M{9u}hTkjXviWd=1c~-xkOie3tQw5(?>JIltYH%(WkY`H1#K1Q-+dtM
zbygtlZKK!^poVb(L7=l4m2QtnPEmsqgqd}Wbwo#WZ@StH4?N?mM(J!M#OP1HJaRB@
zyCtt7(S<*{s0=qWd4nE&OgU^SOKWM`v?791z&JKFXrZj)o1mcf3Qz3BZ8knkIdaPB
zyv)Egl4}z<@s33Wie-41rZkv$H7yBOSV`tr7&69`Q?;z)+w6wHj42d?+>L-=W-<*8
zBV2|>Jc$TNs&qE&Zt%}>fC{(Zbv6jHJgN+S5zcn=;SubF)cGM(XKt(1K`bCZZmEeT
zKu!m_E;h;_6}-7rotAG+`~tG1re~N!E^`UCQkp>kKg1Whrs6f4c=7Nai7}Fb+a&TZ
z#mkIJXEje~Ga}@qJapZRu<;#<IJOvxAYBeDME4ix?4i7jp9K}p$D;`%XomjLhO*(&
zH1eZ#!5%e1Pewtd*viJV+*MASJHF=7xG1lZ!^L@i+q?>OzO1nk3MfFJ1T=BR3pNvw
zts=^hXNR584tx4ppOedU&UWm@%7b2=M8ICq%$ZPw3{qkV(qFcsxXP!7+>8CE3Vh5V
z@71)=O)~+(B1#jMsyCD5@luISc7hGJ&ePZ5Hb<_@Ga3J9!RRlE<X?gjzvKWNeDGDk
z7yiUX;RU}C%SI#wbhgt6pdf>Fpfw^xgTYtV4PIj{I2_K=WX2Wuul^g$v;|U>ALJTl
z&cG4*k~{-5eQz%>mw?~>s947cBYol!Ltjrvw<3%poEv0@3W;zleZ<k&q1p^H{zY=d
z$_)Hu(4rV)CX5a67^C*$Hdf<tKc8VGQro;tFYwb&lUHa?SV6n{q;=ywGF1X8DS>wu
zaM|PtW1_m;2a!z;4eb}b>LrV>2Gp;CuI+T1`m?4P*W$~Tv=#5XFR;H8j2g3A?(n_^
zv~v&u09*hFz<&tM|5VTZZ@Kxu3>$#o4zBM7|GTfwq+W^dS0m&q;0oTM#k``LAmdUv
zh#MmR0nmWcI?x=E!M@4Xb~$;KM)C%pYbqzrw|gR}l2x~hfYXjF`jAOdL4r@UIHmpI
zzR9b#wFso^Pm`Poa0xKp2J(^VnW<b~D8YH5FrpTd!>YUO6?%VpppKpa)v?_y`Vus*
zz!C#xx$6wj_?*+=`g|ZNqilT@yYm{yJuNu2?+uGIA!RG;f+*Z-j#+P~o8t8@IEoFw
z#E!;wrpy2ln}W;FeFhQ;3iW>4KAv~^JL0g6(m9AGq%dzc_y*#T_Z+Y~h<M>pH{|19
z>^!Ui^&x^q3X(;czN17&ms=H4bI4r|k|1Y4QTT#J5PK9P0Zcfz&fIXeadfl+6JMnp
z*uQ(p{99vUS-w?CN7{cF1^?-0_)CtI)^~I=c5tNqx4}OZN)260Oi_4W+Ivo{rQv+B
zr!OJ`@bUUJIZ}H2TR@ePWT%IdOOF<XgQNg+Y&v@CpvE|GZ~=RI^5777v)7|CT;kaH
zcWjQgBN<ZB1Zq;SwV6m;TNfJ>7azuk21?zoMN3ZwG|@WDXJhp?g*f7KPX3LD4C9x}
ztmI5;NqT-CY<K_I@mrFZ150RJUngd&L7fk<2*?<sxSe5Qr4-Gepdv3G7me2FT}u8i
z?_ZW6@|Xy2(djQ9LET_0*0eRKP$u2cTDquPqNFc8W=vY(s=y_4Lp(bI1n2lbkHgfg
zQAp-H;)THoG5j!Z9s`A-YB>#;3nvYW`@Xh&A^VG-+eHHWfIpNB5^fUE#I^U64>T0x
z@1Rxh0@S09hwa@+`+mi|Uz*Cd;#3Pu^-o@EfH3eEQoWSIeii{O2k9Bs_@u(#it^Z!
z2r8X2=d*YRcoNmZ%dHps-X(>23OTUNU?^lQR?&CLSh~Zw^2o<clND9$4s~^5F{@8)
zpXhwGn9gP#c?P1<7WHpXhqr~@kTehPSZrGjB;fvDEv0-`Q2f#D^9rMhxB|mZWgi|2
ziko8;n5S>pm5+&vH<40-8kMh%^$=TCE}S?u=e+jYGKvN#xsQw_XD63>hF?9VR!|Kq
z_tHX&&9bkLYS$%*c(wxML3&I*kn|Y>@kh5U=nS{|ZS|YIIt@kpk8(&){g5$*q^z>&
z33yxbYjm*@S3Vha7qJ1W8~jc*P9n3`K7#558FzYh(hMAviXSJqA~C=5;AXtGARKhp
z!Qye$jjxucH?)sr2%tX#vw8zR`Y(<W0Ft}CdzjsBYn-0<Dtdbb%cJO$k>QH*d9^ql
zhwn>g5=z-SzkpFbx0PA!=ARJQ<}vC=c3s19LBS$=g`^<xq$y9^2cvkl5SSeQ1TpEf
zpKFS6X~V<P%j}t58)*j3?o3a=c5r@de9+T7&qD$BNvUvoaj^jma>jzcX_CtI%4JFq
zZhu}%Q8X%68oW)XDIJ%{)phVLe;SsjtSD&7Ds+Br%=Px_u=J#XZ!-6sfvhHb#-Wc`
zhH)K{yNz)zQO_wz@3aw3D+|xfa;Z{JE@Je9u97V~Butp>RhRtX<JUo2<%`A89FAV&
z%fBo<h;ileKU!4Pn#P>_jKjH#2s=ZPsf!Z8UlCL^`D95-lx3>RqYH{<1gn>`adSo$
z-l|k;>~m;Rm?W39U@oC0A8(7WL3TuG$fX!e9*nR#+Zq#>!V3sr8=|ynK-$s7{xN8e
zfj4MfzpuYv;v7R&3fdH>n3QP%gOtagAruDN(;Y$}gzX}wlSN`3#bllRHNW-oFj-M$
zby$1sxin$Ur$$%VbD9g0?h(&TMQJ*QBQ5`Ma$<-UEt$n5PU-TAcx+WLFV*o0-t%<g
z@>&07CVSem%<jcCJBo2dsIznL-Y|!QR?n4g0;xVn*9h0Ko3rF6P1&uZUaey7&0g|T
znY#qdn%b0>hJt;8rKu>tO`*18uyJ=d7wQcjyM+3_rseZ>|6y^<RPJCUP#5eE0GcXH
z4B7@?o{}X+?F%C4;!L2tH?T-kv4lBAQCSig;Xd0k>2G{6NMUI*^4Ju)#-MysWbQn4
z$U!kO69NAy8~5rSKtOTa`gw@XX?A>!8?6v4E#VCQP^}ulPTag}N<iTjCr!o&f&sH|
zh5R#TdknhprQDm$>xjE8Asym=N{`X-PKyxL^K2ydCYYL1EhP5`m>PGOn)scjm>p)u
z&PV!Am5|g8JE@(f2DRGboIWlfErt9ou<Uy^s9`IqEA#K;2;#gyXKAyK>^y@`kJ?S2
z*+PvF=D9_b&eco*5^7=k8S4^9w;-AS6`oA6PFvkfI^meSM#Suj#*xYPUB6ZFs{H~c
zTfS>9X_c3NQ%WSpScDufyIdHLwQt&8*s|oGc*v-MEKM(?zVP7lI%S9X3j8(JO$U2S
z;fg;ICl>KE6AyV<0Tm9A_~v)ht6$q=J1%j(dc=OPhONhgBf@%8$A~3O0jt%bSF(7i
znWzy4QnP(pXH<Z}@#D8=Rl01<frMLw(?FuWh%ui;SRW^B^?4ivV?btRU6OSQ*8TZG
z<NgZ;Ewu_4(0(YOVtPfebqdJZ1yf^wpxz_KGE@%}Q2U-Bkpx7)XBqVX=_;wT6l#Zz
zP$MTDf1nDB`5D9XDnN$}0<<RSeLPJM4nzPE)iN-uVMI*jzSxy-3j_RPWj%u)3U#n`
zt7GjHk{U8TV2XF6ZBC%`)bD%<$l3^uTC26riH|{0&`5%TFJMzQo*$Bc<~wBE)ct6d
zSPFIR=S4acO0`iqRns7w=O1UnY}nDfqa?gJQy+|<_rKWmFLNNlStj#Mo7)0OuoI9q
zo6;T}!KK;KYGK_jb4N=6C682#z9)`<_pZCgXD>dahcMI57G#+;w;A=klkf)JY>hti
zj?=z>dkFv23Y7MkRz3Gkwmsj)8pXdz*T&Y#*irG{JyQSw%)c3>;(9Im>0m;x0=oid
zyj>Fd(F<f~4gUzz7J2^DD1|ABd9k)s3;Xj}KNR~x^7TG%^09N`G!iNlnYytZP<VzI
zch_v^TMD=biU2JbW*4rv!w<3kdah;v6Qz*q29>5<B-Bh7zOQPyEZvBAmPEcd6*m^3
zFwT%3bs0pMR&Aaw-Db?!V^E&eBInW#?A&Seuevv7{YXImGLw!AToxtlucFuWcJ9~-
zG@$Kj=CedpN}y8|m4Y%O!;5+TGd*o#?Tzw#<Np~N!qjPY=WkCL4fOw2k4Wje+d4b_
zs~-91;IFVWs!ZC<@xgZ!-u$3+WQoBhl^{Tzf49$VRG#DcZD9LT(bIY{BhD|5z^teo
z0S`nBg#s}&zZ@dGyj+N%3s&^J6S%{YlUy!Wynpa*Zzb)e`-N-Ma;YN*mLu#rB{DL>
zgP9mG2zIIQT0>q#yKI~t@)_9xX_ZDqxGdD`#N*_)$Wo`bWzv1waSfRccbWEg{(SyC
zC0T@RV;t~DMRh2h=aN%6Fu7&|^B~bR&fUdwM2dtl3b=+^#B}0arfY`uIG^&887IWt
z2qZsCA(d~BvAfUiBxfvZEM86<LW!?T_#;=yVwbllP+yqSvO=;1%y&;j+Apu4rLU!<
z_YD{xiwC&3VDI|DpYFN~B>+BWX9{+gxs#Y+irOg!qE_mXl!uo5CURMd%3f3|NjIj3
zSW)emCA?o$1nd}<Sfv5Sm%<CqnVc?P+OX5I5p}wjS)+-uGMUKFfr3mFh4_gRi`pM)
zE-yxp81iki)3WjnpaTYe7<UI#T`2eExXIwOOxPNEO_+AjC{ua@^&&;PVK{Kzq+mG+
zbgcw-wIN>3?Hzv>k4hiY!MLX5cG4J<FJmf_x$oA3kRUiE;G@dU)3((f!hp}~p%u6L
z1u8^Vw(sL8lYk;@*E}3zj17r+=X5%%2x*95!S5=xV`qjQ{l_a`2fBO83U<bXA8V}Q
zVx4G0TFmgyArj9T4~8N}_e$6bRyPL(m}alu6^w@OqySz9UE~qx4i9u^6Vm0wG=c!K
zUOoKIp<X`x3Avn=S2|e`k8oJ8PV3E0jXa5B8;{D%nw{@c;}|F~nl%E6@mKL%<+NZ2
z`QTVA$Ffx6mXURKzndIwiDHvQ8$|_56~!4!6G`fWln#xlVtRVbbn-*yC*6zjuQ&n=
z_EMXwCP)n{#S<=KfNnubmH@Z=yqScQS%v!YF$)td$dp90+hwf)5Sp)!+PQgZ#`3kD
zalPxyH}Nm0lc0JUjdl`Z`HRbD{Jb!tgADzn*B&fm(XY-6IKV5D;oeAXcr0sJR~eax
z<TOyt^WvsIE>lEOP8Aqu+O$jM3z<5JO;XCK4_-9XM~8<>>f^?9$zILbW6F1gU2o0C
z1QYccDu-LIIW=BqzAtb;(FC1P_CQ!$by-&TQSVVX^U=?BMn)>bsAD%I_cWrUTVwaL
zHDA90>pydLVJ6|G^E;bazwc803(o#JHvCu4{+s9XpHuArpYt<nx(lk04j%kk`x?9N
zf}|=ijL8|Hw^#TcFlK)hY>j9?|9CB9CLnOn`{Prq!B@J#O~C-IGekoLZzMx6>xy~3
zdUyd9#Pl9@cw4+b1O4&BVMfbrKr6=0E?!uk%M#rohO=lHh6#Thel%4aZ8oSasZ14N
z65CVZtbDcf-kOh-ad6Z^j8rqQwVUw6Ftpk+<VP<T$?c11(C&;n2cfA%@Zh}SBHn?k
zZ?n=kB4D}o{Q1V?-+EqSvg7J$zK`lb-yV<uc9Qz9DEwPU{yIrb{2I5xWJL~n0)724
z;KZF4c}Rk<ptsRpYKfV02QUFc4BNLO#hygbM26R>4gv|EYlf!1%!f)Ig{qCtFV`xZ
zO)@U#5t@*haoXOLNa4rwGr`gAIqU9@rQOpORi93n3D$5{DT=cl2>xadkEo#7;j6I5
z14;~o2ylR&U)nfE;XvnXFZPlo8X5e}4o4P!n@4QbPuh4wZT3&&JZ=F*vFk1f!lw=T
z90Y?-5g~Q%wd5sdUwYYD3~Fy2nY*t?#^;S4`fDlXTOtHP3VR-e;LyvQ{jb8{mVK5@
z#0Z5;k;hL?#0*j{4OE6GWW34aBvy2ZNYP6;I{=6%xBk<YliMZT->0Lt;|)s{4XWd~
zGDYI)nQ}ow;ZnRsqj>E3^+&z;VF7gT*$!|KDLo^TM#)mf{2jC2O33<#EQRrIw?TgD
ziaYI-gEb_pf1&_+E$=H-e7)SFt9UQ94XaRq%`gKaN*P*xLkv-O_95xVYN587R$@Ow
z$?@pn#0GK(RW*$GBTX5m=B^k$2vEor@HfW=K%J~vu%;jHsigX=JF?x0>8sDuQ|RCU
zF+*%tMLsN+)6NQeO)l7eMQ*}9D~<tSvKa%j42!8C-VoB0O@oCPoNz@gOvj)A(66OB
z3(da;!UQy>9L1{2>Qv%t`#HRJs`<94Wp#m_nWk3UU4cR*vJvR92dKo0wSJ`(sEpLT
zd&kG>+X%)x-Qp<*#WGa1uj^nG9R8G{iB@N&8tx{D?stw~6*spCF*ZiMqKc-Ht?RYs
z2RZ4^+{TA|_DB^D6BUx77v}hdb^RgD0rBUWO;#?dKNr`4iqZg+A6u#y*`S+wVnFA&
zF%;yuhL+|M^!zMag|biMSdYr>L8(cw#Y#1KLak>f5W`WGa;KJfTeeHAD&JwJ%Alr9
z{{}E>5_@eI;CWiM7HS7L6`7-62@s3)G{U9}yqetM?@O>+%Wt3BB;**@a)lr0MGOrG
ze;V)-s~`5-#*8p2S;Otn$qnz+!|C$I>x@mZ=v&LQ>QTw|#o)>50cEXEJ3x~))(zku
z>u1gL1;(zv{e&sx$C9H?jK{d=Y@BYEFuLy38gti@wX1T0p^I{b;r)EG@zO$bL54_I
z&r&njS;j5_4qu2GdY%tkx||c6zQRL>5uo`12RgsPri=RcytFnm%t9?CF<WA1K-@Nj
zf}2;v@>M~G_NmLw-tEb>EiGEctomA<%}8qe{ADC$A<T?GH)gf@6~R{MWW1t}u$7mr
z|H1h1Sq=?rgR$)aO=Mu8xRZ6?zP9`L-G;?eyY}>HS@A}bQpM$hlCABu+zY$<*?d;_
zrSsW=m+Xs5Fhq&xmied2%`mAgs;`e9I}Ps2aFy6K-}8a26mRJ0j#5N#PqRA%XFd6j
z?pqsba`?6UyXT+R??UK5Ay<p6bTIN8Yyc4cXRu-X2iQ)iZP;K6BX^7LVylclxO{b;
zmCB&3(TfEUS*(KpI*++fHue35jfokA%padGgon>(7cbF87L<=CtQ-%tYwnTOwB^s<
z(4kWzjhR?1Z^Omwd6;>Xc{P!VvDM8870xuk1iM>`f7ZgJ-WQMd#y@X4@^s~lteT<_
zLVz33)(7hzrT8*+`*yV<lcKO&lV{JRhq#1LBw338gdv%t#QgBeCUjE8){F497;PSg
zjys!us(6pFgpIiHr!oC!K3+oPgH!y2eG8^rE4F7KyeO5b06l-yp6nZcLdt4_a3e8t
ziB`0lH!30~>G~S7C$9efcmjN(AWzZw_`0iY<g-GM0FV9a(#-x5Z_)Wv;(1HKTq5=j
zxAdiaR2~{EZ{es)z4&1L!wyL@5biwkxN+07Tv)h16EgNg(Lq;zWQvIPPl540{OF$y
zCDt%K6calLiJe}v6((JuL+tfBz7JUDO-#8{7@#!{b~WvWNtaSMxJJHQ$@giR#M?~j
zkzL?r$b;+n*St@*B=MZE*0Z$v(?BA2_^H0gSx}R0d3G@U^U^y7<`&JD^HU;&_E`P1
zP`1vKf2=jdCf+hDWKxz(G2RT-x+XO*DI+?4CXkX3IK;=Amw)Na;39GZBFye_hL6x4
z?Okf~B>QZ}wTas}YSLZd;{XbY={KvTJsmNTToY;)YC-bX65|ex4Z9lK1XYF8$0WUJ
zvZFU=VqeNUW=rAXNP@!By?U759_yOFZjA0<d)EFA%39YT=%nsKj_FA=ZP<5zoovbV
zx)S2x=K00tNhAH_O0-9z7AiKrzFdmfgZvV5X_0Q;6YjN9>wK0R)D!o9v6P5Q&`#2<
z0RQr?=U**Hr*>3QqQ;zx2v!&rrXU5>g9J|iW~a4-nl}rNkZn%LX3u8LKX8jN9OBG=
zoMy*UeqUNt)PO<KE)qOnj}6>c2cZ>q)YJ<a1*+8$pt(fdyD4C2xdeemhiX>^Rc*ro
zG-%+~+i=zgjR)QNh^4b+=f9s3ipGcPW{INHZ)dry)@APoXym_?)_<mUxVv`2aRW30
zRHL~AS{r%QayIafWe@C~%xi6FZ?JsXx?6zUXuq^aXjHE%9JnZ75=G%6%XvRe%$s{M
zE_mI~Zf%nfc;8NM_OJE2A2U?t-@HknZC=Bi#yR<L&X;t6f)-LGAJSf_zz7z#eayjG
zyN{Wqt(!KiC_To_C{-kNmD5wSRnwV$a4TI^(o-zG)p>xt2I!y#)*(HBBUr(tj0S{}
z#mz@FKnl!;s5Dua1QngMXD+_mo#I+@1inb}AfxVpH>o?5**7llhRt7;zC{y?rrMy+
z+9HmZJlJ?+bkrvu+drOsk3C!H%O|txJVi0Aa*kHuz!e^?Twll2B&%EHyR93a*WA6~
zvoY!H!@GCATGA^nnk}m+LN=O_D=yO`I_mQ&JAKltJgN%XE?%j&6n&z0!U{U9(tDO)
z-U87$zd8f4(4;@>LjY|3bv6-SAthKs0$@I8k9w`b%ZS1}K+%#Rj>*2-)IR_AEPPy@
z?MwKLWUz?;Gm<g=^@)s{=63@c*@yO?7iR5fQl~LNl|Z4^#=8_VgX{$`aU;HQa+8Bo
zp)e`H%$g3B8rHfO8T@_QKnsewSFWkimn3%Pl-J3`MO49{t={Npk~W>OVJmaobqZ_p
z@&lZE8dN)okn}n-!9_M1;I`_w%e#ua$89T324Wb*z4b8|4~2v`vN)W?ckh{(N~pRE
z^o>6hpu9g8s+Oz?5)wKBQQdmK_gDv>Acw~iY&kGU#$K|H-b=>WvpT=RLgprSPx8da
zE9-;5;Y6+Ury4fg3z2+4JT&A3uLY+*QDgAZ45|ULJhRtR2Ti<>SOM{L;6;h9nBSgV
zYPFd{c!&+N7UuJx0_dBb(8Mm>-5L5nTiLibCGyYcgabr9Z{$BPcYYjZ;JCQb*;y46
zZBUV)1R@WW_@qLQd9G;+1O@9Ld0G`3`RT~#v!6BS23O_b0IJlRO{!EqJ_1!PR8#X&
z_W3cGCJ86Axw2zv2O;6&M*DICuQE~X*dg11E;c|s1Hy(4<_xe36Y)3DTS1><@8%<?
za_#p`WF%3~Qi8kWV7N<&c0)kh2>mR)BH)2sfpY~`4AmZ?cvHvoeG~)wL#*i)<Mkp=
zh##CZRPuJyJ8JZVRR~zO(h~T*z^ixrLB``fN=A@Lc8J=NJHaInqN>W6f)Ewm(-!8-
z4&3OlyM(64fCcbjvM)?)wjtO;F3;J8@eBoqhMX9`kvr_C8ZH7#J+3@)Iwr?x5(B8#
zWyIj#zr0N|tty@GA#T&U?%XsFi^+^D@AB)by(~f?6If1O*N^$I4v24X0;rNB76pLf
zXKLLlCl3SwO2c^V_w+hLC4ij0A%+S-sToZ_6adQIcrB#gsAKq!DT&c=(V5KJpoghh
z{S$WL50M5#<epV&+1dT0h8sIyE-rPu!p$cF>Vf1=H+S?Lh5onDo6+r`ByPktCIp+9
z)kXvjBFG)S)kb}4{R7uTn;(0=Rh5f7Q5Bq6rrV1gTC-j%r*`c9otE~l)R)zR8%?bl
zjjiXEgV@6*qIc9W9j<ejwbF%>OKpXvwg)2Xg*9|kQ8lLrQ5qE~74<4J74`Bn77i;T
zhX)Qa3r$|$4OYK~mUg2@LO>9P1)WP4dd)fn3(pDxgmB7QAztSKMI_qGE9#3!HC$34
zPmyc~y1RhsjY8eU4VFeVZPHura)$bKw_?EV%EmWEPSZh1+urJd>G{<PZAYEGlJC9M
zVpxi6oWOfx)mb~xzuZ8EYMw|#3*4I>T6$IXSK&A}1^QCnJ8G1#MA}rU(nX{f8<YiE
zZcRj3SXr6XSsl|PcvMv<EqpYt;?I^xN;a!B4{gDGy>CsfpTJA)d5Cm>qW8iUr^e8H
zVuh?}XT!jWBuzl+LSgqL9~yw^a}1bf&iejsONo~}-USjA000>4e?}PQzYs=!&0<dk
zy_@zP8|*=&qJb(@I)zQfV}=Pb;~ZFuh+RdsM8a^`hWr-`G`>kHjWvD})w!^Q7&#La
z`D6;uq|VSSr;`bhdNUy>k5L|4cb!OqZ}->xOUwJScz+%L28_VCV=BfD!Zg6#0(ZXy
zTuPd$CuZf4A3Xn(U-MD=xYQg>8YyLt&+W1<l(iueOV>{z^nTdXZ3ac*5#8NZxtjDJ
zFu3mBC%dL7w03xXExmxIAlLAQoGhfbon!2O9Mbl^=tkXZ6zZHB&QF+!o#bH<f3XNH
zf7V*O=tmsN1{{K$gy|oj@F&X64R7WP+Sb&$9$R1e4gyeM&EGWtuGIT_&|U+eak>^c
z`k1-U<(=L5vjr`cSh@as<ll341)}6u(TxN!ju)CJ2$RYsHgH^}Spscy{LJ4TBpEHS
z9Y+}hVn)TtrZ0Uv8qeL}?}uZ1x>BvPF%`d1amGHYRql7DDA5@a-EkK4s~xF}`|RBZ
zGALWKtT(Uc<YZcK+hZAj*Y{jkmcS)l>%-!wEA)y90UB>%<U~4=MydR56p4I&Y>g8V
z%?kdiu=HBtSvxh63A)LFIo4XYb^RsM(<pfIk6KR_BI)aO!ydOW0J8#V58L+hh7GnL
zvm!@(tgKAe*lNCAp0>9<l&%*vC*2Jpw3=`*p@)H0uTu#N)>IJ}C$A!=?hQ0r$mdbm
z)-I07P3=IN4$y(nFqUxaz+`5I8wCF8GG2A^?dH5-Vu%Pl@i9H}vCawTbkx*eT4WXk
zO>I3>2KyZ=Ab%DraEgOJ&>2YUe*5>5ROyW~+mR*`gO*zBx96Aab_QN!YE>}QIq^C>
z=5k#tOaLg>kO&-H<s+7YD38fS21rr=0#W{R`PX<#4zvuf6sccflwU0%`8S1kZF;FZ
zrb#fd8f0a9Z$y6atluP*WG&*d0In5(3dxij4ppy&UK31;o=kQ<)<2e@zUe6!(W#C>
zsPK3q5Ub^i-Zj*zi?DDDL~ddcXD)sm)X(u;HclUru(A`kOg$~l)TDk)kW3C+5!or5
zsUqq`vYV>tC=yFqpQ7s^MV1p)C>bCcbbMJ-6jaCyC5s9a9FxXsh{Q|i+(a8h)YS`K
z@T$0!mJE;mU_Mn_$-Bg)eCx3;)2B4sku@JYn>z-g<l%{)(nKoFy<o_SI2QJ#KxynL
zx!*m$DpML^EH%p!74?l-V8HGtHymcQ*y)e5EzIqy?gdEW?{jDBo3qcRpzJJ-#y$)Z
z;8%xnjMTTGpP&wD<1befg>y_2ImA2!Yl}uaI$vio$Q^IBrvF0?);`GBf_{8iuZ3^e
z)-p4w&O0vO{>wF;QI2c;;lmAOH$Qt%nXD_Xu5ua7d2cN`VW1{e(pW_eX}q$Nq_Tln
zoxGkn87+8s$U=N^|7!MW8%&6#9?P+xqZIVe1$M@^^-Tdl0K962#K|){L`6tvU!7kM
zlz1GZIUKRh^87bIf=M@NUBkZg*}=u>k<44mT84`6DHL3MI~3IIq1{e)YWZB@)!tC)
zvS+IAt!QZNit|wk;~#g|b#CnEmG6H&XcSmmE@y88>^QQXlzN~^T^u)-)-e?>qH1uE
zPgJvZR@S=#p{zn#fYqTy^L)TrMa4O&b#6#`30-`f=4t$Vfnb)Qz0s8-`rQG7rhBn1
zd2G96&VYr!tM`A{d+X@9o+Mqc#LUdhWHF<~Xvr2cGlRvl#mr<e%VK7!#LUbL7L&!e
z^>e?T?zhvsGxN^be`fYpWt~#$mg+|6W_}ToUqn_;Gi^Gd#Os)lLsGo{w%Zr}m-8s0
zp=&iXDD))>Dk}6J1-Q8Wnn&wZmF#CfV0Kbm5tTbkTo+r;t63K}Sn_^Yuv{1VCbPz+
zwF5cG!~|OcjyxM2i%Q7jGJ~80-)ETShHH^+Hdy$IyrejTjcb(FDrY0ydH>?ux#`^A
zx^S;E^^wxWTPMCAOBEbe8+f+mCbP0$GU@>rh-pO7DkMo|`Ay8S!ux&0>Jy@_7X<PP
zGZZ5Xazr(yD=kuZIJy?mUbjO(3aXhGQ?`3-EtMq$*Y`;cyGd0S)p0svm+Hj6g!I1W
ziezK5*``+F9u7sZSOmH<;Zq*bR5Jv-cqUR>6HD=%3#w_+t|^s})}P<kze5Hx9I@t8
zC*gUP9jyR9#^6y8<{z#uTD+*)1a>2fhE6(Mkin&OW23#LcQAnyrVr9M#>d-G+8Kp;
z8Rfm8Z73F3FWIBT#6-eRvB=2RfW6bN1wUbGfY$xAD-?I}^~*lD4QR`te8NWF|GBgC
z7Mx$~V1)mTD<BD*5SjqkfCGNYE<)%RX@7tga9}*8Nhx#{!QF47r_h6arta<4h2qg8
zX&5NMU7*0{5T^n8LNP*GZh&(Q-1xmOwTk|Yc^%a{aDUxQ9-c{R_jS1Y*HJn~EMTW>
zv3GbHDiz3|9l7Zo{*yF3g-Y?$K@u&U`nwrp0vmP*Usj~l*0Bi(uOP&1FWFRzXqLiq
zrq9F^Nh?!W<`CwBk!^~YSp=t0$W@-+@K4S<qY*7tZqxkI`MvNsrlF*aQtO~6&;B6-
zmf13skKsReb6aQ6(dQ0Tj;PbVP35cNhzgu&X)UPgCUGh()H+jXDCE7?bU?way>-qs
zO^>G@xm~mJy*RlF=_E4OAs%TZ_N@q>iHV`f?8_OakZ!I!C1$=NAp@nPa1!$C4trt6
zi=Steenr^ejT%IBh@|UYX!Z0-XgPHfB&As%M5UFRD}3aFe~iq~*IzUd%pU!M(9)X5
zjZo){qB|&=s`_=6tCR4}-GTST14fWJ_#tiwlG{U%t96eR5nqrD+KUD6hpHj`l2@h$
z>(_1GnfuO{e;K$THMByQ1XT|~195Ktqd~;|w?Q<nNWh8;R6pj|IQLl2W~2?1MjfUW
zOav#t1eh(#sGWN1RwYnZ&`SvBIx&W*ftRF|md-(l5#}7vI#6yC@!gq0*p`HsI%ux$
z{<!kq<hEw1LfnD9Es^dGRITnXFcklh4M}$L<#NJpmewdywg()YDpKt-w#dEk>0z3U
zrC7OIGFV25e5iYdtz@e*vE3%EWV4V}1_xac@3a8}4FgVYniWD+PwbqBjc8Ph%^00c
zAPVO`Oljq8s#tI5-e|-mS$rx~`ls+&u)uiT)w9X2e^IQY)Vo$Zp_51(0a{~7oEwJE
zhoxrtp;t9bQc0r^kt}!9w}ZV`i|ic<*S4Z1X*F-3yS2SPAAY-iD-toxL6?W9;ayK{
zJ)$}}347Fbr^$}L&S5g*1V^#>)J?kh$w$F7A0q5!>~K@#^?ZN`=-cEN()5GGV1w^V
z?nwAEMsz|iUgs;vqf=m|Vl;KJ`Qej6;3-~D`(0uc)tg?p2KW*t7T(+ssbKx6c780<
z*eTyC5n1#G)(qI&70tqyx~w%!J}MPtE13^pLe6`BMimei)>4I_%_CF_*-j~UyRVmH
zl?SW;Mr=EG57urXkQ~=##A~1$t&tm_Pt$hU+|xxvl`+MgHCsA@Yn@Ke*hd$Et4Da@
z@(R1ML7+e%=IkgMTe1X;)>xpBU6O~;bY&c5vstai!MasJ0B~BeYF5iYE<Z^v$a7SB
z42h<<82K$$e3(7kbMU@=Joa|c<})XrX($}3_nM{<Q;8c*8JrLWhU^cG^QN^wa|yk%
z@(K}j3XAQ|zMi1`YFefr3t(!NU-Y`l47B7tSi7*R*!GZUGUSQKvTiOk>ZYx%TnYZH
zLq8`cr%-m7WcHdRX$VTbyYIC1<!yC$;(dAp2v&xij;KO5ebK|E0I?*ZfY=a~zNB@P
z3WQl%CD`1|^ipq$s(zq*{@;f&^>>SQjzG@8^MAtm=lN?ijDehgkZJA%a{gg&HLatV
zlL@&rcX*CI&QjXc3LB6|*}A%xak!l^LCsR58fmq<Amp0J!PAiyPE|vuF`s2G4>r7z
z@UhQ4<hk$4wNBxH%#g9igLHOh$?IMzrb(<c+VIRSee7-sP0Uz(sK(vJ<bE12f_OT3
z)?gsgdY9Cw5kdb>eiDkXJ1%p7We41<C<H=aZ%oQot;Qga4n3w(S+oGIFs#^Kg84k@
zH7RwIa)p7^B|^_x3zS511QZG%F!eUZ?1<z`S#%Kn_xa1%n9uRBEvN}sgRV4@yxKen
z+PJx?Q`H;0AA8PXzYv`IH7=q<K}Vz&fQ2#?I9V??K#_PBka@hyIk}Tl3X|MM>%$HU
z)4cXxB&4%LNAz~UlHos&$K*S3uZ3w`R2(Q$@^G1sYV?WSkp|RgcMkiDReD8*IFzVH
z33yT^kk=<m<mslrVOtPb8FtGOR2Y`2Zf1RJI6lFcg38MI5TB@)gnaJC3(rEs%YXLj
zM)yrr)4R*D8BasWxEn=UwEnFg2u9A7rq}C94dzxI!KU*R3)MR<p8>DHjj3tMNndN0
zI`B~Nv(~0mL?MC`DW}W~xRc1E(^KJO&}8|`$B8OQY_k-`q~g3d(Ju0<<EjLsT`Oq;
zYLg^a0>ca!fhtKt(E}b)nEb)l>_x$@;wxAsX+I53w4-COR-A0;8JZXgu_*3k!Rtbr
zwj<O_*^3=oUZD#T9k}JW**1H=;nB{Zx3Ap8{myA%bpn=+vGYUL#`_x;6(bF2K0cW*
zE_Cf3d<uHH2(NZhpU!FOjGKaEm$B4bKc?Ke;IW6v?V_K6vbBYZ(XC50*;IYhqBf~)
z6qS--)70aGMr_NCqK$aJ1s+3|bA|5%(5*14T@;Y22}Q(w@RK2=H8O%ho%pkVbvXa&
zNDEc~OK^i<cY^#-UDxlX_<pI4Pqc~1t#o}&x+?ri!s4}_uXpd=BRLY|U$M_Cb@f8o
zLK+sM82@_$k!~qDokhZFDU%_nRRjyhZz4%dn^fXnfcIf{g7Nob+JKKO?R#iLjZE_e
zoTQ+H2|_FKdTA;?@n?r=3Zx-PWz}=O*)K$?vSDQB#_s+w`3iSxTMt|w%6Vib^GoFR
z0p*KBzEH-%q~E=f;i{|*o2i`#0_?jCU{Pk7QTAg>PQbJ)uz5hgCY;<?ca~r5SP5G1
zFW$U<6AzgEjJ1oQEssvb6OV{dM8>~=?|TdF=9{o1unnZ}Bk<@eb7Rl$`g!S%nSXk^
z>_1^_;URLRImo_ur6Jh7rjDK1;U5n(?U)r?LP|fOe^kjc^=?sC+rO1<A^*-<NN#Cu
zpi6J<DMOEA3YEyEHkwxA)8E-<6N=_0P`^EgkG5iGK>frK7P!=F&FudsqS>A|6wU}n
z3g+_@5)Xr2adYE4T0w+)_+`YQ8sVYaZQkPR?U{o47rr}sPyM4(9@&QHb}))aa^}s%
zlp~KluTEzZL?PT5zl-TJ=k@39FNYm`$JvoYz5VY-jYf+bR_+)yHY0}ZQ=W?>CrRNY
z6>{Nv)09!(zS0NB^s%9SW!8l|!8U5L0k_0$$d24>tr97Z=@a@S9Y^iHDApOeGw-a2
zkQXX?POkY%hRy3HM(!V|6Iuq+#0INOwGhb?1Ku_3uR%22e=$$iNAb3%f=q8)kWE1j
zI^!=Y_&+Tt|8J}q)(?No1~qN_S!qmPsg?H+*Fpq?(HK-{a8`EDBDq*}&qCHp_y}I7
znLh#{LF+xSrIOWRZ49?$(&cliP+}|aWVWKu*6w{1eoH^Ds0!<+K&j{K&fW()z>BdT
zEp9%CEe79UUA=WwZ_0R~NNpY)1DeW4GAkOjQ~;)^t5dhErSufyNhb{?l{yIYa}A5z
zLl^8_wgy_?RSO3-K2392-NwQksS1mvzMnkx1w^t8H=1F%$E@Dzj1TRHr@;`FQ$7!S
z+&!;X8s`?--wFn5+60o~un`NN@q#H-K>e!0Mip<tYkB@1yF|OS>}0UC@Ci&M2C-RO
z-Acf<Z1*qo8zC>H?(&uamG})hZ&>+Z5pgVAAj<9jSDTbd60|lX8EbDqw)7MnS6ID+
zb+yblV}yt>DhWAXN-L)@7^l3<C19qaq3IG;7A`NFfrcv2cZ#d|Ktv?GYNOnSSgnqz
z&n^{uCz!TOt~o@`^tIsu&ul~#3N&DnlQXgqMcu9T>xF=40kSy14E-WB8m57ql*=x{
zgFJDTH#(XK3-tP>>ho2K?L8bJS+erxMAxMu2`9AB7{q|fZ@RQ2FO^jr%@u&dTGtjy
zjgHwcQNxBy1F33WUPu`+qg!{vjt7*nY$6GmNhoo7aH^ho;(7^6t?>Ef(0%qk#W|D*
z7oLa>AjIz@T-+3}e1HU)kfZzfV1LCWY;eT*r~yMObd&$qWX}YiGz|FO_jIgft05ND
z;jS1xdGwcGen9wQ{%x0cOmam@vfnyv;lI45!M?WF;he=xZi}HeWJDYeyU^i0V%4U;
zv?U@qL*dN6T3k=6cQAfs9=p*AjM0;XsoO0UC3l#fHTZp8eE-M^wr=N%yp#2nPN8VD
z3N~&az)djQn)5_K)gD)2-sX_0!47-Gsw0*C#>uO~E_p2ED9ZR_aO!SuW8FH9MgC;s
z?@xfAgZRw;Jp2~rW_yttr6;9&8Xvli;}^jjxyimabt;_Fw_~wwAiu*F`}y(VlN2ke
zEl8A{u%SEOTa%y%OUrK3`<x;^0a+yb%YR(};Uu`daNdL<wpTMBH_UB29q=r!LRKn(
zU+E2MwRN33(r?x3G}*LEl`YarHJSJ4XI9cG@e7TB%FK<<g=V~EUyu2?dIVZkM_+ay
zUSmiGNq`@tM#+5J;lA<rFq7yyVL%f=$Uyt4Iej2d!MrrL?dcbjSdz{jZg>ZAWB$GU
zWBDAeJPjJxa)|$las7uhQm?LSzsiN_LsI=NVli1N#0U!VwuN@yRhPpZyIf?54~kLA
z=37i|eCS%zAq}lT>enJgVV(k~^GAlj#)L{ndgk;g-+TWMU%S`m{Fz@tPd=`-{eI2)
zoNAx{D-00kDOB9<8$-OCToRziZL8V6lU#7gdN>)99KHsk1CSriAs*+_^mIh?wa00X
zchv#+hSosH;Y%=9iJYZ|TH??-If-PGKdRwfB?c;q3K!LL_{XiLv8D^U*3z_a6kW#g
z`vliJn9OMFd`W|Q??B7rKvEQyVBzCd!$c2+#Vc%dOjd5AdkJY5+*%tvR+q^_;+39>
z4H593tea&5g;F;7)5c!_M4!gk$jKd?&#?m81D&1VS4UL_cZa|BF5TVSspaz>Vo3Y4
z9p0VM8+&!h1=db3(6{*3cGnUL#`MR=`!MhO18VDiguMdyMMECEO%T6}N*IYDKUVcD
zPJILC*R97XbNgx@RIzSbS*=zJ7-`87D8pQPpPjCAVMfp2Up8&dci^ukkp#dnvM7E`
zGqa03m>8_)PYH68p+rSZ2}>#E*i1?b4}t1SdPyzPW1Hh})@4dArz%}qvAxRrY=Fr)
z$`NTwuCi$O1KH|3`(9h883n~Ric)D<Urs6LQ9bchmqRjExW^cPL~0F;N0lJr9?Q8L
zz|%#03@w?Yezv0?Kb!DU1wY%2<9b;se{Z?d;BHjY={mJH51dd*U;GnxGvwUpK0V`b
z5)O;|SCD<v305}@d$>qOTx=o3A8b&))D8@mylV6f3oI(FX&^}auy=gh(e7GFedK?v
zGrza&&U|`$ROar4suZnG+a4)~+DsNcC^Za+;O&q|7_$INMsHAuI-EZ&Nd~VzWc0Eq
zNhXeEgKOlJ5&7QEF=B>fZi0mK{vg2nBg>w>yKAuVNAC*#Q?#!C)QJgFa@O9(*#|V&
z7PO7ePeg84R~$h5d3dWjW$Pg=UHc(PUF#9fe2sYPqEhR^1-0?&NRry;x$l_Di&9Kq
zJEf)+V`NXH0p!^Wf{>0I7WJiNt@PGu<ybhfALK!yfjR`Z_IE?WsyuDh#j_h30guOX
z8y7u3Wla(W-H`Y%ZT6nApTyZ7g&aie$T!EGOb$|pw@Fxq$2a;q6+~a24BT9{h3NEP
zv`^V@^d|LXQh6#WTQ;J!>ZYqBi^_2bf^8DZ{cUV*Eo<$51bGhIl&Iw=E_&^?Aon1y
zgXV*?!;8s{=(m>dAST_D%m|#FbEnPCP|An3BLvnZDRzoF=47$EX`w|U!yX?KKk(9j
zJs}9LVH_@kT%}S_Mi|Ne0{VaOfSp<X@&3<jP_Fuq-~f;%U4ct3RQgjb85TX1_!gK>
zRYLhvgYGJv3<D)|620eXAq>yGN(t6ZSFX~R9{#zzbLvn2TU}J_#9qEYdo!97f&>mQ
zV{(%*3kXjJDp=Tl#_*#YFcg$lMI`VN)TmEAw3c0TaSr*9PxE|LpNm2vSF%U=th#bl
z+Rt0jQDnmR;CBO$+k`OaRGw&|?I@>eqSLAETE4)qVfJGlyzTJ5m2bwd9(@pyg;Ui;
z6-6&_Idj5w))e2J3>$!o<BPlns;hi9?(LvtQ@Mr^4V^xGh}sea(wyE-xGR0*nTZq?
zQ7#SpZs!{(TqniX82+67obyT9X9lMv4xb>EBd5sE%2(Hz0t3pytPg>K_?+1zA|zc-
zuT28{UQs20p5dG<!wJmX?e6!%&gALN@xdzZhn>aS(?Pn2=Vxy>4=B6NEO7hi<}UI_
zu3jnhPenCmbJadYPE3U4e56dnaE(QgDJ@=-$#LGWbBQPTCg`?>0WXGb)=5y2{_BWS
zyVdk^hU?xypkNy?qU436sCd+OGLLS~k|yF;49?_<)yx7ib&6xX<QJua;}T1;)9<T>
zIn%`G7Wx#jv5!14slVMwz!QJkdQs2up6)CB;?hKW#Djbsg=>9rdVVDqO-dn^zIQcG
zJnp!z0TYe{-N=~Urk|h518)<C#GdEuRQcDF^&PD;k4tx}+*TF&Zy<`l=pwb}?5Xz3
zK0{7eM^K2lx>5(a``eIy#-fItel-7?mbI<F%zQJB>=8Dhsmw^;fz?<z!ubKc=KGQ!
z!ib>)#P65N-LDI3nQGiW`PQxa?|a=Uu++Ge#*BWy@L~6zw^#gJO3r#W&@W=emaheB
zbu*6RRE;jPqGj~E-Fp^#e~(d~`DU$$>aN<UR<EC;CaqomBh<TaN4))`_g9-@sb4ee
zC>3ER@4?>g*h*utsqa4y{&n0r5TQXJ3lt>S`%iG4{t!#sQ&;U)xo`(BU`~l3&$Q+>
zlLH1MyjS{bDJ^DT3@BHyOJ`|U>bMbM7qDT`UAn4~4<-0qM4EDXnf>#+YV(w4M~8ev
z;^u~}GWr@a*EKLD-i9uo6a18cUiODAYk<5VxEEJF5aFEg<}ZH0Ip4cM6;rAJj^Wm7
z7m|1LM2tb-W|`01^11_))0x5t_@`6~L}4w66K|AV2L()uG8jSBbvUuZ1oKRQ2OvRv
z4$Br2NM$pLg(br#j>039eJAz%28EAk(0{z^*lTJK4pJ1f=KcQjSD>;a!mr#QSV_oU
z&y?aoDY7swm+}s>$r>{Y5qcA#BzcpYZu;-<QuG5Cz9hmP6QHI0$e1igocD}DKcKm7
zo&$=gwA|a49Oij2f2iv^{we814IRD2rO^|q?SS1Y7(*zD>xG#_HP<O=jGl~S^ERJS
zAi=bL+(I|mL3zOpy;a4=U1XzL6=!}!DiWz8l5D;#HHaoag<$@2P5E}hN%PCl6eGH4
zyvq~U(N_dK?~3MXpD8})i1W1YaS++faD~}p2)^IOtVpc#3sygeW^5^$OxnZ%{Y;*9
zQLc<-b6TEU>z(5m9G^~auctwb#a{t}8t~0yD3g+N8fosHHupU-HR5I`>GWpZ+7z9v
zh2?7J>@O0VafmW5L$8e2?LI15JApSLP{GpbI8zl5A5ej<lNcNuCihb~#HZAsyBZ#D
z9K3I=t{)=h5|l28i6Zsee^Co(#whs}Q5bM3vS|$&jTsql>s3{zm86$DobQ~Pyc{rb
z^9pSxs=_L8;VVJs?J!X_6{)-a=4((L<}f*$LGP43XW+a8teEf*T-olB)(?5!HiatG
z>U|z5lNB<m<Yl0TlAUF!pVtxS&p1$)9{G%*r@Ejq<$Pr^nju9-r^Mi1s}&d3^4+E6
zmx!#)_b1FL$~-3Mf<#OUOp#hx#KwLhB569hYBs2H3;7nPZ;A2X<KWVkzavz@Rb=7I
z6~T}?YIA54*;YMr>@NV27EJ{0=4dq2Y&1UvJY;Q;54~69=TuYS)>{P-T42@`j~T{_
zu<x;Crd`82s472Te^f!LxPE^M*I8*AeGb>TF4^~yV6JG!dXRPPZ&cZ-=u(w!#{$I-
zn!uIluG9?Zs5a)K#f}O@efM-uZ9d~l`nKbBx@TlLP<H~OV^DT?)#XTBZ^m+VNc5wX
zl#15F&fZPehX+#HWfW`O3wdjls~S+<dY#tEvZ*;DFIHVutw64Ts2#0>sPzz2u41&5
z*m^8x%gV-2>!Q1lce%z8h&8+2jk9MI&Fh2mH|dl+<S5)aurE5AI-e;e&`mUBZ^hu)
zidX$=a9ixmCwF#*nI}++3TM^HbYb$v+w7kJhM{bac06^y;oeQ@`Lb_uZZ}`$n<iHu
zQZSf(oq0U;Jdp^>hCt*5Z6ABH9y@nDmimnb&$4BXhUA<>1%;{7BKlMUf?AOmZQCzV
zjV4@WkDf6)A<YCo*7HVRdb>OIy?NZfB7j``_;+Lr|F3i@I=VNUuuU-Xh$!NeKakY0
z_<XtN^DM;hmOI%S-v6a%Pb4OPwDg|>{6E<){|@kl#VKi*W8pdfPXM1FeU=g$gWRMK
z1o+lae*u2vVfDWOK9cen2=MXZ9O^)T5B*PoANL3FW2F7}@c#mQFbp^l;0N2${ss7b
zb~T@VHp7L}j=l6dzbqS|8qOHHXP}nOkoxyYAFb@u?y$uSWMf1jkh|iZ_*4}X4Fo?s
zS`_TT_@m}e4-<4hdn+xSWDaKmlz-v{e9IHZfLK2z_cDudF~YhRzBjDQdvYN~r{LuJ
zU@M~VKK9Z&AXx;zH5ZzqCa|J=g&otV*6#Kj@;tKuT2*W9BTql!#LMZg@&4?`{`v7H
zXM?_~lgF6Pm-qLNFW2yEzJgF2;EvG}*TjDV{Gz`ApN$EZjF0jU;3uX8dC7tRA95}d
z1o(t@G`**Wp4LfJks0flAi$Sp_y^!W{0;DX@a8OwNB;)+D}M+4n8M>SP5D27zx@aB
z!{h!A_?Tr`f*8kycXdV1>5MTii2g70kh;Dtuf8!kGjgZ}&#ml=H+qjt-$(|eX~~^{
zGbKJ~J<yI8xjt4+Bbj!iEW8bhEyoY@cB_^!zWsEGWmr`zmm{JjKHxYF5@flpd>CQ^
zqFk|I@J9ZJJM3S^^Zo*S#IZksAIAa$d`}fqeB6j35t}OYaM8a5ewkvKHXZ-E)9`%&
z2=Egd75@$J&pvGa0eosS5a55;>SY|p{u|&+fB-+p=DX6TwQmjn>Lm-M4NeQfx?0S(
zHD=_sN#Vv<$XDxOnZ%iLUxllwE8hufw>5=WDGc7s)Bg3Ku*}mZ!vZ<XgP=vS|1F{9
z?@8(Zlu+`wu0PiBpE3x2^9rC0IaH`EpWLq>>SCz)!x9pQmIK9d%HoMdG<Hd><Rn#O
zeV)UU#SjfG$a12(;%^UjZR>@-k$tYeFStq~45=W)9gqA}<ObiEn2cbeoRF(9vFCtK
zo$Ai@_Fn2VV)1F-Td{MIk)Bo*IeC5POD)qPERY)y<;$2GK%NOvTCG-AyQmdScGmmg
zl?k@b$j(a#c305z@|$Bvzg9u_D;BYWE8eGP0*cfV{vZ}7HXIV8Lfa_>>DiOlWu;Y)
zNPwGmV<ernO09zYa&WxqqoAeGT0h>g*Dv#N+Cg2scUxK-f^a%e$q%Cu_}aSW!nleG
z<Cz5$YXK|kjM@sL8MQ<koX?HVNj1yAwSE6()ZxFLuk#P}{`bk(`LAo?&kX$MCi|bP
zg+J*8|KqjrhbZ_zUJHL{KL6vj@Q0`IKVA!e*607nYvE6d!hd5eF#W65$A2=%{+8_e
zw>8NBUk(2q?IzhOSKb-WUGSeRUhxkdl*iUsL9ikQ--~T_Tg3RJkR_t)C#wv_78alw
z*sNy`XWB4QQQGT&lp7WeM*dszinDV*rDOjfV{(KFI}x%+OmZY_p_q#@oKK9={^{ts
zK?H24t-p%TU=$UP(PLQaN->QP@}+$_gI`1Ij5FC(&TdM^6s<I&6EcNcz{XoGxr)}<
zbF@Fq3u(|kS3|qDo4z3M-}>A<B)@n_#>3DcDzO?swX)@COg-^GTGqFMcMIHEyw3*2
zladf3BnOS_0&$->*&~|1>i<h${)@=(3`$Vo-kSIy+`c~n`@g#_|MbHjt(<DETY*xU
z{z^0mJ~LgGel8;+hmmQF2i4MYy9VTgQkmSpy7BWnohE+!TP>}|*a%3^?FA-Cbg>+}
zquD*S_|05%GxJ;H^ggEyk<bqo6Ip_w#7ui2ua}$m<A@n%9#YQ?X%Xjm^Orf)T)k76
zdhOZsHM=8Iq(Z{aBq6L+oVF1KD@j2toy{3vEXQO#A&N6TK<Zg&^>bDXdZ;jAs#Hml
zXXu4vh;8f9n4ujw47WmMZ?|m;!Xuc~9Ac9beo_#eoVfO0JAx$EjO_3gr=86BfNq40
zSI|K!<7_{y*-jN%uq7!Zh&2Ola##@r#9duK1#Ro_Y0Dm5u|E$CyO~}v!E9&>8rfQ_
z&DtU;XcWq{obt*cZOtqYHq1`PbXcplXAhB^TMhRCG6g@62Rtwc!sFwQVYybapq`q+
zwwBPcbRz69v@KCovhv;J2PRme<-MWN#0`y;Tf0o7liOs)8s<F=OloQ@P1Ej7`N6SS
zycZ9ihu!7$UfY|4{)FvO^+OAL0-3}D4`Sam#=#BGa0|pEIF4EyDQrAQBYDqId#bIL
zU+h~49cg#AB<!TQo|JV7Jv?J|#wKdAk}W@-nljNp7{LQ{6f{Pv;(5fxep*Jl>o|eg
zGZqW5k1LoEE}zOI*>f5B$!RniLS`7OcK_~3U7!8ro>|0MVYI|0KfWK7q4Uw^TG8tm
z871A3XM|M#5q}dtERkCbqDX@0w5Ji-)LZDN++UW|EV51|`G>$ZSzOL1KPYxaVuYHX
zuqQQd<E7AckG1X8UpniG1gO|n1>}A_tnwN~@m#;!_Xf};K(ey<lL{@)xn=&qS8K6p
z3%+eZ4a`g-&74Y+d(2$baUm>Tno?-8JaH@3n?6y@uWU<ho1^DUUOQ0P2PU&19t6Um
zSwgJ~Q8Yc_37ir!ezfdMC+l`eMAiQgVW!NDxb7hCt^>V{Ch`2yd2ynJ-}}Ml@}_fp
zRy`m)o0L^Rn2=Z=i~nR@2O7jMl(o7e6;M&a*cx9B%?f_I{aH4|+%yqs5^}GphPYl!
z(JUz8-lXBU?<49y%Ehp=BZwQ5>udpKnCcjx*XD0WbxD^S*4u^i)wyZ+t959HE9XUE
zk^$AL#wx7g@%QYs1INc!ybD;5D>SPjXZj0h6yz9UV#W9gU?@2KWx8*_8D>IcR+v$^
zy1!8)l;0rl!IG&uZC#!fZllpQ%@@@{L{wL-(t{x}@axLsBKVapgRc(`?-swH_&hK3
zV+}O>FMIDkmER%rJ;5E1=I86b<DZ@(-`x$GvXo6}0zNAbC1tUOOT~o1e7HK_-F~~n
zD~jbbZ=?%Gxid=>bFv#?bbHIPgl{o7%P_L{YySOGQ8(7uxvs2qvy;-jaWVL0_KV!j
zHH73Oy-tCtPFU()C%D5F-^xSih}!bY`f9etM_s<x{Y$6&!>hT`?haUd(OJhjlFR|h
z;Th+q)ohCFjm~$wxy*jG^~Rg)yw5XdDrLFcX^mw#neo=m61|pMQOfU`V)x>-j2j-S
z=ZmZF-nX95n<!Jxqh!J$I$}uwXY}Jb5z3XH&1N7*HJ+PX6AlAa$A%M8$G%46x=rGV
zg7p!Qr-SvhbTCw4spb5alvuFO&L>)U0qkPO5dG^N=}cy<_y=Y~8Nwk5>inOIB_<?R
zEmWgU;YB~VS5UQuMlAY)$}m!TLv~w`4Q<eKh{)@Ln~=l$FeU4pK@*sKpASWPvZQEX
z5UBR>*%u>i%5{wQ@%a~*S_XzW6)PQ`k=ji?4Mi5g5LqpLVuUQRNidsIiDg}7lG+9?
zJ4rgIBB6b{=d!C>|Ex{E3Oy6JWx8T;a=j`^I5T}!_%H!y@wHH?4kdH;4xmLNPbd%n
z*mvJuGs_LQ-@6ABXEI9~yD&gmdUqASjV*ifk69<xAPOiPv~w@H&XnNk;4HL=&Q->;
zijIMl*fx&38Wv66r4UhmSTgoTEQ6HrLXH)a0NaxXeBm0cB}s*#{G<$MG5#iBmqD~L
z28RBV_M0pQAj!sBFJB7ue#H12B;RjxLC{CO`~VCEZFnMoik7`A<ep|ZNLlU-#d!n8
zzWzO7q<&HZuLT4?l%T-Q-y>uHgergEUhki}{sF&{lii?FD~QlrZCm__Yqm{9;wERz
z<frt%!DLfh`zx4ivF`7%-5j^N<w)V)aa6c3JjhuPr+G$m3!qTzM{WnKknhhudBDPC
zR`e7n$U~qgIE*^W?0JS0KRR*<#g{J)8Ojf5<3(8YX-XaothD3lq?(S{PL0Xk#^P(L
zVoG5Hkx&T|>IFll?x<qzt{!5}g1c$kd2TbNi%4iRMl{EA5b-f!WEY3E7}5j{^32jV
z`~Ia06rsUKu0ZL09R&Z_f78Xn)Yg>c&+DHc&8en>J%I!+XpN3U(#zhKrZHXIwREXQ
z+hSHyMr&@@{cAh_?dgP-S;idq96TIcU?6QM0(uiM>Zg*V=0trAT7Um19CvfKj*XhZ
zIZGAgl5w)EA3hrwD4lgc_anQpDKfP9>w^9H33Wkn^lTUoIPHz`fQ=ST6q%p|0DD$!
zGB@>1Tm9pk7tU31xU@X#6pa%^Q@eDDOTJ2+5TUV0Rx#ywa|mXmas!4QS<*|i%P39L
zLM>Z0BY6xIDjw)YZfJ;OjGIZCY+=8Lk|y5m4bw{&WfhVK`BUqSK62J21C3b{Cq{nx
zoR4E##IW!W(_k%S0)5qAE_3!($FtR!+coGyQ?*32^G<$rW-!yh1~UXJ2EO`NFO*g3
zFEKw506zb2wrg5FT7dV3{^mo%IPOAceA3aN<<(OMIg<Rloqt}k!ERUXMg7<1$(dVQ
zjomg9t@gsNOY3<vAM5@ef=`V$V<(#%$1Z8u8{cY8osl=&syE74-66tp6@r~Dh$hL|
zpiH`!v1q)JwyYB%Q}gHxPe%?h8fX`dyh9?00rCztd2lMbiHOxG&7hrMUY^@xruAbw
z{ob~$nV{`abv(0(9-Ypm<-})jI8>P~dNDs5%9F8Vy*=z48Q<(2<?nhaMPIx+dB4A1
zbz~C-sym=3!x0^i?U>@dKPzRw-kqr1<<LW9`}{tPp^3@zdG5~^7I5flf;>;zhT)(_
z*QJrNh#53U{|GpWNKhsePfex+*<3r2*7z{3W#kAxK9P8CTPuBcTTEabT~O@;t;Tfi
zBw=xR$XoNYjo<h)>bP(e(<`ksO<5x2r<imiN16pAQFLqh*{{x`Riv$sjh4eg3lEqB
zVs~RH#mQbHQQ#b7*Nf(^Pmph+QoM7fY{OSl`E;E`p4GS%!YZe5ci7zMV6Pgz>zol9
zc%5rDsYAHXOTpQ3<a!vn^#&+{jEe_&%uM$<%gIyXpN+S*kyGHwiO>g>xk*)8E$l*T
z3eQy$6^8Ndh`6F{3qH9Vis|)cq{OXyFNHZ|@VOSrd>Qa14T;UeJ#*Us;=hWOcaI8_
z!H9UzBwOy#+1_YBGX*LYPx>@0-7M?x&_+CH^DWF!?}z0ItHOrsC5GE2lV~Ot$7&PK
zwpp8NNW?eb<G3e5OuR1m?Nz0E=gGXiah2YeN%PIzVuj_%g9Na(>M$I|U5Jq-AU?a3
zLYf<McY6*@h?#L{__lDA!H<YKhuki+C`fe@WvnwP9w=5$3bI7rlTUexa?MVu#x(ZM
z_Jsy@yw>u}>E8ydLSUA!tRB&|s#)8nbX;is)i?u8gDUiRGOM*f+a+p^|Kwt+_^?bj
z?!C7W*ea^gY5bE@oozanHZ@M<S<v_c+~|)GX-OVZkI4G<-@$W{o5>F8z)#F9wz_qK
zLG`BoU$E8nN$t=(X2mUg4DhLRo7ne<(7i&UMal+bdp`;(YHt9FSTqLcE)!Z+4Y8@2
zCe>T$SeOnp1J*4y%a}Qq(Bt4s8fzli=zm*WM^pbe?wt8)Eu0Yr7HwCbfn8?Z@UD#T
zTN#-N4>7a~J43$dkzGhd{8XwN?YJ&(sW+!dQMH;T2OUT+UwIVu4W3iUz+Bx|5326M
z|N6L#G0I^h!6i(Qacs*>_t3zN>Nb2m^1R9-obHjGtuSN2{s$eOvtgGm(%3D+0N{Jv
z#B}mtP&kiEE=QiPQrDJ&$#*^25wWtsRNsaQSE`U%VA9o4nhtJ>AU?Th?re!PYHgVl
zzkW}7^4I=$HYZ7sY`VE5%e!TokU*ltV_U0dK}>~KnRD2HbfmP7$;@dK*IZypf>JUU
z4G~I_KiiXOP*R%jQJKN33w_3A8P|!1^Nt$6oZozrgM#Q235Oj$Xj?FQlm}vQ5-bcV
ze{q2nBx30lqsHTaiDg4-g*wj;<2eq<ptVIF@8k^KNICY2H+#pb^HXor$JPufWOele
zxi2wN2@#RY<F7sa&tFCExYlAM<%dt#XLXws-KaYi0NL_+Wa}?D|3FE25H9|8kO7pw
z1t1uc0RVqB&<Ow&d*e?|_72V<gmASrvNN=_VYYHGHGf}v-vXe@O3FwAz`(!&2A~Jv
zeHHK#009pE*AsL=f}T*YP*9MNQ1CD?(6ET`h=>UA2na~X=%`4@Xvhc%sMx4z7?@aC
zScoV%xY(Gu=$KfTfBg|K2+(IBq2QpP;4qO8kTCzt$9oq54Hgg!27mw~2Y{o2L7;)X
z_x(i*1A_ux?OzxCzYZ{P&^1ECz{0^JfKF&Y1%QJ=K!8I+{B_l!vwc9n2SB1hp_8$S
zLSrZ!!jL;+vVD)sg{2Uy>Bdr-zNBO~a`K0R$Hu|M!>6LAp{1ke;N;@w;pO`%E+Hu;
zEhGE+i>jKshNhOWiK&^ng{76Vi>upLcMs2iz@Xre(6I3Mgv6xel++(-dHDr}Ma4f$
zN^9%t8ycIMTUvX1`}zk4hlWRHX6NP?7MGS+ws&^-_78p?9vxp@|Gv4syMK6m`b)0A
z<ox^bH^KgIa-o6b0*8czfQ0!=E->(~pay{k2}Q;VjV`JTW9W!M&h{M^Q!FmGrW=le
zUF8zX$Y~lLo04Oj>gq4i{z&$p6U_hrNV0zu>>qNi01zR-K>s`lG=MPRmA&a9Xxn<+
zb5lH^uT@}WzE6RJ&*tkDXJ1XE{|T;bza+9W?$%rrkmvFseMe3SMfc=Mx3bf{?X13}
z%2=*sah{y1B?KmxUw!C};KAH7-*>DNvFc2Kt#N}YWU$rrCWX#SVkc!$l{zk+;L^ZN
zMTuCS#6_LPYwJhD1*W&uWk`g#qvf_R#);5}=JtkYKj>kvk~ML=k4H^hDgGk5#$g7k
zw5(`RNj3h`4YN;2Zw5DS9ZJ<MO3_*Hi|vLx_K2$|3(Cj7#90Jh{b|QkY944BkdN0(
z%%y9Htg8!c_Gbv6y%)p|Fx+dxqJUQiu*0N68*NUolkx%jw42_nmxB>P^uALYP%X2k
zH}+`mwIeILlC96M(UOw0)A$E?;J<745x7t`KPgd~PjE7Q+#&8L)O@jQnC6rt!EvA2
z@B>t4Eu2%%8YeICY^6!R1A-{#wwirjkWzRjcnjFiGM#tS1HD;|i#JY)>8D-N1*O18
zcAk}kanGH=h_%@Pk3-Kb$MgpsyGSrSjnwyA3peZJW8$;v5zozAF{4nTK4T&)2st#x
zW57J1#Vn{W=%w&ZQ-sSqAe7JM)8S;krIvXRiz^f7`Prs?Qv;feF$SaoB}N!g9<Dk1
zfQXG_(q+tc)Z`0gcHL`Jm;k>+qo-NS&S*M6ks|o!^4;~uazh|`893U^{4_W>{io=X
z-W!~f8<gI6K=_q=@f${1gJkW@X}j<a9fwAxmO}|WY{fd!k7x*Xr6!0f+!NjXvs+-g
zIp_L*pIT#eZoKA!LufcJ<Cr_ZGwq@6<FqRY;>*`7sc-?~g7xD~#EKVN$2$ghrlrAx
zV+E+v{t_K=u-`ir_m;Ff&`^z;{ku1vD+pb0Yz?nzZy$O~AAlzV!S}t~HCh^j1-*7x
zEn#mL@!Y(;5SXphLKVbEc@ML_8<cYmMEo*~F5{m+&FYT=8*1C5Ep7F)lfS4@p}+(~
z6n-pz5xE3b?8sH2XgnlHw=bT7apS9Yyr}4k!Khq8uXTo2AwK-LJWxV<(YfUCLviu)
zfqv76eu$9`KOb28i2p&3t6oM|@<VOZXd7^cFYR{+wGy;@#P&O&2L;xhqW5~qTYl;`
z3fn7P|Fne^INkmupD!cDDUsk~53}-*)UY&V|L5-Fg`OklL#60VqI&&6A&9G>7yQZ?
z*PU^KkF5(#?ZVF9VU7-DVFe_uNS&6e!w`jT8>Cm0Ap#Usfm(N+g@*}N=pJfu$J{lm
z4SgBjaUq5sErf_!*4x?P@ej&=W}Q(Rh*v1V#q&bU8+z7FDw^*A6B)tV)rPT2QxDAV
z$cHLRt7i_Ys>aLR1lENQ9r^7f^)P(}SJ`3pok*6%q%)^X9G0$|aKIX@{m>>l!Fu#C
zOp36viK*``?Q?eS-7~vF>*WM7B<@C&TJ_Vvu80$$t2`)rZ4Iez<OF6|HpC+v4-D79
z;&h|}frJlDQlJewY>ltTACB-PlMF4L?OpT5Oy}AQK3xyZ_+HZ_BCD5X+*f6LyIvLz
zsz2a7i>!@rXY=cHTvhas;fT$>Ry68pd#H$S*@HRs%M!EoxpKJH2r~P4<+!i*0vVqD
z?x;HpPe_)pQ|*Q8E-123XOK&%2lxpBy1RFBF5dxtO7IW0o1dDe1r+j6xSkvtyqL57
zFi&hmD8t}cVIANeYo-<_^+8n~9#n<Vy+4<`OLa9qC8EB3Xj3}1=10`p6yTO7`#!_@
z*d;^N1JEcjfZ^P4wHn<a!F4}>mYS>ZRxV!mrkOtzTHoG80LB&LEl9VwS#+DTwZeFV
z_f=lQ@PA9b>8#rJyQX8ZeFcqF_Oo%CK|O-S+p=*A`77k45~~G^TAd{=y?(|^24fIK
zqCb%^5}kk6rIW<nSmz4rJgDd)MrMw)4K2NbYvGB`&UV1@2Zb7A`_&NE@BNtGXBOxa
zk~*f1fbD|X=KA2{g{#vuaVHO@you9zpm4PN4rR-J7fsqVXfApqYrop;@BHq$W?8g+
zj8I~QQs(X@dYRGc>F!ZDbAhn3zShDx<B=;0N$Mu{EH$cjV~gIPE;QvA3dD@jYnj^Y
zdty6r>&ExtY=8|K6J4Umj&a+E`XMs3S50(mt360eIOW<QEID`k%A&Zyi4nmhbbiNE
z$?P$BzH5f~@(yspe~?m{YsayC=6+!BX-y97-I@5Y6NRkcXg0HXmb?<Tzyw_MV(jOU
z`BAV+XCqB5q2e4qef16q^lNDMyUOkr;<$>+4q_2dDkZ6Yt?Qn#Qg2FTvV~vi2pSoJ
zvq=4bHh>^S&u+{V-&r+ezJ`;<I>oWBwkqGY$g!#`dthh}m9gkpFf;PmT|&%hyy>6|
zZ%~kaqoG{$!AlA_?@AC@KYMBre{it#F({l;Wnyp%ptP+=cNx<)wemKlk8>L(+ofkk
zzrxu8tZ=peEnQMP*pY9<Gx~Z~{1fmx9rg~eW)O5903uDl5x6@lbE4oMgZCVtAHY#H
zHqP!yW*v^9mMoJ?k`C<CoB_c3zCVKh=F|U{O~@p~>n-eumP!4qms@QSU0dIhFCc(3
z9ZJ)9LlR~ZGIsQo5~9J?@kRWyyz!~9$30!joufWl?osWHyfOTw1^;s!TCkp|jfoS(
zFWMUtk{6zbmYpzxPfwC%#oiw;*ZcTiSc`PDS67eKK9DdD)ygsBTbrA%;X>R=FX9b2
zR=kkpyW?z=oGyA*x`TFOav7DgjzQ~b^^&dL;7aqIboD?lG5eCaN3}*2FI~Abu;thF
z)(H?C)q8l%wcKF56yVYVMtE%t`YwKM&F+KqBhVIWEJGVg<Ql^ugG?A;DC@Y&JI2=!
zxfMoOJ4`!IFWKxz(Bt}9f}q`ab^(#soF<|k+6~t77|hV$&_UDPiQ&uYjXm!|L_Mm0
zSuVV~C}v>;zv7cW+61lw4`rlH$qK{R0>cnD)Vs}lV{3Qat29GhKg;ySt-Zdg-EE^r
zyXC`&M;Qmeg*Ee#p@<q=KRmHNaeXtKc?T>^zQp9ULtUl!=%Y8Vpe-G0bu`RR1bE+Z
zThK(ttMIHBij>R5+?TdZKyURn*gY5z0Ew>}%I}4U7VF1-H#R;Z&RTwrTPtuv{@IWF
zZDSCGX#*QrO-+~jXE@u!NETO1?mbEvA4}wnjSJ3OTBbCPDxCMpgMRP0FKl}k+Gm6)
z7G=6_EnXD|`cgaubZu}nT_qQ?1R2jTyJW*X=qcbT*)Xd}#yB|PZ;3UrQhM_}_BqDM
z6~1(e-ZuTXMTvL^SY(G}Az%81dP{MK-&Dwsiay%s&RlF|S?uxlX@9&T>ot^t*%u0K
z^I_>rQ*5r`$}H8i0=I~qPS*}h@HPxjA&?n4hct1F3xD+5MH=jR2Y~L`I+8wqk`Pbg
z^b#G*G+aYt!`ymjtx}T$U(Haqp&Xget7hjx&eBcPc8o2*Xkz@UNQ{rg-a-rBBwXo*
z$8OkcK2ep%Ky(g(WHv>$8GQlLzCIrLPhFJUs&>PiBTp~=jT2AT%<vzgEm`Lrp&r`p
zo2ePz=_Ft8-7<EeOO>t&dfb{;1QR!CrgPgDj5S?GJvd>L<@OAdEHE2QAc^6BabCyt
zW+Q;`)zI{kT0y(F$!zouqZ0>IG|Vblz6daLTq`mw*}Ko5#>VZ3z2+Rg@9n%*54>6&
zP=a^w>|YQ<ZN4Hdu2YQu)m>}F{ngW>F^CDjXP*$=kiOeE%9${9JhD;#wt5oyGcVi-
zo;L5>|63CXKiN_&*<o^4O6d1P<LtzE@KTt|pSN|Pt6)6a_1KA(gUO~;W*DjAkyIVo
z%S+h|zg?lt0T2KGwjrbJ{EA@_z$iMLI-1c~ImRD<*68&q$?vF0E3D{Ws~ZU&nZPE{
zbjVF{#)3*TiD7Pd$iCwK)DV0;V;vEp8D|o1`rz!6I~7@G*zlp3G{7J17QC_3>d>Tl
z`h@^fdPa`Au#}!0F`1?}tqXvB(1FtJ%W--0hCEdeqdRL7bxLY#+8*hTXzh<|0Wtgz
z*f#Q3eFqfByl{Udd8yBT!=~xie{z2Z^nP`G2aL+z`eB`5d-g}7S^6^1-js#@($rF_
zr+~wRhC(JJM3*AHs|10h1$T%_w=en8)Y_mErCd=GRl?A9*R^I79gU;$0kJy_L=Ir5
z^FR2a6V6F&OD&)Ci0u>MuqWM=P-da2yUTSeG#P;_L{@Sx8n>we7~5_qC)`-c%4{D$
z=n`|P%|2V9;{irIL)Avf6fhY?$Mq(sHiuj(%H$jrArOLwU8%oi316<S`CZQ>5AF&_
z-Y8fNbB;!6?pjv#t*CAWRk}p{uq|v2p06bRQTZ$CrG(j#1y3ioH)&|H*{?@G=N&L*
zulNq=YJLX{v=i*!)fkq8=JnLsi;AkK#&nwOJ4-bs2H&=v({+Exw$TK<lbV{TDVP~d
zWeLE4rFk^<>pv0$k=_AIiy*BR392;}Jt%EOgk@=Z6Kp@4x-m{X=|H7s6=Y_l?Fw5k
zd3ZDYeBoHgqToAfeZAcdCB#8{@Kg6`Im<9=Q9^qNcteeX5t(~&y|VB3v@5L8;=D-6
zvuv!ei2NBtE}l1`{zacv>@j-GeUx=L2SppCsE=DpPw4IZ?*RXw!VlrX+n*jV-U6$T
z-vL{tC~xHL#KI9-NM_621KA{6V^pXd>_?5Iqhype!dEN<=Yf%Xb~?MHs!MOA?jGKJ
zu5DEjov4iE!4=ez@@YQ#Y-@Bj&<F;y{$*_$1|MKx!U4ZgV14_6@U6hBs!&%yILmCb
z2E!fxQFiD;qqqWPP*Mclr_$13v`1@yW2i18!Z~%4OQm-}uvTXO=#el2Ckn)|bt4CG
z)-~)-fpopS+zBoYL)ayjFZ=GJC(bu-rLA$f0d*n#%gz35Vqk8G+-uGNKZChUQ8HKD
zghJSAV3f=R=7ny{K|#|)|5kcnRLZV>Ovn$y1p3AlyK-Z(+-%F)x_Y~lNTRCO*?@|G
z!Z9E2JLtNZn^j8=eKZ-u8Sz>HUz*^ZH;tulvStiFjd2CcM<`Ys%s^viYqC#2L<lC+
z<#}jpcJ<3FV&{@pP@+A*Pb(m>mn&tC6?fgSTVT(GIBRiN={rl3Len4#vCg^CH_^h?
z7D|RD+}V~Lu3yDiQ{IZ%I+w2VRY9&KX!`EO3iEIMrCMuNv0W)@@!Hn-HckUtxV!37
zIF4~iYlS3?9|6Uw9$1_tp&MM6mZFu`#I#ejY!#L6X1!{g(c3O9_i^t4FwAxSyJ$-m
z^yN1;Z#L~=p@YmyizZL3Q7_x(4o1I=@Zrmt@25hvC-KX=6%A2y<E7Soz-EqBxem#z
z&iZqvvmA7tURvq=XlNa%32Z8rTn%nIq`|Hee_8iQ{SSEol;hiSP~t|b%E&HVa&-=v
z;4(QVJ|R0&(O6$1^g}!oZP;jH`e#@D1;t*&m0sbKfb8!6gTmIAK0zD8hbTK<ymdFf
z$4Dv}4l1m-l}>+O5qzFKqn_u~)jB@;qCj&N`(Ur&uk95atuA7Q@6<dT`g6rehD6IW
z2ITF2%SL<$G&0$|*zYo=uX9LK)y~<HwHu9eyXCgln&L46coBwv6@t~=jJ!?7i3eSH
zW9$%M5^0}#st)c|>kSQF7jd5{Y-u}TU%H2n$9&qrpQDC2o)$ZK_=UBL!-vy7Dv0xO
zzUV5r4Lh^KBipFi4}OWhIjXUZmCt+#G(}(-7+|Cgw*w!L49!hlop;xbVC_kt#i3qU
ziUTOUk-GfM%<+bvN{A#FzTZIjE|9?5PO!9l6&(J0%V%D|eR@1jtqhQPxVl`_OBkK?
zC39E*l<=I~I$t042vY?&?ThEm(!W7;1zoijgQjc6-Ad^sjiG%B%wQ}`;@;uKToOMI
z9Qf#AR}QxQoxFv}SZ^xlva;CKaeI`168f<9Y@)?_+aq7CK_j6j_Bg_}J_@MO@?#Gn
zDz`CKNI4j0=^b#HYC#iMan$FxxaPMj^+NT8@(O)(@q!TZV!a0nC6GV}p*=7YKwPnZ
z(R7u&0jb*X(kz9uB{l;y3_6p6{(MN)&8%xb)!%yb+!x|)<Op1sJG5OUSB|-t($g&+
zDKU<{=vE5*POc$5a#xV|NQ5MZ<TB+@_=aG%^O9NkD*p}r73M9#^XnVb;2Y-^bHXLd
zmU-ZdAaxygln|-r^6JK##^`H-#CEiX$x?Uk3Xpeo@%iMKq44rN>hi1JqS3U=1@_4z
zdPi=1u;_LN@BHqUjXjWKscv;f31n|J7MOxr==^{F!fU2HZ<LO?=xmZ`&cb$OGIx_p
zU{(}<5qBL#5mIT(u<-x{$u<uta=c~N=>e6Mxf^A7eQX}i5zGR=guPClEaJDL+08Hg
z3rLGKS<A>-A^gQ$o8j4dKr|WqH$&WQcUi-=Uqm~e^<~5WpI}mKV|%-<+{cbt*Q(PK
zIR&w0>V*nMd)q8Ii#$!Tc!C@NLtM(ReS-Z0CL(QKIN+b#W%kPKn}`tVJD@ta>>coP
zqeicD8|4x6M(OD);2j`Q;h}UUTC{e8?F&_17gpTXI^RG`7UtR36yh4BO1u}#F#U#i
zvf>x!OY-nld6s#%qb{unJ-%-l4;Jk6Vb>n22PCRT4wBcIm(t8RMey}Gzj>ToRhnBR
zj84tg*JF?F8%}BWU%jTwFrgf^CsCt!OV?~{?7zQaNe!$}O;k`-#pPMzx0CZiz5`a2
zLtLK=A+00{Xxv0i36Z6=y7l3#94%`?1sJw1io*|~8o0WRufc-|bRdE!6y0vR20cYw
zrypiTlk&gJpDq`y8527lh?I`?`?UikdGSc-Za7Z-a4k}tK4S7!<d4%CREJ4ks(!6D
zJuYCOAvNxBYy^@l=EgBk2EMR0UFXP{OZzwfU+tZBRFq#A?}w6Z2}K$K=@dj-DQS=f
z>5@(XNhw9TyF~;6LAtx7n*pRtKv2SwypQ<)euHCN-~aAf_Z=2%&CFWo^X%vB^PHM}
zzFV7M!Yva1n(3n=;(Q`Ok}<;oup}2YHh1H*#mY&L>Mg7+LnAAso3D^_4nAB$M<^>B
z+Jls#?(+gO!}^*KJd4t2sv3$8#TvztmlnO<jK=*uhsZxG921;@^d`?hdq?vh4)N-p
zPSRN^Mm=fP>@<4fILr>+EpnMGiKn>xs<KF&+&zXC#^$`;o`StekND3(o%^mp;hO#v
z!H3*?*V|g1%Rl#XKAjJduBm{#j}hsG_H}$tZ0V|6n3d}1`{jJ)X|GxgSJ-q*r7o4Z
z3}u?;GxU-e7NQEkbqqR)#^H2b&Mj%9iZQZ_(Gy3Zu1v>x#&4c3LiTk(i9~V6+M1B|
zf$beeocq2_h(=^LgywGon=A3SPBp0HX|cDX?b%Ri=5|1;UHll=#z}G@(kfc-9w#-R
zxTvB}ULjoh0G`qQY8)7kK>Aur1p!eH=jF;8o(<}T5?5@<ygX{ZAqB1M*rH|C6|{Gu
zf`;QOeb@+GaNwfgQaZCw`I9l>c#*E}ir=j8Us_L@kGs-$|M03~+C(bXka1Z8(|#St
zI(7nL=i56B*3>Z+0VL7;a|>1K?m`9HoYy-7`EQe!bTCMeN0T693<5K+N2wCz9w9a^
z;w_59;7_cZOiZKB*~~8sTa7VRN$l;qW~So!?IPhE+NNEkH4#qTP0v7sR=TJzQK!Im
zZg9g!$o6Ue#=WD*3nq0hA*S<Ro|cg+eZ0-cYe~z@RNxcoheY;T4ulXXi4dhrvhki^
z)EXEZwlUj`nG%<x-kWzBWpQvf?O<jbun9c+w4aV$lP|cdJ6t;TqN1iY2&}5m(r1<5
zMJc}6E~VPoCpR1#kTgGwYhKShuvr#Dc0ej2Q}@iIqPoJii;At2BB=dSxvyQ`R~w6r
zwZj@$m#8B-icPfY5+p>uMUHEDwR1}j!dJ<6l3g6qAZhFF7-@SG5Mt)Ex;4~8G@|xu
zbQbX<GbubaMf&L`o^1*z3Rj!X#bv>mcP;ZFDvnb|@|Z3UZ&>9_5>!>7<B0?ki(dgh
zLP`3#c+F7Axh^iysd6$Ws+sIcsB5N5s^o$~Zw!N>U>-sxlRR7!+H5NvSQAnsR_hV|
zuslj?xwM@tn()2?Iw7ez0*k{iRl$_m0im1!@=0AxEz!6SQtyZz!#iGKQDi-iDG>_O
z9683PHrN*BZ@%uBJs>|a1Vp7j>!S?O?&yIh$z8=swSrT#S$o$QYaV_C-MrP**$Z-C
zJreioy0_DRbVz>s;;O6%sV?`id#$f3B;jR2@+*7Cq%h1Dk7YJ}8=6zvVNDu$M-z1;
zt2$e_HF3}ApVnyD9FR6U!jy$DKXAzOD=U4|h4Le@ksd<c+8H{<isuewm)3KF*i#Fr
zLbFxN%XWC?8=i6B+Go}RHiG@jWJTwJbX$)zr(~HzKJ;};2`TG1zsLbw5aLhFf?GU{
zZ3Au<6dK}5P^IQ|iy)HU(WX1*jBB<zynYIdh0UJBXP}UQOFTghCbOWfm#vQE0jWr#
z`?PAtRXZmy<7o8o6w>G;D(8&sITM%WPEswcEL901vO8lRT`0jUGy}{cRS|~5=twH)
zRXu)l`l377SN3!vrsRIJd(y{OfX%d%muDc7tkWwU^E@YbXP`@7^Frppa%2r5U_{7d
zhR{NXc42tFsO4!9?(9~%)%=u7fEY)|TMR>IL<)P!xusxJi~?Xc#Wdwgt!RPQPSSk!
zI@aI~T!`n0<g-AQiKeg5CMprV-K?+Z&j5=)-ecM`P^Ru&|1sT`5M+jYr%wpAVJ!~A
zc?Lo~l0W4UMn2{Y`|;k#c-mO8AQp{YSeA~=2=|7Lg~&3B*4e@9)yA)#7hD@knJ3G|
zy{##66P{jUVCTQV{q_umvAC0T`pnB$XeX`o47BJ}G#}>o0BJ|=#Yx8eERxG3;Rdks
zmga*Pq|zFBmFcHg*g0khArL9RUDz&D^C7E&`&*o{<5|VyPU=Nmz4zYV_770>vh610
zL4;QsjgIK9elzE*<ppcJ<|!QnSm}^F)CH4K?Wh5R)JcZmXr8%(_PbI?k{Q&-y<Q_P
z*eU?I?ssfX<!C;Pv)4T4hS)teFtwp#Ov3^rEVJKsD8JsMkl!cg-afZQU?Fmn;&^wQ
zKSX(6w?%D;e_ee>Y<|PxhCF)^y-qrIoZfbD@~X9N1+bQ}gUFtN?lv@~LFB<+pQ?rC
zlRfdh23dDZPw@}Zj;+1<4`vVShF|NOrOgMncnE*&tc+?IOX`kM@>IDC7xSF{S^#>a
zGH+p2lh@lcpU@zp)&_Kb#Ka)UPRtyihbjYljQGnZi(UL!b&QXHZa6<*pD?IVXV4Sb
zop<N`%S$h^kA-&1V{)g;AvR2<T4u%}bt<E9$ZHlIdoyx_p6vY#2o6LCq~opT>48e`
z1^YhobK6*Wp9n23pz3d&7CU=vqU{SoOj&<yz=h57=xf6+UPqT?shakL=tWNA$2zTQ
ziwF5%TTN{RD<E^{yQ4xZiXQS@4S2b;+ngA3(vm=1T{Fo1B34yEBOyG}qpMK9J?*W{
z6Pn>U8%%fZ9hyhQ-K2}vJ11#z3?MBN_e}AHyaZB&;txoULa?rv_^H_rAScgw_Bq>5
zwJo_bLrfi*YbQ=t0}HZv*uN@;^!ihH?soHA%|(UYB&iPEoXYGq&(_v-2mDX4aNDE2
z2jV=cA0boh4;L)g=!bVL6w7&^GOp_9n*GVMyt1qZu7gRfxMg3OZ2~s3Ys6nu@0{dD
z;A3bM`|h5MHqu~C1xS7b_GNx-5@CPUB_J=%2D%H)lfy%7T0F^y_GWM%xYP(o4&NKL
zTCBi}FSC$-Hc2H6H-*8`*@{JYlg{TsoAyipdVC0V<9Pq$`G!jnua+-`sao3RZrX%H
z9BK1RPf^K6M+e}<E-U=M@Q-{psUVGjco}pF1V}~$aT(2-OIfQx=$`qnL-+m@6aT-^
zz5j*o{V#OyzYE=4!km8C1_bQwFXJC90|9&f>{B5?z}{oq^ME~Om-B!<jk7|8hK)uW
zLu4Re@7=+Sc|Nz{o{{>^;|2eyU2l%^qV{0zs2nM21-`YWj7j250|j|%AW0IFHvJn7
z>ZVbN`(j79aw0Olk|@S~e9`pFc!kI-6J1l&>^F#Q`mRPjr%W#f&x<(MYSyz6TK2GT
z#SJ}6SLxN$(9b85qkA0-7Z<I{nb#}LDC2yOle~&2<0{VBHp0W+7#S`j3=^6G&wgT=
zX8RS&NL(yQGHR<YwUpe871yV8SiRm!YmHmVQ(7fZ#I%hPJx#j1&83*g7B4O}z9n<3
zr1gCU^*~<n5Fn;I9LwXKfEH_qcARZ39PcmnZdb*+Tl%@{nBF7Ju{?Cl^1Iohc~(qW
z!QK3cwenIqhecc;z}TjS-dQBfFWWw7Zh4I~yGP%VzJ#!lk3=_Ybs8LY8TUxh*6+}g
z=74RjK$&0@HP>$&Bg(>!I$g9Ee_}EwO|5D3aZ)WGn>2Ou7aE;Re00uA4I;jH9jQ74
zo~$FrM1y;$!7?{qe$p}t>eD9HQbTZf^@LqmFWaGX*)D?$ONTxrcNU+Gmslg6=t;={
z17(ix9SfbV`BEEW{t{Xu@rPjnk_u~%40wK<dDDGyZ28MN>_x%JitkO)oQxAa4!S7y
zk*nR3z@FG*QPz>So99e?O|~6O_wMNA+I(1wdeJM@;rl8**i%FQMUL(vgSt=(8r^YT
zFW*>lWlZ~!ZrKfO!SGY$kR-G;+0`k8dgMWgw!6<LaQlsYk%wNy7aXQLILAv3zkaYy
z%#A5R`Gp%R?Yb$^;!yD0Gp*_T+qZQ!>RDDJT1I2O;*Bm2E>RgeJ2Z%YIwcLS!z6lv
ztIY8@%aN!sF{Nu8rI9YmOp@me=>C5WYyT)5^C%k#XuAvqtN|)d=lZ73=EjfCqxQbZ
znMNy%$N{PjwbY-G-#xO898${6K|!@!@E&QNDVZ7REM_iJ)_l-UYc5S?Pyf<o{4M9A
zU9HQsTEOOg(3Yjh@RT2(v40de7Rf`mVY=srPiMhWyN1euFZ^L;ZM`PM{pIMm7KNl9
z<toxl`<ep~%%jpaKjvy|XR|2UMje}B#IeIlQ;6{{(x{!GkXfKFP<my?B+K8;IkPZ2
zgj7l)K!OWfYiquBg;jr71a7Ew7(rT^KiSHAB}>3SnfhjR`cgjlF8nO9N}>sN^bTJ&
z-B*n}OlG1Q<kimgVtw0m!!@`xNBQvL()(ILF%flnT9KsKj7^vi#KD^WIqEDfSdWLM
z=Pz4H9n%(|m19#|Ij8Pcp;wQ@Zlb$!_Hx|ALQ3iT7@C{)(3jD|@eA6gT3X&`s0I@(
z?#c_Km${@(JFf9bjwkmc_eNAX#-;?HeBe5)!?-%!;-^g-Qhw6urjO;2Ak%Je#koUS
z3M?t-{T7}iqJo7%J>R3YRgs#{S-IuFOCUs@-Zz%9AE{n|$`(R)=Hx!UV5{lOG~@f=
z6mZzjE~Vn=oGS&~sl^Kd;s3{_j`{|c#>$Samc|a>oVuy`&U#Ax@(j_M5RUdE(Z2AO
zK>b^D_{=zt5!I8*RM&AcBz>;6Vg-GR`x76OB@*M=&lDDF6xK?A?x{$1b|(;93;Q|k
z^@w6iyE_qMJpx}I^wq8QbawRj)4}bwKgSnBd(7nC{x+Bhi)tKOLg3&?nS`Dx3Wv@y
zg#xXP>}X7SVwFzU({A%xgy#;aD~Ss$Ub6zDzWvhP1Uuz0b*S_uLz@Mf{>)cIL)!t0
z{B|fF!4k<Nw@pV5Y36YHrKejz-HElU(+@j=BSFzu9Pzf)z{5epg-anKNY|U;x<BO?
zkbcsc%A}_}yS7hKaj@jxT+!#({&~Hqp-AYsrN{Gd_wb}<a@h;R0JQt*!}uh*8b*&^
zU%TR5%7HJ2y{%iSehzjEJq>Fe<zmgMfb&A2Vsc1YJ1YB=c-KWlfpT(Q-*Ki#_B}J9
z@*PI6K3Pjt73s5^pn78vT08N`*}&UKmh^|;%GyTj;`h+<?TQvp^ULb-p+R#WKk)5Y
zB*^xjreF?UP;&Sxp)YVCu}G+I-5X^FCcCF!OOA^t3-(Qz`qI++sIF+rR}<7}qgxiT
zpQj$v_JQPme04`5C$S4<mqj3ivg_>LMsl^<+>DI6Zz{D>eA~imtn?fCBb*+kH=1PA
z)?`67F1%kD>h2hy79_-k^{$xOIBaKj*LL$W@7n0x|Jv<n#uyxXn{If!STWvpQX3(q
zX!$Y8T6>kY8o32$8P58E{E5)hT%tR&oI4zRQ%Sko1JBbNSJsWERw@UZ8HN&#AI~b)
zb{EQ;er@;Mc$R9)bCMYzd!0j>Ae>=P*e8dc_-XZZkn9^HiUjovCQQb1?~Qjduc8uC
zdNz$#RFP80`vl+hs9>iB^jHe!wZtS0iFEg1W_~nUDeo<gN=Oqkv96A_=$6r$%P6Ek
z;WC>N_A9~QdfqLg!GU{M!T)NJYNt%)hPesHQ;8F<>B^2FzpxSup}LP@;9B_&p4Yq<
z!ra+>78Kks_<?t?1T7k4ZVc>Q6<=R-|6E8_@|ux<`o@wRyt4*bxqWJ7jh9L!v%?$B
z)6r;A?t;;1VvB;AS57^QyFs=`B8Fw}KYV_#0}lwr9oa={#KmHYm07C52kDy&N7M5#
zMpD8LzHyO`by1lgL}S*~>0_B?9w^zdEtToJt@+WcN<-6{sK{@e$f<F4#eyzAG{u8<
zQ=D{@xJI$PP`i>lp^~c<2-kQsp}9KA&?q~h`XurdWha7G2j2{$A=27JW>_o>`V(eR
z72T7#)Z3OvMmL;8M;Pi<8@cWl5YWpGK17m<iq?c1rB4}a2IDixddz5DwQ8#h6|G?S
z(jk?`eOqQ@<W*uxC=G)0*pe{?I2MlU9TzA%Bb&O%VxWXEcUN&!PFfCW{Eco`=N*bS
zkHh4WZkc;%a($*~D15Z^mf&ltQr=?`K`W=gu`c9%D%LLbtQu|&q|8<=VFFo{H&1am
zXqwtry6dg__}<P6_ON)J234IdKUx`XYwPf0ttQp3@ZE5>4N<UhTBpLd;8O|p?m!z2
z31~zRQ&CB$(()<qLa(*FA7lNXylv4Zs58>XqC4GaDJ$Gwdc%BvUQAT(*T=CA!sx4?
z0pk`MpyB(^xMgc^?C|fn^*U0=Vv6l@z&7#`w)mGIL8jZq&y+VieVSO>*F3$$m+y`o
z3M+v_i_Zl6rQTI5(r2kjEbP>~z0Z1E=gOt*TqHWuchmbdTW55P^}xY|w@n3dC7gy#
zGnRq9D)(GX(45JaPc38Pg1Nbtc;>O5sFRjPhRj!O?{$r%h`B0>x5n&t_tgy|Q4hIe
zN^l{5ViVG%z01xLfeU_;FIX$K-L5FzmcpNOWzGO^q%^!W>flpXZ$sNw|25WdX9vms
zc)<=w0przllASEwxTAUlW+uD(z+g7Cn!IhjE~)zV__^3ZuTxcgRcyX{xB>Fw*Hnbo
zTE+0>ZT(JsO-nIYs@V&&ImeSbYmf<Qho$d7DcY?jQbu4Cu3^@kd%*EIxwJBySz9fM
zuq0Xa%@%K<&bW0@Np>X#BtbD`f&Ybn#N(4tm*{#lmpL&nGc7E;hHXm5&t$4e$-=76
zT-%3LOPlcOBcEwRt1(62_iF8`grq!u=+e$~iX2tX*CwqaNP1GYRP*bT+StS=d^UjU
znh7u)!2zMb{d+(_-`4iq$V8Ee2uGg|`ZvTL7{C6%d}ZHnlA997sZ;wP^x8cad}jes
z<nB;!COwLs*}V}&xA)*h7ymkoEfybJ(U?3{6;_q`0W=zGdV-3Tfjjl|SZ4!evNB4U
z_b#WsuTAhs^&rE3&x?jIg8V9e&M9A;Ndu*lTD$$RlSM_1ih4!(P;?C!&b1F?py)D@
zRKX^z8&u(mKBD4J@~f9ENJlNTZVCF`Cy-4{3Z^rXEJHQ!Crs_QHgUO61Vwv_@r6=b
z05#?`QU%WP6V)8`jg2z`C;zCumj~6pool$$1c{e)2;nt!3JO);cu34uh*k&P$4sD{
zewyih>pqFJ<nvof^z-JWQT51WZIqqmdfJAM>j#M8ySc)}wamSiR*ua1uVt*SZa@t9
z>xkQC`v&(GA+A+Q`Spzlk@%Ie*SDmuehqqEkQ7;i^9X+B2^Hf+y%?ly;7SBsZLc;F
z#H!qH%b&PHv)5b9+~AU3M+O{Mh)Qdg4?J}Wz6*&N$0e)o>{pu`n&j7*X_Pi6Fhtu#
zw{xGg&Q*`Tj8rTvc+G^abnWgvX$}uBffM%HTel^mX6d3np-j0l`0vuKuxrV(#QAs;
znrQNn*SD&rkx@MG^oA@*)bfXUVUc@<a7pTLy9{o#48!G;_RDxbFgOF(o|t1NeAT%9
zX>@$O4K?w&I#|AcWvWN9#Sw?8ce?MZ2d6`;2sv7n?p(9KsN}6JpSzgr5Sb)GY#RR4
zktgh48iSYh?|${Jbro+}Tc#~HMf7Zg)PqB+4Wb^#%kEJ<yDb<qm*^BB?=ClIwU~nu
zd6*;biao8-dvdpg=AfiZsyoJ@i+^1(-mYs_V9Im}NDTXn8Kik5Dt0392sQx^D(=OH
z)X>J>_<v6+v_o=_6!|vDbZq;2AZOK3Glo?3@G`v4dWi(zt3D~)$@(gu8FjtD`Xe(2
z*bu!A;~2?#qatyal(y#CR0+pU+v(YRdHL;ILbbWwYuA$1#QRZ5uG7FX%VzAkiPtlQ
zE#7#>kEZi<$Sghr)5X4Xw!Z5{Z?@eV+x91SkOa|aw>ZsBmoNrRqTO6C#q4AWui+F1
z=OYHFRph94ZW~}aCev)2A<?7xJaKNGz!EP}CbU-olNW9x`DZJLB3%_QrWQ|AM^yW&
zhJLtoMdQY_x(mTfAcDvIC}_+{AP?J(Yp;K8{diZ(YgB#RS``naA3Y(X84uDtGDj$G
z9$a1#=aradHEdaA4c5ip8ugGvF3b<dLcH3sdXI0h7cGl=@wFX%i<_IXyyGsbe}}93
z=sl57b}dsIv=5VN4n9AUJCm(}M_$d-;*u8%jv~8Szf{vCKn4=K%#th+YMSOQz<XHA
zPg^^s(G$rl71u?BF3)!|wttX$Dy6>V1}U;jZVhf@(kYR;nP9ShWZGWm{e`sQcpU;A
zb>QHcLC_6QRsLp^IiN}JV0~W{L4Ek`oz@*2Ye!>iN8S6bw#E)R-<r6B^p5~Dh+_tD
zq6oAAJQF}JkPELXz*_6O4$ryl4s1a`)(P&<K%sHq%9k$`1A%0LQ`X<|iF}*402kMH
zG`F$-)upL-ZL`OKl6}DCDSjZ>0VnVN%}Dak5%lx)Bv8dXSbJz%UvBjRSANX}0ulT`
z^9Szh0_~i0zB3Gq$ht4|>H`jtqNn301hC+QMVy-gi`dCa=KS?NWzzhBxS((ZJx~uz
zD^01`r2uMY6L1A^PVd62{Q7s=cMNPz|I%STm7!rbfeLZ}GQv<^K!HFc^cPI~M_T5*
zn!bPdWo0ECBoqz<n157zpu}+C0^cg@Tr)t~(%i`S9~VNu`Mn>h<N9wo0kdBgz-vF6
zna_5?%<r;LKjf+Tr9)sv8KGwC0uAL~pZ<fp;Fj-So$G)9vOYso!%J8I$M^v)=0`(~
zxqm@Eug~wyU)HBKeQw)x0QYU$|08bb)}L|b`iZbj2Q~{j^uCh?|BO2q9D~KdraXq?
zPDTHWJJ&UY#ldF&gyO^{|BO2q2!zGK=0Jqvo=g83cdoPti-S!f2gN1G{TX*ISqF=Q
z&9wx@H7WlY_g(c2mIs^T1<FfM`@ish+45jhL_m3YTHkrl=k}+B5wOO=YU@K`^$-4R
z-1(CRi-T3OhT@V8|76=Q`vO=MU?}X3$pzc~=>aeF1sD3kU-kvR?`5#fE|7oQ%lv)_
z_&u4x{BOv=?`VHdCVBWb<nwOlzpM>Pi@za5rBGp;!|!dTv-}$}R9^J&$;?)NLxxIr
z{ymw~`fteReae4X&$n#;h76UK{FBY!1R9|)A=|$pUyy73d$hRSU!i~htiTEhLammy
z|Bk-ck$r!>q2K(T3oFA1<(fKN;QrHZoFgyv7_c=^3M07$#dW*>0(ZgA3(#LS2v{W}
zD7n||I~i8j=(}yd7rKBFcD#QpdjWfcuu&OM$kWW9%=qPy1pD(Hl#r48o$$ktd9Vh+
z{!|1l?wI!<1AhGB2o?al4GRTm6nzK$uqg{${KwruXklP-SA3xs|Fbs;Tl&Xsii@So
eOD~lEXVXGK8VQhy1SZVDA3m@c3#|C|>Hh#4)S2c0

literal 0
HcmV?d00001

diff --git a/img/network-node-manager_Architecture.PNG b/img/network-node-manager_Architecture.PNG
new file mode 100644
index 0000000000000000000000000000000000000000..503b184f15d15074e59a2c76020678c153dac17a
GIT binary patch
literal 22437
zcmeGEc{r4B{67r0YeSZ@Q`u87_I(nOC6dZcjD1M5@1e2{BZO>YNeE+?B_zyb-)A&g
zVlvjj*p2PJM)mo8zQ5mnJkRm`^&H22|NdyXxX$<aKHukiKVRn+eqURS`Yh|&BS(%<
ztKU_5aOB8w%_B#SQk^~p{3K9m^e*tvQP&4*w~rvZ*=K==6ShkCl#U!Jg`eBCI0-zT
zd3M*(^~e#LX3C$VXy-huBS-XQ)m4-pdYKW^bn+Yx-49mzz_QHZMX^oXA$B^qRc|-G
zc@K(FQf>~p^oq&$3Ij1C#&E_XHi#x!JR&54kH&}IPLyPBmv$%f)fWb>5Dj>8#^~Ia
z*DsVwx?si4q0NRzI}85ZX6^-xMgDU;L9O-f8=eOWzD2l#k55OzIA#b8gaZD0_tUEF
z&;PGU8;VkX1VSa9)lT^RYtV<UV{QGy0i?*T4&lbnHNKmRgzhxClpmj*ou7`@R&Hm5
z$=oSjl6e!&TcV0l&UpM*Ero8UOssZ7!@=H?bGpx5{+v>WO?lD4vbWzjg+3v5Mmr&3
zqa5L+xZS4nnD&8W3Q-=$eCxUhWqKK^+Sr_>fX%uTTECyi<3a|+dgNV6ptPOMCFe2!
z&C#w9D%vUu7>GNV7T*EhC&7jN*tmrE(hZi=mi%mun<+Ec)L-Y*G~dBt`9gDgfSLB?
zPC>d)_;DbF@kdIV4&UhN<kS4@!%nNlwf#*^5=`!cSLL9RTqmQX#;U`Pg7}t^<%bI~
zvggy>HNCw%GfD;CYU(Nu+?#jG2NBq}hl&H->CQ1Sh0*P^@lm8!_|~S3v9U8qKTd{+
z1#(_Exy3Un?BbzBq3@HglP)&Np0@DY1%7aX3mpaeYA*DYB5R2U_Yx)#bSG)+qCg*b
z0%nhcelNjEE0(umTZ8Iy=eUn8EPuklg7S8yn0mt2_%+$xW$<Gd=);{|uvQDr;hsr=
z)DsrR>V0#XdkTshYPWZ%!HwHnXmEq~LMi&@kFxKMxz=0!0pwT0eiL7vH?K5Q-(ENr
zxFJKF)hw{7iJ=IJjEirs#vyjCR>O7tCd-grHf$Zs=DX6zLATe#Iest3GWPmtga6LT
z^6FyU($nJZ)wjidQ)SV>t3Q^f&BEwDs{MyBrpOo|OhwD-SX?#n)@~Lw2i{pIPvP2M
z4ow-~Tl6%33nC1D0h9E0CCCbx9U2DERdU0j<dc(lG)Z3ul>yO*f_EpndII-Xox(vj
zjLXKm`VBDi%`DlZ-!E1_C~M(*rP)!?t{o3!VcL~yXdc|jq3wtK=66z~jeb0f_XgJ#
z2nC}KxQ-wg-|&s$6r=pskU?J~VGCzrzx{&>(mDJSy<)#xM>PxjEmD^pE5Us(-oSSu
zAbbc{M=oiJ^F8{|GB7P~V{>2_X0cO-jooum6h2g&+G0UAp@rtQ>xc7ZQ%tK|8B<*D
zb4X41S(z2=`;~dDVf`W70u*~&h*_U696QuV#?<R95RY$U_s7nZDZ~zqP|j*kwm^zP
zkL4u4CMt=eEFf)&jY1C=9LEdkr1}44dbc}cUihfU?NzarG2bO8&cIz#*MJVVzJBF`
zo9E(4O`h_$Ymb6wroyQT9dp+fUuN{$#t&!bi?kM;Qzitj)h;PvT&6<h&ewCo>`q9+
zvzEPH<$sw)-o0UX^~z=SCd=oyjs<PJ)i<m0(z<<hG}D_{iM_c*y;qg7+sb4<qUa-y
z0{n<6kCe;8JFD=@48_%lY@Kfd+TZu5a^j>6X#bT@?bS-FaI0*s_!slmUzO;U_ORxG
z{=QQpdBXL2gTW1uvJ)`lw&-s>nrmHkcWtzO4gAl+)@ASE=|f{(SH24{Fk}P}$qfQW
z@uR#^xmqJC1xunb?L3+@sn?^<`QFC-k9BAz+|@P;r;n+QKNCuyVxY$LY5-?*fC>Gj
zc81=m?-Zm!$xz79^8D4f>$=WQIj&Bb%w`wnHdHpucwr+Eh34uqk1<#F_XZhs<U!v2
zaET09gW&Y$*3$`@rV(oetADg(HbTH~Qlz`520q|YGX2GDzw3dP#(Ujk%}QMUgrD6O
z2-0bCSex=oP+}Xszv%0vCvVSuV^2;b^l7Z!)#?>_EY2K$1#3yK(wH2Fo8*VUxh|fV
zYu$MfUHZf!&im~qp!J(qH~gbZXv#Rt{!u}<JMq_DzD(aLZuUFJF=%aVnX!?8v(F@h
zY91ged0xze471E`)BuwCvZd}Pjuy=idYrPx1xAIwmTZ@};(ePflWQ^L$<xZ(3a<HU
zh7t1~$p4Lg>a)Ak_Z1WGKf5)3x%jvYl@|wLy-$puwX(dYDec5nzH_(06)X%F=$5Xi
zjwZ>6KejACv1*}Jac?iF;@OP`UtVV0g@U0^7{vg`Vs`NQOyf(>w|PSG*WZ2q$Ff9Z
zMy+TRS%^k`L1_qf+;+W(G{1ce@`V4c04MR;H?^LL#)SKWm+3OKJMJcFRGVo=YZ#r;
z6gJ8o)@L`iFD<TVFy!J5GCJ6zVO?*p%09!d3C}C)VgIXmTG~?YLUdH?9$S{3Ab&G{
z_u{U8w)=hfQu`W@mYu^HIsrqWgAX4iF|4it(N5kfrSZyNrB+C16w<T*Zn9<nnZfyY
z=JTAX+=U^9p?|HLFE^#Li9g#^$hzzVJFeyu1AG0vt|rahtL=^T;hnta=x}-U1-t^n
zac59&X>AV{0_{IrBAt1I3WdWhYZ^w*@#?us8~U7>zdV2Ck3)FXHp}O_+-8T>xM6rK
zHh4vrDuDik>A?8)%mFz?c5=;!M&cEgpC#ry!7syNOIOme!^YMlxb*O(%s5`RwVZ&Y
zb9iB_GE~1i5j|Dgwccf<XQmlpm&kMW9y={Q68drH$;v;@=IbxFIGHW03g{iGeXnXN
znqNGs?1So7CqkdotQ$$ukV<c^dr7_Yi61~c$U5;+jLK=iMk~4<eItQB;q<D7S#n71
z+via)pq+GS1mkGid}n_{WoX*n*co&GlKs!wtv;uLE$Ee9N2>kxCvgM!2tVWcSRts(
z|9|wD|C_^Bn?BfII*<fX0a{7(y*Yj1faC$be;G6pH1wf_+sekB(WNT=DDTti{hu1v
zi@MN?8>MOf>x~CHjmEEJB$gqg{JV9bUe1S+<1m=O19$O>I7(dnQ9u~EqE1c>+)nH=
z-)%KtSm6H-K3D}izXc*C+#RvJ#5q|n@lW(pJlO6rcR=`Wd?!9~MGB~szfdWbl*2W4
z3L41;PSmarKhd>1=38Hxs`RJBH!+8?<{pL7^&x%X%1=*6al1gSFrJX)8q70`*q=p6
z2Cnc2mX!w@5n9ONO@XBUjaS~S7JfyS{Db9C@WRVk*iUD8y6<957uNxaYiS`RVUI$E
z;Ji<8z8NdzYV`BdR`KG+fKkoQ=)<@OoosLG*9lmOOOyR9+9gM|OAKjTvq;;W4&0w6
z3?TN`2nTzO2cKM*j8%hM(5t(xG`T1D!x59kBo5y5jf=dPzkypj;ir)KcDuF$kboj5
zdRQz?|3vK=t217_vH?6jHsw*)Th0UyUb-KDQXMMIgcE^`-Jk48mCd9Bk?)RG1ERYO
z;3*&@Xza{XbsYFD9(H*{(Rq9Uu)|a7KQ|Ay5eMJ>mP5Ekz6)_PA8dvP#&nF&?Cy;p
z?6r>TTJW5usKd?9K>fG;$kN{_2@vaTCQ|0NF3Azk1n_76B&W%FdTeyyV80@SbDuqz
z&@mDF&Fq9#Tj$pUoe1A!kq7+wk2#54`x9I@>CeYfj}7J9V=SkWO<E=XFt44U#Xz%3
zGR?8`W7LVcFeqNO5-9XW#Bbhsyf#nG(q)DxA~3q+;QUqZ?Q-x=`9}hyqhO6?l-gb7
zWa{s%<z*c2z{?Q75!ycK88zt<tea@;O>x(Fbw>X|91gp`+jHQziVfVurZn!<HP&s>
z(~n)u7N);Qh~TL0QD&Lf*F<iym8EDSC#8QYE<jK3)qCE>SII7S;m-^Znv&AXXwM{{
zOjGhz8EMtq%Dz08D|GrZUxpy$ZEg%6*tK0;b>P+SbVlsx((nAyVeN#@6EwXF>PM(n
z=;vZp2G@rB>oi&H=9APJxo988(#7Rn(rmj(j7l&8(GtWGO<FzvS&Uea^79cYS5#)L
zDlw8v8fH!fGL%uJzmxKg=i@1LwHq~-qpEk2%uIOh(g^H3Dp#DR>ET#yz~$Re(Nur#
zxUkt2TS?Pu-M_vBSoV+Dl!;;Whkj~=-nQUaAwsVPGD&A+%rvp}mj?8uObw+#>J-FV
zwJm&6l3WbJP1I?LO6Pt0xfHbqchq?+8ZPVh)uof?;~k+IOLmy;%U=;7+24ciO<J{?
ze9e>{3xuiUettaQ;^frAgO`oX!;K#|W#ZxFsYn*vtWPi*BDkC-{A#DDA^J;OY|V=h
zS+2N<O++()3zYf(rQ$btQ_pD#Y@If#p$Qe?*itumDjV)V7gr$df$B<r!p*PW+12)z
zqJyc|-<@+<y6j^2az*x8%=Kc|VG{=7hONmdzr@R#S6rTOz~8C#RmJA%U5PF|x$_Ey
z_M9)Fixo0EoyV&`LdCC7S!u0Hnbl1J+D-QMJD;P^&_t1BsoGhEKQDj1vz_AHP*Y!a
z4lAgpkFVbxs}pGSTpHVGUyo5wFnabv(T2WNY5zl9o^-l$>FZw+JN<wl#|0Z8c7XVk
zOewrgsx3<|wCcCv)4!YuRj8=dW|N3N|Hg0d{)3ek1|7%Zg%upM*ff4s?A)2h1>?Ll
zZ?0E{smIeFA<M?kmT1%G94D8C?Ts-4n&InO@hiexgzGoYU4TWIe6i3f9(KJI*`lDk
zcup~(MTs#*E(W~6g-?<5Ty*3jeqGN+1dy|cpT+}xeb?!F6gEfhuq=sKXO0Q-Y2Jue
zX$?_?NXO6KM>cO=iOn0{KON&X7%N2I0SE}yx)pB#TJ!?HHDLiZi7*GG@xVN#OAU6s
z@;quL`j#v0LdA}noS;Oz8<|y`6MV5bmvU28T0Jmfu|k-}w<e_lBvXuDnP`pWf;N&O
z4@E#8cP7(^J<UJwljoV-JK+7Z+#Wo-KB0mSc209)?>5}c62SArAy+?me$?>AM@dyh
zbhR$|Y3UG`LAOwXmSrtVy84=PPlH9nC+`>5aDMfP&C8P_0&;IQijFY>sUC_31{lB6
z2*b`|BqmXO*<guvHuAD%zw(2xm0MF6ic|#nj5OO~V=I!+@M`+#7gi)0q_JY(skF}X
z(QdXM;3+C8bMH5&)$I+vb<%XWfjU(lQTb@~)9N~gq3<KC)YLC>O>s|TJ>8blDfQ2U
z@AutoGjQbRbJa-bo#g;kXw0>@IG?bjZ=KixjC(KUL{hV8qRE>ISh~qJbQo|csq}y|
zxay)~Vr@P%%3fcW4JWjEM%~r&;-^}B8qe9ITXm!QF`uSJu!d8(n@0RqKStq(I0;#6
zdiR-Tk9R8DB7XiQ7@jK{$oN!PjLB@uv5sHY0;ucaged0J(iUsTvlw2maIQW(`ylsy
zqg=%D)2N2qpVvLLd2~&(Ip{Cd7rb2O(Hyk*zvr#e_JG>I)0z0}!qCwj=Fqt$m2JFH
zZWC*)(8j}eCLk^%D3H1i*gUg8BAIKrT&kP(wP(eYyI%Rdu**+Re=VA7?cj@Oh9W7$
z{&96cG4rWIwK?8bZiI>}a^{5~<MIY<1ZyVE(w{$X-D(GPSeoK1j{gyXySczo`+Dem
zPsEmS7EWz+%~NNP8`Q7175{mSM^oeLB>KQX+Hfw!J*M^eDrhVy;~u{*L<}HR9d80M
zJAeagHU$4eD<-4&wW2K3xCFh=X86jAP_6m{0lh3`|5&bBXdAt|CD^VS`Ciky!f+=z
zlvO){vq|=w5xZP?#M0TVFSVSzV2YxShyz*K`8Cw75r)uVCJjd;pfLK>WieF;)_9U7
zI6JW^YWToh^zHm;PBP$M{Rc6~M8G4iWn$F_y(bP_tO0B31#)Z9Gq&R{I_#F_0=j}=
zPX4uS+Hh^^Si!wf`ZG*t-p<9h(OZKoBBuNp@2kUc5$48=R{69=<5#fw+BkuOd+px0
zC;P~(8%ZWZ8@+-_l&zIfr0~^3;cJZP!!Oy**EE%W=OdLZ7j`auQ05P{;n)3Ob+g72
z9Q{YnY$D=#%kTbv`@`m`Gt{B_G)S~omYuPBJV+tF?QLuvVCiFBMZEf3FMt_3WdNsg
zoqqG><|{#&q57sPi-7uus`Kj-VoGeks{vkjONF8ngx1~Nr$rze@!vYJ+#tf6O^ixX
znZ3X|{p`^|&>J3&;xBBj=T&u(hZ5xmS_FT{8g`7`r@u&>;__5qf>&4ef^4`bw(G(3
zsY9{p{Ywuz&ZeE!Df3lMw(?g5&z*oTV+w0hk2u=_^(mDD)Mp{&-=&#ss=iZk5s8Gl
zJaVPCR=wSJQIRfA$S=fS{`T`$<}|>6Y5YqVJ<Qg))haA0+_<|!SRAcO;YavAciq__
zrUf`k{z!T)j2{Tx`4m{^y}vyzb+F-l;PJ+UB=xfL*GJ6jE}Qa7Ezs-L<I|_R8T4BZ
z?d;6bIlbrK>PhuW{?4m|dOE}k`||G?r!DygFxAo=3|K!vw#!fl_OAKg_rvN*lniik
z=+|&UmyMh-_o)l#Xq4WW?BT)tc!Kc3ig3Xm&arB>#2*59v%g#T(HH+?e1C(mw-k7w
zEjJ7_49mC4*v5u!5<Kv;_vWal6fLLxFh-hIdS-S>F`D#IhB)giw!6tpko^)$vi4&g
zN1;3X)vsUXV~<T|UIo&+@stB{@d0kzw?KES#$gXGL}>E+HNMa4QSK3akrG+~cTL${
z{qJmk@q8Gx;$}^cQ^0nI`O}LZUWW95;shG<zN*L9++23|YZwV_d9D1ckU7NsCl@!L
zK1_3*apqThVVZIaGmwS6spkJItku@w8=~)FISLP0%TD3in^F7mAdZ(47wvLC8!&5v
z!OxwR7uC~9GR=TsYf{dyh+oz~Zb3pFxLgF(Q~O=Pe@Q9&hV-0A!(07kl(}%b1gXaF
z3CYUO7kI8Uh!U0KYR<MCu?*U{1hO1&v|yD%t?j}K-T+|@`71(3Mms6Ra-12+Z~kcI
zcU$LWo{zGh`|&EXWWl&R<%0t@eq9@`u#==A^Nl{mR6Q8!pjz|;!r$`W{otvS+9G!w
zpt<VhZXo5tSH|xo(Ocdg5&K@e>kfMt+M;~8{#5So|Cy+5F={I?ek)s3?3C<7lI~@i
zYorFQuXb2wx`WFpNpG4!gp!tD5zHdEgX#y*TiIcB@0eYk+WL*1>npuya}savXD<R7
z_Ram~#UkTR9^~@xj-g_^=fKV5%W}K4V0rP<9^Ne-oNnMZ=XzII>31YHngtR@U0OVL
z@HMcI8NX#&Zd%N-b3QH{q^6V5K#FoU+08U}#M+dPrcS`OrZU5vgh?wM!sZU!2UMY7
zKqwoz8*&d};RoEWhWnZ`AuxPomxqzZH!&?|n2b@`T9<Rc>Qy!vky2lPfcm2TT4@)r
zm-}6#eT$Jt&j1Fre;`>QVRR0Wl;M_#!*L#Ahr>0>)^=BWmMTINHijW7I)UT?CWL2w
z;K4p2&2vnq?%<nqr+aYVgzXkvz-GRV|J+wv&G8oV;@ghUaKL0&9&`i_k1?T>+?&Q#
zwjw!E_+ij%=1j>j4h8nBDCvg6&@G7to9jsY`2jWvP4e}<3EIHnkvdQ3+^9{!R8xfg
zXEjsC5B4`HjoA-hXh~|jqGZ8<$b&^?N82-sf!B$3OAU4PI2|FBAE56*Do!{dZ3Vlc
znx|Nr9SZ0nnhBzvqKvTcfpjXx<%oXsBZwis?{0i*98F+_XrJ7rKY;B=P^dw|^G2s1
z8KRjXsGk=A9_i*cFRTMPv1QrG%szL>Uc&Xa&c=bHNb`{dW{CF1U2!r|(b*PF*0ieN
zjRsnv=tmH(!XL_yh1tzvEbw{RW-Se$Yj2mS9+#$vz(Dx>r&1QUv{1Fc>vWW9rmlhb
zFhKi+3g8hnCEG0$7n`oZOJaj~8Fw;^T_O=3cV$B6EdIW3GtQhX3v?6}q#KyUB+-h8
z)bDH|U1zsLgaR9|Nu)2%crGoQ{m`JfC%~YuKsG@7E`_=aUym7*1I8%+9Wx1r;@Pgj
zK#;FeifxIcd9#O9##gg10!t_i0W4>Y(ze7$g64lF*(Ry0>+q5=#?Gb=+l#J&l^;O(
z-~-fw#f!kr%L-L0s^=(!LV-aQ2DB`PgC_nC>emzo2HEPOl1e8KH`{-As}sK2H359N
zzlj3%TPj$sMGK<}BOz%Pe7p*8TSn_Vg)4VGP5;yRF69+9dIp@Jm|8*ponq49H(zv(
zN`(ErogW1@T<HPi*+}<a(|13UP;805FUGro=6Nlmeq4b251XMDR$zZpE0Zw#DT<#B
z@}5|K05IG!!MuL{IPQ20D<IO}8x{_nCYd{odrzkkAC=Pr8H?ZxuK9q;afQ3^8*lo8
zA)OXLHLd;15%#8PbKe$NK`0P0WKKrAzkV0L_K+UvVAKvOdM!WkT^IM>A%2pg6exsn
z{`6rpnHzws);j{m?6ouk9e+UPuijX8LW}FGYJh4*U2#IzP&D_pB<k)D-vcopgau7#
z9IxwH_WAQ-g0uNNqPP^oAmUjXKtgGgVg5>XkKL7mMs;y*e$CL<wtjN&-a<_-%MGhF
z7UDg;SSP8sR@Tsnsup2Dt3amg;+wuPaT;-S)8VTvKHp}<jK0k|(?<=o^;@`<RVccF
zeHZOj&$0Nc`VMTJca^U|YA0ZV7WpyC@PG&Xdg@jc^(`-!DV=&sd!+;I*YXO=J2+7^
zo97F(;y>lo;bADW&6=;Hlo_13d`TK>XMVqU0Rg^NAd}WE*i32fcT_n95!SKhjfKs!
zYZrDh8c?k|ghyYEcPhFJ9wvhBe^N1;wbO$JzYP_^g$3T~SgQ0e7NHutv3ab~HEJij
z5<&yZed*FFBl;8<z3GQ6#x+E8h2K*CF*xD#(r3nU9A@Y=;QUgQtXG3#4fnmXnY2Os
zij4ZRRNwo)g-|&B`e<CWXO@fUPTsDvo~iIs%I*|!Ht^ldyE+hZFgW1?yLSOiw--Ea
z+!jmD?kcNiEroM}k7C48M=@|8i5rlCYES^&6`mKkeF<z#th!&<Suk=g;!%7)EkPH_
zu;<b^$<E?xVte1P2w)FylqyHWx~(zn@Qt<XJiPsmjB2lE+&qgPREYLn`IzVL7!JE6
zN`_S>R&U_4eMVN^<oIUI=aBre$1BaRn87!xsj<U7!KC=Tazypxtmo|_IE%syh{TuV
zW`j^pOD=_gEZ1;9M#y;=g_neDH^AP7KD(R~oGM&a=W}eLXEb*?cWhu4<K=33Y}0uz
zDyFGwIw^|H@>y!&-x_5$NsSFw#T)TFJ>9<czUk}yhl0-)%=fb(t!x~}qi_k$W#N-?
z5ACN6@aqq<p+23%6*BK2!lkBroYc7tjt=X(<<(8^=2I_4I+d%|cC)sU27?Wva_TRH
zs8x9NWa%Yd!b;RF89{>v)Et~zYh9x7dl?*abD$=Tyn7glDtCcFGv^dQ;m#TQ(>fG;
zIF}^AD;Cv9<oc>P_bw|Mw(h8M-Ks$fdbE-yA|Xyh3vmO#^DqP&b_Zf`b)Fxjn5f$5
za&MB^n9p({hl4z|znnB*pErs#vHK($fK;1Yy<<=MnF+0IDDe^ww~(N|L<=jDfWXKK
z^wZ7KldKMfrCrh(<^p5{t_AQ*6oc}ui2yhVZ`V9d+}UEM+oavm`!>Bk!nBuX^H&Cb
z4z|p8m4cDvv1z=FQ3GS~5C%LZhSE*wn5?zgG=+{PLEmE@7uNM8=iei6{*YyKDE`#N
zx%d8kZtOQZ-*Bl^>JYI+nj3C0PfGD|vB5e}?mL6Xr#${7gQIuZw6LJ{oB$Dy-oDm`
zNrn{UTc2KnZXl~Z-?v)}%1XSP)srX;yCK;Aow45vB1OoW)X*a7c7soqRc#h_V^X#s
z488NCuckr~lwn651R@#WGpLIs_(XSTl8&$T?G40Tcx>z$#T5xPtm6XZwNwt)hvDHw
z&a;(K>oI+{6){7b7k(_P13GxDl03p>isk&p4<D*pBgwV|42RA|)+1~CZ;v$V_An>q
zwr`pGPiR(PH5am_6d}0Wj0Sg8J8cjrNsL?<LpyQKfobrR|7L~<1ksm>C%04!+<2De
z-sgkfZmrLNmIgq_Nph|a$1955!$>#EZRR3Hqb^n?)G`g~j}AXInJ&oMpm=`3N8!vi
zNEC)jN5eLRi01;ZV_`l~O8c1sC6x#ZOE#GLCNEN{h?qV+ew9o=uf#!y^-P#x4IDOM
zlD!Q28HK{Y;%6cyl#YWIhcJ6F&`W5p9}0{PZ1b7_u>p8WsfWT?NphS06%2evmhEhX
z%p~6gpTmGAmCtQUc3zygqfzF@Wc5o)S}?Rpr^WkQHJ@7%yPmfKA5*6Uz0{{;Sp>Z*
zwh*PRCL=yVyTc}XmYy0_Bve3y>U~<Z^Wf8hV$AyR&Bk)=etU%>+MV|*Mx$~#Ol5+-
zzl6>LbBm(yZ*L5^C{4xK8vYDuAD7amrp{#?(+b0O%|^1Di%x4jRUg_dBidIY`dk*`
zfqto`&KJ7btndWzAaef8?F9ire{N*uu3Aggt4ZCCyyK-$4Nuix+B~*jI8RasBP~qE
zMNulIj-NcJ9k3meHE7v2I|Y2QpmroK*}lv8Lp2MU3p*Fn5|H@E62hU4zqso+PdIEc
zPVQNb+nM)PS;BYa=YFPkix|xt$;Up%hpiibV9xNywolfFLtw&rEzBl$XzS}w9Fxy|
zsArs?W351<J+?<}lf3_`f4<YDFzmFXy?Fbbg3+00j?7Lp0s1?RHbZb7jgPrq^tz+c
zuQ?T(tQRjcOkas44k3e(Q2D;_%5=K7`DrVqd6jx>5PM7H^(qE?)8e9<W04rfNU9=S
z5;v)~Vu2c%ZE`7I$w@wI5asUpj*NhAUihzUjeIlbjj){xM@@x(48_IJ&@5csL&}22
z24fMi(vne``o#ebR4g$!lkL{&ilOqZI~9((l3cp;dT?V^jxhHQ(LB=-+&YF?#-JqO
zT4d?vZd0t0|D78|v_3lA9Q0Z}8?6BSu+t~H4#qBKhV9*a(|21H(YNuy*f$JYi3DV6
zM7%98R>HMjHy87HrU4Vn<;Kfu%&rXIf7l~ZxgGX^?Z?yaBMJ`<p|GNP7pIp!BHoq=
zg|!)eAURS|{h>*CJ>T|z{XLg`<vARWv?SXD;%tm^MqgLdyBbMhwi*>Dlqe?zXY!`n
zn{mO;oGRDM$bY6*(srpp^x6RaIkNCwyPNr>5To=|!`i~DyC%w+I~TCr7;KU+IW|G!
zCum1!HCsz|J%=Rn`n0=-(`T+q{-nE3>7gq4FaL(ne`ILi;gJotN6c`XYZckn9TDn-
zTaFxU4Kuj3>7YJ>Sj%blzv0o<H^*(3h_HJ)wNJGj(>}S??)6?jACx&<;6B1s`2%;3
z<inm#$lLiMKdBIVlbnaFB*#{b2;UBXD|vMJAcUc-^5PC$lspNhm`$|i;;NZrQQdFx
z*H4k}5qRC#Fo&*xu5HU4RSZ+p_g75Mp3*Fuuk<aXENkvz<6|ZVBO=pAM30F7p9E+l
zwq}APqEz!#R;uXpnNr26{@`>2x8wFqZmY&@s%$iI%KcCMvLdt#p@0;hujUaQOYGM(
z=Uq&Hz1$s4rneHmq(yb)<df?T?lTeC?1B3_PRntXZ=QyG^;|8QpJG)F#V9yM)#M7>
zKSI<T-D|1OsD$stc`Iw4^O?-@Uw@VEAs!$w?QJJ6Sr`f|=v83@RV5Ra(@g;hT~atY
z1mC%B*E2KLmRqUjmR5gdxWGiOW;e`5W&C21!udg6md1gD5vBY)1#mCZ`S-^eQ2SV)
zmibcWs8E^KnmJiMMz}yED1m>r({J!8RJaA;C)iQ}g4uP`DXmU)D;i3y&`1Rl<1n%<
z62|=~7tpDwL?4&bN^efqN=jmTsH*h-SLlnOroKyOTFCL}tt<s)j(}^Yf;NKNe;Hpu
zL}CJ73u0N5pe7;1xtJpUjZb#l59WP7qi+TJ6e_-hr|XCe3C~A(nHmjkvJkHPO*<)4
zA9-1AuMye8KT{^JC}YtFguZCWNP{^9^~JvR>Kc_AZ#(0l7m8jZ$_2Eh@RT@j)b`s;
zAv{pCftKz0hFfkQ`m>%!r`KP|mwDn8V5F}FnVr=%;uy?om8{$tDK|QB>3aVP$NBb-
zDWI-A8$Xl*v%CFxJOmdBJzL9(t=vq%HFDhATi&mP|AZp*e0=e@u5}$b(BnQtyGGW5
z0~ebA>&(1s1vw0x9oW+vB#La6)JO|paxE3YGks)Ox;TgwF3P;V7$SYi6uQpqRKsso
zYWl{oJZD-+H)T3AfBnZF4doq+yZagGPORs@A9*s^V{+X~B&tV$?V{ma;5}PrG8nZ=
zV!vVTU<&tD8AP!|g66Puw?E%3>Jh2?uaO^@iYxQV{(hQt;fi$03~E&@YrcXZTxX+F
zau(qMIdFWBn^2x|83@A>!gZ4Cn?4MMA`?^M6q6usr!m6F(x1txClpqr!)**hCBn2@
zm!>S9QAB57WWg@x4)H(K&l+0La7lm*M;^D=MFEHHG^oUlUbVsUVvTzgd-sO`l^IY;
ztSjWzKR0!+H^HX+9&;(SAbp|tuaSQt;1Lf}FZpD7Fk`1&oOBk&bMK7n{dXIn77r+>
z;Qf%=XU-o~m@CLgO!1|jUI&G(HvD5mCm40JNK+@3(IHXsYUO;91guABA<e58Z`NP=
z*j%@xK5YIAXNC#xu1%K#Tl;(T@Nt-71;P97pdzKn1X9EwnouHsy&9>osnVHdktK{C
zzCc^D5JgW0CyI4~(&5t-Rg`s_uYD4r*!=7M_`g*Tt84UNI=f}Yf=q^)6o5}Utb3wl
z_>Dq!I8>$cQm?W!b{{5xQ8H?Nuf4zh&eVVh>B1Jzfh~mw(cx8%AMSDM^M^J&1{_T5
zJ9_KiTH;xb(+{5#n-Z$cy^Sgcswsdnq?-<5!6|x}T~i)TzD-V>6cW9F9{#P9&Ydz%
z=#N=&mHEBl0ie>T`Mo-5r_7{Sr!u7qR#62WzD`GV^enBkI}=xDa&Kdb#mKNr0BEM0
zdQ9Oe@|(`qX)~g;o_09Q97x)L#0{0o4P^CJzpFG<5(q$T9a;d;{qYwKNISIc-_V7>
zHu?MMF!inn5!Twa+z+J;g|UPbns5GzIKQ844^;t`G{BF?9+sCtNBMkNz-TstQtq<+
zeo8w`AK4(<h<|uGWaDq?_<xxCKa%>b+=m+W|8|{njVSRP2f&X+?&JS@BwjN=QtKfC
z(%(wuABUn%w}Au#gw<Z{--6{$_-g!UjjQb{0DN>D3)mqRIn;mNCZwcHr~5u#-NM7o
zI{_HlvFI~Yu;*P%KvNBrpnSXT`>j>r1luXyYciaey-tVy{5u5+P+88A);Z4wX)MQf
z2kD!6PhI`su)lSX>0i%-ltLvlOamRC`l89Xg_P@b<`};ve68^BWFcBBHMi3?37>A^
z;F2a0xVMh|6w!REPO*7`9w7d=;#GUS{WiMw^|VOHK#@!V|2Gje8ZlXw3npjE3{O9<
zKN@jdRo<#MH+b|)h}@>6?*TKm^f>We>>pnnptAO!)dG%pUGSXjOl~TcQEB-Vwv~ME
z(lWmD=nDyWfYt%*xEx~z;$A`$)#hG|`j7lKr1`^+iicH_`F84*Sf@*mh_y+sGwMsF
zGM`q(v{>iO!tlcXvR5g2iRKf5Uou#EqphKJL^h$<w#b}DG}P@mD*lZ43Bx&dQ42YV
zB*dSbEkLE6f9UiMY^w~zFS$K%g$C+6Z*bhH2H8SVj-s*yvw_2FhLbI#tbrCR#W!;|
z?;3$xY?A^An9}zb;RZ{<TQkkJNv0Hv|B+Ic%;{pAm53(RiMP2ar^VL{=M$mzPHSJ1
zM1xRN?*tEB^<G#-`ooh;CC`!!xj)Z!jOg$h1|Lq!0PdN%e7sZlPq35|?Q~xB9<WVP
zOu&HpBh<bpm7MV3I$wScdiCGB_l-q>E6sz3=S`?qrAo;uHLVx?%?}u)KC?%Bf}XLm
z^U{+0eC&NKdzOPUzw4K*uHk@fj4-heuGkn6jc_T9ckvgD>F!cf;>JBF$@u(1Fhmxr
zw8IKUNw=@7qWvxFduP&@eVsEhspo8u4TRZolyU-nu1jTPx;KFpy+@69kRz)_%r6k}
ztaE3#!F-Kh)OvriMQ~N<2Jl3K?gUQe&YeYRvS2M81<)EhYnAbrJG<1J)Qng3#5)zT
zDx*mu9+O)v%7(OI#YSRLw4)CSBdyl6vnu~Kasag(+9;Gp0p)^@0*>J6r#5|IR~Z;(
zx$vT|N93d4SEB*=lQBDq0NBd&`o7kr0^hGoE~C>K)N`A2YIo+t)_ecNH{v&u#+qBo
zhHmVf9r@o=9sSsqe#Sc*r0O3H9-mdCIwb?Ax%`|F*_S9;ckF?Dr@-mfFSli|S<xQP
zq@$GmGX|<}L9&+&%-1@pfW7!SJehng1~euu$th%a#ComC%d+H+Ha-)!!J_B<^NDsv
zsfPiBA?=^dE-_CesMTx;`X<WaI*OPt>>axSCpkCmqjSGwFGu<55TSlPojSXbRg;zd
zV2PV<tW?-MHvAFyeEuRFY^^ibmV?_4FU@THoe#ul3Uktw1v;vo5~xz%-bAXe5?_tl
z{&c+nVYSwq-8LM_m2aRFSURSraj&5(7u(%1bWrK$3}s=vMCe+!^eGtEKqYS)N||Lf
zmljh?MNnabhDyBoAEJ_>%5+>jqpPI+vlAq88h0PO3u`*_EEZ>wr?!05-l1EsO1=L1
zND<k@wln??`gQvDEvJPWd68zSKQrLWM=r|aC6xT5@^ey*3s{S8)k#j)ZvO5}!A~oe
zii6vyH|*CWh|mDlc4<a`m6ArNze^OqQ3j2>=CbgvmSWa^dzI08ekfd*9~C~fy;cZ0
z;UrGJiPs~t<~ajop<R`)34t^%?&iNUb`BPT{trZOS&hFDnRTZY#&L^nE_aQtiBotd
zi>CDWuO;h|BW`_acDarPj}Y^)cV+Vwad1Vs8Z9s(fEs7HMPlinM$(}{1s_*YgB)LN
zKb^vnJIHFU>}rbD(34x!KXvq$p6n@EdqHKr?CaUuPG*&gCtR~RqdS(qK;{OoBhSHo
zkKaqxi^Q-hT~8SReZZJ-+ZibVsH`3A@5~W=b)lzboAgVgW|!LQEB9ha@%O}dD7>S`
z_|jh08d_BKG*aETfZx)v;6}RyhLy*<Go1Ns{c5Hu=Vow~1Z~jkeP~Nr!c%+Xn;Lgh
zw!*|eooB#Lj*pDV0)`S`{NTs5d_vVD+V--9o{ao$ZV{<D;1H5wdhi&vKQ_$TRhDem
zB@v9WO_KeaMn<1sh02^}gFknA?9YB&0V_STEaou0R<xngA!8|bEUjX$K-Cb#s#XM#
z-O_OA@q6Ln>vmy!FsoAaLI=T3!S!UimYbKc9K|CaCf5Nf!wA>afy_J4yqdx!7ECQK
zO!arRzBo<p=Q4J$;d3fV53??+62KZ5$DIH8bji=|lN$eIs!>Mf0c&Yt&ip$efh&rk
zA?HQ(ztjId2?2~3V+O{ssJd%7xO-oBD&UN_E^=upt&-kg;p@&nnf%xfSXga(O>mEh
zlg}FE1nz1!pcUBX7wT(;+R+*O0Zuc?AKp)~mvRJY8<`2_+rN<P_*4R2br^!T)GDkV
zH5;-kf~Zq=&UoOKY5mpr`X4npTo>LIU>+9VF5)0u`*TvmMdz0#0p`f6RO>(=YfNaY
z5a*rI42;)_e|FDk_ah-?iz(m(+`9somBu?B?e06B-3XfD?asd=fB%lSV(ZJtj*xUs
z*OM6WhTwV+1G)coeIKR{28GaHA@<nkufts(CV;s21X;%UpA|82yrk~nn;tTibQ}3%
zwJ2RK$(xdduE?Y=;tyn3a<93BxISA<_zW!brUT3I=tn#FZ(dQd5@@);2;ZE8B1}KJ
z017OZ%q_5fzdQexnRPBWBapy|MoVxGczzbHFgNar#nc-J{dX_Tr*?;XRv^1NC5e6Q
z&fYLYW~6U?eYXVB$*qFn$8B>mn2a+*E0V6@KA3MafM*%Z8H=j2z?qq8Ga;R69+L$b
z3ah$-5hpcUWGZ_L7Fy)VC&+?mH93;mY(s`|1cx1dr28o5;lEK&c+q_uzLC2j37pt+
z2VT!_<=|8!vUZD1r5Zh>6=}Ue&V9<xh4oqx)8hIcSpZ)*!@!3qox$LHQ6cJ)+B(%P
z%IK)*iR-2H7{bjTN8NG~$Y-B1<MW1;_33x+e|gevf*qL}wzOBg#SxV+`RT5cwnW94
zi=X`CTXbt()e?#Uxi=dV=O5fo0o^L*D5AssHQ}u%sr;`Go;?xR1eGvNsqMD(Xat7q
zRL?jB1U0M$`W^K@gUza1<3}mU>_t2_o|!a|sTMJ>1ZwzdAHwm%cR0fpsJJy)!eHsS
zU*)il@sz*dw2|^En7<-n_^-mZcw27K?i>F=`)I$tG^%KulyHEZq=9QXt?|QL;uTGy
z=Xy1L^=y-HsSbAaiIyonB71gGCI4uOgpJDSgcE4jtMk}D)nRsK%UtTWzXf7v7?4M3
z{ZrP#P8Z)KwJ*uM`KLO5^K;0|Y+XU>pSn}*s$%o?f&T|oizaU|2M<L;dH<2jPCvO(
zgs^P2D|^_Wlpw@x$-Bz`TN)E*uJ46_B=`Hlf^w3q_z`IVt|6sO>YIZpDW7Q6NnCZL
zp0PDVr(pAznv03KT(a<AJrV5$m8&@)8;!(BGlr<DKvVCmZ=GF!?3bqiUap)VA++eB
z-BVm@4&8ruJ=tJo02fgIR2)^~a(^u1T`tWk&UOKq$CFqyInphb%>C~vZnmpl(<|!H
z`TMNg7_ymvdl^l{K-yQZM4iL4ruG9Iwe_<rFP0n6Oa}H5SfNG*jgl3QfwO(eA>H0L
z5j18Wsc@9@*oM@8-w)*CNm9m!N&#~`FT-^7D~xpHoCOb9qJ5fbU)O5ed_DYzRQ)OJ
zD@=iH{b6?mCsFz<cPc=EQL#rpczqN-o}cSZ^8OHwq53x~?W@WEc^mQlXE0=0<vKdd
z3df-7+ISO5Z*n@i@C;P%!6_yh(Oi-7l;E0<KTT=1*D_Tbo;7N;cdAS)wl09ZbIPp7
z4V2RS{dQvPZj|MvV{$eY?{DwklCPcJ9^)yD`y2W0UEj8^F{eH0zp>~W)i?dlG;eyf
zQ@&IGKcXuC^(2?k#H;d%+Q%sVfpml99e0<vKZ6DB;+^7~Ug?`?TQo?WbWQwodImr5
z>PTFA4(E(;tYhUaet?-HvIz|?-pi`|mgU2vE<5~osaEjR8F49v@syYAv45Jb$Z%fp
zjm`PYjGi(7Vh~xrJaRFrN6aay_&?==ZCg`C5Vs>{MQnBo#dkp^%B<*7U|;)&<|Omf
z<*6T76Cw1A*QL6u_bt!+luaAi16LmoTu9}9C*Mj+tK9KoFP`}6bMg{?vy6k##>_&+
z+GUJ=6>LYmxOjSf@HIxZVbA0glUdUw2#@q1v?Gdm{!KxF4eyt_Q==ACA8ytVS=xvn
zd!09t+fF(&6jw=R>hG0uvglJ2P-bXCSi+j8C1_`}K{x%1{e~WfhHRZJ_j`ohQa7DE
zhTS$KmttbwduyNF!*UNsK_4rxZ-qyXzjNk6UG8Phca1JlE&FraC!xDKaJR-hsGfC?
zxlsUratG|-m+tNMl;lkyKWX?+L`zF9Py9fAUiv)tnTgYVN#SnBH0tRXN_K|0WuJZi
z)D3afCNDcM=gszwXIdy8TV><uQb(p<m0Zk~p#7`zkC$(8aUE}Z4c%otd&>IBuVfVR
z3;lfMecvyvdT>&tX!ViC?B<zOli>3um&*Q>E^oqJoeW2^7ba%v7IZhR`98+FJ-dJY
zr_b6C+!*3`k>7oHh_7{FhB=A>f4MRHU8H6NqHoDfB+Mmfe5zwEayX}ITU|liK`2@-
zS_ylS*y00ZYJ;pT(oB#Gy?n%MeC=HNxlZFh(X5WILT&o`qCUcw^D6{ltIb6a{*RU9
z%NX!HeUeu{cMSLKxmN(Z`|)k>qBPbi=Gknw_rsi1F4u2E7%OY=Tb;TYg62~(A;IJb
zn(KLNKdxaPJfpsG^i`G5v2*c6!DS(7hlZ))(*kR`m&H60m=n+|fAbX<!nc3|-9=pm
zL2UZk@VqR0ui4r`EN0AEH=2%XGTARgl=B>lj`rH^hU@JfLECq@)RbXOCx|l_ZiD-J
zUePc*6iC>bs`VsWD1=5B`3~mjv_3{XVq<f!M%JvaeL9s?{Er>R2N*p#TxgZ@K}JJX
z&$&6Wylc5gpy5Brm1ym*rmIt@RE=GE!mQ<+R+A8wU79TZoA=qW*>#;-#-|?M(Cf{w
zG(N?5jM<;=$)I9)K}an5qi%v=Sp2iJfZmN$mjsrm?M7#f_g2eKDSeP<M6wVB|6QrU
zkInmwx^7eHmrAvY4OV`21!cI$*b(<)pTjh+&nWAlNM;}!POMhxQ7@D3wCDEAa)b<h
zzo7jsQ`fBGGHSXG@o9QfTSaE#=6z%3qPoT7;B{Z>IZ-fKfyzMmZ?2XsuvhVZq}UF>
zAKfCVP`olQ{Vud5+JXD4J6UOdwbR1l>HkpgkUQ<vu&PSK4$%PH^3`8Pit5=#GDcAt
zX1owjse;T9eUS%C0nHN_$1@*=iB-LBX{^2>N)|)tbSK<4KWn5Azj?|4Lc`Atd4J%g
z<IrpSy_?nIhSi_WK6f*_al=inKF&K>T%<LNF9*0t0hCC*smqo<89{St_a?I%RQrul
z-B!-z*@j%tm|x{dmeif=7Y`Szf8EARp#l>_dY*<@<62Uu<{0)_YW*gn^S`dtc&F?-
z-V@N^x2?kr6SX~J=%DQmpP4=#02dby^Kdhw;cKVv{7@tl#;#ucM5ST^qQIVy(FWFN
zuOB2-mHVXp*F&Fv;R)I9ZXFpp|I8exlk7=yr$smkHw@6YRCiOS%~MG$W2Z;YwfkU#
z8lc2NY7B6B_OSO27VRvpT2k_T<QvcL;&+)-<%Dm=6kCq)ChABZD>qgkPWa5EGQ6jy
znsK6b*Ax_|e`o!g@G2dU4Yz`M!;Ly(z0#@%H|eM9!$ml8S2i{Zl?&1;o8<qtb)dKR
zal!Shn*}{$iaoFstBL<s!80YL1cKqyC)S(N=``YwX6&i_J_;X9PqGF~T9MwG<644z
zli0FRA(;$5*2>YX2D9L3C2a#vc196qh?^G9Dm`aa%$eL@AeNzQ{#n)61$Na;|3#*7
zk@LAZ3yC!k@eeZ3dS>{$6G?CJCPGHEe@iE;B#6^^h@S|VMe(&gVv=gm7IE!ENh3Zz
zM_%#GabnptFe^7Clbrz;g>E^vEr@L&ei4Y7WUuWH%<o~Jln)xOQROh5&YgVIYm^X=
zwa-OQLpN3JwBpe+%W_1Ad%b<;?9+fXTm5NlL632zr?}3#E<9QT;`!I<cLR5zFaAp5
zUlg2sTBpp-K}iud5a;DB1=$<DH&YUxAJd$DD9e0*?D>UKaaEZI3&+tg$WL2&$FO9E
zW3Ja|%{%E#yXa;$SDQ}Llqx()pOU@hZF=-IsPkkJu0DK*)1JMe)ekS7--!7_-vpPi
zrQDIH;6<c!nVZ?6JDkHQ@oMH4h`C!jhFzW{pn;0H5E!YGoWZ|Uv)`KfI$%iqB?t`~
zoO~kGJ>hC1v~Fjg`_dyRn|vGX1@Qw`KZq<(uiWRZ^kwK{Z})zSe_vc9U3IApq-q2R
zdp~tj^8_Nvm}|pfr1(qvkSp)wRS53U`Ix0UMge9JdzfO+V4p(2wB3Aax7hy;rV!GZ
z_xE1^|7Ucgxpg%Fv)%XzvU#`+*%sd)4Oye)d(tT8@|%Bn86&kOxw{mKby5zks)1|l
zIU7Uz=A&j3DA-xx%L1rBFvF7o+!S*M02W39nF;^}Ex-8}ttec-)}OOM0l6Q}qqv^0
zV@m%2K9$#e(Wjf0Z~zia*lax5t7>5uW8D(|UuSGq{4FsGm+Q|u54n8s3&OQCoU`9y
zzQ015QoLa;N7$4s8Za994{FuDL<jbU6F|m#`hjdX*jEqnkBr+WsRoz)!10~2PuoQ2
zz`7d%;`SJT1aAKy2v%5614z|}a?cr<lq9pkVgsCt<?{q&ciJkhz9T+@bPD|Zv@$W~
z97Fdp6v)6-*@15vqyYH+xhKF~_@4mUcbI+WaKeWx0BqVdcZ><RhX8!&fiT!)o_#P0
z-0K|W6~%=CH+b;R-!e1I1K`>a04$4t&T$Az&0*~UAM9$IQc=#rM8Ew+8(QuG@6%HN
zzxa;;;Fox%fC)go!qD!&QLjdaXlF%d;5!J7s8r4^Yrh|?&4HU&s!CN<jhg|iEJzwa
zcCY(>o8zVoYjQ^%f@O_%0i<-&3AX*85zcwb`p;QiSAT~3;q`Wv@1AdLrHn8CGk$>3
z3*xKlQ+~|l;s+vB)Z`!TLqGl0kMGRm{@vin$;SDy#=yYUZn-5#PI<4AA`6&|IM9xG
z-8kX7JJ7lXK5e!0*@+|E2@qHJ1aJ?p%asG5IH3I4ycrO3%5?m1=&}NUbSAOc0QV^D
zS@z%UDSu-HQ0AgIUUmooJFil1Ng6hzHS|A+W=bJe5M_G~;m#~u$ki>Kamw8b*8QYy
zt`nLqRR97BaC!hJy@Q4YVp#`li>7qLFz~$)DVIZtEiUxam=AOnz!y7FzA*BJdaS|U
z*L5CKl(rAhnK*y&wP#ssm*$|EmiFF)YdB0Y5(4Y;sP_Pv-oPq99*?A;<Le)z5`mkg
zf%T=ojR%AZ)9U<Y7X{*D69Z0KJG}=O#3;wHFp#R1rK&0v2Kt`#2KdxPcS?E^2sqxg
zf`P6wh>03OU~MQEaH-yPY^?=Gf!RWU%K%AlfScl4k~YA{6_Qpz@Y_&u;K1#?Z!Iw3
z8y%1`5I1mTK2=Hq1Oapt_}+~QpN&-oia9Qd1-SB0_&giVLg_=Hn7Ktk+}RSSB*)Hg
zz&Aan@9A_V0Y|Q)Hax=}l&g~)Z)C(NQzZ{f&E_H+L{?81x4C?yaFfdE4B((!_wc#i
zVc1_@e>f|TlqBKdz!zAS>Nl(Oe`F|Wrd2-mD>}15NO68ztbHY1W<$2OAub1>xdQ{X
zI$f;gG-d`6@DCw90p)=Rncp`pQxAw8g1o12I>nz?+Be!6TeBgkqx_m^rA;QlV!`?e
zlgBByFthoAE3mukjNNLo+47_ohVp4SKd#YI=^P0|w!(tKR*J*=ekX-_-di+b)dD@T
zRou8weibr)!sQ-;=7Lcq1bLjuwHo8LIHL#w0?u@FZ002+G}g@5$=906@4#R`P$N7D
zW3kwJjlw{Xo>81c<__TAh7dv;uZ<KlrwNbGUs(idVX(f^zE7vClCV)|P318^uCCua
z)Hb?qI#a~IkabV%zM+q2xTv^YzH4WcFn{Bj3cj<Ki}d{^P!ukDPRh7S7?=aO4Y4Mq
zr$qbnjP6&7_T^&AX&Z1^)46eP<Bs?Iqltp&6pn%rMfx=t;n6Hq+V=M_CpPZ^-|`6T
zes-zGb-H__@1{wjIh~G1m|T2Un&-xy-;Bv-+ubl)YRTU<NbOGsGMGmg%R|QK5n=1)
zcLtYNli1AtM^5yWo~b=CW%Q*!+P&8&1^<QI4z%xk(rR9YhMX0yUS=4-_D-{crU}@a
zPKE;vI>Ny<8bm%Md1f&MaESY<_Pp{D3O)hI`eB(wJJYvb0oC>urwZFfQqzF1j?7<!
z9_qD6c#6T&&B_e++<u|vDb#eWVn9e{u|gBRT2>&lIcO*WrDwFQqFv_`8tGwId_GzB
z$g)F3uu@MDH!^%|QFw>yWY%+z7oRrYF-;|5veq>oLlxzbQ8hVIGH!t-K#X2p9x~mq
zJA=JTW90IFolemW)L=J`HT#yq&Xq~K9ZuFY37dh)R4`=*tU<`a=4m-x?aSb~Ro@$C
zgSRyO=R~y$56K{W0+OekuQyr8>0XBI{)Z?GHAVMq8Nu!Fe&9v}_r}wj;`LNBGJ_9N
z(Co=zvHwHo?&+!G2&s(HpNPJ|hlu&X%%x<69%|i4K1CUSqW<(FD56x8sjcu#1wqf4
zf$oR?ZWhNt=;FD*dm&XCtkp&L@O63n(T=E|%H%uKgF@^%AI^&xJ-`3#8a03PeJbT~
zS^2>*=&@wy?X!=d97cHH%SkM!8S^v-)~f@0<pRsKOd0_J=pAr7ay$&<-a6WtxTHwO
zB^|HE80hf2LH>&?2RM_M+-PyzDH~ove&5Kf!$`GdhzjO?NXzKiUNi5*LRALMa=}!z
zL|5|x1PAz##<YfeGTB?Y<a6+KlRRcd$cxz5qV}25n1%{b$<FQ1yN|F#9<y<-{t2Kr
z&>}C%P?VtC2LVV3QmqUcoGyc@aA-6U!U<F+Eg}p7YLOHVR<1caY_(;e{`n@=bty%q
z2<4az_UUlqklE-hCNAaKU$=FBuI2DMrats(ztf?Vc*`84S5m+co289c=E4U5d{1hr
zQT0Fn#6<sR{;V&-Il-cfk}?u>Eg8+NdKE8jsrXsOFSW`pxFRQL7o0gRRU?}(5LMnM
zN(Mjni7NG*)JMRI)|_!sK3#%jdtqyZu3T7l&doYLUGu6gc4Kn-c8X+SCPkq~CcI<z
zm@SCEgjUk3r@v2Ib8z77g%xS_;H&4X`)CP%X8sz*Ae4uaf4}OQ`I^bJXA=aM*IF(k
zuC0_(!2r2g!lz61UE)nTf>jPb#H^uEszSuB#iv+TR2lpu3EUT#>;!DZJ3Pwy3Kf0j
z1~gv#=ChTp_nevM(F`+|Ss2Y4z6|9@3w2dAupmXKQWP}46_n|GQYo08H~|0FIexwQ
z&{DgUhv!`y6MP>Er_Z!KpxX1g-&?s-a>cH=uo+^hLyZdQ<806$=(Ft*e#FN}WqDA4
zUzq&KQf0xIBrsP7z3P9%W`Ne3q-afW#+3k_{W7wv+VmMBRKZrY@kwzzx)Ph+GjB9s
zqt~-n+MU|dVZN=-K^ES7=&y>nbS+Yt`R(3jmW!%`umOHYH_?<~7IHp(a1!1l8XDyO
zw(>Bn)Ty8^NqfozXM=t+PYREppkb$@`g$f$uZ}C;mHPiG;>^R@&bl~mTHACPHA+LP
zwpvn4q$NaA)uP5ewAM-`s8Tayv=nJ<ZBYp`joM-x##URSp`9vTElClAG7(ivQ(I9Y
zu`hk^Py0UafA`6g+~=Ho&%Nh&PJZ7{LP3?sf6CG5vc`0aDeh|e>24=ash&*1$xFfV
zw{5Qm{8gZ|)+jBk|HFo)ao*EAlTqERb>O{CeThG7_`VPF`BBEg)7GwtyhBph%I{Y6
z*q+ldE*m}qiuio5SV;BqUE+Pzq%945Ndo+f0dICaR^ApnmmScp-BT!;1@@b>-0_Je
z-*$L?AFssrBQIqB&bkGjdU>aKYFTd0Ly(Hjca7>Fzm}yDs~0M>-H0Ey3CdyKyVb|B
z+0lU(Z`R^B(%#%LUQXLGD)>Y8H-`hr47*BF7oDwX(CZX*6!Rkek)vxYX{oQ>!~XcY
zO81+(gi*$LV34x-As`FIXbSm~i_^Wii9swbIy9zTlKo2(@n7Q;$L$ZRbR4lVeDhlY
zT*5TYB-i>t45Rl~<v@ofuQSYozes4QDz|~X%Yj^%oU8VAhJRcktD1P|DW3)hxWU`K
zk#i^ZUj9UK>Vq?D5qO^Eo8}*KwaROLH&*P*v4}<}toF&NQ_}}a(e0xaVRq>PIWeOa
zE;@NOc&JtX+m+p`mP*MqQ?`1Qb}Vs-ZWYfT)AC}-4s`cz_p~S;FZ8hY-hW?PZ%3<6
zUouiP=k=9fd6<F>ThrX#n066Uv=W9M8d<0K?dG_u2;tebJW|b~rG|?Aw4?Ke{DfDH
zs(!)Jbf|F(LCVR?EEUlg&Ors&Z`J-ST@e{TB2(cg4PMfVx$NnXtg<+)2k{ZKWgy9e
zhj8Piv+LIDuPVInj<2VgT*>?1Wh64geS&9^gU(N#5^K}jf)}DXsr6=_$x=2<lJnGl
zLaiDUpe8y~@PLG+rON(33c=0Q{o8rGIhUAoKr`3HkNQJuh<J|ZTKhTSgaX^K%>IlN
z^-z;P87uu(>p$JAW}sr!@k2?$(~fDyb!z6gG7+Ii@Q}kqhYgsbet5^tMISpib=7Pd
z{1o4y^GQ0?edLR;ph9A{y_$lAjXqv<R*rTtFBXp3Mnr4m-~2~rTkS{g9>V#C%q@xj
zYXTd`{I${^*ox0DIUxt2yUB?5C?siAx(HXvWRB8&4nkn9NvB%Y$Yd#A=|`4wU1R4+
zY31<3TEY;C^(@pBF*>e3jcy`33EVdjJ=X*l1q4ldCepyZ2d4MsVwfGRNl-q!)t@|`
z`LD2EeVN$Cl6#3lmG-x6^s`a@Reqp0*HSci$;~Q7`e4Gz+)Jr8=a2T18*E$R3zV&@
z+|g<Sojo4pi^tBFQ;uR}b+aT|9+wPc*ZPCF1DU7+@;Gt2lUJZK`1a&f(m$5?SK0@o
z6B7=CekSFj?2+5Q)5WN_HF}gv{i*Y(=zbdSPA2hnZgKRTjNx`{ZnoLNmL27}Kjf#9
zQQ6alpbMBJQyoJtEiVCyb@T0>3YrpI{~5pII_#uSY;pT#Dyxem)e!;mPGJPw7O7U9
z1TG(?>i=zQ7gZ!hKG*XN$gVZ6W=O)6$4sSHksVs;Tnb}C>P)N9k^DEEC>L)d1iNFe
znM5c!ls7*$l;B2?hZdvIrso__vW2VYPNMBlB-03>PzI5_8Fl^rU~?L4-ly@y<N8G@
ze38r<4aBx({|9qTpTdLkt-4#!=g5q-`PajSv4s9;y9{@!YNwKw%nF*Z4qLeJctzJJ
zt@j1!c>pJk6>9zGy5u5t{1DHsI=r<XUdX|DuokMK{%-1slv6n?LRHJ7EVg^(r`1iO
z7{i7l3$*et51H9QY%V?#?)BENBQkLGTGlq0Pg_kDYLHY4##-V*NlMHzCpx}V4AWAo
z0+pnH5)AX?c;N^H-Lv|Yn3XmR=!Ug@yE@lEBGNfg^1+eT6jh)xMK=0!_k(r-E^>y1
zB>Tb%b2GbgNbti624GS8L38pxk{!H1m4gCC8;e&86N~|H#!RsR-S%N|L->OCW&HX?
z#xqwE(tjV)oEJApy+A}@zHG3+eWWaf0rFzlTN_{q;2$pXnWtGdYUFUt!`QnYELh2!
zpeD`quH}h<G8)+^pl4dw3X(BfA8M89I2;kqQNNsaYgdSF1C+Uvt@mM?kt}7P8O=O?
z3hDn)tHs&D<d*yT)BNo@&<vm(#|;)3o?}j{(lc0hK8L=mpu_m$*w?0Cr?>IN+UmP+
z?5s9NbA(ok6t)9Au|#C*j>LUpW^d<e(`sYx3&<RCq!L{mYbgp!Zssu#%-Jq|3?L*w
z`l;-)HJf*qYo4hBw&tX3^TvRMts`FXvTwu+=Ne)*T2Q3${;NVAhU=Eaeuq5Ai*=()
zK=#UQwr2X*3V@|I_^|*5T1%B6EXE&6IDuoXze-kX-P0z56{ae8LIUZoO`urr3^Nsg
z2U=YmGwb{TMHvm9Ln?{Vo6zdRfhbpxth)9&yg7=aNUvyzD4d~$#rj)#tM50v!<(LJ
zckw}oBdS!}dxppGBcdG^x7Pv@mc-}#fGMz$N3hcrtrm9EN?q=K<j#|ZRmycB=8dmm
zAVU9;JX+lWIcD9k)mz-$(vis*!lXtAXse)(?EwqYO#yXy8vs%*8xl@9&{xU)#*eED
zqoXf3KQ~YyEM^cOM+z&@GkDkWXLcm^$Wmj%b0tJ-=2}xb-%L}YVT|a(Fwm93AI2<R
z$2Z7e5=C6^Se3Ve72=P%Axkvf_w48>5oY26F5#?-=p5hRC!58r@ij3HiZZ`Nggsdp
z)zAh#gr}Sp67qff!!gY`?ibxBoEx(ScvJrJ*ybyCxDhD!r~KCNE3+-DZIHJ8Y(pT?
zTHPkD88?PA0!rEU!{F^lhy~FF)b)?!X`CB4m?;quA=Xf)1gYqJ7`Kz`U>boe8M+;e
zdglhQA`E1qIQI7}l~<w9<pQ!L;D><l$Oc5A-4PKf4e>5_$F>mK5+WYaVa^al^Xu3J
m;$?mv|NpDZyIqrC_6~^lm1z&Y*9B-@A!`f!3)SXV<Ngcv_hwE2

literal 0
HcmV?d00001

diff --git a/issues/connection_reset_issue_pod_out_cluster.md b/issues/connection_reset_issue_pod_out_cluster.md
new file mode 100644
index 0000000..2c6ab3e
--- /dev/null
+++ b/issues/connection_reset_issue_pod_out_cluster.md
@@ -0,0 +1,27 @@
+# Connection Reset Issue between Pod and Out of Cluster
+
+In general, when a container transmits a packet to outside the cluster, the packet is SNAT'ed. After that, when receiving a response packet from outside the container, the response packet must be DNAT'ed and delivered to the pod. However, due to the conntrack bug of the kernel, the response packet is regarded as an invliad packet, so there is a problem that the respose packet is not DNAT'ed and transmiited to the host. The host considers the response packet sent to the host as an incorrectly transmitted packet and disconnects the TCP connection by sending a reset packet.
+
+## How to solve it
+
+network-node-manager adds DROP rule for invalid packet to INPUT chain in filter table. Below are rules set by network-node-manager.
+
+```
+$ iptables -nvL -t filter
+...
+Chain INPUT (policy ACCEPT 3229 packets, 597K bytes)
+ pkts bytes target     prot opt in     out     source               destination
+ 246K   56M NMANAGER_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+...
+Chain NMANAGER_INPUT (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+ 246K   56M NMANAGER_DROP_INVALID_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+
+Chain NMANAGER_DROP_INVALID_INPUT (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
+```
+
+## References
+
+* https://github.com/moby/libnetwork/issues/1090 
diff --git a/issues/external_IP_access_issue_IPVS_proxy_mode.md b/issues/external_IP_access_issue_IPVS_proxy_mode.md
new file mode 100644
index 0000000..b15b967
--- /dev/null
+++ b/issues/external_IP_access_issue_IPVS_proxy_mode.md
@@ -0,0 +1,52 @@
+# External-IP Access Issue with IPVS Proxy Mode
+
+When using IPVS proxy mode, External-IP assigned through the LoadBalancer type service with externalTrafficPolcy=Local option cannot be accessed from inside the cluster. Currently kubernetes is not preparing any patch to fix this issue.
+
+## How to solve it
+
+network-node-manager adds two DNAT rules for each LoadBalancer type service. One is added to the prerouting chain and the other is added to the output chain. The DNAT rule in the prerouting chain is for the pod that uses pod-only network namespace. On the other hand, The DNAT rule in the output chain is for the pod that uses host network namespace. All DNAT rules only target packets from pods on the host. Below are example rules set by network-node-manager.
+
+```
+$ kubectl -n default get service
+NAME           TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
+lb-service-1   LoadBalancer   10.231.42.164   10.19.20.201   80:31751/TCP,443:30126/TCP   16d
+lb-service-2   LoadBalancer   10.231.2.62     10.19.22.57    80:32352/TCP,443:31549/TCP   16d
+
+$ iptables -nvL -t nat
+...
+Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+  190 20813 NMANAGER_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+
+Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+  651 41106 NMANAGER_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+...
+Chain NMANAGER_OUTPUT (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+  650 41046 NMANAGER_EX_CLUS_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+
+Chain NMANAGER_PREROUTING (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+  190 20813 NMANAGER_EX_CLUS_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
+...
+Chain NMANAGER_EX_CLUS_OUTPUT (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 KUBE-MARK-MASQ  all  --  *      *       0.0.0.0/0            10.19.20.201         /* default/lb-service-1 */ ADDRTYPE match src-type LOCAL
+    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.19.20.201         /* default/lb-service-1 */ ADDRTYPE match src-type LOCAL to:10.231.42.164
+    2   120 KUBE-MARK-MASQ  all  --  *      *       0.0.0.0/0            10.19.22.57          /* default/lb-service-2 */ ADDRTYPE match src-type LOCAL
+    2   120 DNAT       all  --  *      *       0.0.0.0/0            10.19.22.57          /* default/lb-service-2 */ ADDRTYPE match src-type LOCAL to:10.231.2.62
+
+Chain NMANAGER_EX_CLUS_PREROUTING (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 KUBE-MARK-MASQ  all  --  *      *       10.240.2.128/25      10.19.20.201         /* default/lb-service-1 */
+    0     0 DNAT       all  --  *      *       10.240.2.128/25      10.19.20.201         /* default/lb-service-1 */ to:10.231.42.164
+    1    60 KUBE-MARK-MASQ  all  --  *      *       10.240.2.128/25      10.19.22.57          /* default/lb-service-2 */
+    1    60 DNAT       all  --  *      *       10.240.2.128/25      10.19.22.57          /* default/lb-service-2 */ to:10.231.2.62
+...
+```
+
+## References
+
+* https://github.com/kubernetes/kubernetes/issues/75262
+
diff --git a/main.go b/main.go
index 6843d13..bd0d4c0 100644
--- a/main.go
+++ b/main.go
@@ -50,6 +50,7 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
+	// Initalize controller manager
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
@@ -62,6 +63,7 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Initialize service controller
 	if err = (&controllers.ServiceReconciler{
 		Client: mgr.GetClient(),
 		Log:    ctrl.Log.WithName("controllers").WithName("Service"),
@@ -72,6 +74,7 @@ func main() {
 	}
 	// +kubebuilder:scaffold:builder
 
+	// Run service controller
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")
diff --git a/pkg/configs/configs.go b/pkg/configs/configs.go
index 79e70bd..4a3d177 100644
--- a/pkg/configs/configs.go
+++ b/pkg/configs/configs.go
@@ -7,11 +7,16 @@ import (
 )
 
 const (
-	EnvNodeName = "NODE_NAME"
+	EnvNodeName    = "NODE_NAME"
+	EnvConfigTrue  = "true"
+	EnvConfigFalse = "false"
 
 	EnvNetStack     = "NET_STACK"
 	EnvNetStackIPv4 = "ipv4"
 	EnvNetStackIPv6 = "ipv6"
+
+	EnvRuleExternalCluster  = "RULE_EXTERNAL_CLUSTER"
+	EnvRuleDropInvalidInput = "RULE_DROP_INVALID_INPUT"
 )
 
 func GetConfigNodeName() (string, error) {
@@ -41,8 +46,42 @@ func GetConfigNetStack() (bool, bool, error) {
 		} else if config == EnvNetStackIPv6 {
 			ipv6 = true
 		} else {
-			return false, false, fmt.Errorf("wrong network stack config : %s", config)
+			return false, false, fmt.Errorf("wrong config for network stack : %s", config)
 		}
 	}
 	return ipv4, ipv6, nil
 }
+
+func GetConfigRuleExternalCluster() (bool, error) {
+	// organize configs
+	config := os.Getenv(EnvRuleExternalCluster)
+	config = strings.ToLower(config)
+	if config == "" {
+		return false, nil
+	}
+
+	// return configs
+	if config == EnvConfigFalse {
+		return false, nil
+	} else if config == EnvConfigTrue {
+		return true, nil
+	}
+	return false, fmt.Errorf("wrong config for externalIP to clusterIP DNAT : %s", config)
+}
+
+func GetConfigRuleDropInvalidInput() (bool, error) {
+	// organize configs
+	config := os.Getenv(EnvRuleDropInvalidInput)
+	config = strings.ToLower(config)
+	if config == "" {
+		return true, nil
+	}
+
+	// return configs
+	if config == EnvConfigFalse {
+		return false, nil
+	} else if config == EnvConfigTrue {
+		return true, nil
+	}
+	return false, fmt.Errorf("wrong config for drop invalid packet in INPUT chain : %s", config)
+}
diff --git a/pkg/configs/configs_test.go b/pkg/configs/configs_test.go
index 238f620..70ae957 100644
--- a/pkg/configs/configs_test.go
+++ b/pkg/configs/configs_test.go
@@ -62,3 +62,29 @@ func TestGetConfigNetStack(t *testing.T) {
 		t.Errorf("wrong result - %s", "ipv6,ipv4")
 	}
 }
+
+func TestGetConfigRuleExternalCluster(t *testing.T) {
+	os.Setenv(EnvRuleExternalCluster, "")
+	flag, _ := GetConfigRuleExternalCluster()
+	if flag {
+		t.Errorf("wrong result - %s", "")
+	}
+
+	os.Setenv(EnvRuleExternalCluster, "false")
+	flag, _ = GetConfigRuleExternalCluster()
+	if flag {
+		t.Errorf("wrong result - %s", "false")
+	}
+
+	os.Setenv(EnvRuleExternalCluster, "true")
+	flag, _ = GetConfigRuleExternalCluster()
+	if !flag {
+		t.Errorf("wrong result - %s", "true")
+	}
+
+	os.Setenv(EnvRuleExternalCluster, "none")
+	_, err := GetConfigRuleExternalCluster()
+	if err == nil {
+		t.Errorf("wrong result - %s", "none")
+	}
+}
diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
index deadc50..8bc80f1 100644
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@@ -16,7 +16,9 @@ const (
 	iptablesCmdIPv6     = "ip6tables"
 	iptablesSaveCmdIPv4 = "iptables-save"
 	iptablesSaveCmdIPv6 = "ip6tables-save"
+
 	iptablesErrNoRule   = "No chain/target/match by that name"
+	iptablesErrNoTarget = "Couldn't load target"
 
 	TableNAT    Table = "nat"
 	TableFilter Table = "filter"
@@ -113,6 +115,13 @@ func deleteChain(iptablesCmd string, table Table, chain string) (string, error)
 		return string(out), nil
 	}
 
+	// Flush chain
+	cmd = exec.Command(iptablesCmd, append(args, "-F", chain)...)
+	out, err = cmd.CombinedOutput()
+	if err != nil {
+		return string(out), err
+	}
+
 	// Delete chain
 	cmd = exec.Command(iptablesCmd, append(args, "-X", chain)...)
 	out, err = cmd.CombinedOutput()
@@ -288,6 +297,9 @@ func deleteRule(iptablesCmd string, table Table, chain string, comment string, r
 		if strings.Contains(string(out), iptablesErrNoRule) {
 			// If rule isn't exist, return success
 			return string(out), nil
+		} else if strings.Contains(string(out), iptablesErrNoTarget) {
+			// If target isn't exit, return success
+			return string(out), nil
 		}
 		return string(out), err
 	}