From nobody Mon Apr 07 22:36:32 2025
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZWkbD5V5Yz5sJ3f;
	Mon, 07 Apr 2025 22:36:40 +0000 (UTC)
	(envelope-from robert.austen@willowglensystems.com)
Received: from YT3PR01CU008.outbound.protection.outlook.com (mail-canadacentralazlp170100000.outbound.protection.outlook.com [IPv6:2a01:111:f403:c103::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (secp384r1) server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.protection.outlook.com", Issuer "DigiCert Cloud Services CA-1" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZWkbD01y7z3Wc6;
	Mon, 07 Apr 2025 22:36:40 +0000 (UTC)
	(envelope-from robert.austen@willowglensystems.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=willowglensystems.com header.s=selector1 header.b=UG9pjF4T;
	arc=pass ("microsoft.com:s=arcselector10001:i=1");
	dmarc=pass (policy=reject) header.from=willowglensystems.com;
	spf=pass (mx1.freebsd.org: domain of robert.austen@willowglensystems.com designates 2a01:111:f403:c103:: as permitted sender) smtp.mailfrom=robert.austen@willowglensystems.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=taAX7XIahpklFPZNb7VI8DkKQsxWAvtLhLVW/a3Ow9PsGcbVLw6s0MyAjV6xXCBSjgAGYsc4zX+bIridDTsUXrYDxlGmoZJ9NmUOg3ZX4xndwkMpjv2Io9ffJVF8VBO7K4+VhoHiIPLpXIiqRPsWX2EOUywbhgiWQsOqpKh8FfgoExLEPqFOy61VJrpDvGzp3+qp3XATG7sOJT5GXh7GL/zcTXNACRRj0e6yTr2Y9GogtwhEFw+aMKyjj2i4VSWv3I6a/FSAxRl9FlwtsklGOkcKC7Vym3JjcLnpwpmt9TNVPhgp7OfbwkSd05GOvp0sorA2YnH4jgyvKerX+SzIQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=mKA2YZpye/L17Jc/kRlwjgkWwZd6+tIIT1UPV+kTTUg=;
 b=nYWE9D/j085ycss/3zV0dQ95Nuv38VFVB/PeNPfi62BWjASUUvcC+H6yaCYKGj3s/VImZgaSv5h201S56JiNfVqtYVu0OMjDVxhcBBiw0p5o4hhSzzfK9EQ4broosxQCIjcHY77SUeoc/j4jCgzTc5N+9r9sXLuLMln7FoCLpDMYtjR/6OwIwNWxTqdsheWsZu3Yx/C+ZaNiGPpHRPRmRGNUyl6Y526+HGaJcaTvjv5fOwZ6C1E2puW6kVtjqOthsXLECs3jEHwz/U6/7pJmb20P4SfCdgvBl3BYMUnfUBYf3vrWhYPpf6Wey5bj7GvugvsZ0rsAH3gpyyQsiCGchg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=willowglensystems.com; dmarc=pass action=none
 header.from=willowglensystems.com; dkim=pass header.d=willowglensystems.com;
 arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=willowglensystems.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=mKA2YZpye/L17Jc/kRlwjgkWwZd6+tIIT1UPV+kTTUg=;
 b=UG9pjF4TYmz8WWVgMTRF5xipvCRKXKLQA4379baYJU8i9quDRlmW7fSmO2G2Z9YSlYcJAS1Lc3fX1eKLciPw4h31hRcHRBX6OoVR4eMNVTmNUrnzoi+KBMVDy5jkaOb5UvOaP0mNAm3cY2A1YKW2UqDP541EGNXZAcZetqg7hWY=
Received: from YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b08::48f)
 by YT2PR01MB8230.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b01:b1::6) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8606.34; Mon, 7 Apr
 2025 22:36:32 +0000
Received: from YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM
 ([fe80::5599:33c9:6953:d09]) by YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM
 ([fe80::5599:33c9:6953:d09%3]) with mapi id 15.20.8606.033; Mon, 7 Apr 2025
 22:36:32 +0000
From: Robert Austen <robert.austen@willowglensystems.com>
To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>,
	"freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Fw: pfil_default_to_drop
Thread-Topic: pfil_default_to_drop
Thread-Index: AQHbqAfyk4Z18yjsM0yECEK2f5QGrrOYyea/gAAA4zE=
Date: Mon, 7 Apr 2025 22:36:32 +0000
Message-ID:
 <YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM>
References:
 <YT2PPFD8040D4DA15FF1002CDBF5DE22C41EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM>
 <YT2PPFD8040D4DA456DB44A9D2934D49D21EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To:
 <YT2PPFD8040D4DA456DB44A9D2934D49D21EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-CA, en-US
Content-Language: en-CA
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: YT2PPFD8040D4DA:EE_|YT2PR01MB8230:EE_
x-ms-office365-filtering-correlation-id: 5a4b2d8c-680e-45b7-0c2d-08dd7624a590
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam:
 BCL:0;ARA:13230040|376014|366016|1800799024|4013099003|4053099003|7053199007|8096899003|38070700018;
x-microsoft-antispam-message-info:
 =?iso-8859-1?Q?J5d/uduYyac5PI2FpBR3hZZSz9aBLCcRoogEHXABxs3C+1Nt5gGBvQoNBR?=
 =?iso-8859-1?Q?lM3PH3SBTx/4EffnxlTOtOuZ4VYOiBdDiKOkMfRoKXAnhOiDq+QhsoQlGw?=
 =?iso-8859-1?Q?/pCuhGY282byFWRav2imu+G0Oq147uej4stDXYbXtHFMotF4/Q7633kfVo?=
 =?iso-8859-1?Q?T5etmg0R2JLSM1TxMDFeqzu0L3YqwpOoIw+D3U6mkC8/9jeq4qjaWeayPr?=
 =?iso-8859-1?Q?EJbu45uyshYsk2SHPaxP2bc9KqbV1sPIAuyaEcdFSzXtTLcbIjPMO9/tHD?=
 =?iso-8859-1?Q?M5qTQpyu160TonX20WNbh4lhDhxbmq+6tho/8JrNF76jkRaojKscp3/Yb1?=
 =?iso-8859-1?Q?jZ4jy+yRS38iQ1X9HEaWgBTgiankSbelF6/JyFs/1LCOsQdsk04JBUQoVy?=
 =?iso-8859-1?Q?odcmTGOrTuzMAbPtOzbtKOUMYVmgImu6DTbHP6T7UmyX0FJqwPYX1A+4GF?=
 =?iso-8859-1?Q?9wxW1hjMHdoxEzAhc+LajUxzqyBt/tr1Hgl3jcrE+nPc1tIaPFQnVz+lgq?=
 =?iso-8859-1?Q?Io7JwWclXkmO70BxwWaEwrkUOyrlF30tInXY/z1O5N7q/BEDFpB7DxskZb?=
 =?iso-8859-1?Q?r6dwL0pga1BzhPq/IYY/KhrtvZUecXprw8TO/ZraOwc94aViAqmtVRuPOM?=
 =?iso-8859-1?Q?GEKPKsKmPvuuyMMmgLxDLpm+RSnGwA5Ap5bqr3CKQMQ6+YnyAjZNcSkquT?=
 =?iso-8859-1?Q?hKISqW+YFCq9oVLNgblygCdyvlMCoY+1dSCJ5rbGV1QnZ+FkSDOn92oAK5?=
 =?iso-8859-1?Q?O49Dgk0rOrU3K7kjm4V4i3JqAnn79ZdPgJ4g6rSrcUS9JoZ6kZX0VWUM/9?=
 =?iso-8859-1?Q?1f1QQAIxKXEhhhi69ekFiQAoq+0XtH+rUjfps+T6i9BRpiJd0YZdG0LnpJ?=
 =?iso-8859-1?Q?zzRSVkur4918bgcyuVPCuPk5Oo0CzXUgXVnmGA4SugI96Rq5TdN3Kv37G/?=
 =?iso-8859-1?Q?ckLkjG0NtMVr169TSGv0ymtCX15LAzwIg7C6BPq6ZIVDMOStSIrOU2JhUd?=
 =?iso-8859-1?Q?vCOIt/6s5oms+Q89ftDyyktrqDUg3ZUK0Z6GGw5Nn4JYjCTmq/vYnYUXEb?=
 =?iso-8859-1?Q?2owyOLG5Xia5Wx9VrnQOepCs7/izGH1+NxMDR9rqg2yuqT/NoTPSijlDbf?=
 =?iso-8859-1?Q?YvaIgqn463TKvOzJdGLkdUn/ZIFwffGiRoqv70C0LtMAQrEzCkDtZiNhGo?=
 =?iso-8859-1?Q?5H63K34McfGfau3IYGWyLD7J/QXJG28Qs4qzTGv5vnPikiUjwGyDa1eo8E?=
 =?iso-8859-1?Q?0BM0XJOqXuwYG8XeUf/Q2TMo6SgibeItGHoTZXyM06ntkFN+ZAPS9LKv84?=
 =?iso-8859-1?Q?2SnC9PrEZ7TZqb5xerxXHgP2U2I8VqpmCOFGa5HnW8lLYeEeIKV275u+g8?=
 =?iso-8859-1?Q?fHmfmGWLQfveeGQru6kyPNwoSRYdm4wAnX9zdG7NbFPgxyBIa0VBxVY3YQ?=
 =?iso-8859-1?Q?g/Rd0cHuV+ohFnci?=
x-forefront-antispam-report:
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024)(4013099003)(4053099003)(7053199007)(8096899003)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0:
 =?iso-8859-1?Q?A4v/ipqPtXz0yRE0Ix/3PKqy92pIbmJeZ8ydnqUEONqgSEkAiCOSdopHag?=
 =?iso-8859-1?Q?lnWSrlcKfCQOV7CtqQ2piPwVcIzLPeOymQ+qtxZ61lO5+RbVXPDoHOOseQ?=
 =?iso-8859-1?Q?nDR1BvJhi7kWTdXQPUF/RQ7Ru6sIzPgpQSv1+UREKqIPtxwnjmToiZGKUT?=
 =?iso-8859-1?Q?J44N6hk5gVdeDD+VzgoETBvQQFW6lGA2xvGIgHKxK77AgjENAaj7CTq/IM?=
 =?iso-8859-1?Q?DMV2SuMVSq98yYb03YEfyCNgjT72oSGKV3Uai8QSXOdOO+t3Cjqjhh+2mI?=
 =?iso-8859-1?Q?d6hm5pO1AV9FGsZhY55hgXTEHxIBzE2UrP+4SU8qTmqWU/1mLx3PNUtGX4?=
 =?iso-8859-1?Q?1vSeN8ZfQBh35Z1CJsYNUBvWimLQsFbnJhASvQqmlQBziDnlpc7BmyajNG?=
 =?iso-8859-1?Q?/+i+VF5HjE43VtOB4z/c7UVk+x+3VqmxnyPYkKkm6yLbQYznD+9cHEZhQg?=
 =?iso-8859-1?Q?MD5IQ9DNmiRAdUIHiXV/6zOBzrfYi/iKqKnMQ05UgEEu82zdYyMunEuVKL?=
 =?iso-8859-1?Q?3k1n4fkSAqpOsvRnwv8Pb2NocpV8kEH+gzeDOh6X0saRC6OovYBlqsznNw?=
 =?iso-8859-1?Q?xAOZLTDy/i5b7ZXhSimIRFxvT/R3/Kgj+rvRPOUp5+ey33eimFXUZbUt+7?=
 =?iso-8859-1?Q?eF3z4fgY3iiiM7FzrMRQ9dZXSC+1uYBUO6DIVyd+zha0paouy8JG0CUfqG?=
 =?iso-8859-1?Q?VmEucXruoaRtpUHkNZjhTdVouijdT0pgGdV8AIM4vhsU4wr4cgCjhN6LbN?=
 =?iso-8859-1?Q?Q40WnFRoccrUid6lDP63Cgih8KVZsd83NfDK7S7llaGdjG+4VvP0YXnPyp?=
 =?iso-8859-1?Q?2wuShGsl1Fv2KMG9hIpZVzdopPuxYeIGvEI/Dib33Oiu7u9WZsKhyPmD1e?=
 =?iso-8859-1?Q?gCRfo/o8tL6s4EDPIwhY4ZDhuahetJt5QpAq3INCgQEp2TzRKTseDUPpy6?=
 =?iso-8859-1?Q?RctrvrH2WHnbq0y1jyG2bg5OKfNMWtSclbJ+Dc7EXEdmvetumSIs21kDOH?=
 =?iso-8859-1?Q?UKlTDw1b/jUPjWhcvM4Zjw/cNoefs+ZOpaijyshxWpFB7aAbDrjkAkvRkt?=
 =?iso-8859-1?Q?kSYZKCYgtdvCP46wW/PPzoWr62OAgedPmSz2UAuvLFU3//DIGOE/n5p/WC?=
 =?iso-8859-1?Q?ng5+KtPBN2XUQT4spEHAlnvcMDAJZSl2Yy3TH8c7ds6lGluKPbgAP6Nuh/?=
 =?iso-8859-1?Q?VQIv3vI37WiOrIMs47rOAt/4BP6U7tJdnKR9cb502Kw5HA4FD6LRfQ35Gd?=
 =?iso-8859-1?Q?CSwTutFfAgZakIb2a6KobJGZugFEVh79pl3M+DgjQ3QWgKuR4s3wxkwyjD?=
 =?iso-8859-1?Q?iz3pOLHadWzPxxvFvSzrFIOQimwArji48FeVwLgrIdM/88bmv9d6tQx0S5?=
 =?iso-8859-1?Q?SS+hdEh9bzucs/GpIZDSCp3eq7Lh8ODC/YY4HygCsEyKI7Vh4ty6upWMYK?=
 =?iso-8859-1?Q?SGWT/qxn21TgW7QX9Bff3bDE/QoOaCyMxlnePWZaZx7/RNBfM5QqHd2bBJ?=
 =?iso-8859-1?Q?dsA7mRY2Nq6jRugeIVTXfgn3OU0ReSdz1Iqd4ydRie+sE59TxcJaxj6CMM?=
 =?iso-8859-1?Q?dpZbeWErflkkq7tbkDBoxqyFkyfWuLsWs+0GRgzwpZ2Goce+X1zEwgl4c5?=
 =?iso-8859-1?Q?SByCapPZYtbCmQwoNO6WogR4mn8x7R87qfPX87/FVA7Jy/eobx0v+yXxVE?=
 =?iso-8859-1?Q?pdXTGBb4bCFwoNjO6G8=3D?=
Content-Type: multipart/mixed;
	boundary="_004_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_"
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@FreeBSD.org
MIME-Version: 1.0
X-OriginatorOrg: willowglensystems.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a4b2d8c-680e-45b7-0c2d-08dd7624a590
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Apr 2025 22:36:32.4570
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c7bca0fa-9d0c-460d-8770-da688c84194e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Nnp/o7qRt3Fp6N/X+7e7nwc1dFM1vepsh3zQ6F6Wo5Gqlj49oIytRH0ZeHPBVeB2hpMjmcn7NuWNmvg0IOjOUoEJDMKwo8jGFWxNwOOw4qeFWzBVE1yVF1x1Dx4IFpDp
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT2PR01MB8230
X-Spamd-Result: default: False [-4.89 / 15.00];
	ARC_ALLOW(-1.00)[microsoft.com:s=arcselector10001:i=1];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-0.997];
	NEURAL_HAM_SHORT(-0.90)[-0.897];
	DMARC_POLICY_ALLOW(-0.50)[willowglensystems.com,reject];
	R_SPF_ALLOW(-0.20)[+ip6:2a01:111:f403:c000::/51:c];
	R_DKIM_ALLOW(-0.20)[willowglensystems.com:s=selector1];
	MIME_GOOD(-0.10)[multipart/mixed,multipart/alternative,text/plain];
	ASN(0.00)[asn:8075, ipnet:2a01:111:f000::/36, country:US];
	MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~];
	MISSING_XM_UA(0.00)[];
	HAS_ATTACHMENT(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-net@freebsd.org];
	RCVD_IN_DNSWL_NONE(0.00)[2a01:111:f403:c103:::from];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	RCVD_COUNT_TWO(0.00)[2];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_EQ_ADDR_ALL(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	DKIM_TRACE(0.00)[willowglensystems.com:+]
X-Rspamd-Queue-Id: 4ZWkbD01y7z3Wc6
X-Spamd-Bar: ----

--_004_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_
Content-Type: multipart/alternative;
	boundary="_000_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_"

--_000_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



________________________________
From: Robert Austen <robert.austen@willowglensystems.com>
Sent: April 7, 2025 4:33 PM
To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@=
freebsd.org <freebsd-net@freebsd.org>
Subject: Fw: pfil_default_to_drop


________________________________
From: Robert Austen
Sent: April 7, 2025 4:21 PM
To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
Subject: pfil_default_to_drop

Hello,
I've been playing with FreeBSD and PF to build myself a new firewall, as Op=
en/FreeBSD + PF seems to be a common starting point.

I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP a=
nd the like, with the observations that it's hard
to ensure that packets all default to drop if the rule file(s) for whatever=
 reason fail to load.

After looking thru the online documentation, forums and scripts, I came to =
the conclusion that it's not a PF problem or IPFW etc
or really a problem with any of the filters or scripts, the problem is at t=
he level of PFIL, the kernel packet filtering code: If no
filter is loaded, i.e. if the heads are unhooked, then PFIL sends everythin=
g thru to its destination. So my thought
was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_=
DEFAULT_TO_DROP) that drops all the
IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded cho=
sen filter (PF or whatever) at any given time the
hooks are  unhooked.

[No one filters on local loopback nor the link layer, so I've left those ho=
oks untouched. I suppose one could add them,
maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt =
there's much demand for it.]

Normally I'm an embedded linux kernel basher.
I'm not entirely sure where to send this patch. Most of the threads asking =
the above PF questions are closed to changes,
so that doesn't seem a good place. Sir Dice seems to be a common answerer o=
f questions; I would have sent it to him/her
if I could...

I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch=
"...
I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new fol=
der. The code was written against FreeBSD-14.1-RELEASE-amd64,
but I suspect the kernel code in the networking core doesn't change much fr=
om platform to platform, or version to version.

But it works, it's pretty simple, pretty small and so just in case it might=
 be useful, I'm passing it along.

thanks!


Robert





--_000_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=
olor: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, =
Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id=3D"appendonsend"></div>
<hr style=3D"display: inline-block; width: 98%;">
<div dir=3D"ltr" id=3D"divRplyFwdMsg"><span style=3D"font-family: Calibri, =
sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b>&nbsp;Robert=
 Austen &lt;robert.austen@willowglensystems.com&gt;<br>
<b>Sent:</b>&nbsp;April 7, 2025 4:33 PM<br>
<b>To:</b>&nbsp;freebsd-current@freebsd.org &lt;freebsd-current@freebsd.org=
&gt;; freebsd-net@freebsd.org &lt;freebsd-net@freebsd.org&gt;<br>
<b>Subject:</b>&nbsp;Fw: pfil_default_to_drop</span>
<div>&nbsp;</div>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div id=3D"x_appendonsend"></div>
<hr style=3D"direction: ltr; display: inline-block; width: 98%;">
<div dir=3D"ltr" id=3D"x_divRplyFwdMsg"><span style=3D"font-family: Calibri=
, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b>&nbsp;Robe=
rt Austen<br>
<b>Sent:</b>&nbsp;April 7, 2025 4:21 PM<br>
<b>To:</b>&nbsp;freebsd-current@freebsd.org &lt;freebsd-current@freebsd.org=
&gt;<br>
<b>Subject:</b>&nbsp;pfil_default_to_drop</span>
<div>&nbsp;</div>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
Hello,</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
I've been playing with FreeBSD and PF to build myself a new firewall, as Op=
en/FreeBSD + PF seems to be a common starting point.</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP a=
nd the like, with the observations that it's hard</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
to ensure that packets all default to drop if the rule file(s) for whatever=
 reason fail to load.&nbsp;</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
After looking thru the online documentation, forums and scripts, I came to =
the conclusion that it's not a PF problem or IPFW etc</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
or really a problem with any of the filters or scripts, the problem is at t=
he level of PFIL, the kernel packet filtering code: If no</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
filter is loaded, i.e. if the heads are unhooked, then PFIL sends <b>everyt=
hing</b>&nbsp;thru to its destination. So my thought&nbsp;</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_=
DEFAULT_TO_DROP) that drops all the</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded cho=
sen filter (PF or whatever) at any given time the&nbsp;</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
hooks are&nbsp; unhooked.&nbsp;</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
[No one filters on local loopback nor the link layer, so I've left those ho=
oks untouched. I suppose one could add them,</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt =
there's much demand for it.]</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
Normally I'm an embedded linux kernel basher.</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I'm not entirely sure where to send this patch. Most of the threads asking =
the above PF questions are closed to changes,</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
so that doesn't seem a good place. Sir Dice seems to be a common answerer o=
f questions; I would have sent it to him/her&nbsp;</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
if I could...</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
I'm not a user of GIT, so I'm not sure how to submit a &quot;GIT formatted =
patch&quot;...</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new fol=
der. The code was written against FreeBSD-14.1-RELEASE-amd64,</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
but I suspect the kernel code in the networking core doesn't change much fr=
om platform to platform, or version to version.</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
But it works, it's pretty simple, pretty small and so just in case it might=
 be useful, I'm passing it along.</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
thanks!</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Robert</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; text-align: left; text-indent: 0px; margin: 0=
px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=
elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos=
_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb=
(0, 0, 0);">
<br>
</div>
</body>
</html>

--_000_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_--

--_004_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_
Content-Type: application/x-zip-compressed;
	name="FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip"
Content-Description: FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip
Content-Disposition: attachment;
	filename="FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip";
	size=3361; creation-date="Mon, 07 Apr 2025 22:17:42 GMT";
	modification-date="Mon, 07 Apr 2025 22:35:54 GMT"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAFl9h1o5P+nyMQwAAC4yAAA1AAAARnJlZUJTRC0xNC4xLVJFTEVBU0UtYW1kNjQt
cGZpbF9kZWZhdWx0X3RvX2Ryb3AucGF0Y2jdWntv4kYQ/5uT7jtse1IEIRBsjAlJLypJ4EKPAAqk
vVaVLGMWbMXYrtdcmr4+e2cftgHbYNJcVTVKAt6dnd2dnd+81jNrPkcVf+YNHlADfevas9MV8U+J
b5ySZ3JquM78dDCcdMboWwc/ZfS9fVOpVHYNLsg1uVGpKZVaE0mNc6V2LqtVRW5IUuusVkOVmlqr
vX1TLpfZLHmYKOeN+rmkVmVFkRrKGpNvv0UVqVZTTqQaKvMvMoLGGf5sGbhQeFq8fYPeIU83HnFA
0JMVmO4qQIG7MkzLWaDAxGgy6ZeqCE1MiyBDd9AUoxXB85UNZMi0ZhjNLR8/6bZNGLO57y5R4OsG
9oEXRrozQ8RaWrbuwwjXJlVKxkhHXe2m020/9CfaZKjd3A9HMAMwJ3RiWORcX9kB8uZFpYT8lY1h
PLQ6zwh/xv5zQJcomJUps14/HzvLRvAXYD+dX5kvbnI9Gl23Rwg7+tQGHoYLW30yLcNEjxh7nKmt
kwA5kQAJdgK2YR8b2PqMZ4yT6yCdskPEpWTR/mmbdtVvX3+8Gn4K54FPU3cMPKO9sDDK0XYXi3Cv
4aHKZ+JQ67UTSaKH6nqB5ToEFXpUFJPOfaHwzvLETsnK81w/AA4JMq0//LBGGs6WQTr8+DBap/bo
kabRhmcBOxxefyy8m9qwewRqEklr+hweyub48aTT7k9uYRaxajR3YQcB1u3ApN+fdH+2tcKkKhXe
zXzXWzvajfnK0Ui63MPGxrMKHdlsis90u/32FsS33ng/fJh0tLtRe3ILzW/f5DFAYjAzDpm9sRHK
JMkwQ00wQ608ZkiwyTBEraQhUpoyU1n4FBp7d/XQ1Ub3QziB3uDD2ze8YTy574zHGhi5CW2iMoLe
QgEm1JbUplAomNA16I6pat3Qr50JsPhY4FQL253qNqNJ6gWj8Oa0txydfbLf4uPXTojzZkYt7pq0
r/qd8XZXt3eltfsfhokhYyDlbYSwlnG/N9J63a42HE0EG2JbXtXcqwwODk6tuTb1rdkCVw12SrsI
mErsZbOlFfWzc1mpKoosKfKmc9o7X6piSDL1UM1NxWg2mV7AB1MLkAo6PoX/8PvOcgx7BYb3G6Z3
AEEQ2+V6x9dUZBbMXTW/Tm1XWUc57ojP9+u0STzd15fxJHEHs8UmWHcb+2n9y+lqntqu22D6oEeY
7oaw3I3WSb3J90vHwN5guQVuj6ih6NxovYGmqIXiVlMPtF1Ff/yBUtpLWaxAWWNecVvMLK2jxNd2
egwCRMfoTjd8l1CvycWAiIcNa24ZsMNn5g/1KcHgvJA7Bzf4LNwsYaNP2SHMYW2IzQmPmwt9GGxt
MdFc/J6fKDs+zcT6rJTJJd5csj2DD7YJzrGquQ50eeaNCLEDWIYvmxLYO1XW/g/afubuX7L5vHvf
sfVUf5vBMUbAVygBi9173xoVt+bbrJLrmJX0Mz49ZiYMja3fKBIYMHgsbOrERAGN8yCivluRgEbT
OsRQT9hnlE9uNTJ/IC+H6srVfe/mQ0e7n9y2x7fauPdTZw3jyc5CAYJDBUj4krjRkaWGyqyOLJ1B
EqBQ78sNtTZbLZfPoA9FEvgrI0DUjKHj5QkSzxawKhSsOSryAUxvikeUwKhcEkOz5t4Jov+YtKlg
Suir96hWYgMLPg5WvnMRcVmi9+/R4KHfT/b/CcIr0LNBlDBN3iX0O6UpLLW5j/GyuCxd0OeYSZky
QZSZWC12flnhFS4SQyySDUF/hpZNyEdpKFw+yhkIqr4mHxFvCvGErcSdBwY6plwz5COmIz6VkJBN
b/AlRNMbrElm4YJ5ptHrhjDooBkJYCXhFEBPO0IxTX1XnxmQzYCg4kXDJiQmrs21hDI7EzrVkKVX
lRlf6b+pT5HUdqtQuLRQi9Ymg186/lzIRj2TuGyaUmsTb5bjrUKwwboAeeiY7TrEH+WbKhy2Sy4i
IPiZ0yH42dAt6suXa6ccUYrFoiLruCjEPP6EP/FEH6KnciGW3vfcX9guOHvNM58JOjpC6XoYjt2A
acgycyHltamjwy1acygksI1NYd+lte5CZ3ILWeYVRPh3k/aIU7KDESTxPLxNNLNZ4qfoQRxcsykM
wZmkioPbhkiWWucylHTPr63Z/sqhkRY9kX9oNK8/av3eeKJ1h/ed9vVtcTalyn4UbcC2SHBCj0Jz
8K9BaENCy4IoeeUS/tG9RhuJLY8wLGI/kEZCLrfCF0L0Z7IqRN+UXyL6FNkbXOB7TEq8kpjP0gil
n0rET+DgI9g+g41DiE5hp+ExSlwDQrO+IlArei82szFBrhSSZ0JxNpfsY4njrsHpOSMASJFrOXJG
ziR/uii1aidNVKYf0hlVEqETcUDL1dJyggJ90hzTdR8JBGDM8V/E0dNWrlX0SmBxikl2xyXoKlUu
17hZDroEkW/zig/9EGawtJAbyOmVs619AbdQ100pfJWQTCk5ZGuzXyUlEAXbe+brtvvjzs4JYqI4
1I5iXAjjkPaxcz/o9GHnm82QjWh8YRr05YGExQoZnjYHezN/monSyl4qBpN8DNMBAxcASr2+HzA7
2cUlODmlBKdyAwsfcaUF3VHdoYWNR6ps8BgEUO13lzqhijXAwdX4hlVgpzqxDIG2lc/Uji7Ddp+q
Bq+Mc4YWgbQGinQwyIZOME8m9nE1T10nvUyTrOt4ohp8aA0H/oLUjkfsO9iOijR1cWdSrzX4lQnd
aeA/i8B2K1dilteFI6oSTZ/NfPQeyCuXMCRuuxC2/fSY/gcp3a8ckDrkhQsTUbdKxRlV1ZlZYEJn
4WJYMqdDObaZ6d9fHyhtRbfcaYRY3T0Q8YEwNwFzR4eGoxkZ3TuMSgw9QTTkWVYul5r3GJgzv+ob
n8FzsbXDD3WpzPuyJYza43FJyLylcpm3WlzmYuZzFmgHM0yCWL7xU1Ky4wB7qHGOwKwuXNDD6IJK
iBF5vmtgynqxJdActZJcEoWRe0UKq0uXKXRkCNUxK5eOSWOrXdI8xMYx7RIWbidNHvvGCDOtmwzW
Tclv3RizLNtWT7nnrAvEKty25S8eT1038MCQ5K8qh9YnoxMb0JHblrHKUGoHIWnNxAi8vWaPGXuJ
S0SVhA2j16/EhPu0cwEU+KEXW4P2BAFAfIverNC73h9MTG0T2HFT9zzskBMUYNteG2V5YY7P7lBd
XuOyFmaA+DWqAFYETfTdaukhFy7U6BUg09Y1GEIILUyeDn7FceES1Qjg/rT6UmM31WevYOtcCLpj
Ww4PFwdYQIrSCJ6HYBL0YT8ogSgnKoFyFyzrh8ESuB2KS5njUn79251DoUadvBbYabDihwluHRRS
C8C5pCJSBxjAqwzBi3DMMNmqc0y2wlcxCA1VOSItD5RtGbizYlx9hbZjnvCZNnZiZTRt9M03SL7Y
CHbh6rxz/SVRB34tN+z2+0NRPSDw2gm8VFGMtGurGji39QWB7w6vDAK65tbUWS2ZD2RO8Aj7vutH
DA0dknLpnEqkazkWMfGMC6UQOm7XwbmyY3ZLBGqv5kgGGF3edGCDOAubqiLBCz35sJlkmIRnjcGz
sQlPOax7r6cEk9veGI2H3ckP7fvOCep83xmgXhe1b77vjTs3aNgFig4aDcfj3hXc3U9+pE3jh+tb
dNO+a3/o5Ir1D7+r/dJJALUBa/e0LX5Pq9aiFEDdkwOAelYBWWqcBaiVSzoMOhJhas8x3CXAUESl
cZQaI7SaL+BXs+NTy9njB9VdjnCXv1O3HR4L82OXJyLUjcAUbazsUAgyueeAIKPLC0FGnA3BJkBQ
PgiCjGE2BFsUgq8Uue5/7SHNY+7HUk4A5opEc2Nv8y2JutTgQpFUgT59oYtcUBhzijPDxrpPDNfD
xaMIbHAupYt0ihiOpYt/wUuq+93kdt64H5br0em2jWEbSq8txCUFoaJ4FpYVqgdUxpiW780bGVW+
zHGNNBOFjUMdIWN3iBtURa4kMHiw53ohDHMibW9s+RJkslevxGukTTmsuUTSS/i3OPsr4uqimjNz
jIexHJLy/6+kjoeiM7/PzIDnQe40WUE7DKJ700hGljORjGh3oVQ91FcCv/8VTMP88vVzx3R8h++C
S/xdA/giCxQ7rmOqNsBi5Z0zBWXaxDIpdPQe/XVH3+QeXdAU6dOnT2F2lFA5xG9A+YXjFwPkF/aX
tND6T10m19RNf/k3UEsBAj8AFAAAAAgAWX2HWjk/6fIxDAAALjIAADUAJAAAAAAAAAAgAAAAAAAA
AEZyZWVCU0QtMTQuMS1SRUxFQVNFLWFtZDY0LXBmaWxfZGVmYXVsdF90b19kcm9wLnBhdGNoCgAg
AAAAAAABABgATcmsAQao2wH5SqcBBqjbAflKpwEGqNsBUEsFBgAAAAABAAEAhwAAAIQMAAAAAA==

--_004_YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2YT2PPFD8040D4DA_--