From: Aisha Tammy
To: discuss@mandoc.bsd.lv
Subject: Segmentation fault on trying to view nft.8 man page on Gentoo
Date: Thu, 4 Feb 2021 11:15:14 -0500

Hi,
  It seems that the latest release of mandoc (1.14.5) on Gentoo has trouble
viewing the nft.8 man page (attached); it crashes with a segmentation fault.
I am able to view it on OpenBSD with man -l nft.8, after copying it over.
(I can provide access to a Gentoo virtual machine where this bug is replicable.)

I presume this must be a bug in the release version that has since been fixed.

Can we get another release which we can use so that we can avoid this bug?

Thanks a lot,
Aisha

Attachment: nft.8
dHMgYWNjZXB0Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKVGhlIHNldHMgYWxsb3dlZF9o b3N0cyBhbmQgYWxsb3dlZF9wb3J0cyBuZWVkIHRvIGJlIGNyZWF0ZWQgZmlyc3RcJi4gVGhl IG5leHQgc2VjdGlvbiBkZXNjcmliZXMgbmZ0IHNldCBzeW50YXggaW4gbW9yZSBkZXRhaWxc Ji4KLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mClxmQmFkZCBzZXRcZlIgW1xmSWZhbWls eVxmUl0gXGZJdGFibGVcZlIgXGZJc2V0XGZSIFxmQnsgdHlwZVxmUiBcZkl0eXBlXGZSIHwg XGZCdHlwZW9mXGZSIFxmSWV4cHJlc3Npb25cZlIgXGZCO1xmUiBbXGZCZmxhZ3NcZlIgXGZJ ZmxhZ3NcZlIgXGZCO1xmUl0gW1xmQnRpbWVvdXRcZlIgXGZJdGltZW91dFxmUiBcZkI7XGZS XSBbXGZCZ2NcLWludGVydmFsXGZSIFxmSWdjXC1pbnRlcnZhbFxmUiBcZkI7XGZSXSBbXGZC ZWxlbWVudHMgPSB7XGZSIFxmSWVsZW1lbnRcZlJbXGZCLFxmUiBcJi4uLl0gXGZCfSA7XGZS XSBbXGZCc2l6ZVxmUiBcZklzaXplXGZSIFxmQjtcZlJdIFtcZkJwb2xpY3lcZlIgXGZJcG9s aWN5XGZSIFxmQjtcZlJdIFtcZkJhdXRvXC1tZXJnZSA7XGZSXSBcZkJ9XGZSCntcZkJkZWxl dGVcZlIgfCBcZkJsaXN0XGZSIHwgXGZCZmx1c2hcZlJ9IFxmQnNldFxmUiBbXGZJZmFtaWx5 XGZSXSBcZkl0YWJsZVxmUiBcZklzZXRcZlIKXGZCbGlzdCBzZXRzXGZSIFtcZklmYW1pbHlc ZlJdClxmQmRlbGV0ZSBzZXRcZlIgW1xmSWZhbWlseVxmUl0gXGZJdGFibGVcZlIgXGZCaGFu ZGxlXGZSIFxmSWhhbmRsZVxmUgp7XGZCYWRkXGZSIHwgXGZCZGVsZXRlXGZSfSBcZkJlbGVt ZW50XGZSIFtcZklmYW1pbHlcZlJdIFxmSXRhYmxlXGZSIFxmSXNldFxmUiBcZkJ7XGZSIFxm SWVsZW1lbnRcZlJbXGZCLFxmUiBcJi4uLl0gXGZCfVxmUgouZmkKLmlmIG4gXHtcCi5SRQou XH0KLnNwClNldHMgYXJlIGVsZW1lbnQgY29udGFpbmVycyBvZiBhIHVzZXJcLWRlZmluZWQg ZGF0YSB0eXBlLCB0aGV5IGFyZSB1bmlxdWVseSBpZGVudGlmaWVkIGJ5IGEgdXNlclwtZGVm aW5lZCBuYW1lIGFuZCBhdHRhY2hlZCB0byB0YWJsZXNcJi4gVGhlaXIgYmVoYXZpb3VyIGNh biBiZSB0dW5lZCB3aXRoIHRoZSBmbGFncyB0aGF0IGNhbiBiZSBzcGVjaWZpZWQgYXQgc2V0 IGNyZWF0aW9uIHRpbWVcJi4KLlRTCnRhYig6KTsKbHQgbHQKbHQgbHQKbHQgbHQKbHQgbHQu ClR7Ci5zcApcZkJhZGRcZlIKVH06VHsKLnNwCkFkZCBhIG5ldyBzZXQgaW4gdGhlIHNwZWNp ZmllZCB0YWJsZVwmLiBTZWUgdGhlIFNldCBzcGVjaWZpY2F0aW9uIHRhYmxlIGJlbG93IGZv ciBtb3JlIGluZm9ybWF0aW9uIGFib3V0IGhvdyB0byBzcGVjaWZ5IGEgc2V0cyBwcm9wZXJ0 aWVzXCYuClR9ClR7Ci5zcApcZkJkZWxldGVcZlIKVH06VHsKLnNwCkRlbGV0ZSB0aGUgc3Bl Y2lmaWVkIHNldFwmLgpUfQpUewouc3AKXGZCbGlzdFxmUgpUfTpUewouc3AKRGlzcGxheSB0 
aGUgZWxlbWVudHMgaW4gdGhlIHNwZWNpZmllZCBzZXRcJi4KVH0KVHsKLnNwClxmQmZsdXNo XGZSClR9OlR7Ci5zcApSZW1vdmUgYWxsIGVsZW1lbnRzIGZyb20gdGhlIHNwZWNpZmllZCBz ZXRcJi4KVH0KLlRFCi5zcCAxCi5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1uby1zcGFjZS1m bGFnIDEKLm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmOC5cIFwmU2V0IHNw ZWNpZmljYXRpb25zCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29y ZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBs dApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBs dApsdCBsdCBsdC4KVHsKLnNwCnR5cGUKVH06VHsKLnNwCmRhdGEgdHlwZSBvZiBzZXQgZWxl bWVudHMKVH06VHsKLnNwCnN0cmluZzogaXB2NF9hZGRyLCBpcHY2X2FkZHIsIGV0aGVyX2Fk ZHIsIGluZXRfcHJvdG8sIGluZXRfc2VydmljZSwgbWFyawpUfQpUewouc3AKdHlwZW9mClR9 OlR7Ci5zcApkYXRhIHR5cGUgb2Ygc2V0IGVsZW1lbnQKVH06VHsKLnNwCmV4cHJlc3Npb24g dG8gZGVyaXZlIHRoZSBkYXRhIHR5cGUgZnJvbQpUfQpUewouc3AKZmxhZ3MKVH06VHsKLnNw CnNldCBmbGFncwpUfTpUewouc3AKc3RyaW5nOiBjb25zdGFudCwgZHluYW1pYywgaW50ZXJ2 YWwsIHRpbWVvdXQKVH0KVHsKLnNwCnRpbWVvdXQKVH06VHsKLnNwCnRpbWUgYW4gZWxlbWVu dCBzdGF5cyBpbiB0aGUgc2V0LCBtYW5kYXRvcnkgaWYgc2V0IGlzIGFkZGVkIHRvIGZyb20g dGhlIHBhY2tldCBwYXRoIChydWxlc2V0KVwmLgpUfTpUewouc3AKc3RyaW5nLCBkZWNpbWFs IGZvbGxvd2VkIGJ5IHVuaXRcJi4gVW5pdHMgYXJlOiBkLCBoLCBtLCBzClR9ClR7Ci5zcApn Y1wtaW50ZXJ2YWwKVH06VHsKLnNwCmdhcmJhZ2UgY29sbGVjdGlvbiBpbnRlcnZhbCwgb25s eSBhdmFpbGFibGUgd2hlbiB0aW1lb3V0IG9yIGZsYWcgdGltZW91dCBhcmUgYWN0aXZlClR9 OlR7Ci5zcApzdHJpbmcsIGRlY2ltYWwgZm9sbG93ZWQgYnkgdW5pdFwmLiBVbml0cyBhcmU6 IGQsIGgsIG0sIHMKVH0KVHsKLnNwCmVsZW1lbnRzClR9OlR7Ci5zcAplbGVtZW50cyBjb250 YWluZWQgYnkgdGhlIHNldApUfTpUewouc3AKc2V0IGRhdGEgdHlwZQpUfQpUewouc3AKc2l6 ZQpUfTpUewouc3AKbWF4aW11bSBudW1iZXIgb2YgZWxlbWVudHMgaW4gdGhlIHNldCwgbWFu ZGF0b3J5IGlmIHNldCBpcyBhZGRlZCB0byBmcm9tIHRoZSBwYWNrZXQgcGF0aCAocnVsZXNl dClcJi4KVH06VHsKLnNwCnVuc2lnbmVkIGludGVnZXIgKDY0IGJpdCkKVH0KVHsKLnNwCnBv bGljeQpUfTpUewouc3AKc2V0IHBvbGljeQpUfTpUewouc3AKc3RyaW5nOiBwZXJmb3JtYW5j ZSBbZGVmYXVsdF0sIG1lbW9yeQpUfQpUewouc3AKYXV0b1wtbWVyZ2UKVH06VHsKLnNwCmF1 
dG9tYXRpYyBtZXJnZSBvZiBhZGphY2VudC9vdmVybGFwcGluZyBzZXQgZWxlbWVudHMgKG9u bHkgZm9yIGludGVydmFsIHNldHMpClR9OlR7Ci5zcApUfQouVEUKLnNwIDEKLlNIICJNQVBT Igouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCYWRkIG1hcFxmUiBbXGZJZmFtaWx5 XGZSXSBcZkl0YWJsZVxmUiBcZkltYXBcZlIgXGZCeyB0eXBlXGZSIFxmSXR5cGVcZlIgfCBc ZkJ0eXBlb2ZcZlIgXGZJZXhwcmVzc2lvblxmUiBbXGZCZmxhZ3NcZlIgXGZJZmxhZ3NcZlIg XGZCO1xmUl0gW1xmQmVsZW1lbnRzID0ge1xmUiBcZkllbGVtZW50XGZSW1xmQixcZlIgXCYu Li5dIFxmQn0gO1xmUl0gW1xmQnNpemVcZlIgXGZJc2l6ZVxmUiBcZkI7XGZSXSBbXGZCcG9s aWN5XGZSIFxmSXBvbGljeVxmUiBcZkI7XGZSXSBcZkJ9XGZSCntcZkJkZWxldGVcZlIgfCBc ZkJsaXN0XGZSIHwgXGZCZmx1c2hcZlJ9IFxmQm1hcFxmUiBbXGZJZmFtaWx5XGZSXSBcZkl0 YWJsZVxmUiBcZkltYXBcZlIKXGZCbGlzdCBtYXBzXGZSIFtcZklmYW1pbHlcZlJdCi5maQou aWYgbiBce1wKLlJFCi5cfQouc3AKTWFwcyBzdG9yZSBkYXRhIGJhc2VkIG9uIHNvbWUgc3Bl Y2lmaWMga2V5IHVzZWQgYXMgaW5wdXRcJi4gVGhleSBhcmUgdW5pcXVlbHkgaWRlbnRpZmll ZCBieSBhIHVzZXJcLWRlZmluZWQgbmFtZSBhbmQgYXR0YWNoZWQgdG8gdGFibGVzXCYuCi5U Uwp0YWIoOik7Cmx0IGx0Cmx0IGx0Cmx0IGx0Cmx0IGx0Cmx0IGx0Cmx0IGx0LgpUewouc3AK XGZCYWRkXGZSClR9OlR7Ci5zcApBZGQgYSBuZXcgbWFwIGluIHRoZSBzcGVjaWZpZWQgdGFi bGVcJi4KVH0KVHsKLnNwClxmQmRlbGV0ZVxmUgpUfTpUewouc3AKRGVsZXRlIHRoZSBzcGVj aWZpZWQgbWFwXCYuClR9ClR7Ci5zcApcZkJsaXN0XGZSClR9OlR7Ci5zcApEaXNwbGF5IHRo ZSBlbGVtZW50cyBpbiB0aGUgc3BlY2lmaWVkIG1hcFwmLgpUfQpUewouc3AKXGZCZmx1c2hc ZlIKVH06VHsKLnNwClJlbW92ZSBhbGwgZWxlbWVudHMgZnJvbSB0aGUgc3BlY2lmaWVkIG1h cFwmLgpUfQpUewouc3AKXGZCYWRkIGVsZW1lbnRcZlIKVH06VHsKLnNwCkNvbW1hXC1zZXBh cmF0ZWQgbGlzdCBvZiBlbGVtZW50cyB0byBhZGQgaW50byB0aGUgc3BlY2lmaWVkIG1hcFwm LgpUfQpUewouc3AKXGZCZGVsZXRlIGVsZW1lbnRcZlIKVH06VHsKLnNwCkNvbW1hXC1zZXBh cmF0ZWQgbGlzdCBvZiBlbGVtZW50IGtleXMgdG8gZGVsZXRlIGZyb20gdGhlIHNwZWNpZmll ZCBtYXBcJi4KVH0KLlRFCi5zcCAxCi5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1uby1zcGFj ZS1mbGFnIDEKLm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmOS5cIFwmTWFw IHNwZWNpZmljYXRpb25zCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5 d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBs 
dCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnR5cGUK VH06VHsKLnNwCmRhdGEgdHlwZSBvZiBtYXAgZWxlbWVudHMKVH06VHsKLnNwCnN0cmluZzog aXB2NF9hZGRyLCBpcHY2X2FkZHIsIGV0aGVyX2FkZHIsIGluZXRfcHJvdG8sIGluZXRfc2Vy dmljZSwgbWFyaywgY291bnRlciwgcXVvdGFcJi4gQ291bnRlciBhbmQgcXVvdGEgY2FuXChj cXQgYmUgdXNlZCBhcyBrZXlzClR9ClR7Ci5zcAp0eXBlb2YKVH06VHsKLnNwCmRhdGEgdHlw ZSBvZiBzZXQgZWxlbWVudApUfTpUewouc3AKZXhwcmVzc2lvbiB0byBkZXJpdmUgdGhlIGRh dGEgdHlwZSBmcm9tClR9ClR7Ci5zcApmbGFncwpUfTpUewouc3AKbWFwIGZsYWdzClR9OlR7 Ci5zcApzdHJpbmc6IGNvbnN0YW50LCBpbnRlcnZhbApUfQpUewouc3AKZWxlbWVudHMKVH06 VHsKLnNwCmVsZW1lbnRzIGNvbnRhaW5lZCBieSB0aGUgbWFwClR9OlR7Ci5zcAptYXAgZGF0 YSB0eXBlClR9ClR7Ci5zcApzaXplClR9OlR7Ci5zcAptYXhpbXVtIG51bWJlciBvZiBlbGVt ZW50cyBpbiB0aGUgbWFwClR9OlR7Ci5zcAp1bnNpZ25lZCBpbnRlZ2VyICg2NCBiaXQpClR9 ClR7Ci5zcApwb2xpY3kKVH06VHsKLnNwCm1hcCBwb2xpY3kKVH06VHsKLnNwCnN0cmluZzog cGVyZm9ybWFuY2UgW2RlZmF1bHRdLCBtZW1vcnkKVH0KLlRFCi5zcCAxCi5TSCAiRUxFTUVO VFMiCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgp7XGZCYWRkXGZSIHwgXGZCY3JlYXRl XGZSIHwgXGZCZGVsZXRlXGZSIHwgXGZCZ2V0XGZSIH0gXGZCZWxlbWVudFxmUiBbXGZJZmFt aWx5XGZSXSBcZkl0YWJsZVxmUiBcZklzZXRcZlIgXGZCe1xmUiBcZklFTEVNRU5UXGZSW1xm QixcZlIgXCYuLi5dIFxmQn1cZlIKClxmSUVMRU1FTlRcZlIgOj0gXGZJa2V5X2V4cHJlc3Np b25cZlIgXGZJT1BUSU9OU1xmUiBbXGZCOlxmUiBcZkl2YWx1ZV9leHByZXNzaW9uXGZSXQpc ZklPUFRJT05TXGZSIDo9IFtcZkJ0aW1lb3V0XGZSIFxmSVRJTUVTUEVDXGZSXSBbXGZCZXhw aXJlc1xmUiBcZklUSU1FU1BFQ1xmUl0gW1xmQmNvbW1lbnRcZlIgXGZJc3RyaW5nXGZSXQpc ZklUSU1FU1BFQ1xmUiA6PSBbXGZJbnVtXGZSXGZCZFxmUl1bXGZJbnVtXGZSXGZCaFxmUl1b XGZJbnVtXGZSXGZCbVxmUl1bXGZJbnVtXGZSW1xmQnNcZlJdXQouZmkKLmlmIG4gXHtcCi5S RQouXH0KLnNwCkVsZW1lbnRcLXJlbGF0ZWQgY29tbWFuZHMgYWxsb3cgdG8gY2hhbmdlIGNv bnRlbnRzIG9mIG5hbWVkIHNldHMgYW5kIG1hcHNcJi4gXGZJa2V5X2V4cHJlc3Npb25cZlIg aXMgdHlwaWNhbGx5IGEgdmFsdWUgbWF0Y2hpbmcgdGhlIHNldCB0eXBlXCYuIFxmSXZhbHVl X2V4cHJlc3Npb25cZlIgaXMgbm90IGFsbG93ZWQgaW4gc2V0cyBidXQgbWFuZGF0b3J5IHdo ZW4gYWRkaW5nIHRvIG1hcHMsIHdoZXJlIGl0IG1hdGNoZXMgdGhlIGRhdGEgcGFydCBpbiBp 
dFwoY3FzIHR5cGUgZGVmaW5pdGlvblwmLiBXaGVuIGRlbGV0aW5nIGZyb20gbWFwcywgaXQg bWF5IGJlIHNwZWNpZmllZCBidXQgaXMgb3B0aW9uYWwgYXMgXGZJa2V5X2V4cHJlc3Npb25c ZlIgdW5pcXVlbHkgaWRlbnRpZmllcyB0aGUgZWxlbWVudFwmLgouc3AKXGZCY3JlYXRlXGZS IGNvbW1hbmQgaXMgc2ltaWxhciB0byBcZkJhZGRcZlIgd2l0aCB0aGUgZXhjZXB0aW9uIHRo YXQgbm9uZSBvZiB0aGUgbGlzdGVkIGVsZW1lbnRzIG1heSBhbHJlYWR5IGV4aXN0XCYuCi5z cApcZkJnZXRcZlIgY29tbWFuZCBpcyB1c2VmdWwgdG8gY2hlY2sgaWYgYW4gZWxlbWVudCBp cyBjb250YWluZWQgaW4gYSBzZXQgd2hpY2ggbWF5IGJlIG5vblwtdHJpdmlhbCBpbiB2ZXJ5 IGxhcmdlIGFuZC9vciBpbnRlcnZhbCBzZXRzXCYuIEluIHRoZSBsYXR0ZXIgY2FzZSwgdGhl IGNvbnRhaW5pbmcgaW50ZXJ2YWwgaXMgcmV0dXJuZWQgaW5zdGVhZCBvZiBqdXN0IHRoZSBl bGVtZW50IGl0c2VsZlwmLgouc3AKLml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxh ZyAxCi5uciBhbi1icmVhay1mbGFnIDEKLmJyCi5CIFRhYmxlXCBcJjEwLlwgXCZFbGVtZW50 IG9wdGlvbnMKLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBsdEIuClR7Ck9wdGlvbgpUfTpUewpE ZXNjcmlwdGlvbgpUfQouVCYKbHQgbHQKbHQgbHQKbHQgbHQuClR7Ci5zcAp0aW1lb3V0ClR9 OlR7Ci5zcAp0aW1lb3V0IHZhbHVlIGZvciBzZXRzL21hcHMgd2l0aCBmbGFnIFxmQnRpbWVv dXRcZlIKVH0KVHsKLnNwCmV4cGlyZXMKVH06VHsKLnNwCnRoZSB0aW1lIHVudGlsIGdpdmVu IGVsZW1lbnQgZXhwaXJlcywgdXNlZnVsIGZvciBydWxlc2V0IHJlcGxpY2F0aW9uIG9ubHkK VH0KVHsKLnNwCmNvbW1lbnQKVH06VHsKLnNwCnBlciBlbGVtZW50IGNvbW1lbnQgZmllbGQK VH0KLlRFCi5zcCAxCi5TSCAiRkxPV1RBQkxFUyIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0K Lm5mCntcZkJhZGRcZlIgfCBcZkJjcmVhdGVcZlJ9IFxmQmZsb3d0YWJsZVxmUiBbXGZJZmFt aWx5XGZSXSBcZkl0YWJsZVxmUiBcZklmbG93dGFibGVcZlIgXGZCeyBob29rXGZSIFxmSWhv b2tcZlIgXGZCcHJpb3JpdHlcZlIgXGZJcHJpb3JpdHlcZlIgXGZCOyBkZXZpY2VzID0ge1xm UiBcZklkZXZpY2VcZlJbXGZCLFxmUiBcJi4uLl0gXGZCfSA7IH1cZlIKXGZCbGlzdCBmbG93 dGFibGVzXGZSIFtcZklmYW1pbHlcZlJdCntcZkJkZWxldGVcZlIgfCBcZkJsaXN0XGZSfSBc ZkJmbG93dGFibGVcZlIgW1xmSWZhbWlseVxmUl0gXGZJdGFibGVcZlIgXGZJZmxvd3RhYmxl XGZSClxmQmRlbGV0ZVxmUiBcZkJmbG93dGFibGVcZlIgW1xmSWZhbWlseVxmUl0gXGZJdGFi bGVcZlIgXGZCaGFuZGxlXGZSIFxmSWhhbmRsZVxmUgouZmkKLmlmIG4gXHtcCi5SRQouXH0K LnNwCkZsb3d0YWJsZXMgYWxsb3cgeW91IHRvIGFjY2VsZXJhdGUgcGFja2V0IGZvcndhcmRp 
bmcgaW4gc29mdHdhcmVcJi4gRmxvd3RhYmxlcyBlbnRyaWVzIGFyZSByZXByZXNlbnRlZCB0 aHJvdWdoIGEgdHVwbGUgdGhhdCBpcyBjb21wb3NlZCBvZiB0aGUgaW5wdXQgaW50ZXJmYWNl LCBzb3VyY2UgYW5kIGRlc3RpbmF0aW9uIGFkZHJlc3MsIHNvdXJjZSBhbmQgZGVzdGluYXRp b24gcG9ydDsgYW5kIGxheWVyIDMvNCBwcm90b2NvbHNcJi4gRWFjaCBlbnRyeSBhbHNvIGNh Y2hlcyB0aGUgZGVzdGluYXRpb24gaW50ZXJmYWNlIGFuZCB0aGUgZ2F0ZXdheSBhZGRyZXNz IFwtIHRvIHVwZGF0ZSB0aGUgZGVzdGluYXRpb24gbGlua1wtbGF5ZXIgYWRkcmVzcyBcLSB0 byBmb3J3YXJkIHBhY2tldHNcJi4gVGhlIHR0bCBhbmQgaG9wbGltaXQgZmllbGRzIGFyZSBh bHNvIGRlY3JlbWVudGVkXCYuIEhlbmNlLCBmbG93dGFibGVzIHByb3ZpZGVzIGFuIGFsdGVy bmF0aXZlIHBhdGggdGhhdCBhbGxvdyBwYWNrZXRzIHRvIGJ5cGFzcyB0aGUgY2xhc3NpYyBm b3J3YXJkaW5nIHBhdGhcJi4gRmxvd3RhYmxlcyByZXNpZGUgaW4gdGhlIGluZ3Jlc3MgaG9v ayB0aGF0IGlzIGxvY2F0ZWQgYmVmb3JlIHRoZSBwcmVyb3V0aW5nIGhvb2tcJi4gWW91IGNh biBzZWxlY3Qgd2hpY2ggZmxvd3MgeW91IHdhbnQgdG8gb2ZmbG9hZCB0aHJvdWdoIHRoZSBm bG93IGV4cHJlc3Npb24gZnJvbSB0aGUgZm9yd2FyZCBjaGFpblwmLiBGbG93dGFibGVzIGFy ZSBpZGVudGlmaWVkIGJ5IHRoZWlyIGFkZHJlc3MgZmFtaWx5IGFuZCB0aGVpciBuYW1lXCYu IFRoZSBhZGRyZXNzIGZhbWlseSBtdXN0IGJlIG9uZSBvZiBpcCwgaXA2LCBvciBpbmV0XCYu IFRoZSBpbmV0IGFkZHJlc3MgZmFtaWx5IGlzIGEgZHVtbXkgZmFtaWx5IHdoaWNoIGlzIHVz ZWQgdG8gY3JlYXRlIGh5YnJpZCBJUHY0L0lQdjYgdGFibGVzXCYuIFdoZW4gbm8gYWRkcmVz cyBmYW1pbHkgaXMgc3BlY2lmaWVkLCBpcCBpcyB1c2VkIGJ5IGRlZmF1bHRcJi4KLnNwClRo ZSBcZkJwcmlvcml0eVxmUiBjYW4gYmUgYSBzaWduZWQgaW50ZWdlciBvciBcZkJmaWx0ZXJc ZlIgd2hpY2ggc3RhbmRzIGZvciAwXCYuIEFkZGl0aW9uIGFuZCBzdWJ0cmFjdGlvbiBjYW4g YmUgdXNlZCB0byBzZXQgcmVsYXRpdmUgcHJpb3JpdHksIGVcJi5nXCYuIGZpbHRlciArIDUg ZXF1YWxzIHRvIDVcJi4KLlRTCnRhYig6KTsKbHQgbHQKbHQgbHQKbHQgbHQuClR7Ci5zcApc ZkJhZGRcZlIKVH06VHsKLnNwCkFkZCBhIG5ldyBmbG93dGFibGUgZm9yIHRoZSBnaXZlbiBm YW1pbHkgd2l0aCB0aGUgZ2l2ZW4gbmFtZVwmLgpUfQpUewouc3AKXGZCZGVsZXRlXGZSClR9 OlR7Ci5zcApEZWxldGUgdGhlIHNwZWNpZmllZCBmbG93dGFibGVcJi4KVH0KVHsKLnNwClxm Qmxpc3RcZlIKVH06VHsKLnNwCkxpc3QgYWxsIGZsb3d0YWJsZXNcJi4KVH0KLlRFCi5zcCAx Ci5TSCAiU1RBVEVGVUwgT0JKRUNUUyIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCntc 
ZkJhZGRcZlIgfCBcZkJkZWxldGVcZlIgfCBcZkJsaXN0XGZSIHwgXGZCcmVzZXRcZlJ9IFxm SXR5cGVcZlIgW1xmSWZhbWlseVxmUl0gXGZJdGFibGVcZlIgXGZJb2JqZWN0XGZSClxmQmRl bGV0ZVxmUiBcZkl0eXBlXGZSIFtcZklmYW1pbHlcZlJdIFxmSXRhYmxlXGZSIFxmQmhhbmRs ZVxmUiBcZkloYW5kbGVcZlIKXGZCbGlzdCBjb3VudGVyc1xmUiBbXGZJZmFtaWx5XGZSXQpc ZkJsaXN0IHF1b3Rhc1xmUiBbXGZJZmFtaWx5XGZSXQouZmkKLmlmIG4gXHtcCi5SRQouXH0K LnNwClN0YXRlZnVsIG9iamVjdHMgYXJlIGF0dGFjaGVkIHRvIHRhYmxlcyBhbmQgYXJlIGlk ZW50aWZpZWQgYnkgYW4gdW5pcXVlIG5hbWVcJi4gVGhleSBncm91cCBzdGF0ZWZ1bCBpbmZv cm1hdGlvbiBmcm9tIHJ1bGVzLCB0byByZWZlcmVuY2UgdGhlbSBpbiBydWxlcyB0aGUga2V5 d29yZHMgInR5cGUgbmFtZSIgYXJlIHVzZWQgZVwmLmdcJi4gImNvdW50ZXIgbmFtZSJcJi4K LlRTCnRhYig6KTsKbHQgbHQKbHQgbHQKbHQgbHQKbHQgbHQuClR7Ci5zcApcZkJhZGRcZlIK VH06VHsKLnNwCkFkZCBhIG5ldyBzdGF0ZWZ1bCBvYmplY3QgaW4gdGhlIHNwZWNpZmllZCB0 YWJsZVwmLgpUfQpUewouc3AKXGZCZGVsZXRlXGZSClR9OlR7Ci5zcApEZWxldGUgdGhlIHNw ZWNpZmllZCBvYmplY3RcJi4KVH0KVHsKLnNwClxmQmxpc3RcZlIKVH06VHsKLnNwCkRpc3Bs YXkgc3RhdGVmdWwgaW5mb3JtYXRpb24gdGhlIG9iamVjdCBob2xkc1wmLgpUfQpUewouc3AK XGZCcmVzZXRcZlIKVH06VHsKLnNwCkxpc3RcLWFuZFwtcmVzZXQgc3RhdGVmdWwgb2JqZWN0 XCYuClR9Ci5URQouc3AgMQouU1MgIkNUIEhFTFBFUiIKLnNwCi5pZiBuIFx7XAouUlMgNAou XH0KLm5mClxmQmN0IGhlbHBlclxmUiBcZkloZWxwZXJcZlIgXGZCeyB0eXBlXGZSIFxmSXR5 cGVcZlIgXGZCcHJvdG9jb2xcZlIgXGZJcHJvdG9jb2xcZlIgXGZCO1xmUiBbXGZCbDNwcm90 b1xmUiBcZklmYW1pbHlcZlIgXGZCO1xmUl0gXGZCfVxmUgouZmkKLmlmIG4gXHtcCi5SRQou XH0KLnNwCkN0IGhlbHBlciBpcyB1c2VkIHRvIGRlZmluZSBjb25uZWN0aW9uIHRyYWNraW5n IGhlbHBlcnMgdGhhdCBjYW4gdGhlbiBiZSB1c2VkIGluIGNvbWJpbmF0aW9uIHdpdGggdGhl IFxmQmN0IGhlbHBlciBzZXRcZlIgc3RhdGVtZW50XCYuIFxmSXR5cGVcZlIgYW5kIFxmSXBy b3RvY29sXGZSIGFyZSBtYW5kYXRvcnksIGwzcHJvdG8gaXMgZGVyaXZlZCBmcm9tIHRoZSB0 YWJsZSBmYW1pbHkgYnkgZGVmYXVsdCwgaVwmLmVcJi4gaW4gdGhlIGluZXQgdGFibGUgdGhl IGtlcm5lbCB3aWxsIHRyeSB0byBsb2FkIGJvdGggdGhlIGlwdjQgYW5kIGlwdjYgaGVscGVy IGJhY2tlbmRzLCBpZiB0aGV5IGFyZSBzdXBwb3J0ZWQgYnkgdGhlIGtlcm5lbFwmLgouc3AK Lml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFn 
IDEKLmJyCi5CIFRhYmxlXCBcJjExLlwgXCZjb25udHJhY2sgaGVscGVyIHNwZWNpZmljYXRp b25zCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpE ZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBs dC4KVHsKLnNwCnR5cGUKVH06VHsKLnNwCm5hbWUgb2YgaGVscGVyIHR5cGUKVH06VHsKLnNw CnF1b3RlZCBzdHJpbmcgKGVcJi5nXCYuICJmdHAiKQpUfQpUewouc3AKcHJvdG9jb2wKVH06 VHsKLnNwCmxheWVyIDQgcHJvdG9jb2wgb2YgdGhlIGhlbHBlcgpUfTpUewouc3AKc3RyaW5n IChlXCYuZ1wmLiBpcCkKVH0KVHsKLnNwCmwzcHJvdG8KVH06VHsKLnNwCmxheWVyIDMgcHJv dG9jb2wgb2YgdGhlIGhlbHBlcgpUfTpUewouc3AKYWRkcmVzcyBmYW1pbHkgKGVcJi5nXCYu IGlwKQpUfQouVEUKLnNwIDEKLlBQClxmQmRlZmluaW5nIGFuZCBhc3NpZ25pbmcgZnRwIGhl bHBlclxmUi4gCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpVbmxpa2UgaXB0YWJsZXMs IGhlbHBlciBhc3NpZ25tZW50IG5lZWRzIHRvIGJlIHBlcmZvcm1lZCBhZnRlciB0aGUgY29u bnRyYWNrCmxvb2t1cCBoYXMgY29tcGxldGVkLCBmb3IgZXhhbXBsZSB3aXRoIHRoZSBkZWZh dWx0IDAgaG9vayBwcmlvcml0eVwmLgoKdGFibGUgaW5ldCBteWhlbHBlcnMgewogIGN0IGhl bHBlciBmdHBcLXN0YW5kYXJkIHsKICAgICB0eXBlICJmdHAiIHByb3RvY29sIHRjcAogIH0K ICBjaGFpbiBwcmVyb3V0aW5nIHsKICAgICAgdHlwZSBmaWx0ZXIgaG9vayBwcmVyb3V0aW5n IHByaW9yaXR5IDA7CiAgICAgIHRjcCBkcG9ydCAyMSBjdCBoZWxwZXIgc2V0ICJmdHBcLXN0 YW5kYXJkIgogIH0KfQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5TUyAiQ1QgVElNRU9V VCIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mClxmQmN0IHRpbWVvdXRcZlIgXGZJbmFt ZVxmUiBcZkJ7IHByb3RvY29sXGZSIFxmSXByb3RvY29sXGZSIFxmQjsgcG9saWN5ID0ge1xm UiBcZklzdGF0ZVxmUlxmQjpcZlIgXGZJdmFsdWVcZlIgW1xmQixcZlIgXCYuLi5dIFxmQn0g O1xmUiBbXGZCbDNwcm90b1xmUiBcZklmYW1pbHlcZlIgXGZCO1xmUl0gXGZCfVxmUgouZmkK LmlmIG4gXHtcCi5SRQouXH0KLnNwCkN0IHRpbWVvdXQgaXMgdXNlZCB0byB1cGRhdGUgY29u bmVjdGlvbiB0cmFja2luZyB0aW1lb3V0IHZhbHVlc1wmLlRpbWVvdXQgcG9saWNpZXMgYXJl IGFzc2lnbmVkIHdpdGggdGhlIFxmQmN0IHRpbWVvdXQgc2V0XGZSIHN0YXRlbWVudFwmLiBc Zklwcm90b2NvbFxmUiBhbmQgXGZJcG9saWN5XGZSIGFyZSBtYW5kYXRvcnksIGwzcHJvdG8g aXMgZGVyaXZlZCBmcm9tIHRoZSB0YWJsZSBmYW1pbHkgYnkgZGVmYXVsdFwmLgouc3AKLml0 IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFnIDEK 
LmJyCi5CIFRhYmxlXCBcJjEyLlwgXCZjb25udHJhY2sgdGltZW91dCBzcGVjaWZpY2F0aW9u cwouVFMKYWxsYm94IHRhYig6KTsKbHRCIGx0QiBsdEIuClR7CktleXdvcmQKVH06VHsKRGVz Y3JpcHRpb24KVH06VHsKVHlwZQpUfQouVCYKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQK bHQgbHQgbHQuClR7Ci5zcApwcm90b2NvbApUfTpUewouc3AKbGF5ZXIgNCBwcm90b2NvbCBv ZiB0aGUgdGltZW91dCBvYmplY3QKVH06VHsKLnNwCnN0cmluZyAoZVwmLmdcJi4gaXApClR9 ClR7Ci5zcApzdGF0ZQpUfTpUewouc3AKY29ubmVjdGlvbiBzdGF0ZSBuYW1lClR9OlR7Ci5z cApzdHJpbmcgKGVcJi5nXCYuICJlc3RhYmxpc2hlZCIpClR9ClR7Ci5zcAp2YWx1ZQpUfTpU ewouc3AKdGltZW91dCB2YWx1ZSBmb3IgY29ubmVjdGlvbiBzdGF0ZQpUfTpUewouc3AKdW5z aWduZWQgaW50ZWdlcgpUfQpUewouc3AKbDNwcm90bwpUfTpUewouc3AKbGF5ZXIgMyBwcm90 b2NvbCBvZiB0aGUgdGltZW91dCBvYmplY3QKVH06VHsKLnNwCmFkZHJlc3MgZmFtaWx5IChl XCYuZ1wmLiBpcCkKVH0KLlRFCi5zcCAxCi5QUApcZkJkZWZpbmluZyBhbmQgYXNzaWduaW5n IGN0IHRpbWVvdXQgcG9saWN5XGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCnRh YmxlIGlwIGZpbHRlciB7CiAgICAgICAgY3QgdGltZW91dCBjdXN0b210aW1lb3V0IHsKICAg ICAgICAgICAgICAgIHByb3RvY29sIHRjcDsKICAgICAgICAgICAgICAgIGwzcHJvdG8gaXAK ICAgICAgICAgICAgICAgIHBvbGljeSA9IHsgZXN0YWJsaXNoZWQ6IDEyMCwgY2xvc2U6IDIw IH0KICAgICAgICB9CgogICAgICAgIGNoYWluIG91dHB1dCB7CiAgICAgICAgICAgICAgICB0 eXBlIGZpbHRlciBob29rIG91dHB1dCBwcmlvcml0eSBmaWx0ZXI7IHBvbGljeSBhY2NlcHQ7 CiAgICAgICAgICAgICAgICBjdCB0aW1lb3V0IHNldCAiY3VzdG9tdGltZW91dCIKICAgICAg ICB9Cn0KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5QUApcZkJ0ZXN0aW5nIHRoZSB1cGRhdGVk IHRpbWVvdXQgcG9saWN5XGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCiUgY29u bnRyYWNrIFwtRQoKSXQgc2hvdWxkIGRpc3BsYXk6CgpbVVBEQVRFXSB0Y3AgICAgICA2IDEy MCBFU1RBQkxJU0hFRCBzcmM9MTcyXCYuMTZcJi4xOVwmLjEyOCBkc3Q9MTcyXCYuMTZcJi4x OVwmLjEKc3BvcnQ9MjIgZHBvcnQ9NDEzNjAgW1VOUkVQTElFRF0gc3JjPTE3MlwmLjE2XCYu MTlcJi4xIGRzdD0xNzJcJi4xNlwmLjE5XCYuMTI4CnNwb3J0PTQxMzYwIGRwb3J0PTIyCi5m aQouaWYgbiBce1wKLlJFCi5cfQouc3AKLlNTICJDVCBFWFBFQ1RBVElPTiIKLnNwCi5pZiBu IFx7XAouUlMgNAouXH0KLm5mClxmQmN0IGV4cGVjdGF0aW9uXGZSIFxmSW5hbWVcZlIgXGZC eyBwcm90b2NvbFxmUiBcZklwcm90b2NvbFxmUiBcZkI7IGRwb3J0XGZSIFxmSWRwb3J0XGZS 
IFxmQjsgdGltZW91dFxmUiBcZkl0aW1lb3V0XGZSIFxmQjsgc2l6ZVxmUiBcZklzaXplXGZS IFxmQjsgWypsM3Byb3RvXGZSIFxmSWZhbWlseVxmUiBcZkI7XGZSXSBcZkJ9XGZSCi5maQou aWYgbiBce1wKLlJFCi5cfQouc3AKQ3QgZXhwZWN0YXRpb24gaXMgdXNlZCB0byBjcmVhdGUg Y29ubmVjdGlvbiBleHBlY3RhdGlvbnNcJi4gRXhwZWN0YXRpb25zIGFyZSBhc3NpZ25lZCB3 aXRoIHRoZSBcZkJjdCBleHBlY3RhdGlvbiBzZXRcZlIgc3RhdGVtZW50XCYuIFxmSXByb3Rv Y29sXGZSLCBcZklkcG9ydFxmUiwgXGZJdGltZW91dFxmUiBhbmQgXGZJc2l6ZVxmUiBhcmUg bWFuZGF0b3J5LCBsM3Byb3RvIGlzIGRlcml2ZWQgZnJvbSB0aGUgdGFibGUgZmFtaWx5IGJ5 IGRlZmF1bHRcJi4KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQou bnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCYxMy5cIFwmY29ubnRyYWNrIGV4 cGVjdGF0aW9uIHNwZWNpZmljYXRpb25zCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0 Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBs dCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnByb3Rv Y29sClR9OlR7Ci5zcApsYXllciA0IHByb3RvY29sIG9mIHRoZSBleHBlY3RhdGlvbiBvYmpl Y3QKVH06VHsKLnNwCnN0cmluZyAoZVwmLmdcJi4gaXApClR9ClR7Ci5zcApkcG9ydApUfTpU ewouc3AKZGVzdGluYXRpb24gcG9ydCBvZiBleHBlY3RlZCBjb25uZWN0aW9uClR9OlR7Ci5z cAp1bnNpZ25lZCBpbnRlZ2VyClR9ClR7Ci5zcAp0aW1lb3V0ClR9OlR7Ci5zcAp0aW1lb3V0 IHZhbHVlIGZvciBleHBlY3RhdGlvbgpUfTpUewouc3AKdW5zaWduZWQgaW50ZWdlcgpUfQpU ewouc3AKc2l6ZQpUfTpUewouc3AKc2l6ZSB2YWx1ZSBmb3IgZXhwZWN0YXRpb24KVH06VHsK LnNwCnVuc2lnbmVkIGludGVnZXIKVH0KVHsKLnNwCmwzcHJvdG8KVH06VHsKLnNwCmxheWVy IDMgcHJvdG9jb2wgb2YgdGhlIGV4cGVjdGF0aW9uIG9iamVjdApUfTpUewouc3AKYWRkcmVz cyBmYW1pbHkgKGVcJi5nXCYuIGlwKQpUfQouVEUKLnNwIDEKLlBQClxmQmRlZmluaW5nIGFu ZCBhc3NpZ25pbmcgY3QgZXhwZWN0YXRpb24gcG9saWN5XGZSLiAKLnNwCi5pZiBuIFx7XAou UlMgNAouXH0KLm5mCnRhYmxlIGlwIGZpbHRlciB7CiAgICAgICAgY3QgZXhwZWN0YXRpb24g ZXhwZWN0IHsKICAgICAgICAgICAgICAgIHByb3RvY29sIHVkcAogICAgICAgICAgICAgICAg ZHBvcnQgOTg3NgogICAgICAgICAgICAgICAgdGltZW91dCAybQogICAgICAgICAgICAgICAg c2l6ZSA4CiAgICAgICAgICAgICAgICBsM3Byb3RvIGlwCiAgICAgICAgfQoKICAgICAgICBj aGFpbiBpbnB1dCB7CiAgICAgICAgICAgICAgICB0eXBlIGZpbHRlciBob29rIGlucHV0IHBy 
aW9yaXR5IGZpbHRlcjsgcG9saWN5IGFjY2VwdDsKICAgICAgICAgICAgICAgIGN0IGV4cGVj dGF0aW9uIHNldCAiZXhwZWN0IgogICAgICAgIH0KfQouZmkKLmlmIG4gXHtcCi5SRQouXH0K LnNwCi5TUyAiQ09VTlRFUiIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mClxmQmNvdW50 ZXJcZlIgW1xmSXBhY2tldHMgYnl0ZXNcZlJdCi5maQouaWYgbiBce1wKLlJFCi5cfQouc3AK Lml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFn IDEKLmJyCi5CIFRhYmxlXCBcJjE0LlwgXCZDb3VudGVyIHNwZWNpZmljYXRpb25zCi5UUwph bGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlv bgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnBhY2tldHMK VH06VHsKLnNwCmluaXRpYWwgY291bnQgb2YgcGFja2V0cwpUfTpUewouc3AKdW5zaWduZWQg aW50ZWdlciAoNjQgYml0KQpUfQpUewouc3AKYnl0ZXMKVH06VHsKLnNwCmluaXRpYWwgY291 bnQgb2YgYnl0ZXMKVH06VHsKLnNwCnVuc2lnbmVkIGludGVnZXIgKDY0IGJpdCkKVH0KLlRF Ci5zcCAxCi5TUyAiUVVPVEEiCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpcZkJxdW90 YVxmUiBbXGZCb3ZlclxmUiB8IFxmQnVudGlsXGZSXSBbXGZJdXNlZFxmUl0KLmZpCi5pZiBu IFx7XAouUkUKLlx9Ci5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1uby1zcGFjZS1mbGFnIDEK Lm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmMTUuXCBcJlF1b3RhIHNwZWNp ZmljYXRpb25zCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApU fTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdC4K VHsKLnNwCnF1b3RhClR9OlR7Ci5zcApxdW90YSBsaW1pdCwgdXNlZCBhcyB0aGUgcXVvdGEg bmFtZQpUfTpUewouc3AKVHdvIGFyZ3VtZW50cywgdW5zaWduZWQgaW50ZWdlciAoNjQgYml0 KSBhbmQgc3RyaW5nOiBieXRlcywga2J5dGVzLCBtYnl0ZXNcJi4gIm92ZXIiIGFuZCAidW50 aWwiIGdvIGJlZm9yZSB0aGVzZSBhcmd1bWVudHMKVH0KVHsKLnNwCnVzZWQKVH06VHsKLnNw CmluaXRpYWwgdmFsdWUgb2YgdXNlZCBxdW90YQpUfTpUewouc3AKVHdvIGFyZ3VtZW50cywg dW5zaWduZWQgaW50ZWdlciAoNjQgYml0KSBhbmQgc3RyaW5nOiBieXRlcywga2J5dGVzLCBt Ynl0ZXMKVH0KLlRFCi5zcCAxCi5TSCAiRVhQUkVTU0lPTlMiCi5zcApFeHByZXNzaW9ucyBy ZXByZXNlbnQgdmFsdWVzLCBlaXRoZXIgY29uc3RhbnRzIGxpa2UgbmV0d29yayBhZGRyZXNz ZXMsIHBvcnQgbnVtYmVycywgZXRjXCYuLCBvciBkYXRhIGdhdGhlcmVkIGZyb20gdGhlIHBh Y2tldCBkdXJpbmcgcnVsZXNldCBldmFsdWF0aW9uXCYuIEV4cHJlc3Npb25zIGNhbiBiZSBj 
b21iaW5lZCB1c2luZyBiaW5hcnksIGxvZ2ljYWwsIHJlbGF0aW9uYWwgYW5kIG90aGVyIHR5 cGVzIG9mIGV4cHJlc3Npb25zIHRvIGZvcm0gY29tcGxleCBvciByZWxhdGlvbmFsIChtYXRj aCkgZXhwcmVzc2lvbnNcJi4gVGhleSBhcmUgYWxzbyB1c2VkIGFzIGFyZ3VtZW50cyB0byBj ZXJ0YWluIHR5cGVzIG9mIG9wZXJhdGlvbnMsIGxpa2UgTkFULCBwYWNrZXQgbWFya2luZyBl dGNcJi4KLnNwCkVhY2ggZXhwcmVzc2lvbiBoYXMgYSBkYXRhIHR5cGUsIHdoaWNoIGRldGVy bWluZXMgdGhlIHNpemUsIHBhcnNpbmcgYW5kIHJlcHJlc2VudGF0aW9uIG9mIHN5bWJvbGlj IHZhbHVlcyBhbmQgdHlwZSBjb21wYXRpYmlsaXR5IHdpdGggb3RoZXIgZXhwcmVzc2lvbnNc Ji4KLlNTICJERVNDUklCRSBDT01NQU5EIgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYK XGZCZGVzY3JpYmVcZlIgXGZJZXhwcmVzc2lvblxmUiB8IFxmSWRhdGEgdHlwZVxmUgouZmkK LmlmIG4gXHtcCi5SRQouXH0KLnNwClRoZSBcZkJkZXNjcmliZVxmUiBjb21tYW5kIHNob3dz IGluZm9ybWF0aW9uIGFib3V0IHRoZSB0eXBlIG9mIGFuIGV4cHJlc3Npb24gYW5kIGl0cyBk YXRhIHR5cGVcJi4gQSBkYXRhIHR5cGUgbWF5IGFsc28gYmUgZ2l2ZW4sIGluIHdoaWNoIG5m dCB3aWxsIGRpc3BsYXkgbW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGUgdHlwZVwmLgouUFAK XGZCVGhlIGRlc2NyaWJlIGNvbW1hbmRcZlIuIAouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQou bmYKJCBuZnQgZGVzY3JpYmUgdGNwIGZsYWdzCnBheWxvYWQgZXhwcmVzc2lvbiwgZGF0YXR5 cGUgdGNwX2ZsYWcgKFRDUCBmbGFnKSAoYmFzZXR5cGUgYml0bWFzaywgaW50ZWdlciksIDgg Yml0cwoKcHJlZGVmaW5lZCBzeW1ib2xpYyBjb25zdGFudHM6CmZpbiAgICAgICAgICAgICAg ICAgICAgICAgICAgIDB4MDEKc3luICAgICAgICAgICAgICAgICAgICAgICAgICAgMHgwMgpy c3QgICAgICAgICAgICAgICAgICAgICAgICAgICAweDA0CnBzaCAgICAgICAgICAgICAgICAg ICAgICAgICAgIDB4MDgKYWNrICAgICAgICAgICAgICAgICAgICAgICAgICAgMHgxMAp1cmcg ICAgICAgICAgICAgICAgICAgICAgICAgICAweDIwCmVjbiAgICAgICAgICAgICAgICAgICAg ICAgICAgIDB4NDAKY3dyICAgICAgICAgICAgICAgICAgICAgICAgICAgMHg4MAouZmkKLmlm IG4gXHtcCi5SRQouXH0KLnNwCi5TSCAiREFUQSBUWVBFUyIKLnNwCkRhdGEgdHlwZXMgZGV0 ZXJtaW5lIHRoZSBzaXplLCBwYXJzaW5nIGFuZCByZXByZXNlbnRhdGlvbiBvZiBzeW1ib2xp YyB2YWx1ZXMgYW5kIHR5cGUgY29tcGF0aWJpbGl0eSBvZiBleHByZXNzaW9uc1wmLiBBIG51 bWJlciBvZiBnbG9iYWwgZGF0YSB0eXBlcyBleGlzdCwgaW4gYWRkaXRpb24gc29tZSBleHBy ZXNzaW9uIHR5cGVzIGRlZmluZSBmdXJ0aGVyIGRhdGEgdHlwZXMgc3BlY2lmaWMgdG8gdGhl 
IGV4cHJlc3Npb24gdHlwZVwmLiBNb3N0IGRhdGEgdHlwZXMgaGF2ZSBhIGZpeGVkIHNpemUs IHNvbWUgaG93ZXZlciBtYXkgaGF2ZSBhIGR5bmFtaWMgc2l6ZSwgZlwmLmlcJi4gdGhlIHN0 cmluZyB0eXBlXCYuIFNvbWUgdHlwZXMgYWxzbyBoYXZlIHByZWRlZmluZWQgc3ltYm9saWMg Y29uc3RhbnRzXCYuIFRob3NlIGNhbiBiZSBsaXN0ZWQgdXNpbmcgdGhlIG5mdCBcZkJkZXNj cmliZVxmUiBjb21tYW5kOgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKJCBuZnQgZGVz Y3JpYmUgY3Rfc3RhdGUKZGF0YXR5cGUgY3Rfc3RhdGUgKGNvbm50cmFjayBzdGF0ZSkgKGJh c2V0eXBlIGJpdG1hc2ssIGludGVnZXIpLCAzMiBiaXRzCgpwcmVcLWRlZmluZWQgc3ltYm9s aWMgY29uc3RhbnRzIChpbiBoZXhhZGVjaW1hbCk6CmludmFsaWQgICAgICAgICAgICAgICAg ICAgICAgICAgMHgwMDAwMDAwMQpuZXcgXCYuXCYuXCYuCi5maQouaWYgbiBce1wKLlJFCi5c fQouc3AKVHlwZXMgbWF5IGJlIGRlcml2ZWQgZnJvbSBsb3dlciBvcmRlciB0eXBlcywgZlwm LmlcJi4gdGhlIElQdjQgYWRkcmVzcyB0eXBlIGlzIGRlcml2ZWQgZnJvbSB0aGUgaW50ZWdl ciB0eXBlLCBtZWFuaW5nIGFuIElQdjQgYWRkcmVzcyBjYW4gYWxzbyBiZSBzcGVjaWZpZWQg YXMgYW4gaW50ZWdlciB2YWx1ZVwmLgouc3AKSW4gY2VydGFpbiBjb250ZXh0cyAoc2V0IGFu ZCBtYXAgZGVmaW5pdGlvbnMpLCBpdCBpcyBuZWNlc3NhcnkgdG8gZXhwbGljaXRseSBzcGVj aWZ5IGEgZGF0YSB0eXBlXCYuIEVhY2ggdHlwZSBoYXMgYSBuYW1lIHdoaWNoIGlzIHVzZWQg Zm9yIHRoaXNcJi4KLlNTICJJTlRFR0VSIFRZUEUiCi5UUwphbGxib3ggdGFiKDopOwpsdEIg bHRCIGx0QiBsdEIuClR7Ck5hbWUKVH06VHsKS2V5d29yZApUfTpUewpTaXplClR9OlR7CkJh c2UgdHlwZQpUfQouVCYKbHQgbHQgbHQgbHQuClR7Ci5zcApJbnRlZ2VyClR9OlR7Ci5zcApp bnRlZ2VyClR9OlR7Ci5zcAp2YXJpYWJsZQpUfTpUewouc3AKXC0KVH0KLlRFCi5zcCAxCi5z cApUaGUgaW50ZWdlciB0eXBlIGlzIHVzZWQgZm9yIG51bWVyaWMgdmFsdWVzXCYuIEl0IG1h eSBiZSBzcGVjaWZpZWQgYXMgYSBkZWNpbWFsLCBoZXhhZGVjaW1hbCBvciBvY3RhbCBudW1i ZXJcJi4gVGhlIGludGVnZXIgdHlwZSBkb2VzIG5vdCBoYXZlIGEgZml4ZWQgc2l6ZSwgaXRz IHNpemUgaXMgZGV0ZXJtaW5lZCBieSB0aGUgZXhwcmVzc2lvbiBmb3Igd2hpY2ggaXQgaXMg dXNlZFwmLgouU1MgIkJJVE1BU0sgVFlQRSIKLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBsdEIg bHRCIGx0Qi4KVHsKTmFtZQpUfTpUewpLZXl3b3JkClR9OlR7ClNpemUKVH06VHsKQmFzZSB0 eXBlClR9Ci5UJgpsdCBsdCBsdCBsdC4KVHsKLnNwCkJpdG1hc2sKVH06VHsKLnNwCmJpdG1h c2sKVH06VHsKLnNwCnZhcmlhYmxlClR9OlR7Ci5zcAppbnRlZ2VyClR9Ci5URQouc3AgMQou 
YWRkIHJ1bGUgbmF0IHByZXJvdXRpbmcgZG5hdCB0byBudW1nZW4gaW5jIG1vZCAyIG1hcCBc ZQogICAgICAgIHsgMCA6IDE5MlwmLjE2OFwmLjEwXCYuMTAwLCAxIDogMTkyXCYuMTY4XCYu MjBcJi4yMDAgfQoKIyBwcm9iYWJpbGl0eVwtYmFzZWQgd2l0aCBvZGQgYmlhcyB1c2luZyBp bnRlcnZhbHM6CmFkZCBydWxlIG5hdCBwcmVyb3V0aW5nIGRuYXQgdG8gbnVtZ2VuIHJhbmRv bSBtb2QgMTAgbWFwIFxlCiAgICAgICAgeyAwXC0yIDogMTkyXCYuMTY4XCYuMTBcJi4xMDAs IDNcLTkgOiAxOTJcJi4xNjhcJi4yMFwmLjIwMCB9Ci5maQouaWYgbiBce1wKLlJFCi5cfQou c3AKLlNTICJIQVNIIEVYUFJFU1NJT05TIgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYK XGZCamhhc2hcZlIge1xmQmlwIHNhZGRyXGZSIHwgXGZCaXA2IGRhZGRyXGZSIHwgXGZCdGNw IGRwb3J0XGZSIHwgXGZCdWRwIHNwb3J0XGZSIHwgXGZCZXRoZXIgc2FkZHJcZlJ9IFtcZkJc Ji5cZlIgXCYuLi5dIFxmQm1vZFxmUiBcZklOVU1cZlIgWyBcZkJzZWVkXGZSIFxmSU5VTVxm UiBdIFsgXGZCb2Zmc2V0XGZSIFxmSU5VTVxmUiBdClxmQnN5bWhhc2hcZlIgXGZCbW9kXGZS IFxmSU5VTVxmUiBbIFxmQm9mZnNldFxmUiBcZklOVU1cZlIgXQouZmkKLmlmIG4gXHtcCi5S RQouXH0KLnNwClVzZSBhIGhhc2hpbmcgZnVuY3Rpb24gdG8gZ2VuZXJhdGUgYSBudW1iZXJc Ji4gVGhlIGZ1bmN0aW9ucyBhdmFpbGFibGUgYXJlIFxmQmpoYXNoXGZSLCBrbm93biBhcyBK ZW5raW5zIEhhc2gsIGFuZCBcZkJzeW1oYXNoXGZSLCBmb3IgU3ltbWV0cmljIEhhc2hcJi4g VGhlIFxmQmpoYXNoXGZSIHJlcXVpcmVzIGFuIGV4cHJlc3Npb24gdG8gZGV0ZXJtaW5lIHRo ZSBwYXJhbWV0ZXJzIG9mIHRoZSBwYWNrZXQgaGVhZGVyIHRvIGFwcGx5IHRoZSBoYXNoaW5n LCBjb25jYXRlbmF0aW9ucyBhcmUgcG9zc2libGUgYXMgd2VsbFwmLiBUaGUgdmFsdWUgYWZ0 ZXIgXGZCbW9kXGZSIGtleXdvcmQgc3BlY2lmaWVzIGFuIHVwcGVyIGJvdW5kYXJ5IChyZWFk OiBtb2R1bHVzKSB3aGljaCBpcyBub3QgcmVhY2hlZCBieSByZXR1cm5lZCBudW1iZXJzXCYu IFRoZSBvcHRpb25hbCBcZkJzZWVkXGZSIGlzIHVzZWQgdG8gc3BlY2lmeSBhbiBpbml0IHZh bHVlIHVzZWQgYXMgc2VlZCBpbiB0aGUgaGFzaGluZyBmdW5jdGlvblwmLiBUaGUgb3B0aW9u YWwgXGZCb2Zmc2V0XGZSIGFsbG93cyB0byBpbmNyZW1lbnQgdGhlIHJldHVybmVkIHZhbHVl IGJ5IGEgZml4ZWQgb2Zmc2V0XCYuCi5zcApBIHR5cGljYWwgdXNlXC1jYXNlIGZvciBcZkJq aGFzaFxmUiBhbmQgXGZCc3ltaGFzaFxmUiBpcyBsb2FkXC1iYWxhbmNpbmc6Ci5QUApcZkJV c2luZyBoYXNoIGV4cHJlc3Npb25zXGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5m CiMgbG9hZCBiYWxhbmNlIGJhc2VkIG9uIHNvdXJjZSBpcCBiZXR3ZWVuIDIgaXAgYWRkcmVz 
c2VzOgphZGQgcnVsZSBuYXQgcHJlcm91dGluZyBkbmF0IHRvIGpoYXNoIGlwIHNhZGRyIG1v ZCAyIG1hcCBcZQogICAgICAgIHsgMCA6IDE5MlwmLjE2OFwmLjEwXCYuMTAwLCAxIDogMTky XCYuMTY4XCYuMjBcJi4yMDAgfQoKIyBzeW1tZXRyaWMgbG9hZCBiYWxhbmNpbmcgYmV0d2Vl biAyIGlwIGFkZHJlc3NlczoKYWRkIHJ1bGUgbmF0IHByZXJvdXRpbmcgZG5hdCB0byBzeW1o YXNoIG1vZCAyIG1hcCBcZQogICAgICAgIHsgMCA6IDE5MlwmLjE2OFwmLjEwXCYuMTAwLCAx IDogMTkyXCYuMTY4XCYuMjBcJi4yMDAgfQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5T SCAiUEFZTE9BRCBFWFBSRVNTSU9OUyIKLnNwClBheWxvYWQgZXhwcmVzc2lvbnMgcmVmZXIg dG8gZGF0YSBmcm9tIHRoZSBwYWNrZXRcKGNxcyBwYXlsb2FkXCYuCi5TUyAiRVRIRVJORVQg SEVBREVSIEVYUFJFU1NJT04iCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpcZkJldGhl clxmUiB7XGZCZGFkZHJcZlIgfCBcZkJzYWRkclxmUiB8IFxmQnR5cGVcZlJ9Ci5maQouaWYg biBce1wKLlJFCi5cfQouc3AKLml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAx Ci5uciBhbi1icmVhay1mbGFnIDEKLmJyCi5CIFRhYmxlXCBcJjM3LlwgXCZFdGhlcm5ldCBo ZWFkZXIgZXhwcmVzc2lvbiB0eXBlcwouVFMKYWxsYm94IHRhYig6KTsKbHRCIGx0QiBsdEIu ClR7CktleXdvcmQKVH06VHsKRGVzY3JpcHRpb24KVH06VHsKVHlwZQpUfQouVCYKbHQgbHQg bHQKbHQgbHQgbHQKbHQgbHQgbHQuClR7Ci5zcApkYWRkcgpUfTpUewouc3AKRGVzdGluYXRp b24gTUFDIGFkZHJlc3MKVH06VHsKLnNwCmV0aGVyX2FkZHIKVH0KVHsKLnNwCnNhZGRyClR9 OlR7Ci5zcApTb3VyY2UgTUFDIGFkZHJlc3MKVH06VHsKLnNwCmV0aGVyX2FkZHIKVH0KVHsK LnNwCnR5cGUKVH06VHsKLnNwCkV0aGVyVHlwZQpUfTpUewouc3AKZXRoZXJfdHlwZQpUfQou VEUKLnNwIDEKLlNTICJWTEFOIEhFQURFUiBFWFBSRVNTSU9OIgouc3AKLmlmIG4gXHtcCi5S UyA0Ci5cfQoubmYKXGZCdmxhblxmUiB7XGZCaWRcZlIgfCBcZkJjZmlcZlIgfCBcZkJwY3Bc ZlIgfCBcZkJ0eXBlXGZSfQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5pdCAxIGFuLXRy YXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBU YWJsZVwgXCYzOC5cIFwmVkxBTiBoZWFkZXIgZXhwcmVzc2lvbgouVFMKYWxsYm94IHRhYig6 KTsKbHRCIGx0QiBsdEIuClR7CktleXdvcmQKVH06VHsKRGVzY3JpcHRpb24KVH06VHsKVHlw ZQpUfQouVCYKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQuClR7Ci5zcApp ZApUfTpUewouc3AKVkxBTiBJRCAoVklEKQpUfTpUewouc3AKaW50ZWdlciAoMTIgYml0KQpU fQpUewouc3AKY2ZpClR9OlR7Ci5zcApDYW5vbmljYWwgRm9ybWF0IEluZGljYXRvcgpUfTpU 
ewouc3AKaW50ZWdlciAoMSBiaXQpClR9ClR7Ci5zcApwY3AKVH06VHsKLnNwClByaW9yaXR5 IGNvZGUgcG9pbnQKVH06VHsKLnNwCmludGVnZXIgKDMgYml0KQpUfQpUewouc3AKdHlwZQpU fTpUewouc3AKRXRoZXJUeXBlClR9OlR7Ci5zcApldGhlcl90eXBlClR9Ci5URQouc3AgMQou U1MgIkFSUCBIRUFERVIgRVhQUkVTU0lPTiIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5m ClxmQmFycFxmUiB7XGZCaHR5cGVcZlIgfCBcZkJwdHlwZVxmUiB8IFxmQmhsZW5cZlIgfCBc ZkJwbGVuXGZSIHwgXGZCb3BlcmF0aW9uXGZSIHwgXGZCc2FkZHJcZlIgeyBcZkJpcFxmUiB8 IFxmQmV0aGVyXGZSIH0gfCBcZkJkYWRkclxmUiB7IFxmQmlwXGZSIHwgXGZCZXRoZXJcZlIg fQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNw YWNlLWZsYWcgMQoubnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCYzOS5cIFwm QVJQIGhlYWRlciBleHByZXNzaW9uCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4K VHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBs dApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBs dApsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCmh0eXBlClR9OlR7Ci5zcApBUlAgaGFyZHdh cmUgdHlwZQpUfTpUewouc3AKaW50ZWdlciAoMTYgYml0KQpUfQpUewouc3AKcHR5cGUKVH06 VHsKLnNwCkV0aGVyVHlwZQpUfTpUewouc3AKZXRoZXJfdHlwZQpUfQpUewouc3AKaGxlbgpU fTpUewouc3AKSGFyZHdhcmUgYWRkcmVzcyBsZW4KVH06VHsKLnNwCmludGVnZXIgKDggYml0 KQpUfQpUewouc3AKcGxlbgpUfTpUewouc3AKUHJvdG9jb2wgYWRkcmVzcyBsZW4KVH06VHsK LnNwCmludGVnZXIgKDggYml0KQpUfQpUewouc3AKb3BlcmF0aW9uClR9OlR7Ci5zcApPcGVy YXRpb24KVH06VHsKLnNwCmFycF9vcApUfQpUewouc3AKc2FkZHIgZXRoZXIKVH06VHsKLnNw CkV0aGVybmV0IHNlbmRlciBhZGRyZXNzClR9OlR7Ci5zcApldGhlcl9hZGRyClR9ClR7Ci5z cApkYWRkciBldGhlcgpUfTpUewouc3AKRXRoZXJuZXQgdGFyZ2V0IGFkZHJlc3MKVH06VHsK LnNwCmV0aGVyX2FkZHIKVH0KVHsKLnNwCnNhZGRyIGlwClR9OlR7Ci5zcApJUHY0IHNlbmRl ciBhZGRyZXNzClR9OlR7Ci5zcAppcHY0X2FkZHIKVH0KVHsKLnNwCmRhZGRyIGlwClR9OlR7 Ci5zcApJUHY0IHRhcmdldCBhZGRyZXNzClR9OlR7Ci5zcAppcHY0X2FkZHIKVH0KLlRFCi5z cCAxCi5TUyAiSVBWNCBIRUFERVIgRVhQUkVTU0lPTiIKLnNwCi5pZiBuIFx7XAouUlMgNAou XH0KLm5mClxmQmlwXGZSIHtcZkJ2ZXJzaW9uXGZSIHwgXGZCaGRybGVuZ3RoXGZSIHwgXGZC ZHNjcFxmUiB8IFxmQmVjblxmUiB8IFxmQmxlbmd0aFxmUiB8IFxmQmlkXGZSIHwgXGZCZnJh 
Z1wtb2ZmXGZSIHwgXGZCdHRsXGZSIHwgXGZCcHJvdG9jb2xcZlIgfCBcZkJjaGVja3N1bVxm UiB8IFxmQnNhZGRyXGZSIHwgXGZCZGFkZHJcZlIgfQouZmkKLmlmIG4gXHtcCi5SRQouXH0K LnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWst ZmxhZyAxCi5icgouQiBUYWJsZVwgXCY0MC5cIFwmSVB2NCBoZWFkZXIgZXhwcmVzc2lvbgou VFMKYWxsYm94IHRhYig6KTsKbHRCIGx0QiBsdEIuClR7CktleXdvcmQKVH06VHsKRGVzY3Jp cHRpb24KVH06VHsKVHlwZQpUfQouVCYKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQg bHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQg bHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQuClR7Ci5zcAp2ZXJzaW9uClR9OlR7Ci5zcApJUCBo ZWFkZXIgdmVyc2lvbiAoNCkKVH06VHsKLnNwCmludGVnZXIgKDQgYml0KQpUfQpUewouc3AK aGRybGVuZ3RoClR9OlR7Ci5zcApJUCBoZWFkZXIgbGVuZ3RoIGluY2x1ZGluZyBvcHRpb25z ClR9OlR7Ci5zcAppbnRlZ2VyICg0IGJpdCkgRklYTUUgc2NhbGluZwpUfQpUewouc3AKZHNj cApUfTpUewouc3AKRGlmZmVyZW50aWF0ZWQgU2VydmljZXMgQ29kZSBQb2ludApUfTpUewou c3AKZHNjcApUfQpUewouc3AKZWNuClR9OlR7Ci5zcApFeHBsaWNpdCBDb25nZXN0aW9uIE5v dGlmaWNhdGlvbgpUfTpUewouc3AKZWNuClR9ClR7Ci5zcApsZW5ndGgKVH06VHsKLnNwClRv dGFsIHBhY2tldCBsZW5ndGgKVH06VHsKLnNwCmludGVnZXIgKDE2IGJpdCkKVH0KVHsKLnNw CmlkClR9OlR7Ci5zcApJUCBJRApUfTpUewouc3AKaW50ZWdlciAoMTYgYml0KQpUfQpUewou c3AKZnJhZ1wtb2ZmClR9OlR7Ci5zcApGcmFnbWVudCBvZmZzZXQKVH06VHsKLnNwCmludGVn ZXIgKDE2IGJpdCkKVH0KVHsKLnNwCnR0bApUfTpUewouc3AKVGltZSB0byBsaXZlClR9OlR7 Ci5zcAppbnRlZ2VyICg4IGJpdCkKVH0KVHsKLnNwCnByb3RvY29sClR9OlR7Ci5zcApVcHBl ciBsYXllciBwcm90b2NvbApUfTpUewouc3AKaW5ldF9wcm90bwpUfQpUewouc3AKY2hlY2tz dW0KVH06VHsKLnNwCklQIGhlYWRlciBjaGVja3N1bQpUfTpUewouc3AKaW50ZWdlciAoMTYg Yml0KQpUfQpUewouc3AKc2FkZHIKVH06VHsKLnNwClNvdXJjZSBhZGRyZXNzClR9OlR7Ci5z cAppcHY0X2FkZHIKVH0KVHsKLnNwCmRhZGRyClR9OlR7Ci5zcApEZXN0aW5hdGlvbiBhZGRy ZXNzClR9OlR7Ci5zcAppcHY0X2FkZHIKVH0KLlRFCi5zcCAxCi5TUyAiSUNNUCBIRUFERVIg RVhQUkVTU0lPTiIKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mClxmQmljbXBcZlIge1xm QnR5cGVcZlIgfCBcZkJjb2RlXGZSIHwgXGZCY2hlY2tzdW1cZlIgfCBcZkJpZFxmUiB8IFxm QnNlcXVlbmNlXGZSIHwgXGZCZ2F0ZXdheVxmUiB8IFxmQm10dVxmUn0KLmZpCi5pZiBuIFx7 
XAouUkUKLlx9Ci5zcApUaGlzIGV4cHJlc3Npb24gcmVmZXJzIHRvIElDTVAgaGVhZGVyIGZp ZWxkc1wmLiBXaGVuIHVzaW5nIGl0IGluIFxmQmluZXRcZlIsIFxmQmJyaWRnZVxmUiBvciBc ZkJuZXRkZXZcZlIgZmFtaWxpZXMsIGl0IHdpbGwgY2F1c2UgYW4gaW1wbGljaXQgZGVwZW5k ZW5jeSBvbiBJUHY0IHRvIGJlIGNyZWF0ZWRcJi4gVG8gbWF0Y2ggb24gdW51c3VhbCBjYXNl cyBsaWtlIElDTVAgb3ZlciBJUHY2LCBvbmUgaGFzIHRvIGFkZCBhbiBleHBsaWNpdCBcZkJt ZXRhIHByb3RvY29sIGlwNlxmUiBtYXRjaCB0byB0aGUgcnVsZVwmLgouc3AKLml0IDEgYW4t dHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFnIDEKLmJyCi5C IFRhYmxlXCBcJjQxLlwgXCZJQ01QIGhlYWRlciBleHByZXNzaW9uCi5UUwphbGxib3ggdGFi KDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpU eXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBs dApsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnR5cGUKVH06VHsKLnNwCklDTVAgdHlwZSBm aWVsZApUfTpUewouc3AKaWNtcF90eXBlClR9ClR7Ci5zcApjb2RlClR9OlR7Ci5zcApJQ01Q IGNvZGUgZmllbGQKVH06VHsKLnNwCmludGVnZXIgKDggYml0KQpUfQpUewouc3AKY2hlY2tz dW0KVH06VHsKLnNwCklDTVAgY2hlY2tzdW0gZmllbGQKVH06VHsKLnNwCmludGVnZXIgKDE2 IGJpdCkKVH0KVHsKLnNwCmlkClR9OlR7Ci5zcApJRCBvZiBlY2hvIHJlcXVlc3QvcmVzcG9u c2UKVH06VHsKLnNwCmludGVnZXIgKDE2IGJpdCkKVH0KVHsKLnNwCnNlcXVlbmNlClR9OlR7 Ci5zcApzZXF1ZW5jZSBudW1iZXIgb2YgZWNobyByZXF1ZXN0L3Jlc3BvbnNlClR9OlR7Ci5z cAppbnRlZ2VyICgxNiBiaXQpClR9ClR7Ci5zcApnYXRld2F5ClR9OlR7Ci5zcApnYXRld2F5 IG9mIHJlZGlyZWN0cwpUfTpUewouc3AKaW50ZWdlciAoMzIgYml0KQpUfQpUewouc3AKbXR1 ClR9OlR7Ci5zcApNVFUgb2YgcGF0aCBNVFUgZGlzY292ZXJ5ClR9OlR7Ci5zcAppbnRlZ2Vy ICgxNiBiaXQpClR9Ci5URQouc3AgMQouU1MgIklHTVAgSEVBREVSIEVYUFJFU1NJT04iCi5z cAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpcZkJpZ21wXGZSIHtcZkJ0eXBlXGZSIHwgXGZC bXJ0XGZSIHwgXGZCY2hlY2tzdW1cZlIgfCBcZkJncm91cFxmUn0KLmZpCi5pZiBuIFx7XAou UkUKLlx9Ci5zcApUaGlzIGV4cHJlc3Npb24gcmVmZXJzIHRvIElHTVAgaGVhZGVyIGZpZWxk c1wmLiBXaGVuIHVzaW5nIGl0IGluIFxmQmluZXRcZlIsIFxmQmJyaWRnZVxmUiBvciBcZkJu ZXRkZXZcZlIgZmFtaWxpZXMsIGl0IHdpbGwgY2F1c2UgYW4gaW1wbGljaXQgZGVwZW5kZW5j eSBvbiBJUHY0IHRvIGJlIGNyZWF0ZWRcJi4gVG8gbWF0Y2ggb24gdW51c3VhbCBjYXNlcyBs 
aWtlIElHTVAgb3ZlciBJUHY2LCBvbmUgaGFzIHRvIGFkZCBhbiBleHBsaWNpdCBcZkJtZXRh IHByb3RvY29sIGlwNlxmUiBtYXRjaCB0byB0aGUgcnVsZVwmLgouc3AKLml0IDEgYW4tdHJh cAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFnIDEKLmJyCi5CIFRh YmxlXCBcJjQyLlwgXCZJR01QIGhlYWRlciBleHByZXNzaW9uCi5UUwphbGxib3ggdGFiKDop OwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBl ClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnR5 cGUKVH06VHsKLnNwCklHTVAgdHlwZSBmaWVsZApUfTpUewouc3AKaWdtcF90eXBlClR9ClR7 Ci5zcAptcnQKVH06VHsKLnNwCklHTVAgbWF4aW11bSByZXNwb25zZSB0aW1lIGZpZWxkClR9 OlR7Ci5zcAppbnRlZ2VyICg4IGJpdCkKVH0KVHsKLnNwCmNoZWNrc3VtClR9OlR7Ci5zcApJ R01QIGNoZWNrc3VtIGZpZWxkClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBiaXQpClR9ClR7Ci5z cApncm91cApUfTpUewouc3AKR3JvdXAgYWRkcmVzcwpUfTpUewouc3AKaW50ZWdlciAoMzIg Yml0KQpUfQouVEUKLnNwIDEKLlNTICJJUFY2IEhFQURFUiBFWFBSRVNTSU9OIgouc3AKLmlm IG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCaXA2XGZSIHtcZkJ2ZXJzaW9uXGZSIHwgXGZCZHNj cFxmUiB8IFxmQmVjblxmUiB8IFxmQmZsb3dsYWJlbFxmUiB8IFxmQmxlbmd0aFxmUiB8IFxm Qm5leHRoZHJcZlIgfCBcZkJob3BsaW1pdFxmUiB8IFxmQnNhZGRyXGZSIHwgXGZCZGFkZHJc ZlJ9Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKVGhpcyBleHByZXNzaW9uIHJlZmVycyB0 byB0aGUgaXB2NiBoZWFkZXIgZmllbGRzXCYuIENhdXRpb24gd2hlbiB1c2luZyBcZkJpcDYg bmV4dGhkclxmUiwgdGhlIHZhbHVlIG9ubHkgcmVmZXJzIHRvIHRoZSBuZXh0IGhlYWRlciwg aVwmLmVcJi4gXGZCaXA2IG5leHRoZHIgdGNwXGZSIHdpbGwgb25seSBtYXRjaCBpZiB0aGUg aXB2NiBwYWNrZXQgZG9lcyBub3QgY29udGFpbiBhbnkgZXh0ZW5zaW9uIGhlYWRlcnNcJi4g UGFja2V0cyB0aGF0IGFyZSBmcmFnbWVudGVkIG9yIGVcJi5nXCYuIGNvbnRhaW4gYSByb3V0 aW5nIGV4dGVuc2lvbiBoZWFkZXJzIHdpbGwgbm90IGJlIG1hdGNoZWRcJi4gUGxlYXNlIHVz ZSBcZkJtZXRhIGw0cHJvdG9cZlIgaWYgeW91IHdpc2ggdG8gbWF0Y2ggdGhlIHJlYWwgdHJh bnNwb3J0IGhlYWRlciBhbmQgaWdub3JlIGFueSBhZGRpdGlvbmFsIGV4dGVuc2lvbiBoZWFk ZXJzIGluc3RlYWRcJi4KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcg MQoubnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCY0My5cIFwmSVB2NiBoZWFk ZXIgZXhwcmVzc2lvbgouVFMKYWxsYm94IHRhYig6KTsKbHRCIGx0QiBsdEIuClR7CktleXdv 
cmQKVH06VHsKRGVzY3JpcHRpb24KVH06VHsKVHlwZQpUfQouVCYKbHQgbHQgbHQKbHQgbHQg bHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQg bHQKbHQgbHQgbHQuClR7Ci5zcAp2ZXJzaW9uClR9OlR7Ci5zcApJUCBoZWFkZXIgdmVyc2lv biAoNikKVH06VHsKLnNwCmludGVnZXIgKDQgYml0KQpUfQpUewouc3AKZHNjcApUfTpUewou c3AKRGlmZmVyZW50aWF0ZWQgU2VydmljZXMgQ29kZSBQb2ludApUfTpUewouc3AKZHNjcApU fQpUewouc3AKZWNuClR9OlR7Ci5zcApFeHBsaWNpdCBDb25nZXN0aW9uIE5vdGlmaWNhdGlv bgpUfTpUewouc3AKZWNuClR9ClR7Ci5zcApmbG93bGFiZWwKVH06VHsKLnNwCkZsb3cgbGFi ZWwKVH06VHsKLnNwCmludGVnZXIgKDIwIGJpdCkKVH0KVHsKLnNwCmxlbmd0aApUfTpUewou c3AKUGF5bG9hZCBsZW5ndGgKVH06VHsKLnNwCmludGVnZXIgKDE2IGJpdCkKVH0KVHsKLnNw Cm5leHRoZHIKVH06VHsKLnNwCk5leHRoZHIgcHJvdG9jb2wKVH06VHsKLnNwCmluZXRfcHJv dG8KVH0KVHsKLnNwCmhvcGxpbWl0ClR9OlR7Ci5zcApIb3AgbGltaXQKVH06VHsKLnNwCmlu dGVnZXIgKDggYml0KQpUfQpUewouc3AKc2FkZHIKVH06VHsKLnNwClNvdXJjZSBhZGRyZXNz ClR9OlR7Ci5zcAppcHY2X2FkZHIKVH0KVHsKLnNwCmRhZGRyClR9OlR7Ci5zcApEZXN0aW5h dGlvbiBhZGRyZXNzClR9OlR7Ci5zcAppcHY2X2FkZHIKVH0KLlRFCi5zcCAxCi5QUApcZkJV c2luZyBpcDYgaGVhZGVyIGV4cHJlc3Npb25zXGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAou XH0KLm5mCiMgbWF0Y2hpbmcgaWYgZmlyc3QgZXh0ZW5zaW9uIGhlYWRlciBpbmRpY2F0ZXMg YSBmcmFnbWVudAppcDYgbmV4dGhkciBpcHY2XC1mcmFnCi5maQouaWYgbiBce1wKLlJFCi5c fQouc3AKLlNTICJJQ01QVjYgSEVBREVSIEVYUFJFU1NJT04iCi5zcAouaWYgbiBce1wKLlJT IDQKLlx9Ci5uZgpcZkJpY21wdjZcZlIge1xmQnR5cGVcZlIgfCBcZkJjb2RlXGZSIHwgXGZC Y2hlY2tzdW1cZlIgfCBcZkJwYXJhbWV0ZXJcLXByb2JsZW1cZlIgfCBcZkJwYWNrZXRcLXRv b1wtYmlnXGZSIHwgXGZCaWRcZlIgfCBcZkJzZXF1ZW5jZVxmUiB8IFxmQm1heFwtZGVsYXlc ZlJ9Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKVGhpcyBleHByZXNzaW9uIHJlZmVycyB0 byBJQ01QdjYgaGVhZGVyIGZpZWxkc1wmLiBXaGVuIHVzaW5nIGl0IGluIFxmQmluZXRcZlIs IFxmQmJyaWRnZVxmUiBvciBcZkJuZXRkZXZcZlIgZmFtaWxpZXMsIGl0IHdpbGwgY2F1c2Ug YW4gaW1wbGljaXQgZGVwZW5kZW5jeSBvbiBJUHY2IHRvIGJlIGNyZWF0ZWRcJi4gVG8gbWF0 Y2ggb24gdW51c3VhbCBjYXNlcyBsaWtlIElDTVB2NiBvdmVyIElQdjQsIG9uZSBoYXMgdG8g YWRkIGFuIGV4cGxpY2l0IFxmQm1ldGEgcHJvdG9jb2wgaXBcZlIgbWF0Y2ggdG8gdGhlIHJ1 
bGVcJi4KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4t YnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCY0NC5cIFwmSUNNUHY2IGhlYWRlciBleHBy ZXNzaW9uCi5UUwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpU ewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBs dCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsK LnNwCnR5cGUKVH06VHsKLnNwCklDTVB2NiB0eXBlIGZpZWxkClR9OlR7Ci5zcAppY21wdjZf dHlwZQpUfQpUewouc3AKY29kZQpUfTpUewouc3AKSUNNUHY2IGNvZGUgZmllbGQKVH06VHsK LnNwCmludGVnZXIgKDggYml0KQpUfQpUewouc3AKY2hlY2tzdW0KVH06VHsKLnNwCklDTVB2 NiBjaGVja3N1bSBmaWVsZApUfTpUewouc3AKaW50ZWdlciAoMTYgYml0KQpUfQpUewouc3AK cGFyYW1ldGVyXC1wcm9ibGVtClR9OlR7Ci5zcApwb2ludGVyIHRvIHByb2JsZW0KVH06VHsK LnNwCmludGVnZXIgKDMyIGJpdCkKVH0KVHsKLnNwCnBhY2tldFwtdG9vXC1iaWcKVH06VHsK LnNwCm92ZXJzaXplZCBNVFUKVH06VHsKLnNwCmludGVnZXIgKDMyIGJpdCkKVH0KVHsKLnNw CmlkClR9OlR7Ci5zcApJRCBvZiBlY2hvIHJlcXVlc3QvcmVzcG9uc2UKVH06VHsKLnNwCmlu dGVnZXIgKDE2IGJpdCkKVH0KVHsKLnNwCnNlcXVlbmNlClR9OlR7Ci5zcApzZXF1ZW5jZSBu dW1iZXIgb2YgZWNobyByZXF1ZXN0L3Jlc3BvbnNlClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBi aXQpClR9ClR7Ci5zcAptYXhcLWRlbGF5ClR9OlR7Ci5zcAptYXhpbXVtIHJlc3BvbnNlIGRl bGF5IG9mIE1MRCBxdWVyaWVzClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBiaXQpClR9Ci5URQou c3AgMQouU1MgIlRDUCBIRUFERVIgRVhQUkVTU0lPTiIKLnNwCi5pZiBuIFx7XAouUlMgNAou XH0KLm5mClxmQnRjcFxmUiB7XGZCc3BvcnRcZlIgfCBcZkJkcG9ydFxmUiB8IFxmQnNlcXVl bmNlXGZSIHwgXGZCYWNrc2VxXGZSIHwgXGZCZG9mZlxmUiB8IFxmQnJlc2VydmVkXGZSIHwg XGZCZmxhZ3NcZlIgfCBcZkJ3aW5kb3dcZlIgfCBcZkJjaGVja3N1bVxmUiB8IFxmQnVyZ3B0 clxmUn0KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1u by1zcGFjZS1mbGFnIDEKLm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmNDUu XCBcJlRDUCBoZWFkZXIgZXhwcmVzc2lvbgouVFMKYWxsYm94IHRhYig6KTsKbHRCIGx0QiBs dEIuClR7CktleXdvcmQKVH06VHsKRGVzY3JpcHRpb24KVH06VHsKVHlwZQpUfQouVCYKbHQg bHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQg bHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQKbHQgbHQgbHQuClR7Ci5zcApzcG9ydApUfTpUewou 
c3AKU291cmNlIHBvcnQKVH06VHsKLnNwCmluZXRfc2VydmljZQpUfQpUewouc3AKZHBvcnQK VH06VHsKLnNwCkRlc3RpbmF0aW9uIHBvcnQKVH06VHsKLnNwCmluZXRfc2VydmljZQpUfQpU ewouc3AKc2VxdWVuY2UKVH06VHsKLnNwClNlcXVlbmNlIG51bWJlcgpUfTpUewouc3AKaW50 ZWdlciAoMzIgYml0KQpUfQpUewouc3AKYWNrc2VxClR9OlR7Ci5zcApBY2tub3dsZWRnZW1l bnQgbnVtYmVyClR9OlR7Ci5zcAppbnRlZ2VyICgzMiBiaXQpClR9ClR7Ci5zcApkb2ZmClR9 OlR7Ci5zcApEYXRhIG9mZnNldApUfTpUewouc3AKaW50ZWdlciAoNCBiaXQpIEZJWE1FIHNj YWxpbmcKVH0KVHsKLnNwCnJlc2VydmVkClR9OlR7Ci5zcApSZXNlcnZlZCBhcmVhClR9OlR7 Ci5zcAppbnRlZ2VyICg0IGJpdCkKVH0KVHsKLnNwCmZsYWdzClR9OlR7Ci5zcApUQ1AgZmxh Z3MKVH06VHsKLnNwCnRjcF9mbGFnClR9ClR7Ci5zcAp3aW5kb3cKVH06VHsKLnNwCldpbmRv dwpUfTpUewouc3AKaW50ZWdlciAoMTYgYml0KQpUfQpUewouc3AKY2hlY2tzdW0KVH06VHsK LnNwCkNoZWNrc3VtClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBiaXQpClR9ClR7Ci5zcAp1cmdw dHIKVH06VHsKLnNwClVyZ2VudCBwb2ludGVyClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBiaXQp ClR9Ci5URQouc3AgMQouU1MgIlVEUCBIRUFERVIgRVhQUkVTU0lPTiIKLnNwCi5pZiBuIFx7 XAouUlMgNAouXH0KLm5mClxmQnVkcFxmUiB7XGZCc3BvcnRcZlIgfCBcZkJkcG9ydFxmUiB8 IFxmQmxlbmd0aFxmUiB8IFxmQmNoZWNrc3VtXGZSfQouZmkKLmlmIG4gXHtcCi5SRQouXH0K LnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWst ZmxhZyAxCi5icgouQiBUYWJsZVwgXCY0Ni5cIFwmVURQIGhlYWRlciBleHByZXNzaW9uCi5U UwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlw dGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdApsdCBs dCBsdC4KVHsKLnNwCnNwb3J0ClR9OlR7Ci5zcApTb3VyY2UgcG9ydApUfTpUewouc3AKaW5l dF9zZXJ2aWNlClR9ClR7Ci5zcApkcG9ydApUfTpUewouc3AKRGVzdGluYXRpb24gcG9ydApU fTpUewouc3AKaW5ldF9zZXJ2aWNlClR9ClR7Ci5zcApsZW5ndGgKVH06VHsKLnNwClRvdGFs IHBhY2tldCBsZW5ndGgKVH06VHsKLnNwCmludGVnZXIgKDE2IGJpdCkKVH0KVHsKLnNwCmNo ZWNrc3VtClR9OlR7Ci5zcApDaGVja3N1bQpUfTpUewouc3AKaW50ZWdlciAoMTYgYml0KQpU fQouVEUKLnNwIDEKLlNTICJVRFBcLUxJVEUgSEVBREVSIEVYUFJFU1NJT04iCi5zcAouaWYg biBce1wKLlJTIDQKLlx9Ci5uZgpcZkJ1ZHBsaXRlXGZSIHtcZkJzcG9ydFxmUiB8IFxmQmRw b3J0XGZSIHwgXGZCY2hlY2tzdW1cZlJ9Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKLml0 
IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1mbGFnIDEK LmJyCi5CIFRhYmxlXCBcJjQ3LlwgXCZVRFBcLUxpdGUgaGVhZGVyIGV4cHJlc3Npb24KLlRT CmFsbGJveCB0YWIoOik7Cmx0QiBsdEIgbHRCLgpUewpLZXl3b3JkClR9OlR7CkRlc2NyaXB0 aW9uClR9OlR7ClR5cGUKVH0KLlQmCmx0IGx0IGx0Cmx0IGx0IGx0Cmx0IGx0IGx0LgpUewou c3AKc3BvcnQKVH06VHsKLnNwClNvdXJjZSBwb3J0ClR9OlR7Ci5zcAppbmV0X3NlcnZpY2UK VH0KVHsKLnNwCmRwb3J0ClR9OlR7Ci5zcApEZXN0aW5hdGlvbiBwb3J0ClR9OlR7Ci5zcApp bmV0X3NlcnZpY2UKVH0KVHsKLnNwCmNoZWNrc3VtClR9OlR7Ci5zcApDaGVja3N1bQpUfTpU ewouc3AKaW50ZWdlciAoMTYgYml0KQpUfQouVEUKLnNwIDEKLlNTICJTQ1RQIEhFQURFUiBF WFBSRVNTSU9OIgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCc2N0cFxmUiB7XGZC c3BvcnRcZlIgfCBcZkJkcG9ydFxmUiB8IFxmQnZ0YWdcZlIgfCBcZkJjaGVja3N1bVxmUn0K LmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1uby1zcGFj ZS1mbGFnIDEKLm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmNDguXCBcJlND VFAgaGVhZGVyIGV4cHJlc3Npb24KLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBsdEIgbHRCLgpU ewpLZXl3b3JkClR9OlR7CkRlc2NyaXB0aW9uClR9OlR7ClR5cGUKVH0KLlQmCmx0IGx0IGx0 Cmx0IGx0IGx0Cmx0IGx0IGx0Cmx0IGx0IGx0LgpUewouc3AKc3BvcnQKVH06VHsKLnNwClNv dXJjZSBwb3J0ClR9OlR7Ci5zcAppbmV0X3NlcnZpY2UKVH0KVHsKLnNwCmRwb3J0ClR9OlR7 Ci5zcApEZXN0aW5hdGlvbiBwb3J0ClR9OlR7Ci5zcAppbmV0X3NlcnZpY2UKVH0KVHsKLnNw CnZ0YWcKVH06VHsKLnNwClZlcmlmaWNhdGlvbiBUYWcKVH06VHsKLnNwCmludGVnZXIgKDMy IGJpdCkKVH0KVHsKLnNwCmNoZWNrc3VtClR9OlR7Ci5zcApDaGVja3N1bQpUfTpUewouc3AK aW50ZWdlciAoMzIgYml0KQpUfQouVEUKLnNwIDEKLlNTICJEQ0NQIEhFQURFUiBFWFBSRVNT SU9OIgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCZGNjcFxmUiB7XGZCc3BvcnRc ZlIgfCBcZkJkcG9ydFxmUiB8IFxmQnR5cGVcZlJ9Ci5maQouaWYgbiBce1wKLlJFCi5cfQou c3AKLml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1m bGFnIDEKLmJyCi5CIFRhYmxlXCBcJjQ5LlwgXCZEQ0NQIGhlYWRlciBleHByZXNzaW9uCi5U UwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlw dGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsK LnNwCnNwb3J0ClR9OlR7Ci5zcApTb3VyY2UgcG9ydApUfTpUewouc3AKaW5ldF9zZXJ2aWNl 
ClR9ClR7Ci5zcApkcG9ydApUfTpUewouc3AKRGVzdGluYXRpb24gcG9ydApUfTpUewouc3AK aW5ldF9zZXJ2aWNlClR9ClR7Ci5zcAp0eXBlClR9OlR7Ci5zcApQYWNrZXQgdHlwZQpUfTpU ewouc3AKZGNjcF9wa3R0eXBlClR9Ci5URQouc3AgMQouU1MgIkFVVEhFTlRJQ0FUSU9OIEhF QURFUiBFWFBSRVNTSU9OIgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCYWhcZlIg e1xmQm5leHRoZHJcZlIgfCBcZkJoZHJsZW5ndGhcZlIgfCBcZkJyZXNlcnZlZFxmUiB8IFxm QnNwaVxmUiB8IFxmQnNlcXVlbmNlXGZSfQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5p dCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWstZmxhZyAx Ci5icgouQiBUYWJsZVwgXCY1MC5cIFwmQUggaGVhZGVyIGV4cHJlc3Npb24KLlRTCmFsbGJv eCB0YWIoOik7Cmx0QiBsdEIgbHRCLgpUewpLZXl3b3JkClR9OlR7CkRlc2NyaXB0aW9uClR9 OlR7ClR5cGUKVH0KLlQmCmx0IGx0IGx0Cmx0IGx0IGx0Cmx0IGx0IGx0Cmx0IGx0IGx0Cmx0 IGx0IGx0LgpUewouc3AKbmV4dGhkcgpUfTpUewouc3AKTmV4dCBoZWFkZXIgcHJvdG9jb2wK VH06VHsKLnNwCmluZXRfcHJvdG8KVH0KVHsKLnNwCmhkcmxlbmd0aApUfTpUewouc3AKQUgg SGVhZGVyIGxlbmd0aApUfTpUewouc3AKaW50ZWdlciAoOCBiaXQpClR9ClR7Ci5zcApyZXNl cnZlZApUfTpUewouc3AKUmVzZXJ2ZWQgYXJlYQpUfTpUewouc3AKaW50ZWdlciAoMTYgYml0 KQpUfQpUewouc3AKc3BpClR9OlR7Ci5zcApTZWN1cml0eSBQYXJhbWV0ZXIgSW5kZXgKVH06 VHsKLnNwCmludGVnZXIgKDMyIGJpdCkKVH0KVHsKLnNwCnNlcXVlbmNlClR9OlR7Ci5zcApT ZXF1ZW5jZSBudW1iZXIKVH06VHsKLnNwCmludGVnZXIgKDMyIGJpdCkKVH0KLlRFCi5zcCAx Ci5TUyAiRU5DUllQVEVEIFNFQ1VSSVRZIFBBWUxPQUQgSEVBREVSIEVYUFJFU1NJT04iCi5z cAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpcZkJlc3BcZlIge1xmQnNwaVxmUiB8IFxmQnNl cXVlbmNlXGZSfQouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5pdCAxIGFuLXRyYXAKLm5y IGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwg XCY1MS5cIFwmRVNQIGhlYWRlciBleHByZXNzaW9uCi5UUwphbGxib3ggdGFiKDopOwpsdEIg bHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5U JgpsdCBsdCBsdApsdCBsdCBsdC4KVHsKLnNwCnNwaQpUfTpUewouc3AKU2VjdXJpdHkgUGFy YW1ldGVyIEluZGV4ClR9OlR7Ci5zcAppbnRlZ2VyICgzMiBiaXQpClR9ClR7Ci5zcApzZXF1 ZW5jZQpUfTpUewouc3AKU2VxdWVuY2UgbnVtYmVyClR9OlR7Ci5zcAppbnRlZ2VyICgzMiBi aXQpClR9Ci5URQouc3AgMQouU1MgIklQQ09NUCBIRUFERVIgRVhQUkVTU0lPTiIKLnNwClxm 
QmNvbXBcZlIge1xmQm5leHRoZHJcZlIgfCBcZkJmbGFnc1xmUiB8IFxmQmNwaVxmUn0KLnNw Ci5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4tYnJlYWstZmxh ZyAxCi5icgouQiBUYWJsZVwgXCY1Mi5cIFwmSVBDb21wIGhlYWRlciBleHByZXNzaW9uCi5U UwphbGxib3ggdGFiKDopOwpsdEIgbHRCIGx0Qi4KVHsKS2V5d29yZApUfTpUewpEZXNjcmlw dGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdApsdCBsdCBsdC4KVHsK LnNwCm5leHRoZHIKVH06VHsKLnNwCk5leHQgaGVhZGVyIHByb3RvY29sClR9OlR7Ci5zcApp bmV0X3Byb3RvClR9ClR7Ci5zcApmbGFncwpUfTpUewouc3AKRmxhZ3MKVH06VHsKLnNwCmJp dG1hc2sKVH0KVHsKLnNwCmNwaQpUfTpUewouc3AKY29tcHJlc3Npb24gUGFyYW1ldGVyIElu ZGV4ClR9OlR7Ci5zcAppbnRlZ2VyICgxNiBiaXQpClR9Ci5URQouc3AgMQouU1MgIlJBVyBQ QVlMT0FEIEVYUFJFU1NJT04iCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgpcZkJAXGZS XGZJYmFzZVxmUlxmQixcZlJcZklvZmZzZXRcZlJcZkIsXGZSXGZJbGVuZ3RoXGZSCi5maQou aWYgbiBce1wKLlJFCi5cfQouc3AKVGhlIHJhdyBwYXlsb2FkIGV4cHJlc3Npb24gaW5zdHJ1 Y3RzIHRvIGxvYWQgXGZJbGVuZ3RoXGZSIGJpdHMgc3RhcnRpbmcgYXQgXGZJb2Zmc2V0XGZS IGJpdHNcJi4gQml0IDAgcmVmZXJzIHRvIHRoZSB2ZXJ5IGZpcnN0IGJpdCBcKGVtIGluIHRo ZSBDIHByb2dyYW1taW5nIGxhbmd1YWdlLCB0aGlzIGNvcnJlc3BvbmRzIHRvIHRoZSB0b3Bt b3N0IGJpdCwgaVwmLmVcJi4gMHg4MCBpbiBjYXNlIG9mIGFuIG9jdGV0XCYuIFRoZXkgYXJl IHVzZWZ1bCB0byBtYXRjaCBoZWFkZXJzIHRoYXQgZG8gbm90IGhhdmUgYSBodW1hblwtcmVh ZGFibGUgdGVtcGxhdGUgZXhwcmVzc2lvbiB5ZXRcJi4gTm90ZSB0aGF0IG5mdCB3aWxsIG5v dCBhZGQgZGVwZW5kZW5jaWVzIGZvciBSYXcgcGF5bG9hZCBleHByZXNzaW9uc1wmLiBJZiB5 b3UgZVwmLmdcJi4gd2FudCB0byBtYXRjaCBwcm90b2NvbCBmaWVsZHMgb2YgYSB0cmFuc3Bv cnQgaGVhZGVyIHdpdGggcHJvdG9jb2wgbnVtYmVyIDUsIHlvdSBuZWVkIHRvIG1hbnVhbGx5 IGV4Y2x1ZGUgcGFja2V0cyB0aGF0IGhhdmUgYSBkaWZmZXJlbnQgdHJhbnNwb3J0IGhlYWRl ciwgZm9yIGluc3RhbmNlIGJ5IHVzaW5nIFxmQm1ldGEgbDRwcm90byA1XGZSIGJlZm9yZSB0 aGUgcmF3IGV4cHJlc3Npb25cJi4KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNl LWZsYWcgMQoubnIgYW4tYnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCY1My5cIFwmU3Vw cG9ydGVkIHBheWxvYWQgcHJvdG9jb2wgYmFzZXMKLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBs dEIuClR7CkJhc2UKVH06VHsKRGVzY3JpcHRpb24KVH0KLlQmCmx0IGx0Cmx0IGx0Cmx0IGx0 
LgpUewouc3AKbGwKVH06VHsKLnNwCkxpbmsgbGF5ZXIsIGZvciBleGFtcGxlIHRoZSBFdGhl cm5ldCBoZWFkZXIKVH0KVHsKLnNwCm5oClR9OlR7Ci5zcApOZXR3b3JrIGhlYWRlciwgZm9y IGV4YW1wbGUgSVB2NCBvciBJUHY2ClR9ClR7Ci5zcAp0aApUfTpUewouc3AKVHJhbnNwb3J0 IEhlYWRlciwgZm9yIGV4YW1wbGUgVENQClR9Ci5URQouc3AgMQouUFAKXGZCTWF0Y2hpbmcg ZGVzdGluYXRpb24gcG9ydCBvZiBib3RoIFVEUCBhbmQgVENQXGZSLiAKLnNwCi5pZiBuIFx7 XAouUlMgNAouXH0KLm5mCmluZXQgZmlsdGVyIGlucHV0IG1ldGEgbDRwcm90byB7dGNwLCB1 ZHB9IEB0aCwxNiwxNiB7IDUzLCA4MCB9Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKVGhl IGFib3ZlIGNhbiBhbHNvIGJlIHdyaXR0ZW4gYXMKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0K Lm5mCmluZXQgZmlsdGVyIGlucHV0IG1ldGEgbDRwcm90byB7dGNwLCB1ZHB9IHRoIGRwb3J0 IHsgNTMsIDgwIH0KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAppdCBpcyBtb3JlIGNvbnZl bmllbnQsIGJ1dCBsaWtlIHRoZSByYXcgZXhwcmVzc2lvbiBub3RhdGlvbiBubyBkZXBlbmRl bmNpZXMgYXJlIGNyZWF0ZWQgb3IgY2hlY2tlZFwmLiBJdCBpcyB0aGUgdXNlcnMgcmVzcG9u c2liaWxpdHkgdG8gcmVzdHJpY3QgbWF0Y2hpbmcgdG8gdGhvc2UgaGVhZGVyIHR5cGVzIHRo YXQgaGF2ZSBhIG5vdGlvbiBvZiBwb3J0c1wmLiBPdGhlcndpc2UsIHJ1bGVzIHVzaW5nIHJh dyBleHByZXNzaW9ucyB3aWxsIGVycm5vdXNseSBtYXRjaCB1bnJlbGF0ZWQgcGFja2V0cywg ZVwmLmdcJi4gbWlzXC1pbnRlcnByZXRpbmcgRVNQIHBhY2tldHMgU1BJIGZpZWxkIGFzIGEg cG9ydFwmLgouUFAKXGZCUmV3cml0ZSBhcnAgcGFja2V0IHRhcmdldCBoYXJkd2FyZSBhZGRy ZXNzIGlmIHRhcmdldCBwcm90b2NvbCBhZGRyZXNzIG1hdGNoZXMgYSBnaXZlbiBhZGRyZXNz XGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCmlucHV0IG1ldGEgaWlmbmFtZSBl bnAyczAgYXJwIHB0eXBlIDB4MDgwMCBhcnAgaHR5cGUgMSBhcnAgaGxlbiA2IGFycCBwbGVu IDQgQG5oLDE5MiwzMiAweGMwYTg4ZjEwIEBuaCwxNDQsNDggc2V0IDB4MTEyMjMzNDQ1NTY2 IGFjY2VwdAouZmkKLmlmIG4gXHtcCi5SRQouXH0KLnNwCi5TUyAiRVhURU5TSU9OIEhFQURF UiBFWFBSRVNTSU9OUyIKLnNwCkV4dGVuc2lvbiBoZWFkZXIgZXhwcmVzc2lvbnMgcmVmZXIg dG8gZGF0YSBmcm9tIHZhcmlhYmxlXC1zaXplZCBwcm90b2NvbCBoZWFkZXJzLCBzdWNoIGFz IElQdjYgZXh0ZW5zaW9uIGhlYWRlcnMsIFRDUCBvcHRpb25zIGFuZCBJUHY0IG9wdGlvbnNc Ji4KLnNwCm5mdGFibGVzIGN1cnJlbnRseSBzdXBwb3J0cyBtYXRjaGluZyAoZmluZGluZykg YSBnaXZlbiBpcHY2IGV4dGVuc2lvbiBoZWFkZXIsIFRDUCBvcHRpb24gb3IgSVB2NCBvcHRp 
YW5kIHdpbmRvdyBzY2FsaW5nKVwmLgpUfQouVEUKLnNwIDEKLlBQClxmQkV4YW1wbGUgcnVs ZXNldCBmb3Igc3lucHJveHkgc3RhdGVtZW50XGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAou XH0KLm5mCkRldGVybWluZSB0Y3Agb3B0aW9ucyB1c2VkIGJ5IGJhY2tlbmQsIGZyb20gYW4g ZXh0ZXJuYWwgc3lzdGVtCgogICAgICAgICAgICAgIHRjcGR1bXAgXC1wbmkgZXRoMCBcLWMg MSBcKihBcXRjcFt0Y3BmbGFnc10gPT0gKHRjcFwtc3lufHRjcFwtYWNrKVwqKEFxCiAgICAg ICAgICAgICAgICAgIHBvcnQgODAgJgogICAgICAgICAgICAgIHRlbG5ldCAxOTJcJi4wXCYu MlwmLjQyIDgwCiAgICAgICAgICAgICAgMTg6NTc6MjRcJi42OTMzMDcgSVAgMTkyXCYuMFwm LjJcJi40MlwmLjgwID4gMTkyXCYuMFwmLjJcJi40M1wmLjQ4NzU3OgogICAgICAgICAgICAg ICAgICBGbGFncyBbU1wmLl0sIHNlcSAzNjA0MTQ1ODIsIGFjayA3ODg4NDE5OTQsIHdpbiAx NDQ4MCwKICAgICAgICAgICAgICAgICAgb3B0aW9ucyBbbXNzIDE0NjAsc2Fja09LLAogICAg ICAgICAgICAgICAgICBUUyB2YWwgMTQwOTA1NjE1MSBlY3IgOTY5MDIyMSwKICAgICAgICAg ICAgICAgICAgbm9wLHdzY2FsZSA5XSwKICAgICAgICAgICAgICAgICAgbGVuZ3RoIDAKClN3 aXRjaCB0Y3BfbG9vc2UgbW9kZSBvZmYsIHNvIGNvbm50cmFjayB3aWxsIG1hcmsgb3V0XC1v ZlwtZmxvdyBwYWNrZXRzIGFzIHN0YXRlIElOVkFMSURcJi4KCiAgICAgICAgICAgICAgZWNo byAwID4gL3Byb2Mvc3lzL25ldC9uZXRmaWx0ZXIvbmZfY29ubnRyYWNrX3RjcF9sb29zZQoK TWFrZSBTWU4gcGFja2V0cyB1bnRyYWNrZWRcJi4KCiAgICAgICAgdGFibGUgaXAgeCB7CiAg ICAgICAgICAgICAgICBjaGFpbiB5IHsKICAgICAgICAgICAgICAgICAgICAgICAgdHlwZSBm aWx0ZXIgaG9vayBwcmVyb3V0aW5nIHByaW9yaXR5IHJhdzsgcG9saWN5IGFjY2VwdDsKICAg ICAgICAgICAgICAgICAgICAgICAgdGNwIGZsYWdzIHN5biBub3RyYWNrCiAgICAgICAgICAg ICAgICB9CiAgICAgICAgfQoKQ2F0Y2ggVU5UUkFDS0VEIChTWU4gIHBhY2tldHMpIGFuZCBJ TlZBTElEICgzV0hTIEFDSyBwYWNrZXRzKSBzdGF0ZXMgYW5kIHNlbmQKdGhlbSB0byBTWU5Q Uk9YWVwmLiBUaGlzIHJ1bGUgd2lsbCByZXNwb25kIHRvIFNZTiBwYWNrZXRzIHdpdGggU1lO K0FDSwpzeW5jb29raWVzLCBjcmVhdGUgRVNUQUJMSVNIRUQgZm9yIHZhbGlkIGNsaWVudCBy ZXNwb25zZSAoM1dIUyBBQ0sgcGFja2V0cykgYW5kCmRyb3AgaW5jb3JyZWN0IGNvb2tpZXNc Ji4gRmxhZ3MgY29tYmluYXRpb25zIG5vdCBleHBlY3RlZCBkdXJpbmcgIDNXSFMgd2lsbCBu b3QKbWF0Y2ggYW5kIGNvbnRpbnVlIChlXCYuZ1wmLiBTWU4rRklOLCBTWU4rQUNLKVwmLiBG aW5hbGx5LCBkcm9wIGludmFsaWQgcGFja2V0cywgdGhpcwp3aWxsIGJlIG91dFwtb2ZcLWZs 
b3cgcGFja2V0cyB0aGF0IHdlcmUgbm90IG1hdGNoZWQgYnkgU1lOUFJPWFlcJi4KCiAgICB0 YWJsZSBpcCBmb28gewogICAgICAgICAgICBjaGFpbiB6IHsKICAgICAgICAgICAgICAgICAg ICB0eXBlIGZpbHRlciBob29rIGlucHV0IHByaW9yaXR5IGZpbHRlcjsgcG9saWN5IGFjY2Vw dDsKICAgICAgICAgICAgICAgICAgICBjdCBzdGF0ZSB7IGludmFsaWQsIHVudHJhY2tlZCB9 IHN5bnByb3h5IG1zcyAxNDYwIHdzY2FsZSA5IHRpbWVzdGFtcCBzYWNrXC1wZXJtCiAgICAg ICAgICAgICAgICAgICAgY3Qgc3RhdGUgaW52YWxpZCBkcm9wCiAgICAgICAgICAgIH0KICAg IH0KClRoZSBvdXRjb21lIHJ1bGVzZXQgb2YgdGhlIHN0ZXBzIGFib3ZlIHNob3VsZCBiZSBz aW1pbGFyIHRvIHRoZSBvbmUgYmVsb3dcJi4KCiAgICAgICAgdGFibGUgaXAgeCB7CiAgICAg ICAgICAgICAgICBjaGFpbiB5IHsKICAgICAgICAgICAgICAgICAgICAgICAgdHlwZSBmaWx0 ZXIgaG9vayBwcmVyb3V0aW5nIHByaW9yaXR5IHJhdzsgcG9saWN5IGFjY2VwdDsKICAgICAg ICAgICAgICAgICAgICAgICAgdGNwIGZsYWdzIHN5biBub3RyYWNrCiAgICAgICAgICAgICAg ICB9CgogICAgICAgICAgICAgICAgY2hhaW4geiB7CiAgICAgICAgICAgICAgICAgICAgICAg IHR5cGUgZmlsdGVyIGhvb2sgaW5wdXQgcHJpb3JpdHkgZmlsdGVyOyBwb2xpY3kgYWNjZXB0 OwogICAgICAgICAgICAgICAgICAgICAgICBjdCBzdGF0ZSB7IGludmFsaWQsIHVudHJhY2tl ZCB9IHN5bnByb3h5IG1zcyAxNDYwIHdzY2FsZSA5IHRpbWVzdGFtcCBzYWNrXC1wZXJtCiAg ICAgICAgICAgICAgICAgICAgICAgIGN0IHN0YXRlIGludmFsaWQgZHJvcAogICAgICAgICAg ICAgICAgfQogICAgICAgIH0KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAouU1MgIkZMT1cg U1RBVEVNRU5UIgouc3AKQSBmbG93IHN0YXRlbWVudCBhbGxvd3MgdXMgdG8gc2VsZWN0IHdo YXQgZmxvd3MgeW91IHdhbnQgdG8gYWNjZWxlcmF0ZSBmb3J3YXJkaW5nIHRocm91Z2ggbGF5 ZXIgMyBuZXR3b3JrIHN0YWNrIGJ5cGFzc1wmLiBZb3UgaGF2ZSB0byBzcGVjaWZ5IHRoZSBm bG93dGFibGUgbmFtZSB3aGVyZSB5b3Ugd2FudCB0byBvZmZsb2FkIHRoaXMgZmxvd1wmLgou c3AKXGZCZmxvdyBhZGQgQFxmUlxmSWZsb3d0YWJsZVxmUgouU1MgIlFVRVVFIFNUQVRFTUVO VCIKLnNwClRoaXMgc3RhdGVtZW50IHBhc3NlcyB0aGUgcGFja2V0IHRvIHVzZXJzcGFjZSB1 c2luZyB0aGUgbmZuZXRsaW5rX3F1ZXVlIGhhbmRsZXJcJi4gVGhlIHBhY2tldCBpcyBwdXQg aW50byB0aGUgcXVldWUgaWRlbnRpZmllZCBieSBpdHMgMTZcLWJpdCBxdWV1ZSBudW1iZXJc Ji4gVXNlcnNwYWNlIGNhbiBpbnNwZWN0IGFuZCBtb2RpZnkgdGhlIHBhY2tldCBpZiBkZXNp cmVkXCYuIFVzZXJzcGFjZSBtdXN0IHRoZW4gZHJvcCBvciByZVwtaW5qZWN0IHRoZSBwYWNr 
ZXQgaW50byB0aGUga2VybmVsXCYuIFNlZSBsaWJuZXRmaWx0ZXJfcXVldWUgZG9jdW1lbnRh dGlvbiBmb3IgZGV0YWlsc1wmLgouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKXGZCcXVl dWVcZlIgW1xmQm51bVxmUiBcZklxdWV1ZV9udW1iZXJcZlJdIFtcZkJieXBhc3NcZlJdClxm QnF1ZXVlXGZSIFtcZkJudW1cZlIgXGZJcXVldWVfbnVtYmVyX2Zyb21cZlIgXC0gXGZJcXVl dWVfbnVtYmVyX3RvXGZSXSBbXGZJUVVFVUVfRkxBR1NcZlJdCgpcZklRVUVVRV9GTEFHU1xm UiA6PSBcZklRVUVVRV9GTEFHXGZSIFtcZkIsXGZSIFxmSVFVRVVFX0ZMQUdTXGZSXQpcZklR VUVVRV9GTEFHXGZSICA6PSBcZkJieXBhc3NcZlIgfCBcZkJmYW5vdXRcZlIKLmZpCi5pZiBu IFx7XAouUkUKLlx9Ci5zcAouaXQgMSBhbi10cmFwCi5uciBhbi1uby1zcGFjZS1mbGFnIDEK Lm5yIGFuLWJyZWFrLWZsYWcgMQouYnIKLkIgVGFibGVcIFwmNjkuXCBcJnF1ZXVlIHN0YXRl bWVudCB2YWx1ZXMKLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBsdEIgbHRCLgpUewpWYWx1ZQpU fTpUewpEZXNjcmlwdGlvbgpUfTpUewpUeXBlClR9Ci5UJgpsdCBsdCBsdApsdCBsdCBsdAps dCBsdCBsdC4KVHsKLnNwCnF1ZXVlX251bWJlcgpUfTpUewouc3AKU2V0cyBxdWV1ZSBudW1i ZXIsIGRlZmF1bHQgaXMgMFwmLgpUfTpUewouc3AKdW5zaWduZWQgaW50ZWdlciAoMTYgYml0 KQpUfQpUewouc3AKcXVldWVfbnVtYmVyX2Zyb20KVH06VHsKLnNwClNldHMgaW5pdGlhbCBx dWV1ZSBpbiB0aGUgcmFuZ2UsIGlmIGZhbm91dCBpcyB1c2VkXCYuClR9OlR7Ci5zcAp1bnNp Z25lZCBpbnRlZ2VyICgxNiBiaXQpClR9ClR7Ci5zcApxdWV1ZV9udW1iZXJfdG8KVH06VHsK LnNwClNldHMgY2xvc2luZyBxdWV1ZSBpbiB0aGUgcmFuZ2UsIGlmIGZhbm91dCBpcyB1c2Vk XCYuClR9OlR7Ci5zcAp1bnNpZ25lZCBpbnRlZ2VyICgxNiBiaXQpClR9Ci5URQouc3AgMQou c3AKLml0IDEgYW4tdHJhcAoubnIgYW4tbm8tc3BhY2UtZmxhZyAxCi5uciBhbi1icmVhay1m bGFnIDEKLmJyCi5CIFRhYmxlXCBcJjcwLlwgXCZxdWV1ZSBzdGF0ZW1lbnQgZmxhZ3MKLlRT CmFsbGJveCB0YWIoOik7Cmx0QiBsdEIuClR7CkZsYWcKVH06VHsKRGVzY3JpcHRpb24KVH0K LlQmCmx0IGx0Cmx0IGx0LgpUewouc3AKYnlwYXNzClR9OlR7Ci5zcApMZXQgcGFja2V0cyBn byB0aHJvdWdoIGlmIHVzZXJzcGFjZSBhcHBsaWNhdGlvbiBjYW5ub3QgYmFjayBvZmZcJi4g QmVmb3JlIHVzaW5nIHRoaXMgZmxhZywgcmVhZCBsaWJuZXRmaWx0ZXJfcXVldWUgZG9jdW1l bnRhdGlvbiBmb3IgcGVyZm9ybWFuY2UgdHVuaW5nIHJlY29tbWVuZGF0aW9uc1wmLgpUfQpU ewouc3AKZmFub3V0ClR9OlR7Ci5zcApEaXN0cmlidXRlIHBhY2tldHMgYmV0d2VlbiBzZXZl cmFsIHF1ZXVlc1wmLgpUfQouVEUKLnNwIDEKLlNTICJEVVAgU1RBVEVNRU5UIgouc3AKVGhl 
IGR1cCBzdGF0ZW1lbnQgaXMgdXNlZCB0byBkdXBsaWNhdGUgYSBwYWNrZXQgYW5kIHNlbmQg dGhlIGNvcHkgdG8gYSBkaWZmZXJlbnQgZGVzdGluYXRpb25cJi4KLnNwCi5pZiBuIFx7XAou UlMgNAouXH0KLm5mClxmQmR1cCB0b1xmUiBcZklkZXZpY2VcZlIKXGZCZHVwIHRvXGZSIFxm SWFkZHJlc3NcZlIgXGZCZGV2aWNlXGZSIFxmSWRldmljZVxmUgouZmkKLmlmIG4gXHtcCi5S RQouXH0KLnNwCi5pdCAxIGFuLXRyYXAKLm5yIGFuLW5vLXNwYWNlLWZsYWcgMQoubnIgYW4t YnJlYWstZmxhZyAxCi5icgouQiBUYWJsZVwgXCY3MS5cIFwmRHVwIHN0YXRlbWVudCB2YWx1 ZXMKLlRTCmFsbGJveCB0YWIoOik7Cmx0QiBsdEIgbHRCLgpUewpFeHByZXNzaW9uClR9OlR7 CkRlc2NyaXB0aW9uClR9OlR7ClR5cGUKVH0KLlQmCmx0IGx0IGx0Cmx0IGx0IGx0LgpUewou c3AKYWRkcmVzcwpUfTpUewouc3AKU3BlY2lmaWVzIHRoYXQgdGhlIGNvcHkgb2YgdGhlIHBh Y2tldCBzaG91bGQgYmUgc2VudCB0byBhIG5ldyBnYXRld2F5XCYuClR9OlR7Ci5zcAppcHY0 X2FkZHIsIGlwdjZfYWRkciwgZVwmLmdcJi4gYWJjZDo6MTIzNCwgb3IgeW91IGNhbiB1c2Ug YSBtYXBwaW5nLCBlXCYuZ1wmLiBpcCBzYWRkciBtYXAgeyAxOTJcJi4xNjhcJi4xXCYuMiA6 IDEwXCYuMVwmLjFcJi4xIH0KVH0KVHsKLnNwCmRldmljZQpUfTpUewouc3AKU3BlY2lmaWVz IHRoYXQgdGhlIGNvcHkgc2hvdWxkIGJlIHRyYW5zbWl0dGVkIHZpYSBkZXZpY2VcJi4KVH06 VHsKLnNwCnN0cmluZwpUfQouVEUKLnNwIDEKLlBQClxmQlVzaW5nIHRoZSBkdXAgc3RhdGVt ZW50XGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCiMgc2VuZCB0byBtYWNoaW5l IHdpdGggaXAgYWRkcmVzcyAxMFwmLjJcJi4zXCYuNCBvbiBldGgwCmlwIGZpbHRlciBmb3J3 YXJkIGR1cCB0byAxMFwmLjJcJi4zXCYuNCBkZXZpY2UgImV0aDAiCgojIGNvcHkgcmF3IGZy YW1lIHRvIGFub3RoZXIgaW50ZXJmYWNlCm5ldGRldHYgaW5ncmVzcyBkdXAgdG8gImV0aDAi CmR1cCB0byAiZXRoMCIKCiMgY29tYmluZSB3aXRoIG1hcCBkc3QgYWRkciB0byBnYXRld2F5 cwpkdXAgdG8gaXAgZGFkZHIgbWFwIHsgMTkyXCYuMTY4XCYuN1wmLjEgOiAiZXRoMCIsIDE5 MlwmLjE2OFwmLjdcJi4yIDogImV0aDEiIH0KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAou U1MgIkZXRCBTVEFURU1FTlQiCi5zcApUaGUgZndkIHN0YXRlbWVudCBpcyB1c2VkIHRvIHJl ZGlyZWN0IGEgcmF3IHBhY2tldCB0byBhbm90aGVyIGludGVyZmFjZVwmLiBJdCBpcyBvbmx5 IGF2YWlsYWJsZSBpbiB0aGUgbmV0ZGV2IGZhbWlseSBpbmdyZXNzIGhvb2tcJi4gSXQgaXMg c2ltaWxhciB0byB0aGUgZHVwIHN0YXRlbWVudCBleGNlcHQgdGhhdCBubyBjb3B5IGlzIG1h ZGVcJi4KLnNwClxmQmZ3ZCB0b1xmUiBcZklkZXZpY2VcZlIKLlNTICJTRVQgU1RBVEVNRU5U 
Igouc3AKVGhlIHNldCBzdGF0ZW1lbnQgaXMgdXNlZCB0byBkeW5hbWljYWxseSBhZGQgb3Ig dXBkYXRlIGVsZW1lbnRzIGluIGEgc2V0IGZyb20gdGhlIHBhY2tldCBwYXRoXCYuIFRoZSBz ZXQgc2V0bmFtZSBtdXN0IGFscmVhZHkgZXhpc3QgaW4gdGhlIGdpdmVuIHRhYmxlIGFuZCBt dXN0IGhhdmUgYmVlbiBjcmVhdGVkIHdpdGggb25lIG9yIGJvdGggb2YgdGhlIGR5bmFtaWMg YW5kIHRoZSB0aW1lb3V0IGZsYWdzXCYuIFRoZSBkeW5hbWljIGZsYWcgaXMgcmVxdWlyZWQg aWYgdGhlIHNldCBzdGF0ZW1lbnQgZXhwcmVzc2lvbiBpbmNsdWRlcyBhIHN0YXRlZnVsIG9i amVjdFwmLiBUaGUgdGltZW91dCBmbGFnIGlzIGltcGxpZWQgaWYgdGhlIHNldCBpcyBjcmVh dGVkIHdpdGggYSB0aW1lb3V0LCBhbmQgaXMgcmVxdWlyZWQgaWYgdGhlIHNldCBzdGF0ZW1l bnQgdXBkYXRlcyBlbGVtZW50cywgcmF0aGVyIHRoYW4gYWRkaW5nIHRoZW1cJi4gRnVydGhl cm1vcmUsIHRoZXNlIHNldHMgc2hvdWxkIHNwZWNpZnkgYm90aCBhIG1heGltdW0gc2V0IHNp emUgKHRvIHByZXZlbnQgbWVtb3J5IGV4aGF1c3Rpb24pLCBhbmQgdGhlaXIgZWxlbWVudHMg c2hvdWxkIGhhdmUgYSB0aW1lb3V0IChzbyB0aGVpciBudW1iZXIgd2lsbCBub3QgZ3JvdyBp bmRlZmluaXRlbHkpIGVpdGhlciBmcm9tIHRoZSBzZXQgZGVmaW5pdGlvbiBvciBmcm9tIHRo ZSBzdGF0ZW1lbnQgdGhhdCBhZGRzIG9yIHVwZGF0ZXMgdGhlbVwmLiBUaGUgc2V0IHN0YXRl bWVudCBjYW4gYmUgdXNlZCB0byBlXCYuZ1wmLiBjcmVhdGUgZHluYW1pYyBibGFja2xpc3Rz XCYuCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgp7XGZCYWRkXGZSIHwgXGZCdXBkYXRl XGZSfSBcZkJAXGZSXGZJc2V0bmFtZVxmUiBcZkJ7XGZSIFxmSWV4cHJlc3Npb25cZlIgW1xm QnRpbWVvdXRcZlIgXGZJdGltZW91dFxmUl0gW1xmQmNvbW1lbnRcZlIgXGZJc3RyaW5nXGZS XSBcZkJ9XGZSCi5maQouaWYgbiBce1wKLlJFCi5cfQouUFAKXGZCRXhhbXBsZSBmb3Igc2lt cGxlIGJsYWNrbGlzdFxmUi4gCi5zcAouaWYgbiBce1wKLlJTIDQKLlx9Ci5uZgojIGRlY2xh cmUgYSBzZXQsIGJvdW5kIHRvIHRhYmxlICJmaWx0ZXIiLCBpbiBmYW1pbHkgImlwIlwmLgoj IFRpbWVvdXQgYW5kIHNpemUgYXJlIG1hbmRhdG9yeSBiZWNhdXNlIHdlIHdpbGwgYWRkIGVs ZW1lbnRzIGZyb20gcGFja2V0IHBhdGhcJi4KIyBFbnRyaWVzIHdpbGwgdGltZW91dCBhZnRl ciBvbmUgbWludXRlLCBhZnRlciB3aGljaCB0aGV5IG1pZ2h0IGJlCiMgcmVcLWFkZGVkIGlm IGxpbWl0IGNvbmRpdGlvbiBwZXJzaXN0c1wmLgpuZnQgYWRkIHNldCBpcCBmaWx0ZXIgYmxh Y2tob2xlIFxlCiAgICAieyB0eXBlIGlwdjRfYWRkcjsgZmxhZ3MgZHluYW1pYzsgdGltZW91 dCAxbTsgc2l6ZSA2NTUzNjsgfSIKCiMgZGVjbGFyZSBhIHNldCB0byBzdG9yZSB0aGUgbGlt 
aXQgcGVyIHNhZGRyXCYuCiMgVGhpcyBtdXN0IGJlIHNlcGFyYXRlIGZyb20gYmxhY2tob2xl IHNpbmNlIHRoZSB0aW1lb3V0IGlzIGRpZmZlcmVudApuZnQgYWRkIHNldCBpcCBmaWx0ZXIg Zmxvb2QgXGUKICAgICJ7IHR5cGUgaXB2NF9hZGRyOyBmbGFncyBkeW5hbWljOyB0aW1lb3V0 IDEwczsgc2l6ZSAxMjgwMDA7IH0iCgojIHdoaXRlbGlzdCBpbnRlcm5hbCBpbnRlcmZhY2Vc Ji4KbmZ0IGFkZCBydWxlIGlwIGZpbHRlciBpbnB1dCBtZXRhIGlpZm5hbWUgImludGVybmFs IiBhY2NlcHQKCiMgZHJvcCBwYWNrZXRzIGNvbWluZyBmcm9tIGJsYWNrbGlzdGVkIGlwIGFk ZHJlc3Nlc1wmLgpuZnQgYWRkIHJ1bGUgaXAgZmlsdGVyIGlucHV0IGlwIHNhZGRyIEBibGFj a2hvbGUgY291bnRlciBkcm9wCgojIGFkZCBzb3VyY2UgaXAgYWRkcmVzc2VzIHRvIHRoZSBi bGFja2xpc3QgaWYgbW9yZSB0aGFuIDEwIHRjcCBjb25uZWN0aW9uCiMgcmVxdWVzdHMgb2Nj dXJyZWQgcGVyIHNlY29uZCBhbmQgaXAgYWRkcmVzc1wmLgpuZnQgYWRkIHJ1bGUgaXAgZmls dGVyIGlucHV0IHRjcCBmbGFncyBzeW4gdGNwIGRwb3J0IHNzaCBcZQogICAgYWRkIEBmbG9v ZCB7IGlwIHNhZGRyIGxpbWl0IHJhdGUgb3ZlciAxMC9zZWNvbmQgfSBcZQogICAgYWRkIEBi bGFja2hvbGUgeyBpcCBzYWRkciB9IGRyb3AKCiMgaW5zcGVjdCBzdGF0ZSBvZiB0aGUgc2V0 c1wmLgpuZnQgbGlzdCBzZXQgaXAgZmlsdGVyIGZsb29kCm5mdCBsaXN0IHNldCBpcCBmaWx0 ZXIgYmxhY2tob2xlCgojIG1hbnVhbGx5IGFkZCB0d28gYWRkcmVzc2VzIHRvIHRoZSBibGFj a2hvbGVcJi4KbmZ0IGFkZCBlbGVtZW50IGZpbHRlciBibGFja2hvbGUgeyAxMFwmLjJcJi4z XCYuNCwgMTBcJi4yM1wmLjFcJi40MiB9Ci5maQouaWYgbiBce1wKLlJFCi5cfQouc3AKLlNT ICJNQVAgU1RBVEVNRU5UIgouc3AKVGhlIG1hcCBzdGF0ZW1lbnQgaXMgdXNlZCB0byBsb29r dXAgZGF0YSBiYXNlZCBvbiBzb21lIHNwZWNpZmljIGlucHV0IGtleVwmLgouc3AKLmlmIG4g XHtcCi5SUyA0Ci5cfQoubmYKXGZJZXhwcmVzc2lvblxmUiBcZkJtYXBcZlIgXGZCe1xmUiBc ZklNQVBfRUxFTUVOVFNcZlIgXGZCfVxmUgoKXGZJTUFQX0VMRU1FTlRTXGZSIDo9IFxmSU1B UF9FTEVNRU5UXGZSIFtcZkIsXGZSIFxmSU1BUF9FTEVNRU5UU1xmUl0KXGZJTUFQX0VMRU1F TlRcZlIgIDo9IFxmSWtleVxmUiBcZkI6XGZSIFxmSXZhbHVlXGZSCi5maQouaWYgbiBce1wK LlJFCi5cfQouc3AKVGhlIFxmSWtleVxmUiBpcyBhIHZhbHVlIHJldHVybmVkIGJ5IFxmSWV4 cHJlc3Npb25cZlJcJi4KLlBQClxmQlVzaW5nIHRoZSBtYXAgc3RhdGVtZW50XGZSLiAKLnNw Ci5pZiBuIFx7XAouUlMgNAouXH0KLm5mCiMgc2VsZWN0IEROQVQgdGFyZ2V0IGJhc2VkIG9u IFRDUCBkcG9ydDoKIyBjb25uZWN0aW9ucyB0byBwb3J0IDgwIGFyZSByZWRpcmVjdGVkIHRv 
IDE5MlwmLjE2OFwmLjFcJi4xMDAsCiMgY29ubmVjdGlvbnMgdG8gcG9ydCA4ODg4IGFyZSBy ZWRpcmVjdGVkIHRvIDE5MlwmLjE2OFwmLjFcJi4xMDEKbmZ0IGFkZCBydWxlIGlwIG5hdCBw cmVyb3V0aW5nIGRuYXQgdGNwIGRwb3J0IG1hcCB7IDgwIDogMTkyXCYuMTY4XCYuMVwmLjEw MCwgODg4OCA6IDE5MlwmLjE2OFwmLjFcJi4xMDEgfQoKIyBzb3VyY2UgYWRkcmVzcyBiYXNl ZCBTTkFUOgojIHBhY2tldHMgZnJvbSBuZXQgMTkyXCYuMTY4XCYuMVwmLjAvMjQgd2lsbCBh cHBlYXIgYXMgb3JpZ2luYXRpbmcgZnJvbSAxMFwmLjBcJi4wXCYuMSwKIyBwYWNrZXRzIGZy b20gbmV0IDE5MlwmLjE2OFwmLjJcJi4wLzI0IHdpbGwgYXBwZWFyIGFzIG9yaWdpbmF0aW5n IGZyb20gMTBcJi4wXCYuMFwmLjIKbmZ0IGFkZCBydWxlIGlwIG5hdCBwb3N0cm91dGluZyBz bmF0IHRvIGlwIHNhZGRyIG1hcCB7IDE5MlwmLjE2OFwmLjFcJi4wLzI0IDogMTBcJi4wXCYu MFwmLjEsIDE5MlwmLjE2OFwmLjJcJi4wLzI0IDogMTBcJi4wXCYuMFwmLjIgfQouZmkKLmlm IG4gXHtcCi5SRQouXH0KLnNwCi5TUyAiVk1BUCBTVEFURU1FTlQiCi5zcApUaGUgdmVyZGlj dCBtYXAgKHZtYXApIHN0YXRlbWVudCB3b3JrcyBhbmFsb2dvdXMgdG8gdGhlIG1hcCBzdGF0 ZW1lbnQsIGJ1dCBjb250YWlucyB2ZXJkaWN0cyBhcyB2YWx1ZXNcJi4KLnNwCi5pZiBuIFx7 XAouUlMgNAouXH0KLm5mClxmSWV4cHJlc3Npb25cZlIgXGZCdm1hcFxmUiBcZkJ7XGZSIFxm SVZNQVBfRUxFTUVOVFNcZlIgXGZCfVxmUgoKXGZJVk1BUF9FTEVNRU5UU1xmUiA6PSBcZklW TUFQX0VMRU1FTlRcZlIgW1xmQixcZlIgXGZJVk1BUF9FTEVNRU5UU1xmUl0KXGZJVk1BUF9F TEVNRU5UXGZSICA6PSBcZklrZXlcZlIgXGZCOlxmUiBcZkl2ZXJkaWN0XGZSCi5maQouaWYg biBce1wKLlJFCi5cfQouUFAKXGZCVXNpbmcgdGhlIHZtYXAgc3RhdGVtZW50XGZSLiAKLnNw Ci5pZiBuIFx7XAouUlMgNAouXH0KLm5mCiMganVtcCB0byBkaWZmZXJlbnQgY2hhaW5zIGRl cGVuZGluZyBvbiBsYXllciA0IHByb3RvY29sIHR5cGU6Cm5mdCBhZGQgcnVsZSBpcCBmaWx0 ZXIgaW5wdXQgaXAgcHJvdG9jb2wgdm1hcCB7IHRjcCA6IGp1bXAgdGNwXC1jaGFpbiwgdWRw IDoganVtcCB1ZHBcLWNoYWluICwgaWNtcCA6IGp1bXAgaWNtcFwtY2hhaW4gfQouZmkKLmlm IG4gXHtcCi5SRQouXH0KLnNwCi5TSCAiQURESVRJT05BTCBDT01NQU5EUyIKLnNwClRoZXNl IGFyZSBzb21lIGFkZGl0aW9uYWwgY29tbWFuZHMgaW5jbHVkZWQgaW4gbmZ0XCYuCi5TUyAi TU9OSVRPUiIKLnNwClRoZSBtb25pdG9yIGNvbW1hbmQgYWxsb3dzIHlvdSB0byBsaXN0ZW4g dG8gTmV0bGluayBldmVudHMgcHJvZHVjZWQgYnkgdGhlIG5mX3RhYmxlcyBzdWJzeXN0ZW0s IHJlbGF0ZWQgdG8gY3JlYXRpb24gYW5kIGRlbGV0aW9uIG9mIG9iamVjdHNcJi4gV2hlbiB0 
aGV5IG9jY3VyLCBuZnQgd2lsbCBwcmludCB0byBzdGRvdXQgdGhlIG1vbml0b3JlZCBldmVu dHMgaW4gZWl0aGVyIEpTT04gb3IgbmF0aXZlIG5mdCBmb3JtYXRcJi4KLnNwClRvIGZpbHRl ciBldmVudHMgcmVsYXRlZCB0byBhIGNvbmNyZXRlIG9iamVjdCwgdXNlIG9uZSBvZiB0aGUg a2V5d29yZHMgXGZJdGFibGVzXGZSLCBcZkljaGFpbnNcZlIsIFxmSXNldHNcZlIsIFxmSXJ1 bGVzXGZSLCBcZkllbGVtZW50c1xmUiwgXGZJcnVsZXNldFxmUlwmLgouc3AKVG8gZmlsdGVy IGV2ZW50cyByZWxhdGVkIHRvIGEgY29uY3JldGUgYWN0aW9uLCB1c2Uga2V5d29yZCBcZklu ZXdcZlIgb3IgXGZJZGVzdHJveVxmUlwmLgouc3AKSGl0IF5DIHRvIGZpbmlzaCB0aGUgbW9u aXRvciBvcGVyYXRpb25cJi4KLlBQClxmQkxpc3RlbiB0byBhbGwgZXZlbnRzLCByZXBvcnQg aW4gbmF0aXZlIG5mdCBmb3JtYXRcZlIuIAouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYK JSBuZnQgbW9uaXRvcgouZmkKLmlmIG4gXHtcCi5SRQouXH0KLlBQClxmQkxpc3RlbiB0byBk ZWxldGVkIHJ1bGVzLCByZXBvcnQgaW4gSlNPTiBmb3JtYXRcZlIuIAouc3AKLmlmIG4gXHtc Ci5SUyA0Ci5cfQoubmYKJSBuZnQgXC1qIG1vbml0b3IgZGVzdHJveSBydWxlcwouZmkKLmlm IG4gXHtcCi5SRQouXH0KLlBQClxmQkxpc3RlbiB0byBib3RoIG5ldyBhbmQgZGVzdHJveWVk IGNoYWlucywgaW4gbmF0aXZlIG5mdCBmb3JtYXRcZlIuIAouc3AKLmlmIG4gXHtcCi5SUyA0 Ci5cfQoubmYKJSBuZnQgbW9uaXRvciBjaGFpbnMKLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5Q UApcZkJMaXN0ZW4gdG8gcnVsZXNldCBldmVudHMgc3VjaCBhcyB0YWJsZSwgY2hhaW4sIHJ1 bGUsIHNldCwgY291bnRlcnMgYW5kIHF1b3RhcywgaW4gbmF0aXZlIG5mdCBmb3JtYXRcZlIu IAouc3AKLmlmIG4gXHtcCi5SUyA0Ci5cfQoubmYKJSBuZnQgbW9uaXRvciBydWxlc2V0Ci5m aQouaWYgbiBce1wKLlJFCi5cfQouc3AKLlNIICJFUlJPUiBSRVBPUlRJTkciCi5zcApXaGVu IGFuIGVycm9yIGlzIGRldGVjdGVkLCBuZnQgc2hvd3MgdGhlIGxpbmUocykgY29udGFpbmlu ZyB0aGUgZXJyb3IsIHRoZSBwb3NpdGlvbiBvZiB0aGUgZXJyb25lb3VzIHBhcnRzIGluIHRo ZSBpbnB1dCBzdHJlYW0gYW5kIG1hcmtzIHVwIHRoZSBlcnJvbmVvdXMgcGFydHMgdXNpbmcg Y2FyZXRzICheKVwmLiBJZiB0aGUgZXJyb3IgcmVzdWx0cyBmcm9tIHRoZSBjb21iaW5hdGlv biBvZiB0d28gZXhwcmVzc2lvbnMgb3Igc3RhdGVtZW50cywgdGhlIHBhcnQgaW1wb3Npbmcg dGhlIGNvbnN0cmFpbnRzIHdoaWNoIGFyZSB2aW9sYXRlZCBpcyBtYXJrZWQgdXNpbmcgdGls ZGVzICh+KVwmLgouc3AKRm9yIGVycm9ycyByZXR1cm5lZCBieSB0aGUga2VybmVsLCBuZnQg Y2Fubm90IGRldGVjdCB3aGljaCBwYXJ0cyBvZiB0aGUgaW5wdXQgY2F1c2VkIHRoZSBlcnJv 
ciBhbmQgdGhlIGVudGlyZSBjb21tYW5kIGlzIG1hcmtlZFwmLgouUFAKXGZCRXJyb3IgY2F1 c2VkIGJ5IHNpbmdsZSBpbmNvcnJlY3QgZXhwcmVzc2lvblxmUi4gCi5zcAouaWYgbiBce1wK LlJTIDQKLlx9Ci5uZgo8Y21kbGluZT46MToxOVwtMjI6IEVycm9yOiBJbnRlcmZhY2UgZG9l cyBub3QgZXhpc3QKZmlsdGVyIG91dHB1dCBvaWYgZXRoMAogICAgICAgICAgICAgICAgICBe Xl5eCi5maQouaWYgbiBce1wKLlJFCi5cfQouUFAKXGZCRXJyb3IgY2F1c2VkIGJ5IGludmFs aWQgY29tYmluYXRpb24gb2YgdHdvIGV4cHJlc3Npb25zXGZSLiAKLnNwCi5pZiBuIFx7XAou UlMgNAouXH0KLm5mCjxjbWRsaW5lPjoxOjI4XC0zNjogRXJyb3I6IFJpZ2h0IGhhbmQgc2lk ZSBvZiByZWxhdGlvbmFsIGV4cHJlc3Npb24gKD09KSBtdXN0IGJlIGNvbnN0YW50CmZpbHRl ciBvdXRwdXQgdGNwIGRwb3J0ID09IHRjcCBkcG9ydAogICAgICAgICAgICAgICAgICAgICAg ICB+fiBeXl5eXl5eXl4KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5QUApcZkJFcnJvciByZXR1 cm5lZCBieSB0aGUga2VybmVsXGZSLiAKLnNwCi5pZiBuIFx7XAouUlMgNAouXH0KLm5mCjxj bWRsaW5lPjowOjBcLTIzOiBFcnJvcjogQ291bGQgbm90IHByb2Nlc3MgcnVsZTogT3BlcmF0 aW9uIG5vdCBwZXJtaXR0ZWQKZmlsdGVyIG91dHB1dCBvaWYgd2xhbjAKXl5eXl5eXl5eXl5e Xl5eXl5eXl5eXl4KLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcAouU0ggIkVYSVQgU1RBVFVT Igouc3AKT24gc3VjY2VzcywgbmZ0IGV4aXRzIHdpdGggYSBzdGF0dXMgb2YgMFwmLiBVbnNw ZWNpZmllZCBlcnJvcnMgY2F1c2UgaXQgdG8gZXhpdCB3aXRoIGEgc3RhdHVzIG9mIDEsIG1l bW9yeSBhbGxvY2F0aW9uIGVycm9ycyB3aXRoIGEgc3RhdHVzIG9mIDIsIHVuYWJsZSB0byBv cGVuIE5ldGxpbmsgc29ja2V0IHdpdGggM1wmLgouU0ggIlNFRSBBTFNPIgouc3AKLmlmIG4g XHtcCi5SUyA0Ci5cfQoubmYKbGlibmZ0YWJsZXMoMyksIGxpYm5mdGFibGVzXC1qc29uKDUp LCBpcHRhYmxlcyg4KSwgaXA2dGFibGVzKDgpLCBhcnB0YWJsZXMoOCksIGVidGFibGVzKDgp LCBpcCg4KSwgdGMoOCkKLmZpCi5pZiBuIFx7XAouUkUKLlx9Ci5zcApUaGVyZSBpcyBhbiBv ZmZpY2lhbCB3aWtpIGF0OiBodHRwczovL3dpa2lcJi5uZnRhYmxlc1wmLm9yZwouU0ggIkFV VEhPUlMiCi5zcApuZnRhYmxlcyB3YXMgd3JpdHRlbiBieSBQYXRyaWNrIE1jSGFyZHkgYW5k IFBhYmxvIE5laXJhIEF5dXNvLCBhbW9uZyBtYW55IG90aGVyIGNvbnRyaWJ1dG9ycyBmcm9t IHRoZSBOZXRmaWx0ZXIgY29tbXVuaXR5XCYuCi5TSCAiQ09QWVJJR0hUIgouc3AKQ29weXJp Z2h0IFwoY28gMjAwOFwtMjAxNCBQYXRyaWNrIE1jSGFyZHkgPGthYmVyQHRyYXNoXCYubmV0 PiBDb3B5cmlnaHQgXChjbyAyMDEzXC0yMDE4IFBhYmxvIE5laXJhIEF5dXNvIDxwYWJsb0Bu 
ZXRmaWx0ZXJcJi5vcmc+Ci5zcApuZnRhYmxlcyBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2Fu IHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IgbW9kaWZ5IGl0IHVuZGVyIHRoZSB0ZXJtcyBvZiB0 aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgdmVyc2lvbiAyIGFzIHB1Ymxpc2hlZCBi eSB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uXCYuCi5zcApUaGlzIGRvY3VtZW50YXRp b24gaXMgbGljZW5zZWQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBDcmVhdGl2ZSBDb21tb25z IEF0dHJpYnV0aW9uXC1TaGFyZUFsaWtlIDRcJi4wIGxpY2Vuc2UsIENDIEJZXC1TQSA0XCYu MCBodHRwOi8vY3JlYXRpdmVjb21tb25zXCYub3JnL2xpY2Vuc2VzL2J5XC1zYS80XCYuMC9c Ji4K --------------87631BA5FD91D649B46242DF-- -- To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 11607 invoked from network); 4 Feb 2021 16:47:42 -0000 Received: from bsd.lv (HELO mandoc.bsd.lv) (66.111.2.12) by inbox.vuxu.org with ESMTPUTF8; 4 Feb 2021 16:47:42 -0000 Received: from fantadrom.bsd.lv (localhost [127.0.0.1]) by mandoc.bsd.lv (OpenSMTPD) with ESMTP id bdf8a733 for ; Thu, 4 Feb 2021 11:47:36 -0500 (EST) Received: from fx.arvanta.net (static-213-198-238-194.adsl.eunet.rs [213.198.238.194]) by mandoc.bsd.lv (OpenSMTPD) with ESMTP id b9899b0f for ; Thu, 4 Feb 2021 11:46:40 -0500 (EST) Received: from arya.arvanta.net (arya.arvanta.net [10.5.1.6]) by fx.arvanta.net (Postfix) with ESMTP id D349E17179 for ; Thu, 4 Feb 2021 17:46:37 +0100 (CET) Date: Thu, 4 Feb 2021 17:46:37 +0100 From: Milan =?utf-8?Q?P=2E_Stani=C4=87?= To: discuss@mandoc.bsd.lv Subject: Re: Segmentation fault on trying to view nft.8 man page on Gentoo Message-ID: References: X-Mailinglist: mandoc-discuss Reply-To: discuss@mandoc.bsd.lv MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: Hi, On Thu, 2021-02-04 at 11:15, Aisha Tammy wrote: > 
Hi,
>   It seems that the latest release of mandoc (1.14.5) on Gentoo has trouble
> viewing the nft.8 man page (attached), it crashes with segmentation fault.
> I am able to view it on OpenBSD with man -l nft.8, after copying it over.
> (I can provide access to a gentoo virtual machine where this bug is
> replicable.)

About a year ago we had such a bug on Alpine Linux and I reported it here:
https://marc.info/?l=mandoc-discuss&m=158605350702994&w=2

The bug is fixed with Ingo's patch.

> I presume this must be a bug in the release version that has since been
> fixed.
>
> Can we get another release which we can use so that we can avoid this bug?
>
> Thanks a lot,
> Aisha
>
> '\" t
> .\" Title: nft
> .\" Author: [see the "AUTHORS" section]
> .\" Generator: DocBook XSL Stylesheets v1.79.1
> .\" Date: 01/15/2021
> .\" Manual: \ \&
> .\" Source: \ \&
> .\" Language: English
> .\"
> .TH "NFT" "8" "01/15/2021" "\ \&" "\ \&"
> .\" -----------------------------------------------------------------
> .\" * Define some portability stuff
> .\" -----------------------------------------------------------------
> .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> .\" http://bugs.debian.org/507673
> .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
> .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> .ie \n(.g .ds Aq \(aq
> .el .ds Aq '
> .\" -----------------------------------------------------------------
> .\" * set default formatting
> .\" -----------------------------------------------------------------
> .\" disable hyphenation
> .nh
> .\" disable justification (adjust text to left margin only)
> .ad l
> .\" -----------------------------------------------------------------
> .\" * MAIN CONTENT STARTS HERE *
> .\" -----------------------------------------------------------------
> .SH "NAME"
> nft \- Administration tool of the nftables framework for packet filtering and classification
> .SH "SYNOPSIS"
> .sp
> .nf
> \fBnft\fR [ \fB\-nNscaeSupyjt\fR ] [ \fB\-I\fR \fIdirectory\fR ] [ \fB\-f\fR \fIfilename\fR | \fB\-i\fR | \fIcmd\fR \&...]
> \fBnft\fR \fB\-h\fR
> \fBnft\fR \fB\-v\fR
> .fi
> .SH "DESCRIPTION"
> .sp
> nft is the command line tool used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel, in the nftables framework\&. The Linux kernel subsystem is known as nf_tables, and \(oqnf\(cq stands for Netfilter\&.
> .SH "OPTIONS"
> .sp
> The command accepts several different options which are documented here in groups for better understanding of their meaning\&. You can get information about options by running \fBnft \-\-help\fR\&.
> .PP
> \fBGeneral options:\fR
> .PP
> \fB\-h\fR, \fB\-\-help\fR
> .RS 4
> Show help message and all options\&.
> .RE
> .PP
> \fB\-v\fR, \fB\-\-version\fR
> .RS 4
> Show version\&.
> .RE
> .PP
> \fB\-V\fR
> .RS 4
> Show long version information, including compile\-time configuration\&.
> .RE
> .PP
> \fBRuleset input handling options that specify to how to load rulesets:\fR
> .PP
> \fB\-f\fR, \fB\-\-file \fR\fB\fIfilename\fR\fR
> .RS 4
> Read input from
> \fIfilename\fR\&. If
> \fIfilename\fR
> is \-, read from stdin\&.
> .RE
> .PP
> \fB\-i\fR, \fB\-\-interactive\fR
> .RS 4
> Read input from an interactive readline CLI\&. You can use quit to exit, or use the EOF marker, normally this is CTRL\-D\&.
> .RE
> .PP
> \fB\-I\fR, \fB\-\-includepath directory\fR
> .RS 4
> Add the directory
> \fIdirectory\fR
> to the list of directories to be searched for included files\&. This option may be specified multiple times\&.
> .RE
> .PP
> \fB\-c\fR, \fB\-\-check\fR
> .RS 4
> Check commands validity without actually applying the changes\&.
> .RE
> .PP
> \fBRuleset list output formatting that modify the output of the list ruleset command:\fR
> .PP
> \fB\-a\fR, \fB\-\-handle\fR
> .RS 4
> Show object handles in output\&.
> .RE
> .PP
> \fB\-s\fR, \fB\-\-stateless\fR
> .RS 4
> Omit stateful information of rules and stateful objects\&.
> .RE
> .PP
> \fB\-t\fR, \fB\-\-terse\fR
> .RS 4
> Omit contents of sets from output\&.
> .RE
> .PP
> \fB\-S\fR, \fB\-\-service\fR
> .RS 4
> Translate ports to service names as defined by /etc/services\&.
> .RE
> .PP
> \fB\-N\fR, \fB\-\-reversedns\fR
> .RS 4
> Translate IP address to names via reverse DNS lookup\&. This may slow down your listing since it generates network traffic\&.
> .RE
> .PP
> \fB\-u\fR, \fB\-\-guid\fR
> .RS 4
> Translate numeric UID/GID to names as defined by /etc/passwd and /etc/group\&.
> .RE
> .PP
> \fB\-n\fR, \fB\-\-numeric\fR
> .RS 4
> Print fully numerical output\&.
> .RE
> .PP
> \fB\-y\fR, \fB\-\-numeric\-priority\fR
> .RS 4
> Display base chain priority numerically\&.
> .RE
> .PP
> \fB\-p\fR, \fB\-\-numeric\-protocol\fR
> .RS 4
> Display layer 4 protocol numerically\&.
> .RE
> .PP
> \fB\-T\fR, \fB\-\-numeric\-time\fR
> .RS 4
> Show time, day and hour values in numeric format\&.
> .RE
> .PP
> \fBCommand output formatting:\fR
> .PP
> \fB\-e\fR, \fB\-\-echo\fR
> .RS 4
> When inserting items into the ruleset using
> \fBadd\fR,
> \fBinsert\fR
> or
> \fBreplace\fR
> commands, print notifications just like
> \fBnft monitor\fR\&.
> .RE
> .PP
> \fB\-j\fR, \fB\-\-json\fR
> .RS 4
> Format output in JSON\&. See libnftables\-json(5) for a schema description\&.
> .RE
> .PP
> \fB\-d\fR, \fB\-\-debug\fR \fIlevel\fR
> .RS 4
> Enable debugging output\&. The debug level can be any of
> \fBscanner\fR,
> \fBparser\fR,
> \fBeval\fR,
> \fBnetlink\fR,
> \fBmnl\fR,
> \fBproto\-ctx\fR,
> \fBsegtree\fR,
> \fBall\fR\&. You can combine more than one by separating by the
> \fI,\fR
> symbol, for example
> \fI\-d eval,mnl\fR\&.
> .RE
> .SH "INPUT FILE FORMATS"
> .SS "LEXICAL CONVENTIONS"
> .sp
> Input is parsed line\-wise\&. When the last character of a line, just before the newline character, is a non\-quoted backslash (\e), the next line is treated as a continuation\&. Multiple commands on the same line can be separated using a semicolon (;)\&.
> .sp
> A hash sign (#) begins a comment\&. All following characters on the same line are ignored\&.
> .sp
> Identifiers begin with an alphabetic character (a\-z,A\-Z), followed zero or more alphanumeric characters (a\-z,A\-Z,0\-9) and the characters slash (/), backslash (\e), underscore (_) and dot (\&.)\&. Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes (")\&.
> .SS "INCLUDE FILES"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBinclude\fR \fIfilename\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Other files can be included by using the \fBinclude\fR statement\&. The directories to be searched for include files can be specified using the \fB\-I\fR/\fB\-\-includepath\fR option\&. You can override this behaviour either by prepending \(oq\&./\(cq to your path to force inclusion of files located in the current working directory (i\&.e\&. relative path) or / for file location expressed as an absolute path\&.
> .sp
> If \fB\-I\fR/\fB\-\-includepath\fR is not specified, then nft relies on the default directory that is specified at compile time\&. You can retrieve this default directory via \fB\-h\fR/\fB\-\-help\fR option\&.
> .sp
> Include statements support the usual shell wildcard symbols (\e*,?,[])\&. Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement\&. This allows having potentially empty include directories for statements like \fBinclude "/etc/firewall/rules/"\fR\&. The wildcard matches are loaded in alphabetical order\&. Files beginning with dot (\&.) are not matched by include statements\&.
> .SS "SYMBOLIC VARIABLES"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBdefine\fR \fIvariable\fR \fB=\fR \fIexpr\fR
> \fB$variable\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Symbolic variables can be defined using the \fBdefine\fR statement\&. Variable references are expressions and can be used initialize other variables\&. The scope of a definition is the current block and all blocks contained within\&.
> .PP
> \fBUsing symbolic variables\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> define int_if1 = eth0
> define int_if2 = eth1
> define int_ifs = { $int_if1, $int_if2 }
>
> filter input iif $int_ifs accept
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "ADDRESS FAMILIES"
> .sp
> Address families determine the type of packets which are processed\&. For each address family, the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBip\fR
> T}:T{
> .sp
> IPv4 address family\&.
> T}
> T{
> .sp
> \fBip6\fR
> T}:T{
> .sp
> IPv6 address family\&.
> T}
> T{
> .sp
> \fBinet\fR
> T}:T{
> .sp
> Internet (IPv4/IPv6) address family\&.
> T}
> T{
> .sp
> \fBarp\fR
> T}:T{
> .sp
> ARP address family, handling IPv4 ARP packets\&.
> T}
> T{
> .sp
> \fBbridge\fR
> T}:T{
> .sp
> Bridge address family, handling packets which traverse a bridge device\&.
> T}
> T{
> .sp
> \fBnetdev\fR
> T}:T{
> .sp
> Netdev address family, handling packets from ingress\&.
> T}
> .TE
> .sp 1
> .sp
> All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family\&. If an identifier is specified without an address family, the \fBip\fR family is used by default\&.
> .SS "IPV4/IPV6/INET ADDRESS FAMILIES"
> .sp
> The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets\&. They contain five hooks at different packet processing stages in the network stack\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&1.\ \&IPv4/IPv6/Inet address family hooks
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Hook
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> prerouting
> T}:T{
> .sp
> All packets entering the system are processed by the prerouting hook\&. It is invoked before the routing process and is used for early filtering or changing packet attributes that affect routing\&.
> T}
> T{
> .sp
> input
> T}:T{
> .sp
> Packets delivered to the local system are processed by the input hook\&.
> T}
> T{
> .sp
> forward
> T}:T{
> .sp
> Packets forwarded to a different host are processed by the forward hook\&.
> T}
> T{
> .sp
> output
> T}:T{
> .sp
> Packets sent by local processes are processed by the output hook\&.
> T}
> T{
> .sp
> postrouting
> T}:T{
> .sp
> All packets leaving the system are processed by the postrouting hook\&.
> T}
> T{
> .sp
> ingress
> T}:T{
> .sp
> All packets entering the system are processed by this hook\&. It is invoked before layer 3 protocol handlers, hence before the prerouting hook, and it can be used for filtering and policing\&. Ingress is only available for Inet family (since Linux kernel 5\&.10)\&.
> T}
> .TE
> .sp 1
> .SS "ARP ADDRESS FAMILY"
> .sp
> The ARP address family handles ARP packets received and sent by the system\&. It is commonly used to mangle ARP packets for clustering\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&2.\ \&ARP address family hooks
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Hook
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt.
> T{
> .sp
> input
> T}:T{
> .sp
> Packets delivered to the local system are processed by the input hook\&.
> T}
> T{
> .sp
> output
> T}:T{
> .sp
> Packets send by the local system are processed by the output hook\&.
> T}
> .TE
> .sp 1
> .SS "BRIDGE ADDRESS FAMILY"
> .sp
> The bridge address family handles Ethernet packets traversing bridge devices\&.
> .sp
> The list of supported hooks is identical to IPv4/IPv6/Inet address families above\&.
> .SS "NETDEV ADDRESS FAMILY"
> .sp
> The Netdev address family handles packets from the device ingress path\&. This family allows you to filter packets of any ethertype such as ARP, VLAN 802\&.1q, VLAN 802\&.1ad (Q\-in\-Q) as well as IPv4 and IPv6 packets\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&3.\ \&Netdev address family hooks
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Hook
> T}:T{
> Description
> T}
> .T&
> lt lt.
> T{
> .sp
> ingress
> T}:T{
> .sp
> All packets entering the system are processed by this hook\&. It is invoked after the network taps (ie\&. \fBtcpdump\fR), right after \fBtc\fR ingress and before layer 3 protocol handlers, it can be used for early filtering and policing\&.
> T}
> .TE
> .sp 1
> .SH "RULESET"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBlist\fR | \fBflush\fR} \fBruleset\fR [\fIfamily\fR]
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The \fBruleset\fR keyword is used to identify the whole set of tables, chains, etc\&. currently in place in kernel\&. The following \fBruleset\fR commands exist:
> .TS
> tab(:);
> lt lt
> lt lt.
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> Print the ruleset in human\-readable format\&.
> T}
> T{
> .sp
> \fBflush\fR
> T}:T{
> .sp
> Clear the whole ruleset\&. Note that, unlike iptables, this will remove all tables and whatever they contain, effectively leading to an empty ruleset \- no packet filtering will happen anymore, so the kernel accepts any valid packet it receives\&.
> T}
> .TE
> .sp 1
> .sp
> It is possible to limit \fBlist\fR and \fBflush\fR to a specific address family only\&. For a list of valid family names, see the section called \(lqADDRESS FAMILIES\(rq above\&.
> .sp
> By design, \fBlist ruleset\fR command output may be used as input to \fBnft \-f\fR\&. Effectively, this is the nft\-equivalent of \fBiptables\-save\fR and \fBiptables\-restore\fR\&.
> .SH "TABLES"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBcreate\fR} \fBtable\fR [\fIfamily\fR] \fItable\fR [\fB{ flags\fR \fIflags\fR \fB; }\fR]
> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBtable\fR [\fIfamily\fR] \fItable\fR
> \fBlist tables\fR [\fIfamily\fR]
> \fBdelete table\fR [\fIfamily\fR] \fBhandle\fR \fIhandle\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Tables are containers for chains, sets and stateful objects\&. They are identified by their address family and their name\&. The address family must be one of \fBip\fR, \fBip6\fR, \fBinet\fR, \fBarp\fR, \fBbridge\fR, \fBnetdev\fR\&. The \fBinet\fR address family is a dummy family which is used to create hybrid IPv4/IPv6 tables\&. The \fBmeta expression nfproto\fR keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in\&. When no address family is specified, \fBip\fR is used by default\&. The only difference between add and create is that the former will not return an error if the specified table already exists while \fBcreate\fR will return an error\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&4.\ \&Table flags
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Flag
> T}:T{
> Description
> T}
> .T&
> lt lt.
> T{
> .sp
> dormant
> T}:T{
> .sp
> table is not evaluated any more (base chains are unregistered)\&.
> T}
> .TE
> .sp 1
> .PP
> \fBAdd, change, delete a table\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # start nft in interactive mode
> nft \-\-interactive
>
> # create a new table\&.
> create table inet mytable
>
> # add a new base chain: get input packets
> add chain inet mytable myin { type filter hook input priority 0; }
>
> # add a single counter to the chain
> add rule inet mytable myin counter
>
> # disable the table temporarily \-\- rules are not evaluated anymore
> add table inet mytable { flags dormant; }
>
> # make table active again:
> add table inet mytable
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new table for the given family with the given name\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified table\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> List all chains and rules of the specified table\&.
> T}
> T{
> .sp
> \fBflush\fR
> T}:T{
> .sp
> Flush all chains and rules of the specified table\&.
> T}
> .TE
> .sp 1
> .SH "CHAINS"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBcreate\fR} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [\fB{ type\fR \fItype\fR \fBhook\fR \fIhook\fR [\fBdevice\fR \fIdevice\fR] \fBpriority\fR \fIpriority\fR \fB;\fR [\fBpolicy\fR \fIpolicy\fR \fB;\fR] \fB}\fR]
> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR
> \fBlist chains\fR [\fIfamily\fR]
> \fBdelete chain\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
> \fBrename chain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fInewname\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Chains are containers for rules\&. They exist in two kinds, base chains and regular chains\&. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new chain in the specified table\&. When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack\&.
> T}
> T{
> .sp
> \fBcreate\fR
> T}:T{
> .sp
> Similar to the \fBadd\fR command, but returns an error if the chain already exists\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified chain\&. The chain must not contain any rules or be used as jump target\&.
> T}
> T{
> .sp
> \fBrename\fR
> T}:T{
> .sp
> Rename the specified chain\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> List all rules of the specified chain\&.
> T}
> T{
> .sp
> \fBflush\fR
> T}:T{
> .sp
> Flush all rules of the specified chain\&.
> T}
> .TE
> .sp 1
> .sp
> For base chains, \fBtype\fR, \fBhook\fR and \fBpriority\fR parameters are mandatory\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&5.\ \&Supported chain types
> .TS
> allbox tab(:);
> ltB ltB ltB ltB.
> T{
> Type
> T}:T{
> Families
> T}:T{
> Hooks
> T}:T{
> Description
> T}
> .T&
> lt lt lt lt
> lt lt lt lt
> lt lt lt lt.
> T{
> .sp
> filter
> T}:T{
> .sp
> all
> T}:T{
> .sp
> all
> T}:T{
> .sp
> Standard chain type to use in doubt\&.
> T}
> T{
> .sp
> nat
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> prerouting, input, output, postrouting
> T}:T{
> .sp
> Chains of this type perform Native Address Translation based on conntrack entries\&. Only the first packet of a connection actually traverses this chain \- its rules usually define details of the created conntrack entry (NAT statements for instance)\&.
> T}
> T{
> .sp
> route
> T}:T{
> .sp
> ip, ip6
> T}:T{
> .sp
> output
> T}:T{
> .sp
> If a packet has traversed a chain of this type and is about to be accepted, a new route lookup is performed if relevant parts of the IP header have changed\&. This allows to e\&.g\&. implement policy routing selectors in nftables\&.
> T}
> .TE
> .sp 1
> .sp
> Apart from the special cases illustrated above (e\&.g\&. \fBnat\fR type not supporting \fBforward\fR hook or \fBroute\fR type only supporting \fBoutput\fR hook), there are three further quirks worth noticing:
> .sp
> .RS 4
> .ie n \{\
> \h'-04'\(bu\h'+03'\c
> .\}
> .el \{\
> .sp -1
> .IP \(bu 2.3
> .\}
> The netdev family supports merely a single combination, namely
> \fBfilter\fR
> type and
> \fBingress\fR
> hook\&. Base chains in this family also require the
> \fBdevice\fR
> parameter to be present since they exist per incoming interface only\&.
> .RE
> .sp
> .RS 4
> .ie n \{\
> \h'-04'\(bu\h'+03'\c
> .\}
> .el \{\
> .sp -1
> .IP \(bu 2.3
> .\}
> The arp family supports only the
> \fBinput\fR
> and
> \fBoutput\fR
> hooks, both in chains of type
> \fBfilter\fR\&.
> .RE
> .sp
> .RS 4
> .ie n \{\
> \h'-04'\(bu\h'+03'\c
> .\}
> .el \{\
> .sp -1
> .IP \(bu 2.3
> .\}
> The inet family also supports the
> \fBingress\fR
> hook (since Linux kernel 5\&.10), to filter IPv4 and IPv6 packet at the same location as the netdev
> \fBingress\fR
> hook\&. This inet hook allows you to share sets and maps between the usual
> \fBprerouting\fR,
> \fBinput\fR,
> \fBforward\fR,
> \fBoutput\fR,
> \fBpostrouting\fR
> and this
> \fBingress\fR
> hook\&.
> .RE
> .sp
> The \fBpriority\fR parameter accepts a signed integer value or a standard priority name which specifies the order in which chains with same \fBhook\fR value are traversed\&. The ordering is ascending, i\&.e\&. lower priority values have precedence over higher ones\&.
> .sp
> Standard priority values can be replaced with easily memorizable names\&. Not all names make sense in every family with every hook (see the compatibility matrices below) but their numerical value can still be used for prioritizing chains\&.
> .sp
> These names and values are defined and made available based on what priorities are used by xtables when registering their default chains\&.
> .sp
> Most of the families use the same values, but bridge uses different ones from the others\&. See the following tables that describe the values and compatibility\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&6.\ \&Standard priority names, family and hook compatibility matrix
> .TS
> allbox tab(:);
> ltB ltB ltB ltB.
> T{
> Name
> T}:T{
> Value
> T}:T{
> Families
> T}:T{
> Hooks
> T}
> .T&
> lt lt lt lt
> lt lt lt lt
> lt lt lt lt
> lt lt lt lt
> lt lt lt lt
> lt lt lt lt.
> T{
> .sp
> raw
> T}:T{
> .sp
> \-300
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> all
> T}
> T{
> .sp
> mangle
> T}:T{
> .sp
> \-150
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> all
> T}
> T{
> .sp
> dstnat
> T}:T{
> .sp
> \-100
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> prerouting
> T}
> T{
> .sp
> filter
> T}:T{
> .sp
> 0
> T}:T{
> .sp
> ip, ip6, inet, arp, netdev
> T}:T{
> .sp
> all
> T}
> T{
> .sp
> security
> T}:T{
> .sp
> 50
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> all
> T}
> T{
> .sp
> srcnat
> T}:T{
> .sp
> 100
> T}:T{
> .sp
> ip, ip6, inet
> T}:T{
> .sp
> postrouting
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&7.\ \&Standard priority names and hook compatibility for the bridge family
> .TS
> allbox tab(:);
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> Name
> T}:T{
> .sp
> Value
> T}:T{
> .sp
> Hooks
> T}
> T{
> .sp
> dstnat
> T}:T{
> .sp
> \-300
> T}:T{
> .sp
> prerouting
> T}
> T{
> .sp
> filter
> T}:T{
> .sp
> \-200
> T}:T{
> .sp
> all
> T}
> T{
> .sp
> out
> T}:T{
> .sp
> 100
> T}:T{
> .sp
> output
> T}
> T{
> .sp
> srcnat
> T}:T{
> .sp
> 300
> T}:T{
> .sp
> postrouting
> T}
> .TE
> .sp 1
> .sp
> Basic arithmetic expressions (addition and subtraction) can also be achieved with these standard names to ease relative prioritizing, e\&.g\&. \fBmangle \- 5\fR stands for \fB\-155\fR\&. Values will also be printed like this until the value is not further than 10 form the standard value\&.
> .sp
> Base chains also allow to set the chain\(cqs \fBpolicy\fR, i\&.e\&. what happens to packets not explicitly accepted or refused in contained rules\&. Supported policy values are \fBaccept\fR (which is the default) or \fBdrop\fR\&.
> .SH "RULES"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBinsert\fR} \fBrule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [\fBhandle\fR \fIhandle\fR | \fBindex\fR \fIindex\fR] \fIstatement\fR \&... [\fBcomment\fR \fIcomment\fR]
> \fBreplace rule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fBhandle\fR \fIhandle\fR \fIstatement\fR \&... [\fBcomment\fR \fIcomment\fR]
> \fBdelete rule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fBhandle\fR \fIhandle\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Rules are added to chains in the given table\&. If the family is not specified, the ip family is used\&. Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements\&.
> .sp
> The add and insert commands support an optional location specifier, which is either a \fIhandle\fR or the \fIindex\fR (starting at zero) of an existing rule\&. Internally, rule locations are always identified by \fIhandle\fR and the translation from \fIindex\fR happens in userspace\&. This has two potential implications in case a concurrent ruleset change happens after the translation was done: The effective rule index might change if a rule was inserted or deleted before the referred one\&. If the referred rule was deleted, the command is rejected by the kernel just as if an invalid \fIhandle\fR was given\&.
> .sp
> A \fIcomment\fR is a single word or a double\-quoted (") multi\-word string which can be used to make notes regarding the actual rule\&. \fBNote:\fR If you use bash for adding rules, you have to escape the quotation marks, e\&.g\&. \e"enable ssh for servers\e"\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new rule described by the list of statements\&. The rule is appended to the given chain unless a location is specified, in which case the rule is inserted after the specified rule\&.
> T}
> T{
> .sp
> \fBinsert\fR
> T}:T{
> .sp
> Same as \fBadd\fR except the rule is inserted at the beginning of the chain or before the specified rule\&.
> T}
> T{
> .sp
> \fBreplace\fR
> T}:T{
> .sp
> Similar to \fBadd\fR, but the rule replaces the specified rule\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified rule\&.
> T}
> .TE
> .sp 1
> .PP
> \fBadd a rule to ip table output chain\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> nft add rule filter output ip daddr 192\&.168\&.0\&.0/24 accept # \*(Aqip filter\*(Aq is assumed
> # same command, slightly more verbose
> nft add rule ip filter output ip daddr 192\&.168\&.0\&.0/24 accept
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBdelete rule from inet table\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # nft \-a list ruleset
> table inet filter {
> chain input {
> type filter hook input priority 0; policy accept;
> ct state established,related accept # handle 4
> ip saddr 10\&.1\&.1\&.1 tcp dport ssh accept # handle 5
> \&.\&.\&.
> # delete the rule with handle 5
> # nft delete rule inet filter input handle 5
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "SETS"
> .sp
> nftables offers two kinds of set concepts\&. Anonymous sets are sets that have no specific name\&. The set members are enclosed in curly braces, with commas to separate elements when creating the rule the set is used in\&. Once that rule is removed, the set is removed as well\&. They cannot be updated, i\&.e\&. once an anonymous set is declared it cannot be changed anymore except by removing/altering the rule that uses the anonymous set\&.
> .PP
> \fBUsing anonymous sets to accept particular subnets and ports\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> nft add rule filter input ip saddr { 10\&.0\&.0\&.0/8, 192\&.168\&.0\&.0/16 } tcp dport { 22, 443 } accept
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Named sets are sets that need to be defined first before they can be referenced in rules\&. Unlike anonymous sets, elements can be added to or removed from a named set at any time\&. Sets are referenced from rules using an @ prefixed to the sets name\&.
> .PP
> \fBUsing named sets to accept addresses and ports\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The sets allowed_hosts and allowed_ports need to be created first\&. The next section describes nft set syntax in more detail\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBadd set\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{ type\fR \fItype\fR | \fBtypeof\fR \fIexpression\fR \fB;\fR [\fBflags\fR \fIflags\fR \fB;\fR] [\fBtimeout\fR \fItimeout\fR \fB;\fR] [\fBgc\-interval\fR \fIgc\-interval\fR \fB;\fR] [\fBelements = {\fR \fIelement\fR[\fB,\fR \&...] \fB} ;\fR] [\fBsize\fR \fIsize\fR \fB;\fR] [\fBpolicy\fR \fIpolicy\fR \fB;\fR] [\fBauto\-merge ;\fR] \fB}\fR
> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBset\fR [\fIfamily\fR] \fItable\fR \fIset\fR
> \fBlist sets\fR [\fIfamily\fR]
> \fBdelete set\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
> {\fBadd\fR | \fBdelete\fR} \fBelement\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{\fR \fIelement\fR[\fB,\fR \&...] \fB}\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Sets are element containers of a user\-defined data type, they are uniquely identified by a user\-defined name and attached to tables\&. Their behaviour can be tuned with the flags that can be specified at set creation time\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new set in the specified table\&. See the Set specification table below for more information about how to specify a sets properties\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified set\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> Display the elements in the specified set\&.
> T}
> T{
> .sp
> \fBflush\fR
> T}:T{
> .sp
> Remove all elements from the specified set\&.
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&8.\ \&Set specifications
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> type
> T}:T{
> .sp
> data type of set elements
> T}:T{
> .sp
> string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark
> T}
> T{
> .sp
> typeof
> T}:T{
> .sp
> data type of set element
> T}:T{
> .sp
> expression to derive the data type from
> T}
> T{
> .sp
> flags
> T}:T{
> .sp
> set flags
> T}:T{
> .sp
> string: constant, dynamic, interval, timeout
> T}
> T{
> .sp
> timeout
> T}:T{
> .sp
> time an element stays in the set, mandatory if set is added to from the packet path (ruleset)\&.
> T}:T{
> .sp
> string, decimal followed by unit\&. Units are: d, h, m, s
> T}
> T{
> .sp
> gc\-interval
> T}:T{
> .sp
> garbage collection interval, only available when timeout or flag timeout are active
> T}:T{
> .sp
> string, decimal followed by unit\&. Units are: d, h, m, s
> T}
> T{
> .sp
> elements
> T}:T{
> .sp
> elements contained by the set
> T}:T{
> .sp
> set data type
> T}
> T{
> .sp
> size
> T}:T{
> .sp
> maximum number of elements in the set, mandatory if set is added to from the packet path (ruleset)\&.
> T}:T{
> .sp
> unsigned integer (64 bit)
> T}
> T{
> .sp
> policy
> T}:T{
> .sp
> set policy
> T}:T{
> .sp
> string: performance [default], memory
> T}
> T{
> .sp
> auto\-merge
> T}:T{
> .sp
> automatic merge of adjacent/overlapping set elements (only for interval sets)
> T}:T{
> .sp
> T}
> .TE
> .sp 1
> .SH "MAPS"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBadd map\fR [\fIfamily\fR] \fItable\fR \fImap\fR \fB{ type\fR \fItype\fR | \fBtypeof\fR \fIexpression\fR [\fBflags\fR \fIflags\fR \fB;\fR] [\fBelements = {\fR \fIelement\fR[\fB,\fR \&...] \fB} ;\fR] [\fBsize\fR \fIsize\fR \fB;\fR] [\fBpolicy\fR \fIpolicy\fR \fB;\fR] \fB}\fR
> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBmap\fR [\fIfamily\fR] \fItable\fR \fImap\fR
> \fBlist maps\fR [\fIfamily\fR]
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Maps store data based on some specific key used as input\&. They are uniquely identified by a user\-defined name and attached to tables\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new map in the specified table\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified map\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> Display the elements in the specified map\&.
> T}
> T{
> .sp
> \fBflush\fR
> T}:T{
> .sp
> Remove all elements from the specified map\&.
> T}
> T{
> .sp
> \fBadd element\fR
> T}:T{
> .sp
> Comma\-separated list of elements to add into the specified map\&.
> T}
> T{
> .sp
> \fBdelete element\fR
> T}:T{
> .sp
> Comma\-separated list of element keys to delete from the specified map\&.
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&9.\ \&Map specifications
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> type
> T}:T{
> .sp
> data type of map elements
> T}:T{
> .sp
> string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark, counter, quota\&. Counter and quota can\(cqt be used as keys
> T}
> T{
> .sp
> typeof
> T}:T{
> .sp
> data type of set element
> T}:T{
> .sp
> expression to derive the data type from
> T}
> T{
> .sp
> flags
> T}:T{
> .sp
> map flags
> T}:T{
> .sp
> string: constant, interval
> T}
> T{
> .sp
> elements
> T}:T{
> .sp
> elements contained by the map
> T}:T{
> .sp
> map data type
> T}
> T{
> .sp
> size
> T}:T{
> .sp
> maximum number of elements in the map
> T}:T{
> .sp
> unsigned integer (64 bit)
> T}
> T{
> .sp
> policy
> T}:T{
> .sp
> map policy
> T}:T{
> .sp
> string: performance [default], memory
> T}
> .TE
> .sp 1
> .SH "ELEMENTS"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBcreate\fR | \fBdelete\fR | \fBget\fR } \fBelement\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{\fR \fIELEMENT\fR[\fB,\fR \&...] \fB}\fR
>
> \fIELEMENT\fR := \fIkey_expression\fR \fIOPTIONS\fR [\fB:\fR \fIvalue_expression\fR]
> \fIOPTIONS\fR := [\fBtimeout\fR \fITIMESPEC\fR] [\fBexpires\fR \fITIMESPEC\fR] [\fBcomment\fR \fIstring\fR]
> \fITIMESPEC\fR := [\fInum\fR\fBd\fR][\fInum\fR\fBh\fR][\fInum\fR\fBm\fR][\fInum\fR[\fBs\fR]]
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Element\-related commands allow to change contents of named sets and maps\&. \fIkey_expression\fR is typically a value matching the set type\&. \fIvalue_expression\fR is not allowed in sets but mandatory when adding to maps, where it matches the data part in it\(cqs type definition\&. When deleting from maps, it may be specified but is optional as \fIkey_expression\fR uniquely identifies the element\&.
> .sp
> \fBcreate\fR command is similar to \fBadd\fR with the exception that none of the listed elements may already exist\&.
> .sp
> \fBget\fR command is useful to check if an element is contained in a set which may be non\-trivial in very large and/or interval sets\&. In the latter case, the containing interval is returned instead of just the element itself\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&10.\ \&Element options
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Option
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> timeout
> T}:T{
> .sp
> timeout value for sets/maps with flag \fBtimeout\fR
> T}
> T{
> .sp
> expires
> T}:T{
> .sp
> the time until given element expires, useful for ruleset replication only
> T}
> T{
> .sp
> comment
> T}:T{
> .sp
> per element comment field
> T}
> .TE
> .sp 1
> .SH "FLOWTABLES"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBcreate\fR} \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fIflowtable\fR \fB{ hook\fR \fIhook\fR \fBpriority\fR \fIpriority\fR \fB; devices = {\fR \fIdevice\fR[\fB,\fR \&...] \fB} ; }\fR
> \fBlist flowtables\fR [\fIfamily\fR]
> {\fBdelete\fR | \fBlist\fR} \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fIflowtable\fR
> \fBdelete\fR \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Flowtables allow you to accelerate packet forwarding in software\&. Flowtables entries are represented through a tuple that is composed of the input interface, source and destination address, source and destination port; and layer 3/4 protocols\&. Each entry also caches the destination interface and the gateway address \- to update the destination link\-layer address \- to forward packets\&. The ttl and hoplimit fields are also decremented\&. Hence, flowtables provides an alternative path that allow packets to bypass the classic forwarding path\&. Flowtables reside in the ingress hook that is located before the prerouting hook\&. You can select which flows you want to offload through the flow expression from the forward chain\&. Flowtables are identified by their address family and their name\&. The address family must be one of ip, ip6, or inet\&. The inet address family is a dummy family which is used to create hybrid IPv4/IPv6 tables\&. When no address family is specified, ip is used by default\&.
> .sp
> The \fBpriority\fR can be a signed integer or \fBfilter\fR which stands for 0\&. Addition and subtraction can be used to set relative priority, e\&.g\&. filter + 5 equals to 5\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new flowtable for the given family with the given name\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified flowtable\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> List all flowtables\&.
> T}
> .TE
> .sp 1
> .SH "STATEFUL OBJECTS"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBdelete\fR | \fBlist\fR | \fBreset\fR} \fItype\fR [\fIfamily\fR] \fItable\fR \fIobject\fR
> \fBdelete\fR \fItype\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
> \fBlist counters\fR [\fIfamily\fR]
> \fBlist quotas\fR [\fIfamily\fR]
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Stateful objects are attached to tables and are identified by an unique name\&. They group stateful information from rules, to reference them in rules the keywords "type name" are used e\&.g\&. "counter name"\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBadd\fR
> T}:T{
> .sp
> Add a new stateful object in the specified table\&.
> T}
> T{
> .sp
> \fBdelete\fR
> T}:T{
> .sp
> Delete the specified object\&.
> T}
> T{
> .sp
> \fBlist\fR
> T}:T{
> .sp
> Display stateful information the object holds\&.
> T}
> T{
> .sp
> \fBreset\fR
> T}:T{
> .sp
> List\-and\-reset stateful object\&.
> T} > .TE > .sp 1 > .SS "CT HELPER" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBct helper\fR \fIhelper\fR \fB{ type\fR \fItype\fR \fBprotocol\fR \fIpr= otocol\fR \fB;\fR [\fBl3proto\fR \fIfamily\fR \fB;\fR] \fB}\fR > .fi > .if n \{\ > .RE > .\} > .sp > Ct helper is used to define connection tracking helpers that can then be = used in combination with the \fBct helper set\fR statement\&. \fItype\fR an= d \fIprotocol\fR are mandatory, l3proto is derived from the table family by= default, i\&.e\&. in the inet table the kernel will try to load both the i= pv4 and ipv6 helper backends, if they are supported by the kernel\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&11.\ \&conntrack helper specifications > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > type > T}:T{ > .sp > name of helper type > T}:T{ > .sp > quoted string (e\&.g\&. "ftp") > T} > T{ > .sp > protocol > T}:T{ > .sp > layer 4 protocol of the helper > T}:T{ > .sp > string (e\&.g\&. ip) > T} > T{ > .sp > l3proto > T}:T{ > .sp > layer 3 protocol of the helper > T}:T{ > .sp > address family (e\&.g\&. ip) > T} > .TE > .sp 1 > .PP > \fBdefining and assigning ftp helper\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > Unlike iptables, helper assignment needs to be performed after the conntr= ack > lookup has completed, for example with the default 0 hook priority\&. >=20 > table inet myhelpers { > ct helper ftp\-standard { > type "ftp" protocol tcp > } > chain prerouting { > type filter hook prerouting priority 0; > tcp dport 21 ct helper set "ftp\-standard" > } > } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "CT TIMEOUT" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBct timeout\fR \fIname\fR \fB{ protocol\fR \fIprotocol\fR \fB; policy = =3D {\fR \fIstate\fR\fB:\fR \fIvalue\fR [\fB,\fR \&...] 
\fB} ;\fR [\fBl3pro= to\fR \fIfamily\fR \fB;\fR] \fB}\fR > .fi > .if n \{\ > .RE > .\} > .sp > Ct timeout is used to update connection tracking timeout values\&.Timeout= policies are assigned with the \fBct timeout set\fR statement\&. \fIprotoc= ol\fR and \fIpolicy\fR are mandatory, l3proto is derived from the table fam= ily by default\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&12.\ \&conntrack timeout specifications > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > protocol > T}:T{ > .sp > layer 4 protocol of the timeout object > T}:T{ > .sp > string (e\&.g\&. ip) > T} > T{ > .sp > state > T}:T{ > .sp > connection state name > T}:T{ > .sp > string (e\&.g\&. "established") > T} > T{ > .sp > value > T}:T{ > .sp > timeout value for connection state > T}:T{ > .sp > unsigned integer > T} > T{ > .sp > l3proto > T}:T{ > .sp > layer 3 protocol of the timeout object > T}:T{ > .sp > address family (e\&.g\&. 
ip) > T} > .TE > .sp 1 > .PP > \fBdefining and assigning ct timeout policy\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > table ip filter { > ct timeout customtimeout { > protocol tcp; > l3proto ip > policy =3D { established: 120, close: 20 } > } >=20 > chain output { > type filter hook output priority filter; policy accept; > ct timeout set "customtimeout" > } > } > .fi > .if n \{\ > .RE > .\} > .PP > \fBtesting the updated timeout policy\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > % conntrack \-E >=20 > It should display: >=20 > [UPDATE] tcp 6 120 ESTABLISHED src=3D172\&.16\&.19\&.128 dst=3D172\&= =2E16\&.19\&.1 > sport=3D22 dport=3D41360 [UNREPLIED] src=3D172\&.16\&.19\&.1 dst=3D172\&.= 16\&.19\&.128 > sport=3D41360 dport=3D22 > .fi > .if n \{\ > .RE > .\} > .sp > .SS "CT EXPECTATION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBct expectation\fR \fIname\fR \fB{ protocol\fR \fIprotocol\fR \fB; dpor= t\fR \fIdport\fR \fB; timeout\fR \fItimeout\fR \fB; size\fR \fIsize\fR \fB;= [*l3proto\fR \fIfamily\fR \fB;\fR] \fB}\fR > .fi > .if n \{\ > .RE > .\} > .sp > Ct expectation is used to create connection expectations\&. Expectations = are assigned with the \fBct expectation set\fR statement\&. \fIprotocol\fR,= \fIdport\fR, \fItimeout\fR and \fIsize\fR are mandatory, l3proto is derive= d from the table family by default\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&13.\ \&conntrack expectation specifications > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > protocol > T}:T{ > .sp > layer 4 protocol of the expectation object > T}:T{ > .sp > string (e\&.g\&. 
ip) > T} > T{ > .sp > dport > T}:T{ > .sp > destination port of expected connection > T}:T{ > .sp > unsigned integer > T} > T{ > .sp > timeout > T}:T{ > .sp > timeout value for expectation > T}:T{ > .sp > unsigned integer > T} > T{ > .sp > size > T}:T{ > .sp > size value for expectation > T}:T{ > .sp > unsigned integer > T} > T{ > .sp > l3proto > T}:T{ > .sp > layer 3 protocol of the expectation object > T}:T{ > .sp > address family (e\&.g\&. ip) > T} > .TE > .sp 1 > .PP > \fBdefining and assigning ct expectation policy\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > table ip filter { > ct expectation expect { > protocol udp > dport 9876 > timeout 2m > size 8 > l3proto ip > } > > chain input { > type filter hook input priority filter; policy accept; > ct expectation set "expect" > } > } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "COUNTER" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBcounter\fR [\fIpackets bytes\fR] > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&14.\ \&Counter specifications > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt. > T{ > .sp > packets > T}:T{ > .sp > initial count of packets > T}:T{ > .sp > unsigned integer (64 bit) > T} > T{ > .sp > bytes > T}:T{ > .sp > initial count of bytes > T}:T{ > .sp > unsigned integer (64 bit) > T} > .TE > .sp 1 > .SS "QUOTA" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBquota\fR [\fBover\fR | \fBuntil\fR] [\fIused\fR] > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&15.\ \&Quota specifications > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt. > T{ > .sp > quota > T}:T{ > .sp > quota limit, used as the quota name > T}:T{ > .sp > Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes\&.
"over" and "until" go before these arguments > T} > T{ > .sp > used > T}:T{ > .sp > initial value of used quota > T}:T{ > .sp > Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes > T} > .TE > .sp 1 > .SH "EXPRESSIONS" > .sp > Expressions represent values, either constants like network addresses, port numbers, etc\&., or data gathered from the packet during ruleset evaluation\&. Expressions can be combined using binary, logical, relational and other types of expressions to form complex or relational (match) expressions\&. They are also used as arguments to certain types of operations, like NAT, packet marking etc\&. > .sp > Each expression has a data type, which determines the size, parsing and representation of symbolic values and type compatibility with other expressions\&. > .SS "DESCRIBE COMMAND" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBdescribe\fR \fIexpression\fR | \fIdata type\fR > .fi > .if n \{\ > .RE > .\} > .sp > The \fBdescribe\fR command shows information about the type of an expression and its data type\&. A data type may also be given, in which nft will display more information about the type\&. > .PP > \fBThe describe command\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > $ nft describe tcp flags > payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits > > predefined symbolic constants: > fin 0x01 > syn 0x02 > rst 0x04 > psh 0x08 > ack 0x10 > urg 0x20 > ecn 0x40 > cwr 0x80 > .fi > .if n \{\ > .RE > .\} > .sp > .SH "DATA TYPES" > .sp > Data types determine the size, parsing and representation of symbolic values and type compatibility of expressions\&. A number of global data types exist, in addition some expression types define further data types specific to the expression type\&. Most data types have a fixed size, some however may have a dynamic size, f\&.i\&. the string type\&. Some types also have predefined symbolic constants\&.
Those can be listed using the nft \fBdescribe\fR command: > .sp > .if n \{\ > .RS 4 > .\} > .nf > $ nft describe ct_state > datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits > > pre\-defined symbolic constants (in hexadecimal): > invalid 0x00000001 > new \&.\&.\&. > .fi > .if n \{\ > .RE > .\} > .sp > Types may be derived from lower order types, f\&.i\&. the IPv4 address type is derived from the integer type, meaning an IPv4 address can also be specified as an integer value\&. > .sp > In certain contexts (set and map definitions), it is necessary to explicitly specify a data type\&. Each type has a name which is used for this\&. > .SS "INTEGER TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > Integer > T}:T{ > .sp > integer > T}:T{ > .sp > variable > T}:T{ > .sp > \- > T} > .TE > .sp 1 > .sp > The integer type is used for numeric values\&. It may be specified as a decimal, hexadecimal or octal number\&. The integer type does not have a fixed size, its size is determined by the expression for which it is used\&. > .SS "BITMASK TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > Bitmask > T}:T{ > .sp > bitmask > T}:T{ > .sp > variable > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The bitmask type (\fBbitmask\fR) is used for bitmasks\&. > .SS "STRING TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > String > T}:T{ > .sp > string > T}:T{ > .sp > variable > T}:T{ > .sp > \- > T} > .TE > .sp 1 > .sp > The string type is used for character strings\&. A string begins with an alphabetic character (a\-zA\-Z) followed by zero or more alphanumeric characters or the characters /, \-, _ and \&.\&.
In addition, anything enclosed in double quotes (") is recognized as a string\&. > .PP > \fBString specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # Interface name > filter input iifname eth0 > > # Weird interface name > filter input iifname "(eth0)" > .fi > .if n \{\ > .RE > .\} > .sp > .SS "LINK LAYER ADDRESS TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > Link layer address > T}:T{ > .sp > lladdr > T}:T{ > .sp > variable > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The link layer address type is used for link layer addresses\&. Link layer addresses are specified as a variable amount of groups of two hexadecimal digits separated using colons (:)\&. > .PP > \fBLink layer address specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # Ethernet destination MAC address > filter input ether daddr 20:c9:d0:43:12:d9 > .fi > .if n \{\ > .RE > .\} > .sp > .SS "IPV4 ADDRESS TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > IPV4 address > T}:T{ > .sp > ipv4_addr > T}:T{ > .sp > 32 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The IPv4 address type is used for IPv4 addresses\&. Addresses are specified in either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name\&. A host name will be resolved using the standard system resolver\&. > .PP > \fBIPv4 address specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # dotted decimal notation > filter output ip daddr 127\&.0\&.0\&.1 > > # host name > filter output ip daddr localhost > .fi > .if n \{\ > .RE > .\} > .sp > .SS "IPV6 ADDRESS TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt.
> T{ > .sp > IPv6 address > T}:T{ > .sp > ipv6_addr > T}:T{ > .sp > 128 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The IPv6 address type is used for IPv6 addresses\&. Addresses are specified as a host name or as hexadecimal halfwords separated by colons\&. Addresses might be enclosed in square brackets ("[]") to differentiate them from port numbers\&. > .PP > \fBIPv6 address specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # abbreviated loopback address > filter output ip6 daddr ::1 > .fi > .if n \{\ > .RE > .\} > .PP > \fBIPv6 address specification with bracket notation\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # without [] the port number (22) would be parsed as part of the > # ipv6 address > ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22 > .fi > .if n \{\ > .RE > .\} > .sp > .SS "BOOLEAN TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > Boolean > T}:T{ > .sp > boolean > T}:T{ > .sp > 1 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The boolean type is a syntactical helper type in userspace\&. Its use is in the right\-hand side of a (typically implicit) relational expression to change the expression on the left\-hand side into a boolean check (usually for existence)\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&16.\ \&The following keywords will automatically resolve into a boolean type with given value > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt. > T{ > .sp > exists > T}:T{ > .sp > 1 > T} > T{ > .sp > missing > T}:T{ > .sp > 0 > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&17.\ \&expressions support a boolean comparison > .TS > allbox tab(:); > ltB ltB. > T{ > Expression > T}:T{ > Behaviour > T} > .T& > lt lt > lt lt > lt lt.
> T{ > .sp > fib > T}:T{ > .sp > Check route existence\&. > T} > T{ > .sp > exthdr > T}:T{ > .sp > Check IPv6 extension header existence\&. > T} > T{ > .sp > tcp option > T}:T{ > .sp > Check TCP option header existence\&. > T} > .TE > .sp 1 > .PP > \fBBoolean specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # match if route exists > filter input fib daddr \&. iif oif exists > > # match only non\-fragmented packets in IPv6 traffic > filter input exthdr frag missing > > # match if TCP timestamp option is present > filter input tcp option timestamp exists > .fi > .if n \{\ > .RE > .\} > .sp > .SS "ICMP TYPE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > ICMP Type > T}:T{ > .sp > icmp_type > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The ICMP Type type is used to conveniently specify the ICMP header\(cqs type field\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&18.\ \&Keywords may be used when specifying the ICMP type > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt.
> T{ > .sp > echo\-reply > T}:T{ > .sp > 0 > T} > T{ > .sp > destination\-unreachable > T}:T{ > .sp > 3 > T} > T{ > .sp > source\-quench > T}:T{ > .sp > 4 > T} > T{ > .sp > redirect > T}:T{ > .sp > 5 > T} > T{ > .sp > echo\-request > T}:T{ > .sp > 8 > T} > T{ > .sp > router\-advertisement > T}:T{ > .sp > 9 > T} > T{ > .sp > router\-solicitation > T}:T{ > .sp > 10 > T} > T{ > .sp > time\-exceeded > T}:T{ > .sp > 11 > T} > T{ > .sp > parameter\-problem > T}:T{ > .sp > 12 > T} > T{ > .sp > timestamp\-request > T}:T{ > .sp > 13 > T} > T{ > .sp > timestamp\-reply > T}:T{ > .sp > 14 > T} > T{ > .sp > info\-request > T}:T{ > .sp > 15 > T} > T{ > .sp > info\-reply > T}:T{ > .sp > 16 > T} > T{ > .sp > address\-mask\-request > T}:T{ > .sp > 17 > T} > T{ > .sp > address\-mask\-reply > T}:T{ > .sp > 18 > T} > .TE > .sp 1 > .PP > \fBICMP Type specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # match ping packets > filter output icmp type { echo\-request, echo\-reply } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "ICMP CODE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > ICMP Code > T}:T{ > .sp > icmp_code > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The ICMP Code type is used to conveniently specify the ICMP header\(cqs code field\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&19.\ \&Keywords may be used when specifying the ICMP code > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt.
> T{ > .sp > net\-unreachable > T}:T{ > .sp > 0 > T} > T{ > .sp > host\-unreachable > T}:T{ > .sp > 1 > T} > T{ > .sp > prot\-unreachable > T}:T{ > .sp > 2 > T} > T{ > .sp > port\-unreachable > T}:T{ > .sp > 3 > T} > T{ > .sp > frag\-needed > T}:T{ > .sp > 4 > T} > T{ > .sp > net\-prohibited > T}:T{ > .sp > 9 > T} > T{ > .sp > host\-prohibited > T}:T{ > .sp > 10 > T} > T{ > .sp > admin\-prohibited > T}:T{ > .sp > 13 > T} > .TE > .sp 1 > .SS "ICMPV6 TYPE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > ICMPv6 Type > T}:T{ > .sp > icmpx_code > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The ICMPv6 Type type is used to conveniently specify the ICMPv6 header\(cqs type field\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&20.\ \&keywords may be used when specifying the ICMPv6 type: > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt.
> T{ > .sp > destination\-unreachable > T}:T{ > .sp > 1 > T} > T{ > .sp > packet\-too\-big > T}:T{ > .sp > 2 > T} > T{ > .sp > time\-exceeded > T}:T{ > .sp > 3 > T} > T{ > .sp > parameter\-problem > T}:T{ > .sp > 4 > T} > T{ > .sp > echo\-request > T}:T{ > .sp > 128 > T} > T{ > .sp > echo\-reply > T}:T{ > .sp > 129 > T} > T{ > .sp > mld\-listener\-query > T}:T{ > .sp > 130 > T} > T{ > .sp > mld\-listener\-report > T}:T{ > .sp > 131 > T} > T{ > .sp > mld\-listener\-done > T}:T{ > .sp > 132 > T} > T{ > .sp > mld\-listener\-reduction > T}:T{ > .sp > 132 > T} > T{ > .sp > nd\-router\-solicit > T}:T{ > .sp > 133 > T} > T{ > .sp > nd\-router\-advert > T}:T{ > .sp > 134 > T} > T{ > .sp > nd\-neighbor\-solicit > T}:T{ > .sp > 135 > T} > T{ > .sp > nd\-neighbor\-advert > T}:T{ > .sp > 136 > T} > T{ > .sp > nd\-redirect > T}:T{ > .sp > 137 > T} > T{ > .sp > router\-renumbering > T}:T{ > .sp > 138 > T} > T{ > .sp > ind\-neighbor\-solicit > T}:T{ > .sp > 141 > T} > T{ > .sp > ind\-neighbor\-advert > T}:T{ > .sp > 142 > T} > T{ > .sp > mld2\-listener\-report > T}:T{ > .sp > 143 > T} > .TE > .sp 1 > .PP > \fBICMPv6 Type specification\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # match ICMPv6 ping packets > filter output icmpv6 type { echo\-request, echo\-reply } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "ICMPV6 CODE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > ICMPv6 Code > T}:T{ > .sp > icmpv6_code > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The ICMPv6 Code type is used to conveniently specify the ICMPv6 header\(cqs code field\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&21.\ \&keywords may be used when specifying the ICMPv6 code > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt.
> T{ > .sp > no\-route > T}:T{ > .sp > 0 > T} > T{ > .sp > admin\-prohibited > T}:T{ > .sp > 1 > T} > T{ > .sp > addr\-unreachable > T}:T{ > .sp > 3 > T} > T{ > .sp > port\-unreachable > T}:T{ > .sp > 4 > T} > T{ > .sp > policy\-fail > T}:T{ > .sp > 5 > T} > T{ > .sp > reject\-route > T}:T{ > .sp > 6 > T} > .TE > .sp 1 > .SS "ICMPVX CODE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > ICMPvX Code > T}:T{ > .sp > icmpv6_type > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&22.\ \&keywords may be used when specifying the ICMPvX code > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt. > T{ > .sp > no\-route > T}:T{ > .sp > 0 > T} > T{ > .sp > port\-unreachable > T}:T{ > .sp > 1 > T} > T{ > .sp > host\-unreachable > T}:T{ > .sp > 2 > T} > T{ > .sp > admin\-prohibited > T}:T{ > .sp > 3 > T} > .TE > .sp 1 > .SS "CONNTRACK TYPES" > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&23.\ \&overview of types used in ct expression and statement > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt > lt lt lt lt > lt lt lt lt > lt lt lt lt > lt lt lt lt.
> T{ > .sp > conntrack state > T}:T{ > .sp > ct_state > T}:T{ > .sp > 4 byte > T}:T{ > .sp > bitmask > T} > T{ > .sp > conntrack direction > T}:T{ > .sp > ct_dir > T}:T{ > .sp > 8 bit > T}:T{ > .sp > integer > T} > T{ > .sp > conntrack status > T}:T{ > .sp > ct_status > T}:T{ > .sp > 4 byte > T}:T{ > .sp > bitmask > T} > T{ > .sp > conntrack event bits > T}:T{ > .sp > ct_event > T}:T{ > .sp > 4 byte > T}:T{ > .sp > bitmask > T} > T{ > .sp > conntrack label > T}:T{ > .sp > ct_label > T}:T{ > .sp > 128 bit > T}:T{ > .sp > bitmask > T} > .TE > .sp 1 > .sp > For each of the types above, keywords are available for convenience: > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&24.\ \&conntrack state (ct_state) > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt. > T{ > .sp > invalid > T}:T{ > .sp > 1 > T} > T{ > .sp > established > T}:T{ > .sp > 2 > T} > T{ > .sp > related > T}:T{ > .sp > 4 > T} > T{ > .sp > new > T}:T{ > .sp > 8 > T} > T{ > .sp > untracked > T}:T{ > .sp > 64 > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&25.\ \&conntrack direction (ct_dir) > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt. > T{ > .sp > original > T}:T{ > .sp > 0 > T} > T{ > .sp > reply > T}:T{ > .sp > 1 > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&26.\ \&conntrack status (ct_status) > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt. 
> T{ > .sp > expected > T}:T{ > .sp > 1 > T} > T{ > .sp > seen\-reply > T}:T{ > .sp > 2 > T} > T{ > .sp > assured > T}:T{ > .sp > 4 > T} > T{ > .sp > confirmed > T}:T{ > .sp > 8 > T} > T{ > .sp > snat > T}:T{ > .sp > 16 > T} > T{ > .sp > dnat > T}:T{ > .sp > 32 > T} > T{ > .sp > dying > T}:T{ > .sp > 512 > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&27.\ \&conntrack event bits (ct_event) > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt. > T{ > .sp > new > T}:T{ > .sp > 1 > T} > T{ > .sp > related > T}:T{ > .sp > 2 > T} > T{ > .sp > destroy > T}:T{ > .sp > 4 > T} > T{ > .sp > reply > T}:T{ > .sp > 8 > T} > T{ > .sp > assured > T}:T{ > .sp > 16 > T} > T{ > .sp > protoinfo > T}:T{ > .sp > 32 > T} > T{ > .sp > helper > T}:T{ > .sp > 64 > T} > T{ > .sp > mark > T}:T{ > .sp > 128 > T} > T{ > .sp > seqadj > T}:T{ > .sp > 256 > T} > T{ > .sp > secmark > T}:T{ > .sp > 512 > T} > T{ > .sp > label > T}:T{ > .sp > 1024 > T} > .TE > .sp 1 > .sp > Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel\&.conf\&. > .SS "DCCP PKTTYPE TYPE" > .TS > allbox tab(:); > ltB ltB ltB ltB. > T{ > Name > T}:T{ > Keyword > T}:T{ > Size > T}:T{ > Base type > T} > .T& > lt lt lt lt. > T{ > .sp > DCCP packet type > T}:T{ > .sp > dccp_pkttype > T}:T{ > .sp > 4 bit > T}:T{ > .sp > integer > T} > .TE > .sp 1 > .sp > The DCCP packet type abstracts the different legal values of the respective four bit field in the DCCP header, as stated by RFC4340\&. Note that possible values 10\-15 are considered reserved and therefore not allowed to be used\&. In iptables\*(Aq \fBdccp\fR match, these values are aliased \fIINVALID\fR\&. With nftables, one may simply match on the numeric value range, i\&.e\&. \fB10\-15\fR\&.
> .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&28.\ \&keywords may be used when specifying the DCCP packet type > .TS > allbox tab(:); > ltB ltB. > T{ > Keyword > T}:T{ > Value > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt. > T{ > .sp > request > T}:T{ > .sp > 0 > T} > T{ > .sp > response > T}:T{ > .sp > 1 > T} > T{ > .sp > data > T}:T{ > .sp > 2 > T} > T{ > .sp > ack > T}:T{ > .sp > 3 > T} > T{ > .sp > dataack > T}:T{ > .sp > 4 > T} > T{ > .sp > closereq > T}:T{ > .sp > 5 > T} > T{ > .sp > close > T}:T{ > .sp > 6 > T} > T{ > .sp > reset > T}:T{ > .sp > 7 > T} > T{ > .sp > sync > T}:T{ > .sp > 8 > T} > T{ > .sp > syncack > T}:T{ > .sp > 9 > T} > .TE > .sp 1 > .SH "PRIMARY EXPRESSIONS" > .sp > The lowest order expression is a primary expression, representing either a constant or a single datum from a packet\(cqs payload, meta data or a stateful module\&. > .SS "META EXPRESSIONS" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBmeta\fR {\fBlength\fR | \fBnfproto\fR | \fBl4proto\fR | \fBprotocol\fR | \fBpriority\fR} > [\fBmeta\fR] {\fBmark\fR | \fBiif\fR | \fBiifname\fR | \fBiiftype\fR | \fBoif\fR | \fBoifname\fR | \fBoiftype\fR | \fBskuid\fR | \fBskgid\fR | \fBnftrace\fR | \fBrtclassid\fR | \fBibrname\fR | \fBobrname\fR | \fBpkttype\fR | \fBcpu\fR | \fBiifgroup\fR | \fBoifgroup\fR | \fBcgroup\fR | \fBrandom\fR | \fBipsec\fR | \fBiifkind\fR | \fBoifkind\fR | \fBtime\fR | \fBhour\fR | \fBday\fR } > .fi > .if n \{\ > .RE > .\} > .sp > A meta expression refers to meta data associated with a packet\&. > .sp > There are two types of meta expressions: unqualified and qualified meta expressions\&. Qualified meta expressions require the meta keyword before the meta key, unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions\&.
Meta l4proto is useful to match a particular transport protocol that is part of either an IPv4 or IPv6 packet\&. It will also skip any IPv6 extension headers present in an IPv6 packet\&. > .sp > meta iif, oif, iifname and oifname are used to match the interface a packet arrived on or is about to be sent out on\&. > .sp > iif and oif are used to match on the interface index, whereas iifname and oifname are used to match on the interface name\&. This is not the same \(em assuming the rule > .sp > .if n \{\ > .RS 4 > .\} > .nf > filter input meta iif "foo" > .fi > .if n \{\ > .RE > .\} > .sp > Then this rule can only be added if the interface "foo" exists\&. Also, the rule will continue to match even if the interface "foo" is renamed to "bar"\&. > .sp > This is because internally the interface index is used\&. In case of dynamically created interfaces, such as tun/tap or dialup interfaces (ppp for example), it might be better to use iifname or oifname instead\&. > .sp > In these cases, the name is used so the interface doesn\(cqt have to exist to add such a rule, it will stop matching if the interface gets renamed and it will match again in case interface gets deleted and later a new interface with the same name is created\&. > .sp > Like with iptables, wildcard matching on interface name prefixes is available for \fBiifname\fR and \fBoifname\fR matches by appending an asterisk (*) character\&. Note however that unlike iptables, nftables does not accept interface names consisting of the wildcard character only \- users are supposed to just skip those always matching expressions\&. In order to match on literal asterisk character, one may escape it using backslash (\e)\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&29.\ \&Meta expression types > .TS > allbox tab(:); > ltB ltB ltB.
> T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > length > T}:T{ > .sp > Length of the packet in bytes > T}:T{ > .sp > integer (32\-bit) > T} > T{ > .sp > nfproto > T}:T{ > .sp > real hook protocol family, useful only in inet table > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > l4proto > T}:T{ > .sp > layer 4 protocol, skips ipv6 extension headers > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > protocol > T}:T{ > .sp > EtherType protocol value > T}:T{ > .sp > ether_type > T} > T{ > .sp > priority > T}:T{ > .sp > TC packet priority > T}:T{ > .sp > tc_handle > T} > T{ > .sp > mark > T}:T{ > .sp > Packet mark > T}:T{ > .sp > mark > T} > T{ > .sp > iif > T}:T{ > .sp > Input interface index > T}:T{ > .sp > iface_index > T} > T{ > .sp > iifname > T}:T{ > .sp > Input interface name > T}:T{ > .sp > ifname > T} > T{ > .sp > iiftype > T}:T{ > .sp > Input interface type > T}:T{ > .sp > iface_type > T} > T{ > .sp > oif > T}:T{ > .sp > Output interface index > T}:T{ > .sp > iface_index > T} > T{ > .sp > oifname > T}:T{ > .sp > Output interface name > T}:T{ > .sp > ifname > T} > T{ > .sp > oiftype > T}:T{ > .sp > Output interface hardware type > T}:T{ > .sp > iface_type > T} > T{ > .sp > sdif > T}:T{ > .sp > Slave device input interface index > T}:T{ > .sp > iface_index > T} > T{ > .sp > sdifname > T}:T{ > .sp > Slave device interface name > T}:T{ > .sp > ifname > T} > T{ > .sp > skuid > T}:T{ > .sp > UID associated with originating socket > T}:T{ > .sp > uid > T} > T{ > .sp > skgid > T}:T{ > .sp > GID associated with originating socket > T}:T{ > .sp > gid > T} > T{ > .sp > rtclassid > T}:T{ > .sp > Routing 
realm > T}:T{ > .sp > realm > T} > T{ > .sp > ibrname > T}:T{ > .sp > Input bridge interface name > T}:T{ > .sp > ifname > T} > T{ > .sp > obrname > T}:T{ > .sp > Output bridge interface name > T}:T{ > .sp > ifname > T} > T{ > .sp > pkttype > T}:T{ > .sp > packet type > T}:T{ > .sp > pkt_type > T} > T{ > .sp > cpu > T}:T{ > .sp > cpu number processing the packet > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > iifgroup > T}:T{ > .sp > incoming device group > T}:T{ > .sp > devgroup > T} > T{ > .sp > oifgroup > T}:T{ > .sp > outgoing device group > T}:T{ > .sp > devgroup > T} > T{ > .sp > cgroup > T}:T{ > .sp > control group id > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > random > T}:T{ > .sp > pseudo\-random number > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > ipsec > T}:T{ > .sp > true if packet was ipsec encrypted > T}:T{ > .sp > boolean (1 bit) > T} > T{ > .sp > iifkind > T}:T{ > .sp > Input interface kind > T}:T{ > .sp > T} > T{ > .sp > oifkind > T}:T{ > .sp > Output interface kind > T}:T{ > .sp > T} > T{ > .sp > time > T}:T{ > .sp > Absolute time of packet reception > T}:T{ > .sp > Integer (32 bit) or string > T} > T{ > .sp > day > T}:T{ > .sp > Day of week > T}:T{ > .sp > Integer (8 bit) or string > T} > T{ > .sp > hour > T}:T{ > .sp > Hour of day > T}:T{ > .sp > String > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&30.\ \&Meta expression specific types > .TS > allbox tab(:); > ltB ltB. > T{ > Type > T}:T{ > Description > T} > .T& > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt > lt lt. > T{ > .sp > iface_index > T}:T{ > .sp > Interface index (32 bit number)\&. Can be specified numerically or as nam= e of an existing interface\&. > T} > T{ > .sp > ifname > T}:T{ > .sp > Interface name (16 byte string)\&. Does not have to exist\&. > T} > T{ > .sp > iface_type > T}:T{ > .sp > Interface type (16 bit number)\&. 
> T} > T{ > .sp > uid > T}:T{ > .sp > User ID (32 bit number)\&. Can be specified numerically or as user name\&. > T} > T{ > .sp > gid > T}:T{ > .sp > Group ID (32 bit number)\&. Can be specified numerically or as group name\&. > T} > T{ > .sp > realm > T}:T{ > .sp > Routing Realm (32 bit number)\&. Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms\&. > T} > T{ > .sp > devgroup_type > T}:T{ > .sp > Device group (32 bit number)\&. Can be specified numerically or as symbolic name defined in /etc/iproute2/group\&. > T} > T{ > .sp > pkt_type > T}:T{ > .sp > Packet type: \fBhost\fR (addressed to local host), \fBbroadcast\fR (to all), \fBmulticast\fR (to group), \fBother\fR (addressed to another host)\&. > T} > T{ > .sp > ifkind > T}:T{ > .sp > Interface kind (16 byte string)\&. See TYPES in ip\-link(8) for a list\&. > T} > T{ > .sp > time > T}:T{ > .sp > Either an integer or a date in ISO format\&. For example: "2019\-06\-06 17:00"\&. Hour and seconds are optional and can be omitted if desired\&. If omitted, midnight will be assumed\&. The following three would be equivalent: "2019\-06\-06", "2019\-06\-06 00:00" and "2019\-06\-06 00:00:00"\&. When an integer is given, it is assumed to be a UNIX timestamp\&. > T} > T{ > .sp > day > T}:T{ > .sp > Either a day of week ("Monday", "Tuesday", etc\&.), or an integer between 0 and 6\&. Strings are matched case\-insensitively, and a full match is not expected (e\&.g\&. "Mon" would match "Monday")\&. When an integer is given, 0 is Sunday and 6 is Saturday\&. > T} > T{ > .sp > hour > T}:T{ > .sp > A string representing an hour in 24\-hour format\&. Seconds can optionally be specified\&. For example, 17:00 and 17:00:00 would be equivalent\&.
> T} > .TE > .sp 1 > .PP > \fBUsing meta expressions\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # qualified meta expression > filter output meta oif eth0 > filter forward meta iifkind { "tun", "veth" } > > # unqualified meta expression > filter output oif eth0 > > # incoming packet was subject to ipsec processing > raw prerouting meta ipsec exists accept > .fi > .if n \{\ > .RE > .\} > .sp > .SS "SOCKET EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBsocket\fR {\fBtransparent\fR | \fBmark\fR | \fBwildcard\fR} > .fi > .if n \{\ > .RE > .\} > .sp > Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet\&. It looks for an established or non\-zero bound listening socket (possibly with a non\-local address)\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&31.\ \&Available socket attributes > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Name > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > transparent > T}:T{ > .sp > Value of the IP_TRANSPARENT socket option in the found socket\&. It can be 0 or 1\&. > T}:T{ > .sp > boolean (1 bit) > T} > T{ > .sp > mark > T}:T{ > .sp > Value of the socket mark (SOL_SOCKET, SO_MARK)\&. > T}:T{ > .sp > mark > T} > T{ > .sp > wildcard > T}:T{ > .sp > Indicates whether the socket is wildcard\-bound (e\&.g\&. 0\&.0\&.0\&.0 or ::0)\&. > T}:T{ > .sp > boolean (1 bit) > T} > .TE > .sp 1 > .PP > \fBUsing socket expression\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > # Mark packets that correspond to a transparent socket\&. "socket wildcard 0" > # means that zero\-bound listener sockets are NOT matched (which is usually > # exactly what you want)\&.
> table inet x { > chain y { > type filter hook prerouting priority \-150; policy accept; > socket transparent 1 socket wildcard 0 mark set 0x00000001 accept > } > } >=20 > # Trace packets that corresponds to a socket with a mark value of 15 > table inet x { > chain y { > type filter hook prerouting priority \-150; policy accept; > socket mark 0x0000000f nftrace set 1 > } > } >=20 > # Set packet mark to socket mark > table inet x { > chain y { > type filter hook prerouting priority \-150; policy accept; > tcp dport 8080 mark set socket mark > } > } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "OSF EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBosf\fR [\fBttl\fR {\fBloose\fR | \fBskip\fR}] {\fBname\fR | \fBversion= \fR} > .fi > .if n \{\ > .RE > .\} > .sp > The osf expression does passive operating system fingerprinting\&. This e= xpression compares some data (Window Size, MSS, options and their order, DF= , and others) from packets with the SYN bit set\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&32.\ \&Available osf attributes > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Name > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > ttl > T}:T{ > .sp > Do TTL checks on the packet to determine the operating system\&. > T}:T{ > .sp > string > T} > T{ > .sp > version > T}:T{ > .sp > Do OS version checks on the packet\&. > T}:T{ > .sp > T} > T{ > .sp > name > T}:T{ > .sp > Name of the OS signature to match\&. All signatures can be found at pf\&.= os file\&. Use "unknown" for OS signatures that the expression could not de= tect\&. > T}:T{ > .sp > string > T} > .TE > .sp 1 > .PP > \fBAvailable ttl values\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > If no TTL attribute is passed, make a true IP header and fingerprint TTL = true comparison\&. This generally works for LANs\&. >=20 > * loose: Check if the IP header\*(Aqs TTL is less than the fingerprint on= e\&. 
Works for globally\-routable addresses\&. > * skip: Do not compare the TTL at all\&. > .fi > .if n \{\ > .RE > .\} > .PP > \fBUsing osf expression\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # Accept packets that match the "Linux" OS genre signature without compar= ing TTL\&. > table inet x { > chain y { > type filter hook input priority 0; policy accept; > osf ttl skip name "Linux" > } > } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "FIB EXPRESSIONS" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBfib\fR {\fBsaddr\fR | \fBdaddr\fR | \fBmark\fR | \fBiif\fR | \fBoif\fR= } [\fB\&.\fR \&...] {\fBoif\fR | \fBoifname\fR | \fBtype\fR} > .fi > .if n \{\ > .RE > .\} > .sp > A fib expression queries the fib (forwarding information base) to obtain = information such as the output interface index a particular address would u= se\&. The input is a tuple of elements that is used as input to the fib loo= kup functions\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&33.\ \&fib expression specific types > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > oif > T}:T{ > .sp > Output interface index > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > oifname > T}:T{ > .sp > Output interface name > T}:T{ > .sp > string > T} > T{ > .sp > type > T}:T{ > .sp > Address type > T}:T{ > .sp > fib_addrtype > T} > .TE > .sp 1 > .sp > Use \fBnft\fR \fBdescribe\fR \fBfib_addrtype\fR to get a list of all addr= ess types\&. > .PP > \fBUsing fib expressions\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # drop packets without a reverse path > filter prerouting fib saddr \&. iif oif missing drop >=20 > In this example, \*(Aqsaddr \&. iif\*(Aq looks up routing information bas= ed on the source address and the input interface\&. > oif picks the output interface index from the routing information\&. 
> If no route was found for the source address/input interface combination,= the output interface index is zero\&. > In case the input interface is specified as part of the input key, the ou= tput interface index is always the same as the input interface index or zer= o\&. > If only \*(Aqsaddr oif\*(Aq is given, then oif can be any interface index= or zero\&. >=20 > # drop packets to address not configured on incoming interface > filter prerouting fib daddr \&. iif type !=3D { local, broadcast, multica= st } drop >=20 > # perform lookup in a specific \*(Aqblackhole\*(Aq table (0xdead, needs i= p appropriate ip rule) > filter prerouting meta mark set 0xdead fib daddr \&. mark type vmap { bla= ckhole : drop, prohibit : jump prohibited, unreachable : drop } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "ROUTING EXPRESSIONS" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBrt\fR [\fBip\fR | \fBip6\fR] {\fBclassid\fR | \fBnexthop\fR | \fBmtu\f= R | \fBipsec\fR} > .fi > .if n \{\ > .RE > .\} > .sp > A routing expression refers to routing data associated with a packet\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&34.\ \&Routing expression types > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > classid > T}:T{ > .sp > Routing realm > T}:T{ > .sp > realm > T} > T{ > .sp > nexthop > T}:T{ > .sp > Routing nexthop > T}:T{ > .sp > ipv4_addr/ipv6_addr > T} > T{ > .sp > mtu > T}:T{ > .sp > TCP maximum segment size of route > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > ipsec > T}:T{ > .sp > route via ipsec tunnel or transport > T}:T{ > .sp > boolean > T} > .TE > .sp 1 > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&35.\ \&Routing expression specific types > .TS > allbox tab(:); > ltB ltB. > T{ > Type > T}:T{ > Description > T} > .T& > lt lt. 
> T{ > .sp > realm > T}:T{ > .sp > Routing Realm (32 bit number)\&. Can be specified numerically or as symbo= lic name defined in /etc/iproute2/rt_realms\&. > T} > .TE > .sp 1 > .PP > \fBUsing routing expressions\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # IP family independent rt expression > filter output rt classid 10 >=20 > # IP family dependent rt expressions > ip filter output rt nexthop 192\&.168\&.0\&.1 > ip6 filter output rt nexthop fd00::1 > inet filter output rt ip nexthop 192\&.168\&.0\&.1 > inet filter output rt ip6 nexthop fd00::1 >=20 > # outgoing packet will be encapsulated/encrypted by ipsec > filter output rt ipsec exists > .fi > .if n \{\ > .RE > .\} > .sp > .SS "IPSEC EXPRESSIONS" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBipsec\fR {\fBin\fR | \fBout\fR} [ \fBspnum\fR \fINUM\fR ] {\fBreqid\f= R | \fBspi\fR} > \fBipsec\fR {\fBin\fR | \fBout\fR} [ \fBspnum\fR \fINUM\fR ] {\fBip\fR |= \fBip6\fR} {\fBsaddr\fR | \fBdaddr\fR} > .fi > .if n \{\ > .RE > .\} > .sp > An ipsec expression refers to ipsec data associated with a packet\&. > .sp > The \fIin\fR or \fIout\fR keyword needs to be used to specify if the expr= ession should examine inbound or outbound policies\&. The \fIin\fR keyword = can be used in the prerouting, input and forward hooks\&. The \fIout\fR key= word applies to forward, output and postrouting hooks\&. The optional keywo= rd spnum can be used to match a specific state in a chain, it defaults to 0= \&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&36.\ \&Ipsec expression types > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > reqid > T}:T{ > .sp > Request ID > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > spi > T}:T{ > .sp > Security Parameter Index > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > saddr > T}:T{ > .sp > Source address of the tunnel > T}:T{ > .sp > ipv4_addr/ipv6_addr > T} > T{ > .sp > daddr > T}:T{ > .sp > Destination address of the tunnel > T}:T{ > .sp > ipv4_addr/ipv6_addr > T} > .TE > .sp 1 > .SS "NUMGEN EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBnumgen\fR {\fBinc\fR | \fBrandom\fR} \fBmod\fR \fINUM\fR [ \fBoffset\f= R \fINUM\fR ] > .fi > .if n \{\ > .RE > .\} > .sp > Create a number generator\&. The \fBinc\fR or \fBrandom\fR keywords contr= ol its operation mode: In \fBinc\fR mode, the last returned value is simply= incremented\&. In \fBrandom\fR mode, a new random number is returned\&. Th= e value after \fBmod\fR keyword specifies an upper boundary (read: modulus)= which is not reached by returned numbers\&. The optional \fBoffset\fR allo= ws to increment the returned value by a fixed offset\&. > .sp > A typical use\-case for \fBnumgen\fR is load\-balancing: > .PP > \fBUsing numgen expression\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # round\-robin between 192\&.168\&.10\&.100 and 192\&.168\&.20\&.200: > add rule nat prerouting dnat to numgen inc mod 2 map \e > { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } >=20 > # probability\-based with odd bias using intervals: > add rule nat prerouting dnat to numgen random mod 10 map \e > { 0\-2 : 192\&.168\&.10\&.100, 3\-9 : 192\&.168\&.20\&.200 } > .fi > .if n \{\ > .RE > .\} > .sp > .SS "HASH EXPRESSIONS" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBjhash\fR {\fBip saddr\fR | \fBip6 daddr\fR | \fBtcp dport\fR | \fBudp = sport\fR | \fBether saddr\fR} [\fB\&.\fR \&...] 
\fBmod\fR \fINUM\fR [ \fBse= ed\fR \fINUM\fR ] [ \fBoffset\fR \fINUM\fR ] > \fBsymhash\fR \fBmod\fR \fINUM\fR [ \fBoffset\fR \fINUM\fR ] > .fi > .if n \{\ > .RE > .\} > .sp > Use a hashing function to generate a number\&. The functions available ar= e \fBjhash\fR, known as Jenkins Hash, and \fBsymhash\fR, for Symmetric Hash= \&. The \fBjhash\fR requires an expression to determine the parameters of t= he packet header to apply the hashing, concatenations are possible as well\= &. The value after \fBmod\fR keyword specifies an upper boundary (read: mod= ulus) which is not reached by returned numbers\&. The optional \fBseed\fR i= s used to specify an init value used as seed in the hashing function\&. The= optional \fBoffset\fR allows to increment the returned value by a fixed of= fset\&. > .sp > A typical use\-case for \fBjhash\fR and \fBsymhash\fR is load\-balancing: > .PP > \fBUsing hash expressions\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # load balance based on source ip between 2 ip addresses: > add rule nat prerouting dnat to jhash ip saddr mod 2 map \e > { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } >=20 > # symmetric load balancing between 2 ip addresses: > add rule nat prerouting dnat to symhash mod 2 map \e > { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } > .fi > .if n \{\ > .RE > .\} > .sp > .SH "PAYLOAD EXPRESSIONS" > .sp > Payload expressions refer to data from the packet\(cqs payload\&. > .SS "ETHERNET HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBether\fR {\fBdaddr\fR | \fBsaddr\fR | \fBtype\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&37.\ \&Ethernet header expression types > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > daddr > T}:T{ > .sp > Destination MAC address > T}:T{ > .sp > ether_addr > T} > T{ > .sp > saddr > T}:T{ > .sp > Source MAC address > T}:T{ > .sp > ether_addr > T} > T{ > .sp > type > T}:T{ > .sp > EtherType > T}:T{ > .sp > ether_type > T} > .TE > .sp 1 > .SS "VLAN HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBvlan\fR {\fBid\fR | \fBcfi\fR | \fBpcp\fR | \fBtype\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&38.\ \&VLAN header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > id > T}:T{ > .sp > VLAN ID (VID) > T}:T{ > .sp > integer (12 bit) > T} > T{ > .sp > cfi > T}:T{ > .sp > Canonical Format Indicator > T}:T{ > .sp > integer (1 bit) > T} > T{ > .sp > pcp > T}:T{ > .sp > Priority code point > T}:T{ > .sp > integer (3 bit) > T} > T{ > .sp > type > T}:T{ > .sp > EtherType > T}:T{ > .sp > ether_type > T} > .TE > .sp 1 > .SS "ARP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBarp\fR {\fBhtype\fR | \fBptype\fR | \fBhlen\fR | \fBplen\fR | \fBopera= tion\fR | \fBsaddr\fR { \fBip\fR | \fBether\fR } | \fBdaddr\fR { \fBip\fR |= \fBether\fR } > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&39.\ \&ARP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > htype > T}:T{ > .sp > ARP hardware type > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > ptype > T}:T{ > .sp > EtherType > T}:T{ > .sp > ether_type > T} > T{ > .sp > hlen > T}:T{ > .sp > Hardware address len > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > plen > T}:T{ > .sp > Protocol address len > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > operation > T}:T{ > .sp > Operation > T}:T{ > .sp > arp_op > T} > T{ > .sp > saddr ether > T}:T{ > .sp > Ethernet sender address > T}:T{ > .sp > ether_addr > T} > T{ > .sp > daddr ether > T}:T{ > .sp > Ethernet target address > T}:T{ > .sp > ether_addr > T} > T{ > .sp > saddr ip > T}:T{ > .sp > IPv4 sender address > T}:T{ > .sp > ipv4_addr > T} > T{ > .sp > daddr ip > T}:T{ > .sp > IPv4 target address > T}:T{ > .sp > ipv4_addr > T} > .TE > .sp 1 > .SS "IPV4 HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBip\fR {\fBversion\fR | \fBhdrlength\fR | \fBdscp\fR | \fBecn\fR | \fBl= ength\fR | \fBid\fR | \fBfrag\-off\fR | \fBttl\fR | \fBprotocol\fR | \fBche= cksum\fR | \fBsaddr\fR | \fBdaddr\fR } > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&40.\ \&IPv4 header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > version > T}:T{ > .sp > IP header version (4) > T}:T{ > .sp > integer (4 bit) > T} > T{ > .sp > hdrlength > T}:T{ > .sp > IP header length including options > T}:T{ > .sp > integer (4 bit) FIXME scaling > T} > T{ > .sp > dscp > T}:T{ > .sp > Differentiated Services Code Point > T}:T{ > .sp > dscp > T} > T{ > .sp > ecn > T}:T{ > .sp > Explicit Congestion Notification > T}:T{ > .sp > ecn > T} > T{ > .sp > length > T}:T{ > .sp > Total packet length > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > id > T}:T{ > .sp > IP ID > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > frag\-off > T}:T{ > .sp > Fragment offset > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > ttl > T}:T{ > .sp > Time to live > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > protocol > T}:T{ > .sp > Upper layer protocol > T}:T{ > .sp > inet_proto > T} > T{ > .sp > checksum > T}:T{ > .sp > IP header checksum > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > saddr > T}:T{ > .sp > Source address > T}:T{ > .sp > ipv4_addr > T} > T{ > .sp > daddr > T}:T{ > .sp > Destination address > T}:T{ > .sp > ipv4_addr > T} > .TE > .sp 1 > .SS "ICMP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBicmp\fR {\fBtype\fR | \fBcode\fR | \fBchecksum\fR | \fBid\fR | \fBsequ= ence\fR | \fBgateway\fR | \fBmtu\fR} > .fi > .if n \{\ > .RE > .\} > .sp > This expression refers to ICMP header fields\&. When using it in \fBinet\= fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit depend= ency on IPv4 to be created\&. To match on unusual cases like ICMP over IPv6= , one has to add an explicit \fBmeta protocol ip6\fR match to the rule\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&41.\ \&ICMP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > type > T}:T{ > .sp > ICMP type field > T}:T{ > .sp > icmp_type > T} > T{ > .sp > code > T}:T{ > .sp > ICMP code field > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > ICMP checksum field > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > id > T}:T{ > .sp > ID of echo request/response > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > sequence > T}:T{ > .sp > sequence number of echo request/response > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > gateway > T}:T{ > .sp > gateway of redirects > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > mtu > T}:T{ > .sp > MTU of path MTU discovery > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "IGMP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBigmp\fR {\fBtype\fR | \fBmrt\fR | \fBchecksum\fR | \fBgroup\fR} > .fi > .if n \{\ > .RE > .\} > .sp > This expression refers to IGMP header fields\&. When using it in \fBinet\= fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit depend= ency on IPv4 to be created\&. To match on unusual cases like IGMP over IPv6= , one has to add an explicit \fBmeta protocol ip6\fR match to the rule\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&42.\ \&IGMP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > type > T}:T{ > .sp > IGMP type field > T}:T{ > .sp > igmp_type > T} > T{ > .sp > mrt > T}:T{ > .sp > IGMP maximum response time field > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > IGMP checksum field > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > group > T}:T{ > .sp > Group address > T}:T{ > .sp > integer (32 bit) > T} > .TE > .sp 1 > .SS "IPV6 HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBip6\fR {\fBversion\fR | \fBdscp\fR | \fBecn\fR | \fBflowlabel\fR | \fBlength\fR | \fBnexthdr\fR | \fBhoplimit\fR | \fBsaddr\fR | \fBdaddr\fR} > .fi > .if n \{\ > .RE > .\} > .sp > This expression refers to the ipv6 header fields\&. Caution when using \fBip6 nexthdr\fR, the value only refers to the next header, i\&.e\&. \fBip6 nexthdr tcp\fR will only match if the ipv6 packet does not contain any extension headers\&. Packets that are fragmented or e\&.g\&. contain a routing extension headers will not be matched\&. Please use \fBmeta l4proto\fR if you wish to match the real transport header and ignore any additional extension headers instead\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&43.\ \&IPv6 header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt.
> T{ > .sp > version > T}:T{ > .sp > IP header version (6) > T}:T{ > .sp > integer (4 bit) > T} > T{ > .sp > dscp > T}:T{ > .sp > Differentiated Services Code Point > T}:T{ > .sp > dscp > T} > T{ > .sp > ecn > T}:T{ > .sp > Explicit Congestion Notification > T}:T{ > .sp > ecn > T} > T{ > .sp > flowlabel > T}:T{ > .sp > Flow label > T}:T{ > .sp > integer (20 bit) > T} > T{ > .sp > length > T}:T{ > .sp > Payload length > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > nexthdr > T}:T{ > .sp > Nexthdr protocol > T}:T{ > .sp > inet_proto > T} > T{ > .sp > hoplimit > T}:T{ > .sp > Hop limit > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > saddr > T}:T{ > .sp > Source address > T}:T{ > .sp > ipv6_addr > T} > T{ > .sp > daddr > T}:T{ > .sp > Destination address > T}:T{ > .sp > ipv6_addr > T} > .TE > .sp 1 > .PP > \fBUsing ip6 header expressions\fR.=20 > .sp > .if n \{\ > .RS 4 > .\} > .nf > # matching if first extension header indicates a fragment > ip6 nexthdr ipv6\-frag > .fi > .if n \{\ > .RE > .\} > .sp > .SS "ICMPV6 HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBicmpv6\fR {\fBtype\fR | \fBcode\fR | \fBchecksum\fR | \fBparameter\-pr= oblem\fR | \fBpacket\-too\-big\fR | \fBid\fR | \fBsequence\fR | \fBmax\-del= ay\fR} > .fi > .if n \{\ > .RE > .\} > .sp > This expression refers to ICMPv6 header fields\&. When using it in \fBine= t\fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit depe= ndency on IPv6 to be created\&. To match on unusual cases like ICMPv6 over = IPv4, one has to add an explicit \fBmeta protocol ip\fR match to the rule\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&44.\ \&ICMPv6 header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > type > T}:T{ > .sp > ICMPv6 type field > T}:T{ > .sp > icmpv6_type > T} > T{ > .sp > code > T}:T{ > .sp > ICMPv6 code field > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > ICMPv6 checksum field > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > parameter\-problem > T}:T{ > .sp > pointer to problem > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > packet\-too\-big > T}:T{ > .sp > oversized MTU > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > id > T}:T{ > .sp > ID of echo request/response > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > sequence > T}:T{ > .sp > sequence number of echo request/response > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > max\-delay > T}:T{ > .sp > maximum response delay of MLD queries > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "TCP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBtcp\fR {\fBsport\fR | \fBdport\fR | \fBsequence\fR | \fBackseq\fR | \f= Bdoff\fR | \fBreserved\fR | \fBflags\fR | \fBwindow\fR | \fBchecksum\fR | \= fBurgptr\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&45.\ \&TCP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > sport > T}:T{ > .sp > Source port > T}:T{ > .sp > inet_service > T} > T{ > .sp > dport > T}:T{ > .sp > Destination port > T}:T{ > .sp > inet_service > T} > T{ > .sp > sequence > T}:T{ > .sp > Sequence number > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > ackseq > T}:T{ > .sp > Acknowledgement number > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > doff > T}:T{ > .sp > Data offset > T}:T{ > .sp > integer (4 bit) FIXME scaling > T} > T{ > .sp > reserved > T}:T{ > .sp > Reserved area > T}:T{ > .sp > integer (4 bit) > T} > T{ > .sp > flags > T}:T{ > .sp > TCP flags > T}:T{ > .sp > tcp_flag > T} > T{ > .sp > window > T}:T{ > .sp > Window > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > Checksum > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > urgptr > T}:T{ > .sp > Urgent pointer > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "UDP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBudp\fR {\fBsport\fR | \fBdport\fR | \fBlength\fR | \fBchecksum\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&46.\ \&UDP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > sport > T}:T{ > .sp > Source port > T}:T{ > .sp > inet_service > T} > T{ > .sp > dport > T}:T{ > .sp > Destination port > T}:T{ > .sp > inet_service > T} > T{ > .sp > length > T}:T{ > .sp > Total packet length > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > Checksum > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "UDP\-LITE HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBudplite\fR {\fBsport\fR | \fBdport\fR | \fBchecksum\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&47.\ \&UDP\-Lite header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > sport > T}:T{ > .sp > Source port > T}:T{ > .sp > inet_service > T} > T{ > .sp > dport > T}:T{ > .sp > Destination port > T}:T{ > .sp > inet_service > T} > T{ > .sp > checksum > T}:T{ > .sp > Checksum > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "SCTP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBsctp\fR {\fBsport\fR | \fBdport\fR | \fBvtag\fR | \fBchecksum\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&48.\ \&SCTP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > sport > T}:T{ > .sp > Source port > T}:T{ > .sp > inet_service > T} > T{ > .sp > dport > T}:T{ > .sp > Destination port > T}:T{ > .sp > inet_service > T} > T{ > .sp > vtag > T}:T{ > .sp > Verification Tag > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > checksum > T}:T{ > .sp > Checksum > T}:T{ > .sp > integer (32 bit) > T} > .TE > .sp 1 > .SS "DCCP HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBdccp\fR {\fBsport\fR | \fBdport\fR | \fBtype\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&49.\ \&DCCP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > sport > T}:T{ > .sp > Source port > T}:T{ > .sp > inet_service > T} > T{ > .sp > dport > T}:T{ > .sp > Destination port > T}:T{ > .sp > inet_service > T} > T{ > .sp > type > T}:T{ > .sp > Packet type > T}:T{ > .sp > dccp_pkttype > T} > .TE > .sp 1 > .SS "AUTHENTICATION HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBah\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBreserved\fR | \fBspi\fR | = \fBsequence\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&50.\ \&AH header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt > lt lt lt > lt lt lt. 
> T{ > .sp > nexthdr > T}:T{ > .sp > Next header protocol > T}:T{ > .sp > inet_proto > T} > T{ > .sp > hdrlength > T}:T{ > .sp > AH Header length > T}:T{ > .sp > integer (8 bit) > T} > T{ > .sp > reserved > T}:T{ > .sp > Reserved area > T}:T{ > .sp > integer (16 bit) > T} > T{ > .sp > spi > T}:T{ > .sp > Security Parameter Index > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > sequence > T}:T{ > .sp > Sequence number > T}:T{ > .sp > integer (32 bit) > T} > .TE > .sp 1 > .SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fBesp\fR {\fBspi\fR | \fBsequence\fR} > .fi > .if n \{\ > .RE > .\} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&51.\ \&ESP header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt. > T{ > .sp > spi > T}:T{ > .sp > Security Parameter Index > T}:T{ > .sp > integer (32 bit) > T} > T{ > .sp > sequence > T}:T{ > .sp > Sequence number > T}:T{ > .sp > integer (32 bit) > T} > .TE > .sp 1 > .SS "IPCOMP HEADER EXPRESSION" > .sp > \fBcomp\fR {\fBnexthdr\fR | \fBflags\fR | \fBcpi\fR} > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&52.\ \&IPComp header expression > .TS > allbox tab(:); > ltB ltB ltB. > T{ > Keyword > T}:T{ > Description > T}:T{ > Type > T} > .T& > lt lt lt > lt lt lt > lt lt lt. > T{ > .sp > nexthdr > T}:T{ > .sp > Next header protocol > T}:T{ > .sp > inet_proto > T} > T{ > .sp > flags > T}:T{ > .sp > Flags > T}:T{ > .sp > bitmask > T} > T{ > .sp > cpi > T}:T{ > .sp > compression Parameter Index > T}:T{ > .sp > integer (16 bit) > T} > .TE > .sp 1 > .SS "RAW PAYLOAD EXPRESSION" > .sp > .if n \{\ > .RS 4 > .\} > .nf > \fB@\fR\fIbase\fR\fB,\fR\fIoffset\fR\fB,\fR\fIlength\fR > .fi > .if n \{\ > .RE > .\} > .sp > The raw payload expression instructs to load \fIlength\fR bits starting a= t \fIoffset\fR bits\&. 
Bit 0 refers to the very first bit \(em in the C programming language, this corresponds to the topmost bit, i\&.e\&. 0x80 in case of an octet\&. They are useful to match headers that do not have a human\-readable template expression yet\&. Note that nft will not add dependencies for Raw payload expressions\&. If you e\&.g\&. want to match protocol fields of a transport header with protocol number 5, you need to manually exclude packets that have a different transport header, for instance by using \fBmeta l4proto 5\fR before the raw expression\&. > .sp > .it 1 an-trap > .nr an-no-space-flag 1 > .nr an-break-flag 1 > .br > .B Table\ \&53.\ \&Supported payload protocol bases > .TS > allbox tab(:); > ltB ltB. > T{ > Base > T}:T{ > Description > T} > .T& > lt lt > lt lt > lt lt. > T{ > .sp > ll > T}:T{ > .sp > Link layer, for example the Ethernet header > T} > T{ > .sp > nh > T}:T{ > .sp > Network header, for example IPv4 or IPv6 > T} > T{ > .sp > th > T}:T{ > .sp > Transport Header, for example TCP > T} > .TE > .sp 1 > .PP > \fBMatching destination port of both UDP and TCP\fR. > .sp > .if n \{\ > .RS 4 > .\} > .nf > inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 } > .fi > .if n \{\ > .RE > .\} > .sp > The above can also be written as > .sp > .if n \{\ > .RS 4 > .\} > .nf > inet filter input meta l4proto {tcp, udp} th dport { 53, 80 } > .fi > .if n \{\ > .RE > .\} > .sp > it is more convenient, but like the raw expression notation no dependencies are created or checked\&. It is the users responsibility to restrict matching to those header types that have a notion of ports\&. Otherwise, rules using raw expressions will erroneously match unrelated packets, e\&.g\&. mis\-interpreting ESP packets SPI field as a port\&.
> .PP
> \fBRewrite arp packet target hardware address if target protocol address matches a given address\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "EXTENSION HEADER EXPRESSIONS"
> .sp
> Extension header expressions refer to data from variable\-sized protocol headers, such as IPv6 extension headers, TCP options and IPv4 options\&.
> .sp
> nftables currently supports matching (finding) a given ipv6 extension header, TCP option or IPv4 option\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBhbh\fR {\fBnexthdr\fR | \fBhdrlength\fR}
> \fBfrag\fR {\fBnexthdr\fR | \fBfrag\-off\fR | \fBmore\-fragments\fR | \fBid\fR}
> \fBrt\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBtype\fR | \fBseg\-left\fR}
> \fBdst\fR {\fBnexthdr\fR | \fBhdrlength\fR}
> \fBmh\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBchecksum\fR | \fBtype\fR}
> \fBsrh\fR {\fBflags\fR | \fBtag\fR | \fBsid\fR | \fBseg\-left\fR}
> \fBtcp option\fR {\fBeol\fR | \fBnop\fR | \fBmaxseg\fR | \fBwindow\fR | \fBsack\-perm\fR | \fBsack\fR | \fBsack0\fR | \fBsack1\fR | \fBsack2\fR | \fBsack3\fR | \fBtimestamp\fR} \fItcp_option_field\fR
> \fBip option\fR { lsrr | ra | rr | ssrr } \fIip_option_field\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The following syntaxes are valid only in a relational expression with boolean type on right\-hand side for checking header existence only:
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBexthdr\fR {\fBhbh\fR | \fBfrag\fR | \fBrt\fR | \fBdst\fR | \fBmh\fR}
> \fBtcp option\fR {\fBeol\fR | \fBnop\fR | \fBmaxseg\fR | \fBwindow\fR | \fBsack\-perm\fR | \fBsack\fR | \fBsack0\fR | \fBsack1\fR | \fBsack2\fR | \fBsack3\fR | \fBtimestamp\fR}
> \fBip option\fR { lsrr | ra | rr | ssrr }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&54.\ \&IPv6 extension headers
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> hbh
> T}:T{
> .sp
> Hop by Hop
> T}
> T{
> .sp
> rt
> T}:T{
> .sp
> Routing Header
> T}
> T{
> .sp
> frag
> T}:T{
> .sp
> Fragmentation header
> T}
> T{
> .sp
> dst
> T}:T{
> .sp
> dst options
> T}
> T{
> .sp
> mh
> T}:T{
> .sp
> Mobility Header
> T}
> T{
> .sp
> srh
> T}:T{
> .sp
> Segment Routing Header
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&55.\ \&TCP Options
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> TCP option fields
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> eol
> T}:T{
> .sp
> End if option list
> T}:T{
> .sp
> kind
> T}
> T{
> .sp
> nop
> T}:T{
> .sp
> 1 Byte TCP Nop padding option
> T}:T{
> .sp
> kind
> T}
> T{
> .sp
> maxseg
> T}:T{
> .sp
> TCP Maximum Segment Size
> T}:T{
> .sp
> kind, length, size
> T}
> T{
> .sp
> window
> T}:T{
> .sp
> TCP Window Scaling
> T}:T{
> .sp
> kind, length, count
> T}
> T{
> .sp
> sack\-perm
> T}:T{
> .sp
> TCP SACK permitted
> T}:T{
> .sp
> kind, length
> T}
> T{
> .sp
> sack
> T}:T{
> .sp
> TCP Selective Acknowledgement (alias of block 0)
> T}:T{
> .sp
> kind, length, left, right
> T}
> T{
> .sp
> sack0
> T}:T{
> .sp
> TCP Selective Acknowledgement (block 0)
> T}:T{
> .sp
> kind, length, left, right
> T}
> T{
> .sp
> sack1
> T}:T{
> .sp
> TCP Selective Acknowledgement (block 1)
> T}:T{
> .sp
> kind, length, left, right
> T}
> T{
> .sp
> sack2
> T}:T{
> .sp
> TCP Selective Acknowledgement (block 2)
> T}:T{
> .sp
> kind, length, left, right
> T}
> T{
> .sp
> sack3
> T}:T{
> .sp
> TCP Selective Acknowledgement (block 3)
> T}:T{
> .sp
> kind, length, left, right
> T}
> T{
> .sp
> timestamp
> T}:T{
> .sp
> TCP Timestamps
> T}:T{
> .sp
> kind, length, tsval, tsecr
> T}
> .TE
> .sp 1
> .sp
> TCP option matching also supports raw expression syntax to access arbitrary options:
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBtcp option\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBtcp option\fR \fB@\fR\fInumber\fR\fB,\fR\fIoffset\fR\fB,\fR\fIlength\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&56.\ \&IP Options
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> IP option fields
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> lsrr
> T}:T{
> .sp
> Loose Source Route
> T}:T{
> .sp
> type, length, ptr, addr
> T}
> T{
> .sp
> ra
> T}:T{
> .sp
> Router Alert
> T}:T{
> .sp
> type, length, value
> T}
> T{
> .sp
> rr
> T}:T{
> .sp
> Record Route
> T}:T{
> .sp
> type, length, ptr, addr
> T}
> T{
> .sp
> ssrr
> T}:T{
> .sp
> Strict Source Route
> T}:T{
> .sp
> type, length, ptr, addr
> T}
> .TE
> .sp 1
> .PP
> \fBfinding TCP options\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> filter input tcp option sack\-perm kind 1 counter
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBmatching IPv6 exthdr\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> ip6 filter input frag more\-fragments 1 counter
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBfinding IP option\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> filter input ip option lsrr exists counter
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "CONNTRACK EXPRESSIONS"
> .sp
> Conntrack expressions refer to meta data of the connection tracking entry associated with a packet\&.
> .sp
> There are three types of conntrack expressions\&. Some conntrack expressions require the flow direction before the conntrack key, others must be used directly because they are direction agnostic\&. The \fBpackets\fR, \fBbytes\fR and \fBavgpkt\fR keywords can be used with or without a direction\&. If the direction is omitted, the sum of the original and the reply direction is returned\&. The same is true for the \fBzone\fR, if a direction is given, the zone is only matched if the zone id is tied to the given direction\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBct\fR {\fBstate\fR | \fBdirection\fR | \fBstatus\fR | \fBmark\fR | \fBexpiration\fR | \fBhelper\fR | \fBlabel\fR}
> \fBct\fR [\fBoriginal\fR | \fBreply\fR] {\fBl3proto\fR | \fBprotocol\fR | \fBbytes\fR | \fBpackets\fR | \fBavgpkt\fR | \fBzone\fR | \fBid\fR}
> \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBproto\-src\fR | \fBproto\-dst\fR}
> \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBip\fR | \fBip6\fR} {\fBsaddr\fR | \fBdaddr\fR}
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The conntrack\-specific types in this table are described in the sub\-section CONNTRACK TYPES above\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&57.\ \&Conntrack expressions
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> state
> T}:T{
> .sp
> State of the connection
> T}:T{
> .sp
> ct_state
> T}
> T{
> .sp
> direction
> T}:T{
> .sp
> Direction of the packet relative to the connection
> T}:T{
> .sp
> ct_dir
> T}
> T{
> .sp
> status
> T}:T{
> .sp
> Status of the connection
> T}:T{
> .sp
> ct_status
> T}
> T{
> .sp
> mark
> T}:T{
> .sp
> Connection mark
> T}:T{
> .sp
> mark
> T}
> T{
> .sp
> expiration
> T}:T{
> .sp
> Connection expiration time
> T}:T{
> .sp
> time
> T}
> T{
> .sp
> helper
> T}:T{
> .sp
> Helper associated with the connection
> T}:T{
> .sp
> string
> T}
> T{
> .sp
> label
> T}:T{
> .sp
> Connection tracking label bit or symbolic name defined in connlabel\&.conf in the nftables include path
> T}:T{
> .sp
> ct_label
> T}
> T{
> .sp
> l3proto
> T}:T{
> .sp
> Layer 3 protocol of the connection
> T}:T{
> .sp
> nf_proto
> T}
> T{
> .sp
> saddr
> T}:T{
> .sp
> Source address of the connection for the given direction
> T}:T{
> .sp
> ipv4_addr/ipv6_addr
> T}
> T{
> .sp
> daddr
> T}:T{
> .sp
> Destination address of the connection for the given direction
> T}:T{
> .sp
> ipv4_addr/ipv6_addr
> T}
> T{
> .sp
> protocol
> T}:T{
> .sp
> Layer 4 protocol of the connection for the given direction
> T}:T{
> .sp
> inet_proto
> T}
> T{
> .sp
> proto\-src
> T}:T{
> .sp
> Layer 4 protocol source for the given direction
> T}:T{
> .sp
> integer (16 bit)
> T}
> T{
> .sp
> proto\-dst
> T}:T{
> .sp
> Layer 4 protocol destination for the given direction
> T}:T{
> .sp
> integer (16 bit)
> T}
> T{
> .sp
> packets
> T}:T{
> .sp
> packet count seen in the given direction or sum of original and reply
> T}:T{
> .sp
> integer (64 bit)
> T}
> T{
> .sp
> bytes
> T}:T{
> .sp
> byte count seen, see description for \fBpackets\fR keyword
> T}:T{
> .sp
> integer (64 bit)
> T}
> T{
> .sp
> avgpkt
> T}:T{
> .sp
> average bytes per packet, see description for \fBpackets\fR keyword
> T}:T{
> .sp
> integer (64 bit)
> T}
> T{
> .sp
> zone
> T}:T{
> .sp
> conntrack zone
> T}:T{
> .sp
> integer (16 bit)
> T}
> T{
> .sp
> count
> T}:T{
> .sp
> number of current connections
> T}:T{
> .sp
> integer (32 bit)
> T}
> T{
> .sp
> id
> T}:T{
> .sp
> Connection id
> T}:T{
> .sp
> ct_id
> T}
> .TE
> .sp 1
> .PP
> \fBrestrict the number of parallel connections to a server\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> nft add set filter ssh_flood \*(Aq{ type ipv4_addr; flags dynamic; }\*(Aq
> nft add rule filter input tcp dport 22 add @ssh_flood \*(Aq{ ip saddr ct count over 2 }\*(Aq reject
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "STATEMENTS"
> .sp
> Statements represent actions to be performed\&. They can alter control flow (return, jump to a different chain, accept or drop the packet) or can perform actions, such as logging, rejecting a packet, etc\&.
> .sp
> Statements exist in two kinds\&. Terminal statements unconditionally terminate evaluation of the current rule, non\-terminal statements either only conditionally or never terminate evaluation of the current rule, in other words, they are passive from the ruleset evaluation perspective\&. There can be an arbitrary amount of non\-terminal statements in a rule, but only a single terminal statement as the final statement\&.
> .SS "VERDICT STATEMENT"
> .sp
> The verdict statement alters control flow in the ruleset and issues policy decisions for packets\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBaccept\fR | \fBdrop\fR | \fBqueue\fR | \fBcontinue\fR | \fBreturn\fR}
> {\fBjump\fR | \fBgoto\fR} \fIchain\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> \fBaccept\fR and \fBdrop\fR are absolute verdicts \(em they terminate ruleset evaluation immediately\&.
> .TS
> tab(:);
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> \fBaccept\fR
> T}:T{
> .sp
> Terminate ruleset evaluation and accept the packet\&. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline\&.
> T}
> T{
> .sp
> \fBdrop\fR
> T}:T{
> .sp
> Terminate ruleset evaluation and drop the packet\&. The drop occurs instantly, no further chains or hooks are evaluated\&. It is not possible to accept the packet in a later chain again, as those are not evaluated anymore for the packet\&.
> T}
> T{
> .sp
> \fBqueue\fR
> T}:T{
> .sp
> Terminate ruleset evaluation and queue the packet to userspace\&. Userspace must provide a drop or accept verdict\&. In case of accept, processing resumes with the next base chain hook, not the rule following the queue verdict\&.
> T}
> T{
> .sp
> \fBcontinue\fR
> T}:T{
> .sp
> Continue ruleset evaluation with the next rule\&. This is the default behaviour in case a rule issues no verdict\&.
> T}
> T{
> .sp
> \fBreturn\fR
> T}:T{
> .sp
> Return from the current chain and continue evaluation at the next rule in the last chain\&. If issued in a base chain, it is equivalent to the base chain policy\&.
> T}
> T{
> .sp
> \fBjump\fR \fIchain\fR
> T}:T{
> .sp
> Continue evaluation at the first rule in \fIchain\fR\&. The current position in the ruleset is pushed to a call stack and evaluation will continue there when the new chain is entirely evaluated or a \fBreturn\fR verdict is issued\&. In case an absolute verdict is issued by a rule in the chain, ruleset evaluation terminates immediately and the specific action is taken\&.
> T}
> T{
> .sp
> \fBgoto\fR \fIchain\fR
> T}:T{
> .sp
> Similar to \fBjump\fR, but the current position is not pushed to the call stack, meaning that after the new chain evaluation will continue at the last chain instead of the one containing the goto statement\&.
> T}
> .TE
> .sp 1
> .PP
> \fBUsing verdict statements\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # process packets from eth0 and the internal network in from_lan
> # chain, drop all packets from eth0 with different source addresses\&.
>
> filter input iif eth0 ip saddr 192\&.168\&.0\&.0/24 jump from_lan
> filter input iif eth0 drop
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "PAYLOAD STATEMENT"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fIpayload_expression\fR \fBset\fR \fIvalue\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The payload statement alters packet content\&. It can be used for example to set ip DSCP (diffserv) header field or ipv6 flow labels\&.
> .PP
> \fBroute some packets instead of bridging\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # redirect tcp:http from 192\&.160\&.0\&.0/16 to local machine for routing instead of bridging
> # assumes 00:11:22:33:44:55 is local MAC address\&.
> bridge input meta iif eth0 ip saddr 192\&.168\&.0\&.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBSet IPv4 DSCP header field\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> ip forward ip dscp set 42
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "EXTENSION HEADER STATEMENT"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fIextension_header_expression\fR \fBset\fR \fIvalue\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The extension header statement alters packet content in variable\-sized headers\&. This can currently be used to alter the TCP Maximum segment size of packets, similar to TCPMSS\&.
> .PP
> \fBchange tcp mss\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> tcp flags syn tcp option maxseg size set 1360
> # set a size based on route information:
> tcp flags syn tcp option maxseg size set rt mtu
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "LOG STATEMENT"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBlog\fR [\fBprefix\fR \fIquoted_string\fR] [\fBlevel\fR \fIsyslog\-level\fR] [\fBflags\fR \fIlog\-flags\fR]
> \fBlog\fR \fBgroup\fR \fInflog_group\fR [\fBprefix\fR \fIquoted_string\fR] [\fBqueue\-threshold\fR \fIvalue\fR] [\fBsnaplen\fR \fIsize\fR]
> \fBlog level audit\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The log statement enables logging of matching packets\&. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog)\&.
> .sp
> In the second form of invocation (if \fInflog_group\fR is specified), the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group\&. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details\&.
> .sp
> In the third form of invocation (if level audit is specified), the Linux kernel writes a message into the audit buffer suitably formatted for reading with auditd\&. Therefore no further formatting options (such as prefix or flags) are allowed in this mode\&.
> .sp
> This is a non\-terminating statement, so the rule evaluation continues after the packet is logged\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&58.\ \&log statement options
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> prefix
> T}:T{
> .sp
> Log message prefix
> T}:T{
> .sp
> quoted string
> T}
> T{
> .sp
> level
> T}:T{
> .sp
> Syslog level of logging
> T}:T{
> .sp
> string: emerg, alert, crit, err, warn [default], notice, info, debug, audit
> T}
> T{
> .sp
> group
> T}:T{
> .sp
> NFLOG group to send messages to
> T}:T{
> .sp
> unsigned integer (16 bit)
> T}
> T{
> .sp
> snaplen
> T}:T{
> .sp
> Length of packet payload to include in netlink message
> T}:T{
> .sp
> unsigned integer (32 bit)
> T}
> T{
> .sp
> queue\-threshold
> T}:T{
> .sp
> Number of packets to queue inside the kernel before sending them to userspace
> T}:T{
> .sp
> unsigned integer (32 bit)
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&59.\ \&log\-flags
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Flag
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> tcp sequence
> T}:T{
> .sp
> Log TCP sequence numbers\&.
> T}
> T{
> .sp
> tcp options
> T}:T{
> .sp
> Log options from the TCP packet header\&.
> T}
> T{
> .sp
> ip options
> T}:T{
> .sp
> Log options from the IP/IPv6 packet header\&.
> T}
> T{
> .sp
> skuid
> T}:T{
> .sp
> Log the userid of the process which generated the packet\&.
> T}
> T{
> .sp
> ether
> T}:T{
> .sp
> Decode MAC addresses and protocol\&.
> T}
> T{
> .sp
> all
> T}:T{
> .sp
> Enable all log flags listed above\&.
> T}
> .TE
> .sp 1
> .PP
> \fBUsing log statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # log the UID which generated the packet and ip options
> ip filter output log flags skuid flags ip options
>
> # log the tcp sequence numbers and tcp options from the TCP packet
> ip filter output log flags tcp sequence,options
>
> # enable all supported log flags
> ip6 filter output log flags all
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "REJECT STATEMENT"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBreject\fR [ \fBwith\fR \fIREJECT_WITH\fR ]
>
> \fIREJECT_WITH\fR := \fBicmp type\fR \fIicmp_code\fR |
> \fBicmpv6 type\fR \fIicmpv6_code\fR |
> \fBicmpx type\fR \fIicmpx_code\fR |
> \fBtcp reset\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal\&. This statement is only valid in base chains using the \fBinput\fR, \fBforward\fR or \fBoutput\fR hooks, and user\-defined chains which are only called from those chains\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&60.\ \&different ICMP reject variants are meant for use in different table families
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Variant
> T}:T{
> Family
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> icmp
> T}:T{
> .sp
> ip
> T}:T{
> .sp
> icmp_code
> T}
> T{
> .sp
> icmpv6
> T}:T{
> .sp
> ip6
> T}:T{
> .sp
> icmpv6_code
> T}
> T{
> .sp
> icmpx
> T}:T{
> .sp
> inet
> T}:T{
> .sp
> icmpx_code
> T}
> .TE
> .sp 1
> .sp
> For a description of the different types and a list of supported keywords refer to DATA TYPES section above\&. The common default reject value is \fBport\-unreachable\fR\&.
> .sp
> Note that in bridge family, reject statement is only allowed in base chains which hook into input or prerouting\&.
> .SS "COUNTER STATEMENT"
> .sp
> A counter statement sets the hit count of packets along with the number of bytes\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBcounter\fR \fBpackets\fR \fInumber\fR \fBbytes\fR \fInumber\fR
> \fBcounter\fR { \fBpackets\fR \fInumber\fR | \fBbytes\fR \fInumber\fR }
> .fi
> .if n \{\
> .RE
> .\}
> .SS "CONNTRACK STATEMENT"
> .sp
> The conntrack statement can be used to set the conntrack mark and conntrack labels\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBct\fR {\fBmark\fR | \fBevent\fR | \fBlabel\fR | \fBzone\fR} \fBset\fR \fIvalue\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The ct statement sets meta data associated with a connection\&. The zone id has to be assigned before a conntrack lookup takes place, i\&.e\&. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of \-300\&.
> .sp
> Unlike iptables, where the helper assignment happens in the raw table, the helper needs to be assigned after a conntrack entry has been found, i\&.e\&. it will not work when used with hook priorities equal or before \-200\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&61.\ \&Conntrack statement types
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Value
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> event
> T}:T{
> .sp
> conntrack event bits
> T}:T{
> .sp
> bitmask, integer (32 bit)
> T}
> T{
> .sp
> helper
> T}:T{
> .sp
> name of ct helper object to assign to the connection
> T}:T{
> .sp
> quoted string
> T}
> T{
> .sp
> mark
> T}:T{
> .sp
> Connection tracking mark
> T}:T{
> .sp
> mark
> T}
> T{
> .sp
> label
> T}:T{
> .sp
> Connection tracking label
> T}:T{
> .sp
> label
> T}
> T{
> .sp
> zone
> T}:T{
> .sp
> conntrack zone
> T}:T{
> .sp
> integer (16 bit)
> T}
> .TE
> .sp 1
> .PP
> \fBsave packet nfmark in conntrack\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> ct mark set meta mark
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBset zone mapped via interface\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> table inet raw {
> chain prerouting {
> type filter hook prerouting priority \-300;
> ct zone set iif map { "eth1" : 1, "veth1" : 2 }
> }
> chain output {
> type filter hook output priority \-300;
> ct zone set oif map { "eth1" : 1, "veth1" : 2 }
> }
> }
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBrestrict events reported by ctnetlink\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> ct event set new,related,destroy
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "NOTRACK STATEMENT"
> .sp
> The notrack statement allows to disable connection tracking for certain packets\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBnotrack\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens\&. Therefore, it needs to sit in a chain with either prerouting or output hook and a hook priority of \-300 or less\&.
> .sp
> See SYNPROXY STATEMENT for an example usage\&.
> .SS "META STATEMENT"
> .sp
> A meta statement sets the value of a meta expression\&. The existing meta fields are: priority, mark, pkttype, nftrace\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBmeta\fR {\fBmark\fR | \fBpriority\fR | \fBpkttype\fR | \fBnftrace\fR} \fBset\fR \fIvalue\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> A meta statement sets meta data associated with a packet\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&62.\ \&Meta statement types
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Keyword
> T}:T{
> Description
> T}:T{
> Value
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> priority
> T}:T{
> .sp
> TC packet priority
> T}:T{
> .sp
> tc_handle
> T}
> T{
> .sp
> mark
> T}:T{
> .sp
> Packet mark
> T}:T{
> .sp
> mark
> T}
> T{
> .sp
> pkttype
> T}:T{
> .sp
> packet type
> T}:T{
> .sp
> pkt_type
> T}
> T{
> .sp
> nftrace
> T}:T{
> .sp
> ruleset packet tracing on/off\&. Use \fBmonitor trace\fR command to watch traces
> T}:T{
> .sp
> 0, 1
> T}
> .TE
> .sp 1
> .SS "LIMIT STATEMENT"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBlimit rate\fR [\fBover\fR] \fIpacket_number\fR \fB/\fR \fITIME_UNIT\fR [\fBburst\fR \fIpacket_number\fR \fBpackets\fR]
> \fBlimit rate\fR [\fBover\fR] \fIbyte_number\fR \fIBYTE_UNIT\fR \fB/\fR \fITIME_UNIT\fR [\fBburst\fR \fIbyte_number\fR \fIBYTE_UNIT\fR]
>
> \fITIME_UNIT\fR := \fBsecond\fR | \fBminute\fR | \fBhour\fR | \fBday\fR
> \fIBYTE_UNIT\fR := \fBbytes\fR | \fBkbytes\fR | \fBmbytes\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> A limit statement matches at a limited rate using a token bucket filter\&. A rule using this statement will match until this limit is reached\&. It can be used in combination with the log statement to give limited logging\&. The optional \fBover\fR keyword makes it match over the specified rate\&. Default \fBburst\fR is 5\&. if you specify \fBburst\fR, it must be non\-zero value\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&63.\ \&limit statement values
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Value
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt.
> T{
> .sp
> packet_number
> T}:T{
> .sp
> Number of packets
> T}:T{
> .sp
> unsigned integer (32 bit)
> T}
> T{
> .sp
> byte_number
> T}:T{
> .sp
> Number of bytes
> T}:T{
> .sp
> unsigned integer (32 bit)
> T}
> .TE
> .sp 1
> .SS "NAT STATEMENTS"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBsnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
> \fBsnat to\fR \fIaddress\fR \fB\-\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
> \fBsnat\fR { \fBip\fR | \fBip6\fR } \fBto\fR \fIaddress\fR \fB\-\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
> \fBdnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
> \fBdnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
> \fBdnat\fR { \fBip\fR | \fBip6\fR } \fBto\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
> \fBmasquerade to\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
> \fBmasquerade to\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
> \fBredirect to\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
> \fBredirect to\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
>
> \fIPRF_FLAGS\fR := \fIPRF_FLAG\fR [\fB,\fR \fIPRF_FLAGS\fR]
> \fIPR_FLAGS\fR := \fIPR_FLAG\fR [\fB,\fR \fIPR_FLAGS\fR]
> \fIPRF_FLAG\fR := \fIPR_FLAG\fR | \fBfully\-random\fR
> \fIPR_FLAG\fR := \fBpersistent\fR | \fBrandom\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The nat statements are only valid from nat chain types\&.
> .sp
> The \fBsnat\fR and \fBmasquerade\fR statements specify that the source address of the packet should be modified\&. While \fBsnat\fR is only valid in the postrouting and input chains, \fBmasquerade\fR makes sense only in postrouting\&. The dnat and redirect statements are only valid in the prerouting and output chains, they specify that the destination address of the packet should be modified\&. You can use non\-base chains which are called from base chains of nat chain type too\&. All future packets in this connection will also be mangled, and rules should cease being examined\&.
> .sp
> The \fBmasquerade\fR statement is a special form of snat which always uses the outgoing interface\(cqs IP address to translate to\&. It is particularly useful on gateways with dynamic (public) IP addresses\&.
> .sp
> The \fBredirect\fR statement is a special form of dnat which always translates the destination address to the local host\(cqs one\&. It comes in handy if one only wants to alter the destination port of incoming traffic on different interfaces\&.
> .sp
> When used in the inet family (available with kernel 5\&.2), the dnat and snat statements require the use of the ip and ip6 keyword in case an address is provided, see the examples below\&.
> .sp
> Before kernel 4\&.18 nat statements require both prerouting and postrouting base chains to be present since otherwise packets on the return path won\(cqt be seen by netfilter and therefore no reverse translation will take place\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&64.\ \&NAT statement values
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Expression
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt.
> T{
> .sp
> address
> T}:T{
> .sp
> Specifies that the source/destination address of the packet should be modified\&. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value\&.
> T}:T{
> .sp
> ipv4_addr, ipv6_addr, e\&.g\&. abcd::1234, or you can use a mapping, e\&.g\&. meta mark map { 10 : 192\&.168\&.1\&.2, 20 : 192\&.168\&.1\&.3 }
> T}
> T{
> .sp
> port
> T}:T{
> .sp
> Specifies that the source/destination address of the packet should be modified\&.
> T}:T{
> .sp
> port number (16 bit)
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&65.\ \&NAT statement flags
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Flag
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt
> lt lt.
> T{
> .sp
> persistent
> T}:T{
> .sp
> Gives a client the same source\-/destination\-address for each connection\&.
> T}
> T{
> .sp
> random
> T}:T{
> .sp
> In kernel 5\&.0 and newer this is the same as fully\-random\&. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port\&.
> T}
> T{
> .sp
> fully\-random
> T}:T{
> .sp
> If used then port mapping is generated based on a 32\-bit pseudo\-random algorithm\&.
> T}
> .TE
> .sp 1
> .PP
> \fBUsing NAT statements\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # create a suitable table/chain setup for all further examples
> add table nat
> add chain nat prerouting { type nat hook prerouting priority 0; }
> add chain nat postrouting { type nat hook postrouting priority 100; }
>
> # translate source addresses of all packets leaving via eth0 to address 1\&.2\&.3\&.4
> add rule nat postrouting oif eth0 snat to 1\&.2\&.3\&.4
>
> # redirect all traffic entering via eth0 to destination address 192\&.168\&.1\&.120
> add rule nat prerouting iif eth0 dnat to 192\&.168\&.1\&.120
>
> # translate source addresses of all packets leaving via eth0 to whatever
> # locally generated packets would use as source to reach the same destination
> add rule nat postrouting oif eth0 masquerade
>
> # redirect incoming TCP traffic for port 22 to port 2222
> add rule nat prerouting tcp dport 22 redirect to :2222
>
> # inet family:
> # handle ip dnat:
> add rule inet nat prerouting dnat ip to 10\&.0\&.2\&.99
> # handle ip6 dnat:
> add rule inet nat prerouting dnat ip6 to fe80::dead
> # this masquerades both ipv4 and ipv6:
> add rule inet nat postrouting meta oif ppp0 masquerade
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "TPROXY STATEMENT"
> .sp
> Tproxy redirects the packet to a local socket without changing the packet header in any way\&. If any of the arguments is missing the data of the incoming packet is used as parameter\&. Tproxy matching requires another rule that ensures the presence of transport protocol header is specified\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBtproxy to\fR \fIaddress\fR\fB:\fR\fIport\fR
> \fBtproxy to\fR {\fIaddress\fR | \fB:\fR\fIport\fR}
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> This syntax can be used in \fBip/ip6\fR tables where network layer protocol is obvious\&. Either IP address or port can be specified, but at least one of them is necessary\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBtproxy\fR {\fBip\fR | \fBip6\fR} \fBto\fR \fIaddress\fR[\fB:\fR\fIport\fR]
> \fBtproxy to :\fR\fIport\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> This syntax can be used in \fBinet\fR tables\&. The \fBip/ip6\fR parameter defines the family the rule will match\&. The \fBaddress\fR parameter must be of this family\&. When only \fBport\fR is defined, the address family should not be specified\&. In this case the rule will match for both families\&.
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&66.\ \&tproxy attributes
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Name
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt.
> T{
> .sp
> address
> T}:T{
> .sp
> IP address the listening socket with IP_TRANSPARENT option is bound to\&.
> T}
> T{
> .sp
> port
> T}:T{
> .sp
> Port the listening socket with IP_TRANSPARENT option is bound to\&.
> T}
> .TE
> .sp 1
> .PP
> \fBExample ruleset for tproxy statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> table ip x {
> chain y {
> type filter hook prerouting priority \-150; policy accept;
> tcp dport ntp tproxy to 1\&.1\&.1\&.1
> udp dport ssh tproxy to :2222
> }
> }
> table ip6 x {
> chain y {
> type filter hook prerouting priority \-150; policy accept;
> tcp dport ntp tproxy to [dead::beef]
> udp dport ssh tproxy to :2222
> }
> }
> table inet x {
> chain y {
> type filter hook prerouting priority \-150; policy accept;
> tcp dport 321 tproxy to :ssh
> tcp dport 99 tproxy ip to 1\&.1\&.1\&.1:999
> udp dport 155 tproxy ip6 to [dead::beef]:smux
> }
> }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "SYNPROXY STATEMENT"
> .sp
> This statement will process TCP three\-way\-handshake parallel in netfilter context to protect either local or backend system\&. This statement requires connection tracking because sequence numbers need to be translated\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBsynproxy\fR [\fBmss\fR \fImss_value\fR] [\fBwscale\fR \fIwscale_value\fR] [\fISYNPROXY_FLAGS\fR]
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&67.\ \&synproxy statement attributes
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Name
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt.
> T{
> .sp
> mss
> T}:T{
> .sp
> Maximum segment size announced to clients\&. This must match the backend\&.
> T}
> T{
> .sp
> wscale
> T}:T{
> .sp
> Window scale announced to clients\&. This must match the backend\&.
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&68.\ \&synproxy statement flags
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Flag
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt.
> T{
> .sp
> sack\-perm
> T}:T{
> .sp
> Pass client selective acknowledgement option to backend (will be disabled if not present)\&.
> T}
> T{
> .sp
> timestamp
> T}:T{
> .sp
> Pass client timestamp option to backend (will be disabled if not present, also needed for selective acknowledgement and window scaling)\&.
> T}
> .TE
> .sp 1
> .PP
> \fBExample ruleset for synproxy statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> Determine tcp options used by backend, from an external system
>
>     tcpdump \-pni eth0 \-c 1 \*(Aqtcp[tcpflags] == (tcp\-syn|tcp\-ack)\*(Aq
>         port 80 &
>     telnet 192\&.0\&.2\&.42 80
>     18:57:24\&.693307 IP 192\&.0\&.2\&.42\&.80 > 192\&.0\&.2\&.43\&.48757:
>         Flags [S\&.], seq 360414582, ack 788841994, win 14480,
>         options [mss 1460,sackOK,
>         TS val 1409056151 ecr 9690221,
>         nop,wscale 9],
>         length 0
>
> Switch tcp_loose mode off, so conntrack will mark out\-of\-flow packets as state INVALID\&.
>
>     echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
>
> Make SYN packets untracked\&.
>
>     table ip x {
>         chain y {
>             type filter hook prerouting priority raw; policy accept;
>             tcp flags syn notrack
>         }
>     }
>
> Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send
> them to SYNPROXY\&. This rule will respond to SYN packets with SYN+ACK
> syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and
> drop incorrect cookies\&. Flags combinations not expected during 3WHS will not
> match and continue (e\&.g\&. SYN+FIN, SYN+ACK)\&. Finally, drop invalid packets, this
> will be out\-of\-flow packets that were not matched by SYNPROXY\&.
>
>     table ip foo {
>         chain z {
>             type filter hook input priority filter; policy accept;
>             ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack\-perm
>             ct state invalid drop
>         }
>     }
>
> The outcome ruleset of the steps above should be similar to the one below\&.
>
>     table ip x {
>         chain y {
>             type filter hook prerouting priority raw; policy accept;
>             tcp flags syn notrack
>         }
>
>         chain z {
>             type filter hook input priority filter; policy accept;
>             ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack\-perm
>             ct state invalid drop
>         }
>     }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "FLOW STATEMENT"
> .sp
> A flow statement allows us to select what flows you want to accelerate forwarding through layer 3 network stack bypass\&. You have to specify the flowtable name where you want to offload this flow\&.
> .sp
> \fBflow add @\fR\fIflowtable\fR
> .SS "QUEUE STATEMENT"
> .sp
> This statement passes the packet to userspace using the nfnetlink_queue handler\&. The packet is put into the queue identified by its 16\-bit queue number\&. Userspace can inspect and modify the packet if desired\&. Userspace must then drop or re\-inject the packet into the kernel\&. See libnetfilter_queue documentation for details\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBqueue\fR [\fBnum\fR \fIqueue_number\fR] [\fBbypass\fR]
> \fBqueue\fR [\fBnum\fR \fIqueue_number_from\fR \- \fIqueue_number_to\fR] [\fIQUEUE_FLAGS\fR]
>
> \fIQUEUE_FLAGS\fR := \fIQUEUE_FLAG\fR [\fB,\fR \fIQUEUE_FLAGS\fR]
> \fIQUEUE_FLAG\fR := \fBbypass\fR | \fBfanout\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&69.\ \&queue statement values
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Value
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt
> lt lt lt.
> T{
> .sp
> queue_number
> T}:T{
> .sp
> Sets queue number, default is 0\&.
> T}:T{
> .sp
> unsigned integer (16 bit)
> T}
> T{
> .sp
> queue_number_from
> T}:T{
> .sp
> Sets initial queue in the range, if fanout is used\&.
> T}:T{
> .sp
> unsigned integer (16 bit)
> T}
> T{
> .sp
> queue_number_to
> T}:T{
> .sp
> Sets closing queue in the range, if fanout is used\&.
> T}:T{
> .sp
> unsigned integer (16 bit)
> T}
> .TE
> .sp 1
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&70.\ \&queue statement flags
> .TS
> allbox tab(:);
> ltB ltB.
> T{
> Flag
> T}:T{
> Description
> T}
> .T&
> lt lt
> lt lt.
> T{
> .sp
> bypass
> T}:T{
> .sp
> Let packets go through if userspace application cannot back off\&. Before using this flag, read libnetfilter_queue documentation for performance tuning recommendations\&.
> T}
> T{
> .sp
> fanout
> T}:T{
> .sp
> Distribute packets between several queues\&.
> T}
> .TE
> .sp 1
> .SS "DUP STATEMENT"
> .sp
> The dup statement is used to duplicate a packet and send the copy to a different destination\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fBdup to\fR \fIdevice\fR
> \fBdup to\fR \fIaddress\fR \fBdevice\fR \fIdevice\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .it 1 an-trap
> .nr an-no-space-flag 1
> .nr an-break-flag 1
> .br
> .B Table\ \&71.\ \&Dup statement values
> .TS
> allbox tab(:);
> ltB ltB ltB.
> T{
> Expression
> T}:T{
> Description
> T}:T{
> Type
> T}
> .T&
> lt lt lt
> lt lt lt.
> T{
> .sp
> address
> T}:T{
> .sp
> Specifies that the copy of the packet should be sent to a new gateway\&.
> T}:T{
> .sp
> ipv4_addr, ipv6_addr, e\&.g\&. abcd::1234, or you can use a mapping, e\&.g\&. ip saddr map { 192\&.168\&.1\&.2 : 10\&.1\&.1\&.1 }
> T}
> T{
> .sp
> device
> T}:T{
> .sp
> Specifies that the copy should be transmitted via device\&.
> T}:T{
> .sp
> string
> T}
> .TE
> .sp 1
> .PP
> \fBUsing the dup statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # send to machine with ip address 10\&.2\&.3\&.4 on eth0
> ip filter forward dup to 10\&.2\&.3\&.4 device "eth0"
>
> # copy raw frame to another interface
> netdetv ingress dup to "eth0"
> dup to "eth0"
>
> # combine with map dst addr to gateways
> dup to ip daddr map { 192\&.168\&.7\&.1 : "eth0", 192\&.168\&.7\&.2 : "eth1" }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "FWD STATEMENT"
> .sp
> The fwd statement is used to redirect a raw packet to another interface\&. It is only available in the netdev family ingress hook\&. It is similar to the dup statement except that no copy is made\&.
> .sp
> \fBfwd to\fR \fIdevice\fR
> .SS "SET STATEMENT"
> .sp
> The set statement is used to dynamically add or update elements in a set from the packet path\&. The set setname must already exist in the given table and must have been created with one or both of the dynamic and the timeout flags\&. The dynamic flag is required if the set statement expression includes a stateful object\&. The timeout flag is implied if the set is created with a timeout, and is required if the set statement updates elements, rather than adding them\&. Furthermore, these sets should specify both a maximum set size (to prevent memory exhaustion), and their elements should have a timeout (so their number will not grow indefinitely) either from the set definition or from the statement that adds or updates them\&. The set statement can be used to e\&.g\&. create dynamic blacklists\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> {\fBadd\fR | \fBupdate\fR} \fB@\fR\fIsetname\fR \fB{\fR \fIexpression\fR [\fBtimeout\fR \fItimeout\fR] [\fBcomment\fR \fIstring\fR] \fB}\fR
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBExample for simple blacklist\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # declare a set, bound to table "filter", in family "ip"\&.
> # Timeout and size are mandatory because we will add elements from packet path\&.
> # Entries will timeout after one minute, after which they might be
> # re\-added if limit condition persists\&.
> nft add set ip filter blackhole \e
>     "{ type ipv4_addr; flags dynamic; timeout 1m; size 65536; }"
>
> # declare a set to store the limit per saddr\&.
> # This must be separate from blackhole since the timeout is different
> nft add set ip filter flood \e
>     "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000; }"
>
> # whitelist internal interface\&.
> nft add rule ip filter input meta iifname "internal" accept
>
> # drop packets coming from blacklisted ip addresses\&.
> nft add rule ip filter input ip saddr @blackhole counter drop
>
> # add source ip addresses to the blacklist if more than 10 tcp connection
> # requests occurred per second and ip address\&.
> nft add rule ip filter input tcp flags syn tcp dport ssh \e
>     add @flood { ip saddr limit rate over 10/second } \e
>     add @blackhole { ip saddr } drop
>
> # inspect state of the sets\&.
> nft list set ip filter flood
> nft list set ip filter blackhole
>
> # manually add two addresses to the blackhole\&.
> nft add element filter blackhole { 10\&.2\&.3\&.4, 10\&.23\&.1\&.42 }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "MAP STATEMENT"
> .sp
> The map statement is used to lookup data based on some specific input key\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fIexpression\fR \fBmap\fR \fB{\fR \fIMAP_ELEMENTS\fR \fB}\fR
>
> \fIMAP_ELEMENTS\fR := \fIMAP_ELEMENT\fR [\fB,\fR \fIMAP_ELEMENTS\fR]
> \fIMAP_ELEMENT\fR := \fIkey\fR \fB:\fR \fIvalue\fR
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> The \fIkey\fR is a value returned by \fIexpression\fR\&.
> .PP
> \fBUsing the map statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # select DNAT target based on TCP dport:
> # connections to port 80 are redirected to 192\&.168\&.1\&.100,
> # connections to port 8888 are redirected to 192\&.168\&.1\&.101
> nft add rule ip nat prerouting dnat tcp dport map { 80 : 192\&.168\&.1\&.100, 8888 : 192\&.168\&.1\&.101 }
>
> # source address based SNAT:
> # packets from net 192\&.168\&.1\&.0/24 will appear as originating from 10\&.0\&.0\&.1,
> # packets from net 192\&.168\&.2\&.0/24 will appear as originating from 10\&.0\&.0\&.2
> nft add rule ip nat postrouting snat to ip saddr map { 192\&.168\&.1\&.0/24 : 10\&.0\&.0\&.1, 192\&.168\&.2\&.0/24 : 10\&.0\&.0\&.2 }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SS "VMAP STATEMENT"
> .sp
> The verdict map (vmap) statement works analogous to the map statement, but contains verdicts as values\&.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> \fIexpression\fR \fBvmap\fR \fB{\fR \fIVMAP_ELEMENTS\fR \fB}\fR
>
> \fIVMAP_ELEMENTS\fR := \fIVMAP_ELEMENT\fR [\fB,\fR \fIVMAP_ELEMENTS\fR]
> \fIVMAP_ELEMENT\fR := \fIkey\fR \fB:\fR \fIverdict\fR
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBUsing the vmap statement\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> # jump to different chains depending on layer 4 protocol type:
> nft add rule ip filter input ip protocol vmap { tcp : jump tcp\-chain, udp : jump udp\-chain , icmp : jump icmp\-chain }
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "ADDITIONAL COMMANDS"
> .sp
> These are some additional commands included in nft\&.
> .SS "MONITOR"
> .sp
> The monitor command allows you to listen to Netlink events produced by the nf_tables subsystem, related to creation and deletion of objects\&. When they occur, nft will print to stdout the monitored events in either JSON or native nft format\&.
> .sp
> To filter events related to a concrete object, use one of the keywords \fItables\fR, \fIchains\fR, \fIsets\fR, \fIrules\fR, \fIelements\fR, \fIruleset\fR\&.
> .sp
> To filter events related to a concrete action, use keyword \fInew\fR or \fIdestroy\fR\&.
> .sp
> Hit ^C to finish the monitor operation\&.
> .PP
> \fBListen to all events, report in native nft format\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> % nft monitor
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBListen to deleted rules, report in JSON format\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> % nft \-j monitor destroy rules
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBListen to both new and destroyed chains, in native nft format\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> % nft monitor chains
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBListen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> % nft monitor ruleset
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "ERROR REPORTING"
> .sp
> When an error is detected, nft shows the line(s) containing the error, the position of the erroneous parts in the input stream and marks up the erroneous parts using carets (^)\&. If the error results from the combination of two expressions or statements, the part imposing the constraints which are violated is marked using tildes (~)\&.
> .sp
> For errors returned by the kernel, nft cannot detect which parts of the input caused the error and the entire command is marked\&.
> .PP
> \fBError caused by single incorrect expression\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> :1:19\-22: Error: Interface does not exist
> filter output oif eth0
>                   ^^^^
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBError caused by invalid combination of two expressions\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> :1:28\-36: Error: Right hand side of relational expression (==) must be constant
> filter output tcp dport == tcp dport
>                         ~~ ^^^^^^^^^
> .fi
> .if n \{\
> .RE
> .\}
> .PP
> \fBError returned by the kernel\fR.
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> :0:0\-23: Error: Could not process rule: Operation not permitted
> filter output oif wlan0
> ^^^^^^^^^^^^^^^^^^^^^^^
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> .SH "EXIT STATUS"
> .sp
> On success, nft exits with a status of 0\&. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2, unable to open Netlink socket with 3\&.
> .SH "SEE ALSO"
> .sp
> .if n \{\
> .RS 4
> .\}
> .nf
> libnftables(3), libnftables\-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
> .fi
> .if n \{\
> .RE
> .\}
> .sp
> There is an official wiki at: https://wiki\&.nftables\&.org
> .SH "AUTHORS"
> .sp
> nftables was written by Patrick McHardy and Pablo Neira Ayuso, among many other contributors from the Netfilter community\&.
> .SH "COPYRIGHT"
> .sp
> Copyright \(co 2008\-2014 Patrick McHardy Copyright \(co 2013\-2018 Pablo Neira Ayuso
> .sp
> nftables is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation\&.
> .sp
> This documentation is licensed under the terms of the Creative Commons Attribution\-ShareAlike 4\&.0 license, CC BY\-SA 4\&.0 http://creativecommons\&.org/licenses/by\-sa/4\&.0/\&.
--
To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv

From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Segmentation fault on trying to view nft.8 man page on Gentoo
To: discuss@mandoc.bsd.lv
From: Aisha Tammy
Message-ID: <19971540-7291-ea54-ac3a-571ea841010a@aisha.cc>
Date: Thu, 4 Feb 2021 12:02:24 -0500
Reply-To: discuss@mandoc.bsd.lv

Ah, nice to know it's not only me.
I still think it might be a better idea to get a new release.
There are also problems with gcc-10 in older release.
Better than carrying patches in all distros.

Aisha

On 2/4/21 11:46 AM, Milan P. Stanić wrote:
> Hi,
>
> On Thu, 2021-02-04 at 11:15, Aisha Tammy wrote:
>> Hi,
>>   It seems that the latest release of mandoc (1.14.5) on Gentoo has trouble
>> viewing the nft.8 man page (attached), it crashes with segmentation fault.
>> I am able to view it on OpenBSD with man -l nft.8, after copying it over.
>> (I can provide access to a gentoo virtual machine where this bug is
>> replicable.)
> About a year ago we had such a bug on Alpine Linux and I reported it here:
> https://marc.info/?l=mandoc-discuss&m=158605350702994&w=2
>
> Bug is fixed with Ingo's patch.
>
>> I presume this must be a bug in the release version that has since been
>> fixed.
>>
>> Can we get another release which we can use so that we can avoid this bug?
>>
>> Thanks a lot,
>> Aisha
>>
>> '\" t
>> .\" Title: nft
>> .\" Author: [see the "AUTHORS" section]
>> .\" Generator: DocBook XSL Stylesheets v1.79.1
>> .\" Date: 01/15/2021
>> .\" Manual: \ \&
>> .\" Source: \ \&
>> .\" Language: English
>> .\"
>> .TH "NFT" "8" "01/15/2021" "\ \&" "\ \&"
>> .\" -----------------------------------------------------------------
>> .\" * Define some portability stuff
>> .\" -----------------------------------------------------------------
>> .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> .\" http://bugs.debian.org/507673
>> .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
>> .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> .ie \n(.g .ds Aq \(aq
>> .el .ds Aq '
>> .\" -----------------------------------------------------------------
>> .\" * set default formatting
>> .\" -----------------------------------------------------------------
>> .\" disable hyphenation
>> .nh
>> .\" disable justification (adjust text to left margin only)
>> .ad l
>> .\" -----------------------------------------------------------------
>> .\" * MAIN CONTENT STARTS HERE *
>> .\" -----------------------------------------------------------------
>> .SH "NAME"
>> nft \- Administration tool of the nftables framework for packet filtering and classification
>> .SH "SYNOPSIS"
>> .sp
>> .nf
>> \fBnft\fR [ \fB\-nNscaeSupyjt\fR ] [ \fB\-I\fR \fIdirectory\fR ] [ \fB\-f\fR \fIfilename\fR | \fB\-i\fR | \fIcmd\fR \&...]
>> \fBnft\fR \fB\-h\fR
>> \fBnft\fR \fB\-v\fR
>> .fi
>> .SH "DESCRIPTION"
>> .sp
>> nft is the command line tool used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel, in the nftables framework\&. The Linux kernel subsystem is known as nf_tables, and \(oqnf\(cq stands for Netfilter\&.
>> .SH "OPTIONS"
>> .sp
>> The command accepts several different options which are documented here in groups for better understanding of their meaning\&. You can get information about options by running \fBnft \-\-help\fR\&.
>> .PP
>> \fBGeneral options:\fR
>> .PP
>> \fB\-h\fR, \fB\-\-help\fR
>> .RS 4
>> Show help message and all options\&.
>> .RE
>> .PP
>> \fB\-v\fR, \fB\-\-version\fR
>> .RS 4
>> Show version\&.
>> .RE
>> .PP
>> \fB\-V\fR
>> .RS 4
>> Show long version information, including compile\-time configuration\&.
>> .RE
>> .PP
>> \fBRuleset input handling options that specify to how to load rulesets:\fR
>> .PP
>> \fB\-f\fR, \fB\-\-file \fR\fB\fIfilename\fR\fR
>> .RS 4
>> Read input from
>> \fIfilename\fR\&. If
>> \fIfilename\fR
>> is \-, read from stdin\&.
>> .RE
>> .PP
>> \fB\-i\fR, \fB\-\-interactive\fR
>> .RS 4
>> Read input from an interactive readline CLI\&. You can use quit to exit, or use the EOF marker, normally this is CTRL\-D\&.
>> .RE
>> .PP
>> \fB\-I\fR, \fB\-\-includepath directory\fR
>> .RS 4
>> Add the directory
>> \fIdirectory\fR
>> to the list of directories to be searched for included files\&. This option may be specified multiple times\&.
>> .RE
>> .PP
>> \fB\-c\fR, \fB\-\-check\fR
>> .RS 4
>> Check commands validity without actually applying the changes\&.
>> .RE
>> .PP
>> \fBRuleset list output formatting that modify the output of the list ruleset command:\fR
>> .PP
>> \fB\-a\fR, \fB\-\-handle\fR
>> .RS 4
>> Show object handles in output\&.
>> .RE
>> .PP
>> \fB\-s\fR, \fB\-\-stateless\fR
>> .RS 4
>> Omit stateful information of rules and stateful objects\&.
>> .RE
>> .PP
>> \fB\-t\fR, \fB\-\-terse\fR
>> .RS 4
>> Omit contents of sets from output\&.
>> .RE
>> .PP
>> \fB\-S\fR, \fB\-\-service\fR
>> .RS 4
>> Translate ports to service names as defined by /etc/services\&.
>> .RE
>> .PP
>> \fB\-N\fR, \fB\-\-reversedns\fR
>> .RS 4
>> Translate IP address to names via reverse DNS lookup\&. This may slow down your listing since it generates network traffic\&.
>> .RE
>> .PP
>> \fB\-u\fR, \fB\-\-guid\fR
>> .RS 4
>> Translate numeric UID/GID to names as defined by /etc/passwd and /etc/group\&.
>> .RE
>> .PP
>> \fB\-n\fR, \fB\-\-numeric\fR
>> .RS 4
>> Print fully numerical output\&.
>> .RE
>> .PP
>> \fB\-y\fR, \fB\-\-numeric\-priority\fR
>> .RS 4
>> Display base chain priority numerically\&.
>> .RE
>> .PP
>> \fB\-p\fR, \fB\-\-numeric\-protocol\fR
>> .RS 4
>> Display layer 4 protocol numerically\&.
>> .RE
>> .PP
>> \fB\-T\fR, \fB\-\-numeric\-time\fR
>> .RS 4
>> Show time, day and hour values in numeric format\&.
>> .RE
>> .PP
>> \fBCommand output formatting:\fR
>> .PP
>> \fB\-e\fR, \fB\-\-echo\fR
>> .RS 4
>> When inserting items into the ruleset using
>> \fBadd\fR,
>> \fBinsert\fR
>> or
>> \fBreplace\fR
>> commands, print notifications just like
>> \fBnft monitor\fR\&.
>> .RE
>> .PP
>> \fB\-j\fR, \fB\-\-json\fR
>> .RS 4
>> Format output in JSON\&. See libnftables\-json(5) for a schema description\&.
>> .RE
>> .PP
>> \fB\-d\fR, \fB\-\-debug\fR \fIlevel\fR
>> .RS 4
>> Enable debugging output\&. The debug level can be any of
>> \fBscanner\fR,
>> \fBparser\fR,
>> \fBeval\fR,
>> \fBnetlink\fR,
>> \fBmnl\fR,
>> \fBproto\-ctx\fR,
>> \fBsegtree\fR,
>> \fBall\fR\&. You can combine more than one by separating by the
>> \fI,\fR
>> symbol, for example
>> \fI\-d eval,mnl\fR\&.
>> .RE
>> .SH "INPUT FILE FORMATS"
>> .SS "LEXICAL CONVENTIONS"
>> .sp
>> Input is parsed line\-wise\&. When the last character of a line, just before the newline character, is a non\-quoted backslash (\e), the next line is treated as a continuation\&. Multiple commands on the same line can be separated using a semicolon (;)\&.
>> .sp
>> A hash sign (#) begins a comment\&. All following characters on the same line are ignored\&.
>> .sp
>> Identifiers begin with an alphabetic character (a\-z,A\-Z), followed zero or more alphanumeric characters (a\-z,A\-Z,0\-9) and the characters slash (/), backslash (\e), underscore (_) and dot (\&.)\&. Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes (")\&.
>> .SS "INCLUDE FILES"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBinclude\fR \fIfilename\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Other files can be included by using the \fBinclude\fR statement\&. The directories to be searched for include files can be specified using the \fB\-I\fR/\fB\-\-includepath\fR option\&. You can override this behaviour either by prepending \(oq\&./\(cq to your path to force inclusion of files located in the current working directory (i\&.e\&. relative path) or / for file location expressed as an absolute path\&.
>> .sp
>> If \fB\-I\fR/\fB\-\-includepath\fR is not specified, then nft relies on the default directory that is specified at compile time\&. You can retrieve this default directory via \fB\-h\fR/\fB\-\-help\fR option\&.
>> .sp
>> Include statements support the usual shell wildcard symbols (\e*,?,[])\&. Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement\&. This allows having potentially empty include directories for statements like \fBinclude "/etc/firewall/rules/"\fR\&. The wildcard matches are loaded in alphabetical order\&. Files beginning with dot (\&.) are not matched by include statements\&.
>> .SS "SYMBOLIC VARIABLES"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBdefine\fR \fIvariable\fR \fB=\fR \fIexpr\fR
>> \fB$variable\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Symbolic variables can be defined using the \fBdefine\fR statement\&. Variable references are expressions and can be used initialize other variables\&. The scope of a definition is the current block and all blocks contained within\&.
>> .PP
>> \fBUsing symbolic variables\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> define int_if1 = eth0
>> define int_if2 = eth1
>> define int_ifs = { $int_if1, $int_if2 }
>>
>> filter input iif $int_ifs accept
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SH "ADDRESS FAMILIES"
>> .sp
>> Address families determine the type of packets which are processed\&. For each address family, the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBip\fR
>> T}:T{
>> .sp
>> IPv4 address family\&.
>> T}
>> T{
>> .sp
>> \fBip6\fR
>> T}:T{
>> .sp
>> IPv6 address family\&.
>> T}
>> T{
>> .sp
>> \fBinet\fR
>> T}:T{
>> .sp
>> Internet (IPv4/IPv6) address family\&.
>> T}
>> T{
>> .sp
>> \fBarp\fR
>> T}:T{
>> .sp
>> ARP address family, handling IPv4 ARP packets\&.
>> T}
>> T{
>> .sp
>> \fBbridge\fR
>> T}:T{
>> .sp
>> Bridge address family, handling packets which traverse a bridge device\&.
>> T}
>> T{
>> .sp
>> \fBnetdev\fR
>> T}:T{
>> .sp
>> Netdev address family, handling packets from ingress\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family\&. If an identifier is specified without an address family, the \fBip\fR family is used by default\&.
>> .SS "IPV4/IPV6/INET ADDRESS FAMILIES"
>> .sp
>> The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets\&. They contain five hooks at different packet processing stages in the network stack\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&1.\ \&IPv4/IPv6/Inet address family hooks
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Hook
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> prerouting
>> T}:T{
>> .sp
>> All packets entering the system are processed by the prerouting hook\&. It is invoked before the routing process and is used for early filtering or changing packet attributes that affect routing\&.
>> T}
>> T{
>> .sp
>> input
>> T}:T{
>> .sp
>> Packets delivered to the local system are processed by the input hook\&.
>> T}
>> T{
>> .sp
>> forward
>> T}:T{
>> .sp
>> Packets forwarded to a different host are processed by the forward hook\&.
>> T}
>> T{
>> .sp
>> output
>> T}:T{
>> .sp
>> Packets sent by local processes are processed by the output hook\&.
>> T}
>> T{
>> .sp
>> postrouting
>> T}:T{
>> .sp
>> All packets leaving the system are processed by the postrouting hook\&.
>> T}
>> T{
>> .sp
>> ingress
>> T}:T{
>> .sp
>> All packets entering the system are processed by this hook\&. It is invoked before layer 3 protocol handlers, hence before the prerouting hook, and it can be used for filtering and policing\&. Ingress is only available for Inet family (since Linux kernel 5\&.10)\&.
>> T}
>> .TE
>> .sp 1
>> .SS "ARP ADDRESS FAMILY"
>> .sp
>> The ARP address family handles ARP packets received and sent by the system\&. It is commonly used to mangle ARP packets for clustering\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&2.\ \&ARP address family hooks
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Hook
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt.
>> T{
>> .sp
>> input
>> T}:T{
>> .sp
>> Packets delivered to the local system are processed by the input hook\&.
>> T}
>> T{
>> .sp
>> output
>> T}:T{
>> .sp
>> Packets send by the local system are processed by the output hook\&.
>> T}
>> .TE
>> .sp 1
>> .SS "BRIDGE ADDRESS FAMILY"
>> .sp
>> The bridge address family handles Ethernet packets traversing bridge devices\&.
>> .sp
>> The list of supported hooks is identical to IPv4/IPv6/Inet address families above\&.
>> .SS "NETDEV ADDRESS FAMILY"
>> .sp
>> The Netdev address family handles packets from the device ingress path\&. This family allows you to filter packets of any ethertype such as ARP, VLAN 802\&.1q, VLAN 802\&.1ad (Q\-in\-Q) as well as IPv4 and IPv6 packets\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&3.\ \&Netdev address family hooks
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Hook
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt.
>> T{
>> .sp
>> ingress
>> T}:T{
>> .sp
>> All packets entering the system are processed by this hook\&. It is invoked after the network taps (ie\&. \fBtcpdump\fR), right after \fBtc\fR ingress and before layer 3 protocol handlers, it can be used for early filtering and policing\&.
>> T}
>> .TE
>> .sp 1
>> .SH "RULESET"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBlist\fR | \fBflush\fR} \fBruleset\fR [\fIfamily\fR]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The \fBruleset\fR keyword is used to identify the whole set of tables, chains, etc\&. currently in place in kernel\&. The following \fBruleset\fR commands exist:
>> .TS
>> tab(:);
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> Print the ruleset in human\-readable format\&.
>> T}
>> T{
>> .sp
>> \fBflush\fR
>> T}:T{
>> .sp
>> Clear the whole ruleset\&. Note that, unlike iptables, this will remove all tables and whatever they contain, effectively leading to an empty ruleset \- no packet filtering will happen anymore, so the kernel accepts any valid packet it receives\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> It is possible to limit \fBlist\fR and \fBflush\fR to a specific address family only\&. For a list of valid family names, see the section called \(lqADDRESS FAMILIES\(rq above\&.
>> .sp
>> By design, \fBlist ruleset\fR command output may be used as input to \fBnft \-f\fR\&. Effectively, this is the nft\-equivalent of \fBiptables\-save\fR and \fBiptables\-restore\fR\&.
>> .SH "TABLES"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBcreate\fR} \fBtable\fR [\fIfamily\fR] \fItable\fR [\fB{ flags\fR \fIflags\fR \fB; }\fR]
>> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBtable\fR [\fIfamily\fR] \fItable\fR
>> \fBlist tables\fR [\fIfamily\fR]
>> \fBdelete table\fR [\fIfamily\fR] \fBhandle\fR \fIhandle\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Tables are containers for chains, sets and stateful objects\&. They are identified by their address family and their name\&. The address family must be one of \fBip\fR, \fBip6\fR, \fBinet\fR, \fBarp\fR, \fBbridge\fR, \fBnetdev\fR\&. The \fBinet\fR address family is a dummy family which is used to create hybrid IPv4/IPv6 tables\&. The \fBmeta expression nfproto\fR keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in\&. When no address family is specified, \fBip\fR is used by default\&. The only difference between add and create is that the former will not return an error if the specified table already exists while \fBcreate\fR will return an error\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&4.\ \&Table flags
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Flag
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt.
>> T{
>> .sp
>> dormant
>> T}:T{
>> .sp
>> table is not evaluated any more (base chains are unregistered)\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBAdd, change, delete a table\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # start nft in interactive mode
>> nft \-\-interactive
>>
>> # create a new table\&.
>> create table inet mytable
>>
>> # add a new base chain: get input packets
>> add chain inet mytable myin { type filter hook input priority 0; }
>>
>> # add a single counter to the chain
>> add rule inet mytable myin counter
>>
>> # disable the table temporarily \-\- rules are not evaluated anymore
>> add table inet mytable { flags dormant; }
>>
>> # make table active again:
>> add table inet mytable
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new table for the given family with the given name\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified table\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> List all chains and rules of the specified table\&.
>> T}
>> T{
>> .sp
>> \fBflush\fR
>> T}:T{
>> .sp
>> Flush all chains and rules of the specified table\&.
>> T}
>> .TE
>> .sp 1
>> .SH "CHAINS"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBcreate\fR} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [\fB{ type\fR \fItype\fR \fBhook\fR \fIhook\fR [\fBdevice\fR \fIdevice\fR] \fBpriority\fR \fIpriority\fR \fB;\fR [\fBpolicy\fR \fIpolicy\fR \fB;\fR] \fB}\fR]
>> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR
>> \fBlist chains\fR [\fIfamily\fR]
>> \fBdelete chain\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
>> \fBrename chain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fInewname\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Chains are containers for rules\&. They exist in two kinds, base chains and regular chains\&. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new chain in the specified table\&.
When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack\&.
>> T}
>> T{
>> .sp
>> \fBcreate\fR
>> T}:T{
>> .sp
>> Similar to the \fBadd\fR command, but returns an error if the chain already exists\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified chain\&. The chain must not contain any rules or be used as jump target\&.
>> T}
>> T{
>> .sp
>> \fBrename\fR
>> T}:T{
>> .sp
>> Rename the specified chain\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> List all rules of the specified chain\&.
>> T}
>> T{
>> .sp
>> \fBflush\fR
>> T}:T{
>> .sp
>> Flush all rules of the specified chain\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> For base chains, \fBtype\fR, \fBhook\fR and \fBpriority\fR parameters are mandatory\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&5.\ \&Supported chain types
>> .TS
>> allbox tab(:);
>> ltB ltB ltB ltB.
>> T{
>> Type
>> T}:T{
>> Families
>> T}:T{
>> Hooks
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt lt lt
>> lt lt lt lt
>> lt lt lt lt.
>> T{
>> .sp
>> filter
>> T}:T{
>> .sp
>> all
>> T}:T{
>> .sp
>> all
>> T}:T{
>> .sp
>> Standard chain type to use in doubt\&.
>> T}
>> T{
>> .sp
>> nat
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> prerouting, input, output, postrouting
>> T}:T{
>> .sp
>> Chains of this type perform Native Address Translation based on conntrack entries\&. Only the first packet of a connection actually traverses this chain \- its rules usually define details of the created conntrack entry (NAT statements for instance)\&.
>> T}
>> T{
>> .sp
>> route
>> T}:T{
>> .sp
>> ip, ip6
>> T}:T{
>> .sp
>> output
>> T}:T{
>> .sp
>> If a packet has traversed a chain of this type and is about to be accepted, a new route lookup is performed if relevant parts of the IP header have changed\&. This allows to e\&.g\&. implement policy routing selectors in nftables\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> Apart from the special cases illustrated above (e\&.g\&. \fBnat\fR type not supporting \fBforward\fR hook or \fBroute\fR type only supporting \fBoutput\fR hook), there are three further quirks worth noticing:
>> .sp
>> .RS 4
>> .ie n \{\
>> \h'-04'\(bu\h'+03'\c
>> .\}
>> .el \{\
>> .sp -1
>> .IP \(bu 2.3
>> .\}
>> The netdev family supports merely a single combination, namely
>> \fBfilter\fR
>> type and
>> \fBingress\fR
>> hook\&. Base chains in this family also require the
>> \fBdevice\fR
>> parameter to be present since they exist per incoming interface only\&.
>> .RE
>> .sp
>> .RS 4
>> .ie n \{\
>> \h'-04'\(bu\h'+03'\c
>> .\}
>> .el \{\
>> .sp -1
>> .IP \(bu 2.3
>> .\}
>> The arp family supports only the
>> \fBinput\fR
>> and
>> \fBoutput\fR
>> hooks, both in chains of type
>> \fBfilter\fR\&.
>> .RE
>> .sp
>> .RS 4
>> .ie n \{\
>> \h'-04'\(bu\h'+03'\c
>> .\}
>> .el \{\
>> .sp -1
>> .IP \(bu 2.3
>> .\}
>> The inet family also supports the
>> \fBingress\fR
>> hook (since Linux kernel 5\&.10), to filter IPv4 and IPv6 packet at the same location as the netdev
>> \fBingress\fR
>> hook\&. This inet hook allows you to share sets and maps between the usual
>> \fBprerouting\fR,
>> \fBinput\fR,
>> \fBforward\fR,
>> \fBoutput\fR,
>> \fBpostrouting\fR
>> and this
>> \fBingress\fR
>> hook\&.
>> .RE
>> .sp
>> The \fBpriority\fR parameter accepts a signed integer value or a standard priority name which specifies the order in which chains with same \fBhook\fR value are traversed\&. The ordering is ascending, i\&.e\&. lower priority values have precedence over higher ones\&.
>> .sp
>> Standard priority values can be replaced with easily memorizable names\&. Not all names make sense in every family with every hook (see the compatibility matrices below) but their numerical value can still be used for prioritizing chains\&.
>> .sp
>> These names and values are defined and made available based on what priorities are used by xtables when registering their default chains\&.
>> .sp
>> Most of the families use the same values, but bridge uses different ones from the others\&. See the following tables that describe the values and compatibility\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&6.\ \&Standard priority names, family and hook compatibility matrix
>> .TS
>> allbox tab(:);
>> ltB ltB ltB ltB.
>> T{
>> Name
>> T}:T{
>> Value
>> T}:T{
>> Families
>> T}:T{
>> Hooks
>> T}
>> .T&
>> lt lt lt lt
>> lt lt lt lt
>> lt lt lt lt
>> lt lt lt lt
>> lt lt lt lt
>> lt lt lt lt.
>> T{
>> .sp
>> raw
>> T}:T{
>> .sp
>> \-300
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> all
>> T}
>> T{
>> .sp
>> mangle
>> T}:T{
>> .sp
>> \-150
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> all
>> T}
>> T{
>> .sp
>> dstnat
>> T}:T{
>> .sp
>> \-100
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> prerouting
>> T}
>> T{
>> .sp
>> filter
>> T}:T{
>> .sp
>> 0
>> T}:T{
>> .sp
>> ip, ip6, inet, arp, netdev
>> T}:T{
>> .sp
>> all
>> T}
>> T{
>> .sp
>> security
>> T}:T{
>> .sp
>> 50
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> all
>> T}
>> T{
>> .sp
>> srcnat
>> T}:T{
>> .sp
>> 100
>> T}:T{
>> .sp
>> ip, ip6, inet
>> T}:T{
>> .sp
>> postrouting
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&7.\ \&Standard priority names and hook compatibility for the bridge family
>> .TS
>> allbox tab(:);
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> Name
>> T}:T{
>> .sp
>> Value
>> T}:T{
>> .sp
>> Hooks
>> T}
>> T{
>> .sp
>> dstnat
>> T}:T{
>> .sp
>> \-300
>> T}:T{
>> .sp
>> prerouting
>> T}
>> T{
>> .sp
>> filter
>> T}:T{
>> .sp
>> \-200
>> T}:T{
>> .sp
>> all
>> T}
>> T{
>> .sp
>> out
>> T}:T{
>> .sp
>> 100
>> T}:T{
>> .sp
>> output
>> T}
>> T{
>> .sp
>> srcnat
>> T}:T{
>> .sp
>> 300
>> T}:T{
>> .sp
>> postrouting
>> T}
>> .TE
>> .sp 1
>> .sp
>> Basic arithmetic expressions (addition and subtraction) can also be achieved with these standard names to ease relative prioritizing, e\&.g\&. \fBmangle \- 5\fR stands for \fB\-155\fR\&. Values will also be printed like this until the value is not further than 10 form the standard value\&.
>> .sp
>> Base chains also allow to set the chain\(cqs \fBpolicy\fR, i\&.e\&. what happens to packets not explicitly accepted or refused in contained rules\&. Supported policy values are \fBaccept\fR (which is the default) or \fBdrop\fR\&.
>> .SH "RULES"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBinsert\fR} \fBrule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [\fBhandle\fR \fIhandle\fR | \fBindex\fR \fIindex\fR] \fIstatement\fR \&... [\fBcomment\fR \fIcomment\fR]
>> \fBreplace rule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fBhandle\fR \fIhandle\fR \fIstatement\fR \&... [\fBcomment\fR \fIcomment\fR]
>> \fBdelete rule\fR [\fIfamily\fR] \fItable\fR \fIchain\fR \fBhandle\fR \fIhandle\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Rules are added to chains in the given table\&. If the family is not specified, the ip family is used\&. Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements\&.
>> .sp
>> The add and insert commands support an optional location specifier, which is either a \fIhandle\fR or the \fIindex\fR (starting at zero) of an existing rule\&.
Internally, rule locations are always identified by \fIhandle\fR and the translation from \fIindex\fR happens in userspace\&. This has two potential implications in case a concurrent ruleset change happens after the translation was done: The effective rule index might change if a rule was inserted or deleted before the referred one\&. If the referred rule was deleted, the command is rejected by the kernel just as if an invalid \fIhandle\fR was given\&.
>> .sp
>> A \fIcomment\fR is a single word or a double\-quoted (") multi\-word string which can be used to make notes regarding the actual rule\&. \fBNote:\fR If you use bash for adding rules, you have to escape the quotation marks, e\&.g\&. \e"enable ssh for servers\e"\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new rule described by the list of statements\&. The rule is appended to the given chain unless a location is specified, in which case the rule is inserted after the specified rule\&.
>> T}
>> T{
>> .sp
>> \fBinsert\fR
>> T}:T{
>> .sp
>> Same as \fBadd\fR except the rule is inserted at the beginning of the chain or before the specified rule\&.
>> T}
>> T{
>> .sp
>> \fBreplace\fR
>> T}:T{
>> .sp
>> Similar to \fBadd\fR, but the rule replaces the specified rule\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified rule\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBadd a rule to ip table output chain\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> nft add rule filter output ip daddr 192\&.168\&.0\&.0/24 accept # \*(Aqip filter\*(Aq is assumed
>> # same command, slightly more verbose
>> nft add rule ip filter output ip daddr 192\&.168\&.0\&.0/24 accept
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBdelete rule from inet table\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # nft \-a list ruleset
>> table inet filter {
>> chain input {
>> type filter hook input priority 0; policy accept;
>> ct state established,related accept # handle 4
>> ip saddr 10\&.1\&.1\&.1 tcp dport ssh accept # handle 5
>> \&.\&.\&.
>> # delete the rule with handle 5
>> # nft delete rule inet filter input handle 5
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SH "SETS"
>> .sp
>> nftables offers two kinds of set concepts\&. Anonymous sets are sets that have no specific name\&. The set members are enclosed in curly braces, with commas to separate elements when creating the rule the set is used in\&. Once that rule is removed, the set is removed as well\&. They cannot be updated, i\&.e\&. once an anonymous set is declared it cannot be changed anymore except by removing/altering the rule that uses the anonymous set\&.
>> .PP
>> \fBUsing anonymous sets to accept particular subnets and ports\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> nft add rule filter input ip saddr { 10\&.0\&.0\&.0/8, 192\&.168\&.0\&.0/16 } tcp dport { 22, 443 } accept
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Named sets are sets that need to be defined first before they can be referenced in rules\&. Unlike anonymous sets, elements can be added to or removed from a named set at any time\&. Sets are referenced from rules using an @ prefixed to the sets name\&.
>> .PP
>> \fBUsing named sets to accept addresses and ports\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The sets allowed_hosts and allowed_ports need to be created first\&. The next section describes nft set syntax in more detail\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBadd set\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{ type\fR \fItype\fR | \fBtypeof\fR \fIexpression\fR \fB;\fR [\fBflags\fR \fIflags\fR \fB;\fR] [\fBtimeout\fR \fItimeout\fR \fB;\fR] [\fBgc\-interval\fR \fIgc\-interval\fR \fB;\fR] [\fBelements = {\fR \fIelement\fR[\fB,\fR \&...] \fB} ;\fR] [\fBsize\fR \fIsize\fR \fB;\fR] [\fBpolicy\fR \fIpolicy\fR \fB;\fR] [\fBauto\-merge ;\fR] \fB}\fR
>> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBset\fR [\fIfamily\fR] \fItable\fR \fIset\fR
>> \fBlist sets\fR [\fIfamily\fR]
>> \fBdelete set\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
>> {\fBadd\fR | \fBdelete\fR} \fBelement\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{\fR \fIelement\fR[\fB,\fR \&...] \fB}\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Sets are element containers of a user\-defined data type, they are uniquely identified by a user\-defined name and attached to tables\&. Their behaviour can be tuned with the flags that can be specified at set creation time\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new set in the specified table\&. See the Set specification table below for more information about how to specify a sets properties\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified set\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> Display the elements in the specified set\&.
>> T}
>> T{
>> .sp
>> \fBflush\fR
>> T}:T{
>> .sp
>> Remove all elements from the specified set\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&8.\ \&Set specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> type
>> T}:T{
>> .sp
>> data type of set elements
>> T}:T{
>> .sp
>> string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark
>> T}
>> T{
>> .sp
>> typeof
>> T}:T{
>> .sp
>> data type of set element
>> T}:T{
>> .sp
>> expression to derive the data type from
>> T}
>> T{
>> .sp
>> flags
>> T}:T{
>> .sp
>> set flags
>> T}:T{
>> .sp
>> string: constant, dynamic, interval, timeout
>> T}
>> T{
>> .sp
>> timeout
>> T}:T{
>> .sp
>> time an element stays in the set, mandatory if set is added to from the packet path (ruleset)\&.
>> T}:T{
>> .sp
>> string, decimal followed by unit\&. Units are: d, h, m, s
>> T}
>> T{
>> .sp
>> gc\-interval
>> T}:T{
>> .sp
>> garbage collection interval, only available when timeout or flag timeout are active
>> T}:T{
>> .sp
>> string, decimal followed by unit\&. Units are: d, h, m, s
>> T}
>> T{
>> .sp
>> elements
>> T}:T{
>> .sp
>> elements contained by the set
>> T}:T{
>> .sp
>> set data type
>> T}
>> T{
>> .sp
>> size
>> T}:T{
>> .sp
>> maximum number of elements in the set, mandatory if set is added to from the packet path (ruleset)\&.
>> T}:T{
>> .sp
>> unsigned integer (64 bit)
>> T}
>> T{
>> .sp
>> policy
>> T}:T{
>> .sp
>> set policy
>> T}:T{
>> .sp
>> string: performance [default], memory
>> T}
>> T{
>> .sp
>> auto\-merge
>> T}:T{
>> .sp
>> automatic merge of adjacent/overlapping set elements (only for interval sets)
>> T}:T{
>> .sp
>> T}
>> .TE
>> .sp 1
>> .SH "MAPS"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBadd map\fR [\fIfamily\fR] \fItable\fR \fImap\fR \fB{ type\fR \fItype\fR | \fBtypeof\fR \fIexpression\fR [\fBflags\fR \fIflags\fR \fB;\fR] [\fBelements = {\fR \fIelement\fR[\fB,\fR \&...]
\fB} ;\fR] [\fBsize\fR \fIsize\fR \fB;\fR] [\fBpolicy\fR \fIpolicy\fR \fB;\fR] \fB}\fR
>> {\fBdelete\fR | \fBlist\fR | \fBflush\fR} \fBmap\fR [\fIfamily\fR] \fItable\fR \fImap\fR
>> \fBlist maps\fR [\fIfamily\fR]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Maps store data based on some specific key used as input\&. They are uniquely identified by a user\-defined name and attached to tables\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new map in the specified table\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified map\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> Display the elements in the specified map\&.
>> T}
>> T{
>> .sp
>> \fBflush\fR
>> T}:T{
>> .sp
>> Remove all elements from the specified map\&.
>> T}
>> T{
>> .sp
>> \fBadd element\fR
>> T}:T{
>> .sp
>> Comma\-separated list of elements to add into the specified map\&.
>> T}
>> T{
>> .sp
>> \fBdelete element\fR
>> T}:T{
>> .sp
>> Comma\-separated list of element keys to delete from the specified map\&.
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&9.\ \&Map specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> type
>> T}:T{
>> .sp
>> data type of map elements
>> T}:T{
>> .sp
>> string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark, counter, quota\&.
Counter and quota can\(cqt be used as keys
>> T}
>> T{
>> .sp
>> typeof
>> T}:T{
>> .sp
>> data type of set element
>> T}:T{
>> .sp
>> expression to derive the data type from
>> T}
>> T{
>> .sp
>> flags
>> T}:T{
>> .sp
>> map flags
>> T}:T{
>> .sp
>> string: constant, interval
>> T}
>> T{
>> .sp
>> elements
>> T}:T{
>> .sp
>> elements contained by the map
>> T}:T{
>> .sp
>> map data type
>> T}
>> T{
>> .sp
>> size
>> T}:T{
>> .sp
>> maximum number of elements in the map
>> T}:T{
>> .sp
>> unsigned integer (64 bit)
>> T}
>> T{
>> .sp
>> policy
>> T}:T{
>> .sp
>> map policy
>> T}:T{
>> .sp
>> string: performance [default], memory
>> T}
>> .TE
>> .sp 1
>> .SH "ELEMENTS"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBcreate\fR | \fBdelete\fR | \fBget\fR } \fBelement\fR [\fIfamily\fR] \fItable\fR \fIset\fR \fB{\fR \fIELEMENT\fR[\fB,\fR \&...] \fB}\fR
>>
>> \fIELEMENT\fR := \fIkey_expression\fR \fIOPTIONS\fR [\fB:\fR \fIvalue_expression\fR]
>> \fIOPTIONS\fR := [\fBtimeout\fR \fITIMESPEC\fR] [\fBexpires\fR \fITIMESPEC\fR] [\fBcomment\fR \fIstring\fR]
>> \fITIMESPEC\fR := [\fInum\fR\fBd\fR][\fInum\fR\fBh\fR][\fInum\fR\fBm\fR][\fInum\fR[\fBs\fR]]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Element\-related commands allow to change contents of named sets and maps\&. \fIkey_expression\fR is typically a value matching the set type\&. \fIvalue_expression\fR is not allowed in sets but mandatory when adding to maps, where it matches the data part in it\(cqs type definition\&. When deleting from maps, it may be specified but is optional as \fIkey_expression\fR uniquely identifies the element\&.
>> .sp
>> \fBcreate\fR command is similar to \fBadd\fR with the exception that none of the listed elements may already exist\&.
>> .sp
>> \fBget\fR command is useful to check if an element is contained in a set which may be non\-trivial in very large and/or interval sets\&.
In the latter case, the containing interval is returned instead of just the element itself\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&10.\ \&Element options
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Option
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> timeout
>> T}:T{
>> .sp
>> timeout value for sets/maps with flag \fBtimeout\fR
>> T}
>> T{
>> .sp
>> expires
>> T}:T{
>> .sp
>> the time until given element expires, useful for ruleset replication only
>> T}
>> T{
>> .sp
>> comment
>> T}:T{
>> .sp
>> per element comment field
>> T}
>> .TE
>> .sp 1
>> .SH "FLOWTABLES"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBcreate\fR} \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fIflowtable\fR \fB{ hook\fR \fIhook\fR \fBpriority\fR \fIpriority\fR \fB; devices = {\fR \fIdevice\fR[\fB,\fR \&...] \fB} ; }\fR
>> \fBlist flowtables\fR [\fIfamily\fR]
>> {\fBdelete\fR | \fBlist\fR} \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fIflowtable\fR
>> \fBdelete\fR \fBflowtable\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Flowtables allow you to accelerate packet forwarding in software\&. Flowtables entries are represented through a tuple that is composed of the input interface, source and destination address, source and destination port; and layer 3/4 protocols\&. Each entry also caches the destination interface and the gateway address \- to update the destination link\-layer address \- to forward packets\&. The ttl and hoplimit fields are also decremented\&. Hence, flowtables provides an alternative path that allow packets to bypass the classic forwarding path\&. Flowtables reside in the ingress hook that is located before the prerouting hook\&. You can select which flows you want to offload through the flow expression from the forward chain\&.
Flowtables are identified by their address family and their name\&. The address family must be one of ip, ip6, or inet\&. The inet address family is a dummy family which is used to create hybrid IPv4/IPv6 tables\&. When no address family is specified, ip is used by default\&.
>> .sp
>> The \fBpriority\fR can be a signed integer or \fBfilter\fR which stands for 0\&. Addition and subtraction can be used to set relative priority, e\&.g\&. filter + 5 equals to 5\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new flowtable for the given family with the given name\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified flowtable\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> List all flowtables\&.
>> T}
>> .TE
>> .sp 1
>> .SH "STATEFUL OBJECTS"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBadd\fR | \fBdelete\fR | \fBlist\fR | \fBreset\fR} \fItype\fR [\fIfamily\fR] \fItable\fR \fIobject\fR
>> \fBdelete\fR \fItype\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
>> \fBlist counters\fR [\fIfamily\fR]
>> \fBlist quotas\fR [\fIfamily\fR]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Stateful objects are attached to tables and are identified by an unique name\&. They group stateful information from rules, to reference them in rules the keywords "type name" are used e\&.g\&. "counter name"\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBadd\fR
>> T}:T{
>> .sp
>> Add a new stateful object in the specified table\&.
>> T}
>> T{
>> .sp
>> \fBdelete\fR
>> T}:T{
>> .sp
>> Delete the specified object\&.
>> T}
>> T{
>> .sp
>> \fBlist\fR
>> T}:T{
>> .sp
>> Display stateful information the object holds\&.
>> T}
>> T{
>> .sp
>> \fBreset\fR
>> T}:T{
>> .sp
>> List\-and\-reset stateful object\&.
>> T}
>> .TE
>> .sp 1
>> .SS "CT HELPER"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBct helper\fR \fIhelper\fR \fB{ type\fR \fItype\fR \fBprotocol\fR \fIprotocol\fR \fB;\fR [\fBl3proto\fR \fIfamily\fR \fB;\fR] \fB}\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Ct helper is used to define connection tracking helpers that can then be used in combination with the \fBct helper set\fR statement\&. \fItype\fR and \fIprotocol\fR are mandatory, l3proto is derived from the table family by default, i\&.e\&. in the inet table the kernel will try to load both the ipv4 and ipv6 helper backends, if they are supported by the kernel\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&11.\ \&conntrack helper specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> type
>> T}:T{
>> .sp
>> name of helper type
>> T}:T{
>> .sp
>> quoted string (e\&.g\&. "ftp")
>> T}
>> T{
>> .sp
>> protocol
>> T}:T{
>> .sp
>> layer 4 protocol of the helper
>> T}:T{
>> .sp
>> string (e\&.g\&. ip)
>> T}
>> T{
>> .sp
>> l3proto
>> T}:T{
>> .sp
>> layer 3 protocol of the helper
>> T}:T{
>> .sp
>> address family (e\&.g\&. ip)
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBdefining and assigning ftp helper\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> Unlike iptables, helper assignment needs to be performed after the conntrack
>> lookup has completed, for example with the default 0 hook priority\&.
>>
>> table inet myhelpers {
>> ct helper ftp\-standard {
>> type "ftp" protocol tcp
>> }
>> chain prerouting {
>> type filter hook prerouting priority 0;
>> tcp dport 21 ct helper set "ftp\-standard"
>> }
>> }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "CT TIMEOUT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBct timeout\fR \fIname\fR \fB{ protocol\fR \fIprotocol\fR \fB; policy = {\fR \fIstate\fR\fB:\fR \fIvalue\fR [\fB,\fR \&...] \fB} ;\fR [\fBl3proto\fR \fIfamily\fR \fB;\fR] \fB}\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Ct timeout is used to update connection tracking timeout values\&.Timeout policies are assigned with the \fBct timeout set\fR statement\&. \fIprotocol\fR and \fIpolicy\fR are mandatory, l3proto is derived from the table family by default\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&12.\ \&conntrack timeout specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> protocol
>> T}:T{
>> .sp
>> layer 4 protocol of the timeout object
>> T}:T{
>> .sp
>> string (e\&.g\&. ip)
>> T}
>> T{
>> .sp
>> state
>> T}:T{
>> .sp
>> connection state name
>> T}:T{
>> .sp
>> string (e\&.g\&. "established")
>> T}
>> T{
>> .sp
>> value
>> T}:T{
>> .sp
>> timeout value for connection state
>> T}:T{
>> .sp
>> unsigned integer
>> T}
>> T{
>> .sp
>> l3proto
>> T}:T{
>> .sp
>> layer 3 protocol of the timeout object
>> T}:T{
>> .sp
>> address family (e\&.g\&. ip)
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBdefining and assigning ct timeout policy\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> table ip filter {
>> ct timeout customtimeout {
>> protocol tcp;
>> l3proto ip
>> policy = { established: 120, close: 20 }
>> }
>>
>> chain output {
>> type filter hook output priority filter; policy accept;
>> ct timeout set "customtimeout"
>> }
>> }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBtesting the updated timeout policy\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> % conntrack \-E
>>
>> It should display:
>>
>> [UPDATE] tcp 6 120 ESTABLISHED src=172\&.16\&.19\&.128 dst=172\&.16\&.19\&.1
>> sport=22 dport=41360 [UNREPLIED] src=172\&.16\&.19\&.1 dst=172\&.16\&.19\&.128
>> sport=41360 dport=22
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "CT EXPECTATION"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBct expectation\fR \fIname\fR \fB{ protocol\fR \fIprotocol\fR \fB; dport\fR \fIdport\fR \fB; timeout\fR \fItimeout\fR \fB; size\fR \fIsize\fR \fB; [*l3proto\fR \fIfamily\fR \fB;\fR] \fB}\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Ct expectation is used to create connection expectations\&. Expectations are assigned with the \fBct expectation set\fR statement\&. \fIprotocol\fR, \fIdport\fR, \fItimeout\fR and \fIsize\fR are mandatory, l3proto is derived from the table family by default\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&13.\ \&conntrack expectation specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> protocol
>> T}:T{
>> .sp
>> layer 4 protocol of the expectation object
>> T}:T{
>> .sp
>> string (e\&.g\&.
ip)
>> T}
>> T{
>> .sp
>> dport
>> T}:T{
>> .sp
>> destination port of expected connection
>> T}:T{
>> .sp
>> unsigned integer
>> T}
>> T{
>> .sp
>> timeout
>> T}:T{
>> .sp
>> timeout value for expectation
>> T}:T{
>> .sp
>> unsigned integer
>> T}
>> T{
>> .sp
>> size
>> T}:T{
>> .sp
>> size value for expectation
>> T}:T{
>> .sp
>> unsigned integer
>> T}
>> T{
>> .sp
>> l3proto
>> T}:T{
>> .sp
>> layer 3 protocol of the expectation object
>> T}:T{
>> .sp
>> address family (e\&.g\&. ip)
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBdefining and assigning ct expectation policy\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> table ip filter {
>> ct expectation expect {
>> protocol udp
>> dport 9876
>> timeout 2m
>> size 8
>> l3proto ip
>> }
>>
>> chain input {
>> type filter hook input priority filter; policy accept;
>> ct expectation set "expect"
>> }
>> }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "COUNTER"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBcounter\fR [\fIpackets bytes\fR]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&14.\ \&Counter specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> packets
>> T}:T{
>> .sp
>> initial count of packets
>> T}:T{
>> .sp
>> unsigned integer (64 bit)
>> T}
>> T{
>> .sp
>> bytes
>> T}:T{
>> .sp
>> initial count of bytes
>> T}:T{
>> .sp
>> unsigned integer (64 bit)
>> T}
>> .TE
>> .sp 1
>> .SS "QUOTA"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBquota\fR [\fBover\fR | \fBuntil\fR] [\fIused\fR]
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&15.\ \&Quota specifications
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> quota
>> T}:T{
>> .sp
>> quota limit, used as the quota name
>> T}:T{
>> .sp
>> Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes\&. "over" and "until" go before these arguments
>> T}
>> T{
>> .sp
>> used
>> T}:T{
>> .sp
>> initial value of used quota
>> T}:T{
>> .sp
>> Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes
>> T}
>> .TE
>> .sp 1
>> .SH "EXPRESSIONS"
>> .sp
>> Expressions represent values, either constants like network addresses, port numbers, etc\&., or data gathered from the packet during ruleset evaluation\&. Expressions can be combined using binary, logical, relational and other types of expressions to form complex or relational (match) expressions\&. They are also used as arguments to certain types of operations, like NAT, packet marking etc\&.
>> .sp
>> Each expression has a data type, which determines the size, parsing and representation of symbolic values and type compatibility with other expressions\&.
>> .SS "DESCRIBE COMMAND"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBdescribe\fR \fIexpression\fR | \fIdata type\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The \fBdescribe\fR command shows information about the type of an expression and its data type\&. A data type may also be given, in which nft will display more information about the type\&.
>> .PP
>> \fBThe describe command\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> $ nft describe tcp flags
>> payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
>>
>> predefined symbolic constants:
>> fin 0x01
>> syn 0x02
>> rst 0x04
>> psh 0x08
>> ack 0x10
>> urg 0x20
>> ecn 0x40
>> cwr 0x80
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SH "DATA TYPES"
>> .sp
>> Data types determine the size, parsing and representation of symbolic values and type compatibility of expressions\&.
A number of global data types exist, in addition some expression types define further data types specific to the expression type\&. Most data types have a fixed size, some however may have a dynamic size, f\&.i\&. the string type\&. Some types also have predefined symbolic constants\&. Those can be listed using the nft \fBdescribe\fR command: >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> $ nft describe ct_state >> datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits >> >> pre\-defined symbolic constants (in hexadecimal): >> invalid 0x00000001 >> new \&.\&.\&. >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> Types may be derived from lower order types, f\&.i\&. the IPv4 address type is derived from the integer type, meaning an IPv4 address can also be specified as an integer value\&. >> .sp >> In certain contexts (set and map definitions), it is necessary to explicitly specify a data type\&. Each type has a name which is used for this\&. >> .SS "INTEGER TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> Integer >> T}:T{ >> .sp >> integer >> T}:T{ >> .sp >> variable >> T}:T{ >> .sp >> \- >> T} >> .TE >> .sp 1 >> .sp >> The integer type is used for numeric values\&. It may be specified as a decimal, hexadecimal or octal number\&. The integer type does not have a fixed size, its size is determined by the expression for which it is used\&. >> .SS "BITMASK TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> Bitmask >> T}:T{ >> .sp >> bitmask >> T}:T{ >> .sp >> variable >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The bitmask type (\fBbitmask\fR) is used for bitmasks\&. >> .SS "STRING TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB.
>> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> String >> T}:T{ >> .sp >> string >> T}:T{ >> .sp >> variable >> T}:T{ >> .sp >> \- >> T} >> .TE >> .sp 1 >> .sp >> The string type is used for character strings\&. A string begins with an alphabetic character (a\-zA\-Z) followed by zero or more alphanumeric characters or the characters /, \-, _ and \&.\&. In addition, anything enclosed in double quotes (") is recognized as a string\&. >> .PP >> \fBString specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # Interface name >> filter input iifname eth0 >> >> # Weird interface name >> filter input iifname "(eth0)" >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "LINK LAYER ADDRESS TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> Link layer address >> T}:T{ >> .sp >> lladdr >> T}:T{ >> .sp >> variable >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The link layer address type is used for link layer addresses\&. Link layer addresses are specified as a variable amount of groups of two hexadecimal digits separated using colons (:)\&. >> .PP >> \fBLink layer address specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # Ethernet destination MAC address >> filter input ether daddr 20:c9:d0:43:12:d9 >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "IPV4 ADDRESS TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> IPV4 address >> T}:T{ >> .sp >> ipv4_addr >> T}:T{ >> .sp >> 32 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The IPv4 address type is used for IPv4 addresses\&. Addresses are specified in either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name\&.
A host name will be resolved using the standard system resolver\&. >> .PP >> \fBIPv4 address specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # dotted decimal notation >> filter output ip daddr 127\&.0\&.0\&.1 >> >> # host name >> filter output ip daddr localhost >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "IPV6 ADDRESS TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> IPv6 address >> T}:T{ >> .sp >> ipv6_addr >> T}:T{ >> .sp >> 128 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The IPv6 address type is used for IPv6 addresses\&. Addresses are specified as a host name or as hexadecimal halfwords separated by colons\&. Addresses might be enclosed in square brackets ("[]") to differentiate them from port numbers\&. >> .PP >> \fBIPv6 address specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # abbreviated loopback address >> filter output ip6 daddr ::1 >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBIPv6 address specification with bracket notation\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # without [] the port number (22) would be parsed as part of the >> # ipv6 address >> ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22 >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "BOOLEAN TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> Boolean >> T}:T{ >> .sp >> boolean >> T}:T{ >> .sp >> 1 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The boolean type is a syntactical helper type in userspace\&. Its use is in the right\-hand side of a (typically implicit) relational expression to change the expression on the left\-hand side into a boolean check (usually for existence)\&.
>> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&16.\ \&The following keywords will automatically resolve into a boolean type with given value >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt. >> T{ >> .sp >> exists >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> missing >> T}:T{ >> .sp >> 0 >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&17.\ \&expressions support a boolean comparison >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Expression >> T}:T{ >> Behaviour >> T} >> .T& >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> fib >> T}:T{ >> .sp >> Check route existence\&. >> T} >> T{ >> .sp >> exthdr >> T}:T{ >> .sp >> Check IPv6 extension header existence\&. >> T} >> T{ >> .sp >> tcp option >> T}:T{ >> .sp >> Check TCP option header existence\&. >> T} >> .TE >> .sp 1 >> .PP >> \fBBoolean specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # match if route exists >> filter input fib daddr \&. iif oif exists >> >> # match only non\-fragmented packets in IPv6 traffic >> filter input exthdr frag missing >> >> # match if TCP timestamp option is present >> filter input tcp option timestamp exists >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "ICMP TYPE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> ICMP Type >> T}:T{ >> .sp >> icmp_type >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The ICMP Type type is used to conveniently specify the ICMP header\(cqs type field\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&18.\ \&Keywords may be used when specifying the ICMP type >> .TS >> allbox tab(:); >> ltB ltB.
>> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> echo\-reply >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> destination\-unreachable >> T}:T{ >> .sp >> 3 >> T} >> T{ >> .sp >> source\-quench >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> redirect >> T}:T{ >> .sp >> 5 >> T} >> T{ >> .sp >> echo\-request >> T}:T{ >> .sp >> 8 >> T} >> T{ >> .sp >> router\-advertisement >> T}:T{ >> .sp >> 9 >> T} >> T{ >> .sp >> router\-solicitation >> T}:T{ >> .sp >> 10 >> T} >> T{ >> .sp >> time\-exceeded >> T}:T{ >> .sp >> 11 >> T} >> T{ >> .sp >> parameter\-problem >> T}:T{ >> .sp >> 12 >> T} >> T{ >> .sp >> timestamp\-request >> T}:T{ >> .sp >> 13 >> T} >> T{ >> .sp >> timestamp\-reply >> T}:T{ >> .sp >> 14 >> T} >> T{ >> .sp >> info\-request >> T}:T{ >> .sp >> 15 >> T} >> T{ >> .sp >> info\-reply >> T}:T{ >> .sp >> 16 >> T} >> T{ >> .sp >> address\-mask\-request >> T}:T{ >> .sp >> 17 >> T} >> T{ >> .sp >> address\-mask\-reply >> T}:T{ >> .sp >> 18 >> T} >> .TE >> .sp 1 >> .PP >> \fBICMP Type specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # match ping packets >> filter output icmp type { echo\-request, echo\-reply } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "ICMP CODE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> ICMP Code >> T}:T{ >> .sp >> icmp_code >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The ICMP Code type is used to conveniently specify the ICMP header\(cqs code field\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&19.\ \&Keywords may be used when specifying the ICMP code >> .TS >> allbox tab(:); >> ltB ltB.
>> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> net\-unreachable >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> host\-unreachable >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> prot\-unreachable >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> port\-unreachable >> T}:T{ >> .sp >> 3 >> T} >> T{ >> .sp >> frag\-needed >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> net\-prohibited >> T}:T{ >> .sp >> 9 >> T} >> T{ >> .sp >> host\-prohibited >> T}:T{ >> .sp >> 10 >> T} >> T{ >> .sp >> admin\-prohibited >> T}:T{ >> .sp >> 13 >> T} >> .TE >> .sp 1 >> .SS "ICMPV6 TYPE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> ICMPv6 Type >> T}:T{ >> .sp >> icmpx_code >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The ICMPv6 Type type is used to conveniently specify the ICMPv6 header\(cqs type field\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&20.\ \&keywords may be used when specifying the ICMPv6 type: >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt.
>> T{ >> .sp >> destination\-unreachable >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> packet\-too\-big >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> time\-exceeded >> T}:T{ >> .sp >> 3 >> T} >> T{ >> .sp >> parameter\-problem >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> echo\-request >> T}:T{ >> .sp >> 128 >> T} >> T{ >> .sp >> echo\-reply >> T}:T{ >> .sp >> 129 >> T} >> T{ >> .sp >> mld\-listener\-query >> T}:T{ >> .sp >> 130 >> T} >> T{ >> .sp >> mld\-listener\-report >> T}:T{ >> .sp >> 131 >> T} >> T{ >> .sp >> mld\-listener\-done >> T}:T{ >> .sp >> 132 >> T} >> T{ >> .sp >> mld\-listener\-reduction >> T}:T{ >> .sp >> 132 >> T} >> T{ >> .sp >> nd\-router\-solicit >> T}:T{ >> .sp >> 133 >> T} >> T{ >> .sp >> nd\-router\-advert >> T}:T{ >> .sp >> 134 >> T} >> T{ >> .sp >> nd\-neighbor\-solicit >> T}:T{ >> .sp >> 135 >> T} >> T{ >> .sp >> nd\-neighbor\-advert >> T}:T{ >> .sp >> 136 >> T} >> T{ >> .sp >> nd\-redirect >> T}:T{ >> .sp >> 137 >> T} >> T{ >> .sp >> router\-renumbering >> T}:T{ >> .sp >> 138 >> T} >> T{ >> .sp >> ind\-neighbor\-solicit >> T}:T{ >> .sp >> 141 >> T} >> T{ >> .sp >> ind\-neighbor\-advert >> T}:T{ >> .sp >> 142 >> T} >> T{ >> .sp >> mld2\-listener\-report >> T}:T{ >> .sp >> 143 >> T} >> .TE >> .sp 1 >> .PP >> \fBICMPv6 Type specification\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # match ICMPv6 ping packets >> filter output icmpv6 type { echo\-request, echo\-reply } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "ICMPV6 CODE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> ICMPv6 Code >> T}:T{ >> .sp >> icmpv6_code >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The ICMPv6 Code type is used to conveniently specify the ICMPv6 header\(cqs code field\&.
>> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&21.\ \&keywords may be used when specifying the ICMPv6 code >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> no\-route >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> admin\-prohibited >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> addr\-unreachable >> T}:T{ >> .sp >> 3 >> T} >> T{ >> .sp >> port\-unreachable >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> policy\-fail >> T}:T{ >> .sp >> 5 >> T} >> T{ >> .sp >> reject\-route >> T}:T{ >> .sp >> 6 >> T} >> .TE >> .sp 1 >> .SS "ICMPVX CODE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> ICMPvX Code >> T}:T{ >> .sp >> icmpv6_type >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&22.\ \&keywords may be used when specifying the ICMPvX code >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> no\-route >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> port\-unreachable >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> host\-unreachable >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> admin\-prohibited >> T}:T{ >> .sp >> 3 >> T} >> .TE >> .sp 1 >> .SS "CONNTRACK TYPES" >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&23.\ \&overview of types used in ct expression and statement >> .TS >> allbox tab(:); >> ltB ltB ltB ltB.
>> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt >> lt lt lt lt >> lt lt lt lt >> lt lt lt lt >> lt lt lt lt. >> T{ >> .sp >> conntrack state >> T}:T{ >> .sp >> ct_state >> T}:T{ >> .sp >> 4 byte >> T}:T{ >> .sp >> bitmask >> T} >> T{ >> .sp >> conntrack direction >> T}:T{ >> .sp >> ct_dir >> T}:T{ >> .sp >> 8 bit >> T}:T{ >> .sp >> integer >> T} >> T{ >> .sp >> conntrack status >> T}:T{ >> .sp >> ct_status >> T}:T{ >> .sp >> 4 byte >> T}:T{ >> .sp >> bitmask >> T} >> T{ >> .sp >> conntrack event bits >> T}:T{ >> .sp >> ct_event >> T}:T{ >> .sp >> 4 byte >> T}:T{ >> .sp >> bitmask >> T} >> T{ >> .sp >> conntrack label >> T}:T{ >> .sp >> ct_label >> T}:T{ >> .sp >> 128 bit >> T}:T{ >> .sp >> bitmask >> T} >> .TE >> .sp 1 >> .sp >> For each of the types above, keywords are available for convenience: >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&24.\ \&conntrack state (ct_state) >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> invalid >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> established >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> related >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> new >> T}:T{ >> .sp >> 8 >> T} >> T{ >> .sp >> untracked >> T}:T{ >> .sp >> 64 >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&25.\ \&conntrack direction (ct_dir) >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt. >> T{ >> .sp >> original >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> reply >> T}:T{ >> .sp >> 1 >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&26.\ \&conntrack status (ct_status) >> .TS >> allbox tab(:); >> ltB ltB. 
>> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> expected >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> seen\-reply >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> assured >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> confirmed >> T}:T{ >> .sp >> 8 >> T} >> T{ >> .sp >> snat >> T}:T{ >> .sp >> 16 >> T} >> T{ >> .sp >> dnat >> T}:T{ >> .sp >> 32 >> T} >> T{ >> .sp >> dying >> T}:T{ >> .sp >> 512 >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&27.\ \&conntrack event bits (ct_event) >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> new >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> related >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> destroy >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> reply >> T}:T{ >> .sp >> 8 >> T} >> T{ >> .sp >> assured >> T}:T{ >> .sp >> 16 >> T} >> T{ >> .sp >> protoinfo >> T}:T{ >> .sp >> 32 >> T} >> T{ >> .sp >> helper >> T}:T{ >> .sp >> 64 >> T} >> T{ >> .sp >> mark >> T}:T{ >> .sp >> 128 >> T} >> T{ >> .sp >> seqadj >> T}:T{ >> .sp >> 256 >> T} >> T{ >> .sp >> secmark >> T}:T{ >> .sp >> 512 >> T} >> T{ >> .sp >> label >> T}:T{ >> .sp >> 1024 >> T} >> .TE >> .sp 1 >> .sp >> Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel\&.conf\&. >> .SS "DCCP PKTTYPE TYPE" >> .TS >> allbox tab(:); >> ltB ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Keyword >> T}:T{ >> Size >> T}:T{ >> Base type >> T} >> .T& >> lt lt lt lt. >> T{ >> .sp >> DCCP packet type >> T}:T{ >> .sp >> dccp_pkttype >> T}:T{ >> .sp >> 4 bit >> T}:T{ >> .sp >> integer >> T} >> .TE >> .sp 1 >> .sp >> The DCCP packet type abstracts the different legal values of the respective four bit field in the DCCP header, as stated by RFC4340\&.
Note that possible values 10\-15 are considered reserved and therefore not allowed to be used\&. In iptables\*(Aq \fBdccp\fR match, these values are aliased \fIINVALID\fR\&. With nftables, one may simply match on the numeric value range, i\&.e\&. \fB10\-15\fR\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&28.\ \&keywords may be used when specifying the DCCP packet type >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Value >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> request >> T}:T{ >> .sp >> 0 >> T} >> T{ >> .sp >> response >> T}:T{ >> .sp >> 1 >> T} >> T{ >> .sp >> data >> T}:T{ >> .sp >> 2 >> T} >> T{ >> .sp >> ack >> T}:T{ >> .sp >> 3 >> T} >> T{ >> .sp >> dataack >> T}:T{ >> .sp >> 4 >> T} >> T{ >> .sp >> closereq >> T}:T{ >> .sp >> 5 >> T} >> T{ >> .sp >> close >> T}:T{ >> .sp >> 6 >> T} >> T{ >> .sp >> reset >> T}:T{ >> .sp >> 7 >> T} >> T{ >> .sp >> sync >> T}:T{ >> .sp >> 8 >> T} >> T{ >> .sp >> syncack >> T}:T{ >> .sp >> 9 >> T} >> .TE >> .sp 1 >> .SH "PRIMARY EXPRESSIONS" >> .sp >> The lowest order expression is a primary expression, representing either a constant or a single datum from a packet\(cqs payload, meta data or a stateful module\&.
>> .SS "META EXPRESSIONS" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBmeta\fR {\fBlength\fR | \fBnfproto\fR | \fBl4proto\fR | \fBprotocol\fR | \fBpriority\fR} >> [\fBmeta\fR] {\fBmark\fR | \fBiif\fR | \fBiifname\fR | \fBiiftype\fR | \fBoif\fR | \fBoifname\fR | \fBoiftype\fR | \fBskuid\fR | \fBskgid\fR | \fBnftrace\fR | \fBrtclassid\fR | \fBibrname\fR | \fBobrname\fR | \fBpkttype\fR | \fBcpu\fR | \fBiifgroup\fR | \fBoifgroup\fR | \fBcgroup\fR | \fBrandom\fR | \fBipsec\fR | \fBiifkind\fR | \fBoifkind\fR | \fBtime\fR | \fBhour\fR | \fBday\fR } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> A meta expression refers to meta data associated with a packet\&. >> .sp >> There are two types of meta expressions: unqualified and qualified meta expressions\&. Qualified meta expressions require the meta keyword before the meta key, unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions\&. Meta l4proto is useful to match a particular transport protocol that is part of either an IPv4 or IPv6 packet\&. It will also skip any IPv6 extension headers present in an IPv6 packet\&. >> .sp >> meta iif, oif, iifname and oifname are used to match the interface a packet arrived on or is about to be sent out on\&. >> .sp >> iif and oif are used to match on the interface index, whereas iifname and oifname are used to match on the interface name\&. This is not the same \(em assuming the rule >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> filter input meta iif "foo" >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> Then this rule can only be added if the interface "foo" exists\&. Also, the rule will continue to match even if the interface "foo" is renamed to "bar"\&. >> .sp >> This is because internally the interface index is used\&. In case of dynamically created interfaces, such as tun/tap or dialup interfaces (ppp for example), it might be better to use iifname or oifname instead\&.
>> .sp >> In these cases, the name is used so the interface doesn\(cqt have to e= xist to add such a rule, it will stop matching if the interface gets rena= med and it will match again in case interface gets deleted and later a ne= w interface with the same name is created\&. >> .sp >> Like with iptables, wildcard matching on interface name prefixes is av= ailable for \fBiifname\fR and \fBoifname\fR matches by appending an aster= isk (*) character\&. Note however that unlike iptables, nftables does not= accept interface names consisting of the wildcard character only \- user= s are supposed to just skip those always matching expressions\&. In order= to match on literal asterisk character, one may escape it using backslas= h (\e)\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&29.\ \&Meta expression types >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> length >> T}:T{ >> .sp >> Length of the packet in bytes >> T}:T{ >> .sp >> integer (32\-bit) >> T} >> T{ >> .sp >> nfproto >> T}:T{ >> .sp >> real hook protocol family, useful only in inet table >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> l4proto >> T}:T{ >> .sp >> layer 4 protocol, skips ipv6 extension headers >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> protocol >> T}:T{ >> .sp >> EtherType protocol value >> T}:T{ >> .sp >> ether_type >> T} >> T{ >> .sp >> priority >> T}:T{ >> .sp >> TC packet priority >> T}:T{ >> .sp >> tc_handle >> T} >> T{ >> .sp >> mark >> T}:T{ >> .sp >> Packet mark >> T}:T{ >> .sp >> mark >> T} >> T{ >> .sp >> iif >> T}:T{ >> .sp >> Input interface index >> T}:T{ >> .sp >> iface_index >> T} >> T{ >> .sp >> iifname >> T}:T{ >> .sp >> Input interface name >> T}:T{ >> .sp >> ifname >> T} >> T{ >> .sp >> iiftype >> T}:T{ >> .sp >> Input interface type >> T}:T{ >> .sp >> iface_type >> T} >> T{ >> .sp >> oif >> T}:T{ >> .sp >> Output interface index >> T}:T{ >> .sp >> iface_index >> T} >> T{ >> .sp >> oifname >> T}:T{ >> .sp >> Output interface name >> T}:T{ >> .sp >> ifname >> T} >> T{ >> .sp >> oiftype >> T}:T{ >> .sp >> Output interface hardware type >> T}:T{ >> .sp >> iface_type >> T} >> T{ >> .sp >> sdif >> T}:T{ >> .sp >> Slave device input interface index >> T}:T{ >> .sp >> iface_index >> T} >> T{ >> .sp >> sdifname >> T}:T{ >> .sp >> Slave device interface name >> T}:T{ >> .sp >> ifname >> T} >> T{ >> .sp >> skuid >> T}:T{ >> .sp >> UID associated with originating socket >> T}:T{ >> .sp >> uid >> T} >> T{ >> .sp >> skgid >> T}:T{ >> .sp >> GID associated with originating socket >> T}:T{ >> .sp >> gid >> T} >> T{ >> .sp >> rtclassid >> T}:T{ >> .sp >> Routing realm >> T}:T{ >> .sp >> realm >> T} >> T{ >> .sp >> ibrname >> T}:T{ >> .sp >> Input bridge interface name >> T}:T{ >> .sp >> ifname >> T} >> T{ >> .sp >> obrname >> T}:T{ >> .sp >> Output bridge interface name >> T}:T{ >> .sp >> ifname >> T} 
>> T{ >> .sp >> pkttype >> T}:T{ >> .sp >> packet type >> T}:T{ >> .sp >> pkt_type >> T} >> T{ >> .sp >> cpu >> T}:T{ >> .sp >> cpu number processing the packet >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> iifgroup >> T}:T{ >> .sp >> incoming device group >> T}:T{ >> .sp >> devgroup >> T} >> T{ >> .sp >> oifgroup >> T}:T{ >> .sp >> outgoing device group >> T}:T{ >> .sp >> devgroup >> T} >> T{ >> .sp >> cgroup >> T}:T{ >> .sp >> control group id >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> random >> T}:T{ >> .sp >> pseudo\-random number >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> ipsec >> T}:T{ >> .sp >> true if packet was ipsec encrypted >> T}:T{ >> .sp >> boolean (1 bit) >> T} >> T{ >> .sp >> iifkind >> T}:T{ >> .sp >> Input interface kind >> T}:T{ >> .sp >> T} >> T{ >> .sp >> oifkind >> T}:T{ >> .sp >> Output interface kind >> T}:T{ >> .sp >> T} >> T{ >> .sp >> time >> T}:T{ >> .sp >> Absolute time of packet reception >> T}:T{ >> .sp >> Integer (32 bit) or string >> T} >> T{ >> .sp >> day >> T}:T{ >> .sp >> Day of week >> T}:T{ >> .sp >> Integer (8 bit) or string >> T} >> T{ >> .sp >> hour >> T}:T{ >> .sp >> Hour of day >> T}:T{ >> .sp >> String >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&30.\ \&Meta expression specific types >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Type >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> iface_index >> T}:T{ >> .sp >> Interface index (32 bit number)\&. Can be specified numerically or as name of an existing interface\&. >> T} >> T{ >> .sp >> ifname >> T}:T{ >> .sp >> Interface name (16 byte string)\&. Does not have to exist\&. >> T} >> T{ >> .sp >> iface_type >> T}:T{ >> .sp >> Interface type (16 bit number)\&. >> T} >> T{ >> .sp >> uid >> T}:T{ >> .sp >> User ID (32 bit number)\&.
Can be specified numerically or as user name\&. >> T} >> T{ >> .sp >> gid >> T}:T{ >> .sp >> Group ID (32 bit number)\&. Can be specified numerically or as group name\&. >> T} >> T{ >> .sp >> realm >> T}:T{ >> .sp >> Routing Realm (32 bit number)\&. Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms\&. >> T} >> T{ >> .sp >> devgroup_type >> T}:T{ >> .sp >> Device group (32 bit number)\&. Can be specified numerically or as symbolic name defined in /etc/iproute2/group\&. >> T} >> T{ >> .sp >> pkt_type >> T}:T{ >> .sp >> Packet type: \fBhost\fR (addressed to local host), \fBbroadcast\fR (to all), \fBmulticast\fR (to group), \fBother\fR (addressed to another host)\&. >> T} >> T{ >> .sp >> ifkind >> T}:T{ >> .sp >> Interface kind (16 byte string)\&. See TYPES in ip\-link(8) for a list\&. >> T} >> T{ >> .sp >> time >> T}:T{ >> .sp >> Either an integer or a date in ISO format\&. For example: "2019\-06\-06 17:00"\&. Hour and seconds are optional and can be omitted if desired\&. If omitted, midnight will be assumed\&. The following three would be equivalent: "2019\-06\-06", "2019\-06\-06 00:00" and "2019\-06\-06 00:00:00"\&. When an integer is given, it is assumed to be a UNIX timestamp\&. >> T} >> T{ >> .sp >> day >> T}:T{ >> .sp >> Either a day of week ("Monday", "Tuesday", etc\&.), or an integer between 0 and 6\&. Strings are matched case\-insensitively, and a full match is not expected (e\&.g\&. "Mon" would match "Monday")\&. When an integer is given, 0 is Sunday and 6 is Saturday\&. >> T} >> T{ >> .sp >> hour >> T}:T{ >> .sp >> A string representing an hour in 24\-hour format\&. Seconds can optionally be specified\&. For example, 17:00 and 17:00:00 would be equivalent\&. >> T} >> .TE >> .sp 1 >> .PP >> \fBUsing meta expressions\fR.
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # qualified meta expression >> filter output meta oif eth0 >> filter forward meta iifkind { "tun", "veth" } >> >> # unqualified meta expression >> filter output oif eth0 >> >> # incoming packet was subject to ipsec processing >> raw prerouting meta ipsec exists accept >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "SOCKET EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBsocket\fR {\fBtransparent\fR | \fBmark\fR | \fBwildcard\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet\&. It looks for an established or non\-zero bound listening socket (possibly with a non\-local address)\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&31.\ \&Available socket attributes >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> transparent >> T}:T{ >> .sp >> Value of the IP_TRANSPARENT socket option in the found socket\&. It can be 0 or 1\&. >> T}:T{ >> .sp >> boolean (1 bit) >> T} >> T{ >> .sp >> mark >> T}:T{ >> .sp >> Value of the socket mark (SOL_SOCKET, SO_MARK)\&. >> T}:T{ >> .sp >> mark >> T} >> T{ >> .sp >> wildcard >> T}:T{ >> .sp >> Indicates whether the socket is wildcard\-bound (e\&.g\&. 0\&.0\&.0\&.0 or ::0)\&. >> T}:T{ >> .sp >> boolean (1 bit) >> T} >> .TE >> .sp 1 >> .PP >> \fBUsing socket expression\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # Mark packets that correspond to a transparent socket\&. "socket wildcard 0" >> # means that zero\-bound listener sockets are NOT matched (which is usually >> # exactly what you want)\&.
>> table inet x { >> chain y { >> type filter hook prerouting priority \-150; policy accept; >> socket transparent 1 socket wildcard 0 mark set 0x00000001 accept >> } >> } >> >> # Trace packets that corresponds to a socket with a mark value of 15 >> table inet x { >> chain y { >> type filter hook prerouting priority \-150; policy accept; >> socket mark 0x0000000f nftrace set 1 >> } >> } >> >> # Set packet mark to socket mark >> table inet x { >> chain y { >> type filter hook prerouting priority \-150; policy accept; >> tcp dport 8080 mark set socket mark >> } >> } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "OSF EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBosf\fR [\fBttl\fR {\fBloose\fR | \fBskip\fR}] {\fBname\fR | \fBversion\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> The osf expression does passive operating system fingerprinting\&. This expression compares some data (Window Size, MSS, options and their order, DF, and others) from packets with the SYN bit set\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&32.\ \&Available osf attributes >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Name >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> ttl >> T}:T{ >> .sp >> Do TTL checks on the packet to determine the operating system\&. >> T}:T{ >> .sp >> string >> T} >> T{ >> .sp >> version >> T}:T{ >> .sp >> Do OS version checks on the packet\&. >> T}:T{ >> .sp >> T} >> T{ >> .sp >> name >> T}:T{ >> .sp >> Name of the OS signature to match\&. All signatures can be found at pf\&.os file\&. Use "unknown" for OS signatures that the expression could not detect\&. >> T}:T{ >> .sp >> string >> T} >> .TE >> .sp 1 >> .PP >> \fBAvailable ttl values\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison\&. This generally works for LANs\&.
>> >> * loose: Check if the IP header\*(Aqs TTL is less than the fingerprint one\&. Works for globally\-routable addresses\&. >> * skip: Do not compare the TTL at all\&. >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBUsing osf expression\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # Accept packets that match the "Linux" OS genre signature without comparing TTL\&. >> table inet x { >> chain y { >> type filter hook input priority 0; policy accept; >> osf ttl skip name "Linux" >> } >> } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "FIB EXPRESSIONS" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBfib\fR {\fBsaddr\fR | \fBdaddr\fR | \fBmark\fR | \fBiif\fR | \fBoif\fR} [\fB\&.\fR \&...] {\fBoif\fR | \fBoifname\fR | \fBtype\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> A fib expression queries the fib (forwarding information base) to obtain information such as the output interface index a particular address would use\&. The input is a tuple of elements that is used as input to the fib lookup functions\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&33.\ \&fib expression specific types >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> oif >> T}:T{ >> .sp >> Output interface index >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> oifname >> T}:T{ >> .sp >> Output interface name >> T}:T{ >> .sp >> string >> T} >> T{ >> .sp >> type >> T}:T{ >> .sp >> Address type >> T}:T{ >> .sp >> fib_addrtype >> T} >> .TE >> .sp 1 >> .sp >> Use \fBnft\fR \fBdescribe\fR \fBfib_addrtype\fR to get a list of all address types\&. >> .PP >> \fBUsing fib expressions\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # drop packets without a reverse path >> filter prerouting fib saddr \&. iif oif missing drop >> >> In this example, \*(Aqsaddr \&. 
iif\*(Aq looks up routing information based on the source address and the input interface\&. >> oif picks the output interface index from the routing information\&. >> If no route was found for the source address/input interface combination, the output interface index is zero\&. >> In case the input interface is specified as part of the input key, the output interface index is always the same as the input interface index or zero\&. >> If only \*(Aqsaddr oif\*(Aq is given, then oif can be any interface index or zero\&. >> >> # drop packets to address not configured on incoming interface >> filter prerouting fib daddr \&. iif type != { local, broadcast, multicast } drop >> >> # perform lookup in a specific \*(Aqblackhole\*(Aq table (0xdead, needs ip appropriate ip rule) >> filter prerouting meta mark set 0xdead fib daddr \&. mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "ROUTING EXPRESSIONS" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBrt\fR [\fBip\fR | \fBip6\fR] {\fBclassid\fR | \fBnexthop\fR | \fBmtu\fR | \fBipsec\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> A routing expression refers to routing data associated with a packet\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&34.\ \&Routing expression types >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> classid >> T}:T{ >> .sp >> Routing realm >> T}:T{ >> .sp >> realm >> T} >> T{ >> .sp >> nexthop >> T}:T{ >> .sp >> Routing nexthop >> T}:T{ >> .sp >> ipv4_addr/ipv6_addr >> T} >> T{ >> .sp >> mtu >> T}:T{ >> .sp >> TCP maximum segment size of route >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> ipsec >> T}:T{ >> .sp >> route via ipsec tunnel or transport >> T}:T{ >> .sp >> boolean >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&35.\ \&Routing expression specific types >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Type >> T}:T{ >> Description >> T} >> .T& >> lt lt. >> T{ >> .sp >> realm >> T}:T{ >> .sp >> Routing Realm (32 bit number)\&. Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms\&. >> T} >> .TE >> .sp 1 >> .PP >> \fBUsing routing expressions\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # IP family independent rt expression >> filter output rt classid 10 >> >> # IP family dependent rt expressions >> ip filter output rt nexthop 192\&.168\&.0\&.1 >> ip6 filter output rt nexthop fd00::1 >> inet filter output rt ip nexthop 192\&.168\&.0\&.1 >> inet filter output rt ip6 nexthop fd00::1 >> >> # outgoing packet will be encapsulated/encrypted by ipsec >> filter output rt ipsec exists >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "IPSEC EXPRESSIONS" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBipsec\fR {\fBin\fR | \fBout\fR} [ \fBspnum\fR \fINUM\fR ] {\fBreqid\fR | \fBspi\fR} >> \fBipsec\fR {\fBin\fR | \fBout\fR} [ \fBspnum\fR \fINUM\fR ] {\fBip\fR | \fBip6\fR} {\fBsaddr\fR | \fBdaddr\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> An ipsec expression refers to ipsec data associated with a packet\&. >> .sp >> The \fIin\fR or \fIout\fR keyword needs to be used to specify if the expression should examine inbound or outbound policies\&. The \fIin\fR keyword can be used in the prerouting, input and forward hooks\&. 
The \fIout\fR keyword applies to forward, output and postrouting hooks\&. The optional keyword spnum can be used to match a specific state in a chain, it defaults to 0\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&36.\ \&Ipsec expression types >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> reqid >> T}:T{ >> .sp >> Request ID >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> spi >> T}:T{ >> .sp >> Security Parameter Index >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> saddr >> T}:T{ >> .sp >> Source address of the tunnel >> T}:T{ >> .sp >> ipv4_addr/ipv6_addr >> T} >> T{ >> .sp >> daddr >> T}:T{ >> .sp >> Destination address of the tunnel >> T}:T{ >> .sp >> ipv4_addr/ipv6_addr >> T} >> .TE >> .sp 1 >> .SS "NUMGEN EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBnumgen\fR {\fBinc\fR | \fBrandom\fR} \fBmod\fR \fINUM\fR [ \fBoffset\fR \fINUM\fR ] >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> Create a number generator\&. The \fBinc\fR or \fBrandom\fR keywords control its operation mode: In \fBinc\fR mode, the last returned value is simply incremented\&. In \fBrandom\fR mode, a new random number is returned\&. The value after \fBmod\fR keyword specifies an upper boundary (read: modulus) which is not reached by returned numbers\&. The optional \fBoffset\fR allows to increment the returned value by a fixed offset\&. >> .sp >> A typical use\-case for \fBnumgen\fR is load\-balancing: >> .PP >> \fBUsing numgen expression\fR. 
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # round\-robin between 192\&.168\&.10\&.100 and 192\&.168\&.20\&.200: >> add rule nat prerouting dnat to numgen inc mod 2 map \e >> { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } >> >> # probability\-based with odd bias using intervals: >> add rule nat prerouting dnat to numgen random mod 10 map \e >> { 0\-2 : 192\&.168\&.10\&.100, 3\-9 : 192\&.168\&.20\&.200 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "HASH EXPRESSIONS" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBjhash\fR {\fBip saddr\fR | \fBip6 daddr\fR | \fBtcp dport\fR | \fBudp sport\fR | \fBether saddr\fR} [\fB\&.\fR \&...] \fBmod\fR \fINUM\fR [ \fBseed\fR \fINUM\fR ] [ \fBoffset\fR \fINUM\fR ] >> \fBsymhash\fR \fBmod\fR \fINUM\fR [ \fBoffset\fR \fINUM\fR ] >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> Use a hashing function to generate a number\&. The functions available are \fBjhash\fR, known as Jenkins Hash, and \fBsymhash\fR, for Symmetric Hash\&. The \fBjhash\fR requires an expression to determine the parameters of the packet header to apply the hashing, concatenations are possible as well\&. The value after \fBmod\fR keyword specifies an upper boundary (read: modulus) which is not reached by returned numbers\&. The optional \fBseed\fR is used to specify an init value used as seed in the hashing function\&. The optional \fBoffset\fR allows to increment the returned value by a fixed offset\&. >> .sp >> A typical use\-case for \fBjhash\fR and \fBsymhash\fR is load\-balancing: >> .PP >> \fBUsing hash expressions\fR. 
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # load balance based on source ip between 2 ip addresses: >> add rule nat prerouting dnat to jhash ip saddr mod 2 map \e >> { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } >> >> # symmetric load balancing between 2 ip addresses: >> add rule nat prerouting dnat to symhash mod 2 map \e >> { 0 : 192\&.168\&.10\&.100, 1 : 192\&.168\&.20\&.200 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SH "PAYLOAD EXPRESSIONS" >> .sp >> Payload expressions refer to data from the packet\(cqs payload\&. >> .SS "ETHERNET HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBether\fR {\fBdaddr\fR | \fBsaddr\fR | \fBtype\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&37.\ \&Ethernet header expression types >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> daddr >> T}:T{ >> .sp >> Destination MAC address >> T}:T{ >> .sp >> ether_addr >> T} >> T{ >> .sp >> saddr >> T}:T{ >> .sp >> Source MAC address >> T}:T{ >> .sp >> ether_addr >> T} >> T{ >> .sp >> type >> T}:T{ >> .sp >> EtherType >> T}:T{ >> .sp >> ether_type >> T} >> .TE >> .sp 1 >> .SS "VLAN HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBvlan\fR {\fBid\fR | \fBcfi\fR | \fBpcp\fR | \fBtype\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&38.\ \&VLAN header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> id >> T}:T{ >> .sp >> VLAN ID (VID) >> T}:T{ >> .sp >> integer (12 bit) >> T} >> T{ >> .sp >> cfi >> T}:T{ >> .sp >> Canonical Format Indicator >> T}:T{ >> .sp >> integer (1 bit) >> T} >> T{ >> .sp >> pcp >> T}:T{ >> .sp >> Priority code point >> T}:T{ >> .sp >> integer (3 bit) >> T} >> T{ >> .sp >> type >> T}:T{ >> .sp >> EtherType >> T}:T{ >> .sp >> ether_type >> T} >> .TE >> .sp 1 >> .SS "ARP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBarp\fR {\fBhtype\fR | \fBptype\fR | \fBhlen\fR | \fBplen\fR | \fBoperation\fR | \fBsaddr\fR { \fBip\fR | \fBether\fR } | \fBdaddr\fR { \fBip\fR | \fBether\fR } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&39.\ \&ARP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> htype >> T}:T{ >> .sp >> ARP hardware type >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> ptype >> T}:T{ >> .sp >> EtherType >> T}:T{ >> .sp >> ether_type >> T} >> T{ >> .sp >> hlen >> T}:T{ >> .sp >> Hardware address len >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> plen >> T}:T{ >> .sp >> Protocol address len >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> operation >> T}:T{ >> .sp >> Operation >> T}:T{ >> .sp >> arp_op >> T} >> T{ >> .sp >> saddr ether >> T}:T{ >> .sp >> Ethernet sender address >> T}:T{ >> .sp >> ether_addr >> T} >> T{ >> .sp >> daddr ether >> T}:T{ >> .sp >> Ethernet target address >> T}:T{ >> .sp >> ether_addr >> T} >> T{ >> .sp >> saddr ip >> T}:T{ >> .sp >> IPv4 sender address >> T}:T{ >> .sp >> ipv4_addr >> T} >> T{ >> .sp >> daddr ip >> T}:T{ >> .sp >> IPv4 target address >> T}:T{ >> .sp >> ipv4_addr >> T} >> .TE >> .sp 1 >> .SS "IPV4 HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBip\fR {\fBversion\fR | \fBhdrlength\fR | \fBdscp\fR | \fBecn\fR | \fBlength\fR | \fBid\fR | \fBfrag\-off\fR | \fBttl\fR | \fBprotocol\fR | \fBchecksum\fR | \fBsaddr\fR | \fBdaddr\fR } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&40.\ \&IPv4 header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> version >> T}:T{ >> .sp >> IP header version (4) >> T}:T{ >> .sp >> integer (4 bit) >> T} >> T{ >> .sp >> hdrlength >> T}:T{ >> .sp >> IP header length including options >> T}:T{ >> .sp >> integer (4 bit) FIXME scaling >> T} >> T{ >> .sp >> dscp >> T}:T{ >> .sp >> Differentiated Services Code Point >> T}:T{ >> .sp >> dscp >> T} >> T{ >> .sp >> ecn >> T}:T{ >> .sp >> Explicit Congestion Notification >> T}:T{ >> .sp >> ecn >> T} >> T{ >> .sp >> length >> T}:T{ >> .sp >> Total packet length >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> id >> T}:T{ >> .sp >> IP ID >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> frag\-off >> T}:T{ >> .sp >> Fragment offset >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> ttl >> T}:T{ >> .sp >> Time to live >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> protocol >> T}:T{ >> .sp >> Upper layer protocol >> T}:T{ >> .sp >> inet_proto >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> IP header checksum >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> saddr >> T}:T{ >> .sp >> Source address >> T}:T{ >> .sp >> ipv4_addr >> T} >> T{ >> .sp >> daddr >> T}:T{ >> .sp >> Destination address >> T}:T{ >> .sp >> ipv4_addr >> T} >> .TE >> .sp 1 >> .SS "ICMP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBicmp\fR {\fBtype\fR | \fBcode\fR | \fBchecksum\fR | \fBid\fR | \fBsequence\fR | \fBgateway\fR | \fBmtu\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> This expression refers to ICMP header fields\&. When using it in \fBinet\fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit dependency on IPv4 to be created\&. To match on unusual cases like ICMP over IPv6, one has to add an explicit \fBmeta protocol ip6\fR match to the rule\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&41.\ \&ICMP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. 
>> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> type >> T}:T{ >> .sp >> ICMP type field >> T}:T{ >> .sp >> icmp_type >> T} >> T{ >> .sp >> code >> T}:T{ >> .sp >> ICMP code field >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> ICMP checksum field >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> id >> T}:T{ >> .sp >> ID of echo request/response >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> sequence >> T}:T{ >> .sp >> sequence number of echo request/response >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> gateway >> T}:T{ >> .sp >> gateway of redirects >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> mtu >> T}:T{ >> .sp >> MTU of path MTU discovery >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "IGMP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBigmp\fR {\fBtype\fR | \fBmrt\fR | \fBchecksum\fR | \fBgroup\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> This expression refers to IGMP header fields\&. When using it in \fBinet\fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit dependency on IPv4 to be created\&. To match on unusual cases like IGMP over IPv6, one has to add an explicit \fBmeta protocol ip6\fR match to the rule\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&42.\ \&IGMP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> type >> T}:T{ >> .sp >> IGMP type field >> T}:T{ >> .sp >> igmp_type >> T} >> T{ >> .sp >> mrt >> T}:T{ >> .sp >> IGMP maximum response time field >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> IGMP checksum field >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> group >> T}:T{ >> .sp >> Group address >> T}:T{ >> .sp >> integer (32 bit) >> T} >> .TE >> .sp 1 >> .SS "IPV6 HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBip6\fR {\fBversion\fR | \fBdscp\fR | \fBecn\fR | \fBflowlabel\fR | \fBlength\fR | \fBnexthdr\fR | \fBhoplimit\fR | \fBsaddr\fR | \fBdaddr\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> This expression refers to the ipv6 header fields\&. Caution when using \fBip6 nexthdr\fR, the value only refers to the next header, i\&.e\&. \fBip6 nexthdr tcp\fR will only match if the ipv6 packet does not contain any extension headers\&. Packets that are fragmented or e\&.g\&. contain a routing extension headers will not be matched\&. Please use \fBmeta l4proto\fR if you wish to match the real transport header and ignore any additional extension headers instead\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&43.\ \&IPv6 header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> version >> T}:T{ >> .sp >> IP header version (6) >> T}:T{ >> .sp >> integer (4 bit) >> T} >> T{ >> .sp >> dscp >> T}:T{ >> .sp >> Differentiated Services Code Point >> T}:T{ >> .sp >> dscp >> T} >> T{ >> .sp >> ecn >> T}:T{ >> .sp >> Explicit Congestion Notification >> T}:T{ >> .sp >> ecn >> T} >> T{ >> .sp >> flowlabel >> T}:T{ >> .sp >> Flow label >> T}:T{ >> .sp >> integer (20 bit) >> T} >> T{ >> .sp >> length >> T}:T{ >> .sp >> Payload length >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> nexthdr >> T}:T{ >> .sp >> Nexthdr protocol >> T}:T{ >> .sp >> inet_proto >> T} >> T{ >> .sp >> hoplimit >> T}:T{ >> .sp >> Hop limit >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> saddr >> T}:T{ >> .sp >> Source address >> T}:T{ >> .sp >> ipv6_addr >> T} >> T{ >> .sp >> daddr >> T}:T{ >> .sp >> Destination address >> T}:T{ >> .sp >> ipv6_addr >> T} >> .TE >> .sp 1 >> .PP >> \fBUsing ip6 header expressions\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # matching if first extension header indicates a fragment >> ip6 nexthdr ipv6\-frag >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "ICMPV6 HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBicmpv6\fR {\fBtype\fR | \fBcode\fR | \fBchecksum\fR | \fBparameter\-problem\fR | \fBpacket\-too\-big\fR | \fBid\fR | \fBsequence\fR | \fBmax\-delay\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> This expression refers to ICMPv6 header fields\&. When using it in \fBinet\fR, \fBbridge\fR or \fBnetdev\fR families, it will cause an implicit dependency on IPv6 to be created\&. To match on unusual cases like ICMPv6 over IPv4, one has to add an explicit \fBmeta protocol ip\fR match to the rule\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&44.\ \&ICMPv6 header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. 
>> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> type >> T}:T{ >> .sp >> ICMPv6 type field >> T}:T{ >> .sp >> icmpv6_type >> T} >> T{ >> .sp >> code >> T}:T{ >> .sp >> ICMPv6 code field >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> ICMPv6 checksum field >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> parameter\-problem >> T}:T{ >> .sp >> pointer to problem >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> packet\-too\-big >> T}:T{ >> .sp >> oversized MTU >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> id >> T}:T{ >> .sp >> ID of echo request/response >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> sequence >> T}:T{ >> .sp >> sequence number of echo request/response >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> max\-delay >> T}:T{ >> .sp >> maximum response delay of MLD queries >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "TCP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBtcp\fR {\fBsport\fR | \fBdport\fR | \fBsequence\fR | \fBackseq\fR | \fBdoff\fR | \fBreserved\fR | \fBflags\fR | \fBwindow\fR | \fBchecksum\fR | \fBurgptr\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&45.\ \&TCP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> sport >> T}:T{ >> .sp >> Source port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> dport >> T}:T{ >> .sp >> Destination port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> sequence >> T}:T{ >> .sp >> Sequence number >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> ackseq >> T}:T{ >> .sp >> Acknowledgement number >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> doff >> T}:T{ >> .sp >> Data offset >> T}:T{ >> .sp >> integer (4 bit) FIXME scaling >> T} >> T{ >> .sp >> reserved >> T}:T{ >> .sp >> Reserved area >> T}:T{ >> .sp >> integer (4 bit) >> T} >> T{ >> .sp >> flags >> T}:T{ >> .sp >> TCP flags >> T}:T{ >> .sp >> tcp_flag >> T} >> T{ >> .sp >> window >> T}:T{ >> .sp >> Window >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> Checksum >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> urgptr >> T}:T{ >> .sp >> Urgent pointer >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "UDP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBudp\fR {\fBsport\fR | \fBdport\fR | \fBlength\fR | \fBchecksum\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&46.\ \&UDP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> sport >> T}:T{ >> .sp >> Source port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> dport >> T}:T{ >> .sp >> Destination port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> length >> T}:T{ >> .sp >> Total packet length >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> Checksum >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "UDP\-LITE HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBudplite\fR {\fBsport\fR | \fBdport\fR | \fBchecksum\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&47.\ \&UDP\-Lite header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> sport >> T}:T{ >> .sp >> Source port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> dport >> T}:T{ >> .sp >> Destination port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> Checksum >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "SCTP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBsctp\fR {\fBsport\fR | \fBdport\fR | \fBvtag\fR | \fBchecksum\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&48.\ \&SCTP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> sport >> T}:T{ >> .sp >> Source port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> dport >> T}:T{ >> .sp >> Destination port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> vtag >> T}:T{ >> .sp >> Verification Tag >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> checksum >> T}:T{ >> .sp >> Checksum >> T}:T{ >> .sp >> integer (32 bit) >> T} >> .TE >> .sp 1 >> .SS "DCCP HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBdccp\fR {\fBsport\fR | \fBdport\fR | \fBtype\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&49.\ \&DCCP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> sport >> T}:T{ >> .sp >> Source port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> dport >> T}:T{ >> .sp >> Destination port >> T}:T{ >> .sp >> inet_service >> T} >> T{ >> .sp >> type >> T}:T{ >> .sp >> Packet type >> T}:T{ >> .sp >> dccp_pkttype >> T} >> .TE >> .sp 1 >> .SS "AUTHENTICATION HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBah\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBreserved\fR | \fBspi\fR | \fBsequence\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&50.\ \&AH header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> nexthdr >> T}:T{ >> .sp >> Next header protocol >> T}:T{ >> .sp >> inet_proto >> T} >> T{ >> .sp >> hdrlength >> T}:T{ >> .sp >> AH Header length >> T}:T{ >> .sp >> integer (8 bit) >> T} >> T{ >> .sp >> reserved >> T}:T{ >> .sp >> Reserved area >> T}:T{ >> .sp >> integer (16 bit) >> T} >> T{ >> .sp >> spi >> T}:T{ >> .sp >> Security Parameter Index >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> sequence >> T}:T{ >> .sp >> Sequence number >> T}:T{ >> .sp >> integer (32 bit) >> T} >> .TE >> .sp 1 >> .SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBesp\fR {\fBspi\fR | \fBsequence\fR} >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&51.\ \&ESP header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt. >> T{ >> .sp >> spi >> T}:T{ >> .sp >> Security Parameter Index >> T}:T{ >> .sp >> integer (32 bit) >> T} >> T{ >> .sp >> sequence >> T}:T{ >> .sp >> Sequence number >> T}:T{ >> .sp >> integer (32 bit) >> T} >> .TE >> .sp 1 >> .SS "IPCOMP HEADER EXPRESSION" >> .sp >> \fBcomp\fR {\fBnexthdr\fR | \fBflags\fR | \fBcpi\fR} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&52.\ \&IPComp header expression >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. 
>> T{ >> .sp >> nexthdr >> T}:T{ >> .sp >> Next header protocol >> T}:T{ >> .sp >> inet_proto >> T} >> T{ >> .sp >> flags >> T}:T{ >> .sp >> Flags >> T}:T{ >> .sp >> bitmask >> T} >> T{ >> .sp >> cpi >> T}:T{ >> .sp >> compression Parameter Index >> T}:T{ >> .sp >> integer (16 bit) >> T} >> .TE >> .sp 1 >> .SS "RAW PAYLOAD EXPRESSION" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fB@\fR\fIbase\fR\fB,\fR\fIoffset\fR\fB,\fR\fIlength\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> The raw payload expression instructs to load \fIlength\fR bits starting at \fIoffset\fR bits\&. Bit 0 refers to the very first bit \(em in the C programming language, this corresponds to the topmost bit, i\&.e\&. 0x80 in case of an octet\&. They are useful to match headers that do not have a human\-readable template expression yet\&. Note that nft will not add dependencies for Raw payload expressions\&. If you e\&.g\&. want to match protocol fields of a transport header with protocol number 5, you need to manually exclude packets that have a different transport header, for instance by using \fBmeta l4proto 5\fR before the raw expression\&. >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&53.\ \&Supported payload protocol bases >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Base >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt >> lt lt. >> T{ >> .sp >> ll >> T}:T{ >> .sp >> Link layer, for example the Ethernet header >> T} >> T{ >> .sp >> nh >> T}:T{ >> .sp >> Network header, for example IPv4 or IPv6 >> T} >> T{ >> .sp >> th >> T}:T{ >> .sp >> Transport Header, for example TCP >> T} >> .TE >> .sp 1 >> .PP >> \fBMatching destination port of both UDP and TCP\fR. 
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> The above can also be written as >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> inet filter input meta l4proto {tcp, udp} th dport { 53, 80 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> it is more convenient, but like the raw expression notation no dependencies are created or checked\&. It is the users responsibility to restrict matching to those header types that have a notion of ports\&. Otherwise, rules using raw expressions will errnously match unrelated packets, e\&.g\&. mis\-interpreting ESP packets SPI field as a port\&. >> .PP >> \fBRewrite arp packet target hardware address if target protocol address matches a given address\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "EXTENSION HEADER EXPRESSIONS" >> .sp >> Extension header expressions refer to data from variable\-sized protocol headers, such as IPv6 extension headers, TCP options and IPv4 options\&. >> .sp >> nftables currently supports matching (finding) a given ipv6 extension header, TCP option or IPv4 option\&. 
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBhbh\fR {\fBnexthdr\fR | \fBhdrlength\fR} >> \fBfrag\fR {\fBnexthdr\fR | \fBfrag\-off\fR | \fBmore\-fragments\fR | \fBid\fR} >> \fBrt\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBtype\fR | \fBseg\-left\fR} >> \fBdst\fR {\fBnexthdr\fR | \fBhdrlength\fR} >> \fBmh\fR {\fBnexthdr\fR | \fBhdrlength\fR | \fBchecksum\fR | \fBtype\fR} >> \fBsrh\fR {\fBflags\fR | \fBtag\fR | \fBsid\fR | \fBseg\-left\fR} >> \fBtcp option\fR {\fBeol\fR | \fBnop\fR | \fBmaxseg\fR | \fBwindow\fR | \fBsack\-perm\fR | \fBsack\fR | \fBsack0\fR | \fBsack1\fR | \fBsack2\fR | \fBsack3\fR | \fBtimestamp\fR} \fItcp_option_field\fR >> \fBip option\fR { lsrr | ra | rr | ssrr } \fIip_option_field\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> The following syntaxes are valid only in a relational expression with boolean type on right\-hand side for checking header existence only: >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBexthdr\fR {\fBhbh\fR | \fBfrag\fR | \fBrt\fR | \fBdst\fR | \fBmh\fR} >> \fBtcp option\fR {\fBeol\fR | \fBnop\fR | \fBmaxseg\fR | \fBwindow\fR | \fBsack\-perm\fR | \fBsack\fR | \fBsack0\fR | \fBsack1\fR | \fBsack2\fR | \fBsack3\fR | \fBtimestamp\fR} >> \fBip option\fR { lsrr | ra | rr | ssrr } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&54.\ \&IPv6 extension headers >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Keyword >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt >> lt lt. 
>> T{
>> .sp
>> hbh
>> T}:T{
>> .sp
>> Hop by Hop
>> T}
>> T{
>> .sp
>> rt
>> T}:T{
>> .sp
>> Routing Header
>> T}
>> T{
>> .sp
>> frag
>> T}:T{
>> .sp
>> Fragmentation header
>> T}
>> T{
>> .sp
>> dst
>> T}:T{
>> .sp
>> dst options
>> T}
>> T{
>> .sp
>> mh
>> T}:T{
>> .sp
>> Mobility Header
>> T}
>> T{
>> .sp
>> srh
>> T}:T{
>> .sp
>> Segment Routing Header
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&55.\ \&TCP Options
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> TCP option fields
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> eol
>> T}:T{
>> .sp
>> End if option list
>> T}:T{
>> .sp
>> kind
>> T}
>> T{
>> .sp
>> nop
>> T}:T{
>> .sp
>> 1 Byte TCP Nop padding option
>> T}:T{
>> .sp
>> kind
>> T}
>> T{
>> .sp
>> maxseg
>> T}:T{
>> .sp
>> TCP Maximum Segment Size
>> T}:T{
>> .sp
>> kind, length, size
>> T}
>> T{
>> .sp
>> window
>> T}:T{
>> .sp
>> TCP Window Scaling
>> T}:T{
>> .sp
>> kind, length, count
>> T}
>> T{
>> .sp
>> sack\-perm
>> T}:T{
>> .sp
>> TCP SACK permitted
>> T}:T{
>> .sp
>> kind, length
>> T}
>> T{
>> .sp
>> sack
>> T}:T{
>> .sp
>> TCP Selective Acknowledgement (alias of block 0)
>> T}:T{
>> .sp
>> kind, length, left, right
>> T}
>> T{
>> .sp
>> sack0
>> T}:T{
>> .sp
>> TCP Selective Acknowledgement (block 0)
>> T}:T{
>> .sp
>> kind, length, left, right
>> T}
>> T{
>> .sp
>> sack1
>> T}:T{
>> .sp
>> TCP Selective Acknowledgement (block 1)
>> T}:T{
>> .sp
>> kind, length, left, right
>> T}
>> T{
>> .sp
>> sack2
>> T}:T{
>> .sp
>> TCP Selective Acknowledgement (block 2)
>> T}:T{
>> .sp
>> kind, length, left, right
>> T}
>> T{
>> .sp
>> sack3
>> T}:T{
>> .sp
>> TCP Selective Acknowledgement (block 3)
>> T}:T{
>> .sp
>> kind, length, left, right
>> T}
>> T{
>> .sp
>> timestamp
>> T}:T{
>> .sp
>> TCP Timestamps
>> T}:T{
>> .sp
>> kind, length, tsval, tsecr
>> T}
>> .TE
>> .sp 1
>> .sp
>> TCP option matching also supports raw expression syntax to access arbitrary options:
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBtcp option\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBtcp option\fR \fB@\fR\fInumber\fR\fB,\fR\fIoffset\fR\fB,\fR\fIlength\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&56.\ \&IP Options
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> IP option fields
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> lsrr
>> T}:T{
>> .sp
>> Loose Source Route
>> T}:T{
>> .sp
>> type, length, ptr, addr
>> T}
>> T{
>> .sp
>> ra
>> T}:T{
>> .sp
>> Router Alert
>> T}:T{
>> .sp
>> type, length, value
>> T}
>> T{
>> .sp
>> rr
>> T}:T{
>> .sp
>> Record Route
>> T}:T{
>> .sp
>> type, length, ptr, addr
>> T}
>> T{
>> .sp
>> ssrr
>> T}:T{
>> .sp
>> Strict Source Route
>> T}:T{
>> .sp
>> type, length, ptr, addr
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBfinding TCP options\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> filter input tcp option sack\-perm kind 1 counter
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBmatching IPv6 exthdr\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> ip6 filter input frag more\-fragments 1 counter
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBfinding IP option\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> filter input ip option lsrr exists counter
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "CONNTRACK EXPRESSIONS"
>> .sp
>> Conntrack expressions refer to meta data of the connection tracking entry associated with a packet\&.
>> .sp
>> There are three types of conntrack expressions\&. Some conntrack expressions require the flow direction before the conntrack key, others must be used directly because they are direction agnostic\&.
The \fBpackets\fR, \fBbytes\fR and \fBavgpkt\fR keywords can be used with or without a direction\&. If the direction is omitted, the sum of the original and the reply direction is returned\&. The same is true for the \fBzone\fR, if a direction is given, the zone is only matched if the zone id is tied to the given direction\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBct\fR {\fBstate\fR | \fBdirection\fR | \fBstatus\fR | \fBmark\fR | \fBexpiration\fR | \fBhelper\fR | \fBlabel\fR}
>> \fBct\fR [\fBoriginal\fR | \fBreply\fR] {\fBl3proto\fR | \fBprotocol\fR | \fBbytes\fR | \fBpackets\fR | \fBavgpkt\fR | \fBzone\fR | \fBid\fR}
>> \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBproto\-src\fR | \fBproto\-dst\fR}
>> \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBip\fR | \fBip6\fR} {\fBsaddr\fR | \fBdaddr\fR}
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The conntrack\-specific types in this table are described in the sub\-section CONNTRACK TYPES above\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&57.\ \&Conntrack expressions
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> state
>> T}:T{
>> .sp
>> State of the connection
>> T}:T{
>> .sp
>> ct_state
>> T}
>> T{
>> .sp
>> direction
>> T}:T{
>> .sp
>> Direction of the packet relative to the connection
>> T}:T{
>> .sp
>> ct_dir
>> T}
>> T{
>> .sp
>> status
>> T}:T{
>> .sp
>> Status of the connection
>> T}:T{
>> .sp
>> ct_status
>> T}
>> T{
>> .sp
>> mark
>> T}:T{
>> .sp
>> Connection mark
>> T}:T{
>> .sp
>> mark
>> T}
>> T{
>> .sp
>> expiration
>> T}:T{
>> .sp
>> Connection expiration time
>> T}:T{
>> .sp
>> time
>> T}
>> T{
>> .sp
>> helper
>> T}:T{
>> .sp
>> Helper associated with the connection
>> T}:T{
>> .sp
>> string
>> T}
>> T{
>> .sp
>> label
>> T}:T{
>> .sp
>> Connection tracking label bit or symbolic name defined in connlabel\&.conf in the nftables include path
>> T}:T{
>> .sp
>> ct_label
>> T}
>> T{
>> .sp
>> l3proto
>> T}:T{
>> .sp
>> Layer 3 protocol of the connection
>> T}:T{
>> .sp
>> nf_proto
>> T}
>> T{
>> .sp
>> saddr
>> T}:T{
>> .sp
>> Source address of the connection for the given direction
>> T}:T{
>> .sp
>> ipv4_addr/ipv6_addr
>> T}
>> T{
>> .sp
>> daddr
>> T}:T{
>> .sp
>> Destination address of the connection for the given direction
>> T}:T{
>> .sp
>> ipv4_addr/ipv6_addr
>> T}
>> T{
>> .sp
>> protocol
>> T}:T{
>> .sp
>> Layer 4 protocol of the connection for the given direction
>> T}:T{
>> .sp
>> inet_proto
>> T}
>> T{
>> .sp
>> proto\-src
>> T}:T{
>> .sp
>> Layer 4 protocol source for the given direction
>> T}:T{
>> .sp
>> integer (16 bit)
>> T}
>> T{
>> .sp
>> proto\-dst
>> T}:T{
>> .sp
>> Layer 4 protocol destination for the given direction
>> T}:T{
>> .sp
>> integer (16 bit)
>> T}
>> T{
>> .sp
>> packets
>> T}:T{
>> .sp
>> packet count seen in the given direction or sum of original and reply
>> T}:T{
>> .sp
>> integer (64 bit)
>> T}
>> T{
>> .sp
>> bytes
>> T}:T{
>> .sp
>> byte count seen, see description for \fBpackets\fR keyword
>> T}:T{
>> .sp
>> integer (64 bit)
>> T}
>> T{
>> .sp
>> avgpkt
>> T}:T{
>> .sp
>> average bytes per packet, see
description for \fBpackets\fR keyword
>> T}:T{
>> .sp
>> integer (64 bit)
>> T}
>> T{
>> .sp
>> zone
>> T}:T{
>> .sp
>> conntrack zone
>> T}:T{
>> .sp
>> integer (16 bit)
>> T}
>> T{
>> .sp
>> count
>> T}:T{
>> .sp
>> number of current connections
>> T}:T{
>> .sp
>> integer (32 bit)
>> T}
>> T{
>> .sp
>> id
>> T}:T{
>> .sp
>> Connection id
>> T}:T{
>> .sp
>> ct_id
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBrestrict the number of parallel connections to a server\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> nft add set filter ssh_flood \*(Aq{ type ipv4_addr; flags dynamic; }\*(Aq
>> nft add rule filter input tcp dport 22 add @ssh_flood \*(Aq{ ip saddr ct count over 2 }\*(Aq reject
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SH "STATEMENTS"
>> .sp
>> Statements represent actions to be performed\&. They can alter control flow (return, jump to a different chain, accept or drop the packet) or can perform actions, such as logging, rejecting a packet, etc\&.
>> .sp
>> Statements exist in two kinds\&. Terminal statements unconditionally terminate evaluation of the current rule, non\-terminal statements either only conditionally or never terminate evaluation of the current rule, in other words, they are passive from the ruleset evaluation perspective\&. There can be an arbitrary amount of non\-terminal statements in a rule, but only a single terminal statement as the final statement\&.
>> .SS "VERDICT STATEMENT"
>> .sp
>> The verdict statement alters control flow in the ruleset and issues policy decisions for packets\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> {\fBaccept\fR | \fBdrop\fR | \fBqueue\fR | \fBcontinue\fR | \fBreturn\fR}
>> {\fBjump\fR | \fBgoto\fR} \fIchain\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> \fBaccept\fR and \fBdrop\fR are absolute verdicts \(em they terminate ruleset evaluation immediately\&.
>> .TS
>> tab(:);
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> \fBaccept\fR
>> T}:T{
>> .sp
>> Terminate ruleset evaluation and accept the packet\&. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline\&.
>> T}
>> T{
>> .sp
>> \fBdrop\fR
>> T}:T{
>> .sp
>> Terminate ruleset evaluation and drop the packet\&. The drop occurs instantly, no further chains or hooks are evaluated\&. It is not possible to accept the packet in a later chain again, as those are not evaluated anymore for the packet\&.
>> T}
>> T{
>> .sp
>> \fBqueue\fR
>> T}:T{
>> .sp
>> Terminate ruleset evaluation and queue the packet to userspace\&. Userspace must provide a drop or accept verdict\&. In case of accept, processing resumes with the next base chain hook, not the rule following the queue verdict\&.
>> T}
>> T{
>> .sp
>> \fBcontinue\fR
>> T}:T{
>> .sp
>> Continue ruleset evaluation with the next rule\&. This is the default behaviour in case a rule issues no verdict\&.
>> T}
>> T{
>> .sp
>> \fBreturn\fR
>> T}:T{
>> .sp
>> Return from the current chain and continue evaluation at the next rule in the last chain\&. If issued in a base chain, it is equivalent to the base chain policy\&.
>> T}
>> T{
>> .sp
>> \fBjump\fR \fIchain\fR
>> T}:T{
>> .sp
>> Continue evaluation at the first rule in \fIchain\fR\&. The current position in the ruleset is pushed to a call stack and evaluation will continue there when the new chain is entirely evaluated or a \fBreturn\fR verdict is issued\&. In case an absolute verdict is issued by a rule in the chain, ruleset evaluation terminates immediately and the specific action is taken\&.
>> T}
>> T{
>> .sp
>> \fBgoto\fR \fIchain\fR
>> T}:T{
>> .sp
>> Similar to \fBjump\fR, but the current position is not pushed to the call stack, meaning that after the new chain evaluation will continue at the last chain instead of the one containing the goto statement\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBUsing verdict statements\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # process packets from eth0 and the internal network in from_lan
>> # chain, drop all packets from eth0 with different source addresses\&.
>>
>> filter input iif eth0 ip saddr 192\&.168\&.0\&.0/24 jump from_lan
>> filter input iif eth0 drop
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "PAYLOAD STATEMENT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fIpayload_expression\fR \fBset\fR \fIvalue\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The payload statement alters packet content\&. It can be used for example to set ip DSCP (diffserv) header field or ipv6 flow labels\&.
>> .PP
>> \fBroute some packets instead of bridging\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # redirect tcp:http from 192\&.160\&.0\&.0/16 to local machine for routing instead of bridging
>> # assumes 00:11:22:33:44:55 is local MAC address\&.
>> bridge input meta iif eth0 ip saddr 192\&.168\&.0\&.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBSet IPv4 DSCP header field\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> ip forward ip dscp set 42
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "EXTENSION HEADER STATEMENT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fIextension_header_expression\fR \fBset\fR \fIvalue\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The extension header statement alters packet content in variable\-sized headers\&. This can currently be used to alter the TCP Maximum segment size of packets, similar to TCPMSS\&.
>> .PP
>> \fBchange tcp mss\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> tcp flags syn tcp option maxseg size set 1360
>> # set a size based on route information:
>> tcp flags syn tcp option maxseg size set rt mtu
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "LOG STATEMENT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBlog\fR [\fBprefix\fR \fIquoted_string\fR] [\fBlevel\fR \fIsyslog\-level\fR] [\fBflags\fR \fIlog\-flags\fR]
>> \fBlog\fR \fBgroup\fR \fInflog_group\fR [\fBprefix\fR \fIquoted_string\fR] [\fBqueue\-threshold\fR \fIvalue\fR] [\fBsnaplen\fR \fIsize\fR]
>> \fBlog level audit\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The log statement enables logging of matching packets\&. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog)\&.
>> .sp
>> In the second form of invocation (if \fInflog_group\fR is specified), the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group\&. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details\&.
>> .sp
>> In the third form of invocation (if level audit is specified), the Linux kernel writes a message into the audit buffer suitably formatted for reading with auditd\&. Therefore no further formatting options (such as prefix or flags) are allowed in this mode\&.
>> .sp
>> This is a non\-terminating statement, so the rule evaluation continues after the packet is logged\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&58.\ \&log statement options
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> prefix
>> T}:T{
>> .sp
>> Log message prefix
>> T}:T{
>> .sp
>> quoted string
>> T}
>> T{
>> .sp
>> level
>> T}:T{
>> .sp
>> Syslog level of logging
>> T}:T{
>> .sp
>> string: emerg, alert, crit, err, warn [default], notice, info, debug, audit
>> T}
>> T{
>> .sp
>> group
>> T}:T{
>> .sp
>> NFLOG group to send messages to
>> T}:T{
>> .sp
>> unsigned integer (16 bit)
>> T}
>> T{
>> .sp
>> snaplen
>> T}:T{
>> .sp
>> Length of packet payload to include in netlink message
>> T}:T{
>> .sp
>> unsigned integer (32 bit)
>> T}
>> T{
>> .sp
>> queue\-threshold
>> T}:T{
>> .sp
>> Number of packets to queue inside the kernel before sending them to userspace
>> T}:T{
>> .sp
>> unsigned integer (32 bit)
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&59.\ \&log\-flags
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Flag
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> tcp sequence
>> T}:T{
>> .sp
>> Log TCP sequence numbers\&.
>> T}
>> T{
>> .sp
>> tcp options
>> T}:T{
>> .sp
>> Log options from the TCP packet header\&.
>> T}
>> T{
>> .sp
>> ip options
>> T}:T{
>> .sp
>> Log options from the IP/IPv6 packet header\&.
>> T}
>> T{
>> .sp
>> skuid
>> T}:T{
>> .sp
>> Log the userid of the process which generated the packet\&.
>> T}
>> T{
>> .sp
>> ether
>> T}:T{
>> .sp
>> Decode MAC addresses and protocol\&.
>> T}
>> T{
>> .sp
>> all
>> T}:T{
>> .sp
>> Enable all log flags listed above\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBUsing log statement\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # log the UID which generated the packet and ip options
>> ip filter output log flags skuid flags ip options
>>
>> # log the tcp sequence numbers and tcp options from the TCP packet
>> ip filter output log flags tcp sequence,options
>>
>> # enable all supported log flags
>> ip6 filter output log flags all
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "REJECT STATEMENT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBreject\fR [ \fBwith\fR \fIREJECT_WITH\fR ]
>>
>> \fIREJECT_WITH\fR := \fBicmp type\fR \fIicmp_code\fR |
>> \fBicmpv6 type\fR \fIicmpv6_code\fR |
>> \fBicmpx type\fR \fIicmpx_code\fR |
>> \fBtcp reset\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal\&. This statement is only valid in base chains using the \fBinput\fR, \fBforward\fR or \fBoutput\fR hooks, and user\-defined chains which are only called from those chains\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&60.\ \&different ICMP reject variants are meant for use in different table families
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Variant
>> T}:T{
>> Family
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> icmp
>> T}:T{
>> .sp
>> ip
>> T}:T{
>> .sp
>> icmp_code
>> T}
>> T{
>> .sp
>> icmpv6
>> T}:T{
>> .sp
>> ip6
>> T}:T{
>> .sp
>> icmpv6_code
>> T}
>> T{
>> .sp
>> icmpx
>> T}:T{
>> .sp
>> inet
>> T}:T{
>> .sp
>> icmpx_code
>> T}
>> .TE
>> .sp 1
>> .sp
>> For a description of the different types and a list of supported keywords refer to DATA TYPES section above\&. The common default reject value is \fBport\-unreachable\fR\&.
>> .sp
>> Note that in bridge family, reject statement is only allowed in base chains which hook into input or prerouting\&.
>> .SS "COUNTER STATEMENT"
>> .sp
>> A counter statement sets the hit count of packets along with the number of bytes\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBcounter\fR \fBpackets\fR \fInumber\fR \fBbytes\fR \fInumber\fR
>> \fBcounter\fR { \fBpackets\fR \fInumber\fR | \fBbytes\fR \fInumber\fR }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .SS "CONNTRACK STATEMENT"
>> .sp
>> The conntrack statement can be used to set the conntrack mark and conntrack labels\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBct\fR {\fBmark\fR | \fBevent\fR | \fBlabel\fR | \fBzone\fR} \fBset\fR \fIvalue\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The ct statement sets meta data associated with a connection\&. The zone id has to be assigned before a conntrack lookup takes place, i\&.e\&. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of \-300\&.
>> .sp
>> Unlike iptables, where the helper assignment happens in the raw table, the helper needs to be assigned after a conntrack entry has been found, i\&.e\&. it will not work when used with hook priorities equal or before \-200\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&61.\ \&Conntrack statement types
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Value
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> event
>> T}:T{
>> .sp
>> conntrack event bits
>> T}:T{
>> .sp
>> bitmask, integer (32 bit)
>> T}
>> T{
>> .sp
>> helper
>> T}:T{
>> .sp
>> name of ct helper object to assign to the connection
>> T}:T{
>> .sp
>> quoted string
>> T}
>> T{
>> .sp
>> mark
>> T}:T{
>> .sp
>> Connection tracking mark
>> T}:T{
>> .sp
>> mark
>> T}
>> T{
>> .sp
>> label
>> T}:T{
>> .sp
>> Connection tracking label
>> T}:T{
>> .sp
>> label
>> T}
>> T{
>> .sp
>> zone
>> T}:T{
>> .sp
>> conntrack zone
>> T}:T{
>> .sp
>> integer (16 bit)
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBsave packet nfmark in conntrack\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> ct mark set meta mark
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBset zone mapped via interface\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> table inet raw {
>> chain prerouting {
>> type filter hook prerouting priority \-300;
>> ct zone set iif map { "eth1" : 1, "veth1" : 2 }
>> }
>> chain output {
>> type filter hook output priority \-300;
>> ct zone set oif map { "eth1" : 1, "veth1" : 2 }
>> }
>> }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .PP
>> \fBrestrict events reported by ctnetlink\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> ct event set new,related,destroy
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "NOTRACK STATEMENT"
>> .sp
>> The notrack statement allows to disable connection tracking for certain packets\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBnotrack\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens\&. Therefore, it needs to sit in a chain with either prerouting or output hook and a hook priority of \-300 or less\&.
>> .sp
>> See SYNPROXY STATEMENT for an example usage\&.
>> .SS "META STATEMENT"
>> .sp
>> A meta statement sets the value of a meta expression\&. The existing meta fields are: priority, mark, pkttype, nftrace\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBmeta\fR {\fBmark\fR | \fBpriority\fR | \fBpkttype\fR | \fBnftrace\fR} \fBset\fR \fIvalue\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> A meta statement sets meta data associated with a packet\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&62.\ \&Meta statement types
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Keyword
>> T}:T{
>> Description
>> T}:T{
>> Value
>> T}
>> .T&
>> lt lt lt
>> lt lt lt
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> priority
>> T}:T{
>> .sp
>> TC packet priority
>> T}:T{
>> .sp
>> tc_handle
>> T}
>> T{
>> .sp
>> mark
>> T}:T{
>> .sp
>> Packet mark
>> T}:T{
>> .sp
>> mark
>> T}
>> T{
>> .sp
>> pkttype
>> T}:T{
>> .sp
>> packet type
>> T}:T{
>> .sp
>> pkt_type
>> T}
>> T{
>> .sp
>> nftrace
>> T}:T{
>> .sp
>> ruleset packet tracing on/off\&. Use \fBmonitor trace\fR command to watch traces
>> T}:T{
>> .sp
>> 0, 1
>> T}
>> .TE
>> .sp 1
>> .SS "LIMIT STATEMENT"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBlimit rate\fR [\fBover\fR] \fIpacket_number\fR \fB/\fR \fITIME_UNIT\fR [\fBburst\fR \fIpacket_number\fR \fBpackets\fR]
>> \fBlimit rate\fR [\fBover\fR] \fIbyte_number\fR \fIBYTE_UNIT\fR \fB/\fR \fITIME_UNIT\fR [\fBburst\fR \fIbyte_number\fR \fIBYTE_UNIT\fR]
>>
>> \fITIME_UNIT\fR := \fBsecond\fR | \fBminute\fR | \fBhour\fR | \fBday\fR
>> \fIBYTE_UNIT\fR := \fBbytes\fR | \fBkbytes\fR | \fBmbytes\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> A limit statement matches at a limited rate using a token bucket filter\&. A rule using this statement will match until this limit is reached\&. It can be used in combination with the log statement to give limited logging\&. The optional \fBover\fR keyword makes it match over the specified rate\&. Default \fBburst\fR is 5\&. if you specify \fBburst\fR, it must be non\-zero value\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&63.\ \&limit statement values
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Value
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> packet_number
>> T}:T{
>> .sp
>> Number of packets
>> T}:T{
>> .sp
>> unsigned integer (32 bit)
>> T}
>> T{
>> .sp
>> byte_number
>> T}:T{
>> .sp
>> Number of bytes
>> T}:T{
>> .sp
>> unsigned integer (32 bit)
>> T}
>> .TE
>> .sp 1
>> .SS "NAT STATEMENTS"
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBsnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBsnat to\fR \fIaddress\fR \fB\-\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBsnat\fR { \fBip\fR | \fBip6\fR } \fBto\fR \fIaddress\fR \fB\-\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
>> \fBdnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBdnat to\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
>> \fBdnat\fR { \fBip\fR | \fBip6\fR } \fBto\fR \fIaddress\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPR_FLAGS\fR]
>> \fBmasquerade to\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBmasquerade to\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBredirect to\fR [\fB:\fR\fIport\fR] [\fIPRF_FLAGS\fR]
>> \fBredirect to\fR [\fB:\fR\fIport\fR \fB\-\fR \fIport\fR] [\fIPRF_FLAGS\fR]
>>
>> \fIPRF_FLAGS\fR := \fIPRF_FLAG\fR [\fB,\fR \fIPRF_FLAGS\fR]
>> \fIPR_FLAGS\fR := \fIPR_FLAG\fR [\fB,\fR \fIPR_FLAGS\fR]
>> \fIPRF_FLAG\fR := \fIPR_FLAG\fR | \fBfully\-random\fR
>> \fIPR_FLAG\fR := \fBpersistent\fR | \fBrandom\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> The nat statements are only valid from nat chain types\&.
>> .sp
>> The \fBsnat\fR and \fBmasquerade\fR statements specify that the source address of the packet should be modified\&.
While \fBsnat\fR is only valid in the postrouting and input chains, \fBmasquerade\fR makes sense only in postrouting\&. The dnat and redirect statements are only valid in the prerouting and output chains, they specify that the destination address of the packet should be modified\&. You can use non\-base chains which are called from base chains of nat chain type too\&. All future packets in this connection will also be mangled, and rules should cease being examined\&.
>> .sp
>> The \fBmasquerade\fR statement is a special form of snat which always uses the outgoing interface\(cqs IP address to translate to\&. It is particularly useful on gateways with dynamic (public) IP addresses\&.
>> .sp
>> The \fBredirect\fR statement is a special form of dnat which always translates the destination address to the local host\(cqs one\&. It comes in handy if one only wants to alter the destination port of incoming traffic on different interfaces\&.
>> .sp
>> When used in the inet family (available with kernel 5\&.2), the dnat and snat statements require the use of the ip and ip6 keyword in case an address is provided, see the examples below\&.
>> .sp
>> Before kernel 4\&.18 nat statements require both prerouting and postrouting base chains to be present since otherwise packets on the return path won\(cqt be seen by netfilter and therefore no reverse translation will take place\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&64.\ \&NAT statement values
>> .TS
>> allbox tab(:);
>> ltB ltB ltB.
>> T{
>> Expression
>> T}:T{
>> Description
>> T}:T{
>> Type
>> T}
>> .T&
>> lt lt lt
>> lt lt lt.
>> T{
>> .sp
>> address
>> T}:T{
>> .sp
>> Specifies that the source/destination address of the packet should be modified\&. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value\&.
>> T}:T{
>> .sp
>> ipv4_addr, ipv6_addr, e\&.g\&.
abcd::1234, or you can use a mapping, e\&.g\&. meta mark map { 10 : 192\&.168\&.1\&.2, 20 : 192\&.168\&.1\&.3 }
>> T}
>> T{
>> .sp
>> port
>> T}:T{
>> .sp
>> Specifies that the source/destination address of the packet should be modified\&.
>> T}:T{
>> .sp
>> port number (16 bit)
>> T}
>> .TE
>> .sp 1
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&65.\ \&NAT statement flags
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Flag
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt
>> lt lt.
>> T{
>> .sp
>> persistent
>> T}:T{
>> .sp
>> Gives a client the same source\-/destination\-address for each connection\&.
>> T}
>> T{
>> .sp
>> random
>> T}:T{
>> .sp
>> In kernel 5\&.0 and newer this is the same as fully\-random\&. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port\&.
>> T}
>> T{
>> .sp
>> fully\-random
>> T}:T{
>> .sp
>> If used then port mapping is generated based on a 32\-bit pseudo\-random algorithm\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBUsing NAT statements\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> # create a suitable table/chain setup for all further examples
>> add table nat
>> add chain nat prerouting { type nat hook prerouting priority 0; }
>> add chain nat postrouting { type nat hook postrouting priority 100; }
>>
>> # translate source addresses of all packets leaving via eth0 to address 1\&.2\&.3\&.4
>> add rule nat postrouting oif eth0 snat to 1\&.2\&.3\&.4
>>
>> # redirect all traffic entering via eth0 to destination address 192\&.168\&.1\&.120
>> add rule nat prerouting iif eth0 dnat to 192\&.168\&.1\&.120
>>
>> # translate source addresses of all packets leaving via eth0 to whatever
>> # locally generated packets would use as source to reach the same destination
>> add rule nat postrouting oif eth0 masquerade
>>
>> # redirect incoming TCP traffic for port 22 to port 2222
>> add rule nat prerouting tcp dport 22 redirect to :2222
>>
>> # inet family:
>> # handle ip dnat:
>> add rule inet nat prerouting dnat ip to 10\&.0\&.2\&.99
>> # handle ip6 dnat:
>> add rule inet nat prerouting dnat ip6 to fe80::dead
>> # this masquerades both ipv4 and ipv6:
>> add rule inet nat postrouting meta oif ppp0 masquerade
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "TPROXY STATEMENT"
>> .sp
>> Tproxy redirects the packet to a local socket without changing the packet header in any way\&. If any of the arguments is missing the data of the incoming packet is used as parameter\&. Tproxy matching requires another rule that ensures the presence of transport protocol header is specified\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBtproxy to\fR \fIaddress\fR\fB:\fR\fIport\fR
>> \fBtproxy to\fR {\fIaddress\fR | \fB:\fR\fIport\fR}
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> This syntax can be used in \fBip/ip6\fR tables where network layer protocol is obvious\&. Either IP address or port can be specified, but at least one of them is necessary\&.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> \fBtproxy\fR {\fBip\fR | \fBip6\fR} \fBto\fR \fIaddress\fR[\fB:\fR\fIport\fR]
>> \fBtproxy to :\fR\fIport\fR
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> This syntax can be used in \fBinet\fR tables\&. The \fBip/ip6\fR parameter defines the family the rule will match\&. The \fBaddress\fR parameter must be of this family\&. When only \fBport\fR is defined, the address family should not be specified\&. In this case the rule will match for both families\&.
>> .sp
>> .it 1 an-trap
>> .nr an-no-space-flag 1
>> .nr an-break-flag 1
>> .br
>> .B Table\ \&66.\ \&tproxy attributes
>> .TS
>> allbox tab(:);
>> ltB ltB.
>> T{
>> Name
>> T}:T{
>> Description
>> T}
>> .T&
>> lt lt
>> lt lt.
>> T{
>> .sp
>> address
>> T}:T{
>> .sp
>> IP address the listening socket with IP_TRANSPARENT option is bound to\&.
>> T}
>> T{
>> .sp
>> port
>> T}:T{
>> .sp
>> Port the listening socket with IP_TRANSPARENT option is bound to\&.
>> T}
>> .TE
>> .sp 1
>> .PP
>> \fBExample ruleset for tproxy statement\fR.
>> .sp
>> .if n \{\
>> .RS 4
>> .\}
>> .nf
>> table ip x {
>> chain y {
>> type filter hook prerouting priority \-150; policy accept;
>> tcp dport ntp tproxy to 1\&.1\&.1\&.1
>> udp dport ssh tproxy to :2222
>> }
>> }
>> table ip6 x {
>> chain y {
>> type filter hook prerouting priority \-150; policy accept;
>> tcp dport ntp tproxy to [dead::beef]
>> udp dport ssh tproxy to :2222
>> }
>> }
>> table inet x {
>> chain y {
>> type filter hook prerouting priority \-150; policy accept;
>> tcp dport 321 tproxy to :ssh
>> tcp dport 99 tproxy ip to 1\&.1\&.1\&.1:999
>> udp dport 155 tproxy ip6 to [dead::beef]:smux
>> }
>> }
>> .fi
>> .if n \{\
>> .RE
>> .\}
>> .sp
>> .SS "SYNPROXY STATEMENT"
>> .sp
>> This statement will process TCP three\-way\-handshake parallel in netfilter context to protect either local or backend system\&. This statement requires connection tracking because sequence numbers need to be translated\&.
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBsynproxy\fR [\fBmss\fR \fImss_value\fR] [\fBwscale\fR \fIwscale_value\fR] [\fISYNPROXY_FLAGS\fR] >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&67.\ \&synproxy statement attributes >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Name >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt. >> T{ >> .sp >> mss >> T}:T{ >> .sp >> Maximum segment size announced to clients\&. This must match the backend\&. >> T} >> T{ >> .sp >> wscale >> T}:T{ >> .sp >> Window scale announced to clients\&. This must match the backend\&. >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&68.\ \&synproxy statement flags >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Flag >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt. >> T{ >> .sp >> sack\-perm >> T}:T{ >> .sp >> Pass client selective acknowledgement option to backend (will be disabled if not present)\&. >> T} >> T{ >> .sp >> timestamp >> T}:T{ >> .sp >> Pass client timestamp option to backend (will be disabled if not present, also needed for selective acknowledgement and window scaling)\&. >> T} >> .TE >> .sp 1 >> .PP >> \fBExample ruleset for synproxy statement\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> Determine tcp options used by backend, from an external system >> >> tcpdump \-pni eth0 \-c 1 \*(Aqtcp[tcpflags] == (tcp\-syn|tcp\-ack)\*(Aq >> port 80 & >> telnet 192\&.0\&.2\&.42 80 >> 18:57:24\&.693307 IP 192\&.0\&.2\&.42\&.80 > 192\&.0\&.2\&.43\&.48757: >> Flags [S\&.], seq 360414582, ack 788841994, win 14480, >> options [mss 1460,sackOK, >> TS val 1409056151 ecr 9690221, >> nop,wscale 9], >> length 0 >> >> Switch tcp_loose mode off, so conntrack will mark out\-of\-flow packets as state INVALID\&. >> >> echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose >> >> Make SYN packets untracked\&.
>> >> table ip x { >> chain y { >> type filter hook prerouting priority raw; policy accept; >> tcp flags syn notrack >> } >> } >> >> Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send >> them to SYNPROXY\&. This rule will respond to SYN packets with SYN+ACK >> syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and >> drop incorrect cookies\&. Flags combinations not expected during 3WHS will not >> match and continue (e\&.g\&. SYN+FIN, SYN+ACK)\&. Finally, drop invalid packets, this >> will be out\-of\-flow packets that were not matched by SYNPROXY\&. >> >> table ip foo { >> chain z { >> type filter hook input priority filter; policy accept; >> ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack\-perm >> ct state invalid drop >> } >> } >> >> The outcome ruleset of the steps above should be similar to the one below\&. >> >> table ip x { >> chain y { >> type filter hook prerouting priority raw; policy accept; >> tcp flags syn notrack >> } >> >> chain z { >> type filter hook input priority filter; policy accept; >> ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack\-perm >> ct state invalid drop >> } >> } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "FLOW STATEMENT" >> .sp >> A flow statement allows us to select what flows you want to accelerate forwarding through layer 3 network stack bypass\&. You have to specify the flowtable name where you want to offload this flow\&. >> .sp >> \fBflow add @\fR\fIflowtable\fR >> .SS "QUEUE STATEMENT" >> .sp >> This statement passes the packet to userspace using the nfnetlink_queue handler\&. The packet is put into the queue identified by its 16\-bit queue number\&. Userspace can inspect and modify the packet if desired\&. Userspace must then drop or re\-inject the packet into the kernel\&. See libnetfilter_queue documentation for details\&.
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBqueue\fR [\fBnum\fR \fIqueue_number\fR] [\fBbypass\fR] >> \fBqueue\fR [\fBnum\fR \fIqueue_number_from\fR \- \fIqueue_number_to\fR] [\fIQUEUE_FLAGS\fR] >> >> \fIQUEUE_FLAGS\fR := \fIQUEUE_FLAG\fR [\fB,\fR \fIQUEUE_FLAGS\fR] >> \fIQUEUE_FLAG\fR := \fBbypass\fR | \fBfanout\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&69.\ \&queue statement values >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Value >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt >> lt lt lt. >> T{ >> .sp >> queue_number >> T}:T{ >> .sp >> Sets queue number, default is 0\&. >> T}:T{ >> .sp >> unsigned integer (16 bit) >> T} >> T{ >> .sp >> queue_number_from >> T}:T{ >> .sp >> Sets initial queue in the range, if fanout is used\&. >> T}:T{ >> .sp >> unsigned integer (16 bit) >> T} >> T{ >> .sp >> queue_number_to >> T}:T{ >> .sp >> Sets closing queue in the range, if fanout is used\&. >> T}:T{ >> .sp >> unsigned integer (16 bit) >> T} >> .TE >> .sp 1 >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&70.\ \&queue statement flags >> .TS >> allbox tab(:); >> ltB ltB. >> T{ >> Flag >> T}:T{ >> Description >> T} >> .T& >> lt lt >> lt lt. >> T{ >> .sp >> bypass >> T}:T{ >> .sp >> Let packets go through if userspace application cannot back off\&. Before using this flag, read libnetfilter_queue documentation for performance tuning recommendations\&. >> T} >> T{ >> .sp >> fanout >> T}:T{ >> .sp >> Distribute packets between several queues\&. >> T} >> .TE >> .sp 1 >> .SS "DUP STATEMENT" >> .sp >> The dup statement is used to duplicate a packet and send the copy to a different destination\&.
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fBdup to\fR \fIdevice\fR >> \fBdup to\fR \fIaddress\fR \fBdevice\fR \fIdevice\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .it 1 an-trap >> .nr an-no-space-flag 1 >> .nr an-break-flag 1 >> .br >> .B Table\ \&71.\ \&Dup statement values >> .TS >> allbox tab(:); >> ltB ltB ltB. >> T{ >> Expression >> T}:T{ >> Description >> T}:T{ >> Type >> T} >> .T& >> lt lt lt >> lt lt lt. >> T{ >> .sp >> address >> T}:T{ >> .sp >> Specifies that the copy of the packet should be sent to a new gateway\&. >> T}:T{ >> .sp >> ipv4_addr, ipv6_addr, e\&.g\&. abcd::1234, or you can use a mapping, e\&.g\&. ip saddr map { 192\&.168\&.1\&.2 : 10\&.1\&.1\&.1 } >> T} >> T{ >> .sp >> device >> T}:T{ >> .sp >> Specifies that the copy should be transmitted via device\&. >> T}:T{ >> .sp >> string >> T} >> .TE >> .sp 1 >> .PP >> \fBUsing the dup statement\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # send to machine with ip address 10\&.2\&.3\&.4 on eth0 >> ip filter forward dup to 10\&.2\&.3\&.4 device "eth0" >> >> # copy raw frame to another interface >> netdetv ingress dup to "eth0" >> dup to "eth0" >> >> # combine with map dst addr to gateways >> dup to ip daddr map { 192\&.168\&.7\&.1 : "eth0", 192\&.168\&.7\&.2 : "eth1" } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "FWD STATEMENT" >> .sp >> The fwd statement is used to redirect a raw packet to another interface\&. It is only available in the netdev family ingress hook\&. It is similar to the dup statement except that no copy is made\&. >> .sp >> \fBfwd to\fR \fIdevice\fR >> .SS "SET STATEMENT" >> .sp >> The set statement is used to dynamically add or update elements in a set from the packet path\&. The set setname must already exist in the given table and must have been created with one or both of the dynamic and the timeout flags\&. The dynamic flag is required if the set statement expression includes a stateful object\&.
The timeout flag is implied if the set is created with a timeout, and is required if the set statement updates elements, rather than adding them\&. Furthermore, these sets should specify both a maximum set size (to prevent memory exhaustion), and their elements should have a timeout (so their number will not grow indefinitely) either from the set definition or from the statement that adds or updates them\&. The set statement can be used to e\&.g\&. create dynamic blacklists\&. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> {\fBadd\fR | \fBupdate\fR} \fB@\fR\fIsetname\fR \fB{\fR \fIexpression\fR [\fBtimeout\fR \fItimeout\fR] [\fBcomment\fR \fIstring\fR] \fB}\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBExample for simple blacklist\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # declare a set, bound to table "filter", in family "ip"\&. >> # Timeout and size are mandatory because we will add elements from packet path\&. >> # Entries will timeout after one minute, after which they might be >> # re\-added if limit condition persists\&. >> nft add set ip filter blackhole \e >> "{ type ipv4_addr; flags dynamic; timeout 1m; size 65536; }" >> >> # declare a set to store the limit per saddr\&. >> # This must be separate from blackhole since the timeout is different >> nft add set ip filter flood \e >> "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000; }" >> >> # whitelist internal interface\&. >> nft add rule ip filter input meta iifname "internal" accept >> >> # drop packets coming from blacklisted ip addresses\&. >> nft add rule ip filter input ip saddr @blackhole counter drop >> >> # add source ip addresses to the blacklist if more than 10 tcp connection >> # requests occurred per second and ip address\&. >> nft add rule ip filter input tcp flags syn tcp dport ssh \e >> add @flood { ip saddr limit rate over 10/second } \e >> add @blackhole { ip saddr } drop >> >> # inspect state of the sets\&.
>> nft list set ip filter flood >> nft list set ip filter blackhole >> >> # manually add two addresses to the blackhole\&. >> nft add element filter blackhole { 10\&.2\&.3\&.4, 10\&.23\&.1\&.42 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "MAP STATEMENT" >> .sp >> The map statement is used to lookup data based on some specific input key\&. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fIexpression\fR \fBmap\fR \fB{\fR \fIMAP_ELEMENTS\fR \fB}\fR >> >> \fIMAP_ELEMENTS\fR := \fIMAP_ELEMENT\fR [\fB,\fR \fIMAP_ELEMENTS\fR] >> \fIMAP_ELEMENT\fR := \fIkey\fR \fB:\fR \fIvalue\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> The \fIkey\fR is a value returned by \fIexpression\fR\&. >> .PP >> \fBUsing the map statement\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # select DNAT target based on TCP dport: >> # connections to port 80 are redirected to 192\&.168\&.1\&.100, >> # connections to port 8888 are redirected to 192\&.168\&.1\&.101 >> nft add rule ip nat prerouting dnat tcp dport map { 80 : 192\&.168\&.1\&.100, 8888 : 192\&.168\&.1\&.101 } >> >> # source address based SNAT: >> # packets from net 192\&.168\&.1\&.0/24 will appear as originating from 10\&.0\&.0\&.1, >> # packets from net 192\&.168\&.2\&.0/24 will appear as originating from 10\&.0\&.0\&.2 >> nft add rule ip nat postrouting snat to ip saddr map { 192\&.168\&.1\&.0/24 : 10\&.0\&.0\&.1, 192\&.168\&.2\&.0/24 : 10\&.0\&.0\&.2 } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SS "VMAP STATEMENT" >> .sp >> The verdict map (vmap) statement works analogous to the map statement, but contains verdicts as values\&. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> \fIexpression\fR \fBvmap\fR \fB{\fR \fIVMAP_ELEMENTS\fR \fB}\fR >> >> \fIVMAP_ELEMENTS\fR := \fIVMAP_ELEMENT\fR [\fB,\fR \fIVMAP_ELEMENTS\fR] >> \fIVMAP_ELEMENT\fR := \fIkey\fR \fB:\fR \fIverdict\fR >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBUsing the vmap statement\fR.
>> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> # jump to different chains depending on layer 4 protocol type: >> nft add rule ip filter input ip protocol vmap { tcp : jump tcp\-chain, udp : jump udp\-chain , icmp : jump icmp\-chain } >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SH "ADDITIONAL COMMANDS" >> .sp >> These are some additional commands included in nft\&. >> .SS "MONITOR" >> .sp >> The monitor command allows you to listen to Netlink events produced by the nf_tables subsystem, related to creation and deletion of objects\&. When they occur, nft will print to stdout the monitored events in either JSON or native nft format\&. >> .sp >> To filter events related to a concrete object, use one of the keywords \fItables\fR, \fIchains\fR, \fIsets\fR, \fIrules\fR, \fIelements\fR, \fIruleset\fR\&. >> .sp >> To filter events related to a concrete action, use keyword \fInew\fR or \fIdestroy\fR\&. >> .sp >> Hit ^C to finish the monitor operation\&. >> .PP >> \fBListen to all events, report in native nft format\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> % nft monitor >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBListen to deleted rules, report in JSON format\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> % nft \-j monitor destroy rules >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBListen to both new and destroyed chains, in native nft format\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> % nft monitor chains >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBListen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> % nft monitor ruleset >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SH "ERROR REPORTING" >> .sp >> When an error is detected, nft shows the line(s) containing the error, the position of the erroneous parts in the input stream and marks up the erroneous parts using carets (^)\&.
If the error results from the combination of two expressions or statements, the part imposing the constraints which are violated is marked using tildes (~)\&. >> .sp >> For errors returned by the kernel, nft cannot detect which parts of the input caused the error and the entire command is marked\&. >> .PP >> \fBError caused by single incorrect expression\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> :1:19\-22: Error: Interface does not exist >> filter output oif eth0 >> ^^^^ >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBError caused by invalid combination of two expressions\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> :1:28\-36: Error: Right hand side of relational expression (==) must be constant >> filter output tcp dport == tcp dport >> ~~ ^^^^^^^^^ >> .fi >> .if n \{\ >> .RE >> .\} >> .PP >> \fBError returned by the kernel\fR. >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> :0:0\-23: Error: Could not process rule: Operation not permitted >> filter output oif wlan0 >> ^^^^^^^^^^^^^^^^^^^^^^^ >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> .SH "EXIT STATUS" >> .sp >> On success, nft exits with a status of 0\&. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2, unable to open Netlink socket with 3\&. >> .SH "SEE ALSO" >> .sp >> .if n \{\ >> .RS 4 >> .\} >> .nf >> libnftables(3), libnftables\-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8) >> .fi >> .if n \{\ >> .RE >> .\} >> .sp >> There is an official wiki at: https://wiki\&.nftables\&.org >> .SH "AUTHORS" >> .sp >> nftables was written by Patrick McHardy and Pablo Neira Ayuso, among many other contributors from the Netfilter community\&.
>> .SH "COPYRIGHT" >> .sp >> Copyright \(co 2008\-2014 Patrick McHardy Copyright \(co 2013\-2018 Pablo Neira Ayuso >> .sp >> nftables is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation\&. >> .sp >> This documentation is licensed under the terms of the Creative Commons Attribution\-ShareAlike 4\&.0 license, CC BY\-SA 4\&.0 http://creativecommons\&.org/licenses/by\-sa/4\&.0/\&.
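The SYNPROXY section of the quoted nft.8 text says the mss and wscale values must match the backend and reads them off a tcpdump SYN-ACK capture. The following is an added example, not part of the original message or of the nft man page, that derives the matching synproxy statement from such a line. The function names are hypothetical, and leaving out wscale and sack-perm when the backend sent no timestamp option is this example's reading of the note in Table 68.

```python
import re

# Constructed sample: the SYN-ACK capture from the quoted nft.8 text, joined onto one line.
SAMPLE = ("18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: "
          "Flags [S.], seq 360414582, ack 788841994, win 14480, "
          "options [mss 1460,sackOK,TS val 1409056151 ecr 9690221,"
          "nop,wscale 9], length 0")


def parse_synack_options(line):
    """Extract the TCP options a backend announced in one tcpdump SYN-ACK line."""
    if "Flags [S.]" not in line:
        raise ValueError("not a SYN-ACK line (expected 'Flags [S.]')")
    opts = {"mss": None, "wscale": None, "sack": False, "timestamp": False}
    match = re.search(r"options \[([^\]]*)\]", line)
    for item in (match.group(1).split(",") if match else []):
        fields = item.split()
        if not fields:
            continue
        if fields[0] in ("mss", "wscale"):
            if len(fields) != 2 or not fields[1].isdigit():
                raise ValueError("malformed option: %r" % item)
            opts[fields[0]] = int(fields[1])
        elif fields[0] == "sackOK":
            opts["sack"] = True
        elif fields[0] == "TS":
            opts["timestamp"] = True
    if opts["mss"] is not None and not 1 <= opts["mss"] <= 65535:
        raise ValueError("mss out of range")
    if opts["wscale"] is not None and opts["wscale"] > 14:
        raise ValueError("wscale out of range (TCP allows 0..14)")
    return opts


def synproxy_statement(opts):
    """Build the synproxy statement matching the backend, plus notes on omissions."""
    parts, notes = ["synproxy"], []
    if opts["mss"] is None:
        notes.append("backend announced no mss; statement has no mss value")
    else:
        parts += ["mss", str(opts["mss"])]
    # Table 68 in the quoted text: timestamp is also needed for selective
    # acknowledgement and window scaling, so without it both are left out.
    if opts["wscale"] is not None:
        if opts["timestamp"]:
            parts += ["wscale", str(opts["wscale"])]
        else:
            notes.append("wscale omitted: backend sent no timestamp option")
    if opts["timestamp"]:
        parts.append("timestamp")
    if opts["sack"]:
        if opts["timestamp"]:
            parts.append("sack-perm")
        else:
            notes.append("sack-perm omitted: backend sent no timestamp option")
    return " ".join(parts), notes


if __name__ == "__main__":
    statement, notes = synproxy_statement(parse_synack_options(SAMPLE))
    print(statement)
    for note in notes:
        print("note:", note)
```

For the sample capture the result is the same statement the quoted ruleset uses after `ct state { invalid, untracked }`.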