PNG
�
���
IHDR�������������x����sBIT����|�d��� pHYs�������+������tEXtSoftware�www.inkscape.org<���,tEXtComment�
File Manager
File Manager
Viewing File: fw_direct.py
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
__all__ = [ "FirewallDirect" ]
from firewall.fw_types import LastUpdatedOrderedDict
from firewall.core import ipXtables
from firewall.core import ebtables
from firewall.core.fw_transaction import FirewallTransaction
from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError
############################################################################
#
# class Firewall
#
############################################################################
class FirewallDirect(object):
def __init__(self, fw):
self._fw = fw
self.__init_vars()
def __repr__(self):
return '%s(%r, %r, %r)' % (self.__class__, self._chains, self._rules,
self._rule_priority_positions)
def __init_vars(self):
self._chains = { }
self._rules = { }
self._rule_priority_positions = { }
self._passthroughs = { }
self._obj = None
def cleanup(self):
self.__init_vars()
# transaction
def new_transaction(self):
return FirewallTransaction(self._fw)
# configuration
def set_permanent_config(self, obj):
self._obj = obj
def has_runtime_configuration(self):
if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0:
return True
return False
def has_configuration(self):
if self.has_runtime_configuration():
return True
if len(self._obj.get_all_chains()) + \
len(self._obj.get_all_rules()) + \
len(self._obj.get_all_passthroughs()) > 0:
return True
return False
def apply_direct(self, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
# Apply permanent configuration and save the obj to be able to
# remove permanent configuration settings within get_runtime_config
# for use in firewalld reload.
self.set_config((self._obj.get_all_chains(),
self._obj.get_all_rules(),
self._obj.get_all_passthroughs()),
transaction)
if use_transaction is None:
transaction.execute(True)
def get_runtime_config(self):
# Return only runtime changes
# Remove all chains, rules and passthroughs that are in self._obj
# (permanent config applied in firewalld _start.
chains = { }
rules = { }
passthroughs = { }
for table_id in self._chains:
(ipv, table) = table_id
for chain in self._chains[table_id]:
if not self._obj.query_chain(ipv, table, chain):
chains.setdefault(table_id, [ ]).append(chain)
for chain_id in self._rules:
(ipv, table, chain) = chain_id
for (priority, args) in self._rules[chain_id]:
if not self._obj.query_rule(ipv, table, chain, priority, args):
if chain_id not in rules:
rules[chain_id] = LastUpdatedOrderedDict()
rules[chain_id][(priority, args)] = priority
for ipv in self._passthroughs:
for args in self._passthroughs[ipv]:
if not self._obj.query_passthrough(ipv, args):
if ipv not in passthroughs:
passthroughs[ipv] = [ ]
passthroughs[ipv].append(args)
return (chains, rules, passthroughs)
def get_config(self):
return (self._chains, self._rules, self._passthroughs)
def set_config(self, conf, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
(_chains, _rules, _passthroughs) = conf
for table_id in _chains:
(ipv, table) = table_id
for chain in _chains[table_id]:
if not self.query_chain(ipv, table, chain):
try:
self.add_chain(ipv, table, chain,
use_transaction=transaction)
except FirewallError as error:
log.warning(str(error))
for chain_id in _rules:
(ipv, table, chain) = chain_id
for (priority, args) in _rules[chain_id]:
if not self.query_rule(ipv, table, chain, priority, args):
try:
self.add_rule(ipv, table, chain, priority, args,
use_transaction=transaction)
except FirewallError as error:
log.warning(str(error))
for ipv in _passthroughs:
for args in _passthroughs[ipv]:
if not self.query_passthrough(ipv, args):
try:
self.add_passthrough(ipv, args,
use_transaction=transaction)
except FirewallError as error:
log.warning(str(error))
if use_transaction is None:
transaction.execute(True)
def _check_ipv(self, ipv):
ipvs = ['ipv4', 'ipv6', 'eb']
if ipv not in ipvs:
raise FirewallError(errors.INVALID_IPV,
"'%s' not in '%s'" % (ipv, ipvs))
def _check_ipv_table(self, ipv, table):
self._check_ipv(ipv)
tables = ipXtables.BUILT_IN_CHAINS.keys() if ipv in [ 'ipv4', 'ipv6' ] \
else ebtables.BUILT_IN_CHAINS.keys()
if table not in tables:
raise FirewallError(errors.INVALID_TABLE,
"'%s' not in '%s'" % (table, tables))
def _check_builtin_chain(self, ipv, table, chain):
if ipv in ['ipv4', 'ipv6']:
built_in_chains = ipXtables.BUILT_IN_CHAINS[table]
if self._fw.nftables_enabled:
our_chains = {}
else:
our_chains = self._fw.get_direct_backend_by_ipv(ipv).our_chains[table]
else:
built_in_chains = ebtables.BUILT_IN_CHAINS[table]
our_chains = ebtables.OUR_CHAINS[table]
if chain in built_in_chains:
raise FirewallError(errors.BUILTIN_CHAIN,
"chain '%s' is built-in chain" % chain)
if chain in our_chains:
raise FirewallError(errors.BUILTIN_CHAIN,
"chain '%s' is reserved" % chain)
if ipv in [ "ipv4", "ipv6" ]:
if self._fw.zone.zone_from_chain(chain) is not None:
raise FirewallError(errors.INVALID_CHAIN,
"Chain '%s' is reserved" % chain)
def _register_chain(self, table_id, chain, add):
if add:
self._chains.setdefault(table_id, [ ]).append(chain)
else:
self._chains[table_id].remove(chain)
if len(self._chains[table_id]) == 0:
del self._chains[table_id]
def add_chain(self, ipv, table, chain, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
if self._fw.may_skip_flush_direct_backends():
transaction.add_pre(self._fw.flush_direct_backends)
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
#TODO: policy="ACCEPT"
self._chain(True, ipv, table, chain, transaction)
if use_transaction is None:
transaction.execute(True)
def remove_chain(self, ipv, table, chain, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
self._chain(False, ipv, table, chain, transaction)
if use_transaction is None:
transaction.execute(True)
def query_chain(self, ipv, table, chain):
self._check_ipv_table(ipv, table)
self._check_builtin_chain(ipv, table, chain)
table_id = (ipv, table)
return (table_id in self._chains and
chain in self._chains[table_id])
def get_chains(self, ipv, table):
self._check_ipv_table(ipv, table)
table_id = (ipv, table)
if table_id in self._chains:
return self._chains[table_id]
return [ ]
def get_all_chains(self):
r = [ ]
for key in self._chains:
(ipv, table) = key
for chain in self._chains[key]:
r.append((ipv, table, chain))
return r
def add_rule(self, ipv, table, chain, priority, args, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
if self._fw.may_skip_flush_direct_backends():
transaction.add_pre(self._fw.flush_direct_backends)
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
self._rule(True, ipv, table, chain, priority, args, transaction)
if use_transaction is None:
transaction.execute(True)
def remove_rule(self, ipv, table, chain, priority, args,
use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
self._rule(False, ipv, table, chain, priority, args, transaction)
if use_transaction is None:
transaction.execute(True)
def query_rule(self, ipv, table, chain, priority, args):
self._check_ipv_table(ipv, table)
chain_id = (ipv, table, chain)
return chain_id in self._rules and \
(priority, args) in self._rules[chain_id]
def get_rules(self, ipv, table, chain):
self._check_ipv_table(ipv, table)
chain_id = (ipv, table, chain)
if chain_id in self._rules:
return list(self._rules[chain_id].keys())
return [ ]
def get_all_rules(self):
r = [ ]
for key in self._rules:
(ipv, table, chain) = key
for (priority, args) in self._rules[key]:
r.append((ipv, table, chain, priority, list(args)))
return r
def _register_rule(self, rule_id, chain_id, priority, enable, count):
if enable:
if chain_id not in self._rules:
self._rules[chain_id] = LastUpdatedOrderedDict()
self._rules[chain_id][rule_id] = priority
if chain_id not in self._rule_priority_positions:
self._rule_priority_positions[chain_id] = { }
if priority in self._rule_priority_positions[chain_id]:
self._rule_priority_positions[chain_id][priority] += count
else:
self._rule_priority_positions[chain_id][priority] = count
else:
del self._rules[chain_id][rule_id]
if len(self._rules[chain_id]) == 0:
del self._rules[chain_id]
self._rule_priority_positions[chain_id][priority] -= count
# DIRECT PASSTHROUGH (untracked)
def passthrough(self, ipv, args):
try:
return self._fw.rule(self._fw.get_direct_backend_by_ipv(ipv).name, args)
except Exception as msg:
log.debug2(msg)
raise FirewallError(errors.COMMAND_FAILED, msg)
def _register_passthrough(self, ipv, args, enable):
if enable:
if ipv not in self._passthroughs:
self._passthroughs[ipv] = [ ]
self._passthroughs[ipv].append(args)
else:
self._passthroughs[ipv].remove(args)
if len(self._passthroughs[ipv]) == 0:
del self._passthroughs[ipv]
def add_passthrough(self, ipv, args, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
if self._fw.may_skip_flush_direct_backends():
transaction.add_pre(self._fw.flush_direct_backends)
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
self._passthrough(True, ipv, list(args), transaction)
if use_transaction is None:
transaction.execute(True)
def remove_passthrough(self, ipv, args, use_transaction=None):
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
self._passthrough(False, ipv, list(args), transaction)
if use_transaction is None:
transaction.execute(True)
def query_passthrough(self, ipv, args):
return ipv in self._passthroughs and \
tuple(args) in self._passthroughs[ipv]
def get_all_passthroughs(self):
r = [ ]
for ipv in self._passthroughs:
for args in self._passthroughs[ipv]:
r.append((ipv, list(args)))
return r
def get_passthroughs(self, ipv):
r = [ ]
if ipv in self._passthroughs:
for args in self._passthroughs[ipv]:
r.append(list(args))
return r
def split_value(self, rules, opts):
"""Split values combined with commas for options in opts"""
out_rules = [ ]
for rule in rules:
processed = False
for opt in opts:
try:
i = rule.index(opt)
except ValueError:
pass
else:
if len(rule) > i and "," in rule[i+1]:
# For all items in the comma separated list in index
# i of the rule, a new rule is created with a single
# item from this list
processed = True
items = rule[i+1].split(",")
for item in items:
_rule = rule[:]
_rule[i+1] = item
out_rules.append(_rule)
if not processed:
out_rules.append(rule)
return out_rules
def _rule(self, enable, ipv, table, chain, priority, args, transaction):
self._check_ipv_table(ipv, table)
# Do not create zone chains if we're using nftables. Only allow direct
# rules in the built in chains.
if not self._fw.nftables_enabled \
and ipv in [ "ipv4", "ipv6" ]:
self._fw.zone.create_zone_base_by_chain(ipv, table, chain,
transaction)
_chain = chain
backend = self._fw.get_direct_backend_by_ipv(ipv)
# if nftables is in use, just put the direct rules in the chain
# specified by the user. i.e. don't append _direct.
if not self._fw.nftables_enabled \
and backend.is_chain_builtin(ipv, table, chain):
_chain = "%s_direct" % (chain)
elif self._fw.nftables_enabled and chain[-7:] == "_direct" \
and backend.is_chain_builtin(ipv, table, chain[:-7]):
# strip _direct suffix. If we're using nftables we don't bother
# creating the *_direct chains for builtin chains.
_chain = chain[:-7]
chain_id = (ipv, table, chain)
rule_id = (priority, args)
if enable:
if chain_id in self._rules and \
rule_id in self._rules[chain_id]:
raise FirewallError(errors.ALREADY_ENABLED,
"rule '%s' already is in '%s:%s:%s'" % \
(args, ipv, table, chain))
else:
if chain_id not in self._rules or \
rule_id not in self._rules[chain_id]:
raise FirewallError(errors.NOT_ENABLED,
"rule '%s' is not in '%s:%s:%s'" % \
(args, ipv, table, chain))
# get priority of rule
priority = self._rules[chain_id][rule_id]
# If a rule gets added, the initial rule index position within the
# ipv, table and chain combination (chain_id) is 1.
# Tf the chain_id exists in _rule_priority_positions, there are already
# other rules for this chain_id. The number of rules for a priority
# less or equal to the priority of the new rule will increase the
# index of the new rule. The index is the ip*tables -I insert rule
# number.
#
# Example: We have the following rules for chain_id (ipv4, filter,
# INPUT) already:
# ipv4, filter, INPUT, 1, -i, foo1, -j, ACCEPT
# ipv4, filter, INPUT, 2, -i, foo2, -j, ACCEPT
# ipv4, filter, INPUT, 2, -i, foo2_1, -j, ACCEPT
# ipv4, filter, INPUT, 3, -i, foo3, -j, ACCEPT
# This results in the following _rule_priority_positions structure:
# _rule_priority_positions[(ipv4,filter,INPUT)][1] = 1
# _rule_priority_positions[(ipv4,filter,INPUT)][2] = 2
# _rule_priority_positions[(ipv4,filter,INPUT)][3] = 1
# The new rule
# ipv4, filter, INPUT, 2, -i, foo2_2, -j, ACCEPT
# has the same pritority as the second rule before and will be added
# right after it.
# The initial index is 1 and the chain_id is already in
# _rule_priority_positions. Therefore the index will increase for
# the number of rules in every rule position in
# _rule_priority_positions[(ipv4,filter,INPUT)].keys()
# where position is smaller or equal to the entry in keys.
# With the example from above:
# The priority of the new rule is 2. Therefore for all keys in
# _rule_priority_positions[chain_id] where priority is 1 or 2, the
# number of the rules will increase the index of the rule.
# For _rule_priority_positions[chain_id][1]: index += 1
# _rule_priority_positions[chain_id][2]: index += 2
# index will be 4 in the end and the rule in the table chain
# combination will be added at index 4.
# If there are no rules in the table chain combination, a new rule
# has index 1.
index = 1
count = 0
if chain_id in self._rule_priority_positions:
positions = sorted(self._rule_priority_positions[chain_id].keys())
j = 0
while j < len(positions) and priority >= positions[j]:
index += self._rule_priority_positions[chain_id][positions[j]]
j += 1
# split the direct rule in some cases as iptables-restore can't handle
# compound args.
#
args_list = [list(args)]
args_list = self.split_value(args_list, [ "-s", "--source" ])
args_list = self.split_value(args_list, [ "-d", "--destination" ])
for _args in args_list:
transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args)))
index += 1
count += 1
self._register_rule(rule_id, chain_id, priority, enable, count)
transaction.add_fail(self._register_rule,
rule_id, chain_id, priority, not enable, count)
def _chain(self, add, ipv, table, chain, transaction):
self._check_ipv_table(ipv, table)
self._check_builtin_chain(ipv, table, chain)
table_id = (ipv, table)
if add:
if table_id in self._chains and \
chain in self._chains[table_id]:
raise FirewallError(errors.ALREADY_ENABLED,
"chain '%s' already is in '%s:%s'" % \
(chain, ipv, table))
else:
if table_id not in self._chains or \
chain not in self._chains[table_id]:
raise FirewallError(errors.NOT_ENABLED,
"chain '%s' is not in '%s:%s'" % \
(chain, ipv, table))
backend = self._fw.get_direct_backend_by_ipv(ipv)
transaction.add_rules(backend, backend.build_chain_rules(add, table, chain))
self._register_chain(table_id, chain, add)
transaction.add_fail(self._register_chain, table_id, chain, not add)
def _passthrough(self, enable, ipv, args, transaction):
self._check_ipv(ipv)
tuple_args = tuple(args)
if enable:
if ipv in self._passthroughs and \
tuple_args in self._passthroughs[ipv]:
raise FirewallError(errors.ALREADY_ENABLED,
"passthrough '%s', '%s'" % (ipv, args))
else:
if ipv not in self._passthroughs or \
tuple_args not in self._passthroughs[ipv]:
raise FirewallError(errors.NOT_ENABLED,
"passthrough '%s', '%s'" % (ipv, args))
backend = self._fw.get_direct_backend_by_ipv(ipv)
if enable:
backend.check_passthrough(args)
# try to find out if a zone chain should be used
if ipv in [ "ipv4", "ipv6" ]:
table, chain = backend.passthrough_parse_table_chain(args)
if table and chain:
self._fw.zone.create_zone_base_by_chain(ipv, table, chain)
_args = args
else:
_args = backend.reverse_passthrough(args)
transaction.add_rule(backend, _args)
self._register_passthrough(ipv, tuple_args, enable)
transaction.add_fail(self._register_passthrough, ipv, tuple_args,
not enable)
�b�� �IDATxytVսϓ�22� ��A@�I�R�:hCi�Z[v*E:WũZA ^d�Q�e�Q @ !�jZ'>gsV仿$|?g)&x-E�IENT ;�@x�T.i%-X�}�Sv��S5.r/��UHz^_$-W"�w)Ɗ/�@Z &IoX��P$K}��JzX:;`�� �&, �ŋui,e6mX
�Եr��Kb1ԗ)����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������݀!I*]R;I2$e�Z#ORZSrr�6mteffu*((Pu'v{����DIߔ4^pIm��'77WEEE�;vƎ�4-����$]'RI{���\I&G� ��:IHJ
�DWBB=\WRm�
��o$K(V�9��ABB.�}jѢv��`^?IOȅ}���ڶmG�}T#FJ`5��6$-���ھ}F�I&v;0(h;��Б����38CӧOWf!;�A
�i:F��_m�9s&�|��q�%=#���wZprrrl��a
�A� &��P\\СC[A#�!� {��olF}
`E2}�MK/v�V��)i�{��4BffV\|ۭX��`�b�@kɶ@��%i$K���z5zhmX���[��IXZ��` 'b%$�r5�M4º��/l
ԃ�ߖ��xhʔ)[@=}
K6IM}^��5k㏷݆z
ΗÿO:gdGBmyT/�@+Vɶ�纽zl.yit뭷zV��0[Y^�>Wsqs}\/�@$(T7f.Inݺi����R$푔n.�~?H))\Z��RW'Mo~v
Ov�6oԃ���xz!��S,&xm/yɞԟ?'ua�S�ѽb,�8GלKboi&3�t7Y,�)JJ�����c[nzӳd�E�&K�sZLӄ��I���?�@���&�%ӟ۶mSMMњ0�iؐSZ,���|J+N
�~�,0A�0!5%Q-�YQQa�3��}$_vVr�f9f?S��8`��z���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����d�qP,تmMmg��1V?�rSI꒟]u|l
R�CyEf٢9�jURbztѰ!m5~tGj2DhG*{H9)꒟ר3:(+3\?/;TUݭʴ~S6lڧUJ�*�i$d(#=Yݺd{,p|3B))���q:vN0Y.jkק6;Sɶ�VzHJJЀ-utѹսk>QUU�\~]fFnK?�&ߡ�5b=z9)^|u�_k-[��y%ZNU6 7Mi�:]ۦ�tk�[n
�X(e6��Bb."8cۭ|~te��uu�w|ήI-5"~U�k;ZicEm�N/:]M>
��c�Q^uiƞ�??Ң�p�c#��TUU3UakNwA`�:�Y_V-8.KKfRi�tv*
�9S6ֿj,Ճ�NOMߤ]z^fOh|<>�@Å5���_�/Iu?{SY4hK�/2�]�4%it5�q]GGe��2%iR|
�W&�f��*^]??v�q[LgE_3f}Fxu~}qd-ږFxu~I N��>\;͗O֊:̗WJ�@���Bh�W�=y�|GgwܷH_NY�?)�Tdi'?խw�hlmQi� ��!SUUs�w4kӺe�4rfxu�-[nHt�MFj}H_u~w>)oV}(T'ebʒv3_[+vn����@Ȭ\S}ot}w=k�HFnxg�S 0eޢm�~l}u�qZf�F��oZuuEg
�`z�t~?�b;t%�>WTkķh[����2eG8LIWx,�^\thr�l^Ϊ�{�=dž�<}qV@ �⠨W�y^L�F_>0Uk��D�uʫuCs$)I��v�:IK�;��6ֲ4{^6����եm+l��3>݆�uM 9�u�����?>Zc�}g~qhKwڭ�e���FMM~pМuq�ǿz6Tb@8�@Y|jx]�(^]gf}�M"tG
����-w.@�vOqh~/HII�`���S[l.6nØXL9v�U���cOoB\�xo�Ǥ'T&I��Ǎ�Qw_wpv[kmO{w~>#=P1P�ɞa-we:iǏlHo꒟f9SzH?+shk%Fs:����q��VhqY�`jvO'ρ?PyX3lх]˾uV{ݞ]1,MzYNW~̈́�joYn}ȚF߾mS]F� z+EDxm/���d{F�{-W-4wY듏:??_gPf
^3��ecg ���ҵs�8R2מz�@T�A�N�Gj)}CNi/R~}c:5{!�ZHӋӾ�6}T]��G�]7W6^�n
9*,Y�qOZj�:P?Q� D���FL|?-^.Ɵ7��}fFhxe2Ps���cz1�&�5\��cn[=Vn�[ĶE鎀u�ˌd3GII ��k;lNmشOuuRVfBE]ۣ��e���Ӷu�
:X-[(�e�r4~LHi6�:Ѻ@ԅ��r���ST�0�trk%$Č�0���ez"� *�z�"�T/X9|8.C5Feg}�C�Q%͞�ˣJ�v�L/?�����j^��h��&��9xF`њZ�(��&��yF&Iݻf�g�����#W;3^{Wo^4'v������V[[K';+mӍִ]��AC�@��W?1^{එyh�����+^]fm~iԵ]��AB�@WTk̏t�uR?l.OIHiYyԶ]��Aˀ�7c:q}ힽaf6Z~қ�m(+sK4{^6}T�*UUu]�n.:kx{:2 ��_m=�sAߤU@?���Z-Vކе��z왍Nэ{�|5��� pڶn�b
p-@sPg]0G7fy-M{GCF'%{4`���=$-Ge\��eU:m+Zt'W�jO!O�AF�@ik&t݆�ϥ�_
e}=]��"���Wz_.͜E3leW�������Fih|t-wZۍ-uw=6���YN�{6|}��|�*={Ѽn.�S��.�z1z�jۻTH]흾 D�uD�v��mvK�.`���V]yY~sI@t?/ϓ. �����m&[�"��+P?MzovV�ЫG3-�G�RR��[�(!!\_,�^%?v�@���ҵő
m`Y)te�m8GM��x.))A]Y�i`ViW`��?^�~!�S#^+ѽ��GZj?Vģ����0.))AlzL*�]�OXrY���`DBBLOj{-MH'ii-ϰ�o�k7^��
�)쭡��b]UXS�ְmռY|5�*cֽk�0B7镹%ڽP#�8nȎq}mJr23�_>�l�E5$iwui+ ��H~F`�IjƵ�@q
��\�� ��@#qG�0"��.�0"����� l���������`������.�0!����� ,��AQ�HN6�qz�kKJ#�o;`Xv�2>,tێJJ7Z/*�A���.@fفjMzk�g�����@Tv�ZH3Zxu6Ra'%O?/�d���Q�5x�Yk�U]Rֽkق@���Da�S^RS�ּ5�|BeHNN͘p
��H�v���cYcC5:y
#`οb;�z����2��.!kr}gUWkyZn=�f ����P�v��s�n3p~�;4p˚=ē~NmI] ��¾�0lH[_L�hs�h_�ғߤ�c_њe��c)��g�7V�IZ5�yrgk̞W#IjӪv>՞y睝M8[��|�]\շ�8M�6%|@P����ZڨI-m>=k�=��'a�iRo-x�?>Q.����}�`Ȏ:Wsm�u u� ��>
.@,&;�+!!�˱tﭧD����Qw�RW\v�F\~Q7>sp���Yw�$�%A~;~}6���¾�g��&if_��=j,v+U���L�1(tW�a�ke�:�@Ș>j$Gq2t7S?v�L|]u/ .(�0�E��6Mk6hiۺzښOr�ifޱxm/Gx>� �Lal%%~{lBsR4*�}{0Z/�tN�IɚpV�^#�Lf:u@k#RS�u
=S^ZyuR/�.@n&z~B=0eg�뺆#�,Þ[����B�/?H �uUf7y
Wy}Bw�egל`�Wh(||`l`.;Ws�?V@"�c:iɍL֯PGv�6z�ctM̠':wuW��;d=;E�veD}9J�@���B(�0iհ���bvP1{\P&G7DIy�_$-Q��jm~Yrr&]C�Dv%��bh|�Yzni�_���R�;kg}nJOIIw��y�u�L}{ЌNj}:+3Y?:W�J/N+Rzd=hb�;d�j͒suݔ@NKMԄ�jqzC5�@y°h�L�m;*5ezᕏ=ep
�XL�n?מ:r`��۵�tŤZ|1v`V뽧_csج'ߤ%oTuumk%%%h)uy]Nk�[n
�'b2 ��l.=�͜E%�gf$[c;s:�V-͞WߤWh-j7]4��=F-X]>ZLSi[Y*We;�Zan(Ӈ�W|e(HNNP�5[=
r4tP�
�&0<�p�c#�`vTNV
GFqvTi�*�Tyam$ߏWyE*�VJKMTfF�w�����>'�$-ؽ.Ho.8c�"@���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A~�j*�֘,��N;Pi3599h=g�oض��L��giJ5փy~�}&Zd9�p֚
e:|hL`�`b/d9�p?�fgg+%%hMg�Xosج�, �ΩOl0Zh=x�djL���mhݻ��o��O��[g_l,�8a]٭+ӧ0�$I�]����c]:粹:Teꢢ"5a^Kgh,&�=��=�՟�^߶ߢE�ܹS J}I%:8��
IDAT~,9/ʃ�PW'Mo�}zNƍ쨓zPb��NZ~^z�=4mswg;5 Y�~�SVMR��XUյڱRf?s:w
;�6��H:º���i�5�-maM�&O�3�;�1IKeam��Zh͛7+##v+c� ~u~ca]�GnF'ټL~����PPPbn
v�oC���4R,�ӟgg��%hq}�@#M4IÇ��� �Oy^xM��Zx
) ���yO�w��@HkN˖-Sǎ�mb]X�@�n+i͖��!++K3gd\��$mt$^���Yf��J�\�8PRF��)77Wא!Cl����$i:��@@_o�G��� I{$# ��8磌ŋ9�1A�(�Im7��֭>}ߴJq�7ޗt^� -[ԩSj*�}�%]&'
-��ɓ'ꫯVzzvB#;�a
�7@GxI{�jƌ�.LÇ�WBB7�`O"I$�/@R���@�eee@���۷��>}0���,ɒ2$53Xs|cS~r�pTYYY}� k�Hc��%&k�.], �@��A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������@lT<%''*Lo^={رc5h %$�+CnܸQ3fҥK}vUVVs9G�
R,_{�xˇ�3��o߾;TTTd�}�馛]uuuG~iԩ�@4����bn�vmv�fϞ�/Peeeq}}�z���a
�I~,誫{UWW뮻}_~YƍSMMMYχ��֝waw��\�ď�cxꩧtE�ƍ�կ_?۷5�@u���?�1kNׯWzz/wy>}zj3 k��(ٺu�q_Zvf̘:~��AB�Q&r|��!�%KҥKg�����Ԟ={<_X-z� !�C�yFUUz~��AB�QIIIjݺ�W��$���UXXDٳZ~��AB�Qƍec�W��$<�(~<��RSSvZujjjԧO�ZQu�@4 8m&&&jԩg��$�ď�1h ͟?_{768��@��g
�=�@���`)))5o6m�3����)��ѣƌ�J;wҿUTT��/KZR{��~a=�@��0o<*狔�iFɶ[ˎ�;T]]��OX�@�?K.ۈxN ����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������pP���fl߾]��,{ァk۶mڿo5�����BTӦMӴiӴ|r D����B2e�|An�!D��y'tkΝ[A��� $***t5'
"���!駟�oa�D�����nΝ�:t֭[g�D����ШQ�0����6qD;@���� x M6v�(����Piizm�Z����4e�w��"��@��������̴ixf������[~-F���ٱc�&I�Z����2|n�!�?�$��@{[�HTɏ����#@h�����Ȏ����I�#�_m��(���F��/6Z3�z'\r,�����r!;�w2Z3j=~�G���Y�7"I$i����I.����p_"����?���p�����N`�����y�D���D�����?:��� �_����������������������� �G����ÿa���b7�����J�!���Bx���@0 ���Bo�����
����cG���������@`1C�����[���@0G����
����@`0C�����_���u�����V1 ���aC���X����>���W�` ���|�������`!���<�����S�`"���<�.�����`#���c�����`�?�����c�A����������C���4
?����c���� �p#����~���@0����?:���0���8&����_�M���Q1���J�h#����?���/`���7;����I����������q�7���a�w���Q����A����1�H���p
�!��#�<���8/#��@1Ul7��=S=K.4Z�?�E����_$i�@��������!���1�!E���4�?���`����P_�� ��������@��B���ă�1���0#���:�"����a�U,xb��F�Y1
[n��|��n
���#'��v��EH:`�x��b
��#��v����D��4�Y hi.i&�EΖv#��O�� H��4�IŶ�}:Ik��h��@�tZRF���#�(tXҙ��zZ ?�I3l7��q��@õ|ۍ�1,�G��puY�� �Ꮿ@�hJv#��x��xk$
v#�9��5�}_$��c �S#=+"K�{F�*m7`#�%H:NRS��p6I?sIՖ{A�p$I�$�I:QRv2$Z�@UJ*$]<��F�O4�����IENDB`