From: Demi Marie Obenour
Date: Sat, 6 Sep 2025 13:07:12 -0400
Subject: Re: [DO_NOT_APPLY v3 2/3] integrate xdp-forwarder into net-vm
To: Spectrum OS Development, Yureka Lilian
Message-ID: <292b0238-9fae-4266-bc0e-a3b007cfa05d@gmail.com>
In-Reply-To: <20250901201248.19794-2-yureka@cyberchaos.dev>
References: <20250901201248.19794-1-yureka@cyberchaos.dev> <20250901201248.19794-2-yureka@cyberchaos.dev>
List-Id: Patches and low-level development discussion

On 9/1/25 16:12, Yureka Lilian wrote:
> Signed-off-by: Yureka Lilian > --- > pkgs/default.nix | 5 + > tools/default.nix | 15 +- > tools/meson.build | 5 + > tools/meson_options.txt | 4 + > tools/xdp-forwarder/include/parsing_helpers.h | 273 ++++++++++++++++++= > tools/xdp-forwarder/include/rewrite_helpers.h | 145 ++++++++++ > tools/xdp-forwarder/prog_physical.c | 37 +++ > tools/xdp-forwarder/prog_router.c | 43 +++ > tools/xdp-forwarder/set_router_iface.c | 32 ++ > 9 files changed, 556 insertions(+), 3 deletions(-) > create mode 100644 tools/xdp-forwarder/include/parsing_helpers.h > create mode 100644 tools/xdp-forwarder/include/rewrite_helpers.h > create mode 100644 tools/xdp-forwarder/prog_physical.c > create mode 100644 tools/xdp-forwarder/prog_router.c > create mode 100644 tools/xdp-forwarder/set_router_iface.c

I have quite a few comments here, but they are almost all about the vendored helper code, not your code. It's not written the way I would write it, and the code for pushing and popping VLAN tags is very slightly suboptimal. Also, while it is correct in the kernel/BPF context, it uses practices which would be bad, if not insecure, in userspace.

> diff --git a/pkgs/default.nix b/pkgs/default.nix > index 3b81339..76b2a5c 100644 > --- a/pkgs/default.nix > +++ b/pkgs/default.nix > @@ -1,4 +1,5 @@ > # SPDX-FileCopyrightText: 2023-2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > # SPDX-License-Identifier: MIT > =20 > { ... } @ args: > @@ -42,6 +43,10 @@ let > guestSupport =3D false; > hostSupport =3D true; > }; > + spectrum-driver-tools =3D self.callSpectrumPackage ../tools { > + guestSupport =3D false; > + driverSupport =3D true; > + }; > xdg-desktop-portal-spectrum-host =3D > self.callSpectrumPackage ../tools/xdg-desktop-portal-spectrum-ho= st {}; > =20 > diff --git a/tools/default.nix b/tools/default.nix > index 95d76a1..e664f47 100644 > --- a/tools/default.nix > +++ b/tools/default.nix 
> @@ -1,13 +1,16 @@ > # SPDX-License-Identifier: MIT > # SPDX-FileCopyrightText: 2022-2025 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > =20 > import ../lib/call-package.nix ( > { src, lib, stdenv, fetchCrate, fetchurl, runCommand, buildPackages > , meson, ninja, pkg-config, rustc > , clang-tools, clippy > , dbus > +, clang, libbpf > , guestSupport ? true > , hostSupport ? false > +, driverSupport ? false > }: > =20 > let > @@ -70,15 +73,18 @@ stdenv.mkDerivation (finalAttrs: { > ./lsvm > ./start-vmm > ./subprojects > + ] ++ lib.optionals driverSupport [ > + ./xdp-forwarder > ])); > }; > sourceRoot =3D "source/tools"; > =20 > depsBuildBuild =3D lib.optionals hostSupport [ buildPackages.stdenv.= cc ]; > nativeBuildInputs =3D [ meson ninja ] > - ++ lib.optionals guestSupport [ pkg-config ] > - ++ lib.optionals hostSupport [ rustc ]; > - buildInputs =3D lib.optionals guestSupport [ dbus ]; > + ++ lib.optionals (guestSupport || driverSupport) [ pkg-config ] > + ++ lib.optionals hostSupport [ rustc ] > + ++ lib.optionals driverSupport [ clang ]; > + buildInputs =3D lib.optionals guestSupport [ dbus ] ++ lib.optionals= driverSupport [ libbpf ]; > =20 > postPatch =3D lib.optionals hostSupport (lib.concatMapStringsSep "\n= " (crate: '' > mkdir -p subprojects/packagecache > @@ -88,12 +94,15 @@ stdenv.mkDerivation (finalAttrs: { > mesonFlags =3D [ > (lib.mesonBool "guest" guestSupport) > (lib.mesonBool "host" hostSupport) > + (lib.mesonBool "driver" driverSupport) > "-Dhostfsrootdir=3D/run/virtiofs/virtiofs0" > "-Dtests=3Dfalse" > "-Dunwind=3Dfalse" > "-Dwerror=3Dtrue" > ]; > =20 > + hardeningDisable =3D lib.optionals driverSupport [ "zerocallusedregs= " ]; > + > passthru.tests =3D { > clang-tidy =3D finalAttrs.finalPackage.overrideAttrs ( > { name, src, nativeBuildInputs ? [], ... }: > diff --git a/tools/meson.build b/tools/meson.build > index 9cebd03..e49f27c 100644 > --- a/tools/meson.build > +++ b/tools/meson.build 
> @@ -1,5 +1,6 @@ > # SPDX-License-Identifier: EUPL-1.2+ > # SPDX-FileCopyrightText: 2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > =20 > project('spectrum-tools', 'c', > default_options : { > @@ -26,3 +27,7 @@ endif > if get_option('guest') > subdir('xdg-desktop-portal-spectrum') > endif > + > +if get_option('driver') > + subdir('xdp-forwarder') > +endif > diff --git a/tools/meson_options.txt b/tools/meson_options.txt > index 4af0031..887e388 100644 > --- a/tools/meson_options.txt > +++ b/tools/meson_options.txt > @@ -1,5 +1,6 @@ > # SPDX-License-Identifier: EUPL-1.2+ > # SPDX-FileCopyrightText: 2022-2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > =20 > option('host', type : 'boolean', value : false, > description : 'Build tools for the Spectrum host') > @@ -7,6 +8,9 @@ option('host', type : 'boolean', value : false, > option('guest', type : 'boolean', > description : 'Build tools for Spectrum guests') > =20 > +option('driver', type : 'boolean', > + description : 'Build tools for Spectrum driver VMs') > + > option('hostfsrootdir', type : 'string', value : '/run/host', > description : 'Path where the virtio-fs provided by the host will be= mounted') > =20 > diff --git a/tools/xdp-forwarder/include/parsing_helpers.h b/tools/xdp-= forwarder/include/parsing_helpers.h > new file mode 100644 > index 0000000..3d240cd > --- /dev/null > +++ b/tools/xdp-forwarder/include/parsing_helpers.h 
> @@ -0,0 +1,273 @@ > +/* SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-2-clause) */ > +/* Vendored from https://github.com/xdp-project/xdp-tutorial/blob/d3d3= eed6ea9a63d1302bfa8b5a8e93862bfe11f0/common/parsing_helpers.h */> +/* > + * This file contains parsing functions that are used in the packetXX = XDP > + * programs. The functions are marked as __always_inline, and fully de= fined in > + * this header file to be included in the BPF program. > + * > + * Each helper parses a packet header, including doing bounds checking= , and > + * returns the type of its contents if successful, and -1 otherwise. > + * > + * For Ethernet and IP headers, the content type is the type of the pa= yload > + * (h_proto for Ethernet, nexthdr for IPv6), for ICMP it is the ICMP t= ype field. > + * All return values are in host byte order. > + * > + * The versions of the functions included here are slightly expanded v= ersions of > + * the functions in the packet01 lesson. For instance, the Ethernet he= ader > + * parsing has support for parsing VLAN tags. > + */ > + > +#ifndef __PARSING_HELPERS_H > +#define __PARSING_HELPERS_H > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/* Header cursor to keep track of current parsing position */ > +struct hdr_cursor { > + void *pos; > +};

It's better to use `unsigned char *` or `uint8_t *` here. I believe that clang can be made to issue a warning about arithmetic on `void *`.

> +/* > + * struct vlan_hdr - vlan header > + * @h_vlan_TCI: priority and VLAN ID > + * @h_vlan_encapsulated_proto: packet type ID or len > + */ > +struct vlan_hdr { > + __be16 h_vlan_TCI; > + __be16 h_vlan_encapsulated_proto; > +}; > + > +/* > + * Struct icmphdr_common represents the common part of the icmphdr and= icmp6hdr > + * structures. 
> + */ > +struct icmphdr_common { > + __u8 type; > + __u8 code; > + __sum16 cksum; > +}; > + > +/* Allow users of header file to redefine VLAN max depth */ > +#ifndef VLAN_MAX_DEPTH > +#define VLAN_MAX_DEPTH 2 > +#endif > + > +#define VLAN_VID_MASK 0x0fff /* VLAN Identifier */ > +/* Struct for collecting VLANs after parsing via parse_ethhdr_vlan */ > +struct collect_vlans { > + __u16 id[VLAN_MAX_DEPTH]; > +};>=20 > +static __always_inline int proto_is_vlan(__u16 h_proto) > +{ > + return !!(h_proto =3D=3D bpf_htons(ETH_P_8021Q) || > + h_proto =3D=3D bpf_htons(ETH_P_8021AD)); > +}

Presumably the router only uses one of these tags, as using both would be pointless complexity. There is no need to interoperate with third-party code that assumes that only the innermost tag uses ETH_P_8021Q. Therefore, one of these can be removed.

> +/* Notice, parse_ethhdr() will skip VLAN tags, by advancing nh->pos an= d returns > + * next header EtherType, BUT the ethhdr pointer supplied still points= to the > + * Ethernet header. Thus, caller can look at eth->h_proto to see if th= is was a > + * VLAN tagged packet. > + */

This function is only ever called with VLAN_MAX_DEPTH == 1, so it is significant overkill for Spectrum's needs.

> +static __always_inline int parse_ethhdr_vlan(struct hdr_cursor *nh, > + void *data_end, > + struct ethhdr **ethhdr, > + struct collect_vlans *vla= ns) > +{ > + struct ethhdr *eth =3D nh->pos; > + int hdrsize =3D sizeof(*eth); > + struct vlan_hdr *vlh; > + __u16 h_proto; > + int i; > + > + /* Byte-count bounds check; check if current pointer + size of header= > + * is after data_end. > + */ > + if (nh->pos + hdrsize > data_end) > + return -1;

In C, pointer arithmetic must produce a pointer that is either inside the bounds of an allocation, or one past the end.
This means that this is undefined behavior if nh->pos points to less than hdrsize bytes of memory. To avoid this, it is better to write the code as follows *if* data_end is known to be at least nh->pos, or if (as here) hdrsize is signed and known to be non-negative:

    if (data_end - nh->pos < hdrsize)
        return -1;

If hdrsize is unsigned and might exceed PTRDIFF_MAX, the following is needed:

    if ((data_end < nh->pos) || (size_t)(data_end - nh->pos) < hdrsize)
        return -1;

> + nh->pos +=3D hdrsize; > + *ethhdr =3D eth; > + vlh =3D nh->pos; > + h_proto =3D eth->h_proto; > + > + /* Use loop unrolling to avoid the verifier restriction on loops; > + * support up to VLAN_MAX_DEPTH layers of VLAN encapsulation. > + */ > + #pragma unroll > + for (i =3D 0; i < VLAN_MAX_DEPTH; i++) { > + if (!proto_is_vlan(h_proto)) > + break;> + > + if (vlh + 1 > data_end) > + break;

Generally this is an antipattern, as it can cause (potentially exploitable) overflow or wraparound if vlh is an integer, or undefined behavior if vlh is a past-the-end pointer. Subtracting sizeof(*vlh) from data_end will also be undefined behavior if the frame is too short. I recommend

    if (((const char *)data_end - (const char *)vlh) < (ptrdiff_t)sizeof(*vlh))
        break;

which is uglier, but safe. This can be wrapped in a macro if you wish, such as:

    #define INC_WOULD_BE_OOB(ptr, end) \
        ((const char *)(end) - (const char *)(ptr) < (ptrdiff_t)sizeof(*(ptr)))

    if (INC_WOULD_BE_OOB(vlh, data_end))
        break;

In the Linux kernel (specifically), one can get away with this because:

- Linux compiles with -fno-strict-overflow, so out-of-bounds pointer arithmetic is not undefined behavior.
- Linux reserves the top 4096 bytes of the address space for error pointers, so there will never be a valid pointer to this memory.
- sizeof(*vlh) < 4096 so if vlh is not an error pointer, vlh + 1 will not wrap around.
The same arguments all apply to BPF provided one compiles with -fno-strict-overflow and (possibly) -fno-strict-aliasing. The Linux kernel version is much easier to read, which I suspect is why it gets used. In userspace, one (sadly) needs to use the uglier versions.

> + h_proto =3D vlh->h_vlan_encapsulated_proto; > + if (vlans) /* collect VLAN ids */ > + vlans->id[i] =3D > + (bpf_ntohs(vlh->h_vlan_TCI) & VLAN_VID_MASK);

Spectrum only uses parse_ethhdr(), which passes NULL for the `vlans` argument. Therefore, this branch is unreachable.

> + vlh++; > + } > + > + nh->pos =3D vlh; > + return h_proto; /* network-byte-order */ > +} > + > +static __always_inline int parse_ethhdr(struct hdr_cursor *nh, > + void *data_end, > + struct ethhdr **ethhdr) > +{ > + /* Expect compiler removes the code that collects VLAN ids */ > + return parse_ethhdr_vlan(nh, data_end, ethhdr, NULL); > +} >=20 > +static __always_inline int parse_ip6hdr(struct hdr_cursor *nh, > + void *data_end, > + struct ipv6hdr **ip6hdr) > +{ > + struct ipv6hdr *ip6h =3D nh->pos; > + > + /* Pointer-arithmetic bounds check; pointer +1 points to after end of= > + * thing being pointed to. We will be using this style in the remaind= er > + * of the tutorial. > + */ > + if (ip6h + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + nh->pos =3D ip6h + 1; > + *ip6hdr =3D ip6h; > + > + return ip6h->nexthdr; > +} > + > +static __always_inline int parse_iphdr(struct hdr_cursor *nh, > + void *data_end, > + struct iphdr **iphdr) > +{ > + struct iphdr *iph =3D nh->pos; > + int hdrsize; > + > + if (iph + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + hdrsize =3D iph->ihl * 4; > + /* Sanity check packet field is valid */ > + if(hdrsize < sizeof(*iph)) > + return -1;

This is normally a very bad pattern because of integer overflow and/or wraparound, but in this case iph->ihl is a 4-bit bitfield and so iph->ihl * 4 is no more than 15 * 4 == 60.
> + /* Variable-length IPv4 header, need to use byte-based arithmetic */ > + if (nh->pos + hdrsize > data_end) > + return -1;

See above: this is UB in userspace but safe in the kernel/BPF with the correct compiler flags. If hdrsize could exceed 4095 it would not be, but it cannot.

> + nh->pos +=3D hdrsize; > + *iphdr =3D iph; > + > + return iph->protocol; > +} > + > +static __always_inline int parse_icmp6hdr(struct hdr_cursor *nh, > + void *data_end, > + struct icmp6hdr **icmp6hdr) > +{ > + struct icmp6hdr *icmp6h =3D nh->pos; > + > + if (icmp6h + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + nh->pos =3D icmp6h + 1; > + *icmp6hdr =3D icmp6h; > + > + return icmp6h->icmp6_type; > +} > + > +static __always_inline int parse_icmphdr(struct hdr_cursor *nh, > + void *data_end, > + struct icmphdr **icmphdr) > +{ > + struct icmphdr *icmph =3D nh->pos; > + > + if (icmph + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + nh->pos =3D icmph + 1; > + *icmphdr =3D icmph; > + > + return icmph->type; > +} > + > +static __always_inline int parse_icmphdr_common(struct hdr_cursor *nh,= > + void *data_end, > + struct icmphdr_common = **icmphdr) > +{ > + struct icmphdr_common *h =3D nh->pos; > + > + if (h + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + nh->pos =3D h + 1; > + *icmphdr =3D h; > + > + return h->type; > +} > + > +/* > + * parse_udphdr: parse the udp header and return the length of the udp= payload > + */ > +static __always_inline int parse_udphdr(struct hdr_cursor *nh, > + void *data_end, > + struct udphdr **udphdr) > +{ > + int len; > + struct udphdr *h =3D nh->pos; > + > + if (h + 1 > data_end) > + return -1;

Only safe in kernel/BPF.
> + nh->pos =3D h + 1; > + *udphdr =3D h; > + > + len =3D bpf_ntohs(h->len) - sizeof(struct udphdr); > + if (len < 0) > + return -1; > + > + return len; > +} > + > +/* > + * parse_tcphdr: parse and return the length of the tcp header > + */ > +static __always_inline int parse_tcphdr(struct hdr_cursor *nh, > + void *data_end, > + struct tcphdr **tcphdr) > +{ > + int len; > + struct tcphdr *h =3D nh->pos; > + > + if (h + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + len =3D h->doff * 4; > + /* Sanity check packet field is valid */ > + if(len < sizeof(*h)) > + return -1; > + > + /* Variable-length TCP header, need to use byte-based arithmetic */ > + if (nh->pos + len > data_end) > + return -1;

Only safe in kernel/BPF.

> + nh->pos +=3D len; > + *tcphdr =3D h; > + > + return len; > +} > + > +#endif /* __PARSING_HELPERS_H */ > diff --git a/tools/xdp-forwarder/include/rewrite_helpers.h b/tools/xdp-= forwarder/include/rewrite_helpers.h > new file mode 100644 > index 0000000..2deae9a > --- /dev/null > +++ b/tools/xdp-forwarder/include/rewrite_helpers.h 
> @@ -0,0 +1,145 @@ > +/* SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-2-clause) */ > +/* Vendored from https://github.com/xdp-project/xdp-tutorial/blob/d3d3= eed6ea9a63d1302bfa8b5a8e93862bfe11f0/common/rewrite_helpers.h */ > +/* > + * This file contains functions that are used in the packetXX XDP prog= rams to > + * manipulate on packets data. The functions are marked as __always_in= line, and > + * fully defined in this header file to be included in the BPF program= =2E > + */ > + > +#ifndef __REWRITE_HELPERS_H > +#define __REWRITE_HELPERS_H > + > +#include > +#include > +#include > +#include > + > +#include > +#include > + > +/* Pops the outermost VLAN tag off the packet. Returns the popped VLAN= ID on > + * success or negative errno on failure. > + */ > +static __always_inline int vlan_tag_pop(struct xdp_md *ctx, struct eth= hdr *eth) > +{ > + void *data_end =3D (void *)(long)ctx->data_end; > + struct ethhdr eth_cpy;

Unless the verifier requires otherwise, this only needs to be 12 bytes as the Ethertype is not restored, only the source and destination MAC addresses.

> + struct vlan_hdr *vlh; > + __be16 h_proto; > + int vlid;> + > + if (!proto_is_vlan(eth->h_proto)) > + return -1;

Only safe because the caller did a bounds check.

> + /* Careful with the parenthesis here */ > + vlh =3D (void *)(eth + 1); > + > + /* Still need to do bounds checking */ > + if (vlh + 1 > data_end) > + return -1;

Only safe in kernel/BPF.
> + /* Save vlan ID for returning, h_proto for updating Ethernet header *= / > + vlid =3D bpf_ntohs(vlh->h_vlan_TCI); > + h_proto =3D vlh->h_vlan_encapsulated_proto; > + > + /* Make a copy of the outer Ethernet header before we cut it off */ > + __builtin_memcpy(ð_cpy, eth, sizeof(eth_cpy)); > + > + /* Actually adjust the head pointer */ > + if (bpf_xdp_adjust_head(ctx, (int)sizeof(*vlh))) > + return -1; > + > + /* Need to re-evaluate data *and* data_end and do new bounds checking= > + * after adjusting head > + */ > + eth =3D (void *)(long)ctx->data; > + data_end =3D (void *)(long)ctx->data_end; > + if (eth + 1 > data_end) > + return -1; > + > + /* Copy back the old Ethernet header and update the proto type */ > + __builtin_memcpy(eth, ð_cpy, sizeof(*eth)); > + eth->h_proto =3D h_proto; > + > + return vlid; > +} > + > +/* Pushes a new VLAN tag after the Ethernet header. Returns 0 on succe= ss, > + * -1 on failure. > + */ > +static __always_inline int vlan_tag_push(struct xdp_md *ctx, > + struct ethhdr *eth, int vlid)= > +{ > + void *data_end =3D (void *)(long)ctx->data_end; > + struct ethhdr eth_cpy;

Again, this only needs to be 12 bytes, not 14, as the old Ethertype is unchanged. The only exception is if not doing this causes the BPF verifier to complain.

> + struct vlan_hdr *vlh; > + > + /* First copy the original Ethernet header */ > + __builtin_memcpy(ð_cpy, eth, sizeof(eth_cpy)); > + > + /* Then add space in front of the packet */ > + if (bpf_xdp_adjust_head(ctx, 0 - (int)sizeof(*vlh))) > + return -1; > + > + /* Need to re-evaluate data_end and data after head adjustment, and > + * bounds check, even though we know there is enough space (as we > + * increased it). > + */ > + data_end =3D (void *)(long)ctx->data_end; > + eth =3D (void *)(long)ctx->data; > + > + if (eth + 1 > data_end) > + return -1;

Only safe in kernel/BPF.
> + /* Copy back Ethernet header in the right place, populate VLAN tag wi= th > + * ID and proto, and set outer Ethernet header to VLAN type. > + */ > + __builtin_memcpy(eth, ð_cpy, sizeof(*eth)); > + > + vlh =3D (void *)(eth + 1); > + > + if (vlh + 1 > data_end) > + return -1;

Only safe in kernel/BPF.

> + vlh->h_vlan_TCI =3D bpf_htons(vlid); > + vlh->h_vlan_encapsulated_proto =3D eth->h_proto; > + > + eth->h_proto =3D bpf_htons(ETH_P_8021Q); > + return 0; > +} > + > +/* > + * Swaps destination and source MAC addresses inside an Ethernet heade= r > + */ > +static __always_inline void swap_src_dst_mac(struct ethhdr *eth) > +{ > + __u8 h_tmp[ETH_ALEN]; > + > + __builtin_memcpy(h_tmp, eth->h_source, ETH_ALEN); > + __builtin_memcpy(eth->h_source, eth->h_dest, ETH_ALEN); > + __builtin_memcpy(eth->h_dest, h_tmp, ETH_ALEN); > +} > + > +/* > + * Swaps destination and source IPv6 addresses inside an IPv6 header > + */ > +static __always_inline void swap_src_dst_ipv6(struct ipv6hdr *ipv6) > +{ > + struct in6_addr tmp =3D ipv6->saddr; > + > + ipv6->saddr =3D ipv6->daddr; > + ipv6->daddr =3D tmp; > +} > + > +/* > + * Swaps destination and source IPv4 addresses inside an IPv4 header > + */ > +static __always_inline void swap_src_dst_ipv4(struct iphdr *iphdr) > +{ > + __be32 tmp =3D iphdr->saddr; > + > + iphdr->saddr =3D iphdr->daddr; > + iphdr->daddr =3D tmp; > +} > + > +#endif /* __REWRITE_HELPERS_H */ > diff --git a/tools/xdp-forwarder/prog_physical.c b/tools/xdp-forwarder/= prog_physical.c > new file mode 100644 > index 0000000..04b5131 > --- /dev/null > +++ b/tools/xdp-forwarder/prog_physical.c 
> @@ -0,0 +1,37 @@ > +// SPDX-License-Identifier: EUPL-1.2+ > +// SPDX-FileCopyrightText: 2025 Yureka Lilian > + > +#define VLAN_MAX_DEPTH 1 > + > +#include > +#include > +#include "parsing_helpers.h" > +#include "rewrite_helpers.h" > + > +struct { > + __uint(type, BPF_MAP_TYPE_DEVMAP); > + __type(key, int); > + __type(value, int); > + __uint(max_entries, 1); > + __uint(pinning, LIBBPF_PIN_BY_NAME); > +} router_iface SEC(".maps"); > + > +SEC("xdp") > +int physical(struct xdp_md *ctx) > +{ > + void *data_end =3D (void *)(long)ctx->data_end; > + void *data =3D (void *)(long)ctx->data; > + > + struct hdr_cursor nh; > + nh.pos =3D data; > + > + struct ethhdr *eth; > + if (parse_ethhdr(&nh, data_end, ð) < 0) > + return XDP_DROP; > + > + if (ctx->ingress_ifindex < 1 || ctx->ingress_ifindex > 4096) > + return XDP_DROP;> + > + vlan_tag_push(ctx, eth, ctx->ingress_ifindex); > + return bpf_redirect_map(&router_iface, 0, 0); > +} > diff --git a/tools/xdp-forwarder/prog_router.c b/tools/xdp-forwarder/pr= og_router.c > new file mode 100644 > index 0000000..fe6a6b5 > --- /dev/null > +++ b/tools/xdp-forwarder/prog_router.c 
> @@ -0,0 +1,43 @@ > +// SPDX-License-Identifier: EUPL-1.2+ > +// SPDX-FileCopyrightText: 2025 Yureka Lilian > + > +#define VLAN_MAX_DEPTH 1 > + > +#include > +#include > +#include "parsing_helpers.h" > +#include "rewrite_helpers.h" > + > +// The map is actually not used by this program, but just included > +// to keep the reference-counted pin alive before any physical interfa= ces > +// are added. > +struct { > + __uint(type, BPF_MAP_TYPE_DEVMAP); > + __type(key, int); > + __type(value, int); > + __uint(max_entries, 1); > + __uint(pinning, LIBBPF_PIN_BY_NAME); > +} router_iface SEC(".maps"); > + > + > +SEC("xdp") > +int router(struct xdp_md *ctx) > +{ > + void *data_end =3D (void *)(long)ctx->data_end; > + void *data =3D (void *)(long)ctx->data; > + > + struct hdr_cursor nh; > + nh.pos =3D data; > + > + struct ethhdr *eth; > + int r; > + if (r =3D parse_ethhdr(&nh, data_end, ð) < 0) > + return XDP_DROP; > + > + int vlid =3D vlan_tag_pop(ctx, eth); > + if (vlid < 0) { > + return XDP_DROP; > + } > + > + return bpf_redirect(vlid, 0); > +} > diff --git a/tools/xdp-forwarder/set_router_iface.c b/tools/xdp-forward= er/set_router_iface.c > new file mode 100644 > index 0000000..f1a2bac > --- /dev/null > +++ b/tools/xdp-forwarder/set_router_iface.c 
> @@ -0,0 +1,32 @@ > +// SPDX-License-Identifier: EUPL-1.2+ > +// SPDX-FileCopyrightText: 2025 Yureka Lilian > + > +#include > +#include > +#include > + > +int main(int argc, char **argv) > +{ > + if (argc < 2) { > + fprintf(stderr, "missing interface name\n"); > + return 1; > + } > + > + int router_idx =3D if_nametoindex(argv[1]); > + if (router_idx <=3D 0) { > + perror("error getting router interface"); > + return 1; > + } > + > + int map_fd =3D bpf_obj_get("/sys/fs/bpf/router_iface"); > + if (map_fd < 0) { > + perror("failed to open bpf map"); > + return 1; > + } > + > + int id =3D 0; > + if (bpf_map_update_elem(map_fd, &id, &router_idx, 0) < 0) { > + perror("failed to update bpf map"); > + return 1; > + } > +}

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
BGbyLVgBEACqClxh50hmBepTSVlan6EBq3OAoxhrAhWZYEwN78k+ENhK68KhqC5R IsHzlL7QHW1gmfVBQZ63GnWiraM6wOJqFTL4ZWvRslga9u28FJ5XyK860mZLgYhK 9BzoUk4s+dat9jVUbq6LpQ1Ot5I9vrdzo2p1jtQ8h9WCIiFxSYy8s8pZ3hHh5T64 GIj1m/kY7lG3VIdUgoNiREGf/iOMjUFjwwE9ZoJ26j9p7p1U+TkKeF6wgswEB1T3 J8KCAtvmRtqJDq558IU5jhg5fgN+xHB8cgvUWulgK9FIF9oFxcuxtaf/juhHWKMO RtL0bHfNdXoBdpUDZE+mLBUAxF6KSsRrvx6AQyJs7VjgXJDtQVWvH0PUmTrEswgb 49nNU+dLLZQAZagxqnZ9Dp5l6GqaGZCHERJcLmdY/EmMzSf5YazJ6c0vO8rdW27M kn73qcWAplQn5mOXaqbfzWkAUPyUXppuRHfrjxTDz3GyJJVOeMmMrTxH4uCaGpOX Z8tN6829J1roGw4oKDRUQsaBAeEDqizXMPRc+6U9vI5FXzbAsb+8lKW65G7JWHym YPOGUt2hK4DdTA1PmVo0DxH00eWWeKxqvmGyX+Dhcg+5e191rPsMRGsDlH6KihI6 +3JIuc0y6ngdjcp6aalbuvPIGFrCRx3tnRtNc7He6cBWQoH9RPwluwARAQABwsOs BBgBCgAgFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmbyLVgCGwICQAkQsoi1X/+c IsHBdCAEGQEKAB0WIQSilC2pUlbVp66j3+yzNoc6synyUwUCZvItWAAKCRCzNoc6 synyU85gD/0T1QDtPhovkGwoqv4jUbEMMvpeYQf+oWgm/TjWPeLwdjl7AtY0G9Ml ZoyGniYkoHi37Gnn/ShLT3B5vtyI58ap2+SSa8SnGftdAKRLiWFWCiAEklm9FRk8 N3hwxhmSFF1KR/AIDS4g+HIsZn7YEMubBSgLlZZ9zHl4O4vwuXlREBEW97iL/FSt VownU2V39t7PtFvGZNk+DJH7eLO3jmNRYB0PL4JOyyda3NH/J92iwrFmjFWWmmWb /Xz8l9DIs+Z59pRCVTTwbBEZhcUc7rVMCcIYL+q1WxBG2e6lMn15OQJ5WfiE6E0I sGirAEDnXWx92JNGx5l+mMpdpsWhBZ5iGTtttZesibNkQfd48/eCgFi4cxJUC4PT UQwfD9AMgzwSTGJrkI5XGy+XqxwOjL8UA0iIrtTpMh49zw46uV6kwFQCgkf32jZM OLwLTNSzclbnA7GRd8tKwezQ/XqeK3dal2n+cOr+o+Eka7yGmGWNUqFbIe8cjj9T JeF3mgOCmZOwMI+wIcQYRSf+e5VTMO6TNWH5BI3vqeHSt7HkYuPlHT0pGum88d4a pWqhulH4rUhEMtirX1hYx8Q4HlUOQqLtxzmwOYWkhl1C+yPObAvUDNiHCLf9w28n uihgEkzHt9J4VKYulyJM9fe3ENcyU6rpXD7iANQqcr87ogKXFxknZ97uEACvSucc RbnnAgRqZ7GDzgoBerJ2zrmhLkeREZ08iz1zze1JgyW3HEwdr2UbyAuqvSADCSUU GN0vtQHsPzWl8onRc7lOPqPDF8OO+UfN9NAfA4wl3QyChD1GXl9rwKQOkbvdlYFV UFx9u86LNi4ssTmU8p9NtHIGpz1SYMVYNoYy9NU7EVqypGMguDCL7gJt6GUmA0sw p+YCroXiwL2BJ7RwRqTpgQuFL1gShkA17D5jK4mDPEetq1d8kz9rQYvAR/sTKBsR ImC3xSfn8zpWoNTTB6lnwyP5Ng1bu6esS7+SpYprFTe7ZqGZF6xhvBPf1Ldi9UAm U2xPN1/eeWxEa2kusidmFKPmN8lcT4miiAvwGxEnY7Oww9CgZlUB+LP4dl5VPjEt 
sFeAhrgxLdpVTjPRRwTd9VQF3/XYl83j5wySIQKIPXgT3sG3ngAhDhC8I8GpM36r 8WJJ3x2yVzyJUbBPO0GBhWE2xPNIfhxVoU4cGGhpFqz7dPKSTRDGq++MrFgKKGpI ZwT3CPTSSKc7ySndEXWkOYArDIdtyxdE1p5/c3aoz4utzUU7NDHQ+vVIwlnZSMiZ jek2IJP3SZ+COOIHCVxpUaZ4lnzWT4eDqABhMLpIzw6NmGfg+kLBJhouqz81WITr EtJuZYM5blWncBOJCoWMnBEcTEo/viU3GgcVRw=3D=3D =3Dx94R -----END PGP PUBLIC KEY BLOCK----- --------------3mmCVr52AmG5yRQ8o9lq0gcl-- --------------JKfRQDrNxZU007BGMUmWZ1j0-- --------------0p11Etpd5KYkSFrTxH1cxasJ Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEopQtqVJW1aeuo9/sszaHOrMp8lMFAmi8akkACgkQszaHOrMp 8lMJtg/+MStBFdErzuABCneR/g9GyMvs22Qzx4DWkI0HTT4Ws4mLJ0jAPKlke026 lR1XoG17PcofsJWimy2zjwTIpb+Cc+xwaCyj4Eckwh9YXqMSKb4ryQ/N5LEGdzf3 WoXATXrGLG9t8VfqX3QDXMWd13JcZP32YKz4sCkpJ1X3aB/6HYZgN/OwIHHp0EzG DHH5zVpCkix4BLamV/Pb4adIZa6xdBjetxbFpvR5Q8IjV4FELhxssRYq+R81hsxg F3oUywTFIXjhDm9czzzlFTSODcgjs465KcmuGcoOpbjUR+TNeOGXsWiHoe1Hcnju zD2X0+okH+ay5s4RIoYOqj0IERKJoYzTgshHYathpp7+TTGENTDuHDdgklzy9FMj INcCrZJ8ehsucYAazVpR4rITBg4E+G508ypvvYgMbTwDIyZA+XxQiAJjAZ9VZqrH /CZvjQCtHNK8q8b3x9ZEOGuXf94tqQ0pjegHzQzqFffhBhstOtKx6lxuz3cb1qBA yUowLTgbfgYtPY/7TIf5bguXUivlQJq0b5HQii0JP2YsV7gP31UR7iAt2s5gMmf9 G6w5mDsK49s0yw/jpWeT2UjkR7fUQs8gZ9ASjxiMD4jSikQ/hvumTDAxItJKqyzy U7APm76ejgyrFCjmI1EcGWakwQPBPilNfJD7m2B9LE8GpMMUz10= =G0O+ -----END PGP SIGNATURE----- --------------0p11Etpd5KYkSFrTxH1cxasJ--
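Review bot: In router(), `return bpf_redirect(vlid, 0);` uses the value returned by vlan_tag_pop() directly as the target ifindex, so the VLAN tag carried in a frame selects the egress interface with no check that it names an interface the forwarder is meant to serve. Consider resolving the tag through a map of permitted interfaces (for example a devmap with bpf_redirect_map()) and returning XDP_DROP on a miss. Separately, in `if (r = parse_ethhdr(...) < 0)` the comparison binds tighter than the assignment, so r receives the result of the comparison rather than the return value of parse_ethhdr(); r is not read afterwards, so either drop it or assign first and then test `r < 0`.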
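Review bot: In main() of set_router_iface.c, `bpf_map_update_elem(map_fd, &id, &router_idx, 0)` passes the update flag as a bare 0; writing BPF_ANY would make the intent explicit. The success path also ends without closing map_fd or an explicit `return 0;`, and since if_nametoindex() returns an unsigned int with 0 as its only failure value, keeping router_idx unsigned and testing `router_idx == 0` states the check more precisely than `<= 0` on an int.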