# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: rousskov@measurement-factory.com-20090309055308-\
#   pycnvm7arktsd5yv
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk
# testament_sha1: ace0a0653c337a5cbc0969213c1afaafd42574cd
# timestamp: 2009-03-08 23:53:52 -0600
# base_revision_id: rousskov@measurement-factory.com-20090308184106-\
#   4hkp9exkjcdwqvfi
# 
# Begin patch
=== modified file 'configure.in'
--- configure.in	2009-03-06 07:36:36 +0000
+++ configure.in	2009-03-09 05:53:08 +0000
@@ -1576,15 +1576,10 @@
 dnl Authentication libraries to build
 dnl This list will not be needed when each auth library has its own Makefile
 AUTH_LIBS_TO_BUILD=
-dnl Authentication libraries to link authenticating executables with.
-dnl These are the same as AUTH_LIBS_TO_BUILD, but with a path
-AUTH_LIBS_TO_ADD=
 for module in $AUTH_MODULES; do
-    AUTH_LIBS_TO_BUILD="$AUTH_LIBS_TO_BUILD lib${module}.a"
-    AUTH_LIBS_TO_ADD="$AUTH_LIBS_TO_ADD auth/lib${module}.a"
+    AUTH_LIBS_TO_BUILD="$AUTH_LIBS_TO_BUILD lib${module}.la"
 done
 AC_SUBST(AUTH_MODULES)
-AC_SUBST(AUTH_LIBS_TO_ADD)
 AC_SUBST(AUTH_LIBS_TO_BUILD)
 
 dnl bundled auth modules, in order to have handy defines for the cppunit testsuite
@@ -3806,6 +3801,7 @@
 	scripts/RunAccel \
 	src/Makefile \
 	src/base/Makefile \
+	src/acl/Makefile \
 	src/fs/Makefile \
 	src/repl/Makefile \
 	src/auth/Makefile \

=== removed file 'src/ACLChecklist.cci'
--- src/ACLChecklist.cci	2009-01-21 03:47:47 +0000
+++ src/ACLChecklist.cci	1970-01-01 00:00:00 +0000
@@ -1,41 +0,0 @@
-/*
- * $Id$
- *
- * DEBUG: section 28    Access Control
- * AUTHOR: Henrik Nordstrom
- *
- * SQUID Web Proxy Cache          http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- *  Squid is the result of efforts by numerous individuals from
- *  the Internet community; see the CONTRIBUTORS file for full
- *  details.   Many organizations have provided support for Squid's
- *  development; see the SPONSORS file for full details.  Squid is
- *  Copyrighted (C) 2001 by the Regents of the University of
- *  California; see the COPYRIGHT file for full details.  Squid
- *  incorporates software developed and/or copyrighted by other
- *  sources; see the CREDITS file for full details.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, write to the Free Software
- *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- */
-
-bool
-ACLChecklist::matchAclListFast(const ACLList * list)
-{
-    matchAclList(list, true);
-    return finished();
-}
-

=== modified file 'src/DelayBucket.cc'
--- src/DelayBucket.cc	2009-01-21 03:47:47 +0000
+++ src/DelayBucket.cc	2009-03-08 19:34:36 +0000
@@ -49,8 +49,8 @@
 #include "StoreClient.h"
 #include "MemObject.h"
 #include "client_side_request.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/Checklist.h"
+#include "acl/Acl.h"
 #include "ConfigParser.h"
 #include "DelayId.h"
 #include "Array.h"

=== modified file 'src/DelayConfig.cc'
--- src/DelayConfig.cc	2009-01-21 03:47:47 +0000
+++ src/DelayConfig.cc	2009-03-08 19:34:36 +0000
@@ -46,7 +46,8 @@
 #include "DelayPools.h"
 #include "DelayPool.h"
 #include "Store.h"
-#include "ACL.h"
+#include "acl/Acl.h"
+#include "acl/Gadgets.h"
 
 void
 DelayConfig::parsePoolCount()

=== modified file 'src/DelayId.cc'
--- src/DelayId.cc	2009-02-04 09:52:20 +0000
+++ src/DelayId.cc	2009-03-08 21:57:12 +0000
@@ -47,7 +47,7 @@
 #include "squid.h"
 #include "DelayId.h"
 #include "client_side_request.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "DelayPools.h"
 #include "DelayPool.h"
 #include "HttpRequest.h"
@@ -114,7 +114,7 @@
             continue;
         }
 
-        ACLChecklist ch;
+        ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, NULL);
 #if FOLLOW_X_FORWARDED_FOR
         if (Config.onoff.delay_pool_uses_indirect_client)
             ch.src_addr = r->indirect_client_addr;
@@ -126,12 +126,6 @@
         if (http->getConn() != NULL)
             ch.conn(http->getConn());
 
-        ch.request = HTTPMSGLOCK(r);
-
-        ch.accessList = cbdataReference(DelayPools::delay_data[pool].access);
-
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
-
         if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck()) {
 
             DelayId result (pool + 1);

=== modified file 'src/DelayPool.cc'
--- src/DelayPool.cc	2009-02-03 21:35:04 +0000
+++ src/DelayPool.cc	2009-03-08 19:34:36 +0000
@@ -41,7 +41,8 @@
 #if DELAY_POOLS
 #include "DelayPool.h"
 #include "CommonPool.h"
-#include "ACL.h"
+#include "acl/Acl.h"
+#include "acl/Gadgets.h"
 #include "Store.h"
 
 DelayPool::DelayPool() : pool (NULL), access (NULL)

=== modified file 'src/DelayTagged.cc'
--- src/DelayTagged.cc	2009-02-18 09:45:32 +0000
+++ src/DelayTagged.cc	2009-03-07 20:43:32 +0000
@@ -40,7 +40,6 @@
 #if DELAY_POOLS
 #include "squid.h"
 #include "DelayTagged.h"
-#include "authenticate.h"
 #include "NullDelayId.h"
 #include "Store.h"
 

=== modified file 'src/DelayTagged.h'
--- src/DelayTagged.h	2009-01-21 03:47:47 +0000
+++ src/DelayTagged.h	2009-03-08 19:34:36 +0000
@@ -41,7 +41,7 @@
 #if DELAY_POOLS
 
 #include "squid.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "CompositePoolNode.h"
 #include "DelayIdComposite.h"
 #include "DelayBucket.h"

=== modified file 'src/DelayUser.h'
--- src/DelayUser.h	2009-01-21 03:47:47 +0000
+++ src/DelayUser.h	2009-03-08 19:34:36 +0000
@@ -41,7 +41,7 @@
 #if DELAY_POOLS
 
 #include "squid.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "CompositePoolNode.h"
 #include "DelayIdComposite.h"
 #include "DelayBucket.h"

=== modified file 'src/ExternalACL.h'
--- src/ExternalACL.h	2009-01-21 03:47:47 +0000
+++ src/ExternalACL.h	2009-03-08 19:34:36 +0000
@@ -34,7 +34,7 @@
 #ifndef SQUID_EXTERNALACL_H
 #define SQUID_EXTERNALACL_H
 
-#include "ACLChecklist.h"
+#include "acl/Checklist.h"
 
 class external_acl;
 
@@ -53,7 +53,7 @@
 /** \todo CLEANUP: kill this typedef. */
 typedef struct _external_acl_data external_acl_data;
 
-#include "ACL.h"
+#include "acl/Acl.h"
 
 class ACLExternal : public ACL
 {

=== modified file 'src/HttpHeaderTools.cc'
--- src/HttpHeaderTools.cc	2009-03-01 22:22:22 +0000
+++ src/HttpHeaderTools.cc	2009-03-09 05:53:08 +0000
@@ -36,7 +36,7 @@
 #include "squid.h"
 #include "HttpHeader.h"
 #include "HttpHdrContRange.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "MemBuf.h"
 
 static void httpHeaderPutStrvf(HttpHeader * hdr, http_hdr_type id, const char *fmt, va_list vargs);
@@ -372,7 +372,6 @@
 
     /* check with anonymizer tables */
     header_mangler *hm;
-    ACLChecklist *checklist;
     assert(e);
 
     if (ROR_REQUEST == req_or_rep) {
@@ -389,9 +388,9 @@
         return 1;
     }
 
-    checklist = aclChecklistCreate(hm->access_list, request, NULL);
+    ACLFilledChecklist checklist(hm->access_list, request, NULL);
 
-    if (checklist->fastCheck()) {
+    if (checklist.fastCheck()) {
         /* aclCheckFast returns true for allow. */
         retval = 1;
     } else if (NULL == hm->replacement) {
@@ -406,7 +405,6 @@
         retval = 1;
     }
 
-    delete checklist;
     return retval;
 }
 

=== modified file 'src/HttpReply.cc'
--- src/HttpReply.cc	2009-02-18 09:45:32 +0000
+++ src/HttpReply.cc	2009-03-08 21:57:12 +0000
@@ -39,7 +39,7 @@
 #include "HttpReply.h"
 #include "HttpHdrContRange.h"
 #include "HttpHdrSc.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "HttpRequest.h"
 #include "MemBuf.h"
 
@@ -538,11 +538,10 @@
         return;
     bodySizeMax = -1;
 
-    ACLChecklist ch;
+    ACLFilledChecklist ch(NULL, &request, NULL);
     ch.src_addr = request.client_addr;
     ch.my_addr = request.my_addr;
     ch.reply = HTTPMSGLOCK(this); // XXX: this lock makes method non-const
-    ch.request = HTTPMSGLOCK(&request);
     for (acl_size_t *l = Config.ReplyBodySize; l; l = l -> next) {
         /* if there is no ACL list or if the ACLs listed match use this size value */
         if (!l->aclList || ch.matchAclListFast(l->aclList)) {

=== modified file 'src/Makefile.am'
--- src/Makefile.am	2009-02-27 15:34:07 +0000
+++ src/Makefile.am	2009-03-08 19:34:36 +0000
@@ -32,7 +32,7 @@
 TESTS=$(check_PROGRAMS)
 check_PROGRAMS=
 
-SUBDIRS	= base fs repl auth ip icmp
+SUBDIRS	= base acl fs repl auth ip icmp
 
 if USE_ADAPTATION
 SUBDIRS += adaptation
@@ -132,14 +132,6 @@
 endif
 
 SSL_ALL_SOURCE = \
-	ACLCertificateData.cc \
-	ACLCertificateData.h  \
-	ACLCertificate.cc \
-	ACLCertificate.h  \
-	ACLSslError.cc \
-	ACLSslError.h \
-	ACLSslErrorData.cc \
-	ACLSslErrorData.h \
 	ssl_support.cc \
 	ssl_support.h
 
@@ -181,20 +173,13 @@
 AIOPS_SOURCE = DiskIO/DiskThreads/aiops.cc
 endif
 
-IDENT_ALL_SOURCE = ACLIdent.cc ACLIdent.h ident.cc ident.h
+IDENT_ALL_SOURCE = ident.cc ident.h
 if ENABLE_IDENT
 IDENT_SOURCE = $(IDENT_ALL_SOURCE)
 else
 IDENT_SOURCE =
 endif
 
-ARP_ACL_ALL_SOURCE = ACLARP.cc ACLARP.h
-if ENABLE_ARP_ACL
-ARP_ACL_SOURCE = $(ARP_ACL_ALL_SOURCE)
-else
-ARP_ACL_SOURCE =
-endif
-
 AM_CFLAGS = @SQUID_CFLAGS@
 AM_CXXFLAGS = @SQUID_CXXFLAGS@
 
@@ -205,7 +190,11 @@
 # libraries used by many targets
 COMMON_LIBS = \
 	libsquid.la \
-	auth/libauth.a \
+	auth/libacls.la \
+	acl/libacls.la \
+	acl/libstate.la \
+	auth/libauth.la \
+	acl/libapi.la \
 	base/libbase.la \
 	ip/libip.la
 
@@ -278,7 +267,6 @@
 EXTRA_squid_SOURCES = \
 	$(AIO_WIN32_ALL_SOURCES) \
 	$(all_AUTHMODULES) \
-	$(ARP_ACL_ALL_SOURCE) \
 	ConfigOption.h \
 	$(DELAY_POOL_ALL_SOURCE) \
 	dns.cc \
@@ -301,89 +289,6 @@
 	DiskIO/DiskThreads/aiops.cc \
 	DiskIO/DiskThreads/aiops_win32.cc
 
-squid_ACLSOURCES = \
-	$(ARP_ACL_SOURCE) \
-	ACLASN.cc \
-	ACLASN.h \
-	ACLDestinationASN.h \
-	ACLSourceASN.h \
-	ACLBrowser.cc \
-	ACLBrowser.h \
-	ACLData.h \
-	ACLDestinationDomain.cc \
-	ACLDestinationDomain.h \
-	ACLDestinationIP.cc \
-	ACLDestinationIP.h \
-	ACLDomainData.h \
-	ACLDomainData.cc \
-	ACLExtUser.h \
-	ACLExtUser.cc \
-	ACLHTTPHeaderData.h \
-	ACLHTTPHeaderData.cc \
-	ACLHTTPStatus.h \
-	ACLHTTPStatus.cc \
-	ACLIntRange.cc \
-	ACLIntRange.h \
-	ACLIP.cc \
-	ACLIP.h \
-	ACLMaxConnection.cc \
-	ACLMaxConnection.h \
-	ACLMaxUserIP.cc \
-	ACLMaxUserIP.h \
-	ACLMethod.cc \
-	ACLMethod.h \
-	ACLMethodData.cc \
-	ACLMethodData.h \
-	ACLMyIP.cc \
-	ACLMyIP.h \
-	ACLMyPort.cc \
-	ACLMyPort.h \
-	ACLMyPortName.cc \
-	ACLMyPortName.h \
-	ACLPeerName.cc \
-	ACLPeerName.h \
-	ACLProtocol.cc \
-	ACLProtocol.h \
-	ACLProtocolData.cc \
-	ACLProtocolData.h \
-	ACLProxyAuth.cc \
-	ACLProxyAuth.h \
-	ACLReferer.cc \
-	ACLReferer.h \
-	ACLRegexData.cc \
-	ACLRegexData.h \
-	ACLReplyHeaderStrategy.h \
-	ACLReplyMIMEType.cc \
-	ACLReplyMIMEType.h \
-	ACLHTTPRepHeader.cc \
-	ACLHTTPRepHeader.h \
-	ACLHTTPReqHeader.cc \
-	ACLHTTPReqHeader.h \
-	ACLRequestHeaderStrategy.h \
-	ACLRequestMIMEType.cc \
-	ACLRequestMIMEType.h \
-	ACLSourceDomain.cc \
-	ACLSourceDomain.h \
-	ACLSourceIP.cc \
-	ACLSourceIP.h \
-	ACLStrategised.cc \
-	ACLStrategised.h \
-	ACLStrategy.h \
-	ACLStringData.cc \
-	ACLStringData.h \
-	ACLTime.cc \
-	ACLTime.h \
-	ACLTimeData.cc \
-	ACLTimeData.h \
-	ACLUrl.cc \
-	ACLUrl.h \
-	ACLUrlPath.cc \
-	ACLUrlPath.h \
-	ACLUrlPort.cc \
-	ACLUrlPort.h \
-	ACLUserData.cc \
-	ACLUserData.h 
-
 squid_COMMSOURCES = \
 	comm_select.cc \
 	comm_select.h \
@@ -413,12 +318,6 @@
 squid_SOURCES = \
 	access_log.cc \
 	AccessLogEntry.h \
-	acl.cc \
-	acl_noncore.cc \
-	ACL.h \
-	ACLChecklist.cc \
-	ACLChecklist.h \
-	$(squid_ACLSOURCES) \
 	asn.cc \
 	AsyncCallQueue.cc \
 	AsyncCallQueue.h \
@@ -427,8 +326,6 @@
 	AsyncJobCalls.h \
 	AsyncEngine.cc \
 	AsyncEngine.h \
-	authenticate.cc \
-	authenticate.h \
 	cache_cf.cc \
 	ProtoPort.cc \
 	ProtoPort.h \
@@ -472,6 +369,7 @@
 	$(DNSSOURCE) \
 	enums.h \
 	errorpage.cc \
+	errorpage.h \
 	$(ESI_SOURCE) \
 	ETag.cc \
 	event.cc \
@@ -637,7 +535,7 @@
 	$(WIN32_SOURCE) \
 	$(WINSVC_SOURCE)
 
-noinst_HEADERS = ACLChecklist.cci \
+noinst_HEADERS = \
 	client_side_request.cci \
 	MemBuf.cci \
 	MemBuf.h \
@@ -663,7 +561,6 @@
 	@REPL_OBJS@ \
 	@STORE_LIBS_TO_ADD@ \
 	@DISK_LIBS@ \
-	@AUTH_LIBS_TO_ADD@ \
 	@CRYPTLIB@ \
 	@REGEXLIB@ \
 	@SNMPLIB@ \
@@ -677,8 +574,7 @@
 	@STORE_LIBS_TO_ADD@ \
 	@DISK_LIBS@ \
 	@DISK_LINKOBJS@ \
-	@REPL_OBJS@ \
-	@AUTH_LIBS_TO_ADD@
+	@REPL_OBJS@
 
 if USE_LOADABLE_MODULES
 squid_SOURCES += $(LOADABLE_MODULES_SOURCES)
@@ -729,162 +625,20 @@
 	String.cc \
 	time.cc \
 	ufsdump.cc \
-	url.cc \
-	AsyncCallQueue.cc \
-	AsyncCallQueue.h \
-	AsyncCall.cc \
-	AsyncCall.h \
-	BodyPipe.cc \
-	BodyPipe.h \
-	ConfigParser.cc \
-	store.cc \
-	StoreFileSystem.cc \
-	StoreSwapLogData.cc \
-	StoreSwapLogData.h \
-	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLUserData.cc \
-	ACLRegexData.cc \
-	ACLStringData.cc \
-	authenticate.cc \
-	cache_cf.cc \
-	ProtoPort.cc \
-	ProtoPort.h \
-	cache_manager.cc \
-	CacheDigest.cc \
-	carp.cc \
-	cbdata.cc \
-	ChunkedCodingParser.cc \
-	ChunkedCodingParser.h \
-	client_db.cc \
-	client_side.cc \
-	client_side_reply.cc \
-	client_side_request.cc \
-	client_side_request.h \
-	clientStream.cc \
-	clientStream.h \
-	CommIO.h \
-	$(squid_COMMSOURCES) \
-	ConfigOption.cc \
-	defines.h \
-	$(DELAY_POOL_SOURCE) \
-	disk.cc \
 	dlink.h \
 	dlink.cc \
-	$(DNSSOURCE) \
-	enums.h \
-	errorpage.cc \
-	errorpage.h \
-	$(ESI_SOURCE) \
-	ETag.cc \
-	event.cc \
-	external_acl.cc \
-	ExternalACLEntry.cc \
-	fd.cc \
-	fde.cc \
-	fde.h \
-	filemap.cc \
-	forward.cc \
-	forward.h \
-	fqdncache.cc \
-	ftp.cc \
-	gopher.cc \
-	helper.cc \
-	$(HTCPSOURCE) \
-	http.cc \
-	HttpStatusLine.cc \
-	HttpHdrCc.cc \
-	HttpHdrRange.cc \
-	HttpHdrSc.cc \
-	HttpHdrScTarget.cc \
-	HttpHdrContRange.cc \
-	HttpHeader.cc \
-	HttpHeaderTools.cc \
-	HttpBody.cc \
-	HttpMsg.cc \
-	HttpReply.cc \
-	HttpRequest.cc \
 	HttpRequestMethod.cc \
-	icp_v2.cc \
-	icp_v3.cc \
-	$(IDENT_SOURCE) \
-	internal.cc \
-	$(IPC_SOURCE) \
-	ipcache.cc \
-	$(LEAKFINDERSOURCE) \
-        list.cc \
-	logfile.cc \
-	mem_node.cc \
-	mem_node.h \
-	Mem.h \
-	MemBuf.cc \
-	MemObject.cc \
-	MemObject.h \
-	mime.cc \
-	multicast.cc \
-	neighbors.cc \
-	Packer.cc \
-	Parsing.cc \
-	$(XPROF_STATS_SOURCE) \
-	pconn.cc \
-	peer_digest.cc \
-	peer_select.cc \
-	peer_sourcehash.cc \
-	peer_userhash.cc \
-	protos.h \
-	redirect.cc \
-	referer.cc \
-	refresh.cc \
 	RemovalPolicy.cc \
-	send-announce.cc \
-	$(SNMP_SOURCE) \
 	squid.h \
-	$(SSL_SOURCE) \
-	tunnel.cc \
-	Server.cc \
-	SquidNew.cc \
-	stat.cc \
-	StatHist.cc \
-	stmem.cc \
-	store_io.cc \
-	StoreIOBuffer.h \
-	StoreIOState.cc \
-	store_client.cc \
-	StoreClient.h \
-	store_digest.cc \
-	store_dir.cc \
-	store_log.cc \
-	store_rebuild.cc \
-	store_swapin.cc \
-	store_swapmeta.cc \
-	store_swapout.cc \
-	structs.h \
-	SwapDir.cc \
-	tools.cc \
-	typedefs.h \
-	$(UNLINKDSOURCE) \
-	URLScheme.cc \
-	urn.cc \
-	useragent.cc \
-	wccp.cc \
-	wccp2.cc \
-	whois.cc \
-	wordlist.cc \
 	$(WIN32_SOURCE)
 ufsdump_LDADD = \
 	$(COMMON_LIBS) \
-	icmp/libicmp.la icmp/libicmp-core.la \
 	@XTRA_OBJS@ \
 	@REPL_OBJS@ \
 	@STORE_LIBS_TO_ADD@ \
-	@AUTH_LIBS_TO_ADD@ \
 	@CRYPTLIB@ \
 	@REGEXLIB@ \
 	@SNMPLIB@ \
-	${ADAPTATION_LIBS} \
 	@SSLLIB@ \
 	-L$(top_builddir)/lib -lmiscutil \
 	@XTRA_LIBS@ \
@@ -894,14 +648,10 @@
 	@STORE_LIBS_TO_ADD@ \
 	@DISK_LIBS@ \
 	@DISK_LINKOBJS@ \
-	@REPL_OBJS@ \
-	@AUTH_LIBS_TO_ADD@
+	@REPL_OBJS@
 
 nodist_ufsdump_SOURCES = \
-	repl_modules.cc \
-	cf_parser.h \
-	globals.cc \
-	string_arrays.c
+	globals.cc
 
 BUILT_SOURCES = \
 	cf_gen_defines.h \
@@ -1163,13 +913,12 @@
 
 tests_testAuth_SOURCES = \
 	tests/testAuth.cc tests/testMain.cc  tests/testAuth.h \
-	authenticate.cc \
 	ConfigParser.cc \
 	tests/stub_acl.cc tests/stub_cache_cf.cc \
 	tests/stub_helper.cc cbdata.cc String.cc \
-	tests/stub_store.cc HttpHeaderTools.cc HttpHeader.cc acl.cc mem.cc \
-	MemBuf.cc HttpHdrContRange.cc Packer.cc ACLChecklist.cc HttpHdrCc.cc HttpHdrSc.cc \
-	HttpHdrScTarget.cc url.cc ACLProxyAuth.cc ACLRegexData.cc ACLUserData.cc \
+	tests/stub_store.cc HttpHeaderTools.cc HttpHeader.cc mem.cc \
+	MemBuf.cc HttpHdrContRange.cc Packer.cc HttpHdrCc.cc HttpHdrSc.cc \
+	HttpHdrScTarget.cc url.cc \
 	StatHist.cc HttpHdrRange.cc ETag.cc tests/stub_errorpage.cc \
 	tests/stub_HttpRequest.cc tests/stub_DelayId.cc \
 	tests/stub_MemObject.cc mem_node.cc \
@@ -1194,22 +943,19 @@
 
 tests_testAuth_LDADD= \
 	$(COMMON_LIBS) \
-	@AUTH_LIBS_TO_ADD@ \
 	-L../lib -lmiscutil \
 	@REGEXLIB@ \
 	@SQUID_CPPUNIT_LIBS@ \
 	@SSLLIB@
 tests_testAuth_LDFLAGS = $(LIBADD_DL)
 tests_testAuth_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a \
-	@AUTH_LIBS_TO_ADD@ \
 	@SQUID_CPPUNIT_LA@
 
 ## Tests for the ACLMaxUserIP class
 ## acl needs wordlist. wordlist needs MemBug
 ## MemBuf needs mem, MemBuf needs event,
 ## event needs cbdata.
-## ACLMaxUserUP needs authenticate.cc
-## authenticate.cc needs libauth.la
+## ACLMaxUserUP needs libauth.la
 ## ACLMaxUserIP needs ACLChecklist
 ## AuthUser request needs HttpHeader, which brings in 
 ##	ETag.cc \
@@ -1224,13 +970,6 @@
 ##	StatHist.cc \
 ##	String.cc \
 tests_testACLMaxUserIP_SOURCES= \
-	acl.cc \
-	ACLChecklist.cc \
-	ACLMaxUserIP.cc \
-	ACLProxyAuth.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	cbdata.cc \
 	ConfigParser.cc \
 	ETag.cc \
@@ -1302,14 +1041,6 @@
 	tests/testMain.cc \
 	time.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_manager.cc \
 	cache_cf.cc \
@@ -1452,10 +1183,11 @@
 nodist_tests_testDiskIO_SOURCES= \
 	$(SWAP_TEST_GEN_SOURCES)
 tests_testDiskIO_LDADD = \
+	$(SWAP_TEST_LDADD) \
+	@DISK_LIBS@ \
 	$(COMMON_LIBS) \
-	@DISK_LIBS@ \
-	$(SWAP_TEST_LDADD) \
 	SquidConfig.o
+
 tests_testDiskIO_LDFLAGS = $(LIBADD_DL)
 tests_testDiskIO_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a \
 	@DISK_LIBS@ \
@@ -1478,14 +1210,6 @@
 	tests/testMain.cc \
 	time.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_manager.cc \
 	cache_cf.cc \
@@ -1633,14 +1357,6 @@
 	tests/testMain.cc \
 	time.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_manager.cc \
 	cache_cf.cc \
@@ -1776,14 +1492,6 @@
 tests_test_http_range_SOURCES = \
 	tests/test_http_range.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_cf.cc \
 	ProtoPort.cc \
@@ -1938,14 +1646,6 @@
 	tests/testMain.cc \
 	time.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_manager.cc \
 	cache_cf.cc \
@@ -2097,7 +1797,6 @@
 	Parsing.cc \
 	ConfigOption.cc \
 	SwapDir.cc \
-	authenticate.cc \
 	tests/stub_acl.cc tests/stub_cache_cf.cc \
 	tests/stub_helper.cc cbdata.cc String.cc \
 	tests/stub_comm.cc \
@@ -2106,10 +1805,9 @@
 	mem_node.cc \
 	stmem.cc \
 	tests/stub_mime.cc \
-	HttpHeaderTools.cc HttpHeader.cc acl.cc mem.cc \
-	acl_noncore.cc \
-	MemBuf.cc HttpHdrContRange.cc Packer.cc ACLChecklist.cc HttpHdrCc.cc HttpHdrSc.cc \
-	HttpHdrScTarget.cc url.cc ACLProxyAuth.cc ACLRegexData.cc ACLUserData.cc \
+	HttpHeaderTools.cc HttpHeader.cc mem.cc \
+	MemBuf.cc HttpHdrContRange.cc Packer.cc HttpHdrCc.cc HttpHdrSc.cc \
+	HttpHdrScTarget.cc url.cc \
 	StatHist.cc HttpHdrRange.cc ETag.cc tests/stub_errorpage.cc \
 	tests/stub_HttpRequest.cc tests/stub_access_log.cc \
 	refresh.cc \
@@ -2223,6 +1921,7 @@
 	@REPL_OBJS@ \
 	@DISK_LIBS@ \
 	-L../lib -lmiscutil \
+	acl/libapi.la \
 	@SQUID_CPPUNIT_LIBS@
 SWAP_TEST_DS =\
 	$(top_builddir)/lib/libmiscutil.a \
@@ -2241,8 +1940,8 @@
 nodist_tests_testUfs_SOURCES = \
 	$(SWAP_TEST_GEN_SOURCES)
 tests_testUfs_LDADD = \
+	$(SWAP_TEST_LDADD) \
 	$(COMMON_LIBS) \
-	$(SWAP_TEST_LDADD) \
 	@SSLLIB@
 tests_testUfs_LDFLAGS = $(LIBADD_DL)
 tests_testUfs_DEPENDENCIES = \
@@ -2296,14 +1995,6 @@
 	tests/testMain.cc \
 	time.cc \
 	access_log.cc \
-	acl.cc \
-	acl_noncore.cc \
-	ACLChecklist.cc \
-	ACLProxyAuth.cc \
-	ACLStringData.cc \
-	ACLRegexData.cc \
-	ACLUserData.cc \
-	authenticate.cc \
 	BodyPipe.cc \
 	cache_manager.cc \
 	cache_cf.cc \

=== modified file 'src/access_log.cc'
--- src/access_log.cc	2009-02-06 00:59:06 +0000
+++ src/access_log.cc	2009-03-08 19:34:36 +0000
@@ -39,7 +39,7 @@
 // Store.h Required by configuration directives parsing/dumping only
 #include "Store.h"
 
-#include "ACLChecklist.h"
+#include "acl/Checklist.h"
 
 #include "HttpReply.h"
 #include "HttpRequest.h"

=== added directory 'src/acl'
=== renamed file 'src/acl.cc' => 'src/acl/Acl.cc'
--- src/acl.cc	2009-02-18 00:18:43 +0000
+++ src/acl/Acl.cc	2009-03-08 19:45:44 +0000
@@ -33,12 +33,10 @@
  */
 #include "config.h"
 
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
 #include "ConfigParser.h"
 #include "dlink.h"
-/* for special-case PURGE test */
-#include "HttpRequestMethod.h"
 
 const char *AclMatchedName = NULL;
 
@@ -278,12 +276,12 @@
 {
     int rv;
 
-    if (NULL == checklist->request && requiresRequest()) {
+    if (!checklist->hasRequest() && requiresRequest()) {
         debugs(28, 1, "ACL::checklistMatches WARNING: '" << name << "' ACL is used but there is no HTTP request -- not matching.");
         return 0;
     }
 
-    if (NULL == checklist->reply && requiresReply()) {
+    if (!checklist->hasReply() && requiresReply()) {
         debugs(28, 1, "ACL::checklistMatches WARNING: '" << name << "' ACL is used but there is no HTTP reply -- not matching.");
         return 0;
     }
@@ -321,35 +319,6 @@
     safe_free(cfgline);
 }
 
-#include "ACLStrategised.h"
-bool
-acl_access::containsPURGE() const
-{
-    acl_access const *a = this;
-    ACLList *b;
-
-    debugs(28, 6, "acl_access::containsPURGE: invoked for '" << cfgline << "'");
-
-    for (; a; a = a->next) {
-        for (b = a->aclList; b; b = b->next) {
-            ACLStrategised<HttpRequestMethod> *tempAcl = dynamic_cast<ACLStrategised<HttpRequestMethod> *>(b->_acl);
-
-            if (!tempAcl) {
-                debugs(28, 7, "acl_access::containsPURGE: can't create tempAcl");
-                continue;
-            }
-
-            if (tempAcl->match(METHOD_PURGE)) {
-                debugs(28, 6, "acl_access::containsPURGE:   returning true");
-                return true;
-            }
-        }
-    }
-
-    debugs(28, 6, "acl_access::containsPURGE:   returning false");
-    return false;
-}
-
 /* to be split into separate files in the future */
 
 CBDATA_CLASS_INIT(acl_access);

=== renamed file 'src/ACL.h' => 'src/acl/Acl.h'
--- src/ACL.h	2009-02-04 09:52:20 +0000
+++ src/acl/Acl.h	2009-03-08 19:45:44 +0000
@@ -38,46 +38,9 @@
 #include "Array.h"
 #include "cbdata.h"
 #include "dlink.h"
-/**
- \todo FIXME: finish splitting out the dependencies here
- *	- typedefs should not be needed to parse this.
- */
-#include "typedefs.h"
 
 class ConfigParser;
-
-/* acl.c */
-
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclDestroyAccessList(acl_access **list);
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclDestroyAcls(ACL **);
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclDestroyAclList(ACLList **);
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclParseAccessLine(ConfigParser &parser, acl_access **);
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclParseAclList(ConfigParser &parser, ACLList **);
-/// \ingroup ACLAPI
-SQUIDCEXTERN int aclIsProxyAuth(const char *name);
-/// \ingroup ACLAPI
-SQUIDCEXTERN err_type aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name, int redirect_allowed);
-
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclParseDenyInfoLine(struct acl_deny_info_list **);
-
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclDestroyDenyInfoList(struct acl_deny_info_list **);
-/// \ingroup ACLAPI
-SQUIDCEXTERN wordlist *aclDumpGeneric(const ACL *);
-/// \ingroup ACLAPI
-SQUIDCEXTERN void aclCacheMatchFlush(dlink_list * cache);
-/// \ingroup ACLAPI
-extern void dump_acl_access(StoreEntry * entry, const char *name, acl_access * head);
-/// \ingroup ACLAPI
-int aclPurgeMethodInUse(acl_access * a);
-/// \ingroup ACLAPI
-extern const char *AclMatchedName;	/* NULL */
+class ACLChecklist;
 
 /// \ingroup ACLAPI
 class ACL
@@ -154,7 +117,6 @@
 public:
     void *operator new(size_t);
     void operator delete(void *);
-    bool containsPURGE() const;
     allow_t allow;
     ACLList *aclList;
     char *cfgline;
@@ -194,4 +156,8 @@
 
 MEMPROXY_CLASS_INLINE(acl_proxy_auth_match_cache);
 
+
+/// \ingroup ACLAPI
+extern const char *AclMatchedName;	/* NULL */
+
 #endif /* SQUID_ACL_H */

=== renamed file 'src/ACLARP.cc' => 'src/acl/Arp.cc'
--- src/ACLARP.cc	2009-01-07 11:24:40 +0000
+++ src/acl/Arp.cc	2009-03-08 21:57:12 +0000
@@ -73,7 +73,8 @@
 #endif
 #endif
 
-#include "ACLARP.h"
+#include "acl/Arp.h"
+#include "acl/FilledChecklist.h"
 #include "wordlist.h"
 
 #if !USE_ARP_ACL
@@ -224,8 +225,10 @@
 }
 
 int
-ACLARP::match(ACLChecklist *checklist)
+ACLARP::match(ACLChecklist *cl)
 {
+	ACLFilledChecklist *checklist = Filled(cl);
+
     /* IPv6 does not do ARP */
     if (!checklist->src_addr.IsIPv4()) {
         debugs(14, 3, "ACLARP::match: IPv4 Required for ARP Lookups. Skipping " << checklist->src_addr );

=== renamed file 'src/ACLARP.h' => 'src/acl/Arp.h'
--- src/ACLARP.h	2009-01-21 03:47:47 +0000
+++ src/acl/Arp.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLARP_H
 #define SQUID_ACLARP_H
 
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
 #include "splay.h"
 
 /// \ingroup ACLAPI

=== renamed file 'src/ACLASN.cc' => 'src/acl/Asn.cc'
--- src/ACLASN.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Asn.cc	2009-03-08 19:34:36 +0000
@@ -34,6 +34,6 @@
  */
 
 #include "squid.h"
-#include "ACLASN.h"
-#include "ACLChecklist.h"
+#include "acl/Asn.h"
+#include "acl/Checklist.h"
 

=== renamed file 'src/ACLASN.h' => 'src/acl/Asn.h'
--- src/ACLASN.h	2009-01-07 11:24:40 +0000
+++ src/acl/Asn.h	2009-03-08 19:34:36 +0000
@@ -32,10 +32,10 @@
 #ifndef SQUID_ACLASN_H
 #define SQUID_ACLASN_H
 
-#include "ACLData.h"
+#include "acl/Data.h"
 #include "CbDataList.h"
-#include "ACLStrategised.h"
-#include "ACLChecklist.h"
+#include "acl/Strategised.h"
+#include "acl/Checklist.h"
 #include "ip/IpAddress.h"
 
 SQUIDCEXTERN int asnMatchIp(CbDataList<int> *, IpAddress &);

=== renamed file 'src/ACLBrowser.cc' => 'src/acl/Browser.cc'
--- src/ACLBrowser.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Browser.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLChecklist.h"
-#include "ACLBrowser.h"
-#include "ACLRegexData.h"
+#include "acl/Checklist.h"
+#include "acl/Browser.h"
+#include "acl/RegexData.h"
 
 /* explicit template instantiation required for some systems */
 

=== renamed file 'src/ACLBrowser.h' => 'src/acl/Browser.h'
--- src/ACLBrowser.h	2009-01-21 03:47:47 +0000
+++ src/acl/Browser.h	2009-03-08 19:34:36 +0000
@@ -35,10 +35,10 @@
 #ifndef SQUID_ACLBROWSER_H
 #define SQUID_ACLBROWSER_H
 
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLRequestHeaderStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/RequestHeaderStrategy.h"
+#include "acl/Strategised.h"
 
 /// \ingroup ACLAPI
 class ACLBrowser

=== renamed file 'src/ACLCertificate.cc' => 'src/acl/Certificate.cc'
--- src/ACLCertificate.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Certificate.cc	2009-03-08 21:53:27 +0000
@@ -41,9 +41,9 @@
  */
 #if USE_SSL
 
-#include "ACLCertificate.h"
-#include "ACLChecklist.h"
-#include "ACLCertificateData.h"
+#include "acl/Certificate.h"
+#include "acl/Checklist.h"
+#include "acl/CertificateData.h"
 #include "fde.h"
 #include "client_side.h"
 
@@ -53,7 +53,7 @@
 ACLStrategised<SSL *> ACLCertificate::CARegistryEntry_(new ACLCertificateData (sslGetCAAttribute), ACLCertificateStrategy::Instance(), "ca_cert");
 
 int
-ACLCertificateStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLCertificateStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     const int fd = checklist->fd();
     const bool goodDescriptor = 0 <= fd && fd <= Biggest_FD;

=== renamed file 'src/ACLCertificate.h' => 'src/acl/Certificate.h'
--- src/ACLCertificate.h	2009-01-21 03:47:47 +0000
+++ src/acl/Certificate.h	2009-03-08 21:53:27 +0000
@@ -35,18 +35,18 @@
 #ifndef SQUID_ACLCERTIFICATE_H
 #define SQUID_ACLCERTIFICATE_H
 
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Checklist.h"
 #include "ssl_support.h"
-#include "ACLStrategised.h"
+#include "acl/Strategised.h"
 
 /// \ingroup ACLAPI
 class ACLCertificateStrategy : public ACLStrategy<SSL *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLCertificateStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLCertificateData.cc' => 'src/acl/CertificateData.cc'
--- src/ACLCertificateData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/CertificateData.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLCertificateData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
+#include "acl/CertificateData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 
 ACLCertificateData::ACLCertificateData(SSLGETATTRIBUTE *sslStrategy) : attribute (NULL), values (), sslAttributeCall (sslStrategy)

=== renamed file 'src/ACLCertificateData.h' => 'src/acl/CertificateData.h'
--- src/ACLCertificateData.h	2009-01-21 03:47:47 +0000
+++ src/acl/CertificateData.h	2009-03-08 19:34:36 +0000
@@ -36,10 +36,10 @@
 #define SQUID_ACLCERTIFICATEDATA_H
 
 #include "splay.h"
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 #include "ssl_support.h"
-#include "ACLStringData.h"
+#include "acl/StringData.h"
 
 /// \ingroup ACLAPI
 class ACLCertificateData : public ACLData<SSL *>

=== renamed file 'src/ACLChecklist.cc' => 'src/acl/Checklist.cc'
--- src/ACLChecklist.cc	2009-02-24 23:52:44 +0000
+++ src/acl/Checklist.cc	2009-03-08 19:41:27 +0000
@@ -34,78 +34,7 @@
  */
 
 #include "squid.h"
-#include "ACLChecklist.h"
-#include "HttpRequest.h"
-#include "HttpReply.h"
-#include "authenticate.h"
-#include "ACLProxyAuth.h"
-#include "client_side.h"
-#include "auth/UserRequest.h"
-
-int
-ACLChecklist::authenticated()
-{
-    http_hdr_type headertype;
-
-    if (NULL == request) {
-        fatal ("requiresRequest SHOULD have been true for this ACL!!");
-        return 0;
-    } else if (request->flags.accelerated) {
-        /* WWW authorization on accelerated requests */
-        headertype = HDR_AUTHORIZATION;
-    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
-        debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
-        return -1;
-    } else {
-        /* Proxy authorization on proxy requests */
-        headertype = HDR_PROXY_AUTHORIZATION;
-    }
-
-    /* get authed here */
-    /* Note: this fills in auth_user_request when applicable */
-    /*
-     * DPW 2007-05-08
-     * tryToAuthenticateAndSetAuthUser used to try to lock and
-     * unlock auth_user_request on our behalf, but it was too
-     * ugly and hard to follow.  Now we do our own locking here.
-     *
-     * I'm not sure what tryToAuthenticateAndSetAuthUser does when
-     * auth_user_request is set before calling.  I'm tempted to
-     * unlock and set it to NULL, but it seems safer to save the
-     * pointer before calling and unlock it afterwards.  If the
-     * pointer doesn't change then its a no-op.
-     */
-    AuthUserRequest *old_auth_user_request = auth_user_request;
-    auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser (&auth_user_request, headertype, request, conn(), src_addr);
-    if (auth_user_request)
-        AUTHUSERREQUESTLOCK(auth_user_request, "ACLChecklist");
-    AUTHUSERREQUESTUNLOCK(old_auth_user_request, "old ACLChecklist");
-    switch (result) {
-
-    case AUTH_ACL_CANNOT_AUTHENTICATE:
-        debugs(28, 4, "aclMatchAcl: returning  0 user authenticated but not authorised.");
-        return 0;
-
-    case AUTH_AUTHENTICATED:
-
-        return 1;
-        break;
-
-    case AUTH_ACL_HELPER:
-        debugs(28, 4, "aclMatchAcl: returning 0 sending credentials to helper.");
-        changeState (ProxyAuthLookup::Instance());
-        return 0;
-
-    case AUTH_ACL_CHALLENGE:
-        debugs(28, 4, "aclMatchAcl: returning 0 sending authentication challenge.");
-        changeState (ProxyAuthNeeded::Instance());
-        return 0;
-
-    default:
-        fatal("unexpected authenticateAuthenticate reply\n");
-        return 0;
-    }
-}
+#include "acl/Checklist.h"
 
 allow_t const &
 ACLChecklist::currentAnswer() const
@@ -249,6 +178,8 @@
     asyncState()->checkForAsync(this);
 }
 
+// ACLFilledChecklist overwrites this to unclock something before we
+// "delete this"
 void
 ACLChecklist::checkCallback(allow_t answer)
 {
@@ -256,23 +187,6 @@
     void *cbdata_;
     debugs(28, 3, "ACLChecklist::checkCallback: " << this << " answer=" << answer);
 
-    /* During reconfigure, we can end up not finishing call
-     * sequences into the auth code */
-
-    if (auth_user_request) {
-        /* the checklist lock */
-        AUTHUSERREQUESTUNLOCK(auth_user_request, "ACLChecklist");
-        /* it might have been connection based */
-        assert(conn() != NULL);
-        /*
-         * DPW 2007-05-08
-         * yuck, this make me uncomfortable.  why do this here?
-         * ConnStateData will do its own unlocking.
-         */
-        AUTHUSERREQUESTUNLOCK(conn()->auth_user_request, "conn via ACLChecklist");
-        conn()->auth_type = AUTH_BROKEN;
-    }
-
     callback_ = callback;
     callback = NULL;
 
@@ -346,104 +260,28 @@
     PROF_stop(aclMatchAclList);
 }
 
-CBDATA_CLASS_INIT(ACLChecklist);
-
-void *
-ACLChecklist::operator new (size_t size)
-{
-    assert (size == sizeof(ACLChecklist));
-    CBDATA_INIT_TYPE(ACLChecklist);
-    ACLChecklist *result = cbdataAlloc(ACLChecklist);
-    return result;
-}
-
-void
-ACLChecklist::operator delete (void *address)
-{
-    ACLChecklist *t = static_cast<ACLChecklist *>(address);
-    cbdataFree(t);
-}
-
 ACLChecklist::ACLChecklist() :
         accessList (NULL),
-        dst_peer(NULL),
-        request (NULL),
-        reply (NULL),
-        auth_user_request (NULL),
-#if SQUID_SNMP
-        snmp_community(NULL),
-#endif
-#if USE_SSL
-        ssl_error(0),
-#endif
         callback (NULL),
         callback_data (NULL),
-        extacl_entry (NULL),
-        conn_(NULL),
-        fd_(-1),
         async_(false),
         finished_(false),
         allow_(ACCESS_DENIED),
         state_(NullState::Instance()),
-        destinationDomainChecked_(false),
-        sourceDomainChecked_(false),
         lastACLResult_(false)
 {
-    my_addr.SetEmpty();
-    src_addr.SetEmpty();
-    dst_addr.SetEmpty();
-    rfc931[0] = '\0';
 }
 
 ACLChecklist::~ACLChecklist()
 {
     assert (!asyncInProgress());
 
-    if (extacl_entry)
-        cbdataReferenceDone(extacl_entry);
-
-    HTTPMSGUNLOCK(request);
-
-    HTTPMSGUNLOCK(reply);
-
-    // no auth_user_request in builds without any Authentication configured
-    if (auth_user_request)
-        AUTHUSERREQUESTUNLOCK(auth_user_request, "ACLChecklist destructor");
-
-    cbdataReferenceDone(conn_);
-
     cbdataReferenceDone(accessList);
 
     debugs(28, 4, "ACLChecklist::~ACLChecklist: destroyed " << this);
 }
 
 
-ConnStateData *
-ACLChecklist::conn() const
-{
-    return  conn_;
-}
-
-void
-ACLChecklist::conn(ConnStateData *aConn)
-{
-    assert (conn() == NULL);
-    conn_ = cbdataReference(aConn);
-}
-
-int
-ACLChecklist::fd() const
-{
-    return conn_ != NULL ? conn_->fd : fd_;
-}
-
-void
-ACLChecklist::fd(int aDescriptor)
-{
-    assert(!conn() || conn()->fd == aDescriptor);
-    fd_ = aDescriptor;
-}
-
 void
 ACLChecklist::AsyncState::changeState (ACLChecklist *checklist, AsyncState *newState) const
 {
@@ -533,32 +371,6 @@
 
 
 bool
-ACLChecklist::destinationDomainChecked() const
-{
-    return destinationDomainChecked_;
-}
-
-void
-ACLChecklist::markDestinationDomainChecked()
-{
-    assert (!finished() && !destinationDomainChecked());
-    destinationDomainChecked_ = true;
-}
-
-bool
-ACLChecklist::sourceDomainChecked() const
-{
-    return sourceDomainChecked_;
-}
-
-void
-ACLChecklist::markSourceDomainChecked()
-{
-    assert (!finished() && !sourceDomainChecked());
-    sourceDomainChecked_ = true;
-}
-
-bool
 ACLChecklist::checking() const
 {
     return checking_;
@@ -570,58 +382,17 @@
     checking_ = newValue;
 }
 
-/*
- * Any ACLChecklist created by aclChecklistCreate() must eventually be
- * freed by ACLChecklist::operator delete().  There are two common cases:
- *
- * A) Using aclCheckFast():  The caller creates the ACLChecklist using
- *    aclChecklistCreate(), checks it using aclCheckFast(), and frees it
- *    using aclChecklistFree().
- *
- * B) Using aclNBCheck() and callbacks: The caller creates the
- *    ACLChecklist using aclChecklistCreate(), and passes it to
- *    aclNBCheck().  Control eventually passes to ACLChecklist::checkCallback(),
- *    which will invoke the callback function as requested by the
- *    original caller of aclNBCheck().  This callback function must
- *    *not* invoke aclChecklistFree().  After the callback function
- *    returns, ACLChecklist::checkCallback() will free the ACLChecklist using
- *    aclChecklistFree().
- */
-ACLChecklist *
-aclChecklistCreate(const acl_access * A, HttpRequest * request, const char *ident)
-{
-    // TODO: make this a constructor? On-stack creation uses the same code.
-    ACLChecklist *checklist = new ACLChecklist;
-
-    if (A)
-        checklist->accessList = cbdataReference(A);
-
-    if (request != NULL) {
-        checklist->request = HTTPMSGLOCK(request);
-#if FOLLOW_X_FORWARDED_FOR
-        if (Config.onoff.acl_uses_indirect_client)
-            checklist->src_addr = request->indirect_client_addr;
-        else
-#endif /* FOLLOW_X_FORWARDED_FOR */
-            checklist->src_addr = request->client_addr;
-        checklist->my_addr = request->my_addr;
-    }
-
-#if USE_IDENT
-    if (ident)
-        xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ);
-
-#endif
-
-    return checklist;
-}
-
 bool
 ACLChecklist::callerGone()
 {
     return !cbdataReferenceValid(callback_data);
 }
 
-#ifndef _USE_INLINE_
-#include "ACLChecklist.cci"
-#endif
+bool
+ACLChecklist::matchAclListFast(const ACLList * list)
+{
+    matchAclList(list, true);
+    return finished();
+}
+
+

=== renamed file 'src/ACLChecklist.h' => 'src/acl/Checklist.h'
--- src/ACLChecklist.h	2009-02-04 09:52:20 +0000
+++ src/acl/Checklist.h	2009-03-08 19:41:27 +0000
@@ -33,17 +33,13 @@
 #ifndef SQUID_ACLCHECKLIST_H
 #define SQUID_ACLCHECKLIST_H
 
-//#include "typedefs.h"
-//#include "client_side.h"
-//#include "structs.h"
-
-#include "ACL.h"
-
-class AuthUserRequest;
-class ExternalACLEntry;
-class ConnStateData;
-
-/// \ingroup ACLAPI
+#include "acl/Acl.h"
+
+/** \ingroup ACLAPI
+    Base class for maintaining Squid and transaction state for access checks.
+	Provides basic ACL checking methods. Its only child, ACLFilledChecklist,
+	keeps the actual state data. The split is necessary to avoid exposing
+    all ACL-related code to virtually Squid data types. */
 class ACLChecklist
 {
 
@@ -88,18 +84,9 @@
     };
 
 
-public: /* operators */
-    void *operator new(size_t);
-    void operator delete(void *);
-
+public:
     ACLChecklist();
-    ~ACLChecklist();
-    /** NP: To cause link failures if assignment attempted */
-    ACLChecklist (ACLChecklist const &);
-    /** NP: To cause link failures if assignment attempted */
-    ACLChecklist &operator=(ACLChecklist const &);
-
-public: /* API methods */
+    virtual ~ACLChecklist();
 
     /**
      * Trigger off a non-blocking access check for a set of *_access options..
@@ -135,7 +122,7 @@
      * \retval  1/true    Access Allowed
      * \retval 0/false    Access Denied
      */
-    _SQUID_INLINE_ bool matchAclListFast(const ACLList * list);
+    bool matchAclListFast(const ACLList * list);
 
     /**
      * Attempt to check the current checklist against current data.
@@ -149,20 +136,6 @@
      */
     void check();
 
-    ConnStateData * conn() const;
-
-    /// uses conn() if available
-    int fd() const;
-
-    /// set either conn
-    void conn(ConnStateData *);
-    /// set FD
-    void fd(int aDescriptor);
-
-/* Accessors used by internal ACL stuff */
-
-    int authenticated();
-
     bool asyncInProgress() const;
     void asyncInProgress(bool const);
 
@@ -175,62 +148,33 @@
     void changeState(AsyncState *);
     AsyncState *asyncState() const;
 
-private: /* NP: only used internally */
+	// XXX: ACLs that need request or reply have to use ACLFilledChecklist and
+	// should do their own checks so that we do not have to povide these two
+    // for ACL::checklistMatches to use
+	virtual bool hasRequest() const = 0;
+	virtual bool hasReply() const = 0;
 
-    void checkCallback(allow_t answer);
+private:
+    virtual void checkCallback(allow_t answer);
     void checkAccessList();
     void checkForAsync();
 
-public: /* checklist available data */
-
+public:
     const acl_access *accessList;
 
-    IpAddress src_addr;
-
-    IpAddress dst_addr;
-
-    IpAddress my_addr;
-
-    struct peer *dst_peer;
-
-    HttpRequest *request;
-
-    /* for acls that look at reply data */
-    HttpReply *reply;
-    char rfc931[USER_IDENT_SZ];
-    AuthUserRequest *auth_user_request;
-#if SQUID_SNMP
-
-    char *snmp_community;
-#endif
-
-#if USE_SSL
-    int ssl_error;
-#endif
-
     PF *callback;
     void *callback_data;
-    ExternalACLEntry *extacl_entry;
-
-    bool destinationDomainChecked() const;
-    void markDestinationDomainChecked();
-    bool sourceDomainChecked() const;
-    void markSourceDomainChecked();
 
 private: /* internal methods */
     void preCheck();
     void matchAclList(const ACLList * list, bool const fast);
     void matchAclListSlow(const ACLList * list);
-    CBDATA_CLASS(ACLChecklist);
 
-    ConnStateData * conn_;          /**< hack for ident and NTLM */
-    int fd_;                        /**< may be available when conn_ is not */
     bool async_;
     bool finished_;
     allow_t allow_;
     AsyncState *state_;
-    bool destinationDomainChecked_;
-    bool sourceDomainChecked_;
+
     bool checking_;
     bool checking() const;
     void checking (bool const);
@@ -244,13 +188,4 @@
     bool lastACLResult() const { return lastACLResult_; }
 };
 
-/// \ingroup ACLAPI
-SQUIDCEXTERN ACLChecklist *aclChecklistCreate(const acl_access *,
-        HttpRequest *,
-        const char *ident);
-
-#ifdef _USE_INLINE_
-#include "ACLChecklist.cci"
-#endif
-
 #endif /* SQUID_ACLCHECKLIST_H */

=== renamed file 'src/ACLData.h' => 'src/acl/Data.h'
=== renamed file 'src/ACLDestinationASN.h' => 'src/acl/DestinationAsn.h'
--- src/ACLDestinationASN.h	2009-01-07 11:24:40 +0000
+++ src/acl/DestinationAsn.h	2009-03-08 21:53:27 +0000
@@ -32,8 +32,8 @@
 #ifndef SQUID_ACLDESTINATIONASN_H
 #define SQUID_ACLDESTINATIONASN_H
 
-#include "ACLASN.h"
-#include "ACLStrategy.h"
+#include "acl/Asn.h"
+#include "acl/Strategy.h"
 #include "ip/IpAddress.h"
 
 /// \ingroup ACLAPI
@@ -41,7 +41,7 @@
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLDestinationASNStrategy *Instance();

=== renamed file 'src/ACLDestinationDomain.cc' => 'src/acl/DestinationDomain.cc'
--- src/ACLDestinationDomain.cc	2009-01-21 03:47:47 +0000
+++ src/acl/DestinationDomain.cc	2009-03-08 21:57:12 +0000
@@ -35,10 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLDestinationDomain.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
-#include "ACLDomainData.h"
+#include "acl/DestinationDomain.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
+#include "acl/DomainData.h"
 #include "HttpRequest.h"
 
 DestinationDomainLookup DestinationDomainLookup::instance_;
@@ -50,8 +50,9 @@
 }
 
 void
-DestinationDomainLookup::checkForAsync(ACLChecklist *checklist) const
+DestinationDomainLookup::checkForAsync(ACLChecklist *cl) const
 {
+	ACLFilledChecklist *checklist = Filled(cl);
     checklist->asyncInProgress(true);
     fqdncache_nbgethostbyaddr(checklist->dst_addr, LookupDone, checklist);
 }
@@ -64,7 +65,7 @@
 
     checklist->asyncInProgress(false);
     checklist->changeState (ACLChecklist::NullState::Instance());
-    checklist->markDestinationDomainChecked();
+    Filled(checklist)->markDestinationDomainChecked();
     checklist->check();
 }
 
@@ -74,7 +75,7 @@
 ACLStrategised<char const *> ACLDestinationDomain::RegexRegistryEntry_(new ACLRegexData,ACLDestinationDomainStrategy::Instance() ,"dstdom_regex");
 
 int
-ACLDestinationDomainStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLDestinationDomainStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     assert(checklist != NULL && checklist->request != NULL);
 

=== renamed file 'src/ACLDestinationDomain.h' => 'src/acl/DestinationDomain.h'
--- src/ACLDestinationDomain.h	2009-01-21 03:47:47 +0000
+++ src/acl/DestinationDomain.h	2009-03-08 21:53:27 +0000
@@ -35,17 +35,17 @@
 #ifndef SQUID_ACLSOURCEDOMAIN_H
 #define SQUID_ACLSOURCEDOMAIN_H
 
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLChecklist.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Checklist.h"
+#include "acl/Strategised.h"
 
 /// \ingroup ACLAPI
 class ACLDestinationDomainStrategy : public ACLStrategy<char const *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLDestinationDomainStrategy *Instance();
 
     /**

=== renamed file 'src/ACLDestinationIP.cc' => 'src/acl/DestinationIp.cc'
--- src/ACLDestinationIP.cc	2008-10-10 08:02:53 +0000
+++ src/acl/DestinationIp.cc	2009-03-08 21:57:12 +0000
@@ -34,8 +34,8 @@
  */
 
 #include "squid.h"
-#include "ACLDestinationIP.h"
-#include "ACLChecklist.h"
+#include "acl/DestinationIp.h"
+#include "acl/FilledChecklist.h"
 #include "HttpRequest.h"
 
 char const *
@@ -45,8 +45,9 @@
 }
 
 int
-ACLDestinationIP::match(ACLChecklist *checklist)
+ACLDestinationIP::match(ACLChecklist *cl)
 {
+	ACLFilledChecklist *checklist = Filled(cl);
     const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
 
     if (ia) {
@@ -77,8 +78,9 @@
 }
 
 void
-DestinationIPLookup::checkForAsync(ACLChecklist *checklist)const
+DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
 {
+	ACLFilledChecklist *checklist = Filled(cl);
     checklist->asyncInProgress(true);
     ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
 }
@@ -88,7 +90,7 @@
 {
     ACLChecklist *checklist = (ACLChecklist *)data;
     assert (checklist->asyncState() == DestinationIPLookup::Instance());
-    checklist->request->flags.destinationIPLookupCompleted();
+    Filled(checklist)->request->flags.destinationIPLookupCompleted();
     checklist->asyncInProgress(false);
     checklist->changeState (ACLChecklist::NullState::Instance());
     checklist->check();

=== renamed file 'src/ACLDestinationIP.h' => 'src/acl/DestinationIp.h'
--- src/ACLDestinationIP.h	2008-10-10 08:02:53 +0000
+++ src/acl/DestinationIp.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 
 #ifndef SQUID_ACLDESTINATIONIP_H
 #define SQUID_ACLDESTINATIONIP_H
-#include "ACLChecklist.h"
-#include "ACLIP.h"
+#include "acl/Checklist.h"
+#include "acl/Ip.h"
 
 class DestinationIPLookup : public ACLChecklist::AsyncState
 {

=== renamed file 'src/ACLDomainData.cc' => 'src/acl/DomainData.cc'
--- src/ACLDomainData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/DomainData.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLDomainData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
+#include "acl/DomainData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 
 template<class T>

=== renamed file 'src/ACLDomainData.h' => 'src/acl/DomainData.h'
--- src/ACLDomainData.h	2009-01-21 03:47:47 +0000
+++ src/acl/DomainData.h	2009-03-08 19:34:36 +0000
@@ -36,8 +36,8 @@
 #define SQUID_ACLDOMAINDATA_H
 
 #include "splay.h"
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 
 /// \ingroup ACLAPI
 class ACLDomainData : public ACLData<char const *>

=== renamed file 'src/ACLExtUser.cc' => 'src/acl/ExtUser.cc'
--- src/ACLExtUser.cc	2009-02-10 11:02:53 +0000
+++ src/acl/ExtUser.cc	2009-03-08 21:53:27 +0000
@@ -35,11 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLExtUser.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
-#include "ACLUserData.h"
+#include "acl/ExtUser.h"
+#include "acl/FilledChecklist.h"
+#include "acl/RegexData.h"
+#include "acl/UserData.h"
 #include "client_side.h"
 #include "HttpRequest.h"
 
@@ -76,8 +75,9 @@
 }
 
 int
-ACLExtUser::match(ACLChecklist *checklist)
+ACLExtUser::match(ACLChecklist *cl)
 {
+	ACLFilledChecklist *checklist = Filled(cl);
     if (checklist->request->extacl_user.size()) {
         return data->match(checklist->request->extacl_user.termedBuf());
     } else {

=== renamed file 'src/ACLExtUser.h' => 'src/acl/ExtUser.h'
--- src/ACLExtUser.h	2009-01-21 03:47:47 +0000
+++ src/acl/ExtUser.h	2009-03-08 19:34:36 +0000
@@ -35,9 +35,9 @@
 #ifndef SQUID_ACLIDENT_H
 #define SQUID_ACLIDENT_H
 
-#include "ACL.h"
-#include "ACLChecklist.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
+#include "acl/Data.h"
 
 /// \ingroup ACLAPI
 class ACLExtUser : public ACL

=== added file 'src/acl/FilledChecklist.cc'
--- src/acl/FilledChecklist.cc	1970-01-01 00:00:00 +0000
+++ src/acl/FilledChecklist.cc	2009-03-08 19:41:27 +0000
@@ -0,0 +1,274 @@
+#include "squid.h"
+#include "HttpRequest.h"
+#include "HttpReply.h"
+#include "client_side.h"
+#include "auth/UserRequest.h"
+#include "auth/AclProxyAuth.h"
+#include "acl/FilledChecklist.h"
+
+CBDATA_CLASS_INIT(ACLFilledChecklist);
+
+#if MOVED
+int
+ACLFilledChecklist::authenticated()
+{
+    http_hdr_type headertype;
+
+    if (NULL == request) {
+        fatal ("requiresRequest SHOULD have been true for this ACL!!");
+        return 0;
+    } else if (request->flags.accelerated) {
+        /* WWW authorization on accelerated requests */
+        headertype = HDR_AUTHORIZATION;
+    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
+        debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
+        return -1;
+    } else {
+        /* Proxy authorization on proxy requests */
+        headertype = HDR_PROXY_AUTHORIZATION;
+    }
+
+    /* get authed here */
+    /* Note: this fills in auth_user_request when applicable */
+    /*
+     * DPW 2007-05-08
+     * tryToAuthenticateAndSetAuthUser used to try to lock and
+     * unlock auth_user_request on our behalf, but it was too
+     * ugly and hard to follow.  Now we do our own locking here.
+     *
+     * I'm not sure what tryToAuthenticateAndSetAuthUser does when
+     * auth_user_request is set before calling.  I'm tempted to
+     * unlock and set it to NULL, but it seems safer to save the
+     * pointer before calling and unlock it afterwards.  If the
+     * pointer doesn't change then its a no-op.
+     */
+    AuthUserRequest *old_auth_user_request = auth_user_request;
+    auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser (&auth_user_request, headertype, request, conn(), src_addr);
+    if (auth_user_request)
+        AUTHUSERREQUESTLOCK(auth_user_request, "ACLFilledChecklist");
+    AUTHUSERREQUESTUNLOCK(old_auth_user_request, "old ACLFilledChecklist");
+    switch (result) {
+
+    case AUTH_ACL_CANNOT_AUTHENTICATE:
+        debugs(28, 4, "aclMatchAcl: returning  0 user authenticated but not authorised.");
+        return 0;
+
+    case AUTH_AUTHENTICATED:
+
+        return 1;
+        break;
+
+    case AUTH_ACL_HELPER:
+        debugs(28, 4, "aclMatchAcl: returning 0 sending credentials to helper.");
+        changeState (ProxyAuthLookup::Instance());
+        return 0;
+
+    case AUTH_ACL_CHALLENGE:
+        debugs(28, 4, "aclMatchAcl: returning 0 sending authentication challenge.");
+        changeState (ProxyAuthNeeded::Instance());
+        return 0;
+
+    default:
+        fatal("unexpected authenticateAuthenticate reply\n");
+        return 0;
+    }
+}
+#endif
+
+void
+ACLFilledChecklist::checkCallback(allow_t answer)
+{
+    debugs(28, 5, "ACLFilledChecklist::checkCallback: " << this << " answer=" << answer);
+
+    /* During reconfigure, we can end up not finishing call
+     * sequences into the auth code */
+
+    if (auth_user_request) {
+        /* the filled_checklist lock */
+        AUTHUSERREQUESTUNLOCK(auth_user_request, "ACLFilledChecklist");
+        /* it might have been connection based */
+        assert(conn() != NULL);
+        /*
+         * DPW 2007-05-08
+         * yuck, this make me uncomfortable.  why do this here?
+         * ConnStateData will do its own unlocking.
+         */
+        AUTHUSERREQUESTUNLOCK(conn()->auth_user_request, "conn via ACLFilledChecklist");
+        conn()->auth_type = AUTH_BROKEN;
+    }
+
+	ACLFilledChecklist::checkCallback(answer); // may delete us
+}
+
+
+void *
+ACLFilledChecklist::operator new (size_t size)
+{
+    assert (size == sizeof(ACLFilledChecklist));
+    CBDATA_INIT_TYPE(ACLFilledChecklist);
+    ACLFilledChecklist *result = cbdataAlloc(ACLFilledChecklist);
+    return result;
+}
+
+void
+ACLFilledChecklist::operator delete (void *address)
+{
+    ACLFilledChecklist *t = static_cast<ACLFilledChecklist *>(address);
+    cbdataFree(t);
+}
+
+
+ACLFilledChecklist::ACLFilledChecklist() :
+        dst_peer(NULL),
+        request (NULL),
+        reply (NULL),
+        auth_user_request (NULL),
+#if SQUID_SNMP
+        snmp_community(NULL),
+#endif
+#if USE_SSL
+        ssl_error(0),
+#endif
+        extacl_entry (NULL),
+        conn_(NULL),
+        fd_(-1),
+        destinationDomainChecked_(false),
+        sourceDomainChecked_(false)
+{
+    my_addr.SetEmpty();
+    src_addr.SetEmpty();
+    dst_addr.SetEmpty();
+    rfc931[0] = '\0';
+}
+
+
+ACLFilledChecklist::~ACLFilledChecklist()
+{
+    assert (!asyncInProgress());
+
+    if (extacl_entry)
+        cbdataReferenceDone(extacl_entry);
+
+    HTTPMSGUNLOCK(request);
+
+    HTTPMSGUNLOCK(reply);
+
+    // no auth_user_request in builds without any Authentication configured
+    if (auth_user_request)
+        AUTHUSERREQUESTUNLOCK(auth_user_request, "ACLFilledChecklist destructor");
+
+    cbdataReferenceDone(conn_);
+
+    debugs(28, 4, HERE << "ACLFilledChecklist destroyed " << this);
+}
+
+
+ConnStateData *
+ACLFilledChecklist::conn() const
+{
+    return  conn_;
+}
+
+void
+ACLFilledChecklist::conn(ConnStateData *aConn)
+{
+    assert (conn() == NULL);
+    conn_ = cbdataReference(aConn);
+}
+
+int
+ACLFilledChecklist::fd() const
+{
+    return conn_ != NULL ? conn_->fd : fd_;
+}
+
+void
+ACLFilledChecklist::fd(int aDescriptor)
+{
+    assert(!conn() || conn()->fd == aDescriptor);
+    fd_ = aDescriptor;
+}
+
+bool
+ACLFilledChecklist::destinationDomainChecked() const
+{
+    return destinationDomainChecked_;
+}
+
+void
+ACLFilledChecklist::markDestinationDomainChecked()
+{
+    assert (!finished() && !destinationDomainChecked());
+    destinationDomainChecked_ = true;
+}
+
+bool
+ACLFilledChecklist::sourceDomainChecked() const
+{
+    return sourceDomainChecked_;
+}
+
+void
+ACLFilledChecklist::markSourceDomainChecked()
+{
+    assert (!finished() && !sourceDomainChecked());
+    sourceDomainChecked_ = true;
+}
+
+/*
+ * There are two common ACLFilledChecklist lifecycles paths:
+ *
+ * A) Using aclCheckFast(): The caller creates an ACLFilledChecklist object
+ *    on stack and calls aclCheckFast().
+ *
+ * B) Using aclNBCheck() and callbacks: The caller allocates an
+ *    ACLFilledChecklist object (via operator new) and passes it to
+ *    aclNBCheck(). Control eventually passes to ACLChecklist::checkCallback(),
+ *    which will invoke the callback function as requested by the
+ *    original caller of aclNBCheck().  This callback function must
+ *    *not* delete the list.  After the callback function returns,
+ *    checkCallback() will delete the list (i.e., self).
+ */
+ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *request, const char *ident):
+    dst_peer(NULL),
+    request(NULL),
+    reply(NULL),
+    auth_user_request(NULL),
+#if SQUID_SNMP
+    snmp_community(NULL),
+#endif
+#if USE_SSL
+    ssl_error(0),
+#endif
+    extacl_entry (NULL),
+    conn_(NULL),
+    fd_(-1),
+    destinationDomainChecked_(false),
+    sourceDomainChecked_(false)
+{
+    my_addr.SetEmpty();
+    src_addr.SetEmpty();
+    dst_addr.SetEmpty();
+    rfc931[0] = '\0';
+    
+    // cbdataReferenceDone() is in either fastCheck() or the destructor
+    if (A)
+        accessList = cbdataReference(A);
+
+    if (request != NULL) {
+        request = HTTPMSGLOCK(request);
+#if FOLLOW_X_FORWARDED_FOR
+        if (Config.onoff.acl_uses_indirect_client)
+            src_addr = request->indirect_client_addr;
+        else
+#endif /* FOLLOW_X_FORWARDED_FOR */
+            src_addr = request->client_addr;
+        my_addr = request->my_addr;
+    }
+
+#if USE_IDENT
+    if (ident)
+        xstrncpy(rfc931, ident, USER_IDENT_SZ);
+#endif
+}
+

=== added file 'src/acl/FilledChecklist.h'
--- src/acl/FilledChecklist.h	1970-01-01 00:00:00 +0000
+++ src/acl/FilledChecklist.h	2009-03-08 19:41:27 +0000
@@ -0,0 +1,94 @@
+#ifndef SQUID_ACLFILLED_CHECKLIST_H
+#define SQUID_ACLFILLED_CHECKLIST_H
+
+#include "acl/Checklist.h"
+
+class AuthUserRequest;
+class ExternalACLEntry;
+class ConnStateData;
+
+/** \ingroup ACLAPI
+    ACLChecklist filled with specific data, representing Squid and transaction
+    state for access checks along with some data-specific checking methods */
+class ACLFilledChecklist: public ACLChecklist
+{
+public:
+    void *operator new(size_t);
+    void operator delete(void *);
+
+    ACLFilledChecklist();
+	ACLFilledChecklist(const acl_access *, HttpRequest *, const char *ident);
+    ~ACLFilledChecklist();
+
+public:
+    ConnStateData * conn() const;
+
+    /// uses conn() if available
+    int fd() const;
+
+    /// set either conn
+    void conn(ConnStateData *);
+    /// set FD
+    void fd(int aDescriptor);
+
+    //int authenticated();
+
+    bool destinationDomainChecked() const;
+    void markDestinationDomainChecked();
+    bool sourceDomainChecked() const;
+    void markSourceDomainChecked();
+
+    // ACLChecklist API
+    virtual bool hasRequest() const { return request != NULL; }
+    virtual bool hasReply() const { return reply != NULL; }
+
+public:
+    IpAddress src_addr;
+    IpAddress dst_addr;
+    IpAddress my_addr;
+    struct peer *dst_peer;
+
+    HttpRequest *request;
+    HttpReply *reply;
+
+    char rfc931[USER_IDENT_SZ];
+    AuthUserRequest *auth_user_request;
+
+#if SQUID_SNMP
+    char *snmp_community;
+#endif
+
+#if USE_SSL
+    int ssl_error;
+#endif
+
+    ExternalACLEntry *extacl_entry;
+
+private:
+    virtual void checkCallback(allow_t answer);
+
+private:
+    CBDATA_CLASS(ACLFilledChecklist);
+
+    ConnStateData * conn_;          /**< hack for ident and NTLM */
+    int fd_;                        /**< may be available when conn_ is not */
+    bool destinationDomainChecked_;
+    bool sourceDomainChecked_;
+
+private:
+    /// not implemented; will cause link failures if used
+    ACLFilledChecklist(const ACLFilledChecklist &);
+    /// not implemented; will cause link failures if used
+    ACLFilledChecklist &operator=(const ACLFilledChecklist &);
+};
+
+/// convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
+inline
+ACLFilledChecklist *Filled(ACLChecklist *checklist)
+{
+    // this should always be safe because ACLChecklist is an abstract class
+    // and ACLFilledChecklist is its only [concrete] child
+    return dynamic_cast<ACLFilledChecklist*>(checklist);
+}
+
+#endif /* SQUID_ACLFILLED_CHECKLIST_H */

=== renamed file 'src/acl_noncore.cc' => 'src/acl/Gadgets.cc'
--- src/acl_noncore.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Gadgets.cc	2009-03-08 19:45:44 +0000
@@ -39,8 +39,10 @@
  */
 
 #include "squid.h"
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
+#include "acl/Strategised.h"
+#include "acl/Gadgets.h"
 #include "ConfigParser.h"
 #include "errorpage.h"
 #include "HttpRequest.h"
@@ -318,5 +320,26 @@
 int
 aclPurgeMethodInUse(acl_access * a)
 {
-    return a->containsPURGE();
+    ACLList *b;
+
+    debugs(28, 6, "aclPurgeMethodInUse: invoked for '" << a->cfgline << "'");
+
+    for (; a; a = a->next) {
+        for (b = a->aclList; b; b = b->next) {
+            ACLStrategised<HttpRequestMethod> *tempAcl = dynamic_cast<ACLStrategised<HttpRequestMethod> *>(b->_acl);
+
+            if (!tempAcl) {
+                debugs(28, 7, "aclPurgeMethodInUse: can't create tempAcl");
+                continue;
+            }
+
+            if (tempAcl->match(METHOD_PURGE)) {
+                debugs(28, 6, "aclPurgeMethodInUse: returning true");
+                return true;
+            }
+        }
+    }
+
+    debugs(28, 6, "aclPurgeMethodInUse: returning false");
+    return false;
 }

=== added file 'src/acl/Gadgets.h'
--- src/acl/Gadgets.h	1970-01-01 00:00:00 +0000
+++ src/acl/Gadgets.h	2009-03-08 19:45:44 +0000
@@ -0,0 +1,43 @@
+#ifndef SQUID_ACL_GADGETS_H
+#define SQUID_ACL_GADGETS_H
+
+#include "config.h"
+#include "enums.h" /* for err_type */
+
+struct dlink_list;
+class StoreEntry;
+class ConfigParser;
+class acl_access;
+class ACL;
+class ACLList;
+struct acl_deny_info_list;
+class wordlist;
+
+/// \ingroup ACLAPI
+extern void aclDestroyAccessList(acl_access **list);
+/// \ingroup ACLAPI
+extern void aclDestroyAcls(ACL **);
+/// \ingroup ACLAPI
+extern void aclDestroyAclList(ACLList **);
+/// \ingroup ACLAPI
+extern void aclParseAccessLine(ConfigParser &parser, acl_access **);
+/// \ingroup ACLAPI
+extern void aclParseAclList(ConfigParser &parser, ACLList **);
+/// \ingroup ACLAPI
+extern int aclIsProxyAuth(const char *name);
+/// \ingroup ACLAPI
+extern err_type aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name, int redirect_allowed);
+/// \ingroup ACLAPI
+extern void aclParseDenyInfoLine(acl_deny_info_list **);
+/// \ingroup ACLAPI
+extern void aclDestroyDenyInfoList(acl_deny_info_list **);
+/// \ingroup ACLAPI
+extern wordlist *aclDumpGeneric(const ACL *);
+/// \ingroup ACLAPI
+extern void aclCacheMatchFlush(dlink_list * cache);
+/// \ingroup ACLAPI
+extern void dump_acl_access(StoreEntry * entry, const char *name, acl_access * head);
+/// \ingroup ACLAPI
+int aclPurgeMethodInUse(acl_access * a);
+
+#endif /* SQUID_ACL_GADGETS_H */

=== renamed file 'src/ACLHTTPHeaderData.cc' => 'src/acl/HttpHeaderData.cc'
--- src/ACLHTTPHeaderData.cc	2009-01-30 14:55:22 +0000
+++ src/acl/HttpHeaderData.cc	2009-03-08 19:34:36 +0000
@@ -35,11 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLHTTPHeaderData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
-#include "ACLRegexData.h"
+#include "acl/HttpHeaderData.h"
+#include "acl/Checklist.h"
+#include "acl/Acl.h"
+#include "acl/RegexData.h"
 #include "wordlist.h"
 #include "ConfigParser.h"
 

=== renamed file 'src/ACLHTTPHeaderData.h' => 'src/acl/HttpHeaderData.h'
--- src/ACLHTTPHeaderData.h	2009-01-21 03:47:47 +0000
+++ src/acl/HttpHeaderData.h	2009-03-08 19:34:36 +0000
@@ -38,7 +38,7 @@
 class wordlist;
 
 /* becaue we inherit from it */
-#include "ACLData.h"
+#include "acl/Data.h"
 /* for String field */
 #include "SquidString.h"
 /* for http_hdr_type field */

=== renamed file 'src/ACLHTTPRepHeader.cc' => 'src/acl/HttpRepHeader.cc'
--- src/ACLHTTPRepHeader.cc	2009-01-21 03:47:47 +0000
+++ src/acl/HttpRepHeader.cc	2009-03-08 21:53:27 +0000
@@ -34,9 +34,9 @@
  */
 
 #include "squid.h"
-#include "ACLHTTPRepHeader.h"
-#include "ACLHTTPHeaderData.h"
-#include "ACLChecklist.h"
+#include "acl/HttpRepHeader.h"
+#include "acl/HttpHeaderData.h"
+#include "acl/Checklist.h"
 #include "HttpReply.h"
 
 ACL::Prototype ACLHTTPRepHeader::RegistryProtoype(&ACLHTTPRepHeader::RegistryEntry_, "rep_header");
@@ -44,7 +44,7 @@
 ACLStrategised<HttpHeader*> ACLHTTPRepHeader::RegistryEntry_(new ACLHTTPHeaderData, ACLHTTPRepHeaderStrategy::Instance(), "rep_header");
 
 int
-ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (&checklist->reply->header);
 }

=== renamed file 'src/ACLHTTPRepHeader.h' => 'src/acl/HttpRepHeader.h'
--- src/ACLHTTPRepHeader.h	2009-01-21 03:47:47 +0000
+++ src/acl/HttpRepHeader.h	2009-03-08 21:53:27 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLHTTPREPHEADER_H
 #define SQUID_ACLHTTPREPHEADER_H
 
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 #include "HttpHeader.h"
 
 /// \ingroup ACLAPI
@@ -44,7 +44,7 @@
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresReply() const { return true; }
 
     static ACLHTTPRepHeaderStrategy *Instance();

=== renamed file 'src/ACLHTTPReqHeader.cc' => 'src/acl/HttpReqHeader.cc'
--- src/ACLHTTPReqHeader.cc	2009-01-21 03:47:47 +0000
+++ src/acl/HttpReqHeader.cc	2009-03-08 21:53:27 +0000
@@ -34,9 +34,9 @@
  */
 
 #include "squid.h"
-#include "ACLHTTPReqHeader.h"
-#include "ACLHTTPHeaderData.h"
-#include "ACLChecklist.h"
+#include "acl/HttpReqHeader.h"
+#include "acl/HttpHeaderData.h"
+#include "acl/Checklist.h"
 #include "HttpRequest.h"
 
 ACL::Prototype ACLHTTPReqHeader::RegistryProtoype(&ACLHTTPReqHeader::RegistryEntry_, "req_header");
@@ -44,7 +44,7 @@
 ACLStrategised<HttpHeader*> ACLHTTPReqHeader::RegistryEntry_(new ACLHTTPHeaderData, ACLHTTPReqHeaderStrategy::Instance(), "req_header");
 
 int
-ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (&checklist->request->header);
 }

=== renamed file 'src/ACLHTTPReqHeader.h' => 'src/acl/HttpReqHeader.h'
--- src/ACLHTTPReqHeader.h	2009-01-21 03:47:47 +0000
+++ src/acl/HttpReqHeader.h	2009-03-08 21:53:27 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLHTTPREQHEADER_H
 #define SQUID_ACLHTTPREQHEADER_H
 
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 #include "HttpHeader.h"
 
 /// \ingroup ACLAPI
@@ -44,7 +44,7 @@
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const { return true; }
 
     static ACLHTTPReqHeaderStrategy *Instance();

=== renamed file 'src/ACLHTTPStatus.cc' => 'src/acl/HttpStatus.cc'
--- src/ACLHTTPStatus.cc	2009-01-21 03:47:47 +0000
+++ src/acl/HttpStatus.cc	2009-03-08 21:57:12 +0000
@@ -40,7 +40,8 @@
 #endif
 #include "squid.h"
 
-#include "ACLHTTPStatus.h"
+#include "acl/HttpStatus.h"
+#include "acl/FilledChecklist.h"
 #include "HttpReply.h"
 #include "wordlist.h"
 
@@ -161,7 +162,7 @@
 int
 ACLHTTPStatus::match(ACLChecklist *checklist)
 {
-    return aclMatchHTTPStatus(&data, checklist->reply->sline.status);
+    return aclMatchHTTPStatus(&data, Filled(checklist)->reply->sline.status);
 }
 
 int

=== renamed file 'src/ACLHTTPStatus.h' => 'src/acl/HttpStatus.h'
--- src/ACLHTTPStatus.h	2009-01-21 03:47:47 +0000
+++ src/acl/HttpStatus.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLHTTPSTATUS_H
 #define SQUID_ACLHTTPSTATUS_H
 
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
 #include "splay.h"
 
 /// \ingroup ACLAPI

=== renamed file 'src/ACLIdent.cc' => 'src/acl/Ident.cc'
--- src/ACLIdent.cc	2008-10-10 08:02:53 +0000
+++ src/acl/Ident.cc	2009-03-08 21:53:27 +0000
@@ -35,11 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLIdent.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
-#include "ACLUserData.h"
+#include "acl/Ident.h"
+#include "acl/FilledChecklist.h"
+#include "acl/RegexData.h"
+#include "acl/UserData.h"
 #include "client_side.h"
 #include "ident.h"
 
@@ -79,8 +78,9 @@
 }
 
 int
-ACLIdent::match(ACLChecklist *checklist)
+ACLIdent::match(ACLChecklist *cl)
 {
+    ACLFilledChecklist *checklist = Filled(cl);
     if (checklist->rfc931[0]) {
         return data->match(checklist->rfc931);
     } else if (checklist->conn() != NULL && checklist->conn()->rfc931[0]) {
@@ -124,8 +124,9 @@
 }
 
 void
-IdentLookup::checkForAsync(ACLChecklist *checklist)const
+IdentLookup::checkForAsync(ACLChecklist *cl)const
 {
+    ACLFilledChecklist *checklist = Filled(cl);
     if (checklist->conn() != NULL) {
         debugs(28, 3, "IdentLookup::checkForAsync: Doing ident lookup" );
         checklist->asyncInProgress(true);
@@ -141,7 +142,7 @@
 void
 IdentLookup::LookupDone(const char *ident, void *data)
 {
-    ACLChecklist *checklist = (ACLChecklist *)data;
+    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
     assert (checklist->asyncState() == IdentLookup::Instance());
 
     if (ident) {

=== renamed file 'src/ACLIdent.h' => 'src/acl/Ident.h'
--- src/ACLIdent.h	2008-10-10 08:02:53 +0000
+++ src/acl/Ident.h	2009-03-08 19:34:36 +0000
@@ -35,7 +35,7 @@
 #ifndef SQUID_ACLIDENT_H
 #define SQUID_ACLIDENT_H
 
-#include "ACLChecklist.h"
+#include "acl/Checklist.h"
 
 /// \ingroup ACLAPI
 class IdentLookup : public ACLChecklist::AsyncState
@@ -51,8 +51,8 @@
 };
 
 
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 
 /// \ingroup ACLAPI
 class ACLIdent : public ACL

=== renamed file 'src/ACLIntRange.cc' => 'src/acl/IntRange.cc'
--- src/ACLIntRange.cc	2009-01-21 03:47:47 +0000
+++ src/acl/IntRange.cc	2009-03-08 19:34:36 +0000
@@ -35,7 +35,7 @@
  */
 
 #include "squid.h"
-#include "ACLIntRange.h"
+#include "acl/IntRange.h"
 #include "wordlist.h"
 #include "Parsing.h"
 

=== renamed file 'src/ACLIntRange.h' => 'src/acl/IntRange.h'
--- src/ACLIntRange.h	2009-01-21 03:47:47 +0000
+++ src/acl/IntRange.h	2009-03-08 19:34:36 +0000
@@ -35,7 +35,7 @@
 #ifndef SQUID_ACLINTRANGE_H
 #define SQUID_ACLINTRANGE_H
 
-#include "ACLData.h"
+#include "acl/Data.h"
 #include "CbDataList.h"
 #include "Range.h"
 

=== renamed file 'src/ACLIP.cc' => 'src/acl/Ip.cc'
--- src/ACLIP.cc	2009-02-22 03:40:03 +0000
+++ src/acl/Ip.cc	2009-03-08 19:34:36 +0000
@@ -34,8 +34,8 @@
  */
 
 #include "squid.h"
-#include "ACLIP.h"
-#include "ACLChecklist.h"
+#include "acl/Ip.h"
+#include "acl/Checklist.h"
 #include "MemBuf.h"
 #include "wordlist.h"
 

=== renamed file 'src/ACLIP.h' => 'src/acl/Ip.h'
--- src/ACLIP.h	2009-01-09 13:12:24 +0000
+++ src/acl/Ip.h	2009-03-08 19:34:36 +0000
@@ -32,7 +32,7 @@
 #ifndef SQUID_ACLIP_H
 #define SQUID_ACLIP_H
 
-#include "ACL.h"
+#include "acl/Acl.h"
 #include "splay.h"
 #include "ip/IpAddress.h"
 

=== added file 'src/acl/Makefile.am'
--- src/acl/Makefile.am	1970-01-01 00:00:00 +0000
+++ src/acl/Makefile.am	2009-03-08 19:34:36 +0000
@@ -0,0 +1,142 @@
+include $(top_srcdir)/src/Common.am
+include $(top_srcdir)/src/TestHeaders.am
+
+noinst_LTLIBRARIES = libapi.la libstate.la libacls.la
+
+## General data-independent ACL API
+libapi_la_SOURCES = \
+	Acl.cc \
+	Acl.h \
+	Checklist.cc \
+	Checklist.h
+
+## Data-dependent Squid/transaction state used by specific ACLs.
+## Does not refer to specific ACLs to avoid circular dependencies.
+libstate_la_SOURCES = \
+	Data.h \
+	Strategy.h \
+	Strategised.cc \
+	Strategised.h \
+	\
+	FilledChecklist.cc \
+	FilledChecklist.h
+
+## data-specific ACLs
+libacls_la_SOURCES = \
+	IntRange.cc \
+	IntRange.h \
+	RegexData.cc \
+	RegexData.h \
+	StringData.cc \
+	StringData.h \
+	Time.cc \
+	Time.h \
+	TimeData.cc \
+	TimeData.h \
+	\
+	Asn.cc \
+	Asn.h \
+	Browser.cc \
+	Browser.h \
+	DestinationAsn.h \
+	DestinationDomain.cc \
+	DestinationDomain.h \
+	DestinationIp.cc \
+	DestinationIp.h \
+	DomainData.cc \
+	DomainData.h \
+	ExtUser.cc \
+	ExtUser.h \
+	HttpHeaderData.cc \
+	HttpHeaderData.h \
+	HttpRepHeader.cc \
+	HttpRepHeader.h \
+	HttpReqHeader.cc \
+	HttpReqHeader.h \
+	HttpStatus.cc \
+	HttpStatus.h \
+	Ip.cc \
+	Ip.h \
+	MaxConnection.cc \
+	MaxConnection.h \
+	Method.cc \
+	MethodData.cc \
+	MethodData.h \
+	Method.h \
+	MyIp.cc \
+	MyIp.h \
+	MyPort.cc \
+	MyPort.h \
+	MyPortName.cc \
+	MyPortName.h \
+	PeerName.cc \
+	PeerName.h \
+	Protocol.cc \
+	ProtocolData.cc \
+	ProtocolData.h \
+	Protocol.h \
+	Referer.cc \
+	Referer.h \
+	ReplyHeaderStrategy.h \
+	ReplyMimeType.cc \
+	ReplyMimeType.h \
+	RequestHeaderStrategy.h \
+	RequestMimeType.cc \
+	RequestMimeType.h \
+	SourceAsn.h \
+	SourceDomain.cc \
+	SourceDomain.h \
+	SourceIp.cc \
+	SourceIp.h \
+	Url.cc \
+	Url.h \
+	UrlPath.cc \
+	UrlPath.h \
+	UrlPort.cc \
+	UrlPort.h \
+	UserData.cc \
+	UserData.h \
+	\
+	Gadgets.cc \
+	Gadgets.h
+
+## Add conditional sources
+## TODO: move these to their respectful dirs when those dirs are created
+
+EXTRA_libacls_la_SOURCES =
+
+SSL_ACLS = \
+        CertificateData.cc \
+        CertificateData.h  \
+        Certificate.cc \
+        Certificate.h  \
+        SslError.cc \
+        SslError.h \
+        SslErrorData.cc \
+        SslErrorData.h
+
+if ENABLE_SSL
+libacls_la_SOURCES += $(SSL_ACLS)
+endif
+
+EXTRA_libacls_la_SOURCES += $(SSL_ACLS)
+
+
+ARP_ACLS = Arp.cc Arp.h
+
+if ENABLE_ARP_ACL
+libacls_la_SOURCES += $(ARP_ACLS)
+endif
+
+EXTRA_libacls_la_SOURCES += $(ARP_ACLS)
+
+
+IDENT_ACLS = Ident.cc Ident.h
+
+if ENABLE_IDENT
+libacls_la_SOURCES += $(IDENT_ACLS)
+endif
+
+EXTRA_libacls_la_SOURCES += $(IDENT_ACLS)
+
+

=== renamed file 'src/ACLMaxConnection.cc' => 'src/acl/MaxConnection.cc'
--- src/ACLMaxConnection.cc	2009-01-21 03:47:47 +0000
+++ src/acl/MaxConnection.cc	2009-03-08 21:57:12 +0000
@@ -35,7 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLMaxConnection.h"
+#include "acl/FilledChecklist.h"
+#include "acl/MaxConnection.h"
 #include "wordlist.h"
 
 ACL::Prototype ACLMaxConnection::RegistryProtoype(&ACLMaxConnection::RegistryEntry_, "maxconn");
@@ -95,7 +96,7 @@
 int
 ACLMaxConnection::match(ACLChecklist *checklist)
 {
-    return (clientdbEstablished(checklist->src_addr, 0) > limit ? 1 : 0);
+    return clientdbEstablished(Filled(checklist)->src_addr, 0) > limit ? 1 : 0;
 }
 
 wordlist *

=== renamed file 'src/ACLMaxConnection.h' => 'src/acl/MaxConnection.h'
--- src/ACLMaxConnection.h	2009-01-21 03:47:47 +0000
+++ src/acl/MaxConnection.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLMAXCONNECTION_H
 #define SQUID_ACLMAXCONNECTION_H
 
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
 
 /// \ingroup ACLAPI
 class ACLMaxConnection : public ACL

=== renamed file 'src/ACLMethod.cc' => 'src/acl/Method.cc'
--- src/ACLMethod.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Method.cc	2009-03-08 21:53:27 +0000
@@ -34,9 +34,9 @@
  */
 
 #include "squid.h"
-#include "ACLMethod.h"
-#include "ACLMethodData.h"
-#include "ACLChecklist.h"
+#include "acl/Method.h"
+#include "acl/MethodData.h"
+#include "acl/Checklist.h"
 #include "HttpRequest.h"
 
 /* explicit template instantiation required for some systems */
@@ -48,7 +48,7 @@
 ACLStrategised<HttpRequestMethod> ACLMethod::RegistryEntry_(new ACLMethodData, ACLMethodStrategy::Instance(), "method");
 
 int
-ACLMethodStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLMethodStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->request->method);
 }

=== renamed file 'src/ACLMethod.h' => 'src/acl/Method.h'
--- src/ACLMethod.h	2009-01-21 03:47:47 +0000
+++ src/acl/Method.h	2009-03-08 21:53:27 +0000
@@ -35,15 +35,15 @@
 #ifndef SQUID_ACLMETHOD_H
 #define SQUID_ACLMETHOD_H
 
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 /// \ingroup ACLAPI
 class ACLMethodStrategy : public ACLStrategy<HttpRequestMethod>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLMethodStrategy *Instance();

=== renamed file 'src/ACLMethodData.cc' => 'src/acl/MethodData.cc'
--- src/ACLMethodData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/MethodData.cc	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLMethodData.h"
-#include "ACLChecklist.h"
+#include "acl/MethodData.h"
+#include "acl/Checklist.h"
 #include "HttpRequestMethod.h"
 #include "wordlist.h"
 

=== renamed file 'src/ACLMethodData.h' => 'src/acl/MethodData.h'
--- src/ACLMethodData.h	2009-01-21 03:47:47 +0000
+++ src/acl/MethodData.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 #ifndef SQUID_ACLMETHODDATA_H
 #define SQUID_ACLMETHODDATA_H
 
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 #include "CbDataList.h"
 
 /// \ingroup ACLAPI

=== renamed file 'src/ACLMyIP.cc' => 'src/acl/MyIp.cc'
--- src/ACLMyIP.cc	2008-10-10 08:02:53 +0000
+++ src/acl/MyIp.cc	2009-03-08 21:57:12 +0000
@@ -34,8 +34,8 @@
  */
 
 #include "squid.h"
-#include "ACLMyIP.h"
-#include "ACLChecklist.h"
+#include "acl/MyIp.h"
+#include "acl/FilledChecklist.h"
 
 char const *
 ACLMyIP::typeString() const
@@ -46,7 +46,7 @@
 int
 ACLMyIP::match(ACLChecklist *checklist)
 {
-    return ACLIP::match (checklist->my_addr);
+    return ACLIP::match (Filled(checklist)->my_addr);
 }
 
 ACL::Prototype ACLMyIP::RegistryProtoype(&ACLMyIP::RegistryEntry(), "myip");

=== renamed file 'src/ACLMyIP.h' => 'src/acl/MyIp.h'
--- src/ACLMyIP.h	2008-10-10 08:02:53 +0000
+++ src/acl/MyIp.h	2009-03-08 19:34:36 +0000
@@ -35,7 +35,7 @@
 #ifndef SQUID_ACLMYIP_H
 #define SQUID_ACLMYIP_H
 
-#include "ACLIP.h"
+#include "acl/Ip.h"
 
 /// \ingroup ACLAPI
 class ACLMyIP : public ACLIP

=== renamed file 'src/ACLMyPort.cc' => 'src/acl/MyPort.cc'
--- src/ACLMyPort.cc	2009-01-21 03:47:47 +0000
+++ src/acl/MyPort.cc	2009-03-08 21:53:27 +0000
@@ -34,9 +34,9 @@
  */
 
 #include "squid.h"
-#include "ACLMyPort.h"
-#include "ACLIntRange.h"
-#include "ACLChecklist.h"
+#include "acl/MyPort.h"
+#include "acl/IntRange.h"
+#include "acl/Checklist.h"
 
 /* explicit template instantiation required for some systems */
 
@@ -47,7 +47,7 @@
 ACLStrategised<int> ACLMyPort::RegistryEntry_(new ACLIntRange, ACLMyPortStrategy::Instance(), "myport");
 
 int
-ACLMyPortStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLMyPortStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->my_addr.GetPort());
 }

=== renamed file 'src/ACLMyPort.h' => 'src/acl/MyPort.h'
--- src/ACLMyPort.h	2009-01-21 03:47:47 +0000
+++ src/acl/MyPort.h	2009-03-08 21:53:27 +0000
@@ -35,15 +35,15 @@
 #ifndef SQUID_ACLMYPORT_H
 #define SQUID_ACLMYPORT_H
 
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 /// \ingroup ACLAPI
 class ACLMyPortStrategy : public ACLStrategy<int>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLMyPortStrategy *Instance();
     /**
      * Not implemented to prevent copies of the instance.

=== renamed file 'src/ACLMyPortName.cc' => 'src/acl/MyPortName.cc'
--- src/ACLMyPortName.cc	2009-02-04 09:52:20 +0000
+++ src/acl/MyPortName.cc	2009-03-08 21:53:27 +0000
@@ -35,9 +35,9 @@
 
 #include "squid.h"
 #include "ProtoPort.h"
-#include "ACLMyPortName.h"
-#include "ACLStringData.h"
-#include "ACLChecklist.h"
+#include "acl/MyPortName.h"
+#include "acl/StringData.h"
+#include "acl/Checklist.h"
 
 /* for ConnStateData */
 #include "client_side.h"
@@ -48,7 +48,7 @@
 ACLStrategised<const char *> ACLMyPortName::RegistryEntry_(new ACLStringData, ACLMyPortNameStrategy::Instance(), "myportname");
 
 int
-ACLMyPortNameStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLMyPortNameStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     if (checklist->conn() != NULL)
         return data->match (checklist->conn()->port->name);

=== renamed file 'src/ACLMyPortName.h' => 'src/acl/MyPortName.h'
--- src/ACLMyPortName.h	2009-01-21 03:47:47 +0000
+++ src/acl/MyPortName.h	2009-03-08 21:53:27 +0000
@@ -35,14 +35,14 @@
 
 #ifndef SQUID_ACLMYPORTNAME_H
 #define SQUID_ACLMYPORTNAME_H
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLMyPortNameStrategy : public ACLStrategy<const char *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLMyPortNameStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLPeerName.cc' => 'src/acl/PeerName.cc'
--- src/ACLPeerName.cc	2008-12-12 00:17:10 +0000
+++ src/acl/PeerName.cc	2009-03-08 21:53:27 +0000
@@ -1,14 +1,14 @@
 #include "squid.h"
-#include "ACLPeerName.h"
-#include "ACLStringData.h"
-#include "ACLChecklist.h"
+#include "acl/PeerName.h"
+#include "acl/StringData.h"
+#include "acl/Checklist.h"
 
 ACL::Prototype ACLPeerName::RegistryProtoype(&ACLPeerName::RegistryEntry_, "peername");
 
 ACLStrategised<const char *> ACLPeerName::RegistryEntry_(new ACLStringData, ACLPeerNameStrategy::Instance(), "peername");
 
 int
-ACLPeerNameStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLPeerNameStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     if (checklist->dst_peer != NULL && checklist->dst_peer->name != NULL)
         return data->match(checklist->dst_peer->name);

=== renamed file 'src/ACLPeerName.h' => 'src/acl/PeerName.h'
--- src/ACLPeerName.h	2008-12-12 00:17:10 +0000
+++ src/acl/PeerName.h	2009-03-08 21:53:27 +0000
@@ -1,14 +1,14 @@
 #ifndef SQUID_ACLPEERNAME_H
 #define SQUID_ACLPEERNAME_H
 
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLPeerNameStrategy : public ACLStrategy<const char *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLPeerNameStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLProtocol.cc' => 'src/acl/Protocol.cc'
--- src/ACLProtocol.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Protocol.cc	2009-03-08 21:53:27 +0000
@@ -34,9 +34,9 @@
  */
 
 #include "squid.h"
-#include "ACLProtocol.h"
-#include "ACLProtocolData.h"
-#include "ACLChecklist.h"
+#include "acl/Protocol.h"
+#include "acl/ProtocolData.h"
+#include "acl/Checklist.h"
 #include "HttpRequest.h"
 
 /* explicit template instantiation required for some systems */
@@ -48,7 +48,7 @@
 ACLStrategised<protocol_t> ACLProtocol::RegistryEntry_(new ACLProtocolData, ACLProtocolStrategy::Instance(), "proto");
 
 int
-ACLProtocolStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLProtocolStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->request->protocol);
 }

=== renamed file 'src/ACLProtocol.h' => 'src/acl/Protocol.h'
--- src/ACLProtocol.h	2009-01-21 03:47:47 +0000
+++ src/acl/Protocol.h	2009-03-08 21:53:27 +0000
@@ -35,14 +35,14 @@
 
 #ifndef SQUID_ACLPROTOCOL_H
 #define SQUID_ACLPROTOCOL_H
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLProtocolStrategy : public ACLStrategy<protocol_t>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLProtocolStrategy *Instance();

=== renamed file 'src/ACLProtocolData.cc' => 'src/acl/ProtocolData.cc'
--- src/ACLProtocolData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/ProtocolData.cc	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLProtocolData.h"
-#include "ACLChecklist.h"
+#include "acl/ProtocolData.h"
+#include "acl/Checklist.h"
 #include "URLScheme.h"
 #include "wordlist.h"
 

=== renamed file 'src/ACLProtocolData.h' => 'src/acl/ProtocolData.h'
--- src/ACLProtocolData.h	2009-01-21 03:47:47 +0000
+++ src/acl/ProtocolData.h	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
 
 #ifndef SQUID_ACLPROTOCOLDATA_H
 #define SQUID_ACLPROTOCOLDATA_H
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 #include "CbDataList.h"
 
 class ACLProtocolData : public ACLData<protocol_t>

=== renamed file 'src/ACLReferer.cc' => 'src/acl/Referer.cc'
--- src/ACLReferer.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Referer.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLReferer.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
+#include "acl/Referer.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
 
 /* explicit template instantiation required for some systems */
 

=== renamed file 'src/ACLReferer.h' => 'src/acl/Referer.h'
--- src/ACLReferer.h	2009-01-21 03:47:47 +0000
+++ src/acl/Referer.h	2009-03-08 19:34:36 +0000
@@ -35,10 +35,10 @@
 
 #ifndef SQUID_ACLREFERER_H
 #define SQUID_ACLREFERER_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLRequestHeaderStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/RequestHeaderStrategy.h"
+#include "acl/Strategised.h"
 
 class ACLReferer
 {

=== renamed file 'src/ACLRegexData.cc' => 'src/acl/RegexData.cc'
--- src/ACLRegexData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/RegexData.cc	2009-03-08 19:34:36 +0000
@@ -35,10 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLRegexData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/RegexData.h"
+#include "acl/Checklist.h"
+#include "acl/Acl.h"
 #include "wordlist.h"
 #include "ConfigParser.h"
 

=== renamed file 'src/ACLRegexData.h' => 'src/acl/RegexData.h'
--- src/ACLRegexData.h	2009-01-21 03:47:47 +0000
+++ src/acl/RegexData.h	2009-03-08 19:34:36 +0000
@@ -34,7 +34,7 @@
 #ifndef SQUID_ACLREGEXDATA_H
 #define SQUID_ACLREGEXDATA_H
 
-#include "ACLData.h"
+#include "acl/Data.h"
 #include "MemPool.h"
 
 /** \todo CLEANUP: break out relist, we don't need the rest. */

=== renamed file 'src/ACLReplyHeaderStrategy.h' => 'src/acl/ReplyHeaderStrategy.h'
--- src/ACLReplyHeaderStrategy.h	2009-01-21 03:47:47 +0000
+++ src/acl/ReplyHeaderStrategy.h	2009-03-08 21:53:27 +0000
@@ -36,10 +36,10 @@
 
 class ACLChecklist;
 
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLStrategy.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategy.h"
+#include "acl/FilledChecklist.h"
 #include "HttpReply.h"
 
 template <http_hdr_type header>
@@ -47,7 +47,7 @@
 {
 
 public:
-    virtual int match (ACLData<char const *> * &, ACLChecklist *);
+    virtual int match (ACLData<char const *> * &, ACLFilledChecklist *);
     virtual bool requiresReply() const {return true;}
 
     static ACLReplyHeaderStrategy *Instance();
@@ -65,7 +65,7 @@
 
 template <http_hdr_type header>
 int
-ACLReplyHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLReplyHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char const *theHeader = checklist->reply->header.getStr(header);
 

=== renamed file 'src/ACLReplyMIMEType.cc' => 'src/acl/ReplyMimeType.cc'
--- src/ACLReplyMIMEType.cc	2009-01-21 03:47:47 +0000
+++ src/acl/ReplyMimeType.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLReplyMIMEType.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
+#include "acl/ReplyMimeType.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
 
 /* explicit template instantiation required for some systems */
 

=== renamed file 'src/ACLReplyMIMEType.h' => 'src/acl/ReplyMimeType.h'
--- src/ACLReplyMIMEType.h	2009-01-21 03:47:47 +0000
+++ src/acl/ReplyMimeType.h	2009-03-08 21:53:27 +0000
@@ -34,8 +34,8 @@
 #ifndef SQUID_ACLREPLYMIMETYPE_H
 #define SQUID_ACLREPLYMIMETYPE_H
 
-#include "ACL.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Strategised.h"
 
 class ACLReplyMIMEType
 {
@@ -47,13 +47,13 @@
 
 /* partial specialisation */
 
-#include "ACLData.h"
-#include "ACLReplyHeaderStrategy.h"
-#include "ACLChecklist.h"
+#include "acl/Data.h"
+#include "acl/ReplyHeaderStrategy.h"
+#include "acl/Checklist.h"
 
 template <>
 inline int
-ACLReplyHeaderStrategy<HDR_CONTENT_TYPE>::match(ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLReplyHeaderStrategy<HDR_CONTENT_TYPE>::match(ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char const *theHeader = checklist->reply->header.getStr(HDR_CONTENT_TYPE);
 

=== renamed file 'src/ACLRequestHeaderStrategy.h' => 'src/acl/RequestHeaderStrategy.h'
--- src/ACLRequestHeaderStrategy.h	2009-01-21 03:47:47 +0000
+++ src/acl/RequestHeaderStrategy.h	2009-03-08 21:53:27 +0000
@@ -35,11 +35,11 @@
 
 #ifndef SQUID_ACLREQUESTHEADERSTRATEGY_H
 #define SQUID_ACLREQUESTHEADERSTRATEGY_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLStrategy.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategy.h"
 #include "HttpRequest.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 
 template <http_hdr_type header>
 
@@ -47,7 +47,7 @@
 {
 
 public:
-    virtual int match (ACLData<char const *> * &, ACLChecklist *);
+    virtual int match (ACLData<char const *> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLRequestHeaderStrategy *Instance();
@@ -65,7 +65,7 @@
 
 template <http_hdr_type header>
 int
-ACLRequestHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLRequestHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char const *theHeader = checklist->request->header.getStr(header);
 

=== renamed file 'src/ACLRequestMIMEType.cc' => 'src/acl/RequestMimeType.cc'
--- src/ACLRequestMIMEType.cc	2009-01-21 03:47:47 +0000
+++ src/acl/RequestMimeType.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLRequestMIMEType.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
+#include "acl/RequestMimeType.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
 
 /* explicit template instantiation required for some systems */
 

=== renamed file 'src/ACLRequestMIMEType.h' => 'src/acl/RequestMimeType.h'
--- src/ACLRequestMIMEType.h	2009-01-21 03:47:47 +0000
+++ src/acl/RequestMimeType.h	2009-03-08 21:53:27 +0000
@@ -34,8 +34,8 @@
 #ifndef SQUID_ACLREQUESTMIMETYPE_H
 #define SQUID_ACLREQUESTMIMETYPE_H
 
-#include "ACL.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Strategised.h"
 
 class ACLRequestMIMEType
 {
@@ -47,13 +47,13 @@
 
 /* partial specialisation */
 
-#include "ACLData.h"
-#include "ACLRequestHeaderStrategy.h"
-#include "ACLChecklist.h"
+#include "acl/Data.h"
+#include "acl/RequestHeaderStrategy.h"
+#include "acl/Checklist.h"
 
 template <>
 inline int
-ACLRequestHeaderStrategy<HDR_CONTENT_TYPE>::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLRequestHeaderStrategy<HDR_CONTENT_TYPE>::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char const *theHeader = checklist->request->header.getStr(HDR_CONTENT_TYPE);
 

=== renamed file 'src/ACLSourceASN.h' => 'src/acl/SourceAsn.h'
--- src/ACLSourceASN.h	2009-01-07 11:24:40 +0000
+++ src/acl/SourceAsn.h	2009-03-08 21:53:27 +0000
@@ -32,19 +32,19 @@
 #define SQUID_ACLSOURCEASN_H
 
 #if 0
-#include "ACLASN.h"
+#include "acl/Asn.h"
 #endif
 
 class ACLChecklist;
 
-#include "ACLStrategy.h"
+#include "acl/Strategy.h"
 #include "ip/IpAddress.h"
 
 class ACLSourceASNStrategy : public ACLStrategy<IpAddress>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLSourceASNStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLSourceDomain.cc' => 'src/acl/SourceDomain.cc'
--- src/ACLSourceDomain.cc	2009-01-21 03:47:47 +0000
+++ src/acl/SourceDomain.cc	2009-03-08 21:57:12 +0000
@@ -35,10 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLSourceDomain.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
-#include "ACLDomainData.h"
+#include "acl/SourceDomain.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
+#include "acl/DomainData.h"
 
 SourceDomainLookup SourceDomainLookup::instance_;
 
@@ -52,7 +52,7 @@
 SourceDomainLookup::checkForAsync(ACLChecklist *checklist) const
 {
     checklist->asyncInProgress(true);
-    fqdncache_nbgethostbyaddr(checklist->src_addr, LookupDone, checklist);
+    fqdncache_nbgethostbyaddr(Filled(checklist)->src_addr, LookupDone, checklist);
 }
 
 void
@@ -63,7 +63,7 @@
 
     checklist->asyncInProgress(false);
     checklist->changeState (ACLChecklist::NullState::Instance());
-    checklist->markSourceDomainChecked();
+    Filled(checklist)->markSourceDomainChecked();
     checklist->check();
 }
 
@@ -73,7 +73,7 @@
 ACLStrategised<char const *> ACLSourceDomain::RegexRegistryEntry_(new ACLRegexData,ACLSourceDomainStrategy::Instance() ,"srcdom_regex");
 
 int
-ACLSourceDomainStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLSourceDomainStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     const char *fqdn = NULL;
     fqdn = fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS);

=== renamed file 'src/ACLSourceDomain.h' => 'src/acl/SourceDomain.h'
--- src/ACLSourceDomain.h	2009-01-21 03:47:47 +0000
+++ src/acl/SourceDomain.h	2009-03-08 21:53:27 +0000
@@ -35,16 +35,16 @@
 
 #ifndef SQUID_ACLSOURCEDOMAIN_H
 #define SQUID_ACLSOURCEDOMAIN_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLChecklist.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Checklist.h"
+#include "acl/Strategised.h"
 
 class ACLSourceDomainStrategy : public ACLStrategy<char const *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLSourceDomainStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLSourceIP.cc' => 'src/acl/SourceIp.cc'
--- src/ACLSourceIP.cc	2008-10-10 08:02:53 +0000
+++ src/acl/SourceIp.cc	2009-03-08 21:57:12 +0000
@@ -34,8 +34,8 @@
  */
 
 #include "squid.h"
-#include "ACLSourceIP.h"
-#include "ACLChecklist.h"
+#include "acl/SourceIp.h"
+#include "acl/FilledChecklist.h"
 
 char const *
 ACLSourceIP::typeString() const
@@ -46,7 +46,7 @@
 int
 ACLSourceIP::match(ACLChecklist *checklist)
 {
-    return ACLIP::match(checklist->src_addr);
+    return ACLIP::match(Filled(checklist)->src_addr);
 }
 
 ACL::Prototype ACLSourceIP::RegistryProtoype(&ACLSourceIP::RegistryEntry_, "src");

=== renamed file 'src/ACLSourceIP.h' => 'src/acl/SourceIp.h'
--- src/ACLSourceIP.h	2008-10-10 08:02:53 +0000
+++ src/acl/SourceIp.h	2009-03-08 19:34:36 +0000
@@ -34,7 +34,7 @@
 
 #ifndef SQUID_ACLSOURCEIP_H
 #define SQUID_ACLSOURCEIP_H
-#include "ACLIP.h"
+#include "acl/Ip.h"
 
 class ACLSourceIP : public ACLIP
 {

=== renamed file 'src/ACLSslError.cc' => 'src/acl/SslError.cc'
--- src/ACLSslError.cc	2009-01-21 03:47:47 +0000
+++ src/acl/SslError.cc	2009-03-08 21:53:27 +0000
@@ -4,9 +4,9 @@
  */
 
 #include "squid.h"
-#include "ACLSslError.h"
-#include "ACLSslErrorData.h"
-#include "ACLChecklist.h"
+#include "acl/SslError.h"
+#include "acl/SslErrorData.h"
+#include "acl/Checklist.h"
 
 /* explicit template instantiation required for some systems */
 
@@ -17,7 +17,7 @@
 ACLStrategised<int> ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), "ssl_error");
 
 int
-ACLSslErrorStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLSslErrorStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->ssl_error);
 }

=== renamed file 'src/ACLSslError.h' => 'src/acl/SslError.h'
--- src/ACLSslError.h	2009-01-21 03:47:47 +0000
+++ src/acl/SslError.h	2009-03-08 21:53:27 +0000
@@ -5,14 +5,14 @@
 
 #ifndef SQUID_ACLSSL_ERROR_H
 #define SQUID_ACLSSL_ERROR_H
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLSslErrorStrategy : public ACLStrategy<int>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLSslErrorStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLSslErrorData.cc' => 'src/acl/SslErrorData.cc'
--- src/ACLSslErrorData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/SslErrorData.cc	2009-03-08 19:34:36 +0000
@@ -3,8 +3,8 @@
  */
 
 #include "squid.h"
-#include "ACLSslErrorData.h"
-#include "ACLChecklist.h"
+#include "acl/SslErrorData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 
 ACLSslErrorData::ACLSslErrorData() : values (NULL)

=== renamed file 'src/ACLSslErrorData.h' => 'src/acl/SslErrorData.h'
--- src/ACLSslErrorData.h	2009-01-21 03:47:47 +0000
+++ src/acl/SslErrorData.h	2009-03-08 19:34:36 +0000
@@ -5,8 +5,8 @@
 
 #ifndef SQUID_ACLSSL_ERRORDATA_H
 #define SQUID_ACLSSL_ERRORDATA_H
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 #include "CbDataList.h"
 #include "ssl_support.h"
 

=== renamed file 'src/ACLStrategised.cc' => 'src/acl/Strategised.cc'
--- src/ACLStrategised.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Strategised.cc	2009-03-08 21:57:12 +0000
@@ -35,11 +35,7 @@
  */
 
 #include "squid.h"
-#include "ACLStrategised.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
-#include "ACLDomainData.h"
+#include "acl/Strategised.h"
 
 /*
  *  moved template instantiation into ACLStrategized.cc
@@ -49,7 +45,7 @@
 
 /* explicit template instantiation required for some systems */
 
-/* ACLHTTPRepHeader + ACLHTTPReqHeader */
+/* XXX: move to ACLHTTPRepHeader or ACLHTTPReqHeader */
 template class ACLStrategised<HttpHeader*>;
 
 /* ACLMyPortName + ACLMyPeerName + ACLBrowser */

=== renamed file 'src/ACLStrategised.h' => 'src/acl/Strategised.h'
--- src/ACLStrategised.h	2009-01-21 03:47:47 +0000
+++ src/acl/Strategised.h	2009-03-08 21:57:12 +0000
@@ -35,9 +35,10 @@
 
 #ifndef SQUID_ACLSTRATEGISED_H
 #define SQUID_ACLSTRATEGISED_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLStrategy.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategy.h"
+#include "acl/FilledChecklist.h"
 
 template <class M>
 
@@ -147,8 +148,10 @@
 
 template <class MatchType>
 int
-ACLStrategised<MatchType>::match(ACLChecklist *checklist)
+ACLStrategised<MatchType>::match(ACLChecklist *cl)
 {
+	ACLFilledChecklist *checklist = dynamic_cast<ACLFilledChecklist*>(cl);
+	assert(checklist);
     return matcher->match(data, checklist);
 }
 

=== renamed file 'src/ACLStrategy.h' => 'src/acl/Strategy.h'
--- src/ACLStrategy.h	2009-01-21 03:47:47 +0000
+++ src/acl/Strategy.h	2009-03-08 21:57:12 +0000
@@ -35,10 +35,10 @@
 
 #ifndef SQUID_ACLSTRATEGY_H
 #define SQUID_ACLSTRATEGY_H
-#include "ACL.h"
-#include "ACLData.h"
-
-/* Perhaps this should live in ACL? */
+
+#include "acl/Data.h"
+
+class ACLFilledChecklist;
 
 template<class M>
 
@@ -47,7 +47,7 @@
 
 public:
     typedef M MatchType;
-    virtual int match (ACLData<M> * &, ACLChecklist *) = 0;
+    virtual int match (ACLData<M> * &, ACLFilledChecklist *) = 0;
     virtual bool requiresRequest() const {return false;}
 
     virtual bool requiresReply() const {return false;}

=== renamed file 'src/ACLStringData.cc' => 'src/acl/StringData.cc'
--- src/ACLStringData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/StringData.cc	2009-03-08 19:34:36 +0000
@@ -35,8 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLStringData.h"
-#include "ACLChecklist.h"
+#include "acl/StringData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 
 

=== renamed file 'src/ACLStringData.h' => 'src/acl/StringData.h'
--- src/ACLStringData.h	2009-01-21 03:47:47 +0000
+++ src/acl/StringData.h	2009-03-08 19:34:36 +0000
@@ -36,8 +36,8 @@
 #ifndef SQUID_ACLSTRINGDATA_H
 #define SQUID_ACLSTRINGDATA_H
 #include "splay.h"
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 
 
 class ACLStringData : public ACLData<char const *>

=== renamed file 'src/ACLTime.cc' => 'src/acl/Time.cc'
--- src/ACLTime.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Time.cc	2009-03-08 21:53:27 +0000
@@ -35,15 +35,15 @@
  */
 
 #include "squid.h"
-#include "ACLTime.h"
-#include "ACLTimeData.h"
+#include "acl/Time.h"
+#include "acl/TimeData.h"
 #include "SquidTime.h"
 
 ACL::Prototype ACLTime::RegistryProtoype(&ACLTime::RegistryEntry_, "time");
 ACLStrategised<time_t> ACLTime::RegistryEntry_(new ACLTimeData, ACLTimeStrategy::Instance(), "time");
 
 int
-ACLTimeStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLTimeStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (squid_curtime);
 }

=== renamed file 'src/ACLTime.h' => 'src/acl/Time.h'
--- src/ACLTime.h	2009-01-21 03:47:47 +0000
+++ src/acl/Time.h	2009-03-08 21:57:12 +0000
@@ -35,16 +35,17 @@
 
 #ifndef SQUID_ACLTIME_H
 #define SQUID_ACLTIME_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLChecklist.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategised.h"
+
+class ACLChecklist; // XXX: we do not need it
 
 class ACLTimeStrategy : public ACLStrategy<time_t>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLTimeStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about

=== renamed file 'src/ACLTimeData.cc' => 'src/acl/TimeData.cc'
--- src/ACLTimeData.cc	2009-01-21 03:47:47 +0000
+++ src/acl/TimeData.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLTimeData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
+#include "acl/TimeData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 
 ACLTimeData::ACLTimeData () : weekbits (0), start (0), stop (0), next (NULL) {}

=== renamed file 'src/ACLTimeData.h' => 'src/acl/TimeData.h'
--- src/ACLTimeData.h	2009-01-21 03:47:47 +0000
+++ src/acl/TimeData.h	2009-03-08 19:34:36 +0000
@@ -36,8 +36,8 @@
 #ifndef SQUID_ACLTIMEDATA_H
 #define SQUID_ACLTIMEDATA_H
 #include "splay.h"
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 
 class ACLTimeData : public ACLData<time_t>
 {

=== renamed file 'src/ACLUrl.cc' => 'src/acl/Url.cc'
--- src/ACLUrl.cc	2009-01-21 03:47:47 +0000
+++ src/acl/Url.cc	2009-03-08 21:53:27 +0000
@@ -35,15 +35,15 @@
  */
 
 #include "squid.h"
-#include "ACLUrl.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
+#include "acl/Url.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
 
 ACL::Prototype ACLUrl::RegistryProtoype(&ACLUrl::RegistryEntry_, "url_regex");
 ACLStrategised<char const *> ACLUrl::RegistryEntry_(new ACLRegexData, ACLUrlStrategy::Instance(), "url_regex");
 
 int
-ACLUrlStrategy::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLUrlStrategy::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char *esc_buf = xstrdup(urlCanonical(checklist->request));
     rfc1738_unescape(esc_buf);

=== renamed file 'src/ACLUrl.h' => 'src/acl/Url.h'
--- src/ACLUrl.h	2009-01-21 03:47:47 +0000
+++ src/acl/Url.h	2009-03-08 21:53:27 +0000
@@ -35,15 +35,15 @@
 
 #ifndef SQUID_ACLURL_H
 #define SQUID_ACLURL_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategised.h"
 
 class ACLUrlStrategy : public ACLStrategy<char const *>
 {
 
 public:
-    virtual int match (ACLData<char const *> * &, ACLChecklist *);
+    virtual int match (ACLData<char const *> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLUrlStrategy *Instance();

=== renamed file 'src/ACLUrlPath.cc' => 'src/acl/UrlPath.cc'
--- src/ACLUrlPath.cc	2009-01-30 14:55:22 +0000
+++ src/acl/UrlPath.cc	2009-03-08 21:53:27 +0000
@@ -35,9 +35,9 @@
  */
 
 #include "squid.h"
-#include "ACLUrlPath.h"
-#include "ACLChecklist.h"
-#include "ACLRegexData.h"
+#include "acl/UrlPath.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
 #include "HttpRequest.h"
 
 ACL::Prototype ACLUrlPath::LegacyRegistryProtoype(&ACLUrlPath::RegistryEntry_, "pattern");
@@ -45,7 +45,7 @@
 ACLStrategised<char const *> ACLUrlPath::RegistryEntry_(new ACLRegexData, ACLUrlPathStrategy::Instance(), "urlpath_regex");
 
 int
-ACLUrlPathStrategy::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+ACLUrlPathStrategy::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
 {
     char *esc_buf = xstrdup(checklist->request->urlpath.termedBuf());
     rfc1738_unescape(esc_buf);

=== renamed file 'src/ACLUrlPath.h' => 'src/acl/UrlPath.h'
--- src/ACLUrlPath.h	2009-01-21 03:47:47 +0000
+++ src/acl/UrlPath.h	2009-03-08 21:53:27 +0000
@@ -35,16 +35,16 @@
 
 #ifndef SQUID_ACLURLPATH_H
 #define SQUID_ACLURLPATH_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLUrlPathStrategy : public ACLStrategy<char const *>
 {
 
 public:
-    virtual int match (ACLData<char const *> * &, ACLChecklist *);
+    virtual int match (ACLData<char const *> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLUrlPathStrategy *Instance();

=== renamed file 'src/ACLUrlPort.cc' => 'src/acl/UrlPort.cc'
--- src/ACLUrlPort.cc	2009-01-21 03:47:47 +0000
+++ src/acl/UrlPort.cc	2009-03-08 21:53:27 +0000
@@ -34,16 +34,16 @@
  */
 
 #include "squid.h"
-#include "ACLUrlPort.h"
-#include "ACLIntRange.h"
-#include "ACLChecklist.h"
+#include "acl/UrlPort.h"
+#include "acl/IntRange.h"
+#include "acl/Checklist.h"
 #include "HttpRequest.h"
 
 ACL::Prototype ACLUrlPort::RegistryProtoype(&ACLUrlPort::RegistryEntry_, "port");
 ACLStrategised<int> ACLUrlPort::RegistryEntry_(new ACLIntRange, ACLUrlPortStrategy::Instance(), "port");
 
 int
-ACLUrlPortStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLUrlPortStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->request->port);
 }

=== renamed file 'src/ACLUrlPort.h' => 'src/acl/UrlPort.h'
--- src/ACLUrlPort.h	2009-01-21 03:47:47 +0000
+++ src/acl/UrlPort.h	2009-03-08 21:53:27 +0000
@@ -35,14 +35,14 @@
 
 #ifndef SQUID_ACLURLPORT_H
 #define SQUID_ACLURLPORT_H
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
 
 class ACLUrlPortStrategy : public ACLStrategy<int>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     virtual bool requiresRequest() const {return true;}
 
     static ACLUrlPortStrategy *Instance();

=== renamed file 'src/ACLUserData.cc' => 'src/acl/UserData.cc'
--- src/ACLUserData.cc	2008-10-10 08:02:53 +0000
+++ src/acl/UserData.cc	2009-03-08 19:34:36 +0000
@@ -35,9 +35,8 @@
  */
 
 #include "squid.h"
-#include "ACLUserData.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
+#include "acl/UserData.h"
+#include "acl/Checklist.h"
 #include "wordlist.h"
 #include "ConfigParser.h"
 

=== renamed file 'src/ACLUserData.h' => 'src/acl/UserData.h'
--- src/ACLUserData.h	2008-10-10 08:02:53 +0000
+++ src/acl/UserData.h	2009-03-08 19:34:36 +0000
@@ -36,8 +36,8 @@
 #ifndef SQUID_ACLUSERDATA_H
 #define SQUID_ACLUSERDATA_H
 #include "splay.h"
-#include "ACL.h"
-#include "ACLData.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
 
 class ACLUserData : public ACLData<char const *>
 {

=== modified file 'src/adaptation/AccessCheck.cc'
--- src/adaptation/AccessCheck.cc	2009-02-26 16:27:40 +0000
+++ src/adaptation/AccessCheck.cc	2009-03-08 21:53:27 +0000
@@ -2,10 +2,9 @@
 #include "structs.h"
 
 #include "ConfigParser.h"
-#include "ACL.h"
 #include "HttpRequest.h"
 #include "HttpReply.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "adaptation/Service.h"
 #include "adaptation/ServiceGroups.h"
 #include "adaptation/AccessRule.h"
@@ -106,7 +105,7 @@
         if (AccessRule *r = FindRule(topCandidate())) {
             /* BUG 2526: what to do when r->acl is empty?? */
             // XXX: we do not have access to conn->rfc931 here.
-            acl_checklist = aclChecklistCreate(r->acl, req, dash_str);
+            acl_checklist = new ACLFilledChecklist(r->acl, req, dash_str);
             acl_checklist->reply = rep ? HTTPMSGLOCK(rep) : NULL;
             acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this);
             return;

=== modified file 'src/adaptation/AccessCheck.h'
--- src/adaptation/AccessCheck.h	2009-02-19 07:17:31 +0000
+++ src/adaptation/AccessCheck.h	2009-03-08 21:53:27 +0000
@@ -7,6 +7,7 @@
 
 class HttpRequest;
 class HttpReply;
+class ACLFilledChecklist;
 
 namespace Adaptation
 {
@@ -35,7 +36,7 @@
     HttpReply *rep;
     AccessCheckCallback *callback;
     void *callback_data;
-    ACLChecklist *acl_checklist;
+    ACLFilledChecklist *acl_checklist;
 
     typedef int Candidate;
     typedef Vector<Candidate> Candidates;

=== modified file 'src/adaptation/AccessRule.cc'
--- src/adaptation/AccessRule.cc	2009-02-11 19:11:36 +0000
+++ src/adaptation/AccessRule.cc	2009-03-08 19:34:36 +0000
@@ -2,7 +2,7 @@
 #include "structs.h"
 
 #include "ConfigParser.h"
-#include "ACL.h"
+#include "acl/Gadgets.h"
 #include "adaptation/AccessRule.h"
 #include "adaptation/Service.h"
 #include "adaptation/ServiceGroups.h"

=== modified file 'src/adaptation/Config.cc'
--- src/adaptation/Config.cc	2009-02-26 16:27:40 +0000
+++ src/adaptation/Config.cc	2009-03-08 19:34:36 +0000
@@ -34,7 +34,7 @@
 #include "structs.h"
 
 #include "ConfigParser.h"
-#include "ACL.h"
+#include "acl/Gadgets.h"
 #include "Store.h"
 #include "Array.h"    // really Vector
 #include "adaptation/Config.h"

=== modified file 'src/adaptation/icap/Config.cc'
--- src/adaptation/icap/Config.cc	2009-02-20 19:08:58 +0000
+++ src/adaptation/icap/Config.cc	2009-03-04 22:56:29 +0000
@@ -35,14 +35,12 @@
 #include "squid.h"
 
 #include "ConfigParser.h"
-#include "ACL.h"
 #include "Store.h"
 #include "Array.h"	// really Vector
 #include "adaptation/icap/Config.h"
 #include "adaptation/icap/ServiceRep.h"
 #include "HttpRequest.h"
 #include "HttpReply.h"
-#include "ACLChecklist.h"
 #include "wordlist.h"
 
 Adaptation::Icap::Config Adaptation::Icap::TheConfig;

=== modified file 'src/asn.cc'
--- src/asn.cc	2009-01-21 03:47:47 +0000
+++ src/asn.cc	2009-03-08 21:53:27 +0000
@@ -39,11 +39,11 @@
 #include "HttpRequest.h"
 #include "StoreClient.h"
 #include "Store.h"
-#include "ACL.h"
-#include "ACLASN.h"
-#include "ACLSourceASN.h"
-#include "ACLDestinationASN.h"
-#include "ACLDestinationIP.h"
+#include "acl/Acl.h"
+#include "acl/Asn.h"
+#include "acl/SourceAsn.h"
+#include "acl/DestinationAsn.h"
+#include "acl/DestinationIp.h"
 #include "HttpReply.h"
 #include "forward.h"
 #include "wordlist.h"
@@ -605,7 +605,7 @@
 ACLStrategised<IpAddress> ACLASN::DestinationRegistryEntry_(new ACLASN, ACLDestinationASNStrategy::Instance(), "dst_as");
 
 int
-ACLSourceASNStrategy::match (ACLData<IpAddress> * &data, ACLChecklist *checklist)
+ACLSourceASNStrategy::match (ACLData<IpAddress> * &data, ACLFilledChecklist *checklist)
 {
     return data->match(checklist->src_addr);
 }
@@ -620,7 +620,7 @@
 
 
 int
-ACLDestinationASNStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLDestinationASNStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
 

=== added file 'src/auth/Acl.cc'
--- src/auth/Acl.cc	1970-01-01 00:00:00 +0000
+++ src/auth/Acl.cc	2009-03-08 22:20:22 +0000
@@ -0,0 +1,78 @@
+#include "squid.h"
+#include "acl/Acl.h"
+#include "acl/FilledChecklist.h"
+#include "auth/UserRequest.h"
+#include "auth/Acl.h"
+#include "auth/AclProxyAuth.h"
+#include "HttpRequest.h"
+
+/** retval -1 user not authenticated (authentication error?)
+    retval  0 user not authorized OR user authentication is in pgrogress
+    retval +1 user authenticated and authorized */
+int
+AuthenticateAcl(ACLChecklist *ch)
+{
+	ACLFilledChecklist *checklist = Filled(ch);
+	HttpRequest *request = checklist->request;
+    http_hdr_type headertype;
+
+    if (NULL == request) {
+        fatal ("requiresRequest SHOULD have been true for this ACL!!");
+        return 0;
+    } else if (request->flags.accelerated) {
+        /* WWW authorization on accelerated requests */
+        headertype = HDR_AUTHORIZATION;
+    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
+        debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
+        return -1;
+    } else {
+        /* Proxy authorization on proxy requests */
+        headertype = HDR_PROXY_AUTHORIZATION;
+    }
+
+    /* get authed here */
+    /* Note: this fills in auth_user_request when applicable */
+    /*
+     * DPW 2007-05-08
+     * tryToAuthenticateAndSetAuthUser used to try to lock and
+     * unlock auth_user_request on our behalf, but it was too
+     * ugly and hard to follow.  Now we do our own locking here.
+     *
+     * I'm not sure what tryToAuthenticateAndSetAuthUser does when
+     * auth_user_request is set before calling.  I'm tempted to
+     * unlock and set it to NULL, but it seems safer to save the
+     * pointer before calling and unlock it afterwards.  If the
+     * pointer doesn't change then its a no-op.
+     */
+    AuthUserRequest *old_auth_user_request = checklist->auth_user_request;
+    const auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser(
+        &checklist->auth_user_request, headertype, request, 
+        checklist->conn(), checklist->src_addr);
+    if (checklist->auth_user_request)
+        AUTHUSERREQUESTLOCK(checklist->auth_user_request, "ACLAuth::authenticated");
+    AUTHUSERREQUESTUNLOCK(old_auth_user_request, "old ACLAuth");
+    switch (result) {
+
+    case AUTH_ACL_CANNOT_AUTHENTICATE:
+        debugs(28, 4, HERE << "returning  0 user authenticated but not authorised.");
+        return 0;
+
+    case AUTH_AUTHENTICATED:
+        return 1;
+        break;
+
+    case AUTH_ACL_HELPER:
+        debugs(28, 4, HERE << "returning 0 sending credentials to helper.");
+        checklist->changeState(ProxyAuthLookup::Instance());
+        return 0;
+
+    case AUTH_ACL_CHALLENGE:
+        debugs(28, 4, HERE << "returning 0 sending authentication challenge.");
+        checklist->changeState (ProxyAuthNeeded::Instance());
+        return 0;
+
+    default:
+        fatal("unexpected authenticateAuthenticate reply\n");
+        return 0;
+    }
+}

=== added file 'src/auth/Acl.h'
--- src/auth/Acl.h	1970-01-01 00:00:00 +0000
+++ src/auth/Acl.h	2009-03-08 22:20:22 +0000
@@ -0,0 +1,12 @@
+#ifndef SQUID_AUTH_ACL_H
+#define SQUID_AUTH_ACL_H
+
+// ACL-related code used by authentication-related code. This code is not in
+// auth/Gadgets to avoid making auth/libauth dependent on acl/libstate because
+// acl/libstate already depends on auth/libauth.
+
+class ACLChecklist;
+/// \ingroup AuthAPI
+extern int AuthenticateAcl(ACLChecklist *ch);
+
+#endif /* SQUID_AUTH_ACL_H */

=== renamed file 'src/ACLMaxUserIP.cc' => 'src/auth/AclMaxUserIp.cc'
--- src/ACLMaxUserIP.cc	2009-02-24 23:52:44 +0000
+++ src/auth/AclMaxUserIp.cc	2009-03-08 21:57:12 +0000
@@ -35,9 +35,10 @@
  */
 
 #include "squid.h"
-#include "ACLMaxUserIP.h"
+#include "acl/FilledChecklist.h"
+#include "auth/Acl.h"
+#include "auth/AclMaxUserIp.h"
 #include "auth/UserRequest.h"
-#include "authenticate.h"
 #include "wordlist.h"
 #include "ConfigParser.h"
 
@@ -152,11 +153,12 @@
 }
 
 int
-ACLMaxUserIP::match(ACLChecklist *checklist)
+ACLMaxUserIP::match(ACLChecklist *cl)
 {
+    ACLFilledChecklist *checklist = Filled(cl);
     int ti;
 
-    if ((ti = checklist->authenticated()) != 1)
+    if ((ti = AuthenticateAcl(checklist)) != 1)
         return ti;
 
     ti = match(checklist->auth_user_request, checklist->src_addr);

=== renamed file 'src/ACLMaxUserIP.h' => 'src/auth/AclMaxUserIp.h'
--- src/ACLMaxUserIP.h	2009-01-21 03:47:47 +0000
+++ src/auth/AclMaxUserIp.h	2009-03-08 21:57:12 +0000
@@ -35,8 +35,10 @@
 #ifndef SQUID_ACLMAXUSERIP_H
 #define SQUID_ACLMAXUSERIP_H
 
-#include "ACL.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Checklist.h"
+
+class AuthUserRequest;
 
 /// \ingroup ACLAPI
 class ACLMaxUserIP : public ACL

=== renamed file 'src/ACLProxyAuth.cc' => 'src/auth/AclProxyAuth.cc'
--- src/ACLProxyAuth.cc	2009-02-24 23:52:44 +0000
+++ src/auth/AclProxyAuth.cc	2009-03-08 21:57:12 +0000
@@ -35,13 +35,14 @@
  */
 
 #include "squid.h"
-#include "ACLProxyAuth.h"
-#include "authenticate.h"
-#include "ACLChecklist.h"
-#include "ACLUserData.h"
-#include "ACLRegexData.h"
+#include "auth/AclProxyAuth.h"
+#include "auth/Gadgets.h"
+#include "acl/FilledChecklist.h"
+#include "acl/UserData.h"
+#include "acl/RegexData.h"
 #include "client_side.h"
 #include "HttpRequest.h"
+#include "auth/Acl.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 
@@ -80,7 +81,7 @@
 {
     int ti;
 
-    if ((ti = checklist->authenticated()) != 1)
+    if ((ti = AuthenticateAcl(checklist)) != 1)
         return ti;
 
     ti = matchProxyAuth(checklist);
@@ -133,8 +134,10 @@
 }
 
 void
-ProxyAuthLookup::checkForAsync(ACLChecklist *checklist)const
+ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 {
+    ACLFilledChecklist *checklist = Filled(cl);
+
     checklist->asyncInProgress(true);
     debugs(28, 3, "ACLChecklist::checkForAsync: checking password via authenticator");
 
@@ -150,7 +153,8 @@
 void
 ProxyAuthLookup::LookupDone(void *data, char *result)
 {
-    ACLChecklist *checklist = (ACLChecklist *)data;
+    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
+
     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 
     if (result != NULL)
@@ -198,8 +202,9 @@
 }
 
 int
-ACLProxyAuth::matchForCache(ACLChecklist *checklist)
+ACLProxyAuth::matchForCache(ACLChecklist *cl)
 {
+    ACLFilledChecklist *checklist = Filled(cl);
     assert (checklist->auth_user_request);
     return data->match(checklist->auth_user_request->username());
 }
@@ -209,8 +214,9 @@
  * 1 : Authorisation OK. (Matched)
  */
 int
-ACLProxyAuth::matchProxyAuth(ACLChecklist *checklist)
+ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 {
+    ACLFilledChecklist *checklist = Filled(cl);
     checkAuthForCaching(checklist);
     /* check to see if we have matched the user-acl before */
     int result = cacheMatchAcl(&checklist->auth_user_request->user()->
@@ -224,7 +230,7 @@
 {
     /* for completeness */
     /* consistent parameters ? */
-    assert(authenticateUserAuthenticated(checklist->auth_user_request));
+    assert(authenticateUserAuthenticated(Filled(checklist)->auth_user_request));
     /* this check completed */
 }
 

=== renamed file 'src/ACLProxyAuth.h' => 'src/auth/AclProxyAuth.h'
--- src/ACLProxyAuth.h	2008-10-10 08:02:53 +0000
+++ src/auth/AclProxyAuth.h	2009-03-08 19:57:33 +0000
@@ -34,9 +34,9 @@
 
 #ifndef SQUID_ACLPROXYAUTH_H
 #define SQUID_ACLPROXYAUTH_H
-#include "ACL.h"
-#include "ACLData.h"
-#include "ACLChecklist.h"
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Checklist.h"
 
 class ProxyAuthLookup : public ACLChecklist::AsyncState
 {

=== renamed file 'src/authenticate.cc' => 'src/auth/Gadgets.cc'
--- src/authenticate.cc	2009-02-24 23:52:44 +0000
+++ src/auth/Gadgets.cc	2009-03-08 19:34:36 +0000
@@ -38,12 +38,15 @@
  * See acl.c for access control and client_side.c for auditing */
 
 #include "squid.h"
-#include "authenticate.h"
-#include "ACL.h"
+#include "acl/Acl.h"
+#include "acl/FilledChecklist.h"
 #include "client_side.h"
 #include "auth/Config.h"
 #include "auth/Scheme.h"
+#include "auth/Gadgets.h"
 #include "auth/User.h"
+#include "auth/UserRequest.h"
+#include "auth/AclProxyAuth.h"
 #include "HttpReply.h"
 #include "HttpRequest.h"
 

=== renamed file 'src/authenticate.h' => 'src/auth/Gadgets.h'
--- src/authenticate.h	2009-01-21 03:47:47 +0000
+++ src/auth/Gadgets.h	2009-03-08 21:19:10 +0000
@@ -30,10 +30,12 @@
  *
  */
 
-#ifndef SQUID_AUTHENTICATE_H
-#define SQUID_AUTHENTICATE_H
+#ifndef SQUID_AUTH_GADGETS_H
+#define SQUID_AUTH_GADGETS_H
 
-#include "client_side.h"
+#include "hash.h"
+#include "MemPool.h"
+#include "typedefs.h" /* for authConfig */
 
 class AuthUser;
 
@@ -65,6 +67,7 @@
 
 class ConnStateData;
 class AuthScheme;
+class StoreEntry;
 
 /**
  \ingroup AuthAPI
@@ -98,4 +101,4 @@
 /// \ingroup AuthAPI
 extern void authenticateOnCloseConnection(ConnStateData * conn);
 
-#endif /* SQUID_AUTHENTICATE_H */
+#endif /* SQUID_AUTH_GADGETS_H */

=== modified file 'src/auth/Makefile.am'
--- src/auth/Makefile.am	2009-02-25 06:08:49 +0000
+++ src/auth/Makefile.am	2009-03-08 21:29:22 +0000
@@ -1,11 +1,10 @@
 include $(top_srcdir)/src/Common.am
 
-EXTRA_LIBRARIES	= libbasic.a libdigest.a libntlm.a libnegotiate.a
-noinst_LIBRARIES = libauth.a @AUTH_LIBS_TO_BUILD@
+noinst_LTLIBRARIES = libauth.la libacls.la @AUTH_LIBS_TO_BUILD@
+EXTRA_LTLIBRARIES = libbasic.la libdigest.la libntlm.la libnegotiate.la
 
 ## authentication framework; this library is always built
-## TODO: use libtool and add @AUTH_LIBS_TO_BUILD@ to libauth.la
-libauth_a_SOURCES = \
+libauth_la_SOURCES = \
 	Config.cc \
 	Config.h \
 	Scheme.cc \
@@ -14,27 +13,43 @@
 	User.cci \
 	User.cc \
 	UserRequest.h \
-	UserRequest.cc
-
-libbasic_a_SOURCES = \
+	UserRequest.cc \
+	Gadgets.cc \
+	Gadgets.h
+
+libauth_la_LIBADD = @AUTH_LIBS_TO_BUILD@
+libauth_la_DEPENDENCIES = @AUTH_LIBS_TO_BUILD@
+
+## authentication-dependent ACLs and authentication code they share
+libacls_la_SOURCES = \
+	Acl.cc \
+	Acl.h \
+	\
+	AclMaxUserIp.cc \
+	AclMaxUserIp.h \
+	AclProxyAuth.cc \
+	AclProxyAuth.h	
+
+
+libbasic_la_SOURCES = \
 	basic/basicScheme.cc \
 	basic/basicScheme.h \
 	basic/auth_basic.cc \
 	basic/auth_basic.h
 
-libdigest_a_SOURCES = \
+libdigest_la_SOURCES = \
 	digest/digestScheme.cc \
 	digest/digestScheme.h \
 	digest/auth_digest.cc \
 	digest/auth_digest.h
 
-libntlm_a_SOURCES = \
+libntlm_la_SOURCES = \
 	ntlm/ntlmScheme.cc \
 	ntlm/ntlmScheme.h \
 	ntlm/auth_ntlm.cc \
 	ntlm/auth_ntlm.h
 
-libnegotiate_a_SOURCES = \
+libnegotiate_la_SOURCES = \
 	negotiate/negotiateScheme.cc \
 	negotiate/negotiateScheme.h \
 	negotiate/auth_negotiate.cc \

=== modified file 'src/auth/Scheme.cc'
--- src/auth/Scheme.cc	2009-02-24 23:52:44 +0000
+++ src/auth/Scheme.cc	2009-03-08 19:34:36 +0000
@@ -36,7 +36,7 @@
 
 #include "squid.h"
 #include "auth/Scheme.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/Config.h"
 
 Vector<AuthScheme*> *AuthScheme::_Schemes = NULL;

=== modified file 'src/auth/User.cc'
--- src/auth/User.cc	2009-02-24 23:52:44 +0000
+++ src/auth/User.cc	2009-03-08 19:34:36 +0000
@@ -37,8 +37,9 @@
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "auth/Config.h"
-#include "authenticate.h"
-#include "ACL.h"
+#include "auth/Gadgets.h"
+#include "acl/Acl.h"
+#include "acl/Gadgets.h"
 #include "event.h"
 #include "SquidTime.h"
 

=== modified file 'src/auth/UserRequest.cc'
--- src/auth/UserRequest.cc	2009-02-24 23:52:44 +0000
+++ src/auth/UserRequest.cc	2009-03-08 19:34:36 +0000
@@ -43,8 +43,8 @@
 #include "squid.h"
 #include "auth/UserRequest.h"
 #include "auth/User.h"
-/*#include "authenticate.h"
-#include "ACL.h"
+/*#include "auth/Gadgets.h"
+#include "acl/Acl.h"
 #include "client_side.h"
 */
 #include "auth/Config.h"

=== modified file 'src/auth/basic/auth_basic.cc'
--- src/auth/basic/auth_basic.cc	2009-02-11 11:10:32 +0000
+++ src/auth/basic/auth_basic.cc	2009-03-08 19:34:36 +0000
@@ -39,7 +39,7 @@
 
 #include "squid.h"
 #include "auth_basic.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "CacheManager.h"
 #include "Store.h"
 #include "HttpReply.h"

=== modified file 'src/auth/basic/auth_basic.h'
--- src/auth/basic/auth_basic.h	2009-02-24 23:52:44 +0000
+++ src/auth/basic/auth_basic.h	2009-03-08 19:34:36 +0000
@@ -5,7 +5,7 @@
 
 #ifndef __AUTH_BASIC_H__
 #define __AUTH_BASIC_H__
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "auth/Config.h"

=== modified file 'src/auth/digest/auth_digest.cc'
--- src/auth/digest/auth_digest.cc	2009-02-11 11:10:32 +0000
+++ src/auth/digest/auth_digest.cc	2009-03-08 19:34:36 +0000
@@ -40,7 +40,7 @@
 #include "squid.h"
 #include "rfc2617.h"
 #include "auth_digest.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "event.h"
 #include "CacheManager.h"
 #include "Store.h"

=== modified file 'src/auth/digest/auth_digest.h'
--- src/auth/digest/auth_digest.h	2009-02-24 23:52:44 +0000
+++ src/auth/digest/auth_digest.h	2009-03-08 19:34:36 +0000
@@ -6,7 +6,7 @@
 #ifndef __AUTH_DIGEST_H__
 #define __AUTH_DIGEST_H__
 #include "rfc2617.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "auth/Config.h"

=== modified file 'src/auth/negotiate/auth_negotiate.cc'
--- src/auth/negotiate/auth_negotiate.cc	2009-02-11 11:10:32 +0000
+++ src/auth/negotiate/auth_negotiate.cc	2009-03-08 19:34:36 +0000
@@ -39,7 +39,7 @@
 
 #include "squid.h"
 #include "auth_negotiate.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "CacheManager.h"
 #include "Store.h"
 #include "client_side.h"

=== modified file 'src/auth/negotiate/auth_negotiate.h'
--- src/auth/negotiate/auth_negotiate.h	2009-02-24 23:52:44 +0000
+++ src/auth/negotiate/auth_negotiate.h	2009-03-08 19:34:36 +0000
@@ -5,7 +5,7 @@
 
 #ifndef __AUTH_NEGOTIATE_H__
 #define __AUTH_NEGOTIATE_H__
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "auth/Config.h"

=== modified file 'src/auth/ntlm/auth_ntlm.cc'
--- src/auth/ntlm/auth_ntlm.cc	2009-02-11 11:10:32 +0000
+++ src/auth/ntlm/auth_ntlm.cc	2009-03-08 19:34:36 +0000
@@ -39,7 +39,7 @@
 
 #include "squid.h"
 #include "auth_ntlm.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "CacheManager.h"
 #include "Store.h"
 #include "client_side.h"

=== modified file 'src/auth/ntlm/auth_ntlm.h'
--- src/auth/ntlm/auth_ntlm.h	2009-02-24 23:52:44 +0000
+++ src/auth/ntlm/auth_ntlm.h	2009-03-08 19:34:36 +0000
@@ -5,7 +5,7 @@
 
 #ifndef __AUTH_NTLM_H__
 #define __AUTH_NTLM_H__
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "auth/Config.h"

=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc	2009-02-28 08:50:18 +0000
+++ src/cache_cf.cc	2009-03-09 05:53:08 +0000
@@ -33,7 +33,6 @@
  */
 
 #include "squid.h"
-#include "authenticate.h"
 #include "ProtoPort.h"
 #include "HttpRequestMethod.h"
 #include "auth/Config.h"
@@ -42,7 +41,8 @@
 #include "Store.h"
 #include "SwapDir.h"
 #include "ConfigParser.h"
-#include "ACL.h"
+#include "acl/Acl.h"
+#include "acl/Gadgets.h"
 #include "StoreFileSystem.h"
 #include "Parsing.h"
 #include "MemBuf.h"

=== modified file 'src/client_side.cc'
--- src/client_side.cc	2009-03-06 13:26:57 +0000
+++ src/client_side.cc	2009-03-09 05:53:08 +0000
@@ -96,7 +96,7 @@
 #include "MemObject.h"
 #include "fde.h"
 #include "client_side_request.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "ConnectionDetail.h"
 #include "client_side_reply.h"
 #include "ClientRequestContext.h"
@@ -527,7 +527,7 @@
 
 #endif
 
-        ACLChecklist *checklist = clientAclChecklistCreate(Config.accessList.log, this);
+        ACLFilledChecklist *checklist = clientAclChecklistCreate(Config.accessList.log, this);
 
         if (al.reply)
             checklist->reply = HTTPMSGLOCK(al.reply);
@@ -2874,12 +2874,9 @@
 #if USE_IDENT
 
     if (Config.accessList.identLookup) {
-        ACLChecklist identChecklist;
+        ACLFilledChecklist identChecklist(Config.accessList.identLookup, NULL, NULL);
         identChecklist.src_addr = details->peer;
         identChecklist.my_addr = details->me;
-        identChecklist.accessList = cbdataReference(Config.accessList.identLookup);
-
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
         if (identChecklist.fastCheck())
             identStart(details->me, details->peer, clientIdentDone, connState);
     }
@@ -3089,12 +3086,9 @@
 #if USE_IDENT
 
     if (Config.accessList.identLookup) {
-        ACLChecklist identChecklist;
+        ACLFilledChecklist identChecklist(Config.accessList.identLookup, NULL, NULL);
         identChecklist.src_addr = details->peer;
         identChecklist.my_addr = details->me;
-        identChecklist.accessList = cbdataReference(Config.accessList.identLookup);
-
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
         if (identChecklist.fastCheck())
             identStart(details->me, details->peer, clientIdentDone, connState);
     }
@@ -3345,12 +3339,12 @@
     }
 }
 
-ACLChecklist *
+ACLFilledChecklist *
 clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
 {
-    ACLChecklist *ch;
     ConnStateData * conn = http->getConn();
-    ch = aclChecklistCreate(acl, http->request, cbdataReferenceValid(conn) && conn != NULL ? conn->rfc931 : dash_str);
+    ACLFilledChecklist *ch = new ACLFilledChecklist(acl, http->request,
+        cbdataReferenceValid(conn) && conn != NULL ? conn->rfc931 : dash_str);
 
     /*
      * hack for ident ACL. It needs to get full addresses, and a place to store
@@ -3365,7 +3359,7 @@
      */
 
     if (conn != NULL)
-        ch->conn(conn);	/* unreferenced in acl.cc */
+        ch->conn(conn);	/* unreferenced in FilledCheckList.cc */
 
     return ch;
 }

=== modified file 'src/client_side_reply.cc'
--- src/client_side_reply.cc	2009-02-24 23:52:44 +0000
+++ src/client_side_reply.cc	2009-03-08 21:53:27 +0000
@@ -52,8 +52,8 @@
 #endif
 #include "MemObject.h"
 #include "fde.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Gadgets.h"
 #if DELAY_POOLS
 #include "DelayPools.h"
 #endif
@@ -1785,8 +1785,8 @@
     }
 
     /** Process http_reply_access lists */
-    ACLChecklist *replyChecklist;
-    replyChecklist = clientAclChecklistCreate(Config.accessList.reply, http);
+    ACLFilledChecklist *replyChecklist =
+        clientAclChecklistCreate(Config.accessList.reply, http);
     replyChecklist->reply = HTTPMSGLOCK(reply);
     replyChecklist->nonBlockingCheck(ProcessReplyAccessResult, this);
 }

=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc	2009-02-24 23:52:44 +0000
+++ src/client_side_request.cc	2009-03-08 21:57:12 +0000
@@ -48,8 +48,8 @@
 #include "auth/UserRequest.h"
 #include "HttpRequest.h"
 #include "ProtoPort.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Gadgets.h"
 #include "client_side.h"
 #include "client_side_reply.h"
 #include "Store.h"
@@ -1113,12 +1113,9 @@
 
     debugs(85, 5, HERE << "SslBump possible, checking ACL");
 
-    ACLChecklist check;
+    ACLFilledChecklist check(Config.accessList.ssl_bump, request, NULL);
     check.src_addr = request->client_addr;
     check.my_addr = request->my_addr;
-    check.request = HTTPMSGLOCK(request);
-    check.accessList = cbdataReference(Config.accessList.ssl_bump);
-    /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
     return check.fastCheck() == 1;
 }
 
@@ -1285,10 +1282,9 @@
     if (!calloutContext->clientside_tos_done) {
         calloutContext->clientside_tos_done = true;
         if (getConn() != NULL) {
-            ACLChecklist ch;
+            ACLFilledChecklist ch(NULL, request, NULL);
             ch.src_addr = request->client_addr;
             ch.my_addr = request->my_addr;
-            ch.request = HTTPMSGLOCK(request);
             int tos = aclMapTOS(Config.accessList.clientside_tos, &ch);
             if (tos)
                 comm_set_tos(getConn()->fd, tos);

=== modified file 'src/client_side_request.h'
--- src/client_side_request.h	2009-02-19 07:17:31 +0000
+++ src/client_side_request.h	2009-03-08 21:57:12 +0000
@@ -187,7 +187,9 @@
 
 /* client http based routines */
 SQUIDCEXTERN char *clientConstructTraceEcho(ClientHttpRequest *);
-SQUIDCEXTERN ACLChecklist *clientAclChecklistCreate(const acl_access * acl,ClientHttpRequest * http);
+
+class ACLFilledChecklist;
+SQUIDCEXTERN ACLFilledChecklist *clientAclChecklistCreate(const acl_access * acl,ClientHttpRequest * http);
 SQUIDCEXTERN int clientHttpRequestStatus(int fd, ClientHttpRequest const *http);
 SQUIDCEXTERN void clientAccessCheck(ClientHttpRequest *);
 

=== modified file 'src/external_acl.cc'
--- src/external_acl.cc	2009-02-24 23:52:44 +0000
+++ src/external_acl.cc	2009-03-08 21:57:12 +0000
@@ -48,15 +48,16 @@
 #include "SquidTime.h"
 #include "Store.h"
 #include "fde.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Acl.h"
 #if USE_IDENT
-#include "ACLIdent.h"
+#include "acl/Ident.h"
 #endif
 #include "client_side.h"
 #include "HttpRequest.h"
 #include "HttpReply.h"
-#include "authenticate.h"
+#include "auth/Acl.h"
+#include "auth/Gadgets.h"
 #include "helper.h"
 #include "MemBuf.h"
 #include "URLScheme.h"
@@ -71,7 +72,7 @@
 
 typedef struct _external_acl_format external_acl_format;
 
-static char *makeExternalAclKey(ACLChecklist * ch, external_acl_data * acl_data);
+static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
 static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry);
 static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry);
 static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry);
@@ -677,9 +678,7 @@
 }
 
 static int
-aclMatchExternal(external_acl_data *acl, ACLChecklist * ch);
-static int
-aclMatchExternal(external_acl_data *acl, ACLChecklist * ch)
+aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
 {
     int result;
     external_acl_entry *entry;
@@ -705,7 +704,7 @@
             int ti;
             /* Make sure the user is authenticated */
 
-            if ((ti = ch->authenticated()) != 1) {
+            if ((ti = AuthenticateAcl(ch)) != 1) {
                 debugs(82, 2, "aclMatchExternal: " << acl->def->name << " user not authenticated (" << ti << ")");
                 return ti;
             }
@@ -777,7 +776,7 @@
 int
 ACLExternal::match(ACLChecklist *checklist)
 {
-    return aclMatchExternal (data, checklist);
+    return aclMatchExternal (data, Filled(checklist));
 }
 
 wordlist *
@@ -811,7 +810,7 @@
 }
 
 static char *
-makeExternalAclKey(ACLChecklist * ch, external_acl_data * acl_data)
+makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
 {
     static MemBuf mb;
     char buf[256];
@@ -1216,7 +1215,7 @@
 }
 
 void
-ACLExternal::ExternalAclLookup(ACLChecklist * ch, ACLExternal * me, EAH * callback, void *callback_data)
+ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH * callback, void *callback_data)
 {
     MemBuf buf;
     external_acl_data *acl = me->data;
@@ -1226,11 +1225,12 @@
     externalAclState *oldstate = NULL;
     bool graceful = 0;
 
+    ACLFilledChecklist *ch = Filled(checklist);
     if (acl->def->require_auth) {
         int ti;
         /* Make sure the user is authenticated */
 
-        if ((ti = ch->authenticated()) != 1) {
+        if ((ti = AuthenticateAcl(ch)) != 1) {
             debugs(82, 1, "externalAclLookup: " << acl->def->name <<
                    " user authentication failure (" << ti << ", ch=" << ch << ")");
             callback(callback_data, NULL);
@@ -1434,7 +1434,7 @@
 void
 ExternalACLLookup::LookupDone(void *data, void *result)
 {
-    ACLChecklist *checklist = (ACLChecklist *)data;
+    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
     checklist->extacl_entry = cbdataReference((external_acl_entry *)result);
     checklist->asyncInProgress(false);
     checklist->changeState (ACLChecklist::NullState::Instance());

=== modified file 'src/forward.cc'
--- src/forward.cc	2009-02-04 09:52:20 +0000
+++ src/forward.cc	2009-03-08 21:57:12 +0000
@@ -33,8 +33,8 @@
 
 #include "squid.h"
 #include "forward.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Gadgets.h"
 #include "CacheManager.h"
 #include "event.h"
 #include "errorpage.h"
@@ -205,12 +205,9 @@
         /**
          * Check if this host is allowed to fetch MISSES from us (miss_access)
          */
-        ACLChecklist ch;
+        ACLFilledChecklist ch(Config.accessList.miss, request, NULL);
         ch.src_addr = request->client_addr;
         ch.my_addr = request->my_addr;
-        ch.request = HTTPMSGLOCK(request);
-        ch.accessList = cbdataReference(Config.accessList.miss);
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
         int answer = ch.fastCheck();
 
         if (answer == 0) {
@@ -664,7 +661,7 @@
     // Create the ACL check list now, while we have access to more info.
     // The list is used in ssl_verify_cb() and is freed in ssl_free().
     if (acl_access *acl = Config.ssl_client.cert_error) {
-        ACLChecklist *check = aclChecklistCreate(acl, request, dash_str);
+        ACLFilledChecklist *check = new ACLFilledChecklist(acl, request, dash_str);
         check->fd(fd);
         SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check);
     }
@@ -1341,8 +1338,6 @@
 IpAddress
 getOutgoingAddr(HttpRequest * request, struct peer *dst_peer)
 {
-    ACLChecklist ch;
-
     if (request && request->flags.spoof_client_ip)
         return request->client_addr;
 
@@ -1350,12 +1345,12 @@
         return IpAddress(); // anything will do.
     }
 
+    ACLFilledChecklist ch(NULL, request, NULL);
     ch.dst_peer = dst_peer;
 
     if (request) {
         ch.src_addr = request->client_addr;
         ch.my_addr = request->my_addr;
-        ch.request = HTTPMSGLOCK(request);
     }
 
     return aclMapAddr(Config.accessList.outgoing_address, &ch);
@@ -1364,12 +1359,11 @@
 unsigned long
 getOutgoingTOS(HttpRequest * request)
 {
-    ACLChecklist ch;
+    ACLFilledChecklist ch(NULL, request, NULL);
 
     if (request) {
         ch.src_addr = request->client_addr;
         ch.my_addr = request->my_addr;
-        ch.request = HTTPMSGLOCK(request);
     }
 
     return aclMapTOS(Config.accessList.outgoing_tos, &ch);

=== modified file 'src/htcp.cc'
--- src/htcp.cc	2009-02-09 08:53:49 +0000
+++ src/htcp.cc	2009-03-08 21:57:12 +0000
@@ -35,8 +35,8 @@
 
 #include "squid.h"
 #include "htcp.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Acl.h"
 #include "SquidTime.h"
 #include "Store.h"
 #include "StoreClient.h"
@@ -850,12 +850,9 @@
     if (!acl)
         return 0;
 
-    ACLChecklist checklist;
+    ACLFilledChecklist checklist(acl, s->request, NULL);
     checklist.src_addr = from;
     checklist.my_addr.SetNoAddr();
-    checklist.request = HTTPMSGLOCK(s->request);
-    checklist.accessList = cbdataReference(acl);
-    /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
     int result = checklist.fastCheck();
     return result;
 }

=== modified file 'src/http.cc'
--- src/http.cc	2009-02-25 20:59:20 +0000
+++ src/http.cc	2009-03-08 21:57:12 +0000
@@ -50,7 +50,7 @@
 #include "HttpHdrContRange.h"
 #include "HttpHdrSc.h"
 #include "HttpHdrScTarget.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "fde.h"
 #if DELAY_POOLS
 #include "DelayPools.h"
@@ -1974,13 +1974,8 @@
     debugs(11,5, HERE << "doneSendingRequestBody: FD " << fd);
 
 #if HTTP_VIOLATIONS
-    ACLChecklist ch;
-    ch.request = HTTPMSGLOCK(request);
-
     if (Config.accessList.brokenPosts) {
-        ch.accessList = cbdataReference(Config.accessList.brokenPosts);
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
-
+		ACLFilledChecklist ch(Config.accessList.brokenPosts, request, NULL);
         if (!ch.fastCheck()) {
             debugs(11, 5, "doneSendingRequestBody: didn't match brokenPosts");
             CommIoCbParams io(NULL);

=== modified file 'src/icp_v2.cc'
--- src/icp_v2.cc	2009-02-04 09:52:20 +0000
+++ src/icp_v2.cc	2009-03-08 21:57:12 +0000
@@ -40,8 +40,8 @@
 #include "comm.h"
 #include "ICP.h"
 #include "HttpRequest.h"
-#include "ACLChecklist.h"
-#include "ACL.h"
+#include "acl/FilledChecklist.h"
+#include "acl/Acl.h"
 #include "AccessLogEntry.h"
 #include "wordlist.h"
 #include "SquidTime.h"
@@ -409,12 +409,9 @@
     if (!Config.accessList.icp)
         return 0;
 
-    ACLChecklist checklist;
+    ACLFilledChecklist checklist(Config.accessList.icp, icp_request, NULL);
     checklist.src_addr = from;
     checklist.my_addr.SetNoAddr();
-    checklist.request = HTTPMSGLOCK(icp_request);
-    checklist.accessList = cbdataReference(Config.accessList.icp);
-    /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
     int result = checklist.fastCheck();
     return result;
 }

=== modified file 'src/logfile.cc'
--- src/logfile.cc	2009-02-19 09:36:01 +0000
+++ src/logfile.cc	2009-03-07 21:07:45 +0000
@@ -33,7 +33,6 @@
  */
 
 #include "squid.h"
-#include "authenticate.h"
 #include "fde.h"
 
 static void logfileWriteWrapper(Logfile * lf, const void *buf, size_t len);

=== modified file 'src/main.cc'
--- src/main.cc	2009-02-27 16:38:06 +0000
+++ src/main.cc	2009-03-08 19:34:36 +0000
@@ -34,7 +34,7 @@
 
 #include "squid.h"
 #include "AccessLogEntry.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "ConfigParser.h"
 #include "errorpage.h"
 #include "event.h"
@@ -46,8 +46,8 @@
 #include "HttpReply.h"
 #include "pconn.h"
 #include "Mem.h"
-#include "ACLASN.h"
-#include "ACL.h"
+#include "acl/Asn.h"
+#include "acl/Acl.h"
 #include "htcp.h"
 #include "StoreFileSystem.h"
 #include "DiskIO/DiskIOModule.h"

=== modified file 'src/neighbors.cc'
--- src/neighbors.cc	2009-01-13 06:17:33 +0000
+++ src/neighbors.cc	2009-03-08 21:57:12 +0000
@@ -32,7 +32,7 @@
 
 #include "squid.h"
 #include "ProtoPort.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "event.h"
 #include "CacheManager.h"
 #include "htcp.h"
@@ -175,18 +175,10 @@
     if (p->access == NULL)
         return do_ping;
 
-    ACLChecklist checklist;
-
+    ACLFilledChecklist checklist(p->access, request, NULL);
     checklist.src_addr = request->client_addr;
-
     checklist.my_addr = request->my_addr;
 
-    checklist.request = HTTPMSGLOCK(request);
-
-    checklist.accessList = cbdataReference(p->access);
-
-    /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
-
 #if 0 && USE_IDENT
     /*
      * this is currently broken because 'request->user_ident' has been

=== modified file 'src/peer_select.cc'
--- src/peer_select.cc	2009-02-04 09:52:20 +0000
+++ src/peer_select.cc	2009-03-08 21:53:27 +0000
@@ -38,7 +38,7 @@
 #include "Store.h"
 #include "ICP.h"
 #include "HttpRequest.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "htcp.h"
 #include "forward.h"
 #include "SquidTime.h"
@@ -294,7 +294,7 @@
     if (ps->direct == DIRECT_UNKNOWN) {
         if (ps->always_direct == 0 && Config.accessList.AlwaysDirect) {
             /** check always_direct; */
-            ps->acl_checklist = aclChecklistCreate(
+            ps->acl_checklist = new ACLFilledChecklist(
                                     Config.accessList.AlwaysDirect,
                                     request,
                                     NULL);		/* ident */
@@ -305,7 +305,7 @@
             ps->direct = DIRECT_YES;
         } else if (ps->never_direct == 0 && Config.accessList.NeverDirect) {
             /** check never_direct; */
-            ps->acl_checklist = aclChecklistCreate(
+            ps->acl_checklist = new ACLFilledChecklist(
                                     Config.accessList.NeverDirect,
                                     request,
                                     NULL);		/* ident */

=== modified file 'src/redirect.cc'
--- src/redirect.cc	2009-02-24 23:52:44 +0000
+++ src/redirect.cc	2009-03-08 19:34:36 +0000
@@ -39,7 +39,7 @@
 #include "Store.h"
 #include "fde.h"
 #include "client_side_request.h"
-#include "ACLChecklist.h"
+#include "acl/Checklist.h"
 #include "HttpRequest.h"
 #include "client_side.h"
 #include "helper.h"

=== modified file 'src/snmp_core.cc'
--- src/snmp_core.cc	2009-02-08 00:02:47 +0000
+++ src/snmp_core.cc	2009-03-08 21:57:12 +0000
@@ -32,7 +32,7 @@
 #include "squid.h"
 #include "comm.h"
 #include "cache_snmp.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #include "ip/IpAddress.h"
 
 #define SNMP_REQUEST_SIZE 4096
@@ -530,11 +530,9 @@
     /* Check if we have explicit permission to access SNMP data.
      * default (set above) is to deny all */
     if (Community && Config.accessList.snmp) {
-        ACLChecklist checklist;
-        checklist.accessList = cbdataReference(Config.accessList.snmp);
+        ACLFilledChecklist checklist(Config.accessList.snmp, NULL, NULL);
         checklist.src_addr = rq->from;
         checklist.snmp_community = (char *) Community;
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
         allow = checklist.fastCheck();
     }
 
@@ -1136,15 +1134,15 @@
 }
 
 /* SNMP checklists */
-#include "ACLStrategy.h"
-#include "ACLStrategised.h"
-#include "ACLStringData.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
+#include "acl/StringData.h"
 
 class ACLSNMPCommunityStrategy : public ACLStrategy<char const *>
 {
 
 public:
-    virtual int match (ACLData<MatchType> * &, ACLChecklist *);
+    virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *);
     static ACLSNMPCommunityStrategy *Instance();
     /* Not implemented to prevent copies of the instance. */
     /* Not private to prevent brain dead g+++ warnings about
@@ -1170,7 +1168,7 @@
 ACLStrategised<char const *> ACLSNMPCommunity::RegistryEntry_(new ACLStringData, ACLSNMPCommunityStrategy::Instance(), "snmp_community");
 
 int
-ACLSNMPCommunityStrategy::match (ACLData<MatchType> * &data, ACLChecklist *checklist)
+ACLSNMPCommunityStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
     return data->match (checklist->snmp_community);
 }

=== modified file 'src/ssl_support.cc'
--- src/ssl_support.cc	2009-01-21 03:47:47 +0000
+++ src/ssl_support.cc	2009-03-08 21:57:12 +0000
@@ -41,7 +41,7 @@
 #if USE_SSL
 
 #include "fde.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 
 /**
  \defgroup ServerProtocolSSLInternal Server-Side SSL Internals
@@ -182,7 +182,7 @@
                 debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server);
                 ok = 0;
                 if (check)
-                    check->ssl_error = SQUID_X509_V_ERR_DOMAIN_MISMATCH;
+                    Filled(check)->ssl_error = SQUID_X509_V_ERR_DOMAIN_MISMATCH;
             }
         }
     } else {
@@ -216,7 +216,7 @@
         }
 
         if (check)
-            check->ssl_error = ctx->error;
+            Filled(check)->ssl_error = ctx->error;
     }
 
     if (!ok && check) {

=== modified file 'src/tests/testACLMaxUserIP.cc'
--- src/tests/testACLMaxUserIP.cc	2008-08-10 05:49:14 +0000
+++ src/tests/testACLMaxUserIP.cc	2009-03-08 19:34:36 +0000
@@ -4,7 +4,7 @@
 #include <stdexcept>
 
 #include "testACLMaxUserIP.h"
-#include "ACLMaxUserIP.h"
+#include "auth/AclMaxUserIp.h"
 
 CPPUNIT_TEST_SUITE_REGISTRATION( testACLMaxUserIP );
 

=== modified file 'src/tests/testAuth.cc'
--- src/tests/testAuth.cc	2009-02-24 23:52:44 +0000
+++ src/tests/testAuth.cc	2009-03-08 19:34:36 +0000
@@ -2,7 +2,7 @@
 
 #include "squid.h"
 #include "testAuth.h"
-#include "authenticate.h"
+#include "auth/Gadgets.h"
 #include "auth/UserRequest.h"
 #include "auth/Scheme.h"
 #include "auth/Config.h"

=== modified file 'src/tests/test_http_range.cc'
--- src/tests/test_http_range.cc	2009-01-21 03:47:47 +0000
+++ src/tests/test_http_range.cc	2009-03-08 19:34:36 +0000
@@ -45,7 +45,7 @@
 #include "Mem.h"
 
 #if 0
-#include "ACLChecklist.h"
+#include "acl/Checklist.h"
 #endif
 
 /* Stub routines */

=== modified file 'src/tunnel.cc'
--- src/tunnel.cc	2009-02-23 10:55:43 +0000
+++ src/tunnel.cc	2009-03-08 21:57:12 +0000
@@ -39,7 +39,7 @@
 #include "fde.h"
 #include "comm.h"
 #include "client_side_request.h"
-#include "ACLChecklist.h"
+#include "acl/FilledChecklist.h"
 #if DELAY_POOLS
 #include "DelayId.h"
 #endif
@@ -618,12 +618,9 @@
          * Check if this host is allowed to fetch MISSES from us (miss_access)
          * default is to allow.
          */
-        ACLChecklist ch;
+        ACLFilledChecklist ch(Config.accessList.miss, request, NULL);
         ch.src_addr = request->client_addr;
         ch.my_addr = request->my_addr;
-        ch.request = HTTPMSGLOCK(request);
-        ch.accessList = cbdataReference(Config.accessList.miss);
-        /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */
         answer = ch.fastCheck();
 
         if (answer == 0) {

=== modified file 'src/ufsdump.cc'
--- src/ufsdump.cc	2009-01-21 03:47:47 +0000
+++ src/ufsdump.cc	2009-03-08 21:37:32 +0000
@@ -45,19 +45,37 @@
 #include <cassert>
 
 /* stub functions for parts of squid not factored to be dynamic yet */
-void shut_down(int)
-{}
-
-void
-reconfigure(int)
-{}
-
-#if WHENITMINIMAL
 void
 eventAdd(const char *name, EVH * func, void *arg, double when, int, bool cbdata)
 {}
 
-#endif
+// required by storeKeyPublicByRequest*
+// XXX: what pulls in storeKeyPublicByRequest?
+const char *urlCanonical(HttpRequest *) { assert(false); return NULL; }
+
+void
+storeAppendPrintf(StoreEntry * e, const char *fmt,...)
+{
+    va_list args;
+    va_start(args, fmt);
+
+	assert(false);
+
+    va_end(args);
+}
+
+#include "CacheManager.h"
+CacheManager*
+CacheManager::GetInstance()
+{
+	assert(false);
+    return NULL;
+}
+
+void
+CacheManager::registerAction(char const * action, char const * desc, OBJH * handler, int pw_req_flag, int atomic) {}
+
+
 /* end stub functions */
 
 struct MetaStd {

# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWTRPa1QAiFd/gHd0RAB9////
/////r////9gkP55u84Ozm2w4D289nugdgXeHrRl56ClSHIaqneHXkBlQAu7u+vuPt1T4Bh7zrev
PZZ3c9hdnB3vffPW2PevC30Zz33r4Hdg+X30LYH0A0AOZ8b7z0+2a4bdPQAdAAnPj730aNAD6K7Y
Bfd8t4eho6HQAJ4vcaKAUoALjznRQAABbl93gA6AAzx3AACgHvePe+tAAAH3h3FA+gADzQ+RASoW
bVrFvl10ZGLWm26DVSLpWeAATgXcslScks4AKBggAxaGa7BrAcAGuRt2xVPp8j4XLA987umOtHDq
ad3bch3ABoEDVdCJpoDIMmhYwUN2DkOwwAkG7dUAAAjWUk6YQ33zzvfXXQwIX193uZVUvs3ZoBrQ
0hFFW2mEkQIATTQATQQnoCZBqYTUPVPUfpE2o09T1PFAGjZINNAIIU0EyJhNJH6p+qeoNqBoA9QA
AAaGmgGgGmIClFU/VP1T8qeTNRqep6gGj1ANPUBoAAAAAAAJNJITREwhTMjTQ1MJqT8mKQ9Q9NJk
epoAepoAABoESiCaaAI0AEwEAAmBTaTCAmSepp6nqHpD1GhoFUgJkAQikxGgRppT9U2o0ZNDQAAA
AGgADMichzBRQMSIBIAdBEBDnCygqNn9Id5D7QTVEVb751/z/fU/+W0CYX2iB3QKwhPqQA+5Jw63
6ddbH1PPH8Ok/qyz6sBRzd/U3x2xGT+lDvEhjDdn4OX1H8P691sD0f5PY3X1maw+O9jnFxtzx+Lw
z4rYmM1W0L73kIwXJ4MvqYUyu/j175hR08/nr3e6FxhcGHw1u6u0iVh4V5iHTAaYN6lEK+F5SnUt
s7u7I0TjsTzq1eAWcrQVe40Yu6o9SATC6rupzW7jaypnj9oRHv91vyJjgKfNqz2XXya/75VkBQqF
fWysgqnDiTN2mJmdMmMMYIe35bw8O44tpS3DOOTX5Dp/N+X3cQ/6OMm4hNmEidPDIAY+FpA8GVgx
OO+ZMlLCvTDMgg1KWaobpoWOoxrtQp73RzrMa3ZmG7oZmm0Q/g+TQ22rpA2sf+N/Ll06c7a+lIDE
HKHSqRScoNtJCdIldS3t5ySdu3wtdN1tZXNpSB05dEirtDJPU6pEcYRPXMuZcIs8nZkGVebZWVbd
pqmD34PK/fCj8IdhP4RobED8QocDQ3rgf9BmwoUSdr1vFYaaWXuXqF+pPuH7nd5gP7/P5MiTlIdh
l/n7uEO+fRoL9PPWbBkMw0qQAnKUiLWlKoHBUEMkP7HCKn6b2ZEyAEf5SmVZATI309rmLp1A/5cN
Sq6/2n7u/6MJkGhZRRhkX5+LDo0RfxVLqn267kIzGan7Zimwjee8JGYf/OpxDQofTXiDNgBsW09w
DvsmQeUA+v5PHQVY7w5xIEXrCr/nSRJwW+nGXG/f+nDbphexczMY14KQ0dk8avdx36ocXxU7Kx26
MfWF5rqB65KqDkRjcevz8iPwD21uk3skFKNYFKDjZmwxZslXTcKKSDGHDjpKkNRAU0hoYGzsjbsM
VUVYpklmnEihrDWsdCOOmlC20BYLF1mOAGhlQqWRTLmUVyUriVrN6QqGqaTdzf2Zrfezub5Z6u23
oikHznQUB/Ekh3dbqlG2FYo2rFmMqsF73TMe9IVBcTTiuMxDBPvZLqqslAGlKSKSIMRTIrADzVPJ
YaDusGlTg3Xjz0aqDhCEqgF8X9jFNmCF8dTVGnB57GNlPhKqrXhGj0WfGVb1LpHeeVI1VWZJUuTQ
J7JmVYVJhqds7e2U+O2M0au0eTMh+aeonztupM4zSmqdnwRi6qIbEMMxGHy83bDLTV6mtGvwhZKN
Ua7uWeuCRiX/KAoHF07nKEIbmgKHCrCJw+TiEIyjTa2tiOo1wNkn2sEpOVlbTgzk3m0Go6NkDhxC
uIaZUgppk3YHrTdDrlgBeLiIRAw4YE8h1qKIjykGQMMaYsiTxvSa2pVTdwZpjxths1ixYGYU0gN1
mmSU4pJKgTfMwk4tgHW0OWTXVpAN0kNmdebJ0TlNk6pJykMYaG3iZCa46Oc78vDp48rh5NcRlZ9J
9Xs8fPggBPb7Zn4EnmeL6PShKwkVVZExlMb6rLgxSqIKQigpFFIxUVYU9M9PuOvv8MeUsAoyo9UQ
yCMvksp3cndxZw0YqgS7UmDHQgggQhfYLujnBXeghucLGaC2rYpVF7wrcvWQmakU4eRVxWdt6WqW
0Z26qqBdc7FAI3XZJmelu6p5hC295J57YiErI8T4S7kUqrkT5M2bo1VG+2ltJxRNDh5VgWUvIEwE
u2R4KxdjLI3bNzNIk1biNMC3Mi1elZYq4lOc7c8rjDOAsApIApBXbJzDligool1m5gNc4pQPGPzp
9v3Z9fhQROvP8n7G6X07rM2Zb7m7ocmlhXygQakhz1zNYlN/RUNR+1UuJt9uy2vdRCvWeJW0JMHv
mWPjiEnpFRTyQQFTL4QFJEGQFkUSEQAkRALIISHcbuETSb1NAU/1018Kfmejg/cGuQNwqIRYgE56
FCrQ4JaHsGhimU3lE+5WnSZZwZ7RH1GqC+ohBU8psdo5O7emcWvp91hyWf7VmBWThObGi+CiR5yw
tPZChNJWyrohkgIn6XGYkzDPZQPl1665Ip+//O60PtyeE0jVCuGIxKEgK11xaFa0Ssupr+o9hThN
yfcdpFBTfUUO85IIoUURJBkUZGRJBAkCRIsiRYCRIgsBgEUJFYxEECMBgCCQGCSLAESCgsFBEixZ
BYRUQBggpEgpJIBIcAYPNhzQYdlA/wLxxVWCREQI+r6vxvWYj8texfj/a+pa60VP1TulT0arMnJ5
TRWcRdur8deaq7MrbcvnXkAfD3ihEZEImCCQUJBJBT9PsBmIXjWxqXHJZhSNysPzbsFmGojOnZFF
aonjbZpqjJDpA0hZjCjJo6RZ3SgJSBognNoN2LDBhkW6eEWDtBPFJHEUcdMcQEdQ1j2MXVGgjgNF
03h3rqQT4ennhDDtOyJodfTPWux3KNc2RhCMDqR7XGWstIwMqnJjThjSN5Bm+QUgQFunp7m1wys0
y3WHbFacQUOsNq1RoUkLEPTlaQw56W1NsBlGTiFoMMjbQ4lnUye5MxhDLPadqRtqtQs0dIR4gyrK
NkMGxXQijRvJvJcOQpUWuM3ALscFXUPC3S6kzm4rmCaM2pOOgslYhzQXpmzJGg0xK0ZOalhjuGUQ
BAwc4g2axjUO4ana9Mq1MWaZ1vIdWGx+BFGc4bBasu4koJKmMyJqIF+jAZhGo9SiWZw8t2RZtDZ2
3lsks+qq5rzmdDTe1x8dUR4CDao5Kyn5brhAA8kadPasJIS1kz0hmlTFyp3zkJs0sZrmhtZMkSaB
iNMm6CDMUOQhQijssRVoQG+14NmkrIEypKBbm3G2J0cRSbgcNAHlKptrjOQZabIYEjCsJd3onkAC
u8vOxu3Z10FlKgffEICyB5SERBMR6cvDEUNQRIJjwIRFOGS0fDO8wLHGMcADmzEP07HGEEaoww/P
Hm2p7MjIgjkOiTLiCW/BDEDkKY4AUoARk5D1OBwoqBMZQM0ysoMVKxmC+XUMWpSUOtU6ISiE2hAv
hRDgTJ86JgKVZhEUeO66MxL8gOASTMvGDGsYxeXFCswVfMBl0jMcC2kuaONKMVrlNPNsPCfKYlcx
UiwxVoeiV8GHCBiKpQwXUCoeDTEwXFa1bglM0tGSNDEsAVWyuzN8iogaXaGkbjYJw3NXIBxBk3h8
I5VxMEC6QnHPlZi3nrkedTP0+D5/o/oHvIHwBz73/khhX5X0sNoTzwWwJZ1RT/Hd77awpG2dui9q
V+t5pqF+r3l8JQO2DfGNBvEZO4xsKGX1zvl/aAUvrp9P4xs9dv2Wr0wGBI/nRS870MQunKWv7EQj
7bQwI52l5Sf7qZyrdPoPiBtxtr9+xSo5tgXlC2AfLfJrXqWRFXDP8VKt44WTGSVutVwCIrXwQQLb
bi0xKUodBXC4qkgAAgpobYlxYiawkD8SImhz8zxDu7u7u7K2o1pHEzK9RnOYyK2MhmbK0H5kjip2
zvPKe9FW0qqsiqq1qsRFVVRFVFFFVRVVVVQ+QL+7UINKCzm5fN2doNYWJL6t242bNiUaW/e1Uxzm
cTrUFnUuKtV26ZQ4JFlRBZNVOOTjOELJEq5KVUzgMZ13EGnvCcSSYjXhCLRsu/IlUxkMWVeJpE1R
dsBjwjFXcKqyMDUYw7FkKEf1ylWbCuceDHsbM0HJFzuuUW9dv5eulWjy5Gz95qld40OcauBuKHaR
eVD1J3sIwjoeUuVD5jlIdq8Edbma+zezSsZnaNCDLAsKOTLdAr8mOls+QqCtu0uhBoRcLWB6n8ME
9zVUGxW+YBkYChPpIHCrsL82QPYONfObDDEOn5vaM0qkjN0fpjjPe0YTHPkIyIlETv7goy5KvX27
mv/b/WwD9dN8kWAmHqQ4qzFNq1/RHdo+u2BshXVbwaMNW3h3S6tW10eGGgcn6w1EHv4qrwPFqJJZ
T62QdVthoBXy2OxbbCk/MUJUcussoR8TR6FLHtq0fspFoYsJJBYmKDE2kWQulkMbaGN7UMbLSBNW
y8UlekqK2g2U2YalVhBOSPOLlJA3mVvZXQyLDIewwK9kLJVMeLam28Zlwc7S+Ke2Tve6ixWwa5UO
dWRTWhDDldd30wsqsms9qSt4Qqo7kcriB8J2kB3yLY7GHYJFCF8G9tW/kbZUcgqY2ltCLcnJtH8H
WFB/jnOsyJcRyMSxRjhzlqi7qiEV9Hxqtv4D3vtDhzuue3Gsi0W4DS5ZrPHkgQFiSYQt0CqpFv51
nBDEg0p20H3YFLRs+6VZR2CsJOqVuWEEVu4zDkNTWlCUHmPBRInGEc2Hakq64ktrvssLyE1JtEAI
sTh9TUegGBy7j1O7pzhPhy42jApqMmxbl48QwM7SFthoIZdGG9O4zWmbyek2JXDeUBO0hIRERRRR
RRRRRRQ6eXbv8B9R3nx9inxCql2qwaBnCFjtXWPrjTpx9Y/Ura86GowupbNWmAaB4iovKm1HeJbk
z7Hl/oIdxhimUQKKGV8vJO/FSBC/3vq0l1NVbZJa1uuV/w+M73+9d9WdSCL0OYGaVMyPio7cjGvP
jDXedTvsERGC/kPj5LHaaFiXQ95To+02YoJBCxZfpDQkIEP55heo14vuNusuMS4hl7b44XbVUVSc
MS93o3kRlGZQgsj6+p+Tvwlquts0cDaNKbHk8mhy6GUmJRYckO8W09tfiWR7VV1NuxhW0ucdm+1K
QyFWMSLlq8D/IyEf7QaEmpNemiqCfTh/VPrWcn1sLfv++s+0trdXIfa/COStUMC1UDk3vct7Krnb
Cvrb6mOxxW8LGp68von6F+W9c+2c9fbmrWb5vnBci3ZkZxfdgWWmJdx7crsrJnEam+mh16FyGAjN
3DJIOTP9P2fjgfBETaImsWoUYfOoSCZklkYa3MxCXLNxTNCqDepw2pym2qFJzMpjBhOYSuHXfdtb
uvMbuyZxtLpa7e7up7s9E2E6FSJEzdCY2TbKHPF0/Z+hViiKigoqqip6WiqxiCiIrEEGKKMEQUFB
K2IrFU+RlVy0gKBruiPWwqd7FkqKuWh1EKwrjiCwTLTzoGTKRZCLFWtiosarVRVKZZ1z42fyvL73
wfJ8n7Xo+98HZns9C6ZiFHx88x32zK6cXCo/vtMrjiriK2FfW+TrTRQr8iVHPRq6PldhxOMuCWtq
2qzFKooayobDsHBDlFKBVDsMnNcdjHZ2bw8Xfx8uMeV5VcYrynbHwe48XrNc545lmmK7WvVK3HDZ
s9Qec22dcY2c3rjUNVbzMteD111xrUaZovMb0lY5xxzxWuJmua655t+Y6xq5xqqunzgLnEtrWdZG
eR4eM9766XX7J2W3bKFJYvXEfVTVR+PHx58NNjcW/IGYNZ3nSdqKCbN/Tfwb3Dm2b/DxZLuK1X1K
8A6QAkVCQhEZFESAChBBYqxQCRZAUkFAWSCgREPpLLIEIiSAxSQofQD8UUU74DaJ+4h7PF9yVBcn
8aCh9iScETvHPqDUth3xTsjmN62Dv6ydUY4QIfGZhyCmQaQFBzTyhYDuBaBEgmCbEH9UsKhKsrew
n8/EkyPWFAEOxYef4/p+umP7yt1Y4y9tK3eI5hV7d2A8Do9+aYMVcO0AHJFAd3e8oSQft5Sjw7J+
BFURyI6IUFEEPElXRA7O033T8SYno5nNddfINw1Oo3sI1Enin7Np0z5AfMVBtqrPjcfCDpkMwLBh
4tH84r/pg59VavsaO51tw4EJQPj8wipsvobvw/j+wjlvw0ikF7YGmCbeQ8Bl9zSqy9/Ox6yz6fbU
1KTk7md6Vlz1GBZsiB9BfpWM+sM3od9Oe4zHkvaQz/j/E37N5795xvfcS9Ki5Dq/n6ppVcmlDkUE
RQXIl2NG5OblIeD88XyLjOtjY+4s5IoiQxaAEgggiP+JvoRj5Wls+E67rqr13/kf8RnGrcmwIX/K
Q0hxkEGV46NREcNJwygmzYzQa1dZQLu7ATZYUqkRmzJNhmzA2NUIwZDcYAGIfwQSzZIsg6ItE+P1
fl8Wxy6PAGuxE18Ipt3X3kInvLgz50tZhXDDMuS8nslG7oSwqOxyr2VPRmv7R/0jL9Vy4RGpe+Ho
sqysn8q322SszUlc0ZHsiau9I/MoaHqyo9kiFm4X9ozHefiAHeHgvxQewO37N1If1/pfgT9UbIu3
am1lq6zu/Crp/Z6J9+y7bN42ZYWwazDSVsnu1Z643wkaqW12TZtt3vDLyReSIUgNIqSSAp5zXv58
N+hZJcsfKABVTVOZmaAE1VeQ5mZczYSYSJSdmGZmFsAR1BhINhxJCnsqhY7Ueurbhpqnm5pxeG+n
GVHa2++vDKdlj2l19kscsrlga1ibgTAxqKURNFMBD6A0URBEEREREEREREERBEET1hSiCIiIiIiI
IiJyUhKHxiQlERE+aIFMKU8aQoiIiIiIm4UKJ7/TIUwpIQw7WSsUK07GOCEnokAYUsohQiFxcFBE
BoUKKnpV/AENIfD0OsaPp6/EetZhjc2LsYCUB9KATPwvOcmMAu0nMrMADj64FW7C+DTMqfgMiaFe
Y/mMU6qsgQLVta/cqWta1YQRdgvbRbSatKVq0cGyEEZynOhGEpSsPUKpAQBFoYb9O3PmeV7MzEGD
hq+MoiGNrPO2Ftby6eqEGDTWZJDBTMBbjbPQ8AKbiufViheGCYqUornQBXFCoohAFxJDukhFgu1c
CRcXAcRViKt+vfQQL+Ey6sRElYYfrZiHkFCKt0JvX9qWHbv/kknnTWu3HEYpiBai0QzCWQuKIA3B
cVvATEjatnR443boR8ojy/vOhGgxtm5vPRzInQl4dPYe62mdg59oxbY7ucok4y8MowFmPUfRGtqq
S+d2MBpkDZGwHIfpy7u7ny690PQx2YhLEWJ+7gI+EN+tC17hw7fDAoesQJkj0FfTnEq+XcWMB3DY
mvqHpT4kafixt5Mm/TWxK0y2EE9KlI60IoX5PTh5wrKZBxgWq2q8R9M22Jznh8Txtea4mic/F2pj
4aL2c6pUlfWXH8aFmy7Jlgk3bLt2hho3SOXLU2YaNFFWyp4kok6TUbpJO2G6rLRRZhNZhNhVhZZh
NRoqwwo4TapMpMLE0k1XiphqlCERvARCY+xtMqaOWNvxjahoYkSzvw12Htb0pNhYRqvzVXG+mokH
i+8h+GzHAtqO2XEgoxUWRrCiHRJ0dLDTjDNaMMbNmzBGXKMEmUCYuvJqhZbKUI02bmFBM0ylFsqJ
1CWsIMznaKhKBHAhkNDvGNFCgBxEQwxextHx9rpHwwhIIDaAZWoAgdMjYRyIJIVVhgJyiiEkknKv
XEYyLE5UJo4lSHcS6iA1RQrLNmIdqDwI1Jl+LxnHWq6z8uIgXXUUSaLNWXKRZJMs5JmjZJNVhhVN
oso0cqMqKpLMrLMqMOGF1CYw5gQKEig6gKCtdx2fIaGGE5R9EFGbepCE7KgWGDKWBsxO0FkMvcA1
gSCe8/H86ez86EhgET7mJE4Ddgf2f4VAhizWLoiDJKLKDJZWlQCg2KCmBcOWKJFIqtIKBVRUFEVY
gMAoMAgpCz2/QJ+n613C/p1DYT4huLZWIW1hVKUrQEv10MUUxbRLEtpSIsD6kP49OqZ7dUxxK8F6
M2fY+Xf6FiREYfDk+D/nknDJO9JJjJHXy22222SAW22hbQtttttttoELaSS2ltDb7x+bafpy+Z93
83ntn5b23Ze0o0UQYHibSEWzabkoM06yTOIEoKcp2zUXeITGUxk8PhEQIgDMwmHERiVFEBkROySc
5YHPNhOrJFIcMmyHRIG6FYHKoByw3TdIGJDowwYodEh1YcdOTnXVhUDdIb5Y43lJ1ebddaS80J0S
QAyISKEYDJBAykKMAmzAOGAGA7JN4JFhKzEAWGmV0wKoSiCMqjAZUI5AJCJkhBJSCiPlpqsvgVqW
ZcsEsjQpkq6x9kZupvLaRE++OP1RIHtACd47h2JosCh3yI9hOl7djfbeud0mmCUynfsTIP7zVEE1
dmFB2k2ayaUCIZZTHcWGNUbbjCohK4FVaKQVyFDA8pYiMIYiFknpdl7SSSZcOGH/UD+9Bjlv1xWs
oh0iIwkujg3LCKk5y7OSKNF1kRBmNF0yldMdW11fv/zuGqpWRg3RBNh6ficOXLVN1lKepSOeDZX0
smdsmUXVXhU+X89VpM+YvwwraMtLNBFtEkMxRgwhcWjDYDQSVCAblncM5kEwgSnJMkFhESylERCL
MoyuZT+lVIhRY6Z6Xe5pxvKIyy9tGy7VoTiU3Fd6puKCEJQZRMmkcJiEIqkRRddKRj/ZOk8os0ee
VWYlJEQdpE0rpNUspR8cFHTR2u7ffjbRptIRQ1wo4GV4hhUTolZ118cqt4RoTJamYNTtajR0pu5T
ctHb4iBRc0LiscwIFusbFBVhjCAlDFwVmtPsmXSaLti7BKUFKKIuhKZdQeTV1csbrkXX+fJt5aNU
aNntbGNNNEnjxu2rtTbaMUaQo70uk1LJIjFekp8kSxEsp+0sqibdqIrHCy0TZYUW2nLZ2ooww5Tc
NXirZy1asbxPnVJpW2Ltd40ULyqYc/FYVjDhTWIjZKDBuw1WWWoywwhND+KJ9JWsn01Tw3cuGhw5
LsnyJ5ltHVJU0lOkiJV7iEVSHz5YR7V2lA6veeFmYAj3KIiarg58ZBJgncJ3JovPHBxRpo37jqXo
mxoxo01vp4TdPEly7RY/rZf44Oa0lNJO19K8QhEIXqRLpOVaHC6lpdELOVy2Iho6UnjZszOIsRE6
xOJulmdCzRZR0o0ZWbKKiIjeSERt+tEf/jjh79zU5SfTpy3Yx4q9MP8D029NNHtPXXxZu3dJOGXK
xNZ6UbMqu3tq0JOmqzRcwsk1auednDdIk3SbqqOmzePwcJ9qtXl2plo/CCSjK7Lc7YbO2Ukj9ERB
/acJ1Yf6x+JKsk0kSlKSSUuC70y5VYcqOlH+H8HDLx4+MOGW77+8KJGzRJs5SUWUarLFQeP9W0Nw
cSmhDrBcQ95rDIX5UPoJ2KcZ95uAdYbEQ8h1mk6Q6lZuvpOnkWaeKwt1yFY0jJIwFJ9HMkJJ79W2
oLs8m22deeAOEJmuHDllQ8OxQOUDd0CDGRGGxw500DnRwEDxFAxAqsXg8UigALMCyEGH4+CQoZNz
hq3PkwAsQPcxjqhMvyfJt+Ic2J81OjHAiBRCKIqKQwtrLVW3VOf8vVeUfM9B0y5FC4kIyA5IJSAs
ggG7ivy6DJxTQFjPQSwoTajYZOFlENIEt1PMushJOhtALvwdM/pxENn7n9MXiFhE/FlTDRZprhF3
iKdSHJlJSkGERBJG8jCSSSGQ6InuOiJ4oeUYaGcjDgzg4DQgnMBIsxEpGqjC62tk7Mv0ZrEszzLt
L3h6VblHGYaIh79Uhd4vRvpy7T5YLtit0jpJpiS1FTyuTFQNNzPPK/VljWmye8xxGryJUZmxBqgZ
vz4Fw9I9g8zDIYbyh4D3gzQnIRSScaPFPUpQVx0qyys9O3TV4u5cppKPEbR1acS2611p6rWc3GUX
hAmhnKxKQ0Y2EkESZIEmHUU0bE5eXDykOGpJNYankjld6V3iSpospVJWIiWP3cP4wVaH03oYk8QQ
ODolACnby5SK8vHxZ+m78Rq98nxfxpYzXLkckmDzxjjjUdhsdcYLqtrZsqpNLYXDDl64xzw+M9c3
xa3Fdci8NfPLNjO9725uetqdVt98xba0Wl2zxxXRfa3bddC9QpnIa1mTjOecdO5zV9CERNiyhpo5
IkYF5wC/amZtDRnZNi61ZkNGbKoKWFb6m1apppFvNiI6bq32m0pmTRDdNNafTsWaIETweOpwcmgr
Dv6FhoQOROaWT0kNms55mhulzo3UQzBdOaTxJVmeqV5aPZ27SYSTjXiXkZ8auJIpKimbRbPXaENI
IuDkFCpSsMTQIKZEyWjaFUiLekql8ShywneRldOH0zEzxZNdZyp41WoqxN7SRwlFUpPGiSbLloss
q2OdvT0/tV3RJJ7pVJERHVXWzxwRkj5eNSSMIQ2+NVWlYiEKKe0nKV3SrjNiyTt0njDLSsRhL0lG
rSbaECXKUMpFZHb0o4bu2742UdLPHpdf24bSkfNqso93aaSIlOEyEtZfFpxj4m3SVaePT0N4j04e
/uer5ZN06Tm1TLCPpPmUY19q1rXakbJJLRPhdPx0fGjt7Se1nCbLVL3KUvnyfCs2t1p30940jqIn
Oi5S1OFNUQSi57e2VKyvNKTxWule2vKHvsuw7T6RTMpVUXpCXua/CtLOmjZszQaSJWa6ymUSt3sj
P1QQjSRlW+oYdWkgewZiPUIIn3KLtIyppyk4fFTW/xhWsayKtnFo1s9vvhNR+r8HLZw179+qOqxK
XlNq14+VxvTswtgwrHqfpeLoYt7ES6WpaQJsMOE3SIQXSgizE4iJ1NdI5bNGkG6zCrCeZJU0XVj0
uwpeOiIiU5ohdJu5ctU3TVs3cKrnDll73cvqBEOYlbp6aq14Se1XTpw0VOVF3SbDZowm8WZavEfe
KNE8N3CyrhZokcOmHSOmrZhlrsloq1ZaMLt3K67jRsw2fxOVHRcuquk5bMsOXTtos4Wct2DdJZo1
WZYSScJtmVHRhJ+kDZlo3atWKOHLY3aPEnab6/H09O3pd02bt0lElFCijZdR0ku0cujmGEChIoT+
gR3IC0MgqPcbPUceIvHzkVjpIRebGKzkEw3HBB8AXqPUeO1HZaztsY4QcOnXufb0fECMFCK7djA7
HYHahIG3XV0cY4txNW7bMlYdWFZuh89jICIDXe4mVVzaTzGMoj0YwuhEIbkmU/XXWHceYDckqKeV
mNq+KFXBJSr1fTOxhcwSe1tuskAkRFEEBokYCEQ3s1eFC+HLFfryfDEl3VhtBkoACCUI0axpTfu9
G83z4WGQDYILZvCBhUlEJQSgmhN0pzS9bfwjFuvLSiuawJlXLaXYNwoUIIqdMESxgABqJQiIQTxE
YNCXBy/hesQuzlstSvpfd7S5EWgveCjXGy6Ggujj20tDaNaRnfCnq1o0unZKgqq6KOmE3t/Bq6Vd
Pzbxyp5rjjh3dV6tOtJgIiAQgDUD9VixSC48EAwxsjwFyC/jZPEE6c939WrxL3PhuRGiGV0EW1g7
dHFCIgwpT4RkhOjWiIKdJK1utEUTpFI1Wjl8UeJPihxy8Y98tGIafOIYvMYYmS6+4zqVQ11XKFkB
0slt99gIwi3rF9ZEI6bmaIr8cLq7AyjU/LGbwJ8pePp7pm6ERnDpOD3Ul74asxYiEaNGquZSzek4
z1wu7bJuGXpo32OdK6pytScp4clDjFk9F3Nq0k5ubo2IbGM2iWZSlkHTZtJqe1kadrtak9YGEEVp
rERV9N3xWzXxd0um9NGzVy6TenVFDOm8JKW2czwRzsfCSd3jR5WMQJe5Up1JIiNyddXKdXHV3bZV
3VdljLho9rtnSjiOW28pEY0xWs6+UrlypW3FxEelfqKV9avbci3xzy5Zzdyk7a3Y2tBy6cJsGihf
ER6Z7eNHbJdZoyf1SQjogxK5YO7T2vgGWesUzVZIlVVAqJZllHUk+laWdqp1SX0Xu9n2bK7LulWP
qbL44YaJsOGzaO3K2JKXiIQ5QtERfLVPQiEVnNNNhzzSbdupTKc5Tq3ZTcpOXLeIbEiqhWq2HJTk
r4zgzxhKUszaCC73CUyugVlFOnhvH9eXktHTVnRxELNPWqi13oo+KwwGC+IwR5ceQMjsNCR0Mhxf
gvleySTryYHvdYUtdVvECkE0GOBSt4YDZkZILBq79HSQK0tJvp7bvNqLJ6y4n29Pbxq9uF3b0/yj
R7XnCERsgIk0ZYVfT+bDZRZNNu4VbMrrJqKv2LqnX6vt4w2cu3xZJZ06SfE3SSqzLDVyZbNXKr7c
GmyWr25d91ct3STdV25WctWG6q6jlllN0uVatnpZZ2665ctW6ijpRJswk5XeKrP1dLqatE4/Z6bX
dvajlnSz20arPbLCpo6OmHbg0cOlUntyk0UYe/faOEmWrto2WdNlGiiREwJngQ7w3eQuoWzNuIX+
fl3hn6TckswOJsCHvL68/Qd/jmFDfR7iKqzyHp8rtJJdj4nlUggXPpNGoVgGpnXWpAdxfttkfIhJ
chziAhSSJMAkzc9I1BzlDwGZ69eu7235lSdG3N1nOVWGTAl1TinSLQJVrbuzhTx+rgzlYfaEhCSC
Tqvb115LWt+6ee7PNvt4AAHn9ZLIioiKjA2668TCBEOOhtqQ2gPTXa3uUtOaJ6TxO6m7Uuywk/R8
iGq94skxNV9tLEEJbJfpdFYNkkPbWat/iiJNlnUqiJJudiKhBFJMSImwoRE/spvqyuaPiSqvmayz
PbftLS+vVsz5Rq/fhdR6PHT8C64HbCWTTrbLLdjXhgMa8rjAea+QwiTDZjlBJLpTIc0WrUtG6jtw
jD8/azG/szJ5Os41zSdMddweKmkHLO22oi7eijXa3K+XWqm2lDDtZBGrUkqrSkTTyszKiriIhD7V
44e2iuO2zZV4kYWbpOG7pss+OM8nUnij3rjOEAO4hvhyWaM2p5cQPJ2N+fAZ4JR4utmt2J5Wjxw5
WrlJZVw4ct2IJ4xrOtJaeqP46Vbq5JPSTXpVNyiEGydnDlPLSIz17UWxdwiINaVy9J6c2Tm0ek1k
iv3niFFkCyQfBDhVCMRgpb3gCgmF0FgWFAzlutm0bJswLIaW9VQRop2k3bJqtGUlHuRwqso9H70L
027v0lJEO9r71hSl66wgjZxlEILq2fSnzM91PjL6enPq8vmqTWeWq/TRw03uRrR8nOOGibgw98bN
V03arCag5cSNYxmajMuHjihJTd7XejITQebPOxgm3emqrSxKW6c4hqUVVVk9crKvpo2eOWdEtHXL
Ks1XpVJ48ZYeLu1l360frRvEMSN90+5N8TRDUqOysPm70h49K54S+OG7Vw8X56Ybs2ln5+WXTV9N
HpVZs/CDS+z3zOPJSkWlCcoC0ogtr1Nlqo9pr0l2ywp9pZWa09vUlGFOWXmzKTRVq3bs+suYQiNs
TSnoo2ekk0k1nLU8KsPHto6au8pTSXddbNkmjZw/WYTatlm7Blym8WccenLCzCTXtLLxu3XartVX
CxdRUu1Ycq0Ss9KNmqy7tc2enThZsVaJMpun8UQcxNwn+zKjs9+9WrpJ29Na0e3pZdI9tdelmGjZ
Or4e1VHJsw8RI4eOWI5YEzHHAoaxzAcuLTed4C8zv8LIH0a8h0IFsJmw0D1m4NgqjmSyanMgNwHO
lGB2GYZgjtERVITC0TiEr2UvsYLtA142dIRuAQKMZlabtLcE4RI+Ku88mashy4nLy7koaMzuRYzR
1DBeZEU1hVjLy34c4tm+tzfhnJhJpWoKgYnvKq6NbyqthvrpelPvMwcQiSAxCTwskQluHj49MkCR
A2aw0gTGcvhqwtxXS2CqyIKfk11fxKNmlUaJun8N3xy0bGKv0nVK0uFlYRndJtpotEcsKIIh9Par
dwqm/tEZgaSYltIh3OcT2SVZjZe0XQKBtSUmqthdtlSUqWYWXGrwIGRzKGRYw5GjFKdqMq4Sy4cO
W72ky5ctkvvmJy7iJSklpaUp81iko9SVkhGnah8aLSb+SbtisoN3EcKE5pQKnj8jf2/dZT2mn8LW
xHNoTk1ctGA5sOxVszArbbmbIO17ulow8NUYlFEGd4kCk1ykSg84YVROaX0u7cbeIhB7ZbG6fA4m
xK7Lp4y4dLpOV30m8SSfrVfh6epRKJKczaSiK+pvrTb3A0CRowrL1J42T6Ycm725bNIp97sJNVrJ
OlSazDPvXq9YlJC954n9bUg1iGRSvKzPLC6T/L1tRowopERRhNRhJ9pvH07WjubCmrTpVXDDtk0a
LtGVVL9c0d3oiskRTnnKFM3lXDpLoqu6V+1m7rdRNd0u39ZWcJpuGz+EII0f1oyXkyJaGBgbc72Z
jXK+MVCqUE7SYQ7SzzZmJntEQYYbK6Hj0nwkbS95REGjnhw4dqNl/i7Xt2nRo/PV6eLPS7DCjL+a
sQR68vOjFWTkmE10HYUyZoMOSjKg5nJalQd7jUQPSia95rMtFPHx8/VNhSnic7tFKbPbR4y0cPPU
cyzZNFJ6fKa4mrW0dJcWzJ6dW3e2npsopzKyezas1nplNl7Nl1XjZpEUAogiGm6U3Kjp6XUWXYen
TZ17lL0q5YdmzLhu7cIxp0wnSXhoaueZSsoymsm3Xvl4wk8bNXBIoym1TcqOlHibLV0bu2zKjth4
s6cKN3L+kQ6Nlnr1My9MqJtHbps1WcPGXTRODbMWTnhlZJNJ/TVs3bPT0qy9OlVGzKbhhVysqqw9
rNHLR25WMrqKvXqjlVu0VcqKqpN27h/UhyfP1x1B3+f0gj+D4eH8hGD+SH8yj8oLCQd3ZBYkdDOT
c33a2hXBbNso0pAlBsVRmZUcqPQ70/A2QHaNJ9kOVahqItyIE0pKIfhSMbVnxT82KHeCIVLHoIrG
lNsVDrhyzHOZIwwvF45tcRFaShb7kIunQEyDNkqW9LhYzd1ls0Ls0fciJtBo4B0AjjRARS4REzVe
xssYHFoyAOEBRBgAJxIRE99ZZThUwcOpE6ZVj6UTSdJkfsfk5VizCqU37F9G07rNJEuU10OsJ5VP
/zRq2WaN1VGqh2a9WvOCZ6UhFZZCoKIyoHMYgdzRadZflWVUMSBUmojR9OGiqHSevziYicgbN027
44dN12pEdpIiTtKUms5w5r3luVJSaJtN14ia7NUtBWBs8ws1WQ4O1XXxd/YgJeXswnpmXkS0Y1G0
KUoRGWSLtFBh2jDVAGhX69V4kgiRF0m6CuGkRCFnzCdGbvRNX7TW/s+zZs02ap6NX2u5enLVs6zr
vlpXNonTRK6qcVl+CfTKvCrKTaybVqyq12iIvodq7KxdPdLZL326asNaONGX4I0+nbou1VYUVePk
PPJYklOZvpxKCJarpMpJ7PTcjpEk0tmXLTCVEtHtRq6Ve2VVFGGCi1l1mrKy7aIj39Wdstseo9bS
rJPmlI7lC9bbxERq8XU6aqsQUary3S6eJx4lwmmsmnHnDpRu0SaJvTCjpy6OaZvKTudKc1aGVl4Q
MrI+KViFG70yos8aNmHHHXLWT8DW0qO2W717e2rh7enLtRJ30234Z6e++q0zR3K3pymXbKM8qpLn
hn5y0YSTlNhOh9KnKzwy9P6PXz439VicuK7WPUl10618UbOTdTzyrX28YbPbpucNttVl323TREFG
XChwznpRdu9unbdNs6Ybu1nTKNWyzdoNW7pwaN1VHbeHo0bqrulVmVWNmGWiabRy6cNzlVNom6ZV
cum/SXDRNVhJos5arrt11Hnmrtlhoy7VavFF1nD8nGiWZOmzRZq2SeHCT61sk1cfsoT+LOGqjVdV
7ZYaMPFnnxLt2vERRJGjKzRJ8+YUVbuW7Vw1YiIQ+z+uCcHhHfZ9HZHYPQkuS8kJLIF7EG/TO9zX
GMenHpFRyuBBJRvUDPv8WbbLncazpoiMDAKCxaoJYrSAnFjdqYMQtQhm0s3d3qmNu7oFXmFMU8qT
1659enpOpMrOA2zUAIkFQCrqW6aFOGeJWBUYqQpc3h9bAyUoGswPT271xFbbu9oMadFNT3AGoYOD
BtRBgUaIKGkTKFUvBKN9ZUpRrdqqpEWBdOkJTKTsqliUNYgURfsaLLLJG35wbUVSeniZGrKyKenx
i0uLttMrkP29MunblQ7USWZbNXUpVvtOSdGiUnTqej2123tj3f6rqv65xZryy/ds2SdrkbMqqvFu
Hff8LMvn3uw8bPajl6fmu99SlLuPn1TFKUrPZ+Z900YXd8rUkkrEocs4TfHTd7eJs+3iylTZE6wW
Wfhw3SUOF1HpVo4fzIbttMbyZlP1e16pzl4naoiz8GqkcPFmkkeNZvfDRP70tC6TLCbKrhsqXenL
hSuklbzvXi1NrRLCvp2thqm3N1Fe3Cfeif4SbsHa3tJq+mjd9EG6SEavSjDsywo/VTStfJVYlJu9
+02nblbqsSk1ShN7fNxFfn10qMjjgUwcjA0NDQYQNgnqbyYPfIaXoCBDiNXPPLtps1aqYbpzXdPT
Lhq+LJJpuWr+ye0S7ljSi8uLtf2k9eEo1aMvSZSjL9SqknKaz6bpuGye8qPvTZ/OlnpdlNNI3dPj
7+93T8FlG0Y6+pJyjZJJsno7cspMOJJsta2fHTlRdqo3XWYZcu6Z1XlSmlfa8lHLZS0sVce2uqP2
xEekVXYTc9sJ6tf1KMLNHLU/fy8iCIddrOVLG7VNl0m3elGHLVuk0dqOlkmHtwyXbuHLko1cqLru
Grhy27OXDplo1ZSTbKuWjt06bO1XbZwqw/oasqPFHr74PbdJOEEXaN3So/tQ0cunpZ7Smly8SN3C
pJNZ2y3Ve0m7dhykssyw/k17aNlIy2fGXTZddwq7MrMuFVXv3y0WXTeKsOm7RbWic+VW20mgRKyh
QuGLzMoTO30ABvDvNEIDQ7jtv8kICKSyrN8tWcGGDYOZEGZtdgRY8h8+7hOFrGyH4X4vioZuhcei
cMDLogOJSDsJwCREEgHUIEIx69SuTtrX2X5bphh3PHzJFhaQtrX5dk8eM7rriNDM9tyvPGciOYxi
5lALcEqTnGDahcYm4dxFTisM7aiLGwmlSAEPv8vNbqcWv1xPqeseI7JrxEIVSQk5OqlERBWIjimR
DLHE5ZtpWnd6pLHCf5KKNqpRVok/Lhc2bUYcqTaNeV3SzZ9qqLvT0o7ScRE94neVdJTRdy2SLlr8
rNKQgT10xxecrZyko1lEQcO42cMNnCqKw2aLtVYQRs1iOHDx5+WXpy4buWxq3a61/aj13SUu5xmW
tZ18prOfPjSBVVKcGFq2SqWXa+nSjRR6Sdt2uWiSrVHDRNhZpHONKaUn42TibZeCr0W7g2UbqNVk
KbsJ0mdvbCpovVJdR793at3TCjh6Satyph08xfiTEq942lhy5927aJNukuIOl1mrlZC6Ig8b76N+
Gq70yjKrdZ49MNXT2zu9ece+a6U33auWao9NW6yRwqoUSatVlHa72u3aN1XiTR2467lbqlNrSm35
pKE93jhn+Oj1R6dMPSab0yaulllWTdbw7xOlq98r80pS3LR40cumd2zxKM9t3bSc3z5dhq3SZVbO
mQnXR4Yc02ZV45a/FV6bgSG0OwIxsQMhgfAYFXbhhVhhR751V0lt3jqmml61n29rxSvLQ6Sy8Vkv
23k0Zrs0bpMssKmWyTtVV6gEUevebtDxNu7YZe1nDxoSTaF3plOD+sj+yDV11qu6OnD07WeOE3TC
Sz2my339Jz9tHDLCfSVHt0qkmo5e0mMO2ibl23bJOkk2rrrVdZo5cPHDhNho4cuHT8OF3DC54flp
hq0eeavTly2Ue1n5zKPT0s7WVcvcTe05NHbdN2o+NmU1G67eQg5kO9Te363eCINw8qoOJiHYGYKb
ke9I2nij1JTKwuLBAvV6A3WtGWRpen3wdrEOVu+yF8+k0oXnEtk0p6dn3G6cmQSYBsFRQZ9MkPuT
BxM3aUhiY8UedeKtNsWLkZiNZwelpXau6sztqBCIuW20oCmj5g8DhUxjEmDThs2FJ0EdUQKSQAnb
dD0VeF9Oz83JrNEfT9JSE0lEQr0ZKOSJqIdWta0/K96Pbr6OOEL1N9zQHkMhyYSkidA+QTDSFUxH
eU4otGrR43o1cLpvCSZvK67hgW6h4vYAECIQhAw4FjjLKpPW+n1nleRr3++bR+xuv6VZemrEdqE4
UYTiIEenjthlR0s2en5Gu6UStxPnX05iIEe1HZs0I1jVy/Ygj5qvCCOG7tww3VaE2rtu/c5lv1TH
d8TidIiKPjjU70swk0Ruyw27du3beabR8Uctj40+vbrhv1upTzye1660XhXpNNrOa87PRq6VNmja
ITeLJuHTtV432Tenbloks4ck++qa0iJqSivu6/Ltsq9e/yaOm7V8Vw6bHxbpdw0UeLWuy9u2Fk1l
FWjdd611itZeusp01kk5p1F1Gy7hi+nTp0wso9etFWr46aN2Xxsu9JtFk3TFvXe23rXesS4Sem7l
rIu0wm2uneSzV01csum67j+S3Gdmadz3dqLSUc8sMPknxyw8XYqmqs1UavG7tdVw3cJU3n5KmO62
nO1nH0teOl+XW54q8fX1Rd07T2y1Scrptnp25aPEn0/J8iI1dYyldNJZhRVlVsm9t2GFFnCrqKpa
sOWzhN7btH04STSXclHTRls1cNn5xEf1aO2V0mrVhl05SZJPGWjRy5aPv78XbMPSrVJRw7Uaqqva
iyabddqu1NEmrDlo2VScpvz4ZbrJMmzrrh6/dh2vfZ7YbMtlFmN2icTLPHtd7USYeKMKMJu3PPDl
Iku5avs/nER3B9ohB+9/J/UHwDccZ1GgS8MRQ5TiOsu6uRanJ4KVMvaF3B3w+7+TXL9tv631/lz3
AdkscE9p+S0+Ssx4YZZyb+iLb8m+CiyKOMTSI5UGrxDfQ75NMzDrp2UjIrszwWgqKmzoGZ2CQLxZ
KRiBDHiF1kPTHeSOmzArxd4hFLxjwA66tiZvyxUTdTWXK6QWamgNXivi2SvZp17z55wdAIBRA5SQ
xEjdKCty1zevVZWia0uH6fpw7IQtI1btKETSROUQgg6UbbH7VoRJo6m7d3WcuFGJfwy2U8TT5eNG
zvdY9OWI41xuqHy69yxCAKq4Et2rGuYdruC2t6TUptQKGBhAijR0w4W0XeOmztdVd56trnSXXdNr
287cbbZea53glMG6WxDhPSjZJ9vacOJRCarDLxZJNlJsq0bXWapJMOnCddtdd5pS3TZiKKGy6SaI
QcLrQgjTZZ7SQmq8bOiqr05XbnW29uK5tvEROdlL5Tk5aUqXTiIwpq5drWkap9LLLpGijdRus4es
+Ad4kFWzHHUNnDNniNkQilmObBh0kzQBLyerFrvicFlFf7PF1l2FDd6VfS76felpS7v1IiIw0Tfb
xpL7wy2W33SX++m1lnL2yYx7dNnbhPqetJ8TnTajam65RZMr296RmN3PPpy40dN3Knj5P0l0m4Ue
Jt028ddzlr5zbjlEUpW27crdOfDVhJo598JOUnvlqqy3dtWzlRNo3fk384knKnEkO9HDFO1HjR6V
Zo7WaQiI6SQwkiPny7o1ePGj03XenqSWGi6znV/IiPFHT477+L8stjp9NVnLluwk330bMptHSTlV
4/a/h4yq5cunT6UenLRh6fSrZhZRZhVow7UdNHiT83pVVZ21crquXbZwsq6TTUWUdpNU3bdqqy4V
ZLPnyrDLRdluu6enTD04OknSbdiq7tlVom772i0v3dN3bZ/CDtJNwuky5JuHT292WZj17dp+3v3Z
o4ScN3pJVZ6VUcvTtZwyq1cLKu3TCqj9b+CPmpP+AFPIHCPSr3nghyhyFqBtICcvKA5wqGsVDsxR
A7VPt4uc1kPZQp+0/0hO7hMmTdZx+i5S3F0i2Y3/2cdFEoxE8UCXRhIUyee0uPbJKAfk5iROQQ/m
/rkcLK1pkIWQPGBmEgREiHXGgBCCEI9CvfDxrYoFRBSHggAyoAFsEFKXKihdR3uALouBEyypwkKa
Z31KXkW/rn66iFsf7xMsb5cSRQtinKYguf0XT/sYf4HfoN3SoLIYnxYX/lNchT3GojDQhOwl7Uk4
Ont0YbJsdzONN7BbfWpWmn55ddtvMZGor9hP2EPxRSqsV7AaAai8zIBIJaoCVICvSrFW4+8Yn9Qg
AR/0jQWkf0ghQjI73j31eAGCd0kpYKooAiQUIqxQUIsEQRgsEEFiyRRIgiCggwZPAkjRFYyIorEE
FixGRioCMWAyG0kZAkoD4AsIBKhWEVVVVVSWAiWSMiUspRYiiWSMBJaWSJUVSKqkWKs/BixQZIAx
YgxBixYsWICRgrGEIEKREJIwZJLMifEX9BBJEDWrwq0VQqrerVQrFMiu//e1lQWCMFFBHTROpzkn
6+xtd5JQOqsX2ojNGRv1f0ISrte0/BAFccF+iIvv+jo+P6Z8NaYe5IfEIfkyBj6rR2ALf32VP/z8
JhVm0hCzgceZTjNjIQ3zUz/L6cUEELckhkQuTP+qFZtt2ENCY6Q0rO34auF6azrB6x6Iht0shhFU
WbcX2arId0CBkzUSywGDT8q8ROX/2M6PSWf+j/ieYxh8YDR/8B+tQphrO71SMlheH8QrA5I3GAQT
IZNd/OP/tZrJHEy9j+7viOwmLepIYkCE4xuXVd5XXFQ8aqmqLVoXj7uvkdwXaSfnTuIrj0tOa+3b
aNprMwDjxDTBpDCJUdrULyGeJ+g5KFiWCxQQmySAsIFQIpFJIMgLCMSQGQFCQVixX+/e8j/95z8n
/o3PNAImXy2aNsfX/gf7gqKwr1N0EGDdZozyEYrISREZAgkN/LphzetYFh1WzbSklCnJ4+Uh6jIe
7oFLixSSIgQSRD2WyAsUFH+VLBQWAvQZCoMZ8j1anZGIxQUARGRUVFRUYMVkRiGIaiQVJJJgn9rf
2dnd5RMDPR7O43dBYWP9E4Clok2JP9ufea0yccXBSPDqjwO+AHaKU/X4RqXwFQFaiTg+yIo/R7vn
+f4v6rol02TJq1KVT9GZlr72AyIkRoVBiqmN1WG6GTYuWMLCCQgIWZmjfzLZNiQiIcWUOnHoE8MK
OzO/oXSQ0otIfINWNwwyiKqsRURR32d5daWfPxx8pPu/I+D9qs5yng6/rMyXgRP/VFCqQ5IGFMa1
BIiKP4Jdp0M688QjPQtx7dQ2akz5JGcY7xSE2g3flxcM4PP1szP691h+r84TTG0OpiQ+tv9Pufyu
Gd3TgFYkgMsGyQA8EI/lqcmXhDy3ZC7L4HcLiveWYGJiMOCTkPRz4XAfD+jh1VD8RiEEx4BATIwH
OB8Qfo2hJ3gf60UUVED+L3qDmZg0HoT0iPm+mXMorl7Ji5dvl32d3Y8TVeL9sgbJhgwBXh6dRyuG
cgAa+SdH1KIbqg99je52Oh5wXcWhvyzbWPPVFfq+CVFw7g31tYnyyjTzk8YSHlGMyTSd4xjN4Qly
XLvwxZeC5CPky8JlwOoMxohgCIBAiEGBBV5jzpzFRUsTBogKV5WAUPSy9Qb3nMxLBvg8tJInoxPa
WgOLEzsB6y3So/D51SmwlaUfLELKh0HjOSj1m61KnDTD1ZU1htLF3I7k2gczNDteADau1Go/ibEd
Gfja7XcyuF6Sb/RuIqPo6dk56PNqu7szvUejjoDK9MGR1S2B1NByRAoOGLANuIwWCEiRgZNnVJIQ
nZKcZaHfOM1ieL5a/MpcHUgVzDqQNCBokHncWlyVcVthcpMR/1Wyo3IQ5IopmodHhbDNWhWRPLiv
sTC69G6vl3/gxuqqqRfq9704elq0vTOx7vLqBsfOfBO4NLwLxoHU0PG8KcqhuLB+JwrY2N4W3+Is
SoHRpByCqA54oPiLbube7szoT+lbC/4IZt4MZmfIGi1dQCY/DgxgJA+SGGDELMjNFiWZXJJVZZAV
DAOzsG9xfE27kLxVZuok3iquA6AkaMAQgEOhC5KiYjEkcxV3JbA1WnYX8xWYbNlHZnf2qMYNF5VJ
HFAMj8YtJ3ZnHp7Q8gOnNGhWXVNWkh61kRinGQMMDEfXb1i/ZxtflEniQ9FAtsa1D5qo5MdjoA5+
/odg7mQBEJBo05zdevQhgmA+VC5LW8O4qlDPDiPabM3REZhmAzNNGk7szj6qhbA4CNwAYf6gLxRq
MlB3J6zCxQ8TuXZ90DjRDbsm2lJKU21pK0qdZ7QcWsXYmy2ttsi1gP+IFFGEVAI2GXKrUv7jgdJQ
vLy/oDoGBYFhYcTYZOgJ+03TJ5om2MiskigP+REDcfyNnb+ffySQkIQIQkZN30ps8WZx37BFMjYR
2sQPsOBMUJooEF2JGjf3ROBOpmGs3uzs7Ds/Zi8rPIldQu++xKwl6bSwvB6gC4LDUXJOv5U7G4R6
2XvZeR7TqzMLMcd3I8YWDbaBzDRslp/zMg1fXDCBgOygn2uMj1gwAjIBEFCMIjAEZBZEUh0CpKAh
AjD7sAqVEAcCxf3Ss0W/Ky7kDR9HThWtG64dLBwdDoALX/r7FSyFRjkvpOJCeKKApIjICrIoQWSK
LBZCEUkVFLjN+lzi5WGUwsjAWt7HIh5vmwnBhMoMPB1BmhT+Hu/3/x2+6OUqfwsRawhXZMzGRFRE
kguOReVH8TA/kH8jIgMGB+r+/WQMzL+pw1cqER/4wbuFX1z3LjjiWJ94yojvu7+D8UEQ7TasNz1e
BEPyemVnTRl7bJMPT9u+XDxTxQ9KtlS5RJhus6MqbJRNRymym5UcsuGqzC0nDVousotU4t0upTLl
N69VWcvbxlwsso8TctmFHa7D9cHows9O1oNVnfdHCrl4km9JNnbh/1Qw8UaMNGWGaOzKmSTjibZs
kkenpN7Ye2x0knePG+9a5WauTpjFlmrphy9nTpc0bLHaTLRJh0uo/yH/Z9NPb4nJo4fFXiLLvibl
o0XWYdO2jt6ZZeKtHpywkwwwmm9Kspst1GzZu0ePx/KREP+j/coUH7kH5Rs8bn29OX0k+Py/LD8G
GrR9vp+D8FV36lDpR+URH+S2X5J+mrBsmy1bN3Dl41bsMvyYfViX3HP4RGOkvHLZs2XJt327SSJk
SQ5YfoN/Ykwz+xz9IkREeP5szMzNHXiZGh+5kDIZLZ4/RuBfUNZbl4eGTEspiAU3dx3Zsh30AUbC
EgsCW2QkH+eJFgdE6al/ez/SkwOtinVNz+HTU0bR8YdjpsevMVVVVVVVVVVVVVVVVVVVVVVVVVdF
qqqqqqqqqqqqqqqqqqq+iSWqqqqqqqqqqqqqqqqr/EeT+EOfdACSP09uHUtHIN0PA6HYgOeIWkSh
j9FoeJWEQ8i8tLDsNS8D5YIcfHkMyoH3qh/MwKmjUTiChecvb+td/N+D/NapssPxYNUySaj8U139
0Qw5fb6P6NWWqi782yrZ27bt1FlGf2Qk2finf0eHBeK1EAfYHx7CQ1DkXYeo5G33oLEGMgdIdH+K
BgN5OJaOfIHvkQQje7xY62OqicqOUggPgfnXL37R18RMzExkEPQvU8K7r3aLlM202oWHnSGqgmR+
wQIMCQQUhFsPNirRcz2hwByLamVW5BNcHY/YLEiQcPNbA9CCKJhRq+XEkRhcYe9AxtCRNg8AziiG
5A7B7VfmeLaKRrTTD5JMr2iAD6DejYRxBaC2gusVeHpRYMxWNUbxp33u6ZM4toG3/B3YhuUBL4/J
sA0Ow6EelL7fmxh4NmsOihP8woBQxQBX+3HsBgrs+0IEZFWQJGAkEIgpBSApELgqCPWxkVSAeyHR
iM5GqL8Z+oyGioIxSMp94YAWRIo5t6jSgyblAS0LCCStf4vMayMJMid1+HDRD6jaFHGxVhBLN+o2
qbgHENZkAu5WE5AZ7jIQoFlgQhFhB9qCh8rnuRRRdo1FFF/b834m8nH1bIjHQ/+P7m+JzzS2nCH6
x/dSwxJNtlkodT3kDnqnEHjQ4TxC9QvN4kLgg/mow8xhef26rvs+n55T+n2Eu78MoHpLrrrqxvvP
iVF5EgXH3mJgYn0FgSOBEtmSLi4/AcuPWXYWSpZY0MHOva0gZYYYZSg/yqLuHbdh/quyTuCuir0p
Vwm5apNFGqjlR33ds7eLpspsKpsvT+7RuvCOx5PCilMP701Fnpy9qPPO3CTZ6Te2zKWqU2zRhJys
0dM4auVPbQ9nZV33uw3cLsvaU5cpLNFnDQoqw0eKsmWixJ0y6YUaKsO1lGjxSiWzRNNw3TWZaMt1
mx2uw2SZcYmlPCzR41SeecsNiRx5o1UpJlNV42eOnabVhds6UePHKqzMKWSu880cJOFa6OXZ2ijd
hq4KVjpyo22upeyTJ/fwu/uPFlF27xom1cuXPNGEl3p49PH9v47fjq6avp48fbChyw9KlZv6oXRJ
azMuKjcYFpWlUGoW09grCILfcN9vib03dFHLx+DLtVVd7fFXD6dKvP1cmz6ZfnEQh1z7fqTpu8fH
LVhc6Jvar4kskuu0Omhqo1WUXVVe2zZhR69ehww2bPb7iL3cp9PFXibKkWePHjd40ZfGp9NlFGzV
s5f2ywy0bvi0SdJxH9UJO/Gicjlwy5VXapruSTt7aulHjfpN/V/iI/NFgHEJNnfTMrwhkQ9RW84X
0GAR8jgnMrlVtu9JT6dQecUMb2SZ6LlJ2nELgGM16zsqBReBUSgbO/4nKdOeYiKoXQRColVJAFkI
kCRVTRnplPFmDivNty8h3AhQRKELCCJwEBIQBCnyPyKLcj0HSQzHN4dVkv6383xNh+D4/m7VYUWZ
WP7H9hO7RlTRlJ+qbbq30uy3astV3DlNuk1UatXKSbZywk4cKo/wtMJXdH9jd0k2evXpuemXLRwm
m/jy9KrtG7LffZsum3TcPbp7aJOVD+PZ00WdMLNHPNW7hdqm5SZbOV1npxw44m6bP5qGxVy1Yx9N
Wrtd2SVdl26bpX1JdKfjKazxqk0ZMMLsMtkk3Jok+QgaqG6SzhR8ek+Uoy0el2E12E2zhhRw2ZUb
OVGrDt2YTXf1bqN2rhqmwYZdLsv3obfPnDVlqlEmpw5dLPbpV2uk9NX4wft/N+aFIOT8HSRuy7dK
oFpMqDxWgGh8hjG0zKzebzaWhaj2MJOvIBxekCAhLyZC1EUw2wzIDHA0Im04F50oNE2c4lRQrNRz
L9TJvM3G4qMDyQgNoyQCv/oomgiGjh7fsX1fCjxd+JRJo+1n2+KrLTeKnGZ1D8mSAyCbT+oUvy5T
80K1xNRmLjL6SSePHj/Assy1XPH8G0II5j9ykVrQWdK1y5VatVWyrh7VVXVZZbwhvEgS2TatHx4o
y4ZcqtY/vSq1N36fplstDkkY/uE/uVJQrCDdJHf8ES7OVXj21fg+nxkYyLiZaOTPfqKis167j50Q
kdxuPFQS8QYYIn1JnPHgkpAkTiEamZwPJqm/gIhoArIkj6Qt0FhBhagcgUSipcLSUh8q4v6ih0Hi
LnHKq5IWXtvH7CiS7B80hti6ApBu+Z7/dJjcwMEr7ZJTFYgm9pFJFJBLNGCIiA9pQoDZPIUhIvEh
NzWIVaII1GLAFgwgiCRiRixJGDFgwCIDj70CEoAEKe0qA7q8d9eeHSeogSSSN14obYiGMEGiKiQA
9obMx9yINUKA8a+tEW0wBNm0EsQBXLYAYJkf5Mqz7TLIsYcYkDbDnA8NH2yclGBA8maUIBzh/cpI
IVAtoFIccFkyT/eGzYw39z8VKBn0kPnOvSGvgHrPo+YR5yEqm1ZZffcMgO0LkAJIjx9AcU+brv+f
Mu3dmT7Fs6SI5FIiM/WWGkNW2LB0Blo5GJaSlKKL9rTTKVOrbsZJRuqjrAplksE7ksYaoHcMMFFF
T7F/H8OPxdv1/lZPQikDlgTuwpN+6ldAbTvybWqd/9KbmGhFhCiVUES+w6nY/Yeo/M8RMPM3Nj+M
TxXfF4J/hdP2ut9T+uNu783pVo3ZVNGGz827ds0TdOFjZskw/wPtsyqk8cquk04huu5WdGyarlhd
21XWdxZLdyyxGjLpssSfz/fNypTVo2XZfUIRG7d7Lm7xokcquXbKazdNVwsyuoo2WeLNkybl/FJw
ow3w3T9pParhJNuZaNHSxdw5YaGrhdd+0i/dGidOk3DVdlo6dOXj84giGjL6+pSyoquWtKVFXL+7
CPbhjGW7Zy6O2HRZ+qAR4+MQeknLdJu+ntzKU2z6fG7160aqUm2cPT3ER6TasunDRl5F2+9Kqu3t
h/LZZwwm9OVnKiayrZyYavT0cNiwQVOQoggxGbVpTXCEGQnGFN90k+vrdLxy9JLunfaX09HT7TfT
LZdzxZkO4PFMMehN9QkO0BaHY5HAgdC84ExMTJExiBMmTDQC3hv2G8165SkdkGh0ORvJkyBvD8U0
35Oms2X5m7dJ01OFU0n5rKrtnCrhVNldlZ7dNWxqmw+z+rJ4qso4aOEjtddu3btH7Ca6STtVswcK
JxeSIVYTsFETIw6KJIDFxDOagymchrLSh9qWRA3bsjI1G0oXmgxWYEjFBIKGs0PNeTJp9pT4zc9/
cRO48/PA5P/ofSb7ffwqqqrqKXoaoQPCSMCEgSXnSFonfLvGUDaqB3KpiFze7E1wPj6hDrQ3HdyN
x2DuDqFCRA8iRUSIh4DneWHUrEkGxAj5lEBQ3gH0iBIy6nMVhnMPE6g5T5sSILzO5A/ulE2m9U+v
z++wqQzogxcQzhyh58op/IDEoNpiS8pS/QV7yxu/5yPaAjmUEfICrUN3oNWGiRrVZ+soHmDl17yU
9MoZZqrN8URPWwk6MhYfxUzYWp77sOIbuYC7XUE4xqYzwo98cB7J6/vWNBTDU5cwNW9UnJwhIi7z
ReWMIBFpNUPeWSqjgOicrGkPjGKhUYL3sw54tnAIxVhnYccHNiQSIMs6hzdhGJkQiQqhNhmi9LMa
SajwkiVz0Nptw8+3KHovq2R0ZGmog0Ja4kW3PvkaMivSyGcCuHG6O8n9AXA7K36wSDBZHwle0fTU
CNGTHBg5LkuYopZZsgISJFBCxYYYoMMUCJIdBIBsOLlyZh0OOOOQHIBMTqGAGFSQCPWbS89pvLzI
2kDebyBtPWROA5QmcRiwvLDsHt9nvxHdzuI4DlQ1tsYZ236mz+7d3cHw8rOFt+yHO8xNZM1GszIF
pekmwu2Weyyaaar9qTRR9/eyyS7Rumk1UUcPtqs3bmjl+pR6auuuX9Z+Td21btm1eVFnpXp0sy1V
VZZenpRosyYcrruKJR6UbP4oyo4YT9qOGiztRw7bumTIcsKED112ucWyZG5h207+6ARfOBzaJ0fl
o72SgN+TsjFx0zDzIcom+u9kswDJHm3DupYoD6inwYD3N7G7FgRbKJ9OGCmST949MoHwN5O41XfT
FvN5V1QzzpMitb3v6a65daquRidRZjFRaRKiAMTOj9btVZJUs0TWZXYfE0k2GiXc2EoaSJSfo1dN
GrVs4fkykkmyy0fms1YwwsaJGzZJRJyuTbKNHCb937uX4qk2zjtN226aE+TlJw2SSarJtmqbDQ5X
XUelXjhRo1eOCeuEtm6jo5atFnDpRQwu4SVUdG7lJo6dMlf2n5kn7fzU/YfriHuEBLRBTlVuACK9
nSvDhlAkGyrQ9kWAKeLCSVJAWERIxgLJBFFQZOVRFVN9ghuH2FhQZCfVDrEUVGENFoi7JAIkIAUC
GxBgTfYDvwOT8VH5vtN+Syij8nxZgwk0WbpPj+goSGLEGBIAbS4ynIXlibXSbyAK1Qr+zZLh00eo
h+t7el3T2w6Mv2KKsNE3xdUss3WWVYVUekRJw3bJMtXCq5RumOEiJYOVmBMwMDA5kyw5gtiEgS9O
nwG2MMMmJKqDIGieGHLqSugenUpQbo65Ew9EXjUxFiZBxRYz7dtZVaZPN6VEHCKYseDjAxCGbnGV
zsXqUKDFFuZaElPr6VJ3IjAijFVS5G45nEYgdDsZnMoMFCJmXl6xQIFk3iEqvtJJM1fqO35/gjoy
q/xq3fF3t8m/c7zQgbcDaen01lgby43jqh4kRiZ4mR1AoOftIEzmupitiEJb+AfsEyWQRANpWahy
8xNhtImsiOXk2MOqAuNhacDkOGP7RMwwyYkejRXIOKaqXoF4dIgTgEooNxzHcdoWuAajztona2vW
GIn7ANCvOmUKDTWhlxPVQadx4A/o0auYzIArDed5eFtIRlKNDdYea8tiefUPW6PfRX5nxYpvBU/h
6SaURdZx6AvNG3QG30l7OnyZYASRhLEWJvACCQK1KGRAchaGRFNIapVVRr6ORyBw2m+tVCgVQYKC
iQSHj8gXJGHZCwEGJBBkEQgKCMYKKggCSGuCnPOAbxzFoECGbqkSXYqlTyU1WbEVwK5lh7TR1O5G
1WUQoIlLR4ccGFEsPDWPW9e6SbjlRGIqKBoiEpAYSTj9G5LZFyy6STeI4D9ddJIrc8kRGp9lpuDM
H4UsqH7d50XwIDpFf0MxGEWBUsCIkmAuL+EyK5SGZoWqMGq5RNxZXAqhP7QrN8q3xpdtZPfRlhWV
pxPedmE4DJe35mYirKGQSBIQJBTOKwDpFMzFB4yICoyKxIUZP8bJZibSRMnJDrEYIKRIUKFlDIj0
J24E+pU9kw90sIRqqJ7h8UGbRyS8zjzEIwgBAKeQIKloKcR0WgdORt5oKgGcbmHAMC1A4gTKifP3
Npgd1DfAES3v+h9LFbhfD7TAurXOGj+Y0NO1X3BXrRTyBF7GSgBPwJIlT1+73ufVv8+tW25dx09J
QX2n2FhYOajEcuFeRMTzBj7TVZJN8fj/p/why9K16enf04rPj1rHCb08dOWF2jBu7WaN100l03lP
9NhPd0km3TdHDpomZXYcvPNnTpJw1YiItPZsnTk4ZNGSbhZq1TPHKTZu7WTduWHibDL/G5YXYcsJ
uDY2ctnbVh0os0Zdv5IiDKar++JvGr03ZNm7589PTRJqkkmy9MrsY2cvaa7DDTSzR2ywo3bOl1Vl
Xt25b7/b/SiI0ul4y6cNm70oo6dqvSqSjxo+nD22ZWZevWVnbd2m2Tatll3SrdRl07ccWaPaTVvR
Ltlq6bpqKKLcOTo6dtUmGE3LlRrHw+KMOUm6bZNyk7SVKGcuKmJaWl5tN5AFamU6w61mlAiff3ij
l+kH2+307culX4/jqTnZo+GVz6YSMrvS70rH0qtJLSOkuX5Q662faT8WqijlNJl/iafcpXaHJJwk
9OW7dS7+196v1tGHT4+m6r8I4iHDhZ9rvnr7Ubsvabdy1dJoIhhdd+/dd8XXSffbaBL3H6+X4vaz
Cjd792aLtmy99CrDt48QRDxLP6NkM/paA0mp0IBcX7D7CAlBfK+RQEsFRPJskoWj+BQ7UPl1Lm9p
b6PqCIagh40LgLU7u6ghnGKvm06p6i/rVE4erIu2ZaAfh3Hb2v4wwPH3K5Q5SYFonsADg9PEfdEQ
PKKh3nOcqWRANZECyySSSmqz0AVbkasAtu2gPcC5jaXXegQMEKvNzZnpBBO0PghdeHmy8uywkBkF
XHVvZ5CSilIHEAJ7BcCJELBECRce7bVIAnOicD0hgOnKnkCFvIUvUDsPSecOgO2o72X4xC8wFTbO
ImtEajGQx9e1AUEtB7EukK/kryIbwHIOdQfahy9VD1qpBUhQVitCECWiyR+ukwyngUJgEkzZi1AL
YIugd8v+tBNmlDQreGAyJEkgAQRJg0RYoCm/nLCkRYVnphIdly+cJVdL0og3+otA+skCQkkkJHKQ
aRjGgpeazOQh5vaVC48ZQPWF4ZD9SRkFgIgyQRgBEIJIChBRRYikIsBGIsBCJGCQkEEkFkEk3O4L
88Aw2HJ4wo52P95oITydHhaML5UIUGeYALQ+4Nx7RMXvy4FcNEcYwkIh5A2978fDxFwociGWgGaB
ikppOE9Nnrj6TYMju+LOaWKEW+w718QiRHB3cC1JCJ2Bj5GkPGh5B9Y4IftXmARHAPZrDj3NmTkQ
4E8QeZe095lUyYe8yh8im9aj07FANXQQpApCylDb4YfOybwNw0GYHAfL7nc5EYIIgEWJbAKBSgPp
ct6vN7T10wyzDL6xT3ECSRa0A8CAK+HaIKm01gGPP8ShgSENBxX/AHQYrsyCN20kbYlIb4rOVTwP
5eyUaQTQFbE7H8ULHGxQUygYQMoJZcEN9EDMKc8e3ATm8bOgzXAeUd1CodJjfJCWIgAeVZ/kAixb
bSHqQNfqIRhF+wlFDOBFdh06dzR9SFB8UTGIcXSNUTvIAExxQI/u5AhCKFQ6Zu8QAqgv8vuyNgf4
jvOyYZnLyFiN1hFRasvkTjPmUjIaKmUYh0n6hiBFSLUf8IGGd0SBtuC9dNoeNo28RKTy95RUlxcF
TkM9AcoYafmriragegF4i1DcrEEiADFWCrECzgN47TE3GcKlhYWFh8FYFmouOI8YdpQCLDkFeMzw
IEZsolAkWJ34nUIGZ0zIKgF/UWKdBBSSRFkkBSACgsRBQkiMkRkgRgMkirBHd1q0VZFDodDxgWHh
HrnS4MitQ9+QMJ+oPJ7fgpvh7bgwMvGKCVJls4xJ69vnKwrWpeXoFTMfVS8Oc30OZDuamIV5IN4k
IOvUmBYQPs+ISwRwPu7gF8BG8RhUUQ5yG7ONULEOAiWRk8CKus55r6q1pWlJL7R6BByiQ8RpCzKa
ii5mLGZDjtFxhLBTOffYrZYnAdIHLCcBxdWZe0QBy4BIfVdbv1EQHAhsMDxAc4Aq3Oy4A7OvcC0S
OncYcD3IPQTWs5EHSucb6IIgM0jR3aURjfQZCGkrSlgs0IigshFhQZAIgliXultt2sRKYJY2yAoS
VIrbBKUkgQ2CfWHmQ2EhJPFAA6Oru5DEOrszOhZiEXQMTEGCtQYrWkoJYNlBCJGMfKIc4hzG243g
N4L0XOJluoqbyNgBkLS5KPUVGwhBa97FQStDJMpLEb4wigJnd+BRQEyPRmTMKi/MMQovfYGQDIuQ
xoWDfwv2VoXB9DRdpPnw2ANQPD8RE9f3qqlMtlVWyqqyBIyBJRCUmgTEd2OAH3xEutctOXu276WG
+ZAM3ONk1RUjC2CKUggVgCyAEgfSKV9dFLIqrbBsItc4TT2zihAk35zA1RoKixCsOKcxExLKWlAC
icSmQku81dtiWhitoqOnYO2i/Ho0b2RUlYFYcRxMiyRCp6nOPKqJVEyac4LxFIP6fFQXa3yRPsrg
rYBrCIqJaQA+neeAAb+Y9YdymU5mcN4cecwttuhSUW2QipWBYYG0Yn9SQpWrBorTzhcUCqrCKCj6
NzYtS4NYdJtQOzqPMHm9XmEHWp2vnuB0g7h20desDq65QVOtPN5LbZJLA9XxpSU71WtUBkiCSZ+y
4nUhQ+s7p9p3zXs+aoUTaiUlRRiHu+NsgSGEVSH80AJJShvC5EFa6lfirarhcmYCBVUr6zrCmQLS
pmIQu85PcrfYJy0RPBD1B/K4xMU4aUdckkDu3B44lqtoUKjjwiCnd3l2tLQjQ/oPyz9djjuQOA+C
onciDwYDvBtN7UKhm9J4/19nkUfRB3Asj4G7jtOVItvlByDAmeMCDjOMOQC7F0aww0OWzfakDG7D
M2uhNazBFw2LCaE1EGlBjqZrW+QNnjZ2ErCAP8hb8hz0hOjBnACFQNZW2yoglKW2tSiFaIiSm4QB
kjN/jBkNYnzHeMxdiG+iDxuY4twZVbEQM4opaixRmv89YFSi0QsFXKGYtrQAgeRyFSENwgpgTrC4
vETlD2h8NaGozrkTXkxsSLYzLKqx6bUVEljnlFsbRGMBJCUbVBTpGK1+A0CjvhFKQEhe3wKnBYNS
EZbw+3ZK1tV2m4S8oHpiek3x9BTzy90B5mIi3g7TrPUmcQM/OwQpEWRCRA3jIQEqVEIPmOmgcqt3
GNzISwPdVMwYPEFSsQ7iUW5O1YgNHUlOB4HAPIhyFwFsAOyVgSHMYXoag+iIGczE1+0Bu8NzaEhk
/RCzRMmgVBRRGEGIqEkkmGpLCEhTEUL74DMAwI7YiNeU1jzlgXAxFIltDzsZIQAFvs0lamg919yK
cR3A0OM7igLkITsjcGVfl1Ii1wXZ25jxgPbFKxD06KBWFhKjEOmUki0aSCA9MkhYYIi5A8pQ5PGi
D0hDQfrHSvRyodhSLQ5QoIawS3jEDMCdVAzgV6sgtzX6MF6Rw9IpEzZLIRYsLhASXUPUbTuD8kXY
2CUh8GqcSJSQl+P8X8n+osa8JeJgtiAKw3w3BCDCABAyhZiQA/cxVnw9b7LCrCH6mWMRkQWfnZWD
IWQVELeBgUCzEOlXAW1YEQvOJ6ychyHMN4BwioCQRGJ8NFAJgwIpJM59Q4Q5T7Kc4Nv77CSnWECv
BoQr2EPhqnPT7Xgr7wHzF/QFhLo1IkJGlCUlCRkpUjEO0YUJsSLRQBgeQzm9eHGk/Kl9gxDiA8Zm
v6OwDEqq5q8LuDhWDAgFtEjiqgBtC5sdFLtSvfA6GL/A091omhEyJASwO1/MSMIkQCCH8FbEAV1h
dPko+ZXKhEAV0hxEIQxya5UNI5ZpNRQgXhLkN8E7woi/An68vQoQ8KUJQ4ihU55tPie3037nH4AS
GSzCEKGIFpAlqshI0AoQ9xap2hnFDFDBW0IcqnG6QG4cyhmChS4DrIQIsiAUWJjoI7rLg01QBOM+
av4K+RAB8ZaPIE7jeMRBTWi75BA3gfqSl/zfu0TEN91QAyUqbwgGCbQTmx6TTlDgAoaw/AFsKoZg
mEe80FqoelT3ZgsNB/PK6ypCDTfbtB9ImgO4OpXt2iajJ8UnEr0CsV0gVYFv7S8MwVNxDEKDflSB
aKITfQ+oeB9O2wHnAfIJmwQKnAHjDdo3Dq5fUXB9UDQJiOYD7zA7hO/nVOiDogJ5oi6t4stQxVxC
wTjxDWbDgE3leH6HCPaGY94mdBA7g7hJERaIZ29856zjOc68SqNWBT3xDFJ8QzQRwsoUEQQYk89G
tEy00rGIltTaldDfVXQ3MKK/PTxPxoaIybMiwiMFgpFhEn7YOYQKPqqP6CKiPxTQ/DU+z9+TGyNU
AUVBaFKIsiIKQlBApBE3ippSxQBsOr2q+i0hF4DhsVqXBERJvEH8+tUTkRXjUAsCIcQcaVDQIJ6B
MEdtTIZtcuYC6BHnYyTCWwPAzBb+o5iMKYAZIVPV5Zb89aIu8AV9eYD21OeRjmQBXUvFsQBIRAFs
OkI/jPn2ft/n8OBP3HB4EZmg4znSm/5lhpOrCjuc5kiA/2rjw6HY0lDId4myba7EQnrHwgeJwppL
OXqZGhjnKcerYLGsAhD+VM8kkaky/crvK1UBOVWCpUA9gqG3NkLekHYu3iEc0HzIG+ILx41UCruQ
vyrFuCZ6TYE4C6FrmYQ/tiSEYcpAoj4UAtVc11VSkJCMSCeUgplqh35qzp1WWZ1htuBXaC3FCMGR
Dv7pzAP6pJ9ZCe9D5ig0Sg0Sg0qUpCAyQCxKDYlkQolkQolBolBolBolBolkIIEKJYAJJKCWCUSk
Q46f6j0DEpgwCBnT6mJGG30G02sKwP0IRiRYPfJCrLgIhGSDKCvvW6wEahAlor1lRQyIfAxV6EQP
SU1Ch7Kplch6CHWiDelgBpaEkhQAVYJFepD2JkL9J1/nT6Et1sKwPQ8UwlcxqhI3D2WzZWMojZsx
dV3xm7os/S8/A8y/QMIcLbY9l2agJUKlBEWHDC6YE4WpebUSA6hR7LvuORiUU64f9cZTYbfFjHWm
9pTJ4ieRUbOgPEqByDHE/e034wRMqKeWMdHJ3AJDwdLPA+71ee4et808RlzRq466HY8u0w8VcwRD
DWishF9XqzBE0bBvTMP2ht64H2eoCOH3i5BhnaHUO8KAlqs0N2NTyAMhJO4AyBo/DibGMsl6FAuu
ThSoroWyhU2ihfU3TLEfY+ayrJtB7lSlP8uxxSlVpk70TpMuaQLo8nKFgV4W9yQwi3ghpfKxDEl5
hcCIynrqiYDRVpRLiSSgB9zA1iyYwlLx7FROGtgXCCmKApd5s6USQlEAf5MY1K4egkgD6ZUEAhx+
5ASwAFX5icAip9QaoUWAe3w4OA8DYkRg/L3fD4+73TZlPYbq8UTkn8sTGpkHNAol5qUp7GMZNdG4
/eBoMyIsBCx0xwpQ/jPxN+kdJTmOA0Ju0oRAjJJIO8RFaIHQAKuvKZd7t4+D6gOp9Yde7uwLoYjK
xtiwI0hQrCSIsZRklFGFwELhZTHJaZkoFAZArBEBjEaMlWYWBRJRCSxGIoRZFEYDAWAIIkVkREFQ
QUYIjBYEihIxiDIshEcLRYhSlYYBYlkoEi1fY0CPuy1QLEpr9ZTRKRZI7/U12e4MDqmeKppu4hAH
NlqFHwMxDYG2D37TFMDXTYxNGmg5zfj64VHS6qpuQBX05RxOsLOQDlNEPQT55GhCCbmMkrRENcBE
ycIUdxEBQPq63llYVfPfDKnRMnKbjymkPOccBz5j4VRhBxA/iBERPgryURV4xVzgnCAg9+awsZ+b
OidexuJcnSENjg6s3NoWeg3MBhSdKjCNcDA3bSJAvIpM1kS6KySRlCASXQBgRIxFyEMSPEQXJZ5a
oZq0OiGaCK2EiNHQU/2fd8evnB3hGICmaJwToRWgCSeikKzsXYwzGnlpuUKUw0YYCGQhIzDCyBKw
BZRCFSiSlChPL5Hu0KicpQ9iFUQen8QAxVEu9W0UMDhNSnGpoQNUBbIfBWititQOQVhazEiUYWRI
WsoHmSwE6EwmHpllkASBUQEoAQQEuFVbb7SxIZwuE+mQ4C6CGQT84kFkQEn6gtRGIcM6r1E5SKjm
XidpiJY6ot0AoESRANhD3CAeEkQDSTyEROyQ9AYlk1AwIgp1avX00ea4IHErjUMwAWGDpvfG+Ekk
D1ZAbAQE41aXIXuvUV42RjBCwgIxRRYjISLJAOCEO8pYMAlXuVPv/tmYkEkQXE4naeKo9GNokhe0
KIDgIN+YCCuKCW2wtlDMlBrLytBiwSKRVpCEEpPEJ4uT3ZBdIZQ+aB8XeEA7g75wk/BCpSyyQRPJ
hVjFDUCOoGNsT4NWDVGqYwyY6g9EIBd4MEbVYgCsFeYeBXWURQ13LzXBm1w5bTEhEGEZBGEFPeiL
EKBZLiK0AsEZPxoOB7T4vvE8dU1pszTCkgPBJPV1+MGqAD5sitg/0EGKNwjhAuyD16pignAptCje
Q7DW5cO8uVu4x0tVZ6CgRhYBDNhwQnYGgB1qiYh8ioZEO1T6bg2q8yjugFpsH9QZCx6982+b7+0v
A2oqJAxPXxaLH9EEDIepDiHj55x+Ow8w6RcAQDKiBQaIfeUfYdXUGCfvyHD95yherxuSHSTfL0zR
/jK6zIud2mwNFq8zHIXIGQr3twoQDmDzgl+gOy3AVDEsTjAiAK9B4l15yod3vlagakCNp+n6Sg0U
ix94zIY2MfJlB4QFI7G0c9gLmDwG09V9ttHfAFXf0UDmJBgLTQP0YSMQSMgRBSAhJESJIkigqJ7F
feKIe4FENdXEsIAGswVg8YwPKucVCFiHTqbTmOhD1KZhBpjkQBXIn1dRwvnDr1ljfCEd+iHpd6RF
JS/QB5A8zQF4+e25+kxI/LVIKdkcmYVAPWA/QUQxN9wOC1gLngBalgxiXXsBFhnd3ZlUOG+dK+Q8
xoM4eIUQ5fcegUQ3+CJBhJCEDIJw3Kb/yV9RTsUyq5cHhOlNyeI6D3rVDIW/qDV7zwmewW24gkde
jiISHFWVG8ALg6FwMjySGJKit9gIzDEX1HAOSpTLcgv6oHDUCUEHcZ8QOqQRBGKRogN4Ja+VhsPE
Bd1AREsXMmiKAZBzWIZHBIiF0wyLn3mJUgbyIPWhZYFrTqVE6gqlgqF4qGBvhn+1wv2GCgpBIBIF
yugdAJ2KZEHEVDaGg4XXIE3yIa9pjWeBQ56XWV99QBMbRJOVGqypqyjzZwpb7WUggKodzZMhCKRA
FblSkS6qsMTlQ3grCoagRqp3BaaOoUQ6NQYiGbMaIVCiu+7EDC6VolL3+CVSpQHYHxDJYZRlx4hp
kCxXYhFBYbJhcHcDmm83m8FE3TZq+IeRggyPGo3GoO1C3b5sah1iag8E+rio8ZtAeJH+IQgmEwAM
KJgBLRBA61pbPUbpBusBz1gtZyJIHn9Hf7uunM1rz+ltlLtvhlz44QkcEREhLCUjQlpDKhFPAxIP
QHbrMbENOxd43sagBEQEI4AmXSKXovOyPMt0Np8BJA5uORXiDOJ2DbiaEQM4DvgBtFEOQB7LDELh
UKGCvlOdYIQWR/Wv+tP92Ppt/ziUn9FqTSRPy1mjlIk7s3/vbf/xdyRThQkDRPa1QA==

