[pve-devel] [PATCH kronosnet] bump version to 1.10-pve1
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Jun 19 14:36:51 CEST 2019
note: 1.9 and 1.10 have been cherry-picked as patches from upstream
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
the workaround with +really is needed to easily satisfy the make targets
note: new build-depends!
...elog.patch => 0001-update-changelog.patch} | 14 +-
Makefile | 7 +-
patches/0001-cherry-pick-crypto-patches.patch | 148 -
patches/0002-cherry-pick-1.9-as-patches.patch | 776 +
.../0003-cherry-pick-1.10-as-patches.patch | 14716 ++++++++++++++++
...004-add-libzstd-dev-to-build-depends.patch | 25 +
...005-add-new-symbols-for-libknet-1.10.patch | 43 +
patches/series | 7 +-
...ronosnet_1.10-0+really1.8-2.debian.tar.xz} | Bin
...orig.tar.xz => kronosnet_1.10.orig.tar.xz} | Bin
10 files changed, 15579 insertions(+), 157 deletions(-)
rename patches/{0002-update-changelog.patch => 0001-update-changelog.patch} (75%)
delete mode 100644 patches/0001-cherry-pick-crypto-patches.patch
create mode 100644 patches/0002-cherry-pick-1.9-as-patches.patch
create mode 100644 patches/0003-cherry-pick-1.10-as-patches.patch
create mode 100644 patches/0004-add-libzstd-dev-to-build-depends.patch
create mode 100644 patches/0005-add-new-symbols-for-libknet-1.10.patch
rename upstream/{kronosnet_1.8-2.debian.tar.xz => kronosnet_1.10-0+really1.8-2.debian.tar.xz} (100%)
rename upstream/{kronosnet_1.8.orig.tar.xz => kronosnet_1.10.orig.tar.xz} (100%)
diff --git a/patches/0002-update-changelog.patch b/patches/0001-update-changelog.patch
similarity index 75%
rename from patches/0002-update-changelog.patch
rename to patches/0001-update-changelog.patch
index f07e185..db5859f 100644
--- a/patches/0002-update-changelog.patch
+++ b/patches/0001-update-changelog.patch
@@ -8,14 +8,20 @@ Content-Transfer-Encoding: 8bit
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
- debian/changelog | 8 ++++++++
- 1 file changed, 8 insertions(+)
+ debian/changelog | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
diff --git a/debian/changelog b/debian/changelog
-index 63d5a6d..b89a2b3 100644
+index 63d5a6d..81ef900 100644
--- a/debian/changelog
+++ b/debian/changelog
-@@ -1,3 +1,11 @@
+@@ -1,3 +1,17 @@
++kronosnet (1.10-pve1) pve; urgency=medium
++
++ * update to 1.10
++
++ -- Proxmox Support Team <support at proxmox.com> Wed, 19 Jun 2019 09:32:21 +0200
++
+kronosnet (1.8-pve1) pve; urgency=medium
+
+ * introduce kronosnet for PVE 6.x
diff --git a/Makefile b/Makefile
index c391642..4328b88 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-VERSION=1.8
-DEBRELEASE=2
+VERSION=1.10
+DEBRELEASE=0+really1.8-2
PVERELEASE=pve1
BUILDDIR=kronosnet-${VERSION}
@@ -24,8 +24,9 @@ all: ${DEBS}
${BUILDDIR}: upstream/${SRCARCHIVE} upstream/${DEBARCHIVE} patches/*
rm -rf ${BUILDDIR}
+ mkdir ${BUILDDIR}
ln -sf upstream/${SRCARCHIVE} ${SRCARCHIVE}
- tar -xf upstream/${SRCARCHIVE}
+ tar -x -C ${BUILDDIR} --strip-components=1 -f upstream/${SRCARCHIVE}
tar -C ${BUILDDIR} -xf upstream/${DEBARCHIVE}
cd ${BUILDDIR}; ln -s ../patches patches
cd ${BUILDDIR}; quilt push -a
diff --git a/patches/0001-cherry-pick-crypto-patches.patch b/patches/0001-cherry-pick-crypto-patches.patch
deleted file mode 100644
index eb279eb..0000000
--- a/patches/0001-cherry-pick-crypto-patches.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
-Date: Wed, 22 May 2019 14:11:59 +0200
-Subject: [PATCH kronosnet] cherry-pick crypto patches
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-for compatibility with Corosync 2.x key files
-
-Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
----
- .../crypto-remove-libnss-3des-support.patch | 74 +++++++++++++++++++
- ...e-minimum-crypto-key-size-to-1024bit.patch | 35 +++++++++
- debian/patches/series | 2 +
- 3 files changed, 111 insertions(+)
- create mode 100644 debian/patches/crypto-remove-libnss-3des-support.patch
- create mode 100644 debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-
-diff --git a/debian/patches/crypto-remove-libnss-3des-support.patch b/debian/patches/crypto-remove-libnss-3des-support.patch
-new file mode 100644
-index 0000000..c8d1123
---- /dev/null
-+++ b/debian/patches/crypto-remove-libnss-3des-support.patch
-@@ -0,0 +1,74 @@
-+From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
-+Date: Thu, 11 Apr 2019 13:36:56 +0200
-+Subject: [crypto] remove libnss 3des support
-+
-+Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
-+(cherry picked from commit acb5adb7f3ea6eaaf858d86e064a9b3fe477ea11)
-+---
-+ libknet/libknet.h | 2 +-
-+ libknet/crypto_nss.c | 14 ++++----------
-+ 2 files changed, 5 insertions(+), 11 deletions(-)
-+
-+diff --git a/libknet/libknet.h b/libknet/libknet.h
-+index 0331b1f..d0c90e4 100644
-+--- a/libknet/libknet.h
-++++ b/libknet/libknet.h
-+@@ -617,7 +617,7 @@ struct knet_handle_crypto_cfg {
-+ * It can be set to "none" to disable
-+ * encryption.
-+ * Currently supported by "nss" model:
-+- * "3des", "aes128", "aes192" and "aes256".
-++ * "aes128", "aes192" and "aes256".
-+ * "openssl" model supports more modes and it strictly
-+ * depends on the openssl build. See: EVP_get_cipherbyname
-+ * openssl API call for details.
-+diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
-+index 35afa0f..a17ff62 100644
-+--- a/libknet/crypto_nss.c
-++++ b/libknet/crypto_nss.c
-+@@ -64,32 +64,28 @@ enum nsscrypto_crypt_t {
-+ CRYPTO_CIPHER_TYPE_NONE = 0,
-+ CRYPTO_CIPHER_TYPE_AES256 = 1,
-+ CRYPTO_CIPHER_TYPE_AES192 = 2,
-+- CRYPTO_CIPHER_TYPE_AES128 = 3,
-+- CRYPTO_CIPHER_TYPE_3DES = 4
-++ CRYPTO_CIPHER_TYPE_AES128 = 3
-+ };
-+
-+ CK_MECHANISM_TYPE cipher_to_nss[] = {
-+ 0, /* CRYPTO_CIPHER_TYPE_NONE */
-+ CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES256 */
-+ CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES192 */
-+- CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES128 */
-+- CKM_DES3_CBC_PAD /* CRYPTO_CIPHER_TYPE_3DES */
-++ CKM_AES_CBC_PAD /* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+
-+ size_t nsscipher_key_len[] = {
-+ 0, /* CRYPTO_CIPHER_TYPE_NONE */
-+ AES_256_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES256 */
-+ AES_192_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES192 */
-+- AES_128_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES128 */
-+- 24 /* CRYPTO_CIPHER_TYPE_3DES */
-++ AES_128_KEY_LENGTH /* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+
-+ size_t nsscypher_block_len[] = {
-+ 0, /* CRYPTO_CIPHER_TYPE_NONE */
-+ AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES256 */
-+ AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES192 */
-+- AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES128 */
-+- 0 /* CRYPTO_CIPHER_TYPE_3DES */
-++ AES_BLOCK_SIZE /* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+
-+ /*
-+@@ -155,8 +151,6 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
-+ return CRYPTO_CIPHER_TYPE_AES192;
-+ } else if (strcmp(crypto_cipher_type, "aes128") == 0) {
-+ return CRYPTO_CIPHER_TYPE_AES128;
-+- } else if (strcmp(crypto_cipher_type, "3des") == 0) {
-+- return CRYPTO_CIPHER_TYPE_3DES;
-+ }
-+ return -1;
-+ }
-diff --git a/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-new file mode 100644
-index 0000000..065a53b
---- /dev/null
-+++ b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-@@ -0,0 +1,35 @@
-+From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
-+Date: Wed, 3 Apr 2019 14:28:50 +0200
-+Subject: reduce minimum crypto key size to 1024bit
-+MIME-Version: 1.0
-+Content-Type: text/plain; charset="utf-8"
-+Content-Transfer-Encoding: 8bit
-+
-+Since the key is used for AES/3DES and HMAC operations only, this is
-+safe. AES/3DES use keys in the 128- to 256-bit range, HMAC with
-+MD5/SHA1/SHA2 should use keys with a minimum of 128- to 512-bit (in both
-+cases, depending on the actual algorithm used).
-+
-+This reduction also keeps knet compatible with existing Corosync 2.x
-+keyfiles, which are 1024-bit.
-+
-+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
-+(cherry picked from commit 4e648f76930af8c376a833677d940b2b0efc3c86)
-+---
-+ libknet/libknet.h | 3 +--
-+ 1 file changed, 1 insertion(+), 2 deletions(-)
-+
-+diff --git a/libknet/libknet.h b/libknet/libknet.h
-+index 36fefa5..0331b1f 100644
-+--- a/libknet/libknet.h
-++++ b/libknet/libknet.h
-+@@ -587,8 +587,7 @@ int knet_handle_pmtud_get(knet_handle_t knet_h,
-+ unsigned int *data_mtu);
-+
-+
-+-
-+-#define KNET_MIN_KEY_LEN 256
-++#define KNET_MIN_KEY_LEN 128
-+ #define KNET_MAX_KEY_LEN 4096
-+
-+ struct knet_handle_crypto_cfg {
-diff --git a/debian/patches/series b/debian/patches/series
-index 7fbd139..25f1ff5 100644
---- a/debian/patches/series
-+++ b/debian/patches/series
-@@ -1 +1,3 @@
- send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
-+reduce-minimum-crypto-key-size-to-1024bit.patch
-+crypto-remove-libnss-3des-support.patch
diff --git a/patches/0002-cherry-pick-1.9-as-patches.patch b/patches/0002-cherry-pick-1.9-as-patches.patch
new file mode 100644
index 0000000..adcf1ee
--- /dev/null
+++ b/patches/0002-cherry-pick-1.9-as-patches.patch
@@ -0,0 +1,776 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 09:17:04 +0200
+Subject: [PATCH kronosnet] cherry-pick 1.9 as patches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ ...ther-exception-to-valgrind-nss-combo.patch | 35 +++
+ .../crypto-remove-libnss-3des-support.patch | 74 +++++
+ debian/patches/man-Tidy-manpages-215.patch | 297 ++++++++++++++++++
+ debian/patches/man-Tidy-more-man-pages.patch | 47 +++
+ ...net_host_set_policy-parameters-order.patch | 27 ++
+ ...-errors-detected-by-newly-added-test.patch | 41 +++
+ ...e-minimum-crypto-key-size-to-1024bit.patch | 35 +++
+ ...eck-to-verify-doxy-header-order-and-.patch | 37 +++
+ ...or-message-decoding-from-ICMP-errors.patch | 38 +++
+ ...udp-use-defines-vs-hardcoded-numbers.patch | 36 +++
+ debian/patches/series | 10 +
+ 11 files changed, 677 insertions(+)
+ create mode 100644 debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+ create mode 100644 debian/patches/crypto-remove-libnss-3des-support.patch
+ create mode 100644 debian/patches/man-Tidy-manpages-215.patch
+ create mode 100644 debian/patches/man-Tidy-more-man-pages.patch
+ create mode 100644 debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+ create mode 100644 debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+ create mode 100644 debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+ create mode 100644 debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+ create mode 100644 debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+ create mode 100644 debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+
+diff --git a/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch b/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+new file mode 100644
+index 0000000..4b60b6b
+--- /dev/null
++++ b/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+@@ -0,0 +1,35 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 29 Jan 2019 05:33:51 +0100
++Subject: [build] add another exception to valgrind nss combo
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a6746007986b9324760822aa0190d035b8da7352)
++---
++ build-aux/knet_valgrind_memcheck.supp | 17 +++++++++++++++++
++ 1 file changed, 17 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index 8b3f95f..e0f49d0 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -588,3 +588,20 @@
++ obj:/usr/lib64/libnss3.so
++ obj:/usr/lib64/libnss3.so
++ }
+++{
+++ nss internal leak (3.41) non recurring (spotted on f29)
+++ Memcheck:Leak
+++ match-leak-kinds: definite
+++ fun:malloc
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:*
+++ obj:/usr/lib64/libnss3.so
+++}
+diff --git a/debian/patches/crypto-remove-libnss-3des-support.patch b/debian/patches/crypto-remove-libnss-3des-support.patch
+new file mode 100644
+index 0000000..c8d1123
+--- /dev/null
++++ b/debian/patches/crypto-remove-libnss-3des-support.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 13:36:56 +0200
++Subject: [crypto] remove libnss 3des support
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit acb5adb7f3ea6eaaf858d86e064a9b3fe477ea11)
++---
++ libknet/libknet.h | 2 +-
++ libknet/crypto_nss.c | 14 ++++----------
++ 2 files changed, 5 insertions(+), 11 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 0331b1f..d0c90e4 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -617,7 +617,7 @@ struct knet_handle_crypto_cfg {
++ * It can be set to "none" to disable
++ * encryption.
++ * Currently supported by "nss" model:
++- * "3des", "aes128", "aes192" and "aes256".
+++ * "aes128", "aes192" and "aes256".
++ * "openssl" model supports more modes and it strictly
++ * depends on the openssl build. See: EVP_get_cipherbyname
++ * openssl API call for details.
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 35afa0f..a17ff62 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -64,32 +64,28 @@ enum nsscrypto_crypt_t {
++ CRYPTO_CIPHER_TYPE_NONE = 0,
++ CRYPTO_CIPHER_TYPE_AES256 = 1,
++ CRYPTO_CIPHER_TYPE_AES192 = 2,
++- CRYPTO_CIPHER_TYPE_AES128 = 3,
++- CRYPTO_CIPHER_TYPE_3DES = 4
+++ CRYPTO_CIPHER_TYPE_AES128 = 3
++ };
++
++ CK_MECHANISM_TYPE cipher_to_nss[] = {
++ 0, /* CRYPTO_CIPHER_TYPE_NONE */
++ CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES256 */
++ CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES192 */
++- CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES128 */
++- CKM_DES3_CBC_PAD /* CRYPTO_CIPHER_TYPE_3DES */
+++ CKM_AES_CBC_PAD /* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++
++ size_t nsscipher_key_len[] = {
++ 0, /* CRYPTO_CIPHER_TYPE_NONE */
++ AES_256_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES256 */
++ AES_192_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES192 */
++- AES_128_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES128 */
++- 24 /* CRYPTO_CIPHER_TYPE_3DES */
+++ AES_128_KEY_LENGTH /* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++
++ size_t nsscypher_block_len[] = {
++ 0, /* CRYPTO_CIPHER_TYPE_NONE */
++ AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES256 */
++ AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES192 */
++- AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES128 */
++- 0 /* CRYPTO_CIPHER_TYPE_3DES */
+++ AES_BLOCK_SIZE /* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++
++ /*
++@@ -155,8 +151,6 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
++ return CRYPTO_CIPHER_TYPE_AES192;
++ } else if (strcmp(crypto_cipher_type, "aes128") == 0) {
++ return CRYPTO_CIPHER_TYPE_AES128;
++- } else if (strcmp(crypto_cipher_type, "3des") == 0) {
++- return CRYPTO_CIPHER_TYPE_3DES;
++ }
++ return -1;
++ }
+diff --git a/debian/patches/man-Tidy-manpages-215.patch b/debian/patches/man-Tidy-manpages-215.patch
+new file mode 100644
+index 0000000..f0b5b37
+--- /dev/null
++++ b/debian/patches/man-Tidy-manpages-215.patch
+@@ -0,0 +1,297 @@
++From: Chrissie Caulfield <ccaulfie at redhat.com>
++Date: Tue, 16 Apr 2019 14:46:01 +0100
++Subject: man: Tidy manpages (#215)
++
++* man: Tidy manpages for libnozzle
++
++doxygen works in mysterious ways, adding a blank line before
++ at brief makes the lines following that much tidier.
++
++So now instead of
++
++nozzle_close nozzle - pointer to the nozzle struct to destroy
++
++we get:
++
++nozzle_close
++
++ nozzle - pointer to the nozzle struct to destroy
++
++* doxyxml: Cope with pointers-to-pointers passed as params
++
++Double pointers showed as ' * *name' when they should be ' **name'.
++
++Also tidy STRUCTURES display so that they are not indented too much,
++
++* man: Similar @brief fixes for libknet.h
++
++* doxyxml: Tidy descriptions of functions as parameters
++
++If a complex function pointer was passed as a parameter then doxyxml
++tryied to line up all the other parameters with it - making a mess
++by having lots of blank space between the type and the name.
++
++Now we enforce a maximum type length (a line-ish) so that shorter
++tyopes will line up OK and the really long ones will be left to their
++own devices.
++
++(cherry picked from commit 652e355252adf6d248123d564c607c338e899f98)
++---
++ libknet/libknet.h | 3 +++
++ libnozzle/libnozzle.h | 24 +++++++++++++++++++++---
++ man/doxyxml.c | 30 ++++++++++++++++++++----------
++ 3 files changed, 44 insertions(+), 13 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d0c90e4..181724a 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -275,6 +275,7 @@ int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel);
++
++ /**
++ * knet_handle_remove_datafd
+++ *
++ * @brief Remove a file descriptor from knet
++ *
++ * knet_h - pointer to knet_handle_t
++@@ -293,6 +294,7 @@ int knet_handle_remove_datafd(knet_handle_t knet_h, int datafd);
++
++ /**
++ * knet_handle_get_channel
+++ *
++ * @brief Get the channel associated with a file descriptor
++ *
++ * knet_h - pointer to knet_handle_t
++@@ -313,6 +315,7 @@ int knet_handle_get_channel(knet_handle_t knet_h, const int datafd, int8_t *chan
++
++ /**
++ * knet_handle_get_datafd
+++ *
++ * @brief Get the file descriptor associated with a channel
++ *
++ * knet_h - pointer to knet_handle_t
++diff --git a/libnozzle/libnozzle.h b/libnozzle/libnozzle.h
++index 82ca74d..b8ab7d6 100644
++--- a/libnozzle/libnozzle.h
+++++ b/libnozzle/libnozzle.h
++@@ -25,6 +25,7 @@ typedef struct nozzle_iface *nozzle_t;
++
++ /**
++ * nozzle_open
+++ *
++ * @brief create a new tap device on the system.
++ *
++ * devname - pointer to device name of at least size IFNAMSIZ.
++@@ -55,6 +56,7 @@ nozzle_t nozzle_open(char *devname, size_t devname_size, const char *updownpath)
++
++ /**
++ * nozzle_close
+++ *
++ * @brief deconfigure and destroy a nozzle device
++ *
++ * nozzle - pointer to the nozzle struct to destroy
++@@ -74,9 +76,8 @@ int nozzle_close(nozzle_t nozzle);
++
++ /**
++ * nozzle_run_updown
++- * @brief execute updown commands associated with a nozzle device. It is
++- * the application responsibility to call helper scripts
++- * before or after creating/destroying interfaces or IP addresses.
+++ *
+++ * @brief execute updown commands associated with a nozzle device.
++ *
++ * nozzle - pointer to the nozzle struct
++ *
++@@ -86,6 +87,9 @@ int nozzle_close(nozzle_t nozzle);
++ * The string is malloc'ed, the caller needs to free the buffer.
++ * If the script generates no output this string might be NULL.
++ *
+++ * It is the application responsibility to call helper scripts
+++ * before or after creating/destroying interfaces or IP addresses.
+++ *
++ * @return
++ * 0 on success
++ * -1 on error and errno is set (sanity checks and internal calls.
++@@ -96,6 +100,7 @@ int nozzle_run_updown(const nozzle_t nozzle, uint8_t action, char **exec_string)
++
++ /**
++ * nozzle_set_up
+++ *
++ * @brief equivalent of ifconfig up
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -109,6 +114,7 @@ int nozzle_set_up(nozzle_t nozzle);
++
++ /**
++ * nozzle_set_down
+++ *
++ * @brief equivalent of ifconfig down
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -122,6 +128,7 @@ int nozzle_set_down(nozzle_t nozzle);
++
++ /**
++ * nozzle_add_ip
+++ *
++ * @brief equivalent of ip addr or ifconfig <ipaddress/prefix>
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -142,6 +149,7 @@ int nozzle_add_ip(nozzle_t nozzle, const char *ipaddr, const char *prefix);
++
++ /**
++ * nozzle_del_ip
+++ *
++ * @brief equivalent of ip addr del or ifconfig del <ipaddress/prefix>
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -170,6 +178,7 @@ struct nozzle_ip {
++
++ /**
++ * nozzle_get_ips
+++ *
++ * @brief retrieve the list of all configured ips for a given interface
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -191,6 +200,7 @@ int nozzle_get_ips(const nozzle_t nozzle, struct nozzle_ip **nozzle_ip);
++
++ /**
++ * nozzle_get_mtu
+++ *
++ * @brief retrieve mtu on a given nozzle interface
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -204,6 +214,7 @@ int nozzle_get_mtu(const nozzle_t nozzle);
++
++ /**
++ * nozzle_set_mtu
+++ *
++ * @brief set mtu on a given nozzle interface
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -219,6 +230,7 @@ int nozzle_set_mtu(nozzle_t nozzle, const int mtu);
++
++ /**
++ * nozzle_reset_mtu
+++ *
++ * @brief reset mtu on a given nozzle interface to the system default
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -232,6 +244,7 @@ int nozzle_reset_mtu(nozzle_t nozzle);
++
++ /**
++ * nozzle_get_mac
+++ *
++ * @brief retrieve mac address on a given nozzle interface
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -247,6 +260,7 @@ int nozzle_get_mac(const nozzle_t nozzle, char **ether_addr);
++
++ /**
++ * nozzle_set_mac
+++ *
++ * @brief set mac address on a given nozzle interface
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -262,6 +276,7 @@ int nozzle_set_mac(nozzle_t nozzle, const char *ether_addr);
++
++ /**
++ * nozzle_reset_mac
+++ *
++ * @brief reset mac address on a given nozzle interface to system default
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -275,6 +290,7 @@ int nozzle_reset_mac(nozzle_t nozzle);
++
++ /**
++ * nozzle_get_handle_by_name
+++ *
++ * @brief find a nozzle handle by device name
++ *
++ * devname - string containing the name of the interface
++@@ -288,6 +304,7 @@ nozzle_t nozzle_get_handle_by_name(const char *devname);
++
++ /**
++ * nozzle_get_name_by_handle
+++ *
++ * @brief retrieve nozzle interface name by handle
++ *
++ * nozzle - pointer to the nozzle struct
++@@ -301,6 +318,7 @@ const char *nozzle_get_name_by_handle(const nozzle_t nozzle);
++
++ /**
++ * nozzle_get_fd
+++ *
++ * @brief
++ *
++ * nozzle - pointer to the nozzle struct
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index b4b49a9..b623711 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -34,6 +34,14 @@
++ #define XML_DIR "../man/xml-knet"
++ #define XML_FILE "libknet_8h.xml"
++
+++/*
+++ * This isn't a maximum size, it just defines how long a parameter
+++ * type can get before we decide it's not worth lining everything up to.
+++ * it's mainly to stop function pointer types (which can get VERY long because
+++ * of all *their* parameters) making everything else 'line-up' over separate lines
+++ */
+++#define LINE_LENGTH 80
+++
++ static int print_ascii = 1;
++ static int print_man = 0;
++ static int print_params = 0;
++@@ -332,19 +340,25 @@ static int read_structure_from_xml(char *refid, char *name)
++
++ static void print_param(FILE *manfile, struct param_info *pi, int field_width, int bold, const char *delimiter)
++ {
++- char asterisk = ' ';
+++ char *asterisks = " ";
++ char *type = pi->paramtype;
++
++ /* Reformat pointer params so they look nicer */
++ if (pi->paramtype[strlen(pi->paramtype)-1] == '*') {
++- asterisk='*';
+++ asterisks=" *";
++ type = strdup(pi->paramtype);
++ type[strlen(type)-1] = '\0';
+++
+++ /* Cope with double pointers */
+++ if (pi->paramtype[strlen(type)-1] == '*') {
+++ asterisks="**";
+++ type[strlen(type)-1] = '\0';
+++ }
++ }
++
++- fprintf(manfile, " %s%-*s%c%s\\fI%s\\fP%s\n",
+++ fprintf(manfile, " %s%-*s%s%s\\fI%s\\fP%s\n",
++ bold?"\\fB":"", field_width, type,
++- asterisk, bold?"\\fP":"", pi->paramname, delimiter);
+++ asterisks, bold?"\\fP":"", pi->paramname, delimiter);
++
++ if (type != pi->paramtype) {
++ free(type);
++@@ -504,7 +518,8 @@ static void print_manpage(char *name, char *def, char *brief, char *args, char *
++ qb_list_for_each(iter, ¶ms_list) {
++ pi = qb_list_entry(iter, struct param_info, list);
++
++- if (strlen(pi->paramtype) > max_param_type_len) {
+++ if ((strlen(pi->paramtype) < LINE_LENGTH) &&
+++ (strlen(pi->paramtype) > max_param_type_len)) {
++ max_param_type_len = strlen(pi->paramtype);
++ }
++ if (strlen(pi->paramname) > max_param_name_len) {
++@@ -559,11 +574,6 @@ static void print_manpage(char *name, char *def, char *brief, char *args, char *
++
++ map_iter = qb_map_iter_create(used_structures_map);
++ for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
++- fprintf(manfile, ".SS \"\"\n");
++- fprintf(manfile, ".PP\n");
++- fprintf(manfile, ".sp\n");
++- fprintf(manfile, ".sp\n");
++- fprintf(manfile, ".RS\n");
++ fprintf(manfile, ".nf\n");
++ fprintf(manfile, "\\fB\n");
++
+diff --git a/debian/patches/man-Tidy-more-man-pages.patch b/debian/patches/man-Tidy-more-man-pages.patch
+new file mode 100644
+index 0000000..21c6e04
+--- /dev/null
++++ b/debian/patches/man-Tidy-more-man-pages.patch
+@@ -0,0 +1,47 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Mon, 29 Apr 2019 15:16:27 +0100
++Subject: man: Tidy more man pages
++
++Followup to previous 'tidy'
++
++(cherry picked from commit 4ff309b82bbd11300e761ecdcafde596115fc7f7)
++---
++ libknet/libknet.h | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 181724a..7b5a9e3 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -151,6 +151,7 @@ knet_handle_t knet_handle_new(knet_node_id_t host_id,
++
++ /**
++ * knet_handle_free
+++ *
++ * @brief Destroy a knet handle, free all resources
++ *
++ * knet_h - pointer to knet_handle_t
++@@ -165,6 +166,7 @@ int knet_handle_free(knet_handle_t knet_h);
++
++ /**
++ * knet_handle_enable_sock_notify
+++ *
++ * @brief Register a callback to receive socket events
++ *
++ * knet_h - pointer to knet_handle_t
++@@ -336,6 +338,7 @@ int knet_handle_get_datafd(knet_handle_t knet_h, const int8_t channel, int *data
++
++ /**
++ * knet_recv
+++ *
++ * @brief Receive data from knet nodes
++ *
++ * knet_h - pointer to knet_handle_t
++@@ -358,6 +361,7 @@ ssize_t knet_recv(knet_handle_t knet_h,
++
++ /**
++ * knet_send
+++ *
++ * @brief Send data to knet nodes
++ *
++ * knet_h - pointer to knet_handle_t
+diff --git a/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch b/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+new file mode 100644
+index 0000000..5d50b61
+--- /dev/null
++++ b/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+@@ -0,0 +1,27 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:06:47 +0200
++Subject: [man] fix knet_host_set_policy parameters order
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 73e1b520482cef7ced995423aa3f6f53d16b66c4)
++---
++ libknet/libknet.h | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 7b5a9e3..7c0c440 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1027,10 +1027,10 @@ int knet_host_get_host_list(knet_handle_t knet_h,
++ /**
++ * knet_host_set_policy
++ *
++- * knet_h - pointer to knet_handle_t
++- *
++ * @brief Set the switching policy for a host's links
++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
++ * host_id - see knet_host_add(3)
++ *
++ * policy - there are currently 3 kind of simple switching policies
+diff --git a/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+new file mode 100644
+index 0000000..79925df
+--- /dev/null
++++ b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+@@ -0,0 +1,41 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:48 +0200
++Subject: [man] fix libknet.h for errors detected by newly added test
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8e00c883883f0ee183aa3472e5ee72210318ce14)
++---
++ libknet/libknet.h | 6 +++---
++ 1 file changed, 3 insertions(+), 3 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 7c0c440..c7f44d7 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1144,7 +1144,7 @@ struct knet_host_status {
++ };
++
++ /**
++- * knet_host_status_get
+++ * knet_host_get_status
++ *
++ * @brief Get the status of a host
++ *
++@@ -1939,7 +1939,7 @@ struct knet_log_msg {
++ };
++
++ /**
++- * knet_log_set_log_level
+++ * knet_log_set_loglevel
++ *
++ * @brief Set the logging level for a subsystem
++ *
++@@ -1962,7 +1962,7 @@ int knet_log_set_loglevel(knet_handle_t knet_h, uint8_t subsystem,
++ uint8_t level);
++
++ /**
++- * knet_log_get_log_level
+++ * knet_log_get_loglevel
++ *
++ * @brief Get the logging level for a subsystem
++ *
+diff --git a/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+new file mode 100644
+index 0000000..065a53b
+--- /dev/null
++++ b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+@@ -0,0 +1,35 @@
++From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
++Date: Wed, 3 Apr 2019 14:28:50 +0200
++Subject: reduce minimum crypto key size to 1024bit
++MIME-Version: 1.0
++Content-Type: text/plain; charset="utf-8"
++Content-Transfer-Encoding: 8bit
++
++Since the key is used for AES/3DES and HMAC operations only, this is
++safe. AES/3DES use keys in the 128- to 256-bit range, HMAC with
++MD5/SHA1/SHA2 should use keys with a minimum of 128- to 512-bit (in both
++cases, depending on the actual algorithm used).
++
++This reduction also keeps knet compatible with existing Corosync 2.x
++keyfiles, which are 1024-bit.
++
++Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
++(cherry picked from commit 4e648f76930af8c376a833677d940b2b0efc3c86)
++---
++ libknet/libknet.h | 3 +--
++ 1 file changed, 1 insertion(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 36fefa5..0331b1f 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -587,8 +587,7 @@ int knet_handle_pmtud_get(knet_handle_t knet_h,
++ unsigned int *data_mtu);
++
++
++-
++-#define KNET_MIN_KEY_LEN 256
+++#define KNET_MIN_KEY_LEN 128
++ #define KNET_MAX_KEY_LEN 4096
++
++ struct knet_handle_crypto_cfg {
+diff --git a/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch b/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+new file mode 100644
+index 0000000..2ac3e8a
+--- /dev/null
++++ b/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+@@ -0,0 +1,37 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:16 +0200
++Subject: [tests] add man page check to verify doxy header order and
++ definitions
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8b73fbca799114ed579acb73ce0bbcdf45b1f171)
++---
++ man/api-to-man-page-coverage | 15 +++++++++++++++
++ 1 file changed, 15 insertions(+)
++
++diff --git a/man/api-to-man-page-coverage b/man/api-to-man-page-coverage
++index 92e60a5..b9dc18f 100755
++--- a/man/api-to-man-page-coverage
+++++ b/man/api-to-man-page-coverage
++@@ -14,6 +14,21 @@ target="$2"
++ headerapicalls="$(grep ${target}_ "$srcdir"/lib${target}/lib${target}.h | grep -v "^ \*" | grep -v ^struct | grep -v "^[[:space:]]" | grep -v typedef | sed -e 's/(.*//g' -e 's/^const //g' -e 's/\*//g' | awk '{print $2}')"
++ manpages="$(grep ${target}_ "$srcdir"/man/Makefile.am |grep -v man3 |grep -v xml | sed -e 's/\.3.*//g')"
++
+++echo "Checking for header format errors"
+++
+++for i in $headerapicalls; do
+++ echo "Checking $i"
+++ header="$(grep " \* ${i}$" "$srcdir"/lib${target}/lib${target}.h -A2)"
+++ brief="$(echo "$header" | tail -n 1 |grep "@brief")"
+++ if [ -z "$brief" ]; then
+++ echo "Error found in $i doxy header section"
+++ echo "$header"
+++ echo ""
+++ echo "$brief"
+++ exit 1
+++ fi
+++done
+++
++ echo "Checking for symbols in header file NOT distributed as manpages"
++
++ for i in $headerapicalls; do
+diff --git a/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch b/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+new file mode 100644
+index 0000000..876bdd3
+--- /dev/null
++++ b/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+@@ -0,0 +1,38 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 1 May 2019 06:51:19 +0200
++Subject: [udp] improve error message decoding from ICMP errors
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c8522bfa627045932c0bd2c1b31005534efbc495)
++---
++ libknet/transport_udp.c | 10 +++++++++-
++ 1 file changed, 9 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 3decb66..e4f6fdb 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -296,6 +296,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ struct sockaddr_storage *origin;
++ char addr_str[KNET_MAX_HOST_LEN];
++ char port_str[KNET_MAX_PORT_LEN];
+++ char addr_remote_str[KNET_MAX_HOST_LEN];
+++ char port_remote_str[KNET_MAX_PORT_LEN];
++
++ iov.iov_base = &icmph;
++ iov.iov_len = sizeof(icmph);
++@@ -367,7 +369,13 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from unknown source: %s", strerror(sock_err->ee_errno));
++
++ } else {
++- log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s", addr_str, strerror(sock_err->ee_errno));
+++ if (knet_addrtostr(&remote, sizeof(remote),
+++ addr_remote_str, KNET_MAX_HOST_LEN,
+++ port_remote_str, KNET_MAX_PORT_LEN) < 0) {
+++ log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s destination unknown", addr_str, strerror(sock_err->ee_errno));
+++ } else {
+++ log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s %s", addr_str, strerror(sock_err->ee_errno), addr_remote_str);
+++ }
++ }
++ break;
++ }
+diff --git a/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch b/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+new file mode 100644
+index 0000000..65a5d88
+--- /dev/null
++++ b/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+@@ -0,0 +1,36 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 1 May 2019 06:39:53 +0200
++Subject: [udp] use defines vs hardcoded numbers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 77adcf11ee390cfc7158f3f05617beef980429d8)
++---
++ libknet/transport_udp.c | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index acfbab4..3decb66 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -325,8 +325,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ sock_err = (struct sock_extended_err*)(void *)CMSG_DATA(cmsg);
++ if (sock_err) {
++ switch (sock_err->ee_origin) {
++- case 0: /* no origin */
++- case 1: /* local source (EMSGSIZE) */
+++ case SO_EE_ORIGIN_NONE: /* no origin */
+++ case SO_EE_ORIGIN_LOCAL: /* local source (EMSGSIZE) */
++ if (sock_err->ee_errno == EMSGSIZE) {
++ if (pthread_mutex_lock(&knet_h->kmtu_mutex) != 0) {
++ log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Unable to get mutex lock");
++@@ -358,8 +358,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ * those errors are way too noisy
++ */
++ break;
++- case 2: /* ICMP */
++- case 3: /* ICMP6 */
+++ case SO_EE_ORIGIN_ICMP: /* ICMP */
+++ case SO_EE_ORIGIN_ICMP6: /* ICMP6 */
++ origin = (struct sockaddr_storage *)(void *)SO_EE_OFFENDER(sock_err);
++ if (knet_addrtostr(origin, sizeof(origin),
++ addr_str, KNET_MAX_HOST_LEN,
+diff --git a/debian/patches/series b/debian/patches/series
+index 7fbd139..c16ea6e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,11 @@
+ send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
++build-add-another-exception-to-valgrind-nss-combo.patch
++reduce-minimum-crypto-key-size-to-1024bit.patch
++crypto-remove-libnss-3des-support.patch
++man-Tidy-manpages-215.patch
++man-Tidy-more-man-pages.patch
++man-fix-knet_host_set_policy-parameters-order.patch
++tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
++man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
++udp-use-defines-vs-hardcoded-numbers.patch
++udp-improve-error-message-decoding-from-ICMP-errors.patch
diff --git a/patches/0003-cherry-pick-1.10-as-patches.patch b/patches/0003-cherry-pick-1.10-as-patches.patch
new file mode 100644
index 0000000..ec886d6
--- /dev/null
+++ b/patches/0003-cherry-pick-1.10-as-patches.patch
@@ -0,0 +1,14716 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 09:31:57 +0200
+Subject: [PATCH kronosnet] cherry-pick 1.10 as patches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ ...e-entry-per-file-to-match-README.lic.patch | 2928 +++++++++++++++++
+ ...n-shared-code-to-trigger-PMTUd-rerun.patch | 79 +
+ ...-rerun-API-to-allow-full-PMTUd-reset.patch | 74 +
+ ...sts-add-access-lists-support-to-sctp.patch | 96 +
+ ...documentation-for-enable_access_list.patch | 58 +
+ ...dd-errno-around-and-start-using-them.patch | 195 ++
+ ...rnal-API-calls-to-manage-access-list.patch | 746 +++++
+ ...more-extensive-test-for-links_acl_ip.patch | 717 ++++
+ .../access-lists-add-public-API-tests.patch | 1019 ++++++
+ ...s-add-tests-for-default-access-lists.patch | 63 +
+ ...et_bench-to-enable-disable-access-li.patch | 61 +
+ ...cally-add-and-remove-point-to-point-.patch | 283 ++
+ .../access-lists-cleanup-API-a-bit.patch | 98 +
+ ...access-lists-data-structs-within-the.patch | 226 ++
+ ...ccess-lists-for-GENERIC_ACL-protocol.patch | 80 +
+ ...eneric-access-lists-only-for-protoco.patch | 55 +
+ ...d-on-BSD-and-add-some-include-files-.patch | 64 +
+ .../access-lists-fix-build-on-freebsd.patch | 54 +
+ ...improve-checks-on-various-data-types.patch | 74 +
+ ...e-more-generic-to-accept-more-than-I.patch | 436 +++
+ ...s-lists-make-internal-API-consistent.patch | 73 +
+ ...-of-generic-wrappers-and-remove-dupl.patch | 72 +
+ ...ess-lists-structs-and-data-types-to-.patch | 168 +
+ ...-acl-wrappers-to-links_acl-and-split.patch | 1025 ++++++
+ ...-lists-remove-2-unnecessary-wrappers.patch | 70 +
+ ...p1-2-to-ss1-2-to-keep-it-more-generi.patch | 219 ++
+ ...licit-access-lists-management-for-UD.patch | 50 +
+ ...ays-to-access-per-protocol-functions.patch | 309 ++
+ ...better-name-for-fd_tracker-structure.patch | 95 +
+ .../acl-Fix-English-in-commments.patch | 106 +
+ ..._handle_enable_access_lists-api-call.patch | 235 ++
+ ...o-libknet-dir-and-rename-to-links_ac.patch | 186 ++
+ ...ump-soname-to-indicate-new-API-calls.patch | 23 +
+ .../compress-add-support-for-libzstd.patch | 342 ++
+ ...o-fix-openssl1.0-initialization-code.patch | 98 +
+ ...e-errors-generated-by-openssl-1.1.1c.patch | 137 +
+ ...lear-all-security-info-on-crypto_fin.patch | 51 +
+ ...rigger-a-PMTUd-rerun-on-each-good-cr.patch | 25 +
+ ...alls-to-RAND_seed-as-they-don-t-real.patch | 65 +
+ ...crypto-openssl-error-strings-release.patch | 28 +
+ ...ndle_crypto-external-API-to-be-more-.patch | 598 ++++
+ ...ight-from-541d7faf9068d10e12b4278c35.patch | 23 +
+ ...al-update-copyright-across-the-board.patch | 129 +
+ debian/patches/global-update-copyrights.patch | 21 +
+ ...operly-initialize-fd-tracker-buffers.patch | 26 +
+ ..._type-to-transport-to-avoid-confusio.patch | 77 +
+ ...t_type-to-transport-to-avoid-confusi.patch | 196 ++
+ ...g-target-of-recently-added-API-calls.patch | 52 +
+ ...rrors-detected-by-newly-added-test-1.patch | 50 +
+ .../patches/manpages-Document-enums-206.patch | 39 +
+ .../misc-Fix-more-covscan-warnings.patch | 191 ++
+ debian/patches/misc-some-coverity-fixes.patch | 224 ++
+ ...bout-plugins-version-and-architectur.patch | 167 +
+ ...-up-useless-conditionals-and-defines.patch | 376 +++
+ .../spec-drop-support-for-init-scripts.patch | 108 +
+ .../spec-fix-a-bunch-of-rpmlint-errors.patch | 51 +
+ ...s-to-point-to-https-and-official-rel.patch | 30 +
+ ...ora-spec-file-into-upstream-spec-fil.patch | 374 +++
+ ...ditionals-to-determine-BuildRequires.patch | 59 +
+ ...dconfig_scriptlets-only-when-defined.patch | 40 +
+ ...m-internal-memory-leak-non-recurring.patch | 25 +
+ ...r-packet-implementation-to-flush-log.patch | 135 +
+ .../patches/tests-remove-stray-comment.patch | 22 +
+ ...t-add-internal-API-to-gather-which-f.patch | 161 +
+ ...ation-about-the-nature-of-the-transp.patch | 115 +
+ ...ect-merge-when-cherry-picking-7033dd.patch | 29 +
+ debian/patches/series | 66 +
+ 67 files changed, 14167 insertions(+)
+ create mode 100644 debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+ create mode 100644 debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+ create mode 100644 debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+ create mode 100644 debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+ create mode 100644 debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+ create mode 100644 debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+ create mode 100644 debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+ create mode 100644 debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+ create mode 100644 debian/patches/access-lists-add-public-API-tests.patch
+ create mode 100644 debian/patches/access-lists-add-tests-for-default-access-lists.patch
+ create mode 100644 debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+ create mode 100644 debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+ create mode 100644 debian/patches/access-lists-cleanup-API-a-bit.patch
+ create mode 100644 debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+ create mode 100644 debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+ create mode 100644 debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+ create mode 100644 debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+ create mode 100644 debian/patches/access-lists-fix-build-on-freebsd.patch
+ create mode 100644 debian/patches/access-lists-improve-checks-on-various-data-types.patch
+ create mode 100644 debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+ create mode 100644 debian/patches/access-lists-make-internal-API-consistent.patch
+ create mode 100644 debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+ create mode 100644 debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+ create mode 100644 debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+ create mode 100644 debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+ create mode 100644 debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+ create mode 100644 debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+ create mode 100644 debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+ create mode 100644 debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+ create mode 100644 debian/patches/acl-Fix-English-in-commments.patch
+ create mode 100644 debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+ create mode 100644 debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+ create mode 100644 debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+ create mode 100644 debian/patches/compress-add-support-for-libzstd.patch
+ create mode 100644 debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+ create mode 100644 debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+ create mode 100644 debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+ create mode 100644 debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+ create mode 100644 debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+ create mode 100644 debian/patches/crypto-openssl-error-strings-release.patch
+ create mode 100644 debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+ create mode 100644 debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+ create mode 100644 debian/patches/global-update-copyright-across-the-board.patch
+ create mode 100644 debian/patches/global-update-copyrights.patch
+ create mode 100644 debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+ create mode 100644 debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+ create mode 100644 debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+ create mode 100644 debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+ create mode 100644 debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+ create mode 100644 debian/patches/manpages-Document-enums-206.patch
+ create mode 100644 debian/patches/misc-Fix-more-covscan-warnings.patch
+ create mode 100644 debian/patches/misc-some-coverity-fixes.patch
+ create mode 100644 debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+ create mode 100644 debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+ create mode 100644 debian/patches/spec-drop-support-for-init-scripts.patch
+ create mode 100644 debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+ create mode 100644 debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+ create mode 100644 debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+ create mode 100644 debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+ create mode 100644 debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+ create mode 100644 debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+ create mode 100644 debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+ create mode 100644 debian/patches/tests-remove-stray-comment.patch
+ create mode 100644 debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+ create mode 100644 debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+ create mode 100644 debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+
+diff --git a/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch b/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+new file mode 100644
+index 0000000..ba15cf0
+--- /dev/null
++++ b/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+@@ -0,0 +1,2928 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 12 Jun 2019 05:21:24 +0200
++Subject: [global] clarify license entry per file to match README.licence
++
++libraries code: LGPL-2.0+
++binaries code and other files: GPL-2.0+
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dd52554d5dfc0c5c37697842092cd3b99d6d40a4)
++---
++ README | 2 +-
++ autogen.sh | 2 +-
++ configure.ac | 2 +-
++ Makefile.am | 2 +-
++ init/Makefile.am | 2 +-
++ kronosnetd/Makefile.am | 2 +-
++ libknet/Makefile.am | 2 +-
++ libknet/tests/Makefile.am | 2 +-
++ libnozzle/Makefile.am | 2 +-
++ libnozzle/tests/Makefile.am | 2 +-
++ man/Makefile.am | 2 +-
++ poc-code/Makefile.am | 2 +-
++ poc-code/iov-hash/Makefile.am | 2 +-
++ kronosnetd/cfg.h | 2 +-
++ kronosnetd/etherfilter.h | 2 +-
++ kronosnetd/logging.h | 2 +-
++ kronosnetd/vty.h | 2 +-
++ kronosnetd/vty_auth.h | 2 +-
++ kronosnetd/vty_cli.h | 2 +-
++ kronosnetd/vty_cli_cmds.h | 2 +-
++ kronosnetd/vty_utils.h | 2 +-
++ libknet/common.h | 2 +-
++ libknet/compat.h | 2 +-
++ libknet/compress.h | 2 +-
++ libknet/compress_model.h | 2 +-
++ libknet/crypto.h | 2 +-
++ libknet/crypto_model.h | 2 +-
++ libknet/host.h | 2 +-
++ libknet/internals.h | 2 +-
++ libknet/libknet.h | 2 +-
++ libknet/links.h | 2 +-
++ libknet/links_acl.h | 2 +-
++ libknet/links_acl_ip.h | 2 +-
++ libknet/links_acl_loopback.h | 2 +-
++ libknet/logging.h | 2 +-
++ libknet/netutils.h | 2 +-
++ libknet/onwire.h | 2 +-
++ libknet/tests/test-common.h | 2 +-
++ libknet/threads_common.h | 2 +-
++ libknet/threads_dsthandler.h | 2 +-
++ libknet/threads_heartbeat.h | 2 +-
++ libknet/threads_pmtud.h | 2 +-
++ libknet/threads_rx.h | 2 +-
++ libknet/threads_tx.h | 2 +-
++ libknet/transport_common.h | 2 +-
++ libknet/transport_loopback.h | 2 +-
++ libknet/transport_sctp.h | 2 +-
++ libknet/transport_udp.h | 2 +-
++ libknet/transports.h | 2 +-
++ libnozzle/internals.h | 2 +-
++ libnozzle/libnozzle.h | 2 +-
++ libnozzle/tests/test-common.h | 2 +-
++ init/kronosnetd.in | 2 +-
++ init/kronosnetd.service.in | 2 +-
++ kronosnetd/kronosnetd.logrotate.in | 2 +-
++ libknet/libknet.pc.in | 2 +-
++ libnozzle/libnozzle.pc.in | 2 +-
++ man/Doxyfile-knet.in | 2 +-
++ man/Doxyfile-nozzle.in | 2 +-
++ kronosnetd/cfg.c | 2 +-
++ kronosnetd/etherfilter.c | 2 +-
++ kronosnetd/keygen.c | 2 +-
++ kronosnetd/logging.c | 2 +-
++ kronosnetd/main.c | 2 +-
++ kronosnetd/vty.c | 2 +-
++ kronosnetd/vty_auth.c | 2 +-
++ kronosnetd/vty_cli.c | 2 +-
++ kronosnetd/vty_cli_cmds.c | 2 +-
++ kronosnetd/vty_utils.c | 2 +-
++ libknet/common.c | 2 +-
++ libknet/compat.c | 2 +-
++ libknet/compress.c | 2 +-
++ libknet/compress_bzip2.c | 2 +-
++ libknet/compress_lz4.c | 2 +-
++ libknet/compress_lz4hc.c | 2 +-
++ libknet/compress_lzma.c | 2 +-
++ libknet/compress_lzo2.c | 2 +-
++ libknet/compress_zlib.c | 2 +-
++ libknet/compress_zstd.c | 2 +-
++ libknet/crypto.c | 2 +-
++ libknet/crypto_nss.c | 2 +-
++ libknet/crypto_openssl.c | 2 +-
++ libknet/handle.c | 2 +-
++ libknet/host.c | 2 +-
++ libknet/links.c | 2 +-
++ libknet/links_acl.c | 2 +-
++ libknet/links_acl_ip.c | 2 +-
++ libknet/links_acl_loopback.c | 2 +-
++ libknet/logging.c | 2 +-
++ libknet/netutils.c | 2 +-
++ libknet/tests/api_knet_addrtostr.c | 2 +-
++ libknet/tests/api_knet_get_compress_list.c | 2 +-
++ libknet/tests/api_knet_get_crypto_list.c | 2 +-
++ libknet/tests/api_knet_get_transport_id_by_name.c | 2 +-
++ libknet/tests/api_knet_get_transport_list.c | 2 +-
++ libknet/tests/api_knet_get_transport_name_by_id.c | 2 +-
++ libknet/tests/api_knet_handle_add_datafd.c | 2 +-
++ libknet/tests/api_knet_handle_clear_stats.c | 2 +-
++ libknet/tests/api_knet_handle_compress.c | 2 +-
++ libknet/tests/api_knet_handle_crypto.c | 2 +-
++ libknet/tests/api_knet_handle_enable_access_lists.c | 2 +-
++ libknet/tests/api_knet_handle_enable_filter.c | 2 +-
++ libknet/tests/api_knet_handle_enable_pmtud_notify.c | 2 +-
++ libknet/tests/api_knet_handle_enable_sock_notify.c | 2 +-
++ libknet/tests/api_knet_handle_free.c | 2 +-
++ libknet/tests/api_knet_handle_get_channel.c | 2 +-
++ libknet/tests/api_knet_handle_get_datafd.c | 2 +-
++ libknet/tests/api_knet_handle_get_stats.c | 2 +-
++ libknet/tests/api_knet_handle_get_transport_reconnect_interval.c | 2 +-
++ libknet/tests/api_knet_handle_new.c | 2 +-
++ libknet/tests/api_knet_handle_new_limit.c | 2 +-
++ libknet/tests/api_knet_handle_pmtud_get.c | 2 +-
++ libknet/tests/api_knet_handle_pmtud_getfreq.c | 2 +-
++ libknet/tests/api_knet_handle_pmtud_setfreq.c | 2 +-
++ libknet/tests/api_knet_handle_remove_datafd.c | 2 +-
++ libknet/tests/api_knet_handle_set_transport_reconnect_interval.c | 2 +-
++ libknet/tests/api_knet_handle_setfwd.c | 2 +-
++ libknet/tests/api_knet_host_add.c | 2 +-
++ libknet/tests/api_knet_host_enable_status_change_notify.c | 2 +-
++ libknet/tests/api_knet_host_get_host_list.c | 2 +-
++ libknet/tests/api_knet_host_get_id_by_host_name.c | 2 +-
++ libknet/tests/api_knet_host_get_name_by_host_id.c | 2 +-
++ libknet/tests/api_knet_host_get_policy.c | 2 +-
++ libknet/tests/api_knet_host_get_status.c | 2 +-
++ libknet/tests/api_knet_host_remove.c | 2 +-
++ libknet/tests/api_knet_host_set_name.c | 2 +-
++ libknet/tests/api_knet_host_set_policy.c | 2 +-
++ libknet/tests/api_knet_link_add_acl.c | 2 +-
++ libknet/tests/api_knet_link_clear_acl.c | 2 +-
++ libknet/tests/api_knet_link_clear_config.c | 2 +-
++ libknet/tests/api_knet_link_get_config.c | 2 +-
++ libknet/tests/api_knet_link_get_enable.c | 2 +-
++ libknet/tests/api_knet_link_get_link_list.c | 2 +-
++ libknet/tests/api_knet_link_get_ping_timers.c | 2 +-
++ libknet/tests/api_knet_link_get_pong_count.c | 2 +-
++ libknet/tests/api_knet_link_get_priority.c | 2 +-
++ libknet/tests/api_knet_link_get_status.c | 2 +-
++ libknet/tests/api_knet_link_insert_acl.c | 2 +-
++ libknet/tests/api_knet_link_rm_acl.c | 2 +-
++ libknet/tests/api_knet_link_set_config.c | 2 +-
++ libknet/tests/api_knet_link_set_enable.c | 2 +-
++ libknet/tests/api_knet_link_set_ping_timers.c | 2 +-
++ libknet/tests/api_knet_link_set_pong_count.c | 2 +-
++ libknet/tests/api_knet_link_set_priority.c | 2 +-
++ libknet/tests/api_knet_log_get_loglevel.c | 2 +-
++ libknet/tests/api_knet_log_get_loglevel_id.c | 2 +-
++ libknet/tests/api_knet_log_get_loglevel_name.c | 2 +-
++ libknet/tests/api_knet_log_get_subsystem_id.c | 2 +-
++ libknet/tests/api_knet_log_get_subsystem_name.c | 2 +-
++ libknet/tests/api_knet_log_set_loglevel.c | 2 +-
++ libknet/tests/api_knet_recv.c | 2 +-
++ libknet/tests/api_knet_send.c | 2 +-
++ libknet/tests/api_knet_send_compress.c | 2 +-
++ libknet/tests/api_knet_send_crypto.c | 2 +-
++ libknet/tests/api_knet_send_loopback.c | 2 +-
++ libknet/tests/api_knet_send_sync.c | 2 +-
++ libknet/tests/api_knet_strtoaddr.c | 2 +-
++ libknet/tests/int_links_acl_ip.c | 2 +-
++ libknet/tests/int_timediff.c | 2 +-
++ libknet/tests/knet_bench.c | 2 +-
++ libknet/tests/pckt_test.c | 2 +-
++ libknet/tests/test-common.c | 2 +-
++ libknet/threads_common.c | 2 +-
++ libknet/threads_dsthandler.c | 2 +-
++ libknet/threads_heartbeat.c | 2 +-
++ libknet/threads_pmtud.c | 2 +-
++ libknet/threads_rx.c | 2 +-
++ libknet/threads_tx.c | 2 +-
++ libknet/transport_common.c | 2 +-
++ libknet/transport_loopback.c | 2 +-
++ libknet/transport_sctp.c | 2 +-
++ libknet/transport_udp.c | 2 +-
++ libknet/transports.c | 2 +-
++ libnozzle/internals.c | 2 +-
++ libnozzle/libnozzle.c | 2 +-
++ libnozzle/tests/api_nozzle_add_ip.c | 2 +-
++ libnozzle/tests/api_nozzle_close.c | 2 +-
++ libnozzle/tests/api_nozzle_del_ip.c | 2 +-
++ libnozzle/tests/api_nozzle_get_fd.c | 2 +-
++ libnozzle/tests/api_nozzle_get_handle_by_name.c | 2 +-
++ libnozzle/tests/api_nozzle_get_ips.c | 2 +-
++ libnozzle/tests/api_nozzle_get_mac.c | 2 +-
++ libnozzle/tests/api_nozzle_get_mtu.c | 2 +-
++ libnozzle/tests/api_nozzle_get_name_by_handle.c | 2 +-
++ libnozzle/tests/api_nozzle_open.c | 2 +-
++ libnozzle/tests/api_nozzle_run_updown.c | 2 +-
++ libnozzle/tests/api_nozzle_set_down.c | 2 +-
++ libnozzle/tests/api_nozzle_set_mac.c | 2 +-
++ libnozzle/tests/api_nozzle_set_mtu.c | 2 +-
++ libnozzle/tests/api_nozzle_set_up.c | 2 +-
++ libnozzle/tests/int_execute_bin_sh_command.c | 2 +-
++ libnozzle/tests/test-common.c | 2 +-
++ man/doxyxml.c | 2 +-
++ poc-code/iov-hash/main.c | 2 +-
++ build-aux/check.mk | 2 +-
++ build-aux/release.mk | 2 +-
++ build-aux/update-copyright.sh | 4 ++--
++ init/kronosnetd.default | 2 +-
++ libknet/libknet_exported_syms | 2 +-
++ libknet/tests/api-check.mk | 2 +-
++ libknet/tests/api-test-coverage | 2 +-
++ libnozzle/libnozzle_exported_syms | 2 +-
++ libnozzle/tests/api-test-coverage | 2 +-
++ libnozzle/tests/nozzle_run_updown_exit_false | 2 +-
++ libnozzle/tests/nozzle_run_updown_exit_true | 2 +-
++ man/api-to-man-page-coverage | 2 +-
++ man/knet-keygen.8 | 2 +-
++ man/kronosnetd.8 | 2 +-
++ 208 files changed, 209 insertions(+), 209 deletions(-)
++
++diff --git a/README b/README
++index 7b5e7ce..f8f3ea6 100644
++--- a/README
+++++ b/README
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ Upstream resources
++diff --git a/autogen.sh b/autogen.sh
++index 8fb1e58..92e9483 100755
++--- a/autogen.sh
+++++ b/autogen.sh
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ # Run this to generate all the initial makefiles, etc.
++diff --git a/configure.ac b/configure.ac
++index 501053e..e962592 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ # Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ # -*- Autoconf -*-
++diff --git a/Makefile.am b/Makefile.am
++index 82cb1f5..dc5f8a5 100644
++--- a/Makefile.am
+++++ b/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in aclocal.m4 configure depcomp \
++diff --git a/init/Makefile.am b/init/Makefile.am
++index 4d59a9e..fe0d9b0 100644
++--- a/init/Makefile.am
+++++ b/init/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/kronosnetd/Makefile.am b/kronosnetd/Makefile.am
++index 0b6f673..5ce8fa5 100644
++--- a/kronosnetd/Makefile.am
+++++ b/kronosnetd/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in kronostnetd.logrotate
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 8adcc40..d080732 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ # Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 015587c..3346596 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/libnozzle/Makefile.am b/libnozzle/Makefile.am
++index 2ffbd08..8ac438a 100644
++--- a/libnozzle/Makefile.am
+++++ b/libnozzle/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/libnozzle/tests/Makefile.am b/libnozzle/tests/Makefile.am
++index b9e16ae..cdc42a3 100644
++--- a/libnozzle/tests/Makefile.am
+++++ b/libnozzle/tests/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/man/Makefile.am b/man/Makefile.am
++index 0ad12f6..a473e90 100644
++--- a/man/Makefile.am
+++++ b/man/Makefile.am
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ # Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/poc-code/Makefile.am b/poc-code/Makefile.am
++index 15d12f7..ddbea08 100644
++--- a/poc-code/Makefile.am
+++++ b/poc-code/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/poc-code/iov-hash/Makefile.am b/poc-code/iov-hash/Makefile.am
++index a41ed99..acd6b51 100644
++--- a/poc-code/iov-hash/Makefile.am
+++++ b/poc-code/iov-hash/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ MAINTAINERCLEANFILES = Makefile.in
++diff --git a/kronosnetd/cfg.h b/kronosnetd/cfg.h
++index 0260bff..56fa4d5 100644
++--- a/kronosnetd/cfg.h
+++++ b/kronosnetd/cfg.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_CFG_H__
++diff --git a/kronosnetd/etherfilter.h b/kronosnetd/etherfilter.h
++index d805dd6..63e18b6 100644
++--- a/kronosnetd/etherfilter.h
+++++ b/kronosnetd/etherfilter.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_ETHERFILTER_H__
++diff --git a/kronosnetd/logging.h b/kronosnetd/logging.h
++index e4d5ce2..1bc12b9 100644
++--- a/kronosnetd/logging.h
+++++ b/kronosnetd/logging.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_LOGGING_H__
++diff --git a/kronosnetd/vty.h b/kronosnetd/vty.h
++index 86bd821..3c3e6e0 100644
++--- a/kronosnetd/vty.h
+++++ b/kronosnetd/vty.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_VTY_H__
++diff --git a/kronosnetd/vty_auth.h b/kronosnetd/vty_auth.h
++index c42989b..58d75cb 100644
++--- a/kronosnetd/vty_auth.h
+++++ b/kronosnetd/vty_auth.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_VTY_AUTH_H__
++diff --git a/kronosnetd/vty_cli.h b/kronosnetd/vty_cli.h
++index 9bbdcc7..0d7e515 100644
++--- a/kronosnetd/vty_cli.h
+++++ b/kronosnetd/vty_cli.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_VTY_CLI_H__
++diff --git a/kronosnetd/vty_cli_cmds.h b/kronosnetd/vty_cli_cmds.h
++index ac07573..ba40ddf 100644
++--- a/kronosnetd/vty_cli_cmds.h
+++++ b/kronosnetd/vty_cli_cmds.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_VTY_CLI_CMDS_H__
++diff --git a/kronosnetd/vty_utils.h b/kronosnetd/vty_utils.h
++index 07e339b..7ac318a 100644
++--- a/kronosnetd/vty_utils.h
+++++ b/kronosnetd/vty_utils.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNETD_VTY_UTILS_H__
++diff --git a/libknet/common.h b/libknet/common.h
++index ddea7fc..6128b16 100644
++--- a/libknet/common.h
+++++ b/libknet/common.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "internals.h"
++diff --git a/libknet/compat.h b/libknet/compat.h
++index e9af804..903fdfb 100644
++--- a/libknet/compat.h
+++++ b/libknet/compat.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Jan Friesse <jfriesse at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_COMPAT_H__
++diff --git a/libknet/compress.h b/libknet/compress.h
++index 47edddf..d43a9d5 100644
++--- a/libknet/compress.h
+++++ b/libknet/compress.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_COMPRESS_H__
++diff --git a/libknet/compress_model.h b/libknet/compress_model.h
++index 909f5a1..e69e491 100644
++--- a/libknet/compress_model.h
+++++ b/libknet/compress_model.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_COMPRESS_MODEL_H__
++diff --git a/libknet/crypto.h b/libknet/crypto.h
++index 707de32..f80cb43 100644
++--- a/libknet/crypto.h
+++++ b/libknet/crypto.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_CRYPTO_H__
++diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h
++index 9bb4f17..70f6238 100644
++--- a/libknet/crypto_model.h
+++++ b/libknet/crypto_model.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_CRYPTO_MODEL_H__
++diff --git a/libknet/host.h b/libknet/host.h
++index 4336b17..307b6e7 100644
++--- a/libknet/host.h
+++++ b/libknet/host.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_HOST_H__
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 12f613c..3f105a1 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_INTERNALS_H__
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 907213f..acd1c86 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __LIBKNET_H__
++diff --git a/libknet/links.h b/libknet/links.h
++index 7c0250d..e14958d 100644
++--- a/libknet/links.h
+++++ b/libknet/links.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_LINK_H__
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 60f7812..4617c9b 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_LINKS_ACL_H__
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index b33ffb1..f566c1e 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_LINKS_ACL_IP_H__
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index b51d2bf..d10764c 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_LINKS_ACL_LOOPBACK_H__
++diff --git a/libknet/logging.h b/libknet/logging.h
++index bdcd85e..01dcaf1 100644
++--- a/libknet/logging.h
+++++ b/libknet/logging.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_LOGGING_H__
++diff --git a/libknet/netutils.h b/libknet/netutils.h
++index bdc605e..b293115 100644
++--- a/libknet/netutils.h
+++++ b/libknet/netutils.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_NETUTILS_H__
++diff --git a/libknet/onwire.h b/libknet/onwire.h
++index ea45bfb..9815bc3 100644
++--- a/libknet/onwire.h
+++++ b/libknet/onwire.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_ONWIRE_H__
++diff --git a/libknet/tests/test-common.h b/libknet/tests/test-common.h
++index a498a09..f1375ab 100644
++--- a/libknet/tests/test-common.h
+++++ b/libknet/tests/test-common.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __KNET_TEST_COMMON_H__
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index cff7691..596de14 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_COMMON_H__
++diff --git a/libknet/threads_dsthandler.h b/libknet/threads_dsthandler.h
++index 0c968ff..db9117c 100644
++--- a/libknet/threads_dsthandler.h
+++++ b/libknet/threads_dsthandler.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_DSTHANDLER_H__
++diff --git a/libknet/threads_heartbeat.h b/libknet/threads_heartbeat.h
++index 2fcc9a0..b2580d1 100644
++--- a/libknet/threads_heartbeat.h
+++++ b/libknet/threads_heartbeat.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_HEARTBEAT_H__
++diff --git a/libknet/threads_pmtud.h b/libknet/threads_pmtud.h
++index 2cdcdbc..5ed3155 100644
++--- a/libknet/threads_pmtud.h
+++++ b/libknet/threads_pmtud.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_PMTUD_H__
++diff --git a/libknet/threads_rx.h b/libknet/threads_rx.h
++index ff8bd6e..b88c098 100644
++--- a/libknet/threads_rx.h
+++++ b/libknet/threads_rx.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_RX_H__
++diff --git a/libknet/threads_tx.h b/libknet/threads_tx.h
++index 7c4b2c0..28c4958 100644
++--- a/libknet/threads_tx.h
+++++ b/libknet/threads_tx.h
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_THREADS_TX_H__
++diff --git a/libknet/transport_common.h b/libknet/transport_common.h
++index 778af8b..0ca21d0 100644
++--- a/libknet/transport_common.h
+++++ b/libknet/transport_common.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_TRANSPORT_COMMON_H__
++diff --git a/libknet/transport_loopback.h b/libknet/transport_loopback.h
++index 6ce3ed3..a848ff8 100644
++--- a/libknet/transport_loopback.h
+++++ b/libknet/transport_loopback.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_sctp.h b/libknet/transport_sctp.h
++index 83a638b..0b8f320 100644
++--- a/libknet/transport_sctp.h
+++++ b/libknet/transport_sctp.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_udp.h b/libknet/transport_udp.h
++index 6de18e3..1dec863 100644
++--- a/libknet/transport_udp.h
+++++ b/libknet/transport_udp.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transports.h b/libknet/transports.h
++index 38f69ba..3a29ce6 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __KNET_TRANSPORTS_H__
++diff --git a/libnozzle/internals.h b/libnozzle/internals.h
++index 853e14e..c9192a8 100644
++--- a/libnozzle/internals.h
+++++ b/libnozzle/internals.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __NOZZLE_INTERNALS_H__
++diff --git a/libnozzle/libnozzle.h b/libnozzle/libnozzle.h
++index b8ab7d6..ad7c474 100644
++--- a/libnozzle/libnozzle.h
+++++ b/libnozzle/libnozzle.h
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #ifndef __LIBNOZZLE_H__
++diff --git a/libnozzle/tests/test-common.h b/libnozzle/tests/test-common.h
++index 4562ea2..fcfafef 100644
++--- a/libnozzle/tests/test-common.h
+++++ b/libnozzle/tests/test-common.h
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #ifndef __NOZZLE_TEST_COMMON_H__
++diff --git a/init/kronosnetd.in b/init/kronosnetd.in
++index 1823a3b..1da3273 100644
++--- a/init/kronosnetd.in
+++++ b/init/kronosnetd.in
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ # chkconfig: - 20 80
++diff --git a/init/kronosnetd.service.in b/init/kronosnetd.service.in
++index 4d2a32a..cfc80f7 100644
++--- a/init/kronosnetd.service.in
+++++ b/init/kronosnetd.service.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ [Unit]
++diff --git a/kronosnetd/kronosnetd.logrotate.in b/kronosnetd/kronosnetd.logrotate.in
++index 4ed1fd2..a8a6969 100644
++--- a/kronosnetd/kronosnetd.logrotate.in
+++++ b/kronosnetd/kronosnetd.logrotate.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ @LOGDIR at kronosnetd.log {
++diff --git a/libknet/libknet.pc.in b/libknet/libknet.pc.in
++index bb7b25c..021b2c4 100644
++--- a/libknet/libknet.pc.in
+++++ b/libknet/libknet.pc.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++
++ prefix=@prefix@
++diff --git a/libnozzle/libnozzle.pc.in b/libnozzle/libnozzle.pc.in
++index d6b2a15..9df0918 100644
++--- a/libnozzle/libnozzle.pc.in
+++++ b/libnozzle/libnozzle.pc.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++
++ prefix=@prefix@
++diff --git a/man/Doxyfile-knet.in b/man/Doxyfile-knet.in
++index f78e313..4750c9a 100644
++--- a/man/Doxyfile-knet.in
+++++ b/man/Doxyfile-knet.in
++@@ -4,7 +4,7 @@
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ # Christine Caulfield <ccaulfie at redhat.com>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ PROJECT_NAME = @PACKAGE_NAME@
++ PROJECT_NUMBER = @PACKAGE_VERSION@
++diff --git a/man/Doxyfile-nozzle.in b/man/Doxyfile-nozzle.in
++index 2855e50..793d49d 100644
++--- a/man/Doxyfile-nozzle.in
+++++ b/man/Doxyfile-nozzle.in
++@@ -4,7 +4,7 @@
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ # Christine Caulfield <ccaulfie at redhat.com>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ PROJECT_NAME = @PACKAGE_NAME@
++ PROJECT_NUMBER = @PACKAGE_VERSION@
++diff --git a/kronosnetd/cfg.c b/kronosnetd/cfg.c
++index 69d209a..406532a 100644
++--- a/kronosnetd/cfg.c
+++++ b/kronosnetd/cfg.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/etherfilter.c b/kronosnetd/etherfilter.c
++index 8542061..5f0d9fb 100644
++--- a/kronosnetd/etherfilter.c
+++++ b/kronosnetd/etherfilter.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/keygen.c b/kronosnetd/keygen.c
++index eb91473..42706ad 100644
++--- a/kronosnetd/keygen.c
+++++ b/kronosnetd/keygen.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/logging.c b/kronosnetd/logging.c
++index b3ef0d1..9c141cd 100644
++--- a/kronosnetd/logging.c
+++++ b/kronosnetd/logging.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/main.c b/kronosnetd/main.c
++index c1a8c2b..ec43871 100644
++--- a/kronosnetd/main.c
+++++ b/kronosnetd/main.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/vty.c b/kronosnetd/vty.c
++index d624bf4..2c5d4d3 100644
++--- a/kronosnetd/vty.c
+++++ b/kronosnetd/vty.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/vty_auth.c b/kronosnetd/vty_auth.c
++index cf997f9..30e0929 100644
++--- a/kronosnetd/vty_auth.c
+++++ b/kronosnetd/vty_auth.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/vty_cli.c b/kronosnetd/vty_cli.c
++index 68ff0da..95e4c8f 100644
++--- a/kronosnetd/vty_cli.c
+++++ b/kronosnetd/vty_cli.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/vty_cli_cmds.c b/kronosnetd/vty_cli_cmds.c
++index 18b11a0..e5ad496 100644
++--- a/kronosnetd/vty_cli_cmds.c
+++++ b/kronosnetd/vty_cli_cmds.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/kronosnetd/vty_utils.c b/kronosnetd/vty_utils.c
++index 3c5cc86..2cf5117 100644
++--- a/kronosnetd/vty_utils.c
+++++ b/kronosnetd/vty_utils.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/common.c b/libknet/common.c
++index be46f23..30e537e 100644
++--- a/libknet/common.c
+++++ b/libknet/common.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/compat.c b/libknet/compat.c
++index a60bca2..e808f33 100644
++--- a/libknet/compat.c
+++++ b/libknet/compat.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Jan Friesse <jfriesse at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 864828f..24755c7 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/compress_bzip2.c b/libknet/compress_bzip2.c
++index 521e206..5a972ff 100644
++--- a/libknet/compress_bzip2.c
+++++ b/libknet/compress_bzip2.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_lz4.c b/libknet/compress_lz4.c
++index 22b926f..60aa196 100644
++--- a/libknet/compress_lz4.c
+++++ b/libknet/compress_lz4.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_lz4hc.c b/libknet/compress_lz4hc.c
++index 9a69ab4..781bf12 100644
++--- a/libknet/compress_lz4hc.c
+++++ b/libknet/compress_lz4hc.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_lzma.c b/libknet/compress_lzma.c
++index e9ba2e3..7fdd178 100644
++--- a/libknet/compress_lzma.c
+++++ b/libknet/compress_lzma.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_lzo2.c b/libknet/compress_lzo2.c
++index e66d3dc..12066ed 100644
++--- a/libknet/compress_lzo2.c
+++++ b/libknet/compress_lzo2.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_zlib.c b/libknet/compress_zlib.c
++index 8807bb4..2fb12f5 100644
++--- a/libknet/compress_zlib.c
+++++ b/libknet/compress_zlib.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++index 6f9b499..f76ea5f 100644
++--- a/libknet/compress_zstd.c
+++++ b/libknet/compress_zstd.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 6c340f5..9f05fba 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 5c3a437..330b40c 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 999ed93..0cbc6f5 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++ #define KNET_MODULE
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 251d332..4835e99 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/host.c b/libknet/host.c
++index 66826c1..abb1f89 100644
++--- a/libknet/host.c
+++++ b/libknet/host.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/links.c b/libknet/links.c
++index 8011a6d..4ec308c 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 776408a..eb77e7b 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 9310f21..e479bbd 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 044a51c..0a0adec 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/logging.c b/libknet/logging.c
++index 5c91257..2efee1b 100644
++--- a/libknet/logging.c
+++++ b/libknet/logging.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/netutils.c b/libknet/netutils.c
++index 72bc659..e37f4fe 100644
++--- a/libknet/netutils.c
+++++ b/libknet/netutils.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_addrtostr.c b/libknet/tests/api_knet_addrtostr.c
++index 9adbf31..9cdf502 100644
++--- a/libknet/tests/api_knet_addrtostr.c
+++++ b/libknet/tests/api_knet_addrtostr.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_compress_list.c b/libknet/tests/api_knet_get_compress_list.c
++index 230e203..53e4192 100644
++--- a/libknet/tests/api_knet_get_compress_list.c
+++++ b/libknet/tests/api_knet_get_compress_list.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_crypto_list.c b/libknet/tests/api_knet_get_crypto_list.c
++index 4121aa4..760adab 100644
++--- a/libknet/tests/api_knet_get_crypto_list.c
+++++ b/libknet/tests/api_knet_get_crypto_list.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_id_by_name.c b/libknet/tests/api_knet_get_transport_id_by_name.c
++index 973814f..9bcd673 100644
++--- a/libknet/tests/api_knet_get_transport_id_by_name.c
+++++ b/libknet/tests/api_knet_get_transport_id_by_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_list.c b/libknet/tests/api_knet_get_transport_list.c
++index c748901..9ab5c10 100644
++--- a/libknet/tests/api_knet_get_transport_list.c
+++++ b/libknet/tests/api_knet_get_transport_list.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_name_by_id.c b/libknet/tests/api_knet_get_transport_name_by_id.c
++index a797cec..3233a1d 100644
++--- a/libknet/tests/api_knet_get_transport_name_by_id.c
+++++ b/libknet/tests/api_knet_get_transport_name_by_id.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_add_datafd.c b/libknet/tests/api_knet_handle_add_datafd.c
++index 7159399..3088797 100644
++--- a/libknet/tests/api_knet_handle_add_datafd.c
+++++ b/libknet/tests/api_knet_handle_add_datafd.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_clear_stats.c b/libknet/tests/api_knet_handle_clear_stats.c
++index 07f059a..0867b13 100644
++--- a/libknet/tests/api_knet_handle_clear_stats.c
+++++ b/libknet/tests/api_knet_handle_clear_stats.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_compress.c b/libknet/tests/api_knet_handle_compress.c
++index 1525e6a..40b6f39 100644
++--- a/libknet/tests/api_knet_handle_compress.c
+++++ b/libknet/tests/api_knet_handle_compress.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto.c
++index 9dbf5bc..1eed96e 100644
++--- a/libknet/tests/api_knet_handle_crypto.c
+++++ b/libknet/tests/api_knet_handle_crypto.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++index d08f175..be54bc4 100644
++--- a/libknet/tests/api_knet_handle_enable_access_lists.c
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_filter.c b/libknet/tests/api_knet_handle_enable_filter.c
++index 63b2166..e518b42 100644
++--- a/libknet/tests/api_knet_handle_enable_filter.c
+++++ b/libknet/tests/api_knet_handle_enable_filter.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_pmtud_notify.c b/libknet/tests/api_knet_handle_enable_pmtud_notify.c
++index 726c2cc..f11abc3 100644
++--- a/libknet/tests/api_knet_handle_enable_pmtud_notify.c
+++++ b/libknet/tests/api_knet_handle_enable_pmtud_notify.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_sock_notify.c b/libknet/tests/api_knet_handle_enable_sock_notify.c
++index 9c90600..adefb5a 100644
++--- a/libknet/tests/api_knet_handle_enable_sock_notify.c
+++++ b/libknet/tests/api_knet_handle_enable_sock_notify.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_free.c b/libknet/tests/api_knet_handle_free.c
++index 75319fc..53b6dc6 100644
++--- a/libknet/tests/api_knet_handle_free.c
+++++ b/libknet/tests/api_knet_handle_free.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_channel.c b/libknet/tests/api_knet_handle_get_channel.c
++index 3ade302..0196136 100644
++--- a/libknet/tests/api_knet_handle_get_channel.c
+++++ b/libknet/tests/api_knet_handle_get_channel.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_datafd.c b/libknet/tests/api_knet_handle_get_datafd.c
++index 8838b69..57aedf5 100644
++--- a/libknet/tests/api_knet_handle_get_datafd.c
+++++ b/libknet/tests/api_knet_handle_get_datafd.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_stats.c b/libknet/tests/api_knet_handle_get_stats.c
++index e8a83b4..38a0c97 100644
++--- a/libknet/tests/api_knet_handle_get_stats.c
+++++ b/libknet/tests/api_knet_handle_get_stats.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c b/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
++index 7a43823..f013a5b 100644
++--- a/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
+++++ b/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_new.c b/libknet/tests/api_knet_handle_new.c
++index b7af566..9559d4a 100644
++--- a/libknet/tests/api_knet_handle_new.c
+++++ b/libknet/tests/api_knet_handle_new.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_new_limit.c b/libknet/tests/api_knet_handle_new_limit.c
++index d51db97..fc3bdcd 100644
++--- a/libknet/tests/api_knet_handle_new_limit.c
+++++ b/libknet/tests/api_knet_handle_new_limit.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_get.c b/libknet/tests/api_knet_handle_pmtud_get.c
++index a1b1d12..803a288 100644
++--- a/libknet/tests/api_knet_handle_pmtud_get.c
+++++ b/libknet/tests/api_knet_handle_pmtud_get.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_getfreq.c b/libknet/tests/api_knet_handle_pmtud_getfreq.c
++index 5c5c7e0..23e3239 100644
++--- a/libknet/tests/api_knet_handle_pmtud_getfreq.c
+++++ b/libknet/tests/api_knet_handle_pmtud_getfreq.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_setfreq.c b/libknet/tests/api_knet_handle_pmtud_setfreq.c
++index b4eebda..2a720c3 100644
++--- a/libknet/tests/api_knet_handle_pmtud_setfreq.c
+++++ b/libknet/tests/api_knet_handle_pmtud_setfreq.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_remove_datafd.c b/libknet/tests/api_knet_handle_remove_datafd.c
++index 08a42ab..ace5df7 100644
++--- a/libknet/tests/api_knet_handle_remove_datafd.c
+++++ b/libknet/tests/api_knet_handle_remove_datafd.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c b/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
++index 80bbacb..c561559 100644
++--- a/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
+++++ b/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_setfwd.c b/libknet/tests/api_knet_handle_setfwd.c
++index 9658075..21a5c9f 100644
++--- a/libknet/tests/api_knet_handle_setfwd.c
+++++ b/libknet/tests/api_knet_handle_setfwd.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_add.c b/libknet/tests/api_knet_host_add.c
++index 762d0df..65104f5 100644
++--- a/libknet/tests/api_knet_host_add.c
+++++ b/libknet/tests/api_knet_host_add.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_enable_status_change_notify.c b/libknet/tests/api_knet_host_enable_status_change_notify.c
++index 96d133d..b0467a5 100644
++--- a/libknet/tests/api_knet_host_enable_status_change_notify.c
+++++ b/libknet/tests/api_knet_host_enable_status_change_notify.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_host_list.c b/libknet/tests/api_knet_host_get_host_list.c
++index 76fb23b..fc573bb 100644
++--- a/libknet/tests/api_knet_host_get_host_list.c
+++++ b/libknet/tests/api_knet_host_get_host_list.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_id_by_host_name.c b/libknet/tests/api_knet_host_get_id_by_host_name.c
++index 81ad504..745dbfa 100644
++--- a/libknet/tests/api_knet_host_get_id_by_host_name.c
+++++ b/libknet/tests/api_knet_host_get_id_by_host_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_name_by_host_id.c b/libknet/tests/api_knet_host_get_name_by_host_id.c
++index d239821..4604525 100644
++--- a/libknet/tests/api_knet_host_get_name_by_host_id.c
+++++ b/libknet/tests/api_knet_host_get_name_by_host_id.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_policy.c b/libknet/tests/api_knet_host_get_policy.c
++index 3160503..8511815 100644
++--- a/libknet/tests/api_knet_host_get_policy.c
+++++ b/libknet/tests/api_knet_host_get_policy.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_status.c b/libknet/tests/api_knet_host_get_status.c
++index b13c57a..3b46f0c 100644
++--- a/libknet/tests/api_knet_host_get_status.c
+++++ b/libknet/tests/api_knet_host_get_status.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_remove.c b/libknet/tests/api_knet_host_remove.c
++index 12d1f8f..36dd47c 100644
++--- a/libknet/tests/api_knet_host_remove.c
+++++ b/libknet/tests/api_knet_host_remove.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_set_name.c b/libknet/tests/api_knet_host_set_name.c
++index 88d6ce9..c899d33 100644
++--- a/libknet/tests/api_knet_host_set_name.c
+++++ b/libknet/tests/api_knet_host_set_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_set_policy.c b/libknet/tests/api_knet_host_set_policy.c
++index 41102d2..2583114 100644
++--- a/libknet/tests/api_knet_host_set_policy.c
+++++ b/libknet/tests/api_knet_host_set_policy.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++index ff7a2e2..52d6022 100644
++--- a/libknet/tests/api_knet_link_add_acl.c
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++index 234a76b..3516b4d 100644
++--- a/libknet/tests/api_knet_link_clear_acl.c
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_clear_config.c b/libknet/tests/api_knet_link_clear_config.c
++index 8d7800d..ff9c473 100644
++--- a/libknet/tests/api_knet_link_clear_config.c
+++++ b/libknet/tests/api_knet_link_clear_config.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_config.c b/libknet/tests/api_knet_link_get_config.c
++index 111b406..60a56fd 100644
++--- a/libknet/tests/api_knet_link_get_config.c
+++++ b/libknet/tests/api_knet_link_get_config.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_enable.c b/libknet/tests/api_knet_link_get_enable.c
++index 410c017..b0e1348 100644
++--- a/libknet/tests/api_knet_link_get_enable.c
+++++ b/libknet/tests/api_knet_link_get_enable.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_link_list.c b/libknet/tests/api_knet_link_get_link_list.c
++index e3dd73e..6114f83 100644
++--- a/libknet/tests/api_knet_link_get_link_list.c
+++++ b/libknet/tests/api_knet_link_get_link_list.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_ping_timers.c b/libknet/tests/api_knet_link_get_ping_timers.c
++index 5f0e9b1..414619f 100644
++--- a/libknet/tests/api_knet_link_get_ping_timers.c
+++++ b/libknet/tests/api_knet_link_get_ping_timers.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_pong_count.c b/libknet/tests/api_knet_link_get_pong_count.c
++index bbc993d..e032b96 100644
++--- a/libknet/tests/api_knet_link_get_pong_count.c
+++++ b/libknet/tests/api_knet_link_get_pong_count.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_priority.c b/libknet/tests/api_knet_link_get_priority.c
++index 29d7d2e..80538fe 100644
++--- a/libknet/tests/api_knet_link_get_priority.c
+++++ b/libknet/tests/api_knet_link_get_priority.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_status.c b/libknet/tests/api_knet_link_get_status.c
++index fe56734..5139692 100644
++--- a/libknet/tests/api_knet_link_get_status.c
+++++ b/libknet/tests/api_knet_link_get_status.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++index 79d04df..2f55c16 100644
++--- a/libknet/tests/api_knet_link_insert_acl.c
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++index d132c54..7217a4f 100644
++--- a/libknet/tests/api_knet_link_rm_acl.c
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index b96c628..c43a4de 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_enable.c b/libknet/tests/api_knet_link_set_enable.c
++index f48f1c0..17e6e03 100644
++--- a/libknet/tests/api_knet_link_set_enable.c
+++++ b/libknet/tests/api_knet_link_set_enable.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_ping_timers.c b/libknet/tests/api_knet_link_set_ping_timers.c
++index d823a81..46170f6 100644
++--- a/libknet/tests/api_knet_link_set_ping_timers.c
+++++ b/libknet/tests/api_knet_link_set_ping_timers.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_pong_count.c b/libknet/tests/api_knet_link_set_pong_count.c
++index 70fc57f..b8974e3 100644
++--- a/libknet/tests/api_knet_link_set_pong_count.c
+++++ b/libknet/tests/api_knet_link_set_pong_count.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_priority.c b/libknet/tests/api_knet_link_set_priority.c
++index a89392e..aac0ea2 100644
++--- a/libknet/tests/api_knet_link_set_priority.c
+++++ b/libknet/tests/api_knet_link_set_priority.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel.c b/libknet/tests/api_knet_log_get_loglevel.c
++index 4a62ead..4d4a52c 100644
++--- a/libknet/tests/api_knet_log_get_loglevel.c
+++++ b/libknet/tests/api_knet_log_get_loglevel.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel_id.c b/libknet/tests/api_knet_log_get_loglevel_id.c
++index 1053dff..379ba71 100644
++--- a/libknet/tests/api_knet_log_get_loglevel_id.c
+++++ b/libknet/tests/api_knet_log_get_loglevel_id.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel_name.c b/libknet/tests/api_knet_log_get_loglevel_name.c
++index 317ebb1..ef19af2 100644
++--- a/libknet/tests/api_knet_log_get_loglevel_name.c
+++++ b/libknet/tests/api_knet_log_get_loglevel_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_subsystem_id.c b/libknet/tests/api_knet_log_get_subsystem_id.c
++index 0b47805..cff9e8a 100644
++--- a/libknet/tests/api_knet_log_get_subsystem_id.c
+++++ b/libknet/tests/api_knet_log_get_subsystem_id.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_subsystem_name.c b/libknet/tests/api_knet_log_get_subsystem_name.c
++index 1b11fe6..0384730 100644
++--- a/libknet/tests/api_knet_log_get_subsystem_name.c
+++++ b/libknet/tests/api_knet_log_get_subsystem_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_set_loglevel.c b/libknet/tests/api_knet_log_set_loglevel.c
++index e729113..7a9232a 100644
++--- a/libknet/tests/api_knet_log_set_loglevel.c
+++++ b/libknet/tests/api_knet_log_set_loglevel.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_recv.c b/libknet/tests/api_knet_recv.c
++index 6e23353..99bd7bc 100644
++--- a/libknet/tests/api_knet_recv.c
+++++ b/libknet/tests/api_knet_recv.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index ca16e3d..ab9715a 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_compress.c b/libknet/tests/api_knet_send_compress.c
++index b03f4e7..6d5f445 100644
++--- a/libknet/tests/api_knet_send_compress.c
+++++ b/libknet/tests/api_knet_send_compress.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_crypto.c b/libknet/tests/api_knet_send_crypto.c
++index e33a808..11de857 100644
++--- a/libknet/tests/api_knet_send_crypto.c
+++++ b/libknet/tests/api_knet_send_crypto.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 2feca68..741b51d 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_sync.c b/libknet/tests/api_knet_send_sync.c
++index f2718c9..96cb716 100644
++--- a/libknet/tests/api_knet_send_sync.c
+++++ b/libknet/tests/api_knet_send_sync.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_strtoaddr.c b/libknet/tests/api_knet_strtoaddr.c
++index 57a8a0a..a0be1da 100644
++--- a/libknet/tests/api_knet_strtoaddr.c
+++++ b/libknet/tests/api_knet_strtoaddr.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++index 93dff63..41e7d59 100644
++--- a/libknet/tests/int_links_acl_ip.c
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/int_timediff.c b/libknet/tests/int_timediff.c
++index 12735d8..a878a31 100644
++--- a/libknet/tests/int_timediff.c
+++++ b/libknet/tests/int_timediff.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/knet_bench.c b/libknet/tests/knet_bench.c
++index 00cd58b..dfe5238 100644
++--- a/libknet/tests/knet_bench.c
+++++ b/libknet/tests/knet_bench.c
++@@ -3,7 +3,7 @@
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/tests/pckt_test.c b/libknet/tests/pckt_test.c
++index 56cf018..f3e2100 100644
++--- a/libknet/tests/pckt_test.c
+++++ b/libknet/tests/pckt_test.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include <stdio.h>
++diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
++index a4ff297..cd3f6c4 100644
++--- a/libknet/tests/test-common.c
+++++ b/libknet/tests/test-common.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index 53a6f9f..1f3e1e3 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_dsthandler.c b/libknet/threads_dsthandler.c
++index 2633188..0776107 100644
++--- a/libknet/threads_dsthandler.c
+++++ b/libknet/threads_dsthandler.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 8def9b8..8f8a7ec 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index b4ee632..603f595 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 626cbc4..b2a5dad 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index 8096906..32d65d5 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -4,7 +4,7 @@
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ * Federico Simoncelli <fsimon at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_common.c b/libknet/transport_common.c
++index fe40ad8..7286643 100644
++--- a/libknet/transport_common.c
+++++ b/libknet/transport_common.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_loopback.c b/libknet/transport_loopback.c
++index 54129d7..17253f5 100644
++--- a/libknet/transport_loopback.c
+++++ b/libknet/transport_loopback.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 2c1cdcc..d97d6f9 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 1537438..53d2ba0 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 51712df..93119c5 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/internals.c b/libnozzle/internals.c
++index f056e3b..53c0cdb 100644
++--- a/libnozzle/internals.c
+++++ b/libnozzle/internals.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/libnozzle.c b/libnozzle/libnozzle.c
++index b6e9566..15863ec 100644
++--- a/libnozzle/libnozzle.c
+++++ b/libnozzle/libnozzle.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_add_ip.c b/libnozzle/tests/api_nozzle_add_ip.c
++index bb81ba7..a9d76c6 100644
++--- a/libnozzle/tests/api_nozzle_add_ip.c
+++++ b/libnozzle/tests/api_nozzle_add_ip.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_close.c b/libnozzle/tests/api_nozzle_close.c
++index f1cbc77..7ba17c4 100644
++--- a/libnozzle/tests/api_nozzle_close.c
+++++ b/libnozzle/tests/api_nozzle_close.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_del_ip.c b/libnozzle/tests/api_nozzle_del_ip.c
++index 0178bb0..625484f 100644
++--- a/libnozzle/tests/api_nozzle_del_ip.c
+++++ b/libnozzle/tests/api_nozzle_del_ip.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_fd.c b/libnozzle/tests/api_nozzle_get_fd.c
++index 9b29faf..5dc5b4c 100644
++--- a/libnozzle/tests/api_nozzle_get_fd.c
+++++ b/libnozzle/tests/api_nozzle_get_fd.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_handle_by_name.c b/libnozzle/tests/api_nozzle_get_handle_by_name.c
++index 83c39bb..1fa5a0a 100644
++--- a/libnozzle/tests/api_nozzle_get_handle_by_name.c
+++++ b/libnozzle/tests/api_nozzle_get_handle_by_name.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_ips.c b/libnozzle/tests/api_nozzle_get_ips.c
++index c41024f..446a79a 100644
++--- a/libnozzle/tests/api_nozzle_get_ips.c
+++++ b/libnozzle/tests/api_nozzle_get_ips.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_mac.c b/libnozzle/tests/api_nozzle_get_mac.c
++index 1318ba5..f4c72cc 100644
++--- a/libnozzle/tests/api_nozzle_get_mac.c
+++++ b/libnozzle/tests/api_nozzle_get_mac.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_mtu.c b/libnozzle/tests/api_nozzle_get_mtu.c
++index 07b05ee..1b1f85e 100644
++--- a/libnozzle/tests/api_nozzle_get_mtu.c
+++++ b/libnozzle/tests/api_nozzle_get_mtu.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_name_by_handle.c b/libnozzle/tests/api_nozzle_get_name_by_handle.c
++index 5b8152b..0fe9eb4 100644
++--- a/libnozzle/tests/api_nozzle_get_name_by_handle.c
+++++ b/libnozzle/tests/api_nozzle_get_name_by_handle.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_open.c b/libnozzle/tests/api_nozzle_open.c
++index ee15316..413f2c2 100644
++--- a/libnozzle/tests/api_nozzle_open.c
+++++ b/libnozzle/tests/api_nozzle_open.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_run_updown.c b/libnozzle/tests/api_nozzle_run_updown.c
++index c80216a..1536b5b 100644
++--- a/libnozzle/tests/api_nozzle_run_updown.c
+++++ b/libnozzle/tests/api_nozzle_run_updown.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_down.c b/libnozzle/tests/api_nozzle_set_down.c
++index 90623ba..9466bdb 100644
++--- a/libnozzle/tests/api_nozzle_set_down.c
+++++ b/libnozzle/tests/api_nozzle_set_down.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_mac.c b/libnozzle/tests/api_nozzle_set_mac.c
++index dba7d49..244e866 100644
++--- a/libnozzle/tests/api_nozzle_set_mac.c
+++++ b/libnozzle/tests/api_nozzle_set_mac.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_mtu.c b/libnozzle/tests/api_nozzle_set_mtu.c
++index fc8ee1c..ce4ccbb 100644
++--- a/libnozzle/tests/api_nozzle_set_mtu.c
+++++ b/libnozzle/tests/api_nozzle_set_mtu.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_up.c b/libnozzle/tests/api_nozzle_set_up.c
++index d8de39d..d258b6a 100644
++--- a/libnozzle/tests/api_nozzle_set_up.c
+++++ b/libnozzle/tests/api_nozzle_set_up.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/int_execute_bin_sh_command.c b/libnozzle/tests/int_execute_bin_sh_command.c
++index 87531c0..97422a2 100644
++--- a/libnozzle/tests/int_execute_bin_sh_command.c
+++++ b/libnozzle/tests/int_execute_bin_sh_command.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/libnozzle/tests/test-common.c b/libnozzle/tests/test-common.c
++index c84aac1..b36be79 100644
++--- a/libnozzle/tests/test-common.c
+++++ b/libnozzle/tests/test-common.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ #include "config.h"
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index 7d9a60c..2f28976 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++
++diff --git a/poc-code/iov-hash/main.c b/poc-code/iov-hash/main.c
++index 61d2e12..fa407a2 100644
++--- a/poc-code/iov-hash/main.c
+++++ b/poc-code/iov-hash/main.c
++@@ -3,7 +3,7 @@
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++ */
++
++ /* Example code to illustrate DES enccryption/decryption using NSS.
++diff --git a/build-aux/check.mk b/build-aux/check.mk
++index 6da4417..f42e552 100644
++--- a/build-aux/check.mk
+++++ b/build-aux/check.mk
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ VALGRIND = $(VALGRIND_EXEC) -q --error-exitcode=127 --gen-suppressions=all
++diff --git a/build-aux/release.mk b/build-aux/release.mk
++index de3599d..003125d 100644
++--- a/build-aux/release.mk
+++++ b/build-aux/release.mk
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ # to build official release tarballs, handle tagging and publish.
++diff --git a/build-aux/update-copyright.sh b/build-aux/update-copyright.sh
++index fd50f8e..62c449c 100755
++--- a/build-aux/update-copyright.sh
+++++ b/build-aux/update-copyright.sh
++@@ -1,10 +1,10 @@
++ #!/bin/sh
++ #
++-# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
+++# Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ # script to update copyright dates across the tree
++diff --git a/init/kronosnetd.default b/init/kronosnetd.default
++index ed94648..9f6755c 100644
++--- a/init/kronosnetd.default
+++++ b/init/kronosnetd.default
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++
++diff --git a/libknet/libknet_exported_syms b/libknet/libknet_exported_syms
++index d8a55e2..1d8bddb 100644
++--- a/libknet/libknet_exported_syms
+++++ b/libknet/libknet_exported_syms
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++
++ LIBKNET {
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 427c388..102ec52 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -3,7 +3,7 @@
++ #
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ api_checks = \
++diff --git a/libknet/tests/api-test-coverage b/libknet/tests/api-test-coverage
++index bf0ccc3..e988ab1 100755
++--- a/libknet/tests/api-test-coverage
+++++ b/libknet/tests/api-test-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ srcdir="$1"/libknet/tests
++diff --git a/libnozzle/libnozzle_exported_syms b/libnozzle/libnozzle_exported_syms
++index 934b204..f6f62d2 100644
++--- a/libnozzle/libnozzle_exported_syms
+++++ b/libnozzle/libnozzle_exported_syms
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++
++ LIBNOZZLE {
++diff --git a/libnozzle/tests/api-test-coverage b/libnozzle/tests/api-test-coverage
++index cd99edf..4049ad9 100755
++--- a/libnozzle/tests/api-test-coverage
+++++ b/libnozzle/tests/api-test-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ srcdir="$1"/libnozzle/tests
++diff --git a/libnozzle/tests/nozzle_run_updown_exit_false b/libnozzle/tests/nozzle_run_updown_exit_false
++index 3f03ff6..795456a 100755
++--- a/libnozzle/tests/nozzle_run_updown_exit_false
+++++ b/libnozzle/tests/nozzle_run_updown_exit_false
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ exit 1
++diff --git a/libnozzle/tests/nozzle_run_updown_exit_true b/libnozzle/tests/nozzle_run_updown_exit_true
++index bbdcdd6..7b6e355 100755
++--- a/libnozzle/tests/nozzle_run_updown_exit_true
+++++ b/libnozzle/tests/nozzle_run_updown_exit_true
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ exit 0
++diff --git a/man/api-to-man-page-coverage b/man/api-to-man-page-coverage
++index b9dc18f..a1f54a3 100755
++--- a/man/api-to-man-page-coverage
+++++ b/man/api-to-man-page-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++
++ err=0
++diff --git a/man/knet-keygen.8 b/man/knet-keygen.8
++index 67ecf1f..96109c6 100644
++--- a/man/knet-keygen.8
+++++ b/man/knet-keygen.8
++@@ -5,7 +5,7 @@
++ .\" *
++ .\" * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ .\" *
++-.\" * This software licensed under GPL-2.0+, LGPL-2.0+
+++.\" * This software licensed under GPL-2.0+
++ .\" */
++ .TH "KRONOSNETD" "8" "November 2012" "kronosnetd key generator." "System Administration Utilities"
++
++diff --git a/man/kronosnetd.8 b/man/kronosnetd.8
++index 5661e1c..f4480be 100644
++--- a/man/kronosnetd.8
+++++ b/man/kronosnetd.8
++@@ -5,7 +5,7 @@
++ .\" *
++ .\" * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ .\" *
++-.\" * This software licensed under GPL-2.0+, LGPL-2.0+
+++.\" * This software licensed under GPL-2.0+
++ .\" */
++ .TH "KRONOSNETD" "8" "November 2012" "kronosnetd Usage:" "System Administration Utilities"
++
+diff --git a/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch b/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+new file mode 100644
+index 0000000..2404d7a
+--- /dev/null
++++ b/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+@@ -0,0 +1,79 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:37:15 +0200
++Subject: [PMTUd] create common/shared code to trigger PMTUd rerun
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5b02bef11afda959dc8cea4adc383f80ff0e9273)
++---
++ libknet/threads_common.h | 1 +
++ libknet/threads_common.c | 20 ++++++++++++++++++++
++ libknet/transport_udp.c | 17 +----------------
++ 3 files changed, 22 insertions(+), 16 deletions(-)
++
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index 79aaed2..19336ce 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -45,5 +45,6 @@ int shutdown_in_progress(knet_handle_t knet_h);
++ int get_global_wrlock(knet_handle_t knet_h);
++ int set_thread_status(knet_handle_t knet_h, uint8_t thread_id, uint8_t status);
++ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status);
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem);
++
++ #endif
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index b6012a2..61ffd82 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -156,3 +156,23 @@ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status)
++
++ return 0;
++ }
+++
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem)
+++{
+++ /*
+++ * we can only try to take a lock here. This part of the code
+++ * can be invoked by any thread, including PMTUd that is already
+++ * holding a lock at that stage.
+++ * If PMTUd is holding the lock, most likely it is already running
+++ * and we don't need to notify it back.
+++ */
+++ if (!pthread_mutex_trylock(&knet_h->pmtud_mutex)) {
+++ if (!knet_h->pmtud_running) {
+++ if (!knet_h->pmtud_forcerun) {
+++ log_debug(knet_h, subsystem, "Notifying PMTUd to rerun");
+++ knet_h->pmtud_forcerun = 1;
+++ }
+++ }
+++ pthread_mutex_unlock(&knet_h->pmtud_mutex);
+++ }
+++}
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 3fd69ee..232dbcb 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -340,22 +340,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ pthread_mutex_unlock(&knet_h->kmtu_mutex);
++ }
++
++- /*
++- * we can only try to take a lock here. This part of the code
++- * can be invoked by any thread, including PMTUd that is already
++- * holding a lock at that stage.
++- * If PMTUd is holding the lock, most likely it is already running
++- * and we don't need to notify it back.
++- */
++- if (!pthread_mutex_trylock(&knet_h->pmtud_mutex)) {
++- if (!knet_h->pmtud_running) {
++- if (!knet_h->pmtud_forcerun) {
++- log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Notifying PMTUd to rerun");
++- knet_h->pmtud_forcerun = 1;
++- }
++- }
++- pthread_mutex_unlock(&knet_h->pmtud_mutex);
++- }
+++ force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP);
++ }
++ /*
++ * those errors are way too noisy
+diff --git a/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch b/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+new file mode 100644
+index 0000000..31f4550
+--- /dev/null
++++ b/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 05:35:24 +0200
++Subject: [PMTUd] extend internal rerun API to allow full PMTUd reset
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6542aa98cccb2c9bc2c201ef47538a787a5e05fd)
++---
++ libknet/threads_common.h | 2 +-
++ libknet/handle.c | 2 +-
++ libknet/threads_common.c | 11 ++++++++++-
++ libknet/transport_udp.c | 2 +-
++ 4 files changed, 13 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index 19336ce..cff7691 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -45,6 +45,6 @@ int shutdown_in_progress(knet_handle_t knet_h);
++ int get_global_wrlock(knet_handle_t knet_h);
++ int set_thread_status(knet_handle_t knet_h, uint8_t thread_id, uint8_t status);
++ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status);
++-void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem);
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem, uint8_t reset_mtu);
++
++ #endif
++diff --git a/libknet/handle.c b/libknet/handle.c
++index e95c6c1..251d332 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1408,7 +1408,7 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++
++ exit_unlock:
++ if (!err) {
++- force_pmtud_run(knet_h, KNET_SUB_CRYPTO);
+++ force_pmtud_run(knet_h, KNET_SUB_CRYPTO, 1);
++ }
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++ errno = err ? savederrno : 0;
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index 61ffd82..53a6f9f 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -157,8 +157,17 @@ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status)
++ return 0;
++ }
++
++-void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem)
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem, uint8_t reset_mtu)
++ {
+++ if (reset_mtu) {
+++ log_debug(knet_h, subsystem, "PMTUd has been reset to default");
+++ knet_h->data_mtu = KNET_PMTUD_MIN_MTU_V4 - KNET_HEADER_ALL_SIZE - knet_h->sec_header_size;
+++ if (knet_h->pmtud_notify_fn) {
+++ knet_h->pmtud_notify_fn(knet_h->pmtud_notify_fn_private_data,
+++ knet_h->data_mtu);
+++ }
+++ }
+++
++ /*
++ * we can only try to take a lock here. This part of the code
++ * can be invoked by any thread, including PMTUd that is already
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 232dbcb..1537438 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -340,7 +340,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ pthread_mutex_unlock(&knet_h->kmtu_mutex);
++ }
++
++- force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP);
+++ force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP, 0);
++ }
++ /*
++ * those errors are way too noisy
+diff --git a/debian/patches/access-lists-add-access-lists-support-to-sctp.patch b/debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+new file mode 100644
+index 0000000..d962193
+--- /dev/null
++++ b/debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+@@ -0,0 +1,96 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 07:49:13 +0100
++Subject: [access lists] add access lists support to sctp
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d2333aab530d06ec502131aea03281ac13263d99)
++---
++ libknet/transport_sctp.c | 33 +++++++++++++++++++++++++++++++++
++ 1 file changed, 33 insertions(+)
++
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index cb64a32..0d69a33 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -19,6 +19,7 @@
++ #include "compat.h"
++ #include "host.h"
++ #include "links.h"
+++#include "links_acl.h"
++ #include "logging.h"
++ #include "common.h"
++ #include "transport_common.h"
++@@ -728,6 +729,15 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ addr_str, port_str);
+++ if (knet_h->use_access_lists) {
+++ if (!ipcheck_validate(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry, &ss)) {
+++ savederrno = EINVAL;
+++ err = -1;
+++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+++ close(new_fd);
+++ goto exit_error;
+++ }
+++ }
++
++ /*
++ * Keep a track of all accepted FDs
++@@ -936,6 +946,11 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ */
++ knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ if (err) {
+++ return NULL;
+++ }
++ return info;
++ }
++ }
++@@ -990,6 +1005,15 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ goto exit_error;
++ }
++
+++ if (ipcheck_addip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ savederrno = errno;
+++ err = -1;
+++ log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
+++ strerror(savederrno));
+++ goto exit_error;
+++ }
+++
++ memset(&ev, 0, sizeof(struct epoll_event));
++ ev.events = EPOLLIN;
++ ev.data.fd = listen_sock;
++@@ -1012,6 +1036,8 @@ exit_error:
++ if (info->on_listener_epoll) {
++ epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ }
+++ ipcheck_rmip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ if (listen_sock >= 0) {
++ close(listen_sock);
++ }
++@@ -1050,6 +1076,11 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ }
++ }
++
+++ if (ipcheck_rmip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
+++ }
+++
++ if (found) {
++ this_link_info->listener = NULL;
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP listener socket %d still in use", info->listen_sock);
++@@ -1080,6 +1111,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ goto exit_error;
++ }
++
+++ check_rmall(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry);
+++
++ close(info->listen_sock);
++
++ for (i=0; i< MAX_ACCEPTED_SOCKS; i++) {
+diff --git a/debian/patches/access-lists-add-documentation-for-enable_access_list.patch b/debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+new file mode 100644
+index 0000000..e07e54a
+--- /dev/null
++++ b/debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+@@ -0,0 +1,58 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 2 Mar 2019 07:49:19 +0100
++Subject: [access lists] add documentation for enable_access_list
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 21cf1a648999774053a9c7386b13eb5a64c1c7db)
++---
++ libknet/libknet.h | 28 ++++++++++++++++++++++------
++ 1 file changed, 22 insertions(+), 6 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 4283afe..03bbd97 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -505,21 +505,37 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++ /**
++ * knet_handle_enable_access_lists
++ *
++- * @brief Start packet forwarding
+++ * @brief Enable or disable usage of access lists (default: off)
++ *
++ * knet_h - pointer to knet_handle_t
++ *
++- * enable - set to 1 to use ip access lists, 0 to disable ip access_lists.
+++ * enable - set to 1 to use access lists, 0 to disable access_lists.
++ *
++ * @return
++ * knet_handle_enable_access_lists returns
++ * 0 on success
++ * -1 on error and errno is set.
++ *
++- * By default access lists usage is off, but default internal access lists
++- * will be populated regardless, but not enforced. TODO add long explanation
++- * on internal access lists for point to point connections vs global
++- * listeners etc.
+++ * access lists are bound to links. There are 2 types of links:
+++ * 1) point to point, where both source and destinations are well known
+++ * at configuration time.
+++ * 2) open links, where only the source is known at configuration time.
+++ *
+++ * knet will automatically generate access lists for point to point links.
+++ *
+++ * For open links, knet provides 3 API calls to manipulate access lists:
+++ * knet_link_add_acl, knet_link_rm_acl and knet_link_clear_acl.
+++ * Those API calls will work only and exclusively on open links as they
+++ * provide no use for point to point links.
+++ *
+++ * knet will not enforce any access list unless specifically enabled by
+++ * knet_handle_enable_access_lists.
+++ *
+++ * From a security / programming perspective we recommend to:
+++ * - create the knet handle
+++ * - enable access lists
+++ * - configure hosts and links
+++ * - configure access lists for open links
++ */
++
++ int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
+diff --git a/debian/patches/access-lists-add-errno-around-and-start-using-them.patch b/debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+new file mode 100644
+index 0000000..12c0f24
+--- /dev/null
++++ b/debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+@@ -0,0 +1,195 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 10:43:04 +0100
++Subject: [access lists] add errno around and start using them
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 9a5babce2066ecb61a5647345792675c2f9f416b)
++---
++ libknet/links.c | 14 +++++++-------
++ libknet/links_acl.c | 9 +++++++++
++ libknet/links_acl_ip.c | 12 ++++++++++--
++ libknet/transport_sctp.c | 16 +++++++---------
++ 4 files changed, 33 insertions(+), 18 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index dd64a15..1d21d05 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,9 +245,9 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ (link->dynamic == KNET_LINK_STATIC)) {
++ log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ host_id, link_id, link->outsock);
++- if (check_add(knet_h, link->outsock, transport,
++- &link->dst_addr, &link->dst_addr,
++- CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ if ((check_add(knet_h, link->outsock, transport,
+++ &link->dst_addr, &link->dst_addr,
+++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ savederrno = errno;
++ err = -1;
++@@ -428,11 +428,11 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ */
++ if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ (link->dynamic == KNET_LINK_STATIC)) {
++- if (check_rm(knet_h, link->outsock, link->transport,
++- &link->dst_addr, &link->dst_addr,
++- CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ if ((check_rm(knet_h, link->outsock, link->transport,
+++ &link->dst_addr, &link->dst_addr,
+++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
++ err = -1;
++- savederrno = EBUSY;
+++ savederrno = errno;
++ log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
++ host_id, link_id);
++ goto exit_unlock;
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index cfcc1fd..7605fe9 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -8,6 +8,7 @@
++
++ #include "config.h"
++
+++#include <errno.h>
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++@@ -19,6 +20,11 @@
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
++
+++/*
+++ * all those functions will return errno from the
+++ * protocol specific functions
+++ */
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++@@ -27,6 +33,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++
++ switch(transport_get_proto(knet_h, transport)) {
++ case LOOPBACK:
+++ errno = 0;
++ err = 0;
++ break;
++ case IP_PROTO:
++@@ -47,6 +54,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++
++ switch(transport_get_proto(knet_h, transport)) {
++ case LOOPBACK:
+++ errno = 0;
++ err = 0;
++ break;
++ case IP_PROTO:
++@@ -80,6 +88,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ {
++ switch(transport_get_proto(knet_h, transport)) {
++ case LOOPBACK:
+++ errno = 0;
++ return 1;
++ break;
++ case IP_PROTO:
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index ffd18a4..58c7b28 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -8,6 +8,7 @@
++
++ #include "config.h"
++
+++#include <errno.h>
++ #include <sys/socket.h>
++ #include <netinet/in.h>
++ #include <stdint.h>
++@@ -202,6 +203,7 @@ int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++
++ rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++ if (!rm_match_entry) {
+++ errno = ENOENT;
++ return -1;
++ }
++
++@@ -237,24 +239,30 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ struct acl_match_entry *match_entry = *match_entry_head;
++
++ if (!ip1) {
+++ errno = EINVAL;
++ return -1;
++ }
++
++ if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++ errno = EINVAL;
++ return -1;
++ }
++
++ if (type == CHECK_TYPE_RANGE &&
++- (ip1->ss_family != ip2->ss_family))
+++ (ip1->ss_family != ip2->ss_family)) {
+++ errno = EINVAL;
++ return -1;
+++ }
++
++ if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++ errno = EEXIST;
++ return -1;
++ }
++
++ new_match_entry = malloc(sizeof(struct acl_match_entry));
++- if (!new_match_entry)
+++ if (!new_match_entry) {
++ return -1;
+++ }
++
++ memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++ memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index ff7903c..aa0de9d 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -948,9 +948,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ */
++ knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++- err = check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++- if (err) {
+++ if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ return NULL;
++ }
++ return info;
++@@ -1007,8 +1006,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ goto exit_error;
++ }
++
++- if (check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ savederrno = errno;
++ err = -1;
++ log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
++@@ -1038,8 +1037,7 @@ exit_error:
++ if (info->on_listener_epoll) {
++ epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ }
++- check_rm(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ check_rmall(knet_h, listen_sock, KNET_TRANSPORT_SCTP);
++ if (listen_sock >= 0) {
++ close(listen_sock);
++ }
++@@ -1078,8 +1076,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ }
++ }
++
++- if (check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ if ((check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
++ }
++
+diff --git a/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch b/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+new file mode 100644
+index 0000000..e872279
+--- /dev/null
++++ b/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+@@ -0,0 +1,746 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 4 Mar 2019 13:07:04 +0100
++Subject: [access lists] add external API calls to manage access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6373dd2358b816beab2cc87bdf8ff196480b60cc)
++---
++ man/Makefile.am | 7 +-
++ libknet/libknet.h | 157 +++++++++++++++++++++-
++ libknet/links_acl.h | 15 +--
++ libknet/links_acl_ip.h | 2 +-
++ libknet/links_acl_loopback.h | 2 +-
++ libknet/links.c | 306 +++++++++++++++++++++++++++++++++++++++++-
++ libknet/links_acl.c | 4 +-
++ libknet/links_acl_ip.c | 49 ++++---
++ libknet/links_acl_loopback.c | 2 +-
++ libknet/tests/int_links_acl.c | 4 +-
++ libknet/transport_sctp.c | 4 +-
++ 11 files changed, 504 insertions(+), 48 deletions(-)
++
++diff --git a/man/Makefile.am b/man/Makefile.am
++index 6c15f0d..0ad12f6 100644
++--- a/man/Makefile.am
+++++ b/man/Makefile.am
++@@ -95,7 +95,12 @@ knet_man3_MANS = \
++ knet_recv.3 \
++ knet_send.3 \
++ knet_send_sync.3 \
++- knet_strtoaddr.3
+++ knet_strtoaddr.3 \
+++ knet_handle_enable_access_lists.3 \
+++ knet_link_add_acl.3 \
+++ knet_link_insert_acl.3 \
+++ knet_link_rm_acl.3 \
+++ knet_link_clear_acl.3
++
++ if BUILD_LIBNOZZLE
++ nozzle_man3_MANS = \
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 03bbd97..d616e11 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -524,12 +524,12 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++ * knet will automatically generate access lists for point to point links.
++ *
++ * For open links, knet provides 3 API calls to manipulate access lists:
++- * knet_link_add_acl, knet_link_rm_acl and knet_link_clear_acl.
+++ * knet_link_add_acl(3), knet_link_rm_acl(3) and knet_link_clear_acl(3).
++ * Those API calls will work only and exclusively on open links as they
++ * provide no use for point to point links.
++ *
++ * knet will not enforce any access list unless specifically enabled by
++- * knet_handle_enable_access_lists.
+++ * knet_handle_enable_access_lists(3).
++ *
++ * From a security / programming perspective we recommend to:
++ * - create the knet handle
++@@ -1477,6 +1477,159 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++
++ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
++
+++/*
+++ * access lists management for open links
+++ * see also knet_handle_enable_access_lists(3)
+++ */
+++
+++/*
+++ * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
+++ * for example: 10.1.9.3/32
+++ * and the entry is stored in ss1. ss2 can be NULL.
+++ *
+++ * CHECK_TYPE_MASK is used to configure network/netmask.
+++ * for example: 192.168.0.0/24
+++ * the network is stored in ss1 and the netmask in ss2.
+++ *
+++ * CHECK_TYPE_RANGE defines a value / range of ip addresses.
+++ * for example: 172.16.0.1-172.16.0.10
+++ * the start is stored in ss1 and the end in ss2.
+++ *
+++ * Please be aware that the above examples refers only to IP based protocols.
+++ * Other protocols might use ss1 and ss2 in slightly different ways.
+++ * At the moment knet only supports IP based protocol and that might change
+++ * in the future.
+++ */
+++
+++typedef enum {
+++ CHECK_TYPE_ADDRESS,
+++ CHECK_TYPE_MASK,
+++ CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++/*
+++ * accept or reject incoming packets defined in the access list entry
+++ */
+++
+++typedef enum {
+++ CHECK_ACCEPT,
+++ CHECK_REJECT
+++} check_acceptreject_t;
+++
+++/**
+++ * knet_link_add_acl
+++ *
+++ * @brief Add access list entry to an open link
+++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
+++ * host_id - see knet_host_add(3)
+++ *
+++ * link_id - see knet_link_set_config(3)
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * IMPORTANT: the order in which access lists are added is critical and it
+++ * is left to the user to add them in the right order. knet
+++ * will do no attempt to logically sort them.
+++ *
+++ * For example:
+++ * 1 - accept from 10.0.0.0/8
+++ * 2 - reject from 10.0.0.1/32
+++ *
+++ * is not the same as:
+++ *
+++ * 1 - reject from 10.0.0.1/32
+++ * 2 - accept from 10.0.0.0/8
+++ *
+++ * In the first example, rule number 2 will never match because
+++ * packets from 10.0.0.1 will be accepted by rule number 1.
+++ *
+++ * @return
+++ * knet_link_add_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_insert_acl
+++ *
+++ * @brief Insert access list entry to an open link at given index
+++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
+++ * host_id - see knet_host_add(3)
+++ *
+++ * link_id - see knet_link_set_config(3)
+++ *
+++ * index - insert at position "index" where 0 is the first entry and -1
+++ * append to the current list.
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * @return
+++ * knet_link_insert_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ int index,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_rm_acl
+++ *
+++ * @brief Remove access list entry from an open link
+++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
+++ * host_id - see knet_host_add(3)
+++ *
+++ * link_id - see knet_link_set_config(3)
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * IMPORTANT: the data passed to this API call must match exactly the ones used
+++ * in knet_link_add_acl(3).
+++ *
+++ * @return
+++ * knet_link_rm_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_clear_acl
+++ *
+++ * @brief Remove all access list entries from an open link
+++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
+++ * host_id - see knet_host_add(3)
+++ *
+++ * link_id - see knet_link_set_config(3)
+++ *
+++ * @return
+++ * knet_link_clear_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
+++
++ /**
++ * knet_link_set_enable
++ *
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index a64faa1..60f7812 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,23 +11,12 @@
++
++ #include "internals.h"
++
++-typedef enum {
++- CHECK_TYPE_ADDRESS,
++- CHECK_TYPE_MASK,
++- CHECK_TYPE_RANGE
++-} check_type_t;
++-
++-typedef enum {
++- CHECK_ACCEPT,
++- CHECK_REJECT
++-} check_acceptreject_t;
++-
++ typedef struct {
++ uint8_t transport_proto;
++
++ int (*protocheck_validate) (void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++- int (*protocheck_add) (void *fd_tracker_match_entry_head,
+++ int (*protocheck_add) (void *fd_tracker_match_entry_head, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++@@ -38,7 +27,7 @@ typedef struct {
++ void (*protocheck_rmall) (void *fd_tracker_match_entry_head);
++ } check_ops_t;
++
++-int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index e069b99..fac58e2 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -14,7 +14,7 @@
++
++ int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++-int ipcheck_addip(void *fd_tracker_match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index 73a9704..e75c4a4 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -14,7 +14,7 @@
++
++ int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++-int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++int loopbackcheck_add(void *fd_tracker_match_entry_head, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 1d21d05..0f02006 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,7 +245,7 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ (link->dynamic == KNET_LINK_STATIC)) {
++ log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ host_id, link_id, link->outsock);
++- if ((check_add(knet_h, link->outsock, transport,
+++ if ((check_add(knet_h, link->outsock, transport, -1,
++ &link->dst_addr, &link->dst_addr,
++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++@@ -1148,3 +1148,307 @@ exit_unlock:
++ errno = err ? savederrno : 0;
++ return err;
++ }
+++
+++int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ int savederrno = 0, err = 0;
+++ struct knet_host *host;
+++ struct knet_link *link;
+++
+++ if (!knet_h) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (!ss1) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type == CHECK_TYPE_RANGE) &&
+++ (ss1->ss_family != ss2->ss_family)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (link_id >= KNET_MAX_LINK) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ savederrno = get_global_wrlock(knet_h);
+++ if (savederrno) {
+++ log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ strerror(savederrno));
+++ errno = savederrno;
+++ return -1;
+++ }
+++
+++ host = knet_h->host_index[host_id];
+++ if (!host) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++ host_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ link = &host->link[link_id];
+++
+++ if (!link->configured) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ if (link->dynamic != KNET_LINK_DYNIP) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, -1,
+++ ss1, ss2, type, acceptreject);
+++ savederrno = errno;
+++
+++exit_unlock:
+++ pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++ errno = savederrno;
+++ return err;
+++}
+++
+++int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ int index,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ int savederrno = 0, err = 0;
+++ struct knet_host *host;
+++ struct knet_link *link;
+++
+++ if (!knet_h) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (!ss1) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type == CHECK_TYPE_RANGE) &&
+++ (ss1->ss_family != ss2->ss_family)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (link_id >= KNET_MAX_LINK) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ savederrno = get_global_wrlock(knet_h);
+++ if (savederrno) {
+++ log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ strerror(savederrno));
+++ errno = savederrno;
+++ return -1;
+++ }
+++
+++ host = knet_h->host_index[host_id];
+++ if (!host) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++ host_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ link = &host->link[link_id];
+++
+++ if (!link->configured) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ if (link->dynamic != KNET_LINK_DYNIP) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, index,
+++ ss1, ss2, type, acceptreject);
+++ savederrno = errno;
+++
+++exit_unlock:
+++ pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++ errno = savederrno;
+++ return err;
+++}
+++
+++int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++ struct sockaddr_storage *ss1,
+++ struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ int savederrno = 0, err = 0;
+++ struct knet_host *host;
+++ struct knet_link *link;
+++
+++ if (!knet_h) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (!ss1) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((type == CHECK_TYPE_RANGE) &&
+++ (ss1->ss_family != ss2->ss_family)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (link_id >= KNET_MAX_LINK) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ savederrno = get_global_wrlock(knet_h);
+++ if (savederrno) {
+++ log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ strerror(savederrno));
+++ errno = savederrno;
+++ return -1;
+++ }
+++
+++ host = knet_h->host_index[host_id];
+++ if (!host) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++ host_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ link = &host->link[link_id];
+++
+++ if (!link->configured) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ if (link->dynamic != KNET_LINK_DYNIP) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ err = check_rm(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport,
+++ ss1, ss2, type, acceptreject);
+++ savederrno = errno;
+++
+++exit_unlock:
+++ pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++ errno = savederrno;
+++ return err;
+++}
+++
+++int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id)
+++{
+++ int savederrno = 0, err = 0;
+++ struct knet_host *host;
+++ struct knet_link *link;
+++
+++ if (!knet_h) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (link_id >= KNET_MAX_LINK) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ savederrno = get_global_wrlock(knet_h);
+++ if (savederrno) {
+++ log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ strerror(savederrno));
+++ errno = savederrno;
+++ return -1;
+++ }
+++
+++ host = knet_h->host_index[host_id];
+++ if (!host) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++ host_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ link = &host->link[link_id];
+++
+++ if (!link->configured) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ if (link->dynamic != KNET_LINK_DYNIP) {
+++ err = -1;
+++ savederrno = EINVAL;
+++ log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++ host_id, link_id, strerror(savederrno));
+++ goto exit_unlock;
+++ }
+++
+++ check_rmall(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport);
+++
+++exit_unlock:
+++ pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++ errno = savederrno;
+++ return err;
+++}
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 0b1fcd0..776408a 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -31,12 +31,12 @@ static check_ops_t proto_check_modules_cmds[] = {
++ * protocol specific functions
++ */
++
++-int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
++- &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, index,
++ ss1, ss2, type, acceptreject);
++ }
++
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 2682a70..642027b 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -242,29 +242,14 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ return 0;
++ }
++
++-int ipcheck_addip(void *fd_tracker_match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++ struct ip_acl_match_entry *new_match_entry;
++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++-
++- if (!ss1) {
++- errno = EINVAL;
++- return -1;
++- }
++-
++- if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++- errno = EINVAL;
++- return -1;
++- }
++-
++- if (type == CHECK_TYPE_RANGE &&
++- (ss1->ss_family != ss2->ss_family)) {
++- errno = EINVAL;
++- return -1;
++- }
+++ int i = 0;
++
++ if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) {
++ errno = EEXIST;
++@@ -283,12 +268,32 @@ int ipcheck_addip(void *fd_tracker_match_entry_head,
++ new_match_entry->next = NULL;
++
++ if (match_entry) {
++- /* Find the end of the list */
++- /* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++- while (match_entry->next) {
++- match_entry = match_entry->next;
+++ /*
+++ * special case for index 0, since we need to update
+++ * the head of the list
+++ */
+++ if (index == 0) {
+++ *match_entry_head = new_match_entry;
+++ new_match_entry->next = match_entry;
+++ } else {
+++ /*
+++ * find the end of the list or stop at "index"
+++ */
+++ while ((match_entry->next) || (i < index)) {
+++ match_entry = match_entry->next;
+++ i++;
+++ }
+++ /*
+++ * insert if there are more entries in the list
+++ */
+++ if (match_entry->next) {
+++ new_match_entry->next = match_entry->next;
+++ }
+++ /*
+++ * add if we are at the end
+++ */
+++ match_entry->next = new_match_entry;
++ }
++- match_entry->next = new_match_entry;
++ } else {
++ /*
++ * first entry in the list
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index bb69130..97f8198 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -33,7 +33,7 @@ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++ return 0;
++ }
++
++-int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++int loopbackcheck_add(void *fd_tracker_match_entry_head, int index,
++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 05bd829..15e8e07 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -165,9 +165,9 @@ static int load_file(void)
++ }
++ else {
++ if (addr1.ss_family == AF_INET) {
++- ipcheck_addip(&match_entry_v4, &addr1, &addr2, type, acceptreject);
+++ ipcheck_addip(&match_entry_v4, -1, &addr1, &addr2, type, acceptreject);
++ } else {
++- ipcheck_addip(&match_entry_v6, &addr1, &addr2, type, acceptreject);
+++ ipcheck_addip(&match_entry_v6, -1, &addr1, &addr2, type, acceptreject);
++ }
++ }
++ next_record: {} /* empty statement to mollify the compiler */
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 819bc9a..bdfc98d 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -948,7 +948,7 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ */
++ knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++- if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++ if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP, -1,
++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ return NULL;
++ }
++@@ -1006,7 +1006,7 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ goto exit_error;
++ }
++
++- if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++ if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP, -1,
++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ savederrno = errno;
++ err = -1;
+diff --git a/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch b/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+new file mode 100644
+index 0000000..30639fd
+--- /dev/null
++++ b/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+@@ -0,0 +1,717 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 7 Mar 2019 15:31:28 +0100
++Subject: [access lists] add more extensive test for links_acl_ip
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8d42be74c7fdb58b8082c4a4d369d2facca467a9)
++---
++ libknet/tests/int_links_acl.txt | 8 -
++ libknet/tests/Makefile.am | 33 ++--
++ libknet/tests/int_links_acl.c | 211 ---------------------
++ libknet/tests/int_links_acl_ip.c | 399 +++++++++++++++++++++++++++++++++++++++
++ 4 files changed, 415 insertions(+), 236 deletions(-)
++ delete mode 100644 libknet/tests/int_links_acl.txt
++ delete mode 100644 libknet/tests/int_links_acl.c
++ create mode 100644 libknet/tests/int_links_acl_ip.c
++
++diff --git a/libknet/tests/int_links_acl.txt b/libknet/tests/int_links_acl.txt
++deleted file mode 100644
++index 5776d54..0000000
++--- a/libknet/tests/int_links_acl.txt
+++++ /dev/null
++@@ -1,8 +0,0 @@
++-AA192.168.1.1
++-AA192.168.1.2
++-RA192.168.0.3
++-AR192.168.0.0-192.168.0.250
++-AM192.168.2.0/255.255.255.0
++-AM1740::0/FFF0::0
++-RA1000::666
++-AR1000::1-2000::7FF
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index eae5c80..3e74ea8 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -13,8 +13,7 @@ include $(top_srcdir)/libknet/tests/api-check.mk
++
++ EXTRA_DIST = \
++ api-test-coverage \
++- api-check.mk \
++- int_links_acl.txt
+++ api-check.mk
++
++ AM_CPPFLAGS = -I$(top_srcdir)/libknet
++ AM_CFLAGS += $(PTHREAD_CFLAGS)
++@@ -34,6 +33,7 @@ check_PROGRAMS = \
++ $(fun_checks)
++
++ int_checks = \
+++ int_links_acl_ip_test \
++ int_timediff_test
++
++ fun_checks =
++@@ -45,7 +45,6 @@ benchmarks = \
++ noinst_PROGRAMS = \
++ api_knet_handle_new_limit_test \
++ pckt_test \
++- int_links_acl_test \
++ $(benchmarks) \
++ $(check_PROGRAMS)
++
++@@ -67,20 +66,20 @@ check-api-test-coverage:
++
++ pckt_test_SOURCES = pckt_test.c
++
++-int_links_acl_test_SOURCES = int_links_acl.c \
++- ../common.c \
++- ../compat.c \
++- ../logging.c \
++- ../netutils.c \
++- ../threads_common.c \
++- ../transports.c \
++- ../transport_common.c \
++- ../transport_loopback.c \
++- ../transport_sctp.c \
++- ../transport_udp.c \
++- ../links_acl.c \
++- ../links_acl_ip.c \
++- ../links_acl_loopback.c
+++int_links_acl_ip_test_SOURCES = int_links_acl_ip.c \
+++ ../common.c \
+++ ../compat.c \
+++ ../logging.c \
+++ ../netutils.c \
+++ ../threads_common.c \
+++ ../transports.c \
+++ ../transport_common.c \
+++ ../transport_loopback.c \
+++ ../transport_sctp.c \
+++ ../transport_udp.c \
+++ ../links_acl.c \
+++ ../links_acl_ip.c \
+++ ../links_acl_loopback.c
++
++ int_timediff_test_SOURCES = int_timediff.c
++
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++deleted file mode 100644
++index 15e8e07..0000000
++--- a/libknet/tests/int_links_acl.c
+++++ /dev/null
++@@ -1,211 +0,0 @@
++-/*
++- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++- *
++- * Author: Christine Caulfield <ccaulfie at redhat.com>
++- *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
++- */
++-
++-#include "config.h"
++-
++-#include <sys/types.h>
++-#include <sys/socket.h>
++-#include <netinet/in.h>
++-#include <stdio.h>
++-#include <stdlib.h>
++-#include <string.h>
++-#include <netdb.h>
++-
++-#include "internals.h"
++-#include "links_acl.h"
++-#include "links_acl_ip.h"
++-
++-static struct acl_match_entry *match_entry_v4;
++-static struct acl_match_entry *match_entry_v6;
++-
++-/* This is a test program .. remember! */
++-#define BUFLEN 1024
++-
++-static int get_ipaddress(char *buf, struct sockaddr_storage *addr)
++-{
++- struct addrinfo *info;
++- struct addrinfo hints;
++- int res;
++-
++- memset(&hints, 0, sizeof(hints));
++- hints.ai_family = AF_UNSPEC;
++-
++- res = getaddrinfo(buf, NULL, &hints, &info);
++- if (!res) {
++- memmove(addr, info->ai_addr, info->ai_addrlen);
++- freeaddrinfo(info);
++- }
++- return res;
++-}
++-
++-static int read_address(char *buf, struct sockaddr_storage *addr)
++-{
++- return get_ipaddress(buf, addr);
++-}
++-
++-static int read_mask(char *buf, struct sockaddr_storage *addr, struct sockaddr_storage *addr2)
++-{
++- char tmpbuf[BUFLEN];
++- char *slash;
++- int ret;
++-
++- slash = strchr(buf, '/');
++- if (!slash)
++- return 1;
++-
++- strncpy(tmpbuf, buf, slash-buf);
++- tmpbuf[slash-buf] = '\0';
++-
++- ret = get_ipaddress(tmpbuf, addr);
++- if (ret)
++- return ret;
++-
++- ret = get_ipaddress(slash+1, addr2);
++- if (ret)
++- return ret;
++-
++- return 0;
++-}
++-
++-static int read_range(char *buf, struct sockaddr_storage *addr1, struct sockaddr_storage *addr2)
++-{
++- char tmpbuf[BUFLEN];
++- char *hyphen;
++- int ret;
++-
++- hyphen = strchr(buf, '-');
++- if (!hyphen)
++- return 1;
++-
++- strncpy(tmpbuf, buf, hyphen-buf);
++- tmpbuf[hyphen-buf] = '\0';
++-
++- ret = get_ipaddress(tmpbuf, addr1);
++- if (ret)
++- return ret;
++-
++- ret = get_ipaddress(hyphen+1, addr2);
++- if (ret)
++- return ret;
++-
++- return 0;
++-}
++-
++-
++-static int load_file(void)
++-{
++- FILE *filterfile;
++- char filebuf[BUFLEN];
++- int line = 0;
++- int ret;
++- check_type_t type;
++- check_acceptreject_t acceptreject;
++- struct sockaddr_storage addr1;
++- struct sockaddr_storage addr2;
++-
++- ipcheck_rmall(&match_entry_v4);
++- ipcheck_rmall(&match_entry_v6);
++-
++- filterfile = fopen("int_links_acl.txt", "r");
++- if (!filterfile) {
++- fprintf(stderr, "Cannot open int_links_acl.txt\n");
++- return 1;
++- }
++-
++- while (fgets(filebuf, sizeof(filebuf), filterfile)) {
++- filebuf[strlen(filebuf)-1] = '\0'; /* remove trailing LF */
++- line++;
++-
++- /*
++- * First char is A (accept) or R (Reject)
++- */
++- switch(filebuf[0] & 0x5F) {
++- case 'A':
++- acceptreject = CHECK_ACCEPT;
++- break;
++- case 'R':
++- acceptreject = CHECK_REJECT;
++- break;
++- default:
++- fprintf(stderr, "Unknown record type on line %d: %s\n", line, filebuf);
++- goto next_record;
++- }
++-
++- /*
++- * Second char is the filter type:
++- * A Address
++- * M Mask
++- * R Range
++- */
++- switch(filebuf[1] & 0x5F) {
++- case 'A':
++- type = CHECK_TYPE_ADDRESS;
++- ret = read_address(filebuf+2, &addr1);
++- break;
++- case 'M':
++- type = CHECK_TYPE_MASK;
++- ret = read_mask(filebuf+2, &addr1, &addr2);
++- break;
++- case 'R':
++- type = CHECK_TYPE_RANGE;
++- ret = read_range(filebuf+2, &addr1, &addr2);
++- break;
++- default:
++- fprintf(stderr, "Unknown filter type on line %d: %s\n", line, filebuf);
++- goto next_record;
++- break;
++- }
++- if (ret) {
++- fprintf(stderr, "Failed to parse address on line %d: %s\n", line, filebuf);
++- }
++- else {
++- if (addr1.ss_family == AF_INET) {
++- ipcheck_addip(&match_entry_v4, -1, &addr1, &addr2, type, acceptreject);
++- } else {
++- ipcheck_addip(&match_entry_v6, -1, &addr1, &addr2, type, acceptreject);
++- }
++- }
++- next_record: {} /* empty statement to mollify the compiler */
++- }
++- fclose(filterfile);
++-
++- return 0;
++-}
++-
++-int main(int argc, char *argv[])
++-{
++- struct sockaddr_storage saddr;
++- struct acl_match_entry *match_entry;
++- int ret;
++- int i;
++-
++- if (load_file())
++- return 1;
++-
++- for (i=1; i<argc; i++) {
++- ret = get_ipaddress(argv[i], &saddr);
++- if (ret) {
++- fprintf(stderr, "Cannot parse address %s\n", argv[i]);
++- } else {
++- if (saddr.ss_family == AF_INET) {
++- match_entry = match_entry_v4;
++- } else {
++- match_entry = match_entry_v6;
++- }
++- if (ipcheck_validate(&match_entry, &saddr)) {
++- printf("%s is VALID\n", argv[i]);
++- } else {
++- printf("%s is not allowed\n", argv[i]);
++- }
++- }
++- }
++-
++- ipcheck_rmall(&match_entry_v4);
++- ipcheck_rmall(&match_entry_v6);
++- return 0;
++-}
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++new file mode 100644
++index 0000000..a7d2aed
++--- /dev/null
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -0,0 +1,399 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <sys/types.h>
+++#include <sys/socket.h>
+++#include <netinet/in.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <netdb.h>
+++#include <errno.h>
+++
+++#include "internals.h"
+++#include "links_acl.h"
+++#include "links_acl_ip.h"
+++
+++#include "test-common.h"
+++
+++static struct acl_match_entry *match_entry_v4;
+++static struct acl_match_entry *match_entry_v6;
+++
+++/* This is a test program .. remember! */
+++#define BUFLEN 1024
+++
+++static int get_ipaddress(const char *buf, struct sockaddr_storage *addr)
+++{
+++ struct addrinfo *info;
+++ struct addrinfo hints;
+++
+++ memset(&hints, 0, sizeof(hints));
+++ hints.ai_family = AF_UNSPEC;
+++
+++ if (getaddrinfo(buf, NULL, &hints, &info)) {
+++ return -1;
+++ }
+++
+++ memmove(addr, info->ai_addr, info->ai_addrlen);
+++ freeaddrinfo(info);
+++ return 0;
+++}
+++
+++static int read_2ip(const char *buf, const char *delim, struct sockaddr_storage *addr, struct sockaddr_storage *addr2)
+++{
+++ char tmpbuf[BUFLEN];
+++ char *deli;
+++
+++ deli = strstr(buf, delim);
+++ if (!deli) {
+++ return -1;
+++ }
+++
+++ strncpy(tmpbuf, buf, deli-buf);
+++ tmpbuf[deli-buf] = '\0';
+++
+++ if (get_ipaddress(tmpbuf, addr)) {
+++ return -1;
+++ }
+++
+++ if (get_ipaddress(deli+1, addr2)) {
+++ return -1;
+++ }
+++
+++ return 0;
+++}
+++
+++/*
+++ * be aware that ordering is important
+++ * so we can test all the rules with few
+++ * ipcheck_validate calls
+++ */
+++
+++const char *rules[100] = {
+++ /*
+++ * ipv4
+++ */
+++ "RA192.168.0.3", /* reject address */
+++ "AA192.168.0.1", /* accept address */
+++ "RR192.168.0.10-192.168.0.20", /* reject range */
+++ "AR192.168.0.0-192.168.0.255", /* accept range */
+++ "RM192.168.2.0/255.255.255.0", /* reject mask */
+++ "AM192.168.2.0/255.255.254.0", /* accept mask */
+++ /*
+++ * ipv6
+++ */
+++ "RA3ffe::3",
+++ "AA3ffe::1",
+++ "RR3ffe::10-3ffe::20",
+++ "AR3ffe::0-3ffe::ff",
+++ "RM3ffe:1::0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
+++ "AM3ffe:1::0/ffff:ffff:ffff:ffff::0"
+++};
+++
+++static int _ipcheck_addip(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ return ipcheck_addip(fd_tracker_match_entry_head, -1, ss1, ss2, type, acceptreject);
+++}
+++
+++static int default_rules(int load)
+++{
+++ int ret;
+++ check_type_t type;
+++ check_acceptreject_t acceptreject;
+++ struct sockaddr_storage addr1;
+++ struct sockaddr_storage addr2;
+++ int i = 0;
+++ int (*loadfn)(void *fd_tracker_match_entry_head, struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject);
+++
+++ if (load) {
+++ loadfn = _ipcheck_addip;
+++ } else {
+++ loadfn = ipcheck_rmip;
+++ }
+++
+++ while (rules[i] != NULL) {
+++ printf("Parsing rule: %s\n", rules[i]);
+++ memset(&addr1, 0, sizeof(struct sockaddr_storage));
+++ memset(&addr2, 0, sizeof(struct sockaddr_storage));
+++ /*
+++ * First char is A (accept) or R (Reject)
+++ */
+++ switch(rules[i][0] & 0x5F) {
+++ case 'A':
+++ acceptreject = CHECK_ACCEPT;
+++ break;
+++ case 'R':
+++ acceptreject = CHECK_REJECT;
+++ break;
+++ default:
+++ fprintf(stderr, "Unknown record type on line %d: %s\n", i, rules[i]);
+++ goto next_record;
+++ }
+++
+++ /*
+++ * Second char is the filter type:
+++ * A Address
+++ * M Mask
+++ * R Range
+++ */
+++ switch(rules[i][1] & 0x5F) {
+++ case 'A':
+++ type = CHECK_TYPE_ADDRESS;
+++ ret = get_ipaddress(rules[i]+2, &addr1);
+++ break;
+++ case 'M':
+++ type = CHECK_TYPE_MASK;
+++ ret = read_2ip(rules[i]+2, "/", &addr1, &addr2);
+++ break;
+++ case 'R':
+++ type = CHECK_TYPE_RANGE;
+++ ret = read_2ip(rules[i]+2, "-", &addr1, &addr2);
+++ break;
+++ default:
+++ fprintf(stderr, "Unknown filter type on line %d: %s\n", i, rules[i]);
+++ goto next_record;
+++ break;
+++ }
+++
+++ if (ret) {
+++ fprintf(stderr, "Failed to parse address on line %d: %s\n", i, rules[i]);
+++ return -1;
+++ } else {
+++ if (addr1.ss_family == AF_INET) {
+++ if (loadfn(&match_entry_v4, &addr1, &addr2, type, acceptreject) < 0) {
+++ fprintf(stderr, "Failed to add/rm address on line %d: %s (errno: %s)\n", i, rules[i], strerror(errno));
+++ return -1;
+++ }
+++ } else {
+++ if (loadfn(&match_entry_v6, &addr1, &addr2, type, acceptreject) < 0) {
+++ fprintf(stderr, "Failed to add/rm address on line %d: %s (errno: %s)\n", i, rules[i], strerror(errno));
+++ return -1;
+++ }
+++ }
+++ }
+++
+++ next_record:
+++ i++;
+++ }
+++
+++ return 0;
+++}
+++
+++const char *tests[100] = {
+++ /*
+++ * ipv4
+++ */
+++ "R192.168.0.3", /* reject address */
+++ "A192.168.0.1", /* accept address */
+++ "R192.168.0.11", /* reject range */
+++ "A192.168.0.8", /* accept range */
+++ "R192.168.2.1", /* reject mask */
+++ "A192.168.3.1", /* accept mask */
+++ /*
+++ * ipv6
+++ */
+++ "R3ffe::3",
+++ "A3ffe::1",
+++ "R3ffe::11",
+++ "A3ffe::8",
+++ "R3ffe:1::1",
+++ "A3ffe:1::1:1"
+++};
+++
+++const char *after_insert_tests[100] = {
+++ /*
+++ * ipv4
+++ */
+++ "R192.168.0.3", /* reject address */
+++ "A192.168.0.1", /* accept address */
+++ "R192.168.0.11", /* reject range */
+++ "A192.168.0.8", /* accept range */
+++ "A192.168.2.1", /* reject mask */
+++ "A192.168.3.1", /* accept mask */
+++ /*
+++ * ipv6
+++ */
+++ "R3ffe::3",
+++ "A3ffe::1",
+++ "R3ffe::11",
+++ "A3ffe::8",
+++ "A3ffe:1::1",
+++ "A3ffe:1::1:1"
+++};
+++
+++int test(void)
+++{
+++ int i = 0;
+++ int expected;
+++ struct sockaddr_storage saddr;
+++ struct acl_match_entry *match_entry;
+++
+++ /*
+++ * default tests
+++ */
+++ while (tests[i] != NULL) {
+++ /*
+++ * First char is A (accept) or R (Reject)
+++ */
+++ switch(tests[i][0] & 0x5F) {
+++ case 'A':
+++ expected = 1;
+++ break;
+++ case 'R':
+++ expected = 0;
+++ break;
+++ default:
+++ fprintf(stderr, "Unknown record type on line %d: %s\n", i, tests[i]);
+++ return FAIL;
+++ break;
+++ }
+++
+++ if (get_ipaddress(tests[i]+1, &saddr)) {
+++ fprintf(stderr, "Cannot parse address %s\n", tests[i]+1);
+++ return FAIL;
+++ }
+++
+++ if (saddr.ss_family == AF_INET) {
+++ match_entry = match_entry_v4;
+++ } else {
+++ match_entry = match_entry_v6;
+++ }
+++
+++ if (ipcheck_validate(&match_entry, &saddr) != expected) {
+++ fprintf(stderr, "Failed to check access list for ip: %s\n", tests[i]);
+++ return FAIL;
+++ }
+++ i++;
+++ }
+++
+++ /*
+++ * insert tests
+++ */
+++
+++ if (get_ipaddress("192.168.2.1", &saddr)) {
+++ fprintf(stderr, "Cannot parse address 192.168.2.1\n");
+++ return FAIL;
+++ }
+++
+++ if (ipcheck_addip(&match_entry_v4, 3, &saddr, &saddr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ fprintf(stderr, "Unable to insert address in position 3 192.168.2.1\n");
+++ return FAIL;
+++ }
+++
+++ if (get_ipaddress("3ffe:1::1", &saddr)) {
+++ fprintf(stderr, "Cannot parse address 3ffe:1::1\n");
+++ return FAIL;
+++ }
+++
+++ if (ipcheck_addip(&match_entry_v6, 3, &saddr, &saddr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ fprintf(stderr, "Unable to insert address in position 3 3ffe:1::1\n");
+++ return FAIL;
+++ }
+++
+++ while (after_insert_tests[i] != NULL) {
+++ /*
+++ * First char is A (accept) or R (Reject)
+++ */
+++ switch(after_insert_tests[i][0] & 0x5F) {
+++ case 'A':
+++ expected = 1;
+++ break;
+++ case 'R':
+++ expected = 0;
+++ break;
+++ default:
+++ fprintf(stderr, "Unknown record type on line %d: %s\n", i, after_insert_tests[i]);
+++ return FAIL;
+++ break;
+++ }
+++
+++ if (get_ipaddress(after_insert_tests[i]+1, &saddr)) {
+++ fprintf(stderr, "Cannot parse address %s\n", after_insert_tests[i]+1);
+++ return FAIL;
+++ }
+++
+++ if (saddr.ss_family == AF_INET) {
+++ match_entry = match_entry_v4;
+++ } else {
+++ match_entry = match_entry_v6;
+++ }
+++
+++ if (ipcheck_validate(&match_entry, &saddr) != expected) {
+++ fprintf(stderr, "Failed to check access list for ip: %s\n", after_insert_tests[i]);
+++ return FAIL;
+++ }
+++ i++;
+++ }
+++ return PASS;
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ struct sockaddr_storage saddr;
+++ struct acl_match_entry *match_entry;
+++ int ret = PASS;
+++ int i;
+++
+++ if (default_rules(1) < 0) {
+++ return -1;
+++ }
+++
+++ if (argc > 1) {
+++ /*
+++ * run manual check against default access lists
+++ */
+++ for (i=1; i<argc; i++) {
+++ if (get_ipaddress(argv[i], &saddr)) {
+++ fprintf(stderr, "Cannot parse address %s\n", argv[i]);
+++ ret = FAIL;
+++ goto out;
+++ } else {
+++ if (saddr.ss_family == AF_INET) {
+++ match_entry = match_entry_v4;
+++ } else {
+++ match_entry = match_entry_v6;
+++ }
+++ if (ipcheck_validate(&match_entry, &saddr)) {
+++ printf("%s is VALID\n", argv[i]);
+++ ret = PASS;
+++ } else {
+++ printf("%s is not allowed\n", argv[i]);
+++ ret = FAIL;
+++ }
+++ }
+++ }
+++ } else {
+++ /*
+++ * run automatic tests
+++ */
+++ ret = test();
+++ }
+++
+++ /*
+++ * test memory leaks with ipcheck_rmip
+++ */
+++ if (default_rules(0) < 0) {
+++ return FAIL;
+++ }
+++
+++ /*
+++ * test memory leaks with ipcheck_rmall
+++ */
+++ if (default_rules(1) < 0) {
+++ return FAIL;
+++ }
+++out:
+++ ipcheck_rmall(&match_entry_v4);
+++ ipcheck_rmall(&match_entry_v6);
+++
+++ return ret;
+++}
+diff --git a/debian/patches/access-lists-add-public-API-tests.patch b/debian/patches/access-lists-add-public-API-tests.patch
+new file mode 100644
+index 0000000..2be97b8
+--- /dev/null
++++ b/debian/patches/access-lists-add-public-API-tests.patch
+@@ -0,0 +1,1019 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 6 Mar 2019 13:08:34 +0100
++Subject: [access lists] add public API tests
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 31da8fa7b5d034980c38c2f5dcc6e3730f2031fa)
++---
++ libknet/tests/api_knet_link_add_acl.c | 246 +++++++++++++++++++++++++++++
++ libknet/tests/api_knet_link_clear_acl.c | 196 +++++++++++++++++++++++
++ libknet/tests/api_knet_link_insert_acl.c | 246 +++++++++++++++++++++++++++++
++ libknet/tests/api_knet_link_rm_acl.c | 256 +++++++++++++++++++++++++++++++
++ libknet/tests/api-check.mk | 18 ++-
++ 5 files changed, 961 insertions(+), 1 deletion(-)
++ create mode 100644 libknet/tests/api_knet_link_add_acl.c
++ create mode 100644 libknet/tests/api_knet_link_clear_acl.c
++ create mode 100644 libknet/tests/api_knet_link_insert_acl.c
++ create mode 100644 libknet/tests/api_knet_link_rm_acl.c
++
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++new file mode 100644
++index 0000000..b018165
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -0,0 +1,246 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++ knet_handle_t knet_h;
+++ int logfds[2];
+++ struct knet_host *host;
+++ struct knet_link *link;
+++ struct sockaddr_storage lo, lo6;
+++
+++ if (make_local_sockaddr(&lo, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ if (make_local_sockaddr6(&lo6, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ printf("Test knet_link_add_acl incorrect knet_h\n");
+++
+++ if ((!knet_link_add_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ setup_logpipes(logfds);
+++
+++ knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++ printf("Test knet_link_add_acl with unconfigured host\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with unconfigured link\n");
+++
+++ if (knet_host_add(knet_h, 1) < 0) {
+++ printf("knet_host_add failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with invalid link\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with invalid ss1\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with invalid ss2\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with non matching families\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with wrong check_type\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with wrong acceptreject\n");
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_add_acl with point to point link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_add_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ knet_link_clear_config(knet_h, 1, 0);
+++
+++ printf("Test knet_link_add_acl with dynamic link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list not empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ printf("knet_link_add_acl did not accept dynamic link error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ test();
+++
+++ return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++new file mode 100644
++index 0000000..78b7d79
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -0,0 +1,196 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++ knet_handle_t knet_h;
+++ int logfds[2];
+++ struct knet_host *host;
+++ struct knet_link *link;
+++ struct sockaddr_storage lo;
+++
+++ if (make_local_sockaddr(&lo, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ printf("Test knet_link_clear_acl incorrect knet_h\n");
+++
+++ if ((!knet_link_clear_acl(NULL, 1, 0)) || (errno != EINVAL)) {
+++ printf("knet_link_clear_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ setup_logpipes(logfds);
+++
+++ knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++ printf("Test knet_link_clear_acl with unconfigured host\n");
+++
+++ if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++ printf("knet_link_clear_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_clear_acl with unconfigured link\n");
+++
+++ if (knet_host_add(knet_h, 1) < 0) {
+++ printf("knet_host_add failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++ printf("knet_link_clear_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_clear_acl with invalid link\n");
+++
+++ if ((!knet_link_clear_acl(knet_h, 1, KNET_MAX_LINK)) || (errno != EINVAL)) {
+++ printf("knet_link_clear_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_clear_acl with point to point link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++ printf("knet_link_clear_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ knet_link_clear_config(knet_h, 1, 0);
+++
+++ printf("Test knet_link_clear_acl with dynamic link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list NOT empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ printf("knet_link_clear_acl did not accept dynamic link error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_clear_acl(knet_h, 1, 0) < 0) {
+++ printf("knet_link_clear_acl failed to clear. error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list NOT empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ test();
+++
+++ return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++new file mode 100644
++index 0000000..547f92b
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -0,0 +1,246 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++ knet_handle_t knet_h;
+++ int logfds[2];
+++ struct knet_host *host;
+++ struct knet_link *link;
+++ struct sockaddr_storage lo, lo6;
+++
+++ if (make_local_sockaddr(&lo, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ if (make_local_sockaddr6(&lo6, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ printf("Test knet_link_insert_acl incorrect knet_h\n");
+++
+++ if ((!knet_link_insert_acl(NULL, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ setup_logpipes(logfds);
+++
+++ knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++ printf("Test knet_link_insert_acl with unconfigured host\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with unconfigured link\n");
+++
+++ if (knet_host_add(knet_h, 1) < 0) {
+++ printf("knet_host_add failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with invalid link\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, KNET_MAX_LINK, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with invalid ss1\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with invalid ss2\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with non matching families\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with wrong check_type\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with wrong acceptreject\n");
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_insert_acl with point to point link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_insert_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ knet_link_clear_config(knet_h, 1, 0);
+++
+++ printf("Test knet_link_insert_acl with dynamic link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list not empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ printf("knet_link_insert_acl did not accept dynamic link error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ test();
+++
+++ return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++new file mode 100644
++index 0000000..49a82d9
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -0,0 +1,256 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++ knet_handle_t knet_h;
+++ int logfds[2];
+++ struct knet_host *host;
+++ struct knet_link *link;
+++ struct sockaddr_storage lo, lo6;
+++
+++ if (make_local_sockaddr(&lo, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ if (make_local_sockaddr6(&lo6, 0) < 0) {
+++ printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ printf("Test knet_link_rm_acl incorrect knet_h\n");
+++
+++ if ((!knet_link_rm_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
+++ setup_logpipes(logfds);
+++
+++ knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++ printf("Test knet_link_rm_acl with unconfigured host\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with unconfigured link\n");
+++
+++ if (knet_host_add(knet_h, 1) < 0) {
+++ printf("knet_host_add failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with invalid link\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with invalid ss1\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with invalid ss2\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with non matching families\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with wrong check_type\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with wrong acceptreject\n");
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_link_rm_acl with point to point link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++ printf("knet_link_rm_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ knet_link_clear_config(knet_h, 1, 0);
+++
+++ printf("Test knet_link_rm_acl with dynamic link\n");
+++
+++ if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++ printf("Unable to configure link: %s\n", strerror(errno));
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list not empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ printf("Failed to add an access list: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++ printf("knet_link_rm_acl did not accept dynamic link error: %s\n", strerror(errno));
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++ printf("match list NOT empty!");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ test();
+++
+++ return PASS;
+++}
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 247ed58..427c388 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -68,7 +68,11 @@ api_checks = \
++ api_knet_link_set_enable_test \
++ api_knet_link_get_enable_test \
++ api_knet_link_get_link_list_test \
++- api_knet_link_get_status_test
+++ api_knet_link_get_status_test \
+++ api_knet_link_add_acl_test \
+++ api_knet_link_insert_acl_test \
+++ api_knet_link_rm_acl_test \
+++ api_knet_link_clear_acl_test
++
++ api_knet_handle_new_test_SOURCES = api_knet_handle_new.c \
++ test-common.c
++@@ -256,3 +260,15 @@ api_knet_link_get_link_list_test_SOURCES = api_knet_link_get_link_list.c \
++
++ api_knet_link_get_status_test_SOURCES = api_knet_link_get_status.c \
++ test-common.c
+++
+++api_knet_link_add_acl_test_SOURCES = api_knet_link_add_acl.c \
+++ test-common.c
+++
+++api_knet_link_insert_acl_test_SOURCES = api_knet_link_insert_acl.c \
+++ test-common.c
+++
+++api_knet_link_rm_acl_test_SOURCES = api_knet_link_rm_acl.c \
+++ test-common.c
+++
+++api_knet_link_clear_acl_test_SOURCES = api_knet_link_clear_acl.c \
+++ test-common.c
+diff --git a/debian/patches/access-lists-add-tests-for-default-access-lists.patch b/debian/patches/access-lists-add-tests-for-default-access-lists.patch
+new file mode 100644
+index 0000000..24d97e5
+--- /dev/null
++++ b/debian/patches/access-lists-add-tests-for-default-access-lists.patch
+@@ -0,0 +1,63 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 06:47:41 +0100
++Subject: [access lists] add tests for default access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c48b048e3b340ea7696c3300fb64928b22018233)
++---
++ libknet/tests/api_knet_link_set_config.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index 8679428..5fed9be 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -24,6 +24,8 @@
++ static void test(void)
++ {
++ knet_handle_t knet_h;
+++ struct knet_host *host;
+++ struct knet_link *link;
++ int logfds[2];
++ char src_portstr[32];
++ char dst_portstr[32];
++@@ -140,6 +142,19 @@ static void test(void)
++ exit(FAIL);
++ }
++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++ printf("found access lists for dynamic dst_addr!\n");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
++ if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
++ printf("Unable to get link status: %s\n", strerror(errno));
++ knet_link_clear_config(knet_h, 1, 0);
++@@ -244,6 +259,19 @@ static void test(void)
++ exit(FAIL);
++ }
++
+++ host = knet_h->host_index[1];
+++ link = &host->link[0];
+++
+++ if (!knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++ printf("Unable to find default access lists for static dst_addr!\n");
+++ knet_link_clear_config(knet_h, 1, 0);
+++ knet_host_remove(knet_h, 1);
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
++ if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
++ printf("Unable to get link status: %s\n", strerror(errno));
++ knet_link_clear_config(knet_h, 1, 0);
+diff --git a/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch b/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+new file mode 100644
+index 0000000..a9b0ea7
+--- /dev/null
++++ b/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+@@ -0,0 +1,61 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 07:23:09 +0100
++Subject: [access lists] allow knet_bench to enable/disable access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a7fa047d1bdae266cfef18fc31d87072b7dfd6d3)
++---
++ libknet/tests/knet_bench.c | 12 +++++++++++-
++ 1 file changed, 11 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/tests/knet_bench.c b/libknet/tests/knet_bench.c
++index b208b3e..00cd58b 100644
++--- a/libknet/tests/knet_bench.c
+++++ b/libknet/tests/knet_bench.c
++@@ -46,6 +46,7 @@ static int wait_for_perf_rx = 0;
++ static char *compresscfg = NULL;
++ static char *cryptocfg = NULL;
++ static int machine_output = 0;
+++static int use_access_lists = 0;
++
++ static int bench_shutdown_in_progress = 0;
++ static pthread_mutex_t shutdown_mutex = PTHREAD_MUTEX_INITIALIZER;
++@@ -78,6 +79,7 @@ static void print_help(void)
++ printf("knet_bench usage:\n");
++ printf(" -h print this help (no really)\n");
++ printf(" -d enable debug logs (default INFO)\n");
+++ printf(" -f enable use of access lists (default: off)\n");
++ printf(" -c [implementation]:[crypto]:[hashing] crypto configuration. (default disabled)\n");
++ printf(" Example: -c nss:aes128:sha1\n");
++ printf(" -z [implementation]:[level]:[threshold] compress configuration. (default disabled)\n");
++@@ -248,7 +250,7 @@ static void setup_knet(int argc, char *argv[])
++
++ memset(nodes, 0, sizeof(nodes));
++
++- while ((rv = getopt(argc, argv, "aCT:S:s:ldom:wb:t:n:c:p:X::P:z:h")) != EOF) {
+++ while ((rv = getopt(argc, argv, "aCT:S:s:ldfom:wb:t:n:c:p:X::P:z:h")) != EOF) {
++ switch(rv) {
++ case 'h':
++ print_help();
++@@ -260,6 +262,9 @@ static void setup_knet(int argc, char *argv[])
++ case 'd':
++ debug = KNET_LOG_DEBUG;
++ break;
+++ case 'f':
+++ use_access_lists = 1;
+++ break;
++ case 'c':
++ if (cryptocfg) {
++ printf("Error: -c can only be specified once\n");
++@@ -456,6 +461,11 @@ static void setup_knet(int argc, char *argv[])
++ exit(FAIL);
++ }
++
+++ if (knet_handle_enable_access_lists(knet_h, use_access_lists) < 0) {
+++ printf("Unable to knet_handle_enable_access_lists: %s\n", strerror(errno));
+++ exit(FAIL);
+++ }
+++
++ if (cryptocfg) {
++ memset(&knet_handle_crypto_cfg, 0, sizeof(knet_handle_crypto_cfg));
++ cryptomodel = strtok(cryptocfg, ":");
+diff --git a/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch b/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+new file mode 100644
+index 0000000..5c0c247
+--- /dev/null
++++ b/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+@@ -0,0 +1,283 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 06:32:42 +0100
++Subject: [access lists] automatically add and remove point to point access
++ lists
++
++those are not used just yet.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a08389d536726927f2438a7e0bfe6b86244779ab)
++---
++ libknet/links_acl.h | 7 +++-
++ libknet/links.c | 96 +++++++++++++++++++++++++++++++++++++++++++
++ libknet/links_acl.c | 62 +++++++++++++++++++++++++++-
++ libknet/tests/int_links_acl.c | 8 ++--
++ 4 files changed, 166 insertions(+), 7 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 26b0f36..f4713d6 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -13,10 +13,13 @@
++
++ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
++
++-void ipcheck_clear(struct acl_match_entry **match_entry_head);
++-
++ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++void check_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 010aeb6..6c75c35 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -20,6 +20,56 @@
++ #include "transports.h"
++ #include "host.h"
++ #include "threads_common.h"
+++#include "links_acl.h"
+++
+++static void _link_del_all_acl(knet_handle_t knet_h, int sock)
+++{
+++ check_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++}
+++
+++static int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++ int err = -1;
+++
+++ switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++ case LOOPBACK:
+++ /*
+++ * loopback does not require access lists
+++ */
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ break;
+++ default:
+++ break;
+++ }
+++
+++ return err;
+++}
+++
+++static int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++ int err = -1;
+++
+++ switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++ case LOOPBACK:
+++ /*
+++ * loopback does not require access lists
+++ */
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ break;
+++ default:
+++ break;
+++ }
+++
+++ return err;
+++}
++
++ int _link_updown(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
++ unsigned int enabled, unsigned int connected)
++@@ -234,6 +284,21 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ err = -1;
++ goto exit_unlock;
++ }
+++
+++ /*
+++ * we can only configure default access lists if we know both endpoints
+++ */
+++ if (link->dynamic == KNET_LINK_STATIC) {
+++ log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u",
+++ host_id, link_id);
+++ if (_link_add_default_acl(knet_h, link) < 0) {
+++ log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
+++ savederrno = errno;
+++ err = -1;
+++ goto exit_unlock;
+++ }
+++ }
+++
++ link->configured = 1;
++ log_debug(knet_h, KNET_SUB_LINK, "host: %u link: %u is configured",
++ host_id, link_id);
++@@ -351,6 +416,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ int savederrno = 0, err = 0;
++ struct knet_host *host;
++ struct knet_link *link;
+++ int sock;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -397,6 +463,28 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ goto exit_unlock;
++ }
++
+++ /*
+++ * remove well known access lists here.
+++ * After the transport has done clearing the config,
+++ * then we can remove any leftover access lists if the link
+++ * is no longer in use.
+++ */
+++ if (link->dynamic == KNET_LINK_STATIC) {
+++ if (_link_rm_default_acl(knet_h, link) < 0) {
+++ err = -1;
+++ savederrno = EBUSY;
+++ log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
+++ host_id, link_id);
+++ goto exit_unlock;
+++ }
+++ }
+++
+++ /*
+++ * cache it for later as we don't know if the transport
+++ * will clear link info during clear_config.
+++ */
+++ sock = link->outsock;
+++
++ if ((transport_link_clear_config(knet_h, link) < 0) &&
++ (errno != EBUSY)) {
++ savederrno = errno;
++@@ -404,6 +492,14 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ goto exit_unlock;
++ }
++
+++ /*
+++ * remove any other access lists when the socket is no
+++ * longer in use by the transport.
+++ */
+++ if (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS) {
+++ _link_del_all_acl(knet_h, sock);
+++ }
+++
++ memset(link, 0, sizeof(struct knet_link));
++ link->link_id = link_id;
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index fe84088..2ad3e90 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -150,7 +150,7 @@ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_
++ * Routines to manuipulate access lists
++ */
++
++-void ipcheck_clear(struct acl_match_entry **match_entry_head)
+++void check_rmall(struct acl_match_entry **match_entry_head)
++ {
++ struct acl_match_entry *next_match_entry;
++ struct acl_match_entry *match_entry = *match_entry_head;
++@@ -163,6 +163,62 @@ void ipcheck_clear(struct acl_match_entry **match_entry_head)
++ *match_entry_head = NULL;
++ }
++
+++static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ while (match_entry) {
+++ if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
+++ (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++ (match_entry->type == type) &&
+++ (match_entry->acceptreject == acceptreject)) {
+++ return match_entry;
+++ }
+++ match_entry = match_entry->next;
+++ }
+++
+++ return NULL;
+++}
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ struct acl_match_entry *next_match_entry = NULL;
+++ struct acl_match_entry *rm_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++ if (!rm_match_entry) {
+++ return -1;
+++ }
+++
+++ while (match_entry) {
+++ next_match_entry = match_entry->next;
+++ /*
+++ * we are removing the list head, be careful
+++ */
+++ if (rm_match_entry == match_entry) {
+++ *match_entry_head = next_match_entry;
+++ free(match_entry);
+++ break;
+++ }
+++ /*
+++ * the next one is the one we need to remove
+++ */
+++ if (rm_match_entry == next_match_entry) {
+++ match_entry->next = next_match_entry->next;
+++ free(next_match_entry);
+++ break;
+++ }
+++ match_entry = next_match_entry;
+++ }
+++
+++ return 0;
+++}
+++
++ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++@@ -182,6 +238,10 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ (ip1->ss_family != ip2->ss_family))
++ return -1;
++
+++ if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++ return -1;
+++ }
+++
++ new_match_entry = malloc(sizeof(struct acl_match_entry));
++ if (!new_match_entry)
++ return -1;
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 1e7f426..129aabe 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -106,8 +106,8 @@ static int load_file(void)
++ struct sockaddr_storage addr1;
++ struct sockaddr_storage addr2;
++
++- ipcheck_clear(&match_entry_v4);
++- ipcheck_clear(&match_entry_v6);
+++ check_rmall(&match_entry_v4);
+++ check_rmall(&match_entry_v6);
++
++ filterfile = fopen("int_links_acl.txt", "r");
++ if (!filterfile) {
++@@ -203,7 +203,7 @@ int main(int argc, char *argv[])
++ }
++ }
++
++- ipcheck_clear(&match_entry_v4);
++- ipcheck_clear(&match_entry_v6);
+++ check_rmall(&match_entry_v4);
+++ check_rmall(&match_entry_v6);
++ return 0;
++ }
+diff --git a/debian/patches/access-lists-cleanup-API-a-bit.patch b/debian/patches/access-lists-cleanup-API-a-bit.patch
+new file mode 100644
+index 0000000..b88c2b5
+--- /dev/null
++++ b/debian/patches/access-lists-cleanup-API-a-bit.patch
+@@ -0,0 +1,98 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:21:29 +0100
++Subject: [access lists] cleanup API a bit
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 34d87fab04c1e1329f0066adf595d575dac3d0de)
++---
++ libknet/links_acl.h | 3 ++-
++ libknet/links_acl.c | 26 +++++++++++++-------------
++ libknet/threads_rx.c | 2 +-
++ libknet/transport_sctp.c | 2 +-
++ 4 files changed, 17 insertions(+), 16 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 020ec05..0ad50e6 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -37,8 +37,9 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
+++int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
+++
++ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 85a792d..520a934 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -71,22 +71,10 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ }
++ }
++
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++ /*
++ * return 0 to reject and 1 to accept a packet
++ */
++-int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
+++int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++ switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
++ case LOOPBACK:
++@@ -103,3 +91,15 @@ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct socka
++ */
++ return 0;
++ }
+++
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++ return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++}
+++
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++ return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++}
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 06a0168..5fa51c4 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -808,7 +808,7 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ */
++ if ((knet_h->use_access_lists) &&
++ (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++- if (!_generic_filter_packet_by_acl(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
+++ if (!check_validate(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
++ char src_ipaddr[KNET_MAX_HOST_LEN];
++ char src_port[KNET_MAX_PORT_LEN];
++
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index ce3e98e..50a237b 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -731,7 +731,7 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ addr_str, port_str);
++ if (knet_h->use_access_lists) {
++- if (!_generic_filter_packet_by_acl(knet_h, listen_sock, &ss)) {
+++ if (!check_validate(knet_h, listen_sock, &ss)) {
++ savederrno = EINVAL;
++ err = -1;
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+diff --git a/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch b/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+new file mode 100644
+index 0000000..219cd34
+--- /dev/null
++++ b/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+@@ -0,0 +1,226 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 11:37:49 +0100
++Subject: [access lists] confine access lists data structs within the protocol
++ itself
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6abcbf579695dd050da0b5262f1e0a63325bbe52)
++---
++ libknet/links_acl.h | 8 --------
++ libknet/links_acl_ip.h | 13 +++++++------
++ libknet/links_acl.c | 8 ++++----
++ libknet/links_acl_ip.c | 48 ++++++++++++++++++++++++++++++------------------
++ 4 files changed, 41 insertions(+), 36 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index f871403..84ae6b9 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -22,14 +22,6 @@ typedef enum {
++ CHECK_REJECT
++ } check_acceptreject_t;
++
++-struct acl_match_entry {
++- check_type_t type;
++- check_acceptreject_t acceptreject;
++- struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++- struct sockaddr_storage addr2; /* high IP address or address bitmask */
++- struct acl_match_entry *next;
++-};
++-
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index 9e21e00..c475db9 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -12,15 +12,16 @@
++ #include "internals.h"
++ #include "links_acl.h"
++
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject);
+++int ipcheck_rmip(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++void ipcheck_rmall(void *fd_tracker_match_entry_head);
++
++-void ipcheck_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 7605fe9..b1d7ab4 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -37,7 +37,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -58,7 +58,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -74,7 +74,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ return;
++ break;
++ case IP_PROTO:
++- ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++ ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
++ break;
++ default:
++ break;
++@@ -92,7 +92,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ return 1;
++ break;
++ case IP_PROTO:
++- return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
+++ return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
++ break;
++ default:
++ break;
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 58c7b28..e72a382 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -21,6 +21,14 @@
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
++
+++struct ip_acl_match_entry {
+++ check_type_t type;
+++ check_acceptreject_t acceptreject;
+++ struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++ struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++ struct ip_acl_match_entry *next;
+++};
+++
++ /*
++ * s6_addr32 is not defined in BSD userland, only kernel.
++ * definition is the same as linux and it works fine for
++@@ -34,7 +42,7 @@
++ * IPv4 See if the address we have matches the current match entry
++ */
++
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
++ {
++ struct sockaddr_in *ip_to_check;
++ struct sockaddr_in *match1;
++@@ -96,7 +104,7 @@ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++ * IPv6 See if the address we have matches the current match entry
++ */
++
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
++ {
++ struct sockaddr_in6 *ip_to_check;
++ struct sockaddr_in6 *match1;
++@@ -134,10 +142,11 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entr
++ }
++
++
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip)
++ {
++- struct acl_match_entry *match_entry = *match_entry_head;
++- int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++ struct ip_acl_match_entry *match_entry = *match_entry_head;
+++ int (*match_fn)(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry);
++
++ if (checkip->ss_family == AF_INET){
++ match_fn = ip_matches_v4;
++@@ -161,10 +170,11 @@ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_
++ * Routines to manuipulate access lists
++ */
++
++-void ipcheck_rmall(struct acl_match_entry **match_entry_head)
+++void ipcheck_rmall(void *fd_tracker_match_entry_head)
++ {
++- struct acl_match_entry *next_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
+++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++ struct ip_acl_match_entry *next_match_entry;
+++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++ while (match_entry) {
++ next_match_entry = match_entry->next;
++@@ -174,11 +184,11 @@ void ipcheck_rmall(struct acl_match_entry **match_entry_head)
++ *match_entry_head = NULL;
++ }
++
++-static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- struct acl_match_entry *match_entry = *match_entry_head;
+++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++ while (match_entry) {
++ if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++@@ -193,13 +203,14 @@ static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_
++ return NULL;
++ }
++
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- struct acl_match_entry *next_match_entry = NULL;
++- struct acl_match_entry *rm_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
+++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++ struct ip_acl_match_entry *next_match_entry = NULL;
+++ struct ip_acl_match_entry *rm_match_entry;
+++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++ rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++ if (!rm_match_entry) {
++@@ -231,12 +242,13 @@ int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++ return 0;
++ }
++
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- struct acl_match_entry *new_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
+++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++ struct ip_acl_match_entry *new_match_entry;
+++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++ if (!ip1) {
++ errno = EINVAL;
++@@ -259,7 +271,7 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ return -1;
++ }
++
++- new_match_entry = malloc(sizeof(struct acl_match_entry));
+++ new_match_entry = malloc(sizeof(struct ip_acl_match_entry));
++ if (!new_match_entry) {
++ return -1;
++ }
+diff --git a/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch b/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+new file mode 100644
+index 0000000..636f0ab
+--- /dev/null
++++ b/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+@@ -0,0 +1,80 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 15 Feb 2019 10:57:45 +0100
++Subject: [access lists] enable access lists for GENERIC_ACL protocols (udp
++ for example)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit fe077a47ad551d6dcc9f136a1f29b2b98b718beb)
++---
++ libknet/threads_rx.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
++ 1 file changed, 44 insertions(+)
++
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 8435d13..833938d 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -20,6 +20,7 @@
++ #include "crypto.h"
++ #include "host.h"
++ #include "links.h"
+++#include "links_acl.h"
++ #include "logging.h"
++ #include "transports.h"
++ #include "transport_common.h"
++@@ -720,6 +721,27 @@ out_pmtud:
++ }
++ }
++
+++/*
+++ * return 0 to reject and 1 to accept a packet
+++ */
+++static int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
+++{
+++ switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++ case LOOPBACK:
+++ return 1;
+++ break;
+++ case IP_PROTO:
+++ return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, msg->msg_hdr.msg_name);
+++ break;
+++ default:
+++ break;
+++ }
+++ /*
+++ * reject by default
+++ */
+++ return 0;
+++}
+++
++ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
++ {
++ int err, savederrno;
++@@ -802,6 +824,28 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ goto exit_unlock;
++ break;
++ case 2: /* packet is data and should be parsed as such */
+++ /*
+++ * processing incoming packets vs access lists
+++ */
+++ if ((knet_h->use_access_lists) &&
+++ (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
+++ if (!_generic_filter_packet_by_acl(knet_h, sockfd, &msg[i])) {
+++ char src_ipaddr[KNET_MAX_HOST_LEN];
+++ char src_port[KNET_MAX_PORT_LEN];
+++
+++ memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
+++ memset(src_port, 0, KNET_MAX_PORT_LEN);
+++ knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+++ src_ipaddr, KNET_MAX_HOST_LEN,
+++ src_port, KNET_MAX_PORT_LEN);
+++
+++ log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
+++ /*
+++ * continue processing the other packets
+++ */
+++ continue;
+++ }
+++ }
++ _parse_recv_from_links(knet_h, sockfd, &msg[i]);
++ break;
++ }
+diff --git a/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch b/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+new file mode 100644
+index 0000000..a27bd22
+--- /dev/null
++++ b/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+@@ -0,0 +1,55 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 07:32:59 +0100
++Subject: [access lists] enable generic access lists only for protocols that
++ use them
++
++protocols such as SCTP that use their own access list tracking will
++need to setup access lists in transport_link_set/clear_config
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 862446dbc84165963b34f05e2157d3361b5b8f8a)
++---
++ libknet/links.c | 15 ++++++++++-----
++ 1 file changed, 10 insertions(+), 5 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 6c75c35..85b50e5 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -287,10 +287,13 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++
++ /*
++ * we can only configure default access lists if we know both endpoints
+++ * and the protocol uses GENERIC_ACL, otherwise the protocol has
+++ * to setup their own access lists above in transport_link_set_config.
++ */
++- if (link->dynamic == KNET_LINK_STATIC) {
++- log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u",
++- host_id, link_id);
+++ if ((transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL) &&
+++ (link->dynamic == KNET_LINK_STATIC)) {
+++ log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
+++ host_id, link_id, link->outsock);
++ if (_link_add_default_acl(knet_h, link) < 0) {
++ log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ savederrno = errno;
++@@ -469,7 +472,8 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * then we can remove any leftover access lists if the link
++ * is no longer in use.
++ */
++- if (link->dynamic == KNET_LINK_STATIC) {
+++ if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++ (link->dynamic == KNET_LINK_STATIC)) {
++ if (_link_rm_default_acl(knet_h, link) < 0) {
++ err = -1;
++ savederrno = EBUSY;
++@@ -496,7 +500,8 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * remove any other access lists when the socket is no
++ * longer in use by the transport.
++ */
++- if (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS) {
+++ if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++ (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++ _link_del_all_acl(knet_h, sock);
++ }
++
+diff --git a/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch b/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+new file mode 100644
+index 0000000..27b0e57
+--- /dev/null
++++ b/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+@@ -0,0 +1,64 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 07:08:29 +0100
++Subject: [access lists] fix build on BSD and add some include files around
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f1919ce88831032c123bb28771ef2cabf03a148e)
++---
++ libknet/tests/Makefile.am | 1 +
++ libknet/links_acl.c | 2 ++
++ libknet/links_acl_ip.c | 2 ++
++ libknet/tests/int_links_acl.c | 2 ++
++ 4 files changed, 7 insertions(+)
++
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index d46553a..2f22293 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -69,6 +69,7 @@ pckt_test_SOURCES = pckt_test.c
++
++ int_links_acl_test_SOURCES = int_links_acl.c \
++ ../common.c \
+++ ../compat.c \
++ ../logging.c \
++ ../netutils.c \
++ ../threads_common.c \
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 8592f1f..cfcc1fd 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -6,6 +6,8 @@
++ * This software licensed under GPL-2.0+, LGPL-2.0+
++ */
++
+++#include "config.h"
+++
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 2aef14b..ffd18a4 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -6,6 +6,8 @@
++ * This software licensed under GPL-2.0+, LGPL-2.0+
++ */
++
+++#include "config.h"
+++
++ #include <sys/socket.h>
++ #include <netinet/in.h>
++ #include <stdint.h>
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 8d9f4e0..05bd829 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -6,6 +6,8 @@
++ * This software licensed under GPL-2.0+, LGPL-2.0+
++ */
++
+++#include "config.h"
+++
++ #include <sys/types.h>
++ #include <sys/socket.h>
++ #include <netinet/in.h>
+diff --git a/debian/patches/access-lists-fix-build-on-freebsd.patch b/debian/patches/access-lists-fix-build-on-freebsd.patch
+new file mode 100644
+index 0000000..385cc85
+--- /dev/null
++++ b/debian/patches/access-lists-fix-build-on-freebsd.patch
+@@ -0,0 +1,54 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 09:49:06 +0100
++Subject: [access lists] fix build on freebsd
++
++don't use malloc.h, obsoleted by stdlib.h
++define s6_addr32 that's only available in kernel space
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 12ee796ceca832c18054e87a0e310dcd9a6c16c6)
++---
++ libknet/links_acl.c | 11 ++++++++++-
++ libknet/tests/int_links_acl.c | 1 -
++ 2 files changed, 10 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 2ad3e90..854f273 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -10,13 +10,22 @@
++ #include <netinet/in.h>
++ #include <stdint.h>
++ #include <string.h>
++-#include <malloc.h>
+++#include <stdlib.h>
++
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
++ #include "links_acl.h"
++
+++/*
+++ * s6_addr32 is not defined in BSD userland, only kernel.
+++ * definition is the same as linux and it works fine for
+++ * what we need.
+++ */
+++#ifndef s6_addr32
+++#define s6_addr32 __u6_addr.__u6_addr32
+++#endif
+++
++ /*
++ * IPv4 See if the address we have matches the current match entry
++ */
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 129aabe..133cd5a 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -13,7 +13,6 @@
++ #include <stdlib.h>
++ #include <string.h>
++ #include <netdb.h>
++-#include <malloc.h>
++
++ #include "internals.h"
++ #include "links_acl.h"
+diff --git a/debian/patches/access-lists-improve-checks-on-various-data-types.patch b/debian/patches/access-lists-improve-checks-on-various-data-types.patch
+new file mode 100644
+index 0000000..1a8d531
+--- /dev/null
++++ b/debian/patches/access-lists-improve-checks-on-various-data-types.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 6 Mar 2019 09:43:10 +0100
++Subject: [access lists] improve checks on various data types
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f6f08c08179a051aa51fadc48a1acfb71a6f55b4)
++---
++ libknet/links.c | 39 +++++++++++++++++++++++++++++++++++++++
++ 1 file changed, 39 insertions(+)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 0f02006..038a8a4 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -1168,6 +1168,19 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++ return -1;
++ }
++
+++ if ((type != CHECK_TYPE_ADDRESS) &&
+++ (type != CHECK_TYPE_MASK) &&
+++ (type != CHECK_TYPE_RANGE)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((acceptreject != CHECK_ACCEPT) &&
+++ (acceptreject != CHECK_REJECT)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ errno = EINVAL;
++ return -1;
++@@ -1250,6 +1263,19 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ return -1;
++ }
++
+++ if ((type != CHECK_TYPE_ADDRESS) &&
+++ (type != CHECK_TYPE_MASK) &&
+++ (type != CHECK_TYPE_RANGE)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((acceptreject != CHECK_ACCEPT) &&
+++ (acceptreject != CHECK_REJECT)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ errno = EINVAL;
++ return -1;
++@@ -1331,6 +1357,19 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++ return -1;
++ }
++
+++ if ((type != CHECK_TYPE_ADDRESS) &&
+++ (type != CHECK_TYPE_MASK) &&
+++ (type != CHECK_TYPE_RANGE)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if ((acceptreject != CHECK_ACCEPT) &&
+++ (acceptreject != CHECK_REJECT)) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ errno = EINVAL;
++ return -1;
+diff --git a/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch b/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+new file mode 100644
+index 0000000..30cafa3
+--- /dev/null
++++ b/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+@@ -0,0 +1,436 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 12 Feb 2019 07:21:20 +0100
++Subject: [access lists] make code more generic to accept more than IP
++ protocol and start to bind it to each fd
++
++access lists are unique per file descriptor, each fd can have its own protocol and list.
++
++remane around ipcheck* with check* to be more generic.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 45b1d526876aa89986e7bd379c45f8856056fe68)
++---
++ libknet/internals.h | 24 +++++++++
++ libknet/links_acl.h | 18 ++++---
++ libknet/links_acl.c | 114 ++++++++++++++++++++----------------------
++ libknet/tests/int_links_acl.c | 46 +++++++++++------
++ 4 files changed, 120 insertions(+), 82 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 106b49d..78e718d 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -129,11 +129,35 @@ struct knet_sock {
++ * and socket has been removed from epoll */
++ };
++
+++/*
+++ * access lists
+++ */
+++
+++typedef enum {
+++ CHECK_TYPE_ADDRESS,
+++ CHECK_TYPE_MASK,
+++ CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++typedef enum {
+++ CHECK_ACCEPT,
+++ CHECK_REJECT
+++} check_acceptreject_t;
+++
+++struct acl_match_entry {
+++ check_type_t type;
+++ check_acceptreject_t acceptreject;
+++ struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++ struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++ struct acl_match_entry *next;
+++};
+++
++ struct knet_fd_trackers {
++ uint8_t transport; /* transport type (UDP/SCTP...) */
++ uint8_t data_type; /* internal use for transport to define what data are associated
++ * to this fd */
++ void *data; /* pointer to the data */
+++ struct acl_match_entry *match_entry;
++ };
++
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index eca4566..26b0f36 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -6,11 +6,17 @@
++ * This software licensed under GPL-2.0+, LGPL-2.0+
++ */
++
++-typedef enum {IPCHECK_TYPE_ADDRESS, IPCHECK_TYPE_MASK, IPCHECK_TYPE_RANGE} ipcheck_type_t;
++-typedef enum {IPCHECK_ACCEPT, IPCHECK_REJECT} ipcheck_acceptreject_t;
+++#ifndef __KNET_LINKS_ACL_H__
+++#define __KNET_LINKS_ACL_H__
++
++-int ipcheck_validate(struct sockaddr_storage *checkip);
+++#include "internals.h"
++
++-void ipcheck_clear(void);
++-int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- ipcheck_type_t type, ipcheck_acceptreject_t acceptreject);
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++
+++void ipcheck_clear(struct acl_match_entry **match_entry_head);
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++#endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index e7b5602..fe84088 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -11,26 +11,17 @@
++ #include <stdint.h>
++ #include <string.h>
++ #include <malloc.h>
++-#include "links_acl.h"
++-
++-struct ip_match_entry {
++- ipcheck_type_t type;
++- ipcheck_acceptreject_t acceptreject;
++- struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++- struct sockaddr_storage addr2; /* high IP address or address bitmask */
++- struct ip_match_entry *next;
++-};
++
++-
++-/* Lists of things to match against. These are dummy structs to provide a quick list head */
++-static struct ip_match_entry match_entry_head_v4;
++-static struct ip_match_entry match_entry_head_v6;
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl.h"
++
++ /*
++ * IPv4 See if the address we have matches the current match entry
++- *
++ */
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry)
+++
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++ {
++ struct sockaddr_in *ip_to_check;
++ struct sockaddr_in *match1;
++@@ -41,16 +32,16 @@ static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry
++ match2 = (struct sockaddr_in *)&match_entry->addr2;
++
++ switch(match_entry->type) {
++- case IPCHECK_TYPE_ADDRESS:
+++ case CHECK_TYPE_ADDRESS:
++ if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
++ return 1;
++ break;
++- case IPCHECK_TYPE_MASK:
+++ case CHECK_TYPE_MASK:
++ if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
++ match1->sin_addr.s_addr)
++ return 1;
++ break;
++- case IPCHECK_TYPE_RANGE:
+++ case CHECK_TYPE_RANGE:
++ if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
++ (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
++ return 1;
++@@ -60,7 +51,10 @@ static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry
++ return 0;
++ }
++
++-/* Compare two IPv6 addresses */
+++/*
+++ * Compare two IPv6 addresses
+++ */
+++
++ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++ {
++ uint64_t a_high, a_low;
++@@ -89,9 +83,9 @@ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++
++ /*
++ * IPv6 See if the address we have matches the current match entry
++- *
++ */
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry)
+++
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++ {
++ struct sockaddr_in6 *ip_to_check;
++ struct sockaddr_in6 *match1;
++@@ -103,12 +97,12 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ match2 = (struct sockaddr_in6 *)&match_entry->addr2;
++
++ switch(match_entry->type) {
++- case IPCHECK_TYPE_ADDRESS:
+++ case CHECK_TYPE_ADDRESS:
++ if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
++ return 1;
++ break;
++
++- case IPCHECK_TYPE_MASK:
+++ case CHECK_TYPE_MASK:
++ /*
++ * Note that this little loop will quit early if there is a non-match so the
++ * comparison might look backwards compared to the IPv4 one
++@@ -119,7 +113,7 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ return 0;
++ }
++ return 1;
++- case IPCHECK_TYPE_RANGE:
+++ case CHECK_TYPE_RANGE:
++ if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
++ (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
++ return 1;
++@@ -129,24 +123,20 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ }
++
++
++-/*
++- * YOU ARE HERE
++- */
++-int ipcheck_validate(struct sockaddr_storage *checkip)
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
++ {
++- struct ip_match_entry *match_entry;
++- int (*match_fn)(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry);
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++ int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
++
++ if (checkip->ss_family == AF_INET){
++- match_entry = match_entry_head_v4.next;
++ match_fn = ip_matches_v4;
++ } else {
++- match_entry = match_entry_head_v6.next;
++ match_fn = ip_matches_v6;
++ }
+++
++ while (match_entry) {
++ if (match_fn(checkip, match_entry)) {
++- if (match_entry->acceptreject == IPCHECK_ACCEPT)
+++ if (match_entry->acceptreject == CHECK_ACCEPT)
++ return 1;
++ else
++ return 0;
++@@ -157,47 +147,42 @@ int ipcheck_validate(struct sockaddr_storage *checkip)
++ }
++
++ /*
++- * Routines to manuipulate the lists
+++ * Routines to manuipulate access lists
++ */
++
++-void ipcheck_clear(void)
+++void ipcheck_clear(struct acl_match_entry **match_entry_head)
++ {
++- struct ip_match_entry *match_entry;
++- struct ip_match_entry *next_match_entry;
+++ struct acl_match_entry *next_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
++
++- match_entry = match_entry_head_v4.next;
++- while (match_entry) {
++- next_match_entry = match_entry->next;
++- free(match_entry);
++- match_entry = next_match_entry;
++- }
++-
++- match_entry = match_entry_head_v6.next;
++ while (match_entry) {
++ next_match_entry = match_entry->next;
++ free(match_entry);
++ match_entry = next_match_entry;
++ }
+++ *match_entry_head = NULL;
++ }
++
++-int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- ipcheck_type_t type, ipcheck_acceptreject_t acceptreject)
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- struct ip_match_entry *match_entry;
++- struct ip_match_entry *new_match_entry;
+++ struct acl_match_entry *new_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
++
++- if (type == IPCHECK_TYPE_RANGE &&
++- (ip1->ss_family != ip2->ss_family))
+++ if (!ip1) {
++ return -1;
+++ }
++
++- if (ip1->ss_family == AF_INET){
++- match_entry = &match_entry_head_v4;
++- } else {
++- match_entry = &match_entry_head_v6;
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++ return -1;
++ }
++
+++ if (type == CHECK_TYPE_RANGE &&
+++ (ip1->ss_family != ip2->ss_family))
+++ return -1;
++
++- new_match_entry = malloc(sizeof(struct ip_match_entry));
+++ new_match_entry = malloc(sizeof(struct acl_match_entry));
++ if (!new_match_entry)
++ return -1;
++
++@@ -207,12 +192,19 @@ int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ new_match_entry->acceptreject = acceptreject;
++ new_match_entry->next = NULL;
++
++- /* Find the end of the list */
++- /* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++- while (match_entry->next) {
++- match_entry = match_entry->next;
+++ if (match_entry) {
+++ /* Find the end of the list */
+++ /* is this OK, or should we use a doubly-linked list or bulk-load API call? */
+++ while (match_entry->next) {
+++ match_entry = match_entry->next;
+++ }
+++ match_entry->next = new_match_entry;
+++ } else {
+++ /*
+++ * first entry in the list
+++ */
+++ *match_entry_head = new_match_entry;
++ }
++- match_entry->next = new_match_entry;
++
++ return 0;
++ }
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 27ac545..1e7f426 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -14,8 +14,13 @@
++ #include <string.h>
++ #include <netdb.h>
++ #include <malloc.h>
+++
+++#include "internals.h"
++ #include "links_acl.h"
++
+++static struct acl_match_entry *match_entry_v4;
+++static struct acl_match_entry *match_entry_v6;
+++
++ /* This is a test program .. remember! */
++ #define BUFLEN 1024
++
++@@ -31,7 +36,7 @@ static int get_ipaddress(char *buf, struct sockaddr_storage *addr)
++ res = getaddrinfo(buf, NULL, &hints, &info);
++ if (!res) {
++ memmove(addr, info->ai_addr, info->ai_addrlen);
++- free(info);
+++ freeaddrinfo(info);
++ }
++ return res;
++ }
++@@ -96,12 +101,13 @@ static int load_file(void)
++ char filebuf[BUFLEN];
++ int line = 0;
++ int ret;
++- ipcheck_type_t type;
++- ipcheck_acceptreject_t acceptreject;
+++ check_type_t type;
+++ check_acceptreject_t acceptreject;
++ struct sockaddr_storage addr1;
++ struct sockaddr_storage addr2;
++
++- ipcheck_clear();
+++ ipcheck_clear(&match_entry_v4);
+++ ipcheck_clear(&match_entry_v6);
++
++ filterfile = fopen("int_links_acl.txt", "r");
++ if (!filterfile) {
++@@ -118,10 +124,10 @@ static int load_file(void)
++ */
++ switch(filebuf[0] & 0x5F) {
++ case 'A':
++- acceptreject = IPCHECK_ACCEPT;
+++ acceptreject = CHECK_ACCEPT;
++ break;
++ case 'R':
++- acceptreject = IPCHECK_REJECT;
+++ acceptreject = CHECK_REJECT;
++ break;
++ default:
++ fprintf(stderr, "Unknown record type on line %d: %s\n", line, filebuf);
++@@ -136,15 +142,15 @@ static int load_file(void)
++ */
++ switch(filebuf[1] & 0x5F) {
++ case 'A':
++- type = IPCHECK_TYPE_ADDRESS;
+++ type = CHECK_TYPE_ADDRESS;
++ ret = read_address(filebuf+2, &addr1);
++ break;
++ case 'M':
++- type = IPCHECK_TYPE_MASK;
+++ type = CHECK_TYPE_MASK;
++ ret = read_mask(filebuf+2, &addr1, &addr2);
++ break;
++ case 'R':
++- type = IPCHECK_TYPE_RANGE;
+++ type = CHECK_TYPE_RANGE;
++ ret = read_range(filebuf+2, &addr1, &addr2);
++ break;
++ default:
++@@ -156,7 +162,11 @@ static int load_file(void)
++ fprintf(stderr, "Failed to parse address on line %d: %s\n", line, filebuf);
++ }
++ else {
++- ipcheck_addip(&addr1, &addr2, type, acceptreject);
+++ if (addr1.ss_family == AF_INET) {
+++ ipcheck_addip(&match_entry_v4, &addr1, &addr2, type, acceptreject);
+++ } else {
+++ ipcheck_addip(&match_entry_v6, &addr1, &addr2, type, acceptreject);
+++ }
++ }
++ next_record: {} /* empty statement to mollify the compiler */
++ }
++@@ -168,6 +178,7 @@ static int load_file(void)
++ int main(int argc, char *argv[])
++ {
++ struct sockaddr_storage saddr;
+++ struct acl_match_entry *match_entry;
++ int ret;
++ int i;
++
++@@ -178,16 +189,21 @@ int main(int argc, char *argv[])
++ ret = get_ipaddress(argv[i], &saddr);
++ if (ret) {
++ fprintf(stderr, "Cannot parse address %s\n", argv[i]);
++- }
++- else {
++- if (ipcheck_validate(&saddr)) {
++- printf("%s is VALID\n", argv[i]);
+++ } else {
+++ if (saddr.ss_family == AF_INET) {
+++ match_entry = match_entry_v4;
+++ } else {
+++ match_entry = match_entry_v6;
++ }
++- else {
+++ if (ipcheck_validate(&match_entry, &saddr)) {
+++ printf("%s is VALID\n", argv[i]);
+++ } else {
++ printf("%s is not allowed\n", argv[i]);
++ }
++ }
++ }
++
+++ ipcheck_clear(&match_entry_v4);
+++ ipcheck_clear(&match_entry_v6);
++ return 0;
++ }
+diff --git a/debian/patches/access-lists-make-internal-API-consistent.patch b/debian/patches/access-lists-make-internal-API-consistent.patch
+new file mode 100644
+index 0000000..a5d000c
+--- /dev/null
++++ b/debian/patches/access-lists-make-internal-API-consistent.patch
+@@ -0,0 +1,73 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 06:53:48 +0100
++Subject: [access lists] make internal API consistent
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit fb462d4f238b98ab685f9efae945a0e527f399ba)
++---
++ libknet/links_acl.h | 2 +-
++ libknet/links_acl.c | 6 +++---
++ libknet/threads_rx.c | 2 +-
++ libknet/transport_sctp.c | 2 +-
++ 4 files changed, 6 insertions(+), 6 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index b083753..f871403 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -37,6 +37,6 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++-int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
+++int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip);
++
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 93cc5af..8592f1f 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -74,14 +74,14 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ /*
++ * return 0 to reject and 1 to accept a packet
++ */
++-int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
+++int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
++ {
++- switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++ switch(transport_get_proto(knet_h, transport)) {
++ case LOOPBACK:
++ return 1;
++ break;
++ case IP_PROTO:
++- return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++ return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
++ break;
++ default:
++ break;
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 6417261..ae39b38 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -808,7 +808,7 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ */
++ if ((knet_h->use_access_lists) &&
++ (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++- if (!check_validate(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
+++ if (!check_validate(knet_h, sockfd, transport, msg[i].msg_hdr.msg_name)) {
++ char src_ipaddr[KNET_MAX_HOST_LEN];
++ char src_port[KNET_MAX_PORT_LEN];
++
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 50a237b..ff7903c 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -731,7 +731,7 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ addr_str, port_str);
++ if (knet_h->use_access_lists) {
++- if (!check_validate(knet_h, listen_sock, &ss)) {
+++ if (!check_validate(knet_h, listen_sock, KNET_TRANSPORT_SCTP, &ss)) {
++ savederrno = EINVAL;
++ err = -1;
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+diff --git a/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch b/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+new file mode 100644
+index 0000000..b69fa50
+--- /dev/null
++++ b/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+@@ -0,0 +1,72 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:17:57 +0100
++Subject: [access lists] more use of generic wrappers and remove duplicate code
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit be01691050bea1aabe0d8736d2017974d966a1c0)
++---
++ libknet/links_acl.c | 44 ++++++--------------------------------------
++ 1 file changed, 6 insertions(+), 38 deletions(-)
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 32763de..85a792d 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -73,51 +73,19 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++
++ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++- case LOOPBACK:
++- /*
++- * loopback does not require access lists
++- */
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++- break;
++- default:
++- break;
++- }
++-
++- return err;
+++ return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ }
++
++ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++- case LOOPBACK:
++- /*
++- * loopback does not require access lists
++- */
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++- break;
++- default:
++- break;
++- }
++-
++- return err;
+++ return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ }
++
++ /*
++- * * return 0 to reject and 1 to accept a packet
++- * */
+++ * return 0 to reject and 1 to accept a packet
+++ */
++ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++ switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+diff --git a/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch b/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+new file mode 100644
+index 0000000..a96ab6b
+--- /dev/null
++++ b/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+@@ -0,0 +1,168 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:04:20 +0100
++Subject: [access lists] move access lists structs and data types to
++ links_acl.*
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c374aef3fda1c01b282a5baf193e0ac7870d1eb2)
++---
++ libknet/internals.h | 25 +------------------------
++ libknet/links_acl.h | 19 +++++++++++++++++++
++ libknet/links_acl_ip.h | 1 +
++ libknet/links_acl.c | 12 ++++++------
++ libknet/links_acl_ip.c | 1 +
++ 5 files changed, 28 insertions(+), 30 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 78e718d..0d6ee3f 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -129,35 +129,12 @@ struct knet_sock {
++ * and socket has been removed from epoll */
++ };
++
++-/*
++- * access lists
++- */
++-
++-typedef enum {
++- CHECK_TYPE_ADDRESS,
++- CHECK_TYPE_MASK,
++- CHECK_TYPE_RANGE
++-} check_type_t;
++-
++-typedef enum {
++- CHECK_ACCEPT,
++- CHECK_REJECT
++-} check_acceptreject_t;
++-
++-struct acl_match_entry {
++- check_type_t type;
++- check_acceptreject_t acceptreject;
++- struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++- struct sockaddr_storage addr2; /* high IP address or address bitmask */
++- struct acl_match_entry *next;
++-};
++-
++ struct knet_fd_trackers {
++ uint8_t transport; /* transport type (UDP/SCTP...) */
++ uint8_t data_type; /* internal use for transport to define what data are associated
++ * to this fd */
++ void *data; /* pointer to the data */
++- struct acl_match_entry *match_entry;
+++ void *match_entry; /* pointer to access list match_entry list head */
++ };
++
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 9a20754..020ec05 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,6 +11,25 @@
++
++ #include "internals.h"
++
+++typedef enum {
+++ CHECK_TYPE_ADDRESS,
+++ CHECK_TYPE_MASK,
+++ CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++typedef enum {
+++ CHECK_ACCEPT,
+++ CHECK_REJECT
+++} check_acceptreject_t;
+++
+++struct acl_match_entry {
+++ check_type_t type;
+++ check_acceptreject_t acceptreject;
+++ struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++ struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++ struct acl_match_entry *next;
+++};
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index 575b5ff..9e21e00 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -10,6 +10,7 @@
++ #define __KNET_LINKS_ACL_IP_H__
++
++ #include "internals.h"
+++#include "links_acl.h"
++
++ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 34bcce3..32763de 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -28,7 +28,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -48,7 +48,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -64,7 +64,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ return;
++ break;
++ case IP_PROTO:
++- ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++ ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
++ break;
++ default:
++ break;
++@@ -83,7 +83,7 @@ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ break;
++ default:
++@@ -105,7 +105,7 @@ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ break;
++ default:
++@@ -125,7 +125,7 @@ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct socka
++ return 1;
++ break;
++ case IP_PROTO:
++- return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++ return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
++ break;
++ default:
++ break;
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index edc3ae1..2aef14b 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -15,6 +15,7 @@
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
+++#include "links_acl.h"
++ #include "links_acl_ip.h"
++
++ /*
+diff --git a/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch b/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+new file mode 100644
+index 0000000..6f3b9d3
+--- /dev/null
++++ b/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+@@ -0,0 +1,1025 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 04:53:23 +0100
++Subject: [access lists] move all acl wrappers to links_acl* and split
++ links_acl_ip to their own files
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 0cb8e8bab46b30487a4821004ee757ee8f9eb91e)
++---
++ libknet/Makefile.am | 2 +
++ libknet/tests/Makefile.am | 12 +-
++ libknet/links_acl.h | 20 +--
++ libknet/links_acl_ip.h | 25 ++++
++ libknet/links.c | 53 +------
++ libknet/links_acl.c | 322 ++++++++++++------------------------------
++ libknet/links_acl_ip.c | 277 ++++++++++++++++++++++++++++++++++++
++ libknet/tests/int_links_acl.c | 9 +-
++ libknet/threads_rx.c | 25 +---
++ libknet/transport_sctp.c | 24 ++--
++ 10 files changed, 438 insertions(+), 331 deletions(-)
++ create mode 100644 libknet/links_acl_ip.h
++ create mode 100644 libknet/links_acl_ip.c
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 4ea42d9..b60427c 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -32,6 +32,7 @@ sources = \
++ host.c \
++ links.c \
++ links_acl.c \
+++ links_acl_ip.c \
++ logging.c \
++ netutils.c \
++ threads_common.c \
++@@ -63,6 +64,7 @@ noinst_HEADERS = \
++ internals.h \
++ links.h \
++ links_acl.h \
+++ links_acl_ip.h \
++ logging.h \
++ netutils.h \
++ onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index f74cb04..d46553a 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -68,7 +68,17 @@ check-api-test-coverage:
++ pckt_test_SOURCES = pckt_test.c
++
++ int_links_acl_test_SOURCES = int_links_acl.c \
++- ../links_acl.c
+++ ../common.c \
+++ ../logging.c \
+++ ../netutils.c \
+++ ../threads_common.c \
+++ ../transports.c \
+++ ../transport_common.c \
+++ ../transport_loopback.c \
+++ ../transport_sctp.c \
+++ ../transport_udp.c \
+++ ../links_acl.c \
+++ ../links_acl_ip.c
++
++ int_timediff_test_SOURCES = int_timediff.c
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index f4713d6..9a20754 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,15 +11,15 @@
++
++ #include "internals.h"
++
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
+++int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject);
++-
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject);
++-
++-void check_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++new file mode 100644
++index 0000000..575b5ff
++--- /dev/null
+++++ b/libknet/links_acl_ip.h
++@@ -0,0 +1,25 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#ifndef __KNET_LINKS_ACL_IP_H__
+++#define __KNET_LINKS_ACL_IP_H__
+++
+++#include "internals.h"
+++
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++void ipcheck_rmall(struct acl_match_entry **match_entry_head);
+++#endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 85b50e5..07ef26e 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -22,55 +22,6 @@
++ #include "threads_common.h"
++ #include "links_acl.h"
++
++-static void _link_del_all_acl(knet_handle_t knet_h, int sock)
++-{
++- check_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
++-}
++-
++-static int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++- case LOOPBACK:
++- /*
++- * loopback does not require access lists
++- */
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++- break;
++- default:
++- break;
++- }
++-
++- return err;
++-}
++-
++-static int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++- case LOOPBACK:
++- /*
++- * loopback does not require access lists
++- */
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++- break;
++- default:
++- break;
++- }
++-
++- return err;
++-}
++-
++ int _link_updown(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
++ unsigned int enabled, unsigned int connected)
++ {
++@@ -420,6 +371,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ struct knet_host *host;
++ struct knet_link *link;
++ int sock;
+++ uint8_t transport;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -488,6 +440,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * will clear link info during clear_config.
++ */
++ sock = link->outsock;
+++ transport = link->transport_type;
++
++ if ((transport_link_clear_config(knet_h, link) < 0) &&
++ (errno != EBUSY)) {
++@@ -502,7 +455,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ */
++ if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
++ (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++- _link_del_all_acl(knet_h, sock);
+++ check_rmall(knet_h, sock, transport);
++ }
++
++ memset(link, 0, sizeof(struct knet_link));
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 854f273..34bcce3 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -6,8 +6,6 @@
++ * This software licensed under GPL-2.0+, LGPL-2.0+
++ */
++
++-#include <sys/socket.h>
++-#include <netinet/in.h>
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++@@ -15,265 +13,125 @@
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
+++#include "transport_common.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++
++-/*
++- * s6_addr32 is not defined in BSD userland, only kernel.
++- * definition is the same as linux and it works fine for
++- * what we need.
++- */
++-#ifndef s6_addr32
++-#define s6_addr32 __u6_addr.__u6_addr32
++-#endif
++-
++-/*
++- * IPv4 See if the address we have matches the current match entry
++- */
++-
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++-{
++- struct sockaddr_in *ip_to_check;
++- struct sockaddr_in *match1;
++- struct sockaddr_in *match2;
++-
++- ip_to_check = (struct sockaddr_in *)checkip;
++- match1 = (struct sockaddr_in *)&match_entry->addr1;
++- match2 = (struct sockaddr_in *)&match_entry->addr2;
++-
++- switch(match_entry->type) {
++- case CHECK_TYPE_ADDRESS:
++- if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
++- return 1;
++- break;
++- case CHECK_TYPE_MASK:
++- if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
++- match1->sin_addr.s_addr)
++- return 1;
++- break;
++- case CHECK_TYPE_RANGE:
++- if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
++- (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
++- return 1;
++- break;
++-
++- }
++- return 0;
++-}
++-
++-/*
++- * Compare two IPv6 addresses
++- */
++-
++-static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- uint64_t a_high, a_low;
++- uint64_t b_high, b_low;
+++ int err = -1;
++
++- /* Not sure why '&' doesn't work below, so I used '+' instead which is effectively
++- the same thing because the bottom 32bits are always zero and the value unsigned */
++- a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) + (uint64_t)htonl(a->s6_addr32[1]);
++- a_low = ((uint64_t)htonl(a->s6_addr32[2]) << 32) + (uint64_t)htonl(a->s6_addr32[3]);
++-
++- b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) + (uint64_t)htonl(b->s6_addr32[1]);
++- b_low = ((uint64_t)htonl(b->s6_addr32[2]) << 32) + (uint64_t)htonl(b->s6_addr32[3]);
++-
++- if (a_high > b_high)
++- return 1;
++- if (a_high < b_high)
++- return -1;
++-
++- if (a_low > b_low)
++- return 1;
++- if (a_low < b_low)
++- return -1;
++-
++- return 0;
++-}
++-
++-/*
++- * IPv6 See if the address we have matches the current match entry
++- */
++-
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++-{
++- struct sockaddr_in6 *ip_to_check;
++- struct sockaddr_in6 *match1;
++- struct sockaddr_in6 *match2;
++- int i;
++-
++- ip_to_check = (struct sockaddr_in6 *)checkip;
++- match1 = (struct sockaddr_in6 *)&match_entry->addr1;
++- match2 = (struct sockaddr_in6 *)&match_entry->addr2;
++-
++- switch(match_entry->type) {
++- case CHECK_TYPE_ADDRESS:
++- if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
++- return 1;
++- break;
++-
++- case CHECK_TYPE_MASK:
++- /*
++- * Note that this little loop will quit early if there is a non-match so the
++- * comparison might look backwards compared to the IPv4 one
++- */
++- for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
++- if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
++- match1->sin6_addr.s6_addr32[i])
++- return 0;
++- }
++- return 1;
++- case CHECK_TYPE_RANGE:
++- if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
++- (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
++- return 1;
++- break;
+++ switch(transport_get_proto(knet_h, transport)) {
+++ case LOOPBACK:
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ ip1, ip2, type, acceptreject);
+++ break;
+++ default:
+++ break;
++ }
++- return 0;
+++ return err;
++ }
++
++-
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- struct acl_match_entry *match_entry = *match_entry_head;
++- int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++ int err = -1;
++
++- if (checkip->ss_family == AF_INET){
++- match_fn = ip_matches_v4;
++- } else {
++- match_fn = ip_matches_v6;
++- }
++-
++- while (match_entry) {
++- if (match_fn(checkip, match_entry)) {
++- if (match_entry->acceptreject == CHECK_ACCEPT)
++- return 1;
++- else
++- return 0;
++- }
++- match_entry = match_entry->next;
+++ switch(transport_get_proto(knet_h, transport)) {
+++ case LOOPBACK:
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ ip1, ip2, type, acceptreject);
+++ break;
+++ default:
+++ break;
++ }
++- return 0; /* Default reject */
+++ return err;
++ }
++
++-/*
++- * Routines to manuipulate access lists
++- */
++-
++-void check_rmall(struct acl_match_entry **match_entry_head)
+++void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ {
++- struct acl_match_entry *next_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
++-
++- while (match_entry) {
++- next_match_entry = match_entry->next;
++- free(match_entry);
++- match_entry = next_match_entry;
+++ switch(transport_get_proto(knet_h, transport)) {
+++ case LOOPBACK:
+++ return;
+++ break;
+++ case IP_PROTO:
+++ ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++ break;
+++ default:
+++ break;
++ }
++- *match_entry_head = NULL;
++ }
++
++-static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject)
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++- struct acl_match_entry *match_entry = *match_entry_head;
++-
++- while (match_entry) {
++- if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++- (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
++- (match_entry->type == type) &&
++- (match_entry->acceptreject == acceptreject)) {
++- return match_entry;
++- }
++- match_entry = match_entry->next;
+++ int err = -1;
+++
+++ switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++ case LOOPBACK:
+++ /*
+++ * loopback does not require access lists
+++ */
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ break;
+++ default:
+++ break;
++ }
++
++- return NULL;
+++ return err;
++ }
++
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject)
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++- struct acl_match_entry *next_match_entry = NULL;
++- struct acl_match_entry *rm_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
++-
++- rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++- if (!rm_match_entry) {
++- return -1;
++- }
++-
++- while (match_entry) {
++- next_match_entry = match_entry->next;
++- /*
++- * we are removing the list head, be careful
++- */
++- if (rm_match_entry == match_entry) {
++- *match_entry_head = next_match_entry;
++- free(match_entry);
+++ int err = -1;
+++
+++ switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++ case LOOPBACK:
+++ /*
+++ * loopback does not require access lists
+++ */
+++ err = 0;
+++ break;
+++ case IP_PROTO:
+++ err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++ &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ break;
++- }
++- /*
++- * the next one is the one we need to remove
++- */
++- if (rm_match_entry == next_match_entry) {
++- match_entry->next = next_match_entry->next;
++- free(next_match_entry);
+++ default:
++ break;
++- }
++- match_entry = next_match_entry;
++ }
++
++- return 0;
+++ return err;
++ }
++
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++- check_type_t type, check_acceptreject_t acceptreject)
+++/*
+++ * * return 0 to reject and 1 to accept a packet
+++ * */
+++int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++- struct acl_match_entry *new_match_entry;
++- struct acl_match_entry *match_entry = *match_entry_head;
++-
++- if (!ip1) {
++- return -1;
++- }
++-
++- if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
++- return -1;
++- }
++-
++- if (type == CHECK_TYPE_RANGE &&
++- (ip1->ss_family != ip2->ss_family))
++- return -1;
++-
++- if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
++- return -1;
++- }
++-
++- new_match_entry = malloc(sizeof(struct acl_match_entry));
++- if (!new_match_entry)
++- return -1;
++-
++- memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++- memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
++- new_match_entry->type = type;
++- new_match_entry->acceptreject = acceptreject;
++- new_match_entry->next = NULL;
++-
++- if (match_entry) {
++- /* Find the end of the list */
++- /* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++- while (match_entry->next) {
++- match_entry = match_entry->next;
++- }
++- match_entry->next = new_match_entry;
++- } else {
++- /*
++- * first entry in the list
++- */
++- *match_entry_head = new_match_entry;
+++ switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++ case LOOPBACK:
+++ return 1;
+++ break;
+++ case IP_PROTO:
+++ return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++ break;
+++ default:
+++ break;
++ }
++-
+++ /*
+++ * reject by default
+++ */
++ return 0;
++ }
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++new file mode 100644
++index 0000000..edc3ae1
++--- /dev/null
+++++ b/libknet/links_acl_ip.c
++@@ -0,0 +1,277 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include <sys/socket.h>
+++#include <netinet/in.h>
+++#include <stdint.h>
+++#include <string.h>
+++#include <stdlib.h>
+++
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl_ip.h"
+++
+++/*
+++ * s6_addr32 is not defined in BSD userland, only kernel.
+++ * definition is the same as linux and it works fine for
+++ * what we need.
+++ */
+++#ifndef s6_addr32
+++#define s6_addr32 __u6_addr.__u6_addr32
+++#endif
+++
+++/*
+++ * IPv4 See if the address we have matches the current match entry
+++ */
+++
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++{
+++ struct sockaddr_in *ip_to_check;
+++ struct sockaddr_in *match1;
+++ struct sockaddr_in *match2;
+++
+++ ip_to_check = (struct sockaddr_in *)checkip;
+++ match1 = (struct sockaddr_in *)&match_entry->addr1;
+++ match2 = (struct sockaddr_in *)&match_entry->addr2;
+++
+++ switch(match_entry->type) {
+++ case CHECK_TYPE_ADDRESS:
+++ if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
+++ return 1;
+++ break;
+++ case CHECK_TYPE_MASK:
+++ if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
+++ match1->sin_addr.s_addr)
+++ return 1;
+++ break;
+++ case CHECK_TYPE_RANGE:
+++ if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
+++ (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
+++ return 1;
+++ break;
+++
+++ }
+++ return 0;
+++}
+++
+++/*
+++ * Compare two IPv6 addresses
+++ */
+++
+++static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
+++{
+++ uint64_t a_high, a_low;
+++ uint64_t b_high, b_low;
+++
+++ a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) | (uint64_t)htonl(a->s6_addr32[1]);
+++ a_low = ((uint64_t)htonl(a->s6_addr32[2]) << 32) | (uint64_t)htonl(a->s6_addr32[3]);
+++
+++ b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) | (uint64_t)htonl(b->s6_addr32[1]);
+++ b_low = ((uint64_t)htonl(b->s6_addr32[2]) << 32) | (uint64_t)htonl(b->s6_addr32[3]);
+++
+++ if (a_high > b_high)
+++ return 1;
+++ if (a_high < b_high)
+++ return -1;
+++
+++ if (a_low > b_low)
+++ return 1;
+++ if (a_low < b_low)
+++ return -1;
+++
+++ return 0;
+++}
+++
+++/*
+++ * IPv6 See if the address we have matches the current match entry
+++ */
+++
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++{
+++ struct sockaddr_in6 *ip_to_check;
+++ struct sockaddr_in6 *match1;
+++ struct sockaddr_in6 *match2;
+++ int i;
+++
+++ ip_to_check = (struct sockaddr_in6 *)checkip;
+++ match1 = (struct sockaddr_in6 *)&match_entry->addr1;
+++ match2 = (struct sockaddr_in6 *)&match_entry->addr2;
+++
+++ switch(match_entry->type) {
+++ case CHECK_TYPE_ADDRESS:
+++ if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
+++ return 1;
+++ break;
+++
+++ case CHECK_TYPE_MASK:
+++ /*
+++ * Note that this little loop will quit early if there is a non-match so the
+++ * comparison might look backwards compared to the IPv4 one
+++ */
+++ for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
+++ if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
+++ match1->sin6_addr.s6_addr32[i])
+++ return 0;
+++ }
+++ return 1;
+++ case CHECK_TYPE_RANGE:
+++ if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
+++ (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
+++ return 1;
+++ break;
+++ }
+++ return 0;
+++}
+++
+++
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++{
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++ int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++
+++ if (checkip->ss_family == AF_INET){
+++ match_fn = ip_matches_v4;
+++ } else {
+++ match_fn = ip_matches_v6;
+++ }
+++
+++ while (match_entry) {
+++ if (match_fn(checkip, match_entry)) {
+++ if (match_entry->acceptreject == CHECK_ACCEPT)
+++ return 1;
+++ else
+++ return 0;
+++ }
+++ match_entry = match_entry->next;
+++ }
+++ return 0; /* Default reject */
+++}
+++
+++/*
+++ * Routines to manuipulate access lists
+++ */
+++
+++void ipcheck_rmall(struct acl_match_entry **match_entry_head)
+++{
+++ struct acl_match_entry *next_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ while (match_entry) {
+++ next_match_entry = match_entry->next;
+++ free(match_entry);
+++ match_entry = next_match_entry;
+++ }
+++ *match_entry_head = NULL;
+++}
+++
+++static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ while (match_entry) {
+++ if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
+++ (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++ (match_entry->type == type) &&
+++ (match_entry->acceptreject == acceptreject)) {
+++ return match_entry;
+++ }
+++ match_entry = match_entry->next;
+++ }
+++
+++ return NULL;
+++}
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ struct acl_match_entry *next_match_entry = NULL;
+++ struct acl_match_entry *rm_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++ if (!rm_match_entry) {
+++ return -1;
+++ }
+++
+++ while (match_entry) {
+++ next_match_entry = match_entry->next;
+++ /*
+++ * we are removing the list head, be careful
+++ */
+++ if (rm_match_entry == match_entry) {
+++ *match_entry_head = next_match_entry;
+++ free(match_entry);
+++ break;
+++ }
+++ /*
+++ * the next one is the one we need to remove
+++ */
+++ if (rm_match_entry == next_match_entry) {
+++ match_entry->next = next_match_entry->next;
+++ free(next_match_entry);
+++ break;
+++ }
+++ match_entry = next_match_entry;
+++ }
+++
+++ return 0;
+++}
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ struct acl_match_entry *new_match_entry;
+++ struct acl_match_entry *match_entry = *match_entry_head;
+++
+++ if (!ip1) {
+++ return -1;
+++ }
+++
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++ return -1;
+++ }
+++
+++ if (type == CHECK_TYPE_RANGE &&
+++ (ip1->ss_family != ip2->ss_family))
+++ return -1;
+++
+++ if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++ return -1;
+++ }
+++
+++ new_match_entry = malloc(sizeof(struct acl_match_entry));
+++ if (!new_match_entry)
+++ return -1;
+++
+++ memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
+++ memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
+++ new_match_entry->type = type;
+++ new_match_entry->acceptreject = acceptreject;
+++ new_match_entry->next = NULL;
+++
+++ if (match_entry) {
+++ /* Find the end of the list */
+++ /* is this OK, or should we use a doubly-linked list or bulk-load API call? */
+++ while (match_entry->next) {
+++ match_entry = match_entry->next;
+++ }
+++ match_entry->next = new_match_entry;
+++ } else {
+++ /*
+++ * first entry in the list
+++ */
+++ *match_entry_head = new_match_entry;
+++ }
+++
+++ return 0;
+++}
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 133cd5a..8d9f4e0 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -16,6 +16,7 @@
++
++ #include "internals.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++
++ static struct acl_match_entry *match_entry_v4;
++ static struct acl_match_entry *match_entry_v6;
++@@ -105,8 +106,8 @@ static int load_file(void)
++ struct sockaddr_storage addr1;
++ struct sockaddr_storage addr2;
++
++- check_rmall(&match_entry_v4);
++- check_rmall(&match_entry_v6);
+++ ipcheck_rmall(&match_entry_v4);
+++ ipcheck_rmall(&match_entry_v6);
++
++ filterfile = fopen("int_links_acl.txt", "r");
++ if (!filterfile) {
++@@ -202,7 +203,7 @@ int main(int argc, char *argv[])
++ }
++ }
++
++- check_rmall(&match_entry_v4);
++- check_rmall(&match_entry_v6);
+++ ipcheck_rmall(&match_entry_v4);
+++ ipcheck_rmall(&match_entry_v6);
++ return 0;
++ }
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 833938d..06a0168 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -721,27 +721,6 @@ out_pmtud:
++ }
++ }
++
++-/*
++- * return 0 to reject and 1 to accept a packet
++- */
++-static int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
++-{
++- switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
++- case LOOPBACK:
++- return 1;
++- break;
++- case IP_PROTO:
++- return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, msg->msg_hdr.msg_name);
++- break;
++- default:
++- break;
++- }
++- /*
++- * reject by default
++- */
++- return 0;
++-}
++-
++ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
++ {
++ int err, savederrno;
++@@ -829,13 +808,13 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ */
++ if ((knet_h->use_access_lists) &&
++ (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++- if (!_generic_filter_packet_by_acl(knet_h, sockfd, &msg[i])) {
+++ if (!_generic_filter_packet_by_acl(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
++ char src_ipaddr[KNET_MAX_HOST_LEN];
++ char src_port[KNET_MAX_PORT_LEN];
++
++ memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
++ memset(src_port, 0, KNET_MAX_PORT_LEN);
++- knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+++ knet_addrtostr(msg[i].msg_hdr.msg_name, sockaddr_len(msg[i].msg_hdr.msg_name),
++ src_ipaddr, KNET_MAX_HOST_LEN,
++ src_port, KNET_MAX_PORT_LEN);
++
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 0d69a33..ce3e98e 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -20,6 +20,7 @@
++ #include "host.h"
++ #include "links.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++ #include "logging.h"
++ #include "common.h"
++ #include "transport_common.h"
++@@ -730,12 +731,13 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ addr_str, port_str);
++ if (knet_h->use_access_lists) {
++- if (!ipcheck_validate(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry, &ss)) {
+++ if (!_generic_filter_packet_by_acl(knet_h, listen_sock, &ss)) {
++ savederrno = EINVAL;
++ err = -1;
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
++ close(new_fd);
++- goto exit_error;
+++ errno = savederrno;
+++ return;
++ }
++ }
++
++@@ -946,8 +948,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ */
++ knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ err = check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ if (err) {
++ return NULL;
++ }
++@@ -1005,8 +1007,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ goto exit_error;
++ }
++
++- if (ipcheck_addip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ if (check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
++ savederrno = errno;
++ err = -1;
++ log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
++@@ -1036,8 +1038,8 @@ exit_error:
++ if (info->on_listener_epoll) {
++ epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ }
++- ipcheck_rmip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++ check_rm(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ if (listen_sock >= 0) {
++ close(listen_sock);
++ }
++@@ -1076,8 +1078,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ }
++ }
++
++- if (ipcheck_rmip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
++- &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++ if (check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++ &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
++ }
++
++@@ -1111,7 +1113,7 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ goto exit_error;
++ }
++
++- check_rmall(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry);
+++ check_rmall(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP);
++
++ close(info->listen_sock);
++
+diff --git a/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch b/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+new file mode 100644
+index 0000000..7fd5b1c
+--- /dev/null
++++ b/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+@@ -0,0 +1,70 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:29:07 +0100
++Subject: [access lists] remove 2 unnecessary wrappers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f5cba0f7608bed1e142f30c9e04e05b4ba56606c)
++---
++ libknet/links_acl.h | 3 ---
++ libknet/links.c | 8 ++++++--
++ libknet/links_acl.c | 12 ------------
++ 3 files changed, 6 insertions(+), 17 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 0ad50e6..b083753 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -39,7 +39,4 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++ int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-
++ #endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 07ef26e..1693df6 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,7 +245,9 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ (link->dynamic == KNET_LINK_STATIC)) {
++ log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ host_id, link_id, link->outsock);
++- if (_link_add_default_acl(knet_h, link) < 0) {
+++ if (check_add(knet_h, link->outsock, transport,
+++ &link->dst_addr, &link->dst_addr,
+++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ savederrno = errno;
++ err = -1;
++@@ -426,7 +428,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ */
++ if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
++ (link->dynamic == KNET_LINK_STATIC)) {
++- if (_link_rm_default_acl(knet_h, link) < 0) {
+++ if (check_rm(knet_h, link->outsock, link->transport_type,
+++ &link->dst_addr, &link->dst_addr,
+++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ err = -1;
++ savederrno = EBUSY;
++ log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 520a934..93cc5af 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -91,15 +91,3 @@ int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *ch
++ */
++ return 0;
++ }
++-
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++- return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
++- &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
+diff --git a/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch b/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+new file mode 100644
+index 0000000..a4628d7
+--- /dev/null
++++ b/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+@@ -0,0 +1,219 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 28 Feb 2019 08:22:43 +0100
++Subject: [access lists] rename ip1/2 to ss1/2 to keep it more generic
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 118c7c415fbe9e47137c34607f26ac9b5b42fbf4)
++---
++ libknet/links_acl.h | 8 ++++----
++ libknet/links_acl_ip.h | 4 ++--
++ libknet/links_acl_loopback.h | 4 ++--
++ libknet/links_acl.c | 8 ++++----
++ libknet/links_acl_ip.c | 24 ++++++++++++------------
++ libknet/links_acl_loopback.c | 4 ++--
++ 6 files changed, 26 insertions(+), 26 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index cc4fdaf..a64faa1 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -28,21 +28,21 @@ typedef struct {
++ int (*protocheck_validate) (void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++ int (*protocheck_add) (void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ int (*protocheck_rm) (void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ void (*protocheck_rmall) (void *fd_tracker_match_entry_head);
++ } check_ops_t;
++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index c475db9..e069b99 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -15,11 +15,11 @@
++ int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++ int ipcheck_addip(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ void ipcheck_rmall(void *fd_tracker_match_entry_head);
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index 0f86222..73a9704 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -15,11 +15,11 @@
++ int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++
++ int loopbackcheck_add(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject);
++
++ void loopbackcheck_rmall(void *fd_tracker_match_entry_head);
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index a941dde..0b1fcd0 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -32,21 +32,21 @@ static check_ops_t proto_check_modules_cmds[] = {
++ */
++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++- ip1, ip2, type, acceptreject);
+++ ss1, ss2, type, acceptreject);
++ }
++
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm(
++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++- ip1, ip2, type, acceptreject);
+++ ss1, ss2, type, acceptreject);
++ }
++
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index e72a382..2682a70 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -185,14 +185,14 @@ void ipcheck_rmall(void *fd_tracker_match_entry_head)
++ }
++
++ static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++ while (match_entry) {
++- if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++- (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++ if ((!memcmp(&match_entry->addr1, ss1, sizeof(struct sockaddr_storage))) &&
+++ (!memcmp(&match_entry->addr2, ss2, sizeof(struct sockaddr_storage))) &&
++ (match_entry->type == type) &&
++ (match_entry->acceptreject == acceptreject)) {
++ return match_entry;
++@@ -204,7 +204,7 @@ static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **
++ }
++
++ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++@@ -212,7 +212,7 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ struct ip_acl_match_entry *rm_match_entry;
++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++- rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++ rm_match_entry = ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject);
++ if (!rm_match_entry) {
++ errno = ENOENT;
++ return -1;
++@@ -243,30 +243,30 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ }
++
++ int ipcheck_addip(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++ struct ip_acl_match_entry *new_match_entry;
++ struct ip_acl_match_entry *match_entry = *match_entry_head;
++
++- if (!ip1) {
+++ if (!ss1) {
++ errno = EINVAL;
++ return -1;
++ }
++
++- if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++ if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ errno = EINVAL;
++ return -1;
++ }
++
++ if (type == CHECK_TYPE_RANGE &&
++- (ip1->ss_family != ip2->ss_family)) {
+++ (ss1->ss_family != ss2->ss_family)) {
++ errno = EINVAL;
++ return -1;
++ }
++
++- if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++ if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) {
++ errno = EEXIST;
++ return -1;
++ }
++@@ -276,8 +276,8 @@ int ipcheck_addip(void *fd_tracker_match_entry_head,
++ return -1;
++ }
++
++- memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++- memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
+++ memmove(&new_match_entry->addr1, ss1, sizeof(struct sockaddr_storage));
+++ memmove(&new_match_entry->addr2, ss2, sizeof(struct sockaddr_storage));
++ new_match_entry->type = type;
++ new_match_entry->acceptreject = acceptreject;
++ new_match_entry->next = NULL;
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 42559f3..bb69130 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -27,14 +27,14 @@ void loopbackcheck_rmall(void *fd_tracker_match_entry_head)
++ }
++
++ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ return 0;
++ }
++
++ int loopbackcheck_add(void *fd_tracker_match_entry_head,
++- struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++ return 0;
+diff --git a/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch b/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+new file mode 100644
+index 0000000..91c2bb8
+--- /dev/null
++++ b/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+@@ -0,0 +1,50 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 5 Mar 2019 05:16:29 +0100
++Subject: [access lists] test implicit access lists management for UDP,
++ SCTP and LOOPBACK
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dc7731abeff323785291207b91d23173bf0bb458)
++---
++ libknet/tests/api_knet_send.c | 8 ++++++++
++ libknet/tests/api_knet_send_loopback.c | 8 ++++++++
++ 2 files changed, 16 insertions(+)
++
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index 1c55db1..9e81d03 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -145,6 +145,14 @@ static void test(uint8_t transport)
++
++ printf("Test knet_send with valid data\n");
++
+++ if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++ printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
++ if (knet_handle_enable_sock_notify(knet_h, &private_data, sock_notify) < 0) {
++ printf("knet_handle_enable_sock_notify failed: %s\n", strerror(errno));
++ knet_handle_free(knet_h);
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 16a4624..0cfd29f 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -168,6 +168,14 @@ static void test(void)
++ flush_logs(logfds[0], stdout);
++ printf("Test knet_send with valid data\n");
++
+++ if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++ printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
++ if (knet_link_clear_config(knet_h, 1, 0) < 0) {
++ printf("Failed to clear existing UDP link: %s\n", strerror(errno));
++ knet_host_remove(knet_h, 1);
+diff --git a/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch b/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+new file mode 100644
+index 0000000..bb00a3f
+--- /dev/null
++++ b/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+@@ -0,0 +1,309 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 13:34:11 +0100
++Subject: [access lists] use arrays to access per-protocol functions
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ce8b773ed76102719c1e4a8859854e01a250b482)
++---
++ libknet/Makefile.am | 2 ++
++ libknet/tests/Makefile.am | 3 +-
++ libknet/internals.h | 8 ++---
++ libknet/links_acl.h | 16 ++++++++++
++ libknet/links_acl_loopback.h | 27 +++++++++++++++++
++ libknet/links_acl.c | 71 ++++++++++----------------------------------
++ libknet/links_acl_loopback.c | 41 +++++++++++++++++++++++++
++ libknet/transports.c | 6 ++--
++ 8 files changed, 110 insertions(+), 64 deletions(-)
++ create mode 100644 libknet/links_acl_loopback.h
++ create mode 100644 libknet/links_acl_loopback.c
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index b60427c..0be4fff 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -33,6 +33,7 @@ sources = \
++ links.c \
++ links_acl.c \
++ links_acl_ip.c \
+++ links_acl_loopback.c \
++ logging.c \
++ netutils.c \
++ threads_common.c \
++@@ -65,6 +66,7 @@ noinst_HEADERS = \
++ links.h \
++ links_acl.h \
++ links_acl_ip.h \
+++ links_acl_loopback.h \
++ logging.h \
++ netutils.h \
++ onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 2f22293..eae5c80 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -79,7 +79,8 @@ int_links_acl_test_SOURCES = int_links_acl.c \
++ ../transport_sctp.c \
++ ../transport_udp.c \
++ ../links_acl.c \
++- ../links_acl_ip.c
+++ ../links_acl_ip.c \
+++ ../links_acl_loopback.c
++
++ int_timediff_test_SOURCES = int_timediff.c
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 27eea2a..d482674 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -265,10 +265,8 @@ extern pthread_rwlock_t shlib_rwlock; /* global shared lib load lock */
++ * to use for access lists and other operations
++ */
++
++-typedef enum {
++- LOOPBACK,
++- IP_PROTO
++-} transport_proto;
+++#define TRANSPORT_PROTO_LOOPBACK 0
+++#define TRANSPORT_PROTO_IP_PROTO 1
++
++ /*
++ * some transports like SCTP can filter incoming
++@@ -299,7 +297,7 @@ typedef struct knet_transport_ops {
++ const uint8_t transport_id;
++ const uint8_t built_in;
++
++- transport_proto transport_protocol;
+++ uint8_t transport_protocol;
++ transport_acl transport_acl_type;
++
++ /*
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 84ae6b9..cc4fdaf 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -22,6 +22,22 @@ typedef enum {
++ CHECK_REJECT
++ } check_acceptreject_t;
++
+++typedef struct {
+++ uint8_t transport_proto;
+++
+++ int (*protocheck_validate) (void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
+++
+++ int (*protocheck_add) (void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++ int (*protocheck_rm) (void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++ void (*protocheck_rmall) (void *fd_tracker_match_entry_head);
+++} check_ops_t;
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++new file mode 100644
++index 0000000..0f86222
++--- /dev/null
+++++ b/libknet/links_acl_loopback.h
++@@ -0,0 +1,27 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#ifndef __KNET_LINKS_ACL_LOOPBACK_H__
+++#define __KNET_LINKS_ACL_LOOPBACK_H__
+++
+++#include "internals.h"
+++#include "links_acl.h"
+++
+++int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
+++
+++int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++int loopbackcheck_rm(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject);
+++
+++void loopbackcheck_rmall(void *fd_tracker_match_entry_head);
+++
+++#endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index f2c772d..a941dde 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -19,6 +19,12 @@
++ #include "transport_common.h"
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
+++#include "links_acl_loopback.h"
+++
+++static check_ops_t proto_check_modules_cmds[] = {
+++ { TRANSPORT_PROTO_LOOPBACK, loopbackcheck_validate, loopbackcheck_add, loopbackcheck_rm, loopbackcheck_rmall },
+++ { TRANSPORT_PROTO_IP_PROTO, ipcheck_validate, ipcheck_addip, ipcheck_rmip, ipcheck_rmall }
+++};
++
++ /*
++ * all those functions will return errno from the
++@@ -29,56 +35,24 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, transport)) {
++- case LOOPBACK:
++- errno = 0;
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++- ip1, ip2, type, acceptreject);
++- break;
++- default:
++- break;
++- }
++- return err;
+++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
+++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++ ip1, ip2, type, acceptreject);
++ }
++
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ check_type_t type, check_acceptreject_t acceptreject)
++ {
++- int err = -1;
++-
++- switch(transport_get_proto(knet_h, transport)) {
++- case LOOPBACK:
++- errno = 0;
++- err = 0;
++- break;
++- case IP_PROTO:
++- err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++- ip1, ip2, type, acceptreject);
++- break;
++- default:
++- break;
++- }
++- return err;
+++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm(
+++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++ ip1, ip2, type, acceptreject);
++ }
++
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ {
++- switch(transport_get_proto(knet_h, transport)) {
++- case LOOPBACK:
++- return;
++- break;
++- case IP_PROTO:
++- ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++- break;
++- default:
++- break;
++- }
+++ proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rmall(
+++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++ }
++
++ /*
++@@ -86,19 +60,6 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ */
++ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
++ {
++- switch(transport_get_proto(knet_h, transport)) {
++- case LOOPBACK:
++- errno = 0;
++- return 1;
++- break;
++- case IP_PROTO:
++- return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++- break;
++- default:
++- break;
++- }
++- /*
++- * reject by default
++- */
++- return 0;
+++ return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_validate(
+++ &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++ }
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++new file mode 100644
++index 0000000..42559f3
++--- /dev/null
+++++ b/libknet/links_acl_loopback.c
++@@ -0,0 +1,41 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl.h"
+++#include "links_acl_loopback.h"
+++
+++int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip)
+++{
+++ return 1;
+++}
+++
+++void loopbackcheck_rmall(void *fd_tracker_match_entry_head)
+++{
+++ return;
+++}
+++
+++int loopbackcheck_rm(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ return 0;
+++}
+++
+++int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++ struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++ check_type_t type, check_acceptreject_t acceptreject)
+++{
+++ return 0;
+++}
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 69ea091..6ded675 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -30,11 +30,11 @@
++ #define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++- { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++- { "UDP", KNET_TRANSPORT_UDP, 1, IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++ { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++ { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ { "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++- 1, IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++ 1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
+diff --git a/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch b/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+new file mode 100644
+index 0000000..cbba12f
+--- /dev/null
++++ b/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+@@ -0,0 +1,95 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 12:12:09 +0100
++Subject: [access lists] use better name for fd_tracker structure
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit bc25626d5585ac267029470cf518852017d3740b)
++---
++ libknet/internals.h | 10 +++++-----
++ libknet/links_acl.c | 8 ++++----
++ libknet/tests/api_knet_link_set_config.c | 4 ++--
++ 3 files changed, 11 insertions(+), 11 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 2135fb8..27eea2a 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -130,11 +130,11 @@ struct knet_sock {
++ };
++
++ struct knet_fd_trackers {
++- uint8_t transport; /* transport type (UDP/SCTP...) */
++- uint8_t data_type; /* internal use for transport to define what data are associated
++- * to this fd */
++- void *data; /* pointer to the data */
++- void *match_entry; /* pointer to access list match_entry list head */
+++ uint8_t transport; /* transport type (UDP/SCTP...) */
+++ uint8_t data_type; /* internal use for transport to define what data are associated
+++ * to this fd */
+++ void *data; /* pointer to the data */
+++ void *access_list_match_entry_head; /* pointer to access list match_entry list head */
++ };
++
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index b1d7ab4..f2c772d 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -37,7 +37,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -58,7 +58,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ err = 0;
++ break;
++ case IP_PROTO:
++- err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++ err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++ ip1, ip2, type, acceptreject);
++ break;
++ default:
++@@ -74,7 +74,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ return;
++ break;
++ case IP_PROTO:
++- ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++ ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++ break;
++ default:
++ break;
++@@ -92,7 +92,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ return 1;
++ break;
++ case IP_PROTO:
++- return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
+++ return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++ break;
++ default:
++ break;
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index 5fed9be..b96c628 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -145,7 +145,7 @@ static void test(void)
++ host = knet_h->host_index[1];
++ link = &host->link[0];
++
++- if (knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++ if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
++ printf("found access lists for dynamic dst_addr!\n");
++ knet_link_clear_config(knet_h, 1, 0);
++ knet_host_remove(knet_h, 1);
++@@ -262,7 +262,7 @@ static void test(void)
++ host = knet_h->host_index[1];
++ link = &host->link[0];
++
++- if (!knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++ if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
++ printf("Unable to find default access lists for static dst_addr!\n");
++ knet_link_clear_config(knet_h, 1, 0);
++ knet_host_remove(knet_h, 1);
+diff --git a/debian/patches/acl-Fix-English-in-commments.patch b/debian/patches/acl-Fix-English-in-commments.patch
+new file mode 100644
+index 0000000..7e55364
+--- /dev/null
++++ b/debian/patches/acl-Fix-English-in-commments.patch
+@@ -0,0 +1,106 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Thu, 7 Mar 2019 10:04:41 +0000
++Subject: acl: Fix English in commments
++
++(cherry picked from commit e9b656bebb0615c2b2419929cadfb71e3941af34)
++---
++ libknet/internals.h | 2 +-
++ libknet/libknet.h | 27 ++++++++++++++-------------
++ 2 files changed, 15 insertions(+), 14 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 8976a8c..12f613c 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -132,7 +132,7 @@ struct knet_sock {
++ struct knet_fd_trackers {
++ uint8_t transport; /* transport type (UDP/SCTP...) */
++ uint8_t data_type; /* internal use for transport to define what data are associated
++- * to this fd */
+++ * with this fd */
++ void *data; /* pointer to the data */
++ void *access_list_match_entry_head; /* pointer to access list match_entry list head */
++ };
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d616e11..50ed70d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -523,15 +523,16 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++ *
++ * knet will automatically generate access lists for point to point links.
++ *
++- * For open links, knet provides 3 API calls to manipulate access lists:
++- * knet_link_add_acl(3), knet_link_rm_acl(3) and knet_link_clear_acl(3).
++- * Those API calls will work only and exclusively on open links as they
++- * provide no use for point to point links.
+++ * For open links, knet provides 4 API calls to manipulate access lists:
+++ * knet_link_add_acl(3), knet_link_rm_acl(3), knet_link_insert_acl(3)
+++ * and knet_link_clear_acl(3).
+++ * Those API calls will work exclusively on open links as they
+++ * are of no use on point to point links.
++ *
++ * knet will not enforce any access list unless specifically enabled by
++ * knet_handle_enable_access_lists(3).
++ *
++- * From a security / programming perspective we recommend to:
+++ * From a security / programming perspective we recommend:
++ * - create the knet handle
++ * - enable access lists
++ * - configure hosts and links
++@@ -1478,13 +1479,13 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
++
++ /*
++- * access lists management for open links
+++ * Access lists management for open links
++ * see also knet_handle_enable_access_lists(3)
++ */
++
++ /*
++ * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
++- * for example: 10.1.9.3/32
+++ * for example: 10.1.9.3
++ * and the entry is stored in ss1. ss2 can be NULL.
++ *
++ * CHECK_TYPE_MASK is used to configure network/netmask.
++@@ -1495,9 +1496,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * for example: 172.16.0.1-172.16.0.10
++ * the start is stored in ss1 and the end in ss2.
++ *
++- * Please be aware that the above examples refers only to IP based protocols.
+++ * Please be aware that the above examples refer only to IP based protocols.
++ * Other protocols might use ss1 and ss2 in slightly different ways.
++- * At the moment knet only supports IP based protocol and that might change
+++ * At the moment knet only supports IP based protocol, though that might change
++ * in the future.
++ */
++
++@@ -1531,7 +1532,7 @@ typedef enum {
++ *
++ * IMPORTANT: the order in which access lists are added is critical and it
++ * is left to the user to add them in the right order. knet
++- * will do no attempt to logically sort them.
+++ * will not attempt to logically sort them.
++ *
++ * For example:
++ * 1 - accept from 10.0.0.0/8
++@@ -1568,7 +1569,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++ * link_id - see knet_link_set_config(3)
++ *
++ * index - insert at position "index" where 0 is the first entry and -1
++- * append to the current list.
+++ * appends to the current list.
++ *
++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++ *
++@@ -1597,8 +1598,8 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ *
++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++ *
++- * IMPORTANT: the data passed to this API call must match exactly the ones used
++- * in knet_link_add_acl(3).
+++ * IMPORTANT: the data passed to this API call must match exactly that passed
+++ * to knet_link_add_acl(3).
++ *
++ * @return
++ * knet_link_rm_acl
+diff --git a/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch b/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+new file mode 100644
+index 0000000..683d8e6
+--- /dev/null
++++ b/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+@@ -0,0 +1,235 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 8 Feb 2019 14:29:50 +0100
++Subject: [acl] add knet_handle_enable_access_lists api call
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 2a325c9fc388c91fd9969378d5822db87b9d364b)
++---
++ libknet/internals.h | 1 +
++ libknet/libknet.h | 22 +++++
++ libknet/handle.c | 36 ++++++++
++ .../tests/api_knet_handle_enable_access_lists.c | 100 +++++++++++++++++++++
++ libknet/tests/api-check.mk | 4 +
++ 5 files changed, 163 insertions(+)
++ create mode 100644 libknet/tests/api_knet_handle_enable_access_lists.c
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 57da5b4..d33646f 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -158,6 +158,7 @@ struct knet_handle {
++ int send_to_links_epollfd;
++ int recv_from_links_epollfd;
++ int dst_link_handler_epollfd;
+++ uint8_t use_access_lists; /* set to 0 for disable, 1 for enable */
++ unsigned int pmtud_interval;
++ unsigned int data_mtu; /* contains the max data size that we can send onwire
++ * without frags */
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index c7f44d7..4283afe 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -502,6 +502,28 @@ int knet_handle_enable_filter(knet_handle_t knet_h,
++
++ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++
+++/**
+++ * knet_handle_enable_access_lists
+++ *
+++ * @brief Start packet forwarding
+++ *
+++ * knet_h - pointer to knet_handle_t
+++ *
+++ * enable - set to 1 to use ip access lists, 0 to disable ip access_lists.
+++ *
+++ * @return
+++ * knet_handle_enable_access_lists returns
+++ * 0 on success
+++ * -1 on error and errno is set.
+++ *
+++ * By default access lists usage is off, but default internal access lists
+++ * will be populated regardless, but not enforced. TODO add long explanation
+++ * on internal access lists for point to point connections vs global
+++ * listeners etc.
+++ */
+++
+++int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
+++
++ #define KNET_PMTUD_DEFAULT_INTERVAL 60
++
++ /**
++diff --git a/libknet/handle.c b/libknet/handle.c
++index b7aa2fd..6cd49f5 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1186,6 +1186,42 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled)
++ return 0;
++ }
++
+++int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled)
+++{
+++ int savederrno = 0;
+++
+++ if (!knet_h) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ if (enabled > 1) {
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ savederrno = get_global_wrlock(knet_h);
+++ if (savederrno) {
+++ log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+++ strerror(savederrno));
+++ errno = savederrno;
+++ return -1;
+++ }
+++
+++ knet_h->use_access_lists = enabled;
+++
+++ if (enabled) {
+++ log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are enabled");
+++ } else {
+++ log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are disabled");
+++ }
+++
+++ pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++ errno = 0;
+++ return 0;
+++}
+++
++ int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval)
++ {
++ int savederrno = 0;
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++new file mode 100644
++index 0000000..fc3bcc1
++--- /dev/null
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -0,0 +1,100 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++
+++#include "libknet.h"
+++#include "internals.h"
+++
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++ knet_handle_t knet_h;
+++ int logfds[2];
+++
+++ printf("Test knet_handle_enable_access_lists with invalid knet_h\n");
+++
+++ if ((!knet_handle_enable_access_lists(NULL, 0)) || (errno != EINVAL)) {
+++ printf("knet_handle_enable_access_lists accepted invalid knet_h parameter\n");
+++ exit(FAIL);
+++ }
+++
+++ setup_logpipes(logfds);
+++
+++ printf("Test knet_handle_enable_access_lists with invalid param (2) \n");
+++
+++ knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++ if ((!knet_handle_enable_access_lists(knet_h, 2)) || (errno != EINVAL)) {
+++ printf("knet_handle_enable_access_lists accepted invalid param for enabled: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_handle_enable_access_lists with valid param (1) \n");
+++
+++ if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++ printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_h->use_access_lists != 1) {
+++ printf("knet_handle_enable_access_lists failed to set correct value");
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_handle_enable_access_lists with valid param (0) \n");
+++
+++ if (knet_handle_enable_access_lists(knet_h, 0) < 0) {
+++ printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ if (knet_h->use_access_lists != 0) {
+++ printf("knet_handle_enable_access_lists failed to set correct value");
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++ test();
+++
+++ return PASS;
+++}
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 7beba53..247ed58 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -12,6 +12,7 @@ api_checks = \
++ api_knet_handle_compress_test \
++ api_knet_handle_crypto_test \
++ api_knet_handle_setfwd_test \
+++ api_knet_handle_enable_access_lists_test \
++ api_knet_handle_enable_filter_test \
++ api_knet_handle_enable_sock_notify_test \
++ api_knet_handle_add_datafd_test \
++@@ -87,6 +88,9 @@ api_knet_handle_crypto_test_SOURCES = api_knet_handle_crypto.c \
++ api_knet_handle_setfwd_test_SOURCES = api_knet_handle_setfwd.c \
++ test-common.c
++
+++api_knet_handle_enable_access_lists_test_SOURCES = api_knet_handle_enable_access_lists.c \
+++ test-common.c
+++
++ api_knet_handle_enable_filter_test_SOURCES = api_knet_handle_enable_filter.c \
++ test-common.c
++
+diff --git a/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch b/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+new file mode 100644
+index 0000000..c9a98b3
+--- /dev/null
++++ b/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+@@ -0,0 +1,186 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 5 Jan 2019 09:04:38 +0100
++Subject: [acl] move poc-code into libknet dir and rename to links_acl.*
++MIME-Version: 1.0
++Content-Type: text/plain; charset="utf-8"
++Content-Transfer-Encoding: 8bit
++
++code is not integrated yet and test suite can´t run standalone
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d7fb8af3a8be37f12e0149d49280762e2bdb9b16)
++---
++ .../tests/int_links_acl.txt | 0
++ configure.ac | 1 -
++ libknet/Makefile.am | 2 ++
++ libknet/tests/Makefile.am | 8 +++++++-
++ poc-code/Makefile.am | 2 +-
++ poc-code/access-list/Makefile.am | 22 ----------------------
++ .../access-list/ipcheck.h => libknet/links_acl.h | 0
++ .../access-list/ipcheck.c => libknet/links_acl.c | 2 +-
++ .../tests/int_links_acl.c | 6 +++---
++ 9 files changed, 14 insertions(+), 29 deletions(-)
++ rename poc-code/access-list/test_ipcheck.txt => libknet/tests/int_links_acl.txt (100%)
++ delete mode 100644 poc-code/access-list/Makefile.am
++ rename poc-code/access-list/ipcheck.h => libknet/links_acl.h (100%)
++ rename poc-code/access-list/ipcheck.c => libknet/links_acl.c (99%)
++ rename poc-code/access-list/test_ipcheck.c => libknet/tests/int_links_acl.c (96%)
++
++diff --git a/poc-code/access-list/test_ipcheck.txt b/libknet/tests/int_links_acl.txt
++similarity index 100%
++rename from poc-code/access-list/test_ipcheck.txt
++rename to libknet/tests/int_links_acl.txt
++diff --git a/configure.ac b/configure.ac
++index 9df6831..30c57f0 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -463,7 +463,6 @@ AC_CONFIG_FILES([
++ man/Doxyfile-nozzle
++ poc-code/Makefile
++ poc-code/iov-hash/Makefile
++- poc-code/access-list/Makefile
++ ])
++
++ if test "x$VERSION" = "xUNKNOWN"; then
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 906fd01..4ea42d9 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -31,6 +31,7 @@ sources = \
++ handle.c \
++ host.c \
++ links.c \
+++ links_acl.c \
++ logging.c \
++ netutils.c \
++ threads_common.c \
++@@ -61,6 +62,7 @@ noinst_HEADERS = \
++ host.h \
++ internals.h \
++ links.h \
+++ links_acl.h \
++ logging.h \
++ netutils.h \
++ onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index c00e624..f74cb04 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -13,7 +13,8 @@ include $(top_srcdir)/libknet/tests/api-check.mk
++
++ EXTRA_DIST = \
++ api-test-coverage \
++- api-check.mk
+++ api-check.mk \
+++ int_links_acl.txt
++
++ AM_CPPFLAGS = -I$(top_srcdir)/libknet
++ AM_CFLAGS += $(PTHREAD_CFLAGS)
++@@ -40,9 +41,11 @@ fun_checks =
++ benchmarks = \
++ knet_bench_test
++
+++# int_links_acl_test can´t run yet standalone
++ noinst_PROGRAMS = \
++ api_knet_handle_new_limit_test \
++ pckt_test \
+++ int_links_acl_test \
++ $(benchmarks) \
++ $(check_PROGRAMS)
++
++@@ -64,6 +67,9 @@ check-api-test-coverage:
++
++ pckt_test_SOURCES = pckt_test.c
++
+++int_links_acl_test_SOURCES = int_links_acl.c \
+++ ../links_acl.c
+++
++ int_timediff_test_SOURCES = int_timediff.c
++
++ knet_bench_test_SOURCES = knet_bench.c \
++diff --git a/poc-code/Makefile.am b/poc-code/Makefile.am
++index e1b1a73..15d12f7 100644
++--- a/poc-code/Makefile.am
+++++ b/poc-code/Makefile.am
++@@ -10,4 +10,4 @@ MAINTAINERCLEANFILES = Makefile.in
++
++ include $(top_srcdir)/build-aux/check.mk
++
++-SUBDIRS = access-list iov-hash
+++SUBDIRS = iov-hash
++diff --git a/poc-code/access-list/Makefile.am b/poc-code/access-list/Makefile.am
++deleted file mode 100644
++index 80c49c2..0000000
++--- a/poc-code/access-list/Makefile.am
+++++ /dev/null
++@@ -1,22 +0,0 @@
++-#
++-# Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++-#
++-# Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++-#
++-# This software licensed under GPL-2.0+, LGPL-2.0+
++-#
++-
++-MAINTAINERCLEANFILES = Makefile.in
++-
++-include $(top_srcdir)/build-aux/check.mk
++-
++-# override global LIBS that pulls in lots of craft we don't need here
++-LIBS =
++-
++-EXTRA_DIST = test_ipcheck.txt
++-
++-noinst_PROGRAMS = test_ipcheck
++-
++-noinst_HEADERS = ipcheck.h
++-
++-test_ipcheck_SOURCES = ipcheck.c test_ipcheck.c
++diff --git a/poc-code/access-list/ipcheck.h b/libknet/links_acl.h
++similarity index 100%
++rename from poc-code/access-list/ipcheck.h
++rename to libknet/links_acl.h
++diff --git a/poc-code/access-list/ipcheck.c b/libknet/links_acl.c
++similarity index 99%
++rename from poc-code/access-list/ipcheck.c
++rename to libknet/links_acl.c
++index 9774a46..e7b5602 100644
++--- a/poc-code/access-list/ipcheck.c
+++++ b/libknet/links_acl.c
++@@ -11,7 +11,7 @@
++ #include <stdint.h>
++ #include <string.h>
++ #include <malloc.h>
++-#include "ipcheck.h"
+++#include "links_acl.h"
++
++ struct ip_match_entry {
++ ipcheck_type_t type;
++diff --git a/poc-code/access-list/test_ipcheck.c b/libknet/tests/int_links_acl.c
++similarity index 96%
++rename from poc-code/access-list/test_ipcheck.c
++rename to libknet/tests/int_links_acl.c
++index 46a750b..27ac545 100644
++--- a/poc-code/access-list/test_ipcheck.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -14,7 +14,7 @@
++ #include <string.h>
++ #include <netdb.h>
++ #include <malloc.h>
++-#include "ipcheck.h"
+++#include "links_acl.h"
++
++ /* This is a test program .. remember! */
++ #define BUFLEN 1024
++@@ -103,9 +103,9 @@ static int load_file(void)
++
++ ipcheck_clear();
++
++- filterfile = fopen("test_ipcheck.txt", "r");
+++ filterfile = fopen("int_links_acl.txt", "r");
++ if (!filterfile) {
++- fprintf(stderr, "Cannot open test_ipcheck.txt\n");
+++ fprintf(stderr, "Cannot open int_links_acl.txt\n");
++ return 1;
++ }
++
+diff --git a/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch b/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+new file mode 100644
+index 0000000..a5aabe1
+--- /dev/null
++++ b/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+@@ -0,0 +1,23 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 9 May 2019 16:36:07 +0200
++Subject: [build] bump soname to indicate new API calls
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 460fca5e33d52c560e34b1edf60f350efb6023a5)
++---
++ libknet/Makefile.am | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 90ddfba..8adcc40 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -18,7 +18,7 @@ EXTRA_DIST = $(SYMFILE)
++ SUBDIRS = . tests
++
++ # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
++-libversion = 2:0:1
+++libversion = 3:0:2
++
++ # override global LIBS that pulls in lots of craft we don't need here
++ LIBS =
+diff --git a/debian/patches/compress-add-support-for-libzstd.patch b/debian/patches/compress-add-support-for-libzstd.patch
+new file mode 100644
+index 0000000..78b54fb
+--- /dev/null
++++ b/debian/patches/compress-add-support-for-libzstd.patch
+@@ -0,0 +1,342 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 10 Apr 2019 08:40:50 +0200
++Subject: [compress] add support for libzstd
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 592d0451494e815c4c8c74b914aaff69b640d1a2)
++---
++ configure.ac | 2 +
++ Makefile.am | 5 ++
++ libknet/Makefile.am | 7 +++
++ libknet/libknet.h | 1 +
++ kronosnet.spec.in | 29 +++++++++
++ libknet/compress.c | 1 +
++ libknet/compress_zstd.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++
++ libknet/logging.c | 1 +
++ 8 files changed, 206 insertions(+)
++ create mode 100644 libknet/compress_zstd.c
++
++diff --git a/configure.ac b/configure.ac
++index 30c57f0..501053e 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -124,6 +124,8 @@ AC_ARG_ENABLE([compress-all],
++ [AS_HELP_STRING([--disable-compress-all],[disable libknet all compress modules support])],,
++ [ enable_compress_all="yes" ])
++
+++KNET_OPTION_DEFINES([zstd],[compress],[PKG_CHECK_MODULES([libzstd], [libzstd])])
+++
++ KNET_OPTION_DEFINES([zlib],[compress],[PKG_CHECK_MODULES([zlib], [zlib])])
++ KNET_OPTION_DEFINES([lz4],[compress],[PKG_CHECK_MODULES([liblz4], [liblz4])])
++ KNET_OPTION_DEFINES([lzo2],[compress],[
++diff --git a/Makefile.am b/Makefile.am
++index 24a13a6..82cb1f5 100644
++--- a/Makefile.am
+++++ b/Makefile.am
++@@ -138,6 +138,11 @@ if BUILD_COMPRESS_BZIP2
++ else
++ sed -i -e "s#@bzip2@#bcond_with#g" $@-t
++ endif
+++if BUILD_COMPRESS_ZSTD
+++ sed -i -e "s#@zstd@#bcond_without#g" $@-t
+++else
+++ sed -i -e "s#@zstd@#bcond_with#g" $@-t
+++endif
++ if BUILD_KRONOSNETD
++ sed -i -e "s#@kronosnetd@#bcond_without#g" $@-t
++ else
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 0be4fff..90ddfba 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -103,6 +103,13 @@ pkglib_LTLIBRARIES =
++ # MODULE_LDFLAGS would mean a target-specific variable for Automake
++ MODULELDFLAGS = $(AM_LDFLAGS) -module -avoid-version -export-dynamic
++
+++if BUILD_COMPRESS_ZSTD
+++pkglib_LTLIBRARIES += compress_zstd.la
+++compress_zstd_la_LDFLAGS = $(MODULELDFLAGS)
+++compress_zstd_la_CFLAGS = $(AM_CFLAGS) $(libzstd_CFLAGS)
+++compress_zstd_la_LIBADD = $(libzstd_LIBS)
+++endif
+++
++ if BUILD_COMPRESS_ZLIB
++ pkglib_LTLIBRARIES += compress_zlib.la
++ compress_zlib_la_LDFLAGS = $(MODULELDFLAGS)
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d16eb5d..3098eab 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -2053,6 +2053,7 @@ int knet_link_get_status(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ #define KNET_SUB_LZO2COMP 73 /* compress_lzo.c */
++ #define KNET_SUB_LZMACOMP 74 /* compress_lzma.c */
++ #define KNET_SUB_BZIP2COMP 75 /* compress_bzip2.c */
+++#define KNET_SUB_ZSTDCOMP 76 /* compress_zstd.c */
++
++ #define KNET_SUB_UNKNOWN UINT8_MAX - 1
++ #define KNET_MAX_SUBSYSTEMS UINT8_MAX
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 2d4d059..442f3ae 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -24,6 +24,7 @@
++ %@lzo2@ lzo2
++ %@lzma@ lzma
++ %@bzip2@ bzip2
+++%@zstd@ zstd
++ %@kronosnetd@ kronosnetd
++ %@libnozzle@ libnozzle
++ %@runautogen@ runautogen
++@@ -60,6 +61,9 @@
++ %if %{with bzip2}
++ %global buildcompressbzip2 1
++ %endif
+++%if %{with zstd}
+++%global buildcompresszstd 1
+++%endif
++ %if %{with libnozzle}
++ %global buildlibnozzle 1
++ %endif
++@@ -123,6 +127,9 @@ BuildRequires: xz-devel
++ %if %{defined buildcompressbzip2}
++ BuildRequires: /usr/include/bzlib.h
++ %endif
+++%if %{defined buildcompresszstd}
+++BuildRequires: libzstd-devel
+++%endif
++ %if %{defined buildkronosnetd}
++ BuildRequires: pam-devel
++ %endif
++@@ -194,6 +201,11 @@ BuildRequires: libtool
++ %else
++ --disable-compress-bzip2 \
++ %endif
+++%if %{defined buildcompresszstd}
+++ --enable-compress-zstd \
+++%else
+++ --disable-compress-zstd \
+++%endif
++ %if %{defined buildkronosnetd}
++ --enable-kronosnetd \
++ %endif
++@@ -490,6 +502,20 @@ Requires: libknet1 = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++
+++%if %{defined buildcompresszstd}
+++%package -n libknet1-compress-zstd-plugin
+++Group: System Environment/Libraries
+++Summary: libknet1 zstd support
+++Requires: libknet1 = %{version}-%{release}
+++
+++%description -n libknet1-compress-zstd-plugin
+++ zstd compression support for libknet1.
+++
+++%files -n libknet1-compress-zstd-plugin
+++%defattr(-,root,root,-)
+++%{_libdir}/kronosnet/compress_zstd.so
+++%endif
+++
++ %package -n libknet1-crypto-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++@@ -523,6 +549,9 @@ Requires: libknet1-compress-lzma-plugin
++ %if %{defined buildcompressbzip2}
++ Requires: libknet1-compress-bzip2-plugin
++ %endif
+++%if %{defined buildcompresszstd}
+++Requires: libknet1-compress-zstd-plugin
+++%endif
++
++ %description -n libknet1-compress-plugins-all
++ meta package to install all of libknet1 compress plugins
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 278ff44..7eab454 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -40,6 +40,7 @@ static compress_model_t compress_modules_cmds[] = {
++ { "lzo2" , 4, WITH_COMPRESS_LZO2 , 0, NULL },
++ { "lzma" , 5, WITH_COMPRESS_LZMA , 0, NULL },
++ { "bzip2", 6, WITH_COMPRESS_BZIP2, 0, NULL },
+++ { "zstd" , 7, WITH_COMPRESS_ZSTD, 0, NULL },
++ { NULL, 255, 0, 0, NULL }
++ };
++
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++new file mode 100644
++index 0000000..6f9b499
++--- /dev/null
+++++ b/libknet/compress_zstd.c
++@@ -0,0 +1,160 @@
+++/*
+++ * Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+++ *
+++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++#define KNET_MODULE
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <zstd.h>
+++
+++#include "logging.h"
+++#include "compress_model.h"
+++
+++struct zstd_ctx {
+++ ZSTD_CCtx* cctx;
+++ ZSTD_DCtx* dctx;
+++};
+++
+++static int zstd_is_init(
+++ knet_handle_t knet_h,
+++ int method_idx)
+++{
+++ if (knet_h->compress_int_data[method_idx]) {
+++ return 1;
+++ }
+++ return 0;
+++}
+++
+++static void zstd_fini(
+++ knet_handle_t knet_h,
+++ int method_idx)
+++{
+++ struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++
+++ if (zstd_ctx) {
+++ if (zstd_ctx->cctx) {
+++ ZSTD_freeCCtx(zstd_ctx->cctx);
+++ }
+++ if (zstd_ctx->dctx) {
+++ ZSTD_freeDCtx(zstd_ctx->dctx);
+++ }
+++ free(knet_h->compress_int_data[method_idx]);
+++ knet_h->compress_int_data[method_idx] = NULL;
+++ }
+++ return;
+++}
+++
+++static int zstd_init(
+++ knet_handle_t knet_h,
+++ int method_idx)
+++{
+++ struct zstd_ctx *zstd_ctx;
+++ int err = 0;
+++
+++ if (!knet_h->compress_int_data[method_idx]) {
+++ zstd_ctx = malloc(sizeof(struct zstd_ctx));
+++ if (!zstd_ctx) {
+++ errno = ENOMEM;
+++ return -1;
+++ }
+++ memset(zstd_ctx, 0, sizeof(struct zstd_ctx));
+++
+++ zstd_ctx->cctx = ZSTD_createCCtx();
+++ if (!zstd_ctx->cctx) {
+++ log_err(knet_h, KNET_SUB_ZSTDCOMP, "Unable to create compression context");
+++ err = -1;
+++ goto out_err;
+++ }
+++
+++ zstd_ctx->dctx = ZSTD_createDCtx();
+++ if (!zstd_ctx->dctx) {
+++ log_err(knet_h, KNET_SUB_ZSTDCOMP, "Unable to create decompression context");
+++ err = -1;
+++ goto out_err;
+++ }
+++
+++ knet_h->compress_int_data[method_idx] = zstd_ctx;
+++ }
+++
+++out_err:
+++ if (err) {
+++ zstd_fini(knet_h, method_idx);
+++ }
+++ return err;
+++}
+++
+++static int zstd_compress(
+++ knet_handle_t knet_h,
+++ const unsigned char *buf_in,
+++ const ssize_t buf_in_len,
+++ unsigned char *buf_out,
+++ ssize_t *buf_out_len)
+++{
+++ struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++ size_t compress_size;
+++
+++ compress_size = ZSTD_compressCCtx(zstd_ctx->cctx,
+++ buf_out, *buf_out_len,
+++ buf_in, buf_in_len,
+++ knet_h->compress_level);
+++
+++ if (ZSTD_isError(compress_size)) {
+++ log_err(knet_h, KNET_SUB_ZSTDCOMP, "error compressing packet: %s", ZSTD_getErrorName(compress_size));
+++ /*
+++ * ZSTD has lots of internal errors that are not easy to map
+++ * to standard errnos. Use a generic one for now
+++ */
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ *buf_out_len = compress_size;
+++
+++ return 0;
+++}
+++
+++static int zstd_decompress(
+++ knet_handle_t knet_h,
+++ const unsigned char *buf_in,
+++ const ssize_t buf_in_len,
+++ unsigned char *buf_out,
+++ ssize_t *buf_out_len)
+++{
+++ struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++ size_t decompress_size;
+++
+++ decompress_size = ZSTD_decompressDCtx(zstd_ctx->dctx,
+++ buf_out, *buf_out_len,
+++ buf_in, buf_in_len);
+++
+++ if (ZSTD_isError(decompress_size)) {
+++ log_err(knet_h, KNET_SUB_ZSTDCOMP, "error decompressing packet: %s", ZSTD_getErrorName(decompress_size));
+++ /*
+++ * ZSTD has lots of internal errors that are not easy to map
+++ * to standard errnos. Use a generic one for now
+++ */
+++ errno = EINVAL;
+++ return -1;
+++ }
+++
+++ *buf_out_len = decompress_size;
+++
+++ return 0;
+++}
+++
+++compress_ops_t compress_model = {
+++ KNET_COMPRESS_MODEL_ABI,
+++ zstd_is_init,
+++ zstd_init,
+++ zstd_fini,
+++ NULL,
+++ zstd_compress,
+++ zstd_decompress
+++};
++diff --git a/libknet/logging.c b/libknet/logging.c
++index 98bcfd1..5c91257 100644
++--- a/libknet/logging.c
+++++ b/libknet/logging.c
++@@ -47,6 +47,7 @@ static struct pretty_names subsystem_names[] =
++ { "lzo2comp", KNET_SUB_LZO2COMP },
++ { "lzmacomp", KNET_SUB_LZMACOMP },
++ { "bzip2comp", KNET_SUB_BZIP2COMP },
+++ { "zstdcomp", KNET_SUB_ZSTDCOMP },
++ { "unknown", KNET_SUB_UNKNOWN } /* unknown MUST always be last in this array */
++ };
++
+diff --git a/debian/patches/crypto-fix-openssl1.0-initialization-code.patch b/debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+new file mode 100644
+index 0000000..e01d382
+--- /dev/null
++++ b/debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+@@ -0,0 +1,98 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 06:14:29 +0200
++Subject: [crypto] fix openssl1.0 initialization code
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 0b20488500e8d13f17b7f584bdc7a301f44dbfe1)
++---
++ libknet/crypto_openssl.c | 28 ++++++++++++++++------------
++ 1 file changed, 16 insertions(+), 12 deletions(-)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 5c7a74a..26acea8 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -12,6 +12,7 @@
++ #include <string.h>
++ #include <errno.h>
++ #include <dlfcn.h>
+++#include <stdlib.h>
++ #include <openssl/conf.h>
++ #include <openssl/evp.h>
++ #include <openssl/hmac.h>
++@@ -43,6 +44,8 @@ struct opensslcrypto_instance {
++ const EVP_MD *crypto_hash_type;
++ };
++
+++static int openssl_is_init = 0;
+++
++ /*
++ * crypt/decrypt functions openssl1.0
++ */
++@@ -438,6 +441,11 @@ static void openssl_internal_lock_cleanup(void)
++ return;
++ }
++
+++static void openssl_atexit_handler(void)
+++{
+++ openssl_internal_lock_cleanup();
+++}
+++
++ static int openssl_internal_lock_setup(void)
++ {
++ int savederrno = 0, err = 0;
++@@ -461,6 +469,9 @@ static int openssl_internal_lock_setup(void)
++ CRYPTO_set_id_callback((void *)openssl_internal_thread_id);
++ CRYPTO_set_locking_callback((void *)&openssl_internal_locking_callback);
++
+++ if (atexit(openssl_atexit_handler)) {
+++ err = -1;
+++ }
++ out:
++ if (err) {
++ openssl_internal_lock_cleanup();
++@@ -477,9 +488,6 @@ static void opensslcrypto_fini(
++ struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
++
++ if (opensslcrypto_instance) {
++-#ifdef BUILDCRYPTOOPENSSL10
++- openssl_internal_lock_cleanup();
++-#endif
++ if (opensslcrypto_instance->private_key) {
++ free(opensslcrypto_instance->private_key);
++ opensslcrypto_instance->private_key = NULL;
++@@ -496,7 +504,6 @@ static int opensslcrypto_init(
++ struct crypto_instance *crypto_instance,
++ struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++- static int openssl_is_init = 0;
++ struct opensslcrypto_instance *opensslcrypto_instance = NULL;
++ int savederrno;
++
++@@ -509,6 +516,11 @@ static int opensslcrypto_init(
++ #ifdef BUILDCRYPTOOPENSSL10
++ ERR_load_crypto_strings();
++ OPENSSL_add_all_algorithms_noconf();
+++ if (openssl_internal_lock_setup() < 0) {
+++ log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
+++ errno = EAGAIN;
+++ return -1;
+++ }
++ #endif
++ #ifdef BUILDCRYPTOOPENSSL11
++ if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
++@@ -521,14 +533,6 @@ static int opensslcrypto_init(
++ openssl_is_init = 1;
++ }
++
++-#ifdef BUILDCRYPTOOPENSSL10
++- if (openssl_internal_lock_setup() < 0) {
++- log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
++- errno = EAGAIN;
++- return -1;
++- }
++-#endif
++-
++ crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
++ if (!crypto_instance->model_instance) {
++ log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
+diff --git a/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch b/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+new file mode 100644
+index 0000000..5818833
+--- /dev/null
++++ b/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+@@ -0,0 +1,137 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 11:54:08 +0200
++Subject: [crypto] hide errors generated by openssl 1.1.1c
++
++see also:
++https://github.com/kronosnet/kronosnet/issues/226
++https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930061#12
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5333de6a056af75d12eb0a2cc2e46e7b2bbf9082)
++---
++ build-aux/knet_valgrind_memcheck.supp | 115 ++++++++++++++++++++++++++++++++++
++ 1 file changed, 115 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index a34ab93..92eabba 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -612,3 +612,118 @@
++ fun:malloc
++ fun:dl_open_worker
++ }
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Cond
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_generate
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_instantiate
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_get0_public
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:encrypt_openssl
+++ fun:opensslcrypto_encrypt_and_signv
+++ fun:opensslcrypto_encrypt_and_sign
+++ fun:_handle_check_each
+++ fun:_send_pings
+++ fun:_handle_heartbt_thread
+++ fun:start_thread
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Cond
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_generate
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_instantiate
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_get0_public
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:encrypt_openssl
+++ fun:opensslcrypto_encrypt_and_signv
+++ fun:opensslcrypto_encrypt_and_sign
+++ fun:_handle_check_each
+++ fun:_send_pings
+++ fun:_handle_heartbt_thread
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Cond
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_generate
+++ fun:RAND_DRBG_bytes
+++ fun:encrypt_openssl
+++ fun:opensslcrypto_encrypt_and_signv
+++ fun:opensslcrypto_encrypt_and_sign
+++ fun:_handle_check_each
+++ fun:_send_pings
+++ fun:_handle_heartbt_thread
+++ fun:start_thread
+++ fun:clone
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Cond
+++ obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++ fun:RAND_DRBG_generate
+++ fun:RAND_DRBG_bytes
+++ fun:encrypt_openssl
+++ fun:opensslcrypto_encrypt_and_signv
+++ fun:opensslcrypto_encrypt_and_sign
+++ fun:_handle_check_each
+++ fun:_send_pings
+++ fun:_handle_heartbt_thread
+++ fun:start_thread
+++ fun:clone
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Param
+++ socketcall.sendto(msg)
+++ fun:sendto
+++ fun:_handle_check_each
+++ fun:_send_pings
+++ fun:_handle_heartbt_thread
+++ fun:start_thread
+++ fun:clone
+++}
+++{
+++
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Param
+++ socketcall.sendto(msg)
+++ fun:sendto
+++ fun:_parse_recv_from_links
+++ fun:_handle_recv_from_links
+++ fun:_handle_recv_from_links_thread
+++ fun:start_thread
+++ fun:clone
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Param
+++ socketcall.sendto(msg)
+++ fun:sendto
+++ fun:_handle_check_link_pmtud
+++ fun:_handle_check_pmtud
+++ fun:_handle_pmtud_link_thread
+++ fun:start_thread
+++ fun:clone
+++}
+++{
+++ openssl 1.1.1c missing fix from master
+++ Memcheck:Param
+++ sendmsg(msg.msg_iov[0])
+++ fun:__libc_sendmsg
+++ fun:sendmsg
+++ fun:_sendmmsg
+++ fun:_dispatch_to_links
+++ fun:_parse_recv_from_sock
+++ fun:_handle_send_to_links
+++ fun:_handle_send_to_links_thread
+++ fun:start_thread
+++ fun:clone
+++}
+diff --git a/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch b/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+new file mode 100644
+index 0000000..0d373a8
+--- /dev/null
++++ b/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+@@ -0,0 +1,51 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:25:55 +0200
++Subject: [crypto] make sure to clear all security info on crypto_fini
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6888d04108a7eff36f4c562d464190e9886a073a)
++---
++ libknet/crypto.c | 4 ++++
++ libknet/crypto_nss.c | 1 -
++ libknet/crypto_openssl.c | 1 -
++ 3 files changed, 4 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 41d67c9..5d39048 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -178,6 +178,10 @@ void crypto_fini(
++ crypto_modules_cmds[model].ops->fini(knet_h);
++ }
++ free(knet_h->crypto_instance);
+++ knet_h->sec_header_size = 0;
+++ knet_h->sec_block_size = 0;
+++ knet_h->sec_hash_size = 0;
+++ knet_h->sec_salt_size = 0;
++ knet_h->crypto_instance = NULL;
++ }
++
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 640b560..cc83827 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -740,7 +740,6 @@ static void nsscrypto_fini(
++ }
++ free(nsscrypto_instance);
++ knet_h->crypto_instance->model_instance = NULL;
++- knet_h->sec_header_size = 0;
++ }
++
++ return;
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 03d1014..73058cc 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -485,7 +485,6 @@ static void opensslcrypto_fini(
++ }
++ free(opensslcrypto_instance);
++ knet_h->crypto_instance->model_instance = NULL;
++- knet_h->sec_header_size = 0;
++ }
++
++ return;
+diff --git a/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch b/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+new file mode 100644
+index 0000000..8c99023
+--- /dev/null
++++ b/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+@@ -0,0 +1,25 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:42:33 +0200
++Subject: [crypto] make sure to trigger a PMTUd rerun on each good crypto
++ config change
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c9edaa7b632ee853351730ad4dcad7471919bb91)
++---
++ libknet/handle.c | 3 +++
++ 1 file changed, 3 insertions(+)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index fd26bea..7009cc3 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1408,6 +1408,9 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++ }
++
++ exit_unlock:
+++ if (!err) {
+++ force_pmtud_run(knet_h, KNET_SUB_CRYPTO);
+++ }
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++ errno = err ? savederrno : 0;
++ return err;
+diff --git a/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch b/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+new file mode 100644
+index 0000000..cf918e1
+--- /dev/null
++++ b/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+@@ -0,0 +1,65 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 09:26:02 +0200
++Subject: =?utf-8?q?=5Bcrypto=5D_openssl=3A_drop_calls_to_RAND=5Fseed_as_th?=
++ =?utf-8?q?ey_don=C2=B4t_really_help_RNG?=
++
++See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930061#12 for reference
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a3c5adee1d30a751e76386ef31c1a817595bfd1b)
++---
++ libknet/crypto_openssl.c | 20 --------------------
++ 1 file changed, 20 deletions(-)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 615a9e5..999ed93 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -69,11 +69,6 @@ static int encrypt_openssl(
++
++ EVP_CIPHER_CTX_init(&ctx);
++
++- /*
++- * contribute to PRNG for each packet we send/receive
++- */
++- RAND_seed((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
++-
++ if (!RAND_bytes(salt, SALT_SIZE)) {
++ ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
++ log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
++@@ -130,11 +125,6 @@ static int decrypt_openssl (
++
++ EVP_CIPHER_CTX_init(&ctx);
++
++- /*
++- * contribute to PRNG for each packet we send/receive
++- */
++- RAND_seed(buf_in, buf_in_len);
++-
++ /*
++ * add warning re keylength
++ */
++@@ -181,11 +171,6 @@ static int encrypt_openssl(
++
++ ctx = EVP_CIPHER_CTX_new();
++
++- /*
++- * contribute to PRNG for each packet we send/receive
++- */
++- RAND_seed((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
++-
++ if (!RAND_bytes(salt, SALT_SIZE)) {
++ ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
++ log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
++@@ -248,11 +233,6 @@ static int decrypt_openssl (
++
++ ctx = EVP_CIPHER_CTX_new();
++
++- /*
++- * contribute to PRNG for each packet we send/receive
++- */
++- RAND_seed(buf_in, buf_in_len);
++-
++ /*
++ * add warning re keylength
++ */
+diff --git a/debian/patches/crypto-openssl-error-strings-release.patch b/debian/patches/crypto-openssl-error-strings-release.patch
+new file mode 100644
+index 0000000..6bcd03a
+--- /dev/null
++++ b/debian/patches/crypto-openssl-error-strings-release.patch
+@@ -0,0 +1,28 @@
++From: yuan ren <yren at suse.com>
++Date: Thu, 6 Jun 2019 13:46:01 +0800
++Subject: [crypto]openssl error strings release
++
++In versions prior to OpenSSL 1.1.0, ERR_free_strings() releases
++any resources created by ERR_load_crypto_strings.
++
++Signed-off-by: yuan ren <yren at suse.com>
++(cherry picked from commit 80b7d93723e779b914f73ec2e8cd2ac632972eda)
++---
++ libknet/crypto_openssl.c | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 26acea8..615a9e5 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -496,6 +496,10 @@ static void opensslcrypto_fini(
++ crypto_instance->model_instance = NULL;
++ }
++
+++#ifdef BUILDCRYPTOOPENSSL10
+++ ERR_free_strings();
+++#endif
+++
++ return;
++ }
++
+diff --git a/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch b/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+new file mode 100644
+index 0000000..a555595
+--- /dev/null
++++ b/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+@@ -0,0 +1,598 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 05:24:47 +0200
++Subject: [crypto] rework knet_handle_crypto external API to be more solid
++
++the API was rather weak and could potentially leave traffic uncrypted
++in case of certain, corner case, failures.
++
++this patch is a subset of a bigger rework of the crypto layer that
++will in future allow runtime reconfiguration without traffic disruption
++of the crypto config.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 50b998f37c9285bf334eb578319030c06af141e0)
++---
++ libknet/crypto_model.h | 10 +++-
++ libknet/libknet.h | 4 +-
++ libknet/crypto.c | 63 ++++++++++++++--------
++ libknet/crypto_nss.c | 56 +++++++++++---------
++ libknet/crypto_openssl.c | 30 ++++++-----
++ libknet/handle.c | 3 +-
++ libknet/tests/api_knet_handle_crypto.c | 96 +++++++++++++++++++++++++++++++++-
++ 7 files changed, 190 insertions(+), 72 deletions(-)
++
++diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h
++index f11299a..9bb4f17 100644
++--- a/libknet/crypto_model.h
+++++ b/libknet/crypto_model.h
++@@ -14,9 +14,13 @@
++ struct crypto_instance {
++ int model;
++ void *model_instance;
+++ size_t sec_header_size;
+++ size_t sec_block_size;
+++ size_t sec_hash_size;
+++ size_t sec_salt_size;
++ };
++
++-#define KNET_CRYPTO_MODEL_ABI 1
+++#define KNET_CRYPTO_MODEL_ABI 2
++
++ /*
++ * see compress_model.h for explanation of the various lib related functions
++@@ -24,8 +28,10 @@ struct crypto_instance {
++ typedef struct {
++ uint8_t abi_ver;
++ int (*init) (knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance,
++ struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
++- void (*fini) (knet_handle_t knet_h);
+++ void (*fini) (knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance);
++ int (*crypt) (knet_handle_t knet_h,
++ const unsigned char *buf_in,
++ const ssize_t buf_in_len,
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 183c92d..85c06cc 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -700,9 +700,7 @@ struct knet_handle_crypto_cfg {
++ * 1) failure to obtain locking
++ * 2) errors to initializing the crypto level.
++ * This can happen even in subsequent calls to knet_handle_crypto.
++- * A failure in crypto init, might leave your traffic unencrypted!
++- * It's best to stop data forwarding (see knet_handle_setfwd(3)), change crypto config,
++- * start forward again.
+++ * A failure in crypto init will restore the previous crypto configuration.
++ *
++ * @return
++ * knet_handle_crypto returns:
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 5d39048..6c340f5 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -80,8 +80,11 @@ int crypto_init(
++ knet_handle_t knet_h,
++ struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++- int savederrno = 0;
+++ int err = 0, savederrno = 0;
++ int model = 0;
+++ struct crypto_instance *current = NULL, *new = NULL;
+++
+++ current = knet_h->crypto_instance;
++
++ model = crypto_get_model(knet_handle_crypto_cfg->crypto_model);
++ if (model < 0) {
++@@ -105,16 +108,18 @@ int crypto_init(
++ crypto_modules_cmds[model].ops = load_module (knet_h, "crypto", crypto_modules_cmds[model].model_name);
++ if (!crypto_modules_cmds[model].ops) {
++ savederrno = errno;
+++ err = -1;
++ log_err(knet_h, KNET_SUB_CRYPTO, "Unable to load %s lib", crypto_modules_cmds[model].model_name);
++- goto out_err;
+++ goto out;
++ }
++ if (crypto_modules_cmds[model].ops->abi_ver != KNET_CRYPTO_MODEL_ABI) {
+++ savederrno = EINVAL;
+++ err = -1;
++ log_err(knet_h, KNET_SUB_CRYPTO,
++ "ABI mismatch loading module %s. knet ver: %d, module ver: %d",
++ crypto_modules_cmds[model].model_name, KNET_CRYPTO_MODEL_ABI,
++ crypto_modules_cmds[model].ops->abi_ver);
++- savederrno = EINVAL;
++- goto out_err;
+++ goto out;
++ }
++ crypto_modules_cmds[model].loaded = 1;
++ }
++@@ -125,12 +130,13 @@ int crypto_init(
++ knet_handle_crypto_cfg->crypto_cipher_type,
++ knet_handle_crypto_cfg->crypto_hash_type);
++
++- knet_h->crypto_instance = malloc(sizeof(struct crypto_instance));
+++ new = malloc(sizeof(struct crypto_instance));
++
++- if (!knet_h->crypto_instance) {
++- log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
+++ if (!new) {
++ savederrno = ENOMEM;
++- goto out_err;
+++ err = -1;
+++ log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
+++ goto out;
++ }
++
++ /*
++@@ -138,32 +144,44 @@ int crypto_init(
++ * it will clean everything by itself.
++ * crypto_modules_cmds.ops->fini is not invoked on error.
++ */
++- knet_h->crypto_instance->model = model;
++- if (crypto_modules_cmds[knet_h->crypto_instance->model].ops->init(knet_h, knet_handle_crypto_cfg)) {
+++ new->model = model;
+++ if (crypto_modules_cmds[model].ops->init(knet_h, new, knet_handle_crypto_cfg)) {
++ savederrno = errno;
++- goto out_err;
+++ err = -1;
+++ goto out;
++ }
++
++ log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);
++- pthread_rwlock_unlock(&shlib_rwlock);
++- return 0;
++
++-out_err:
++- if (knet_h->crypto_instance) {
++- free(knet_h->crypto_instance);
++- knet_h->crypto_instance = NULL;
+++out:
+++ if (!err) {
+++ knet_h->crypto_instance = new;
+++ knet_h->sec_header_size = new->sec_header_size;
+++ knet_h->sec_block_size = new->sec_block_size;
+++ knet_h->sec_hash_size = new->sec_hash_size;
+++ knet_h->sec_salt_size = new->sec_salt_size;
+++
+++ if (current) {
+++ if (crypto_modules_cmds[current->model].ops->fini != NULL) {
+++ crypto_modules_cmds[current->model].ops->fini(knet_h, current);
+++ }
+++ free(current);
+++ }
+++ } else {
+++ if (new) {
+++ free(new);
+++ }
++ }
++
++ pthread_rwlock_unlock(&shlib_rwlock);
++- errno = savederrno;
++- return -1;
+++ errno = err ? savederrno : 0;
+++ return err;
++ }
++
++ void crypto_fini(
++ knet_handle_t knet_h)
++ {
++ int savederrno = 0;
++- int model = 0;
++
++ savederrno = pthread_rwlock_wrlock(&shlib_rwlock);
++ if (savederrno) {
++@@ -173,9 +191,8 @@ void crypto_fini(
++ }
++
++ if (knet_h->crypto_instance) {
++- model = knet_h->crypto_instance->model;
++- if (crypto_modules_cmds[model].ops->fini != NULL) {
++- crypto_modules_cmds[model].ops->fini(knet_h);
+++ if (crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini != NULL) {
+++ crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini(knet_h, knet_h->crypto_instance);
++ }
++ free(knet_h->crypto_instance);
++ knet_h->sec_header_size = 0;
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index cc83827..5c3a437 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -155,9 +155,11 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
++ return -1;
++ }
++
++-static PK11SymKey *nssimport_symmetric_key(knet_handle_t knet_h, enum sym_key_type key_type)
+++static PK11SymKey *nssimport_symmetric_key(knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance,
+++ enum sym_key_type key_type)
++ {
++- struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++ struct nsscrypto_instance *instance = crypto_instance->model_instance;
++ SECItem key_item;
++ PK11SlotInfo *slot;
++ PK11SymKey *res_key;
++@@ -323,15 +325,15 @@ exit_res_key:
++ return (res_key);
++ }
++
++-static int init_nss_crypto(knet_handle_t knet_h)
+++static int init_nss_crypto(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++- struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++ struct nsscrypto_instance *instance = crypto_instance->model_instance;
++
++ if (!cipher_to_nss[instance->crypto_cipher_type]) {
++ return 0;
++ }
++
++- instance->nss_sym_key = nssimport_symmetric_key(knet_h, SYM_KEY_TYPE_CRYPT);
+++ instance->nss_sym_key = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_CRYPT);
++ if (instance->nss_sym_key == NULL) {
++ errno = ENXIO; /* NSS reported error */
++ return -1;
++@@ -512,15 +514,15 @@ static int nssstring_to_crypto_hash_type(const char* crypto_hash_type)
++ return -1;
++ }
++
++-static int init_nss_hash(knet_handle_t knet_h)
+++static int init_nss_hash(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++- struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++ struct nsscrypto_instance *instance = crypto_instance->model_instance;
++
++ if (!hash_to_nss[instance->crypto_hash_type]) {
++ return 0;
++ }
++
++- instance->nss_sym_key_sign = nssimport_symmetric_key(knet_h, SYM_KEY_TYPE_HASH);
+++ instance->nss_sym_key_sign = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_HASH);
++ if (instance->nss_sym_key_sign == NULL) {
++ errno = ENXIO; /* NSS reported error */
++ return -1;
++@@ -594,7 +596,7 @@ out:
++ * global/glue nss functions
++ */
++
++-static int init_nss(knet_handle_t knet_h)
+++static int init_nss(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++ static int at_exit_registered = 0;
++
++@@ -617,11 +619,11 @@ static int init_nss(knet_handle_t knet_h)
++ nss_db_is_init = 1;
++ }
++
++- if (init_nss_crypto(knet_h) < 0) {
+++ if (init_nss_crypto(knet_h, crypto_instance) < 0) {
++ return -1;
++ }
++
++- if (init_nss_hash(knet_h) < 0) {
+++ if (init_nss_hash(knet_h, crypto_instance) < 0) {
++ return -1;
++ }
++
++@@ -725,9 +727,10 @@ static int nsscrypto_authenticate_and_decrypt (
++ }
++
++ static void nsscrypto_fini(
++- knet_handle_t knet_h)
+++ knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance)
++ {
++- struct nsscrypto_instance *nsscrypto_instance = knet_h->crypto_instance->model_instance;
+++ struct nsscrypto_instance *nsscrypto_instance = crypto_instance->model_instance;
++
++ if (nsscrypto_instance) {
++ if (nsscrypto_instance->nss_sym_key) {
++@@ -739,7 +742,7 @@ static void nsscrypto_fini(
++ nsscrypto_instance->nss_sym_key_sign = NULL;
++ }
++ free(nsscrypto_instance);
++- knet_h->crypto_instance->model_instance = NULL;
+++ crypto_instance->model_instance = NULL;
++ }
++
++ return;
++@@ -747,6 +750,7 @@ static void nsscrypto_fini(
++
++ static int nsscrypto_init(
++ knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance,
++ struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++ struct nsscrypto_instance *nsscrypto_instance = NULL;
++@@ -757,14 +761,14 @@ static int nsscrypto_init(
++ knet_handle_crypto_cfg->crypto_cipher_type,
++ knet_handle_crypto_cfg->crypto_hash_type);
++
++- knet_h->crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
++- if (!knet_h->crypto_instance->model_instance) {
+++ crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
+++ if (!crypto_instance->model_instance) {
++ log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to allocate memory for nss model instance");
++ errno = ENOMEM;
++ return -1;
++ }
++
++- nsscrypto_instance = knet_h->crypto_instance->model_instance;
+++ nsscrypto_instance = crypto_instance->model_instance;
++
++ memset(nsscrypto_instance, 0, sizeof(struct nsscrypto_instance));
++
++@@ -792,16 +796,16 @@ static int nsscrypto_init(
++ nsscrypto_instance->private_key = knet_handle_crypto_cfg->private_key;
++ nsscrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
++
++- if (init_nss(knet_h) < 0) {
+++ if (init_nss(knet_h, crypto_instance) < 0) {
++ savederrno = errno;
++ goto out_err;
++ }
++
++- knet_h->sec_header_size = 0;
+++ crypto_instance->sec_header_size = 0;
++
++ if (nsscrypto_instance->crypto_hash_type > 0) {
++- knet_h->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];
++- knet_h->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
+++ crypto_instance->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];
+++ crypto_instance->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
++ }
++
++ if (nsscrypto_instance->crypto_cipher_type > 0) {
++@@ -817,16 +821,16 @@ static int nsscrypto_init(
++ }
++ }
++
++- knet_h->sec_header_size += (block_size * 2);
++- knet_h->sec_header_size += SALT_SIZE;
++- knet_h->sec_salt_size = SALT_SIZE;
++- knet_h->sec_block_size = block_size;
+++ crypto_instance->sec_header_size += (block_size * 2);
+++ crypto_instance->sec_header_size += SALT_SIZE;
+++ crypto_instance->sec_salt_size = SALT_SIZE;
+++ crypto_instance->sec_block_size = block_size;
++ }
++
++ return 0;
++
++ out_err:
++- nsscrypto_fini(knet_h);
+++ nsscrypto_fini(knet_h, crypto_instance);
++ errno = savederrno;
++ return -1;
++ }
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 73058cc..5c7a74a 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -471,9 +471,10 @@ out:
++ #endif
++
++ static void opensslcrypto_fini(
++- knet_handle_t knet_h)
+++ knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance)
++ {
++- struct opensslcrypto_instance *opensslcrypto_instance = knet_h->crypto_instance->model_instance;
+++ struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
++
++ if (opensslcrypto_instance) {
++ #ifdef BUILDCRYPTOOPENSSL10
++@@ -484,7 +485,7 @@ static void opensslcrypto_fini(
++ opensslcrypto_instance->private_key = NULL;
++ }
++ free(opensslcrypto_instance);
++- knet_h->crypto_instance->model_instance = NULL;
+++ crypto_instance->model_instance = NULL;
++ }
++
++ return;
++@@ -492,6 +493,7 @@ static void opensslcrypto_fini(
++
++ static int opensslcrypto_init(
++ knet_handle_t knet_h,
+++ struct crypto_instance *crypto_instance,
++ struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++ static int openssl_is_init = 0;
++@@ -527,14 +529,14 @@ static int opensslcrypto_init(
++ }
++ #endif
++
++- knet_h->crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
++- if (!knet_h->crypto_instance->model_instance) {
+++ crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
+++ if (!crypto_instance->model_instance) {
++ log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
++ errno = ENOMEM;
++ return -1;
++ }
++
++- opensslcrypto_instance = knet_h->crypto_instance->model_instance;
+++ opensslcrypto_instance = crypto_instance->model_instance;
++
++ memset(opensslcrypto_instance, 0, sizeof(struct opensslcrypto_instance));
++
++@@ -576,11 +578,11 @@ static int opensslcrypto_init(
++ memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
++ opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
++
++- knet_h->sec_header_size = 0;
+++ crypto_instance->sec_header_size = 0;
++
++ if (opensslcrypto_instance->crypto_hash_type) {
++- knet_h->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
++- knet_h->sec_header_size += knet_h->sec_hash_size;
+++ crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
+++ crypto_instance->sec_header_size += crypto_instance->sec_hash_size;
++ }
++
++ if (opensslcrypto_instance->crypto_cipher_type) {
++@@ -588,16 +590,16 @@ static int opensslcrypto_init(
++
++ block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);
++
++- knet_h->sec_header_size += (block_size * 2);
++- knet_h->sec_header_size += SALT_SIZE;
++- knet_h->sec_salt_size = SALT_SIZE;
++- knet_h->sec_block_size = block_size;
+++ crypto_instance->sec_header_size += (block_size * 2);
+++ crypto_instance->sec_header_size += SALT_SIZE;
+++ crypto_instance->sec_salt_size = SALT_SIZE;
+++ crypto_instance->sec_block_size = block_size;
++ }
++
++ return 0;
++
++ out_err:
++- opensslcrypto_fini(knet_h);
+++ opensslcrypto_fini(knet_h, crypto_instance);
++
++ errno = savederrno;
++ return -1;
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 7009cc3..e95c6c1 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1374,11 +1374,10 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++ return -1;
++ }
++
++- crypto_fini(knet_h);
++-
++ if ((!strncmp("none", knet_handle_crypto_cfg->crypto_model, 4)) ||
++ ((!strncmp("none", knet_handle_crypto_cfg->crypto_cipher_type, 4)) &&
++ (!strncmp("none", knet_handle_crypto_cfg->crypto_hash_type, 4)))) {
+++ crypto_fini(knet_h);
++ log_debug(knet_h, KNET_SUB_CRYPTO, "crypto is not enabled");
++ err = 0;
++ goto exit_unlock;
++diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto.c
++index 1805909..9dbf5bc 100644
++--- a/libknet/tests/api_knet_handle_crypto.c
+++++ b/libknet/tests/api_knet_handle_crypto.c
++@@ -17,13 +17,15 @@
++ #include "libknet.h"
++
++ #include "internals.h"
+++#include "crypto_model.h"
++ #include "test-common.h"
++
++-static void test(const char *model)
+++static void test(const char *model, const char *model2)
++ {
++ knet_handle_t knet_h;
++ int logfds[2];
++ struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
+++ struct crypto_instance *current = NULL;
++
++ memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
++
++@@ -152,6 +154,96 @@ static void test(const char *model)
++
++ flush_logs(logfds[0], stdout);
++
+++ printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model2);
+++
+++ current = knet_h->crypto_instance;
+++
+++ memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++ strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++ knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++ if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++ printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ if (current == knet_h->crypto_instance) {
+++ printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model);
+++
+++ current = knet_h->crypto_instance;
+++
+++ memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++ strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++ knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++ if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++ printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ if (current == knet_h->crypto_instance) {
+++ printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ printf("Test knet_handle_crypto reconfig with %s/aes129/sha1 and normal key\n", model);
+++
+++ current = knet_h->crypto_instance;
+++
+++ memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++ strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes129", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++ strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++ knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++ if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++ printf("knet_handle_crypto failed to detect incorrect config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
+++ if (current != knet_h->crypto_instance) {
+++ printf("knet_handle_crypto failed to restore correct config: %s\n", strerror(errno));
+++ knet_handle_free(knet_h);
+++ flush_logs(logfds[0], stdout);
+++ close_logpipes(logfds);
+++ exit(FAIL);
+++ }
+++
+++ flush_logs(logfds[0], stdout);
+++
++ printf("Test knet_handle_crypto with %s/aes128/none and normal key\n", model);
++
++ memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
++@@ -233,7 +325,7 @@ int main(int argc, char *argv[])
++ }
++
++ for (i=0; i < crypto_list_entries; i++) {
++- test(crypto_list[i].name);
+++ test(crypto_list[i].name, crypto_list[0].name);
++ }
++
++ return PASS;
+diff --git a/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch b/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+new file mode 100644
+index 0000000..a079030
+--- /dev/null
++++ b/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+@@ -0,0 +1,23 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 16:09:54 +0200
++Subject: [doc] fix a merge oversight from
++ 541d7faf9068d10e12b4278c35825ce1353db081
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ef89e9d900db037c82e03406dcf426ff62649e7d)
++---
++ libknet/libknet.h | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 85c06cc..907213f 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1511,6 +1511,7 @@ typedef enum {
++
++ /**
++ * check_acceptreject_t
+++ *
++ * @brief enum for accept/reject in knet access lists
++ *
++ * accept or reject incoming packets defined in the access list entry
+diff --git a/debian/patches/global-update-copyright-across-the-board.patch b/debian/patches/global-update-copyright-across-the-board.patch
+new file mode 100644
+index 0000000..9230a7c
+--- /dev/null
++++ b/debian/patches/global-update-copyright-across-the-board.patch
+@@ -0,0 +1,129 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Mar 2019 13:45:52 +0100
++Subject: [global] update copyright across the board
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 27a7d1cb61bd66d8e36dd663075cf5d0f2d385e4)
++---
++ libknet/links_acl_ip.h | 2 +-
++ libknet/links_acl_loopback.h | 2 +-
++ libknet/links_acl_ip.c | 2 +-
++ libknet/links_acl_loopback.c | 2 +-
++ libknet/tests/api_knet_handle_enable_access_lists.c | 2 +-
++ libknet/tests/api_knet_link_add_acl.c | 2 +-
++ libknet/tests/api_knet_link_clear_acl.c | 2 +-
++ libknet/tests/api_knet_link_insert_acl.c | 2 +-
++ libknet/tests/api_knet_link_rm_acl.c | 2 +-
++ libknet/tests/int_links_acl_ip.c | 2 +-
++ 10 files changed, 10 insertions(+), 10 deletions(-)
++
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index fac58e2..b33ffb1 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index e75c4a4..b51d2bf 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 642027b..9310f21 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 97f8198..044a51c 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++index fc3bcc1..d08f175 100644
++--- a/libknet/tests/api_knet_handle_enable_access_lists.c
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++index b018165..ff7a2e2 100644
++--- a/libknet/tests/api_knet_link_add_acl.c
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++index 78b7d79..234a76b 100644
++--- a/libknet/tests/api_knet_link_clear_acl.c
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++index 547f92b..79d04df 100644
++--- a/libknet/tests/api_knet_link_insert_acl.c
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++index 49a82d9..d132c54 100644
++--- a/libknet/tests/api_knet_link_rm_acl.c
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++index a7d2aed..93dff63 100644
++--- a/libknet/tests/int_links_acl_ip.c
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Christine Caulfield <ccaulfie at redhat.com>
++ *
+diff --git a/debian/patches/global-update-copyrights.patch b/debian/patches/global-update-copyrights.patch
+new file mode 100644
+index 0000000..4557faf
+--- /dev/null
++++ b/debian/patches/global-update-copyrights.patch
+@@ -0,0 +1,21 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 12 Jun 2019 05:23:47 +0200
++Subject: [global] update copyrights
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5d6813ecfb9187d031a1195a6670bd174680d478)
++---
++ libknet/compress_zstd.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++index f76ea5f..e234f8d 100644
++--- a/libknet/compress_zstd.c
+++++ b/libknet/compress_zstd.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc. All rights reserved.
++ *
++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ *
+diff --git a/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch b/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+new file mode 100644
+index 0000000..ca34a5d
+--- /dev/null
++++ b/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+@@ -0,0 +1,26 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 13 Feb 2019 09:14:45 +0100
++Subject: [handle] properly initialize fd tracker buffers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 4a76e6de56d50c6c4c78af996d0f97d8df34dadd)
++---
++ libknet/handle.c | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 6cd49f5..0a2f75a 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -309,7 +309,10 @@ static int _init_buffers(knet_handle_t knet_h)
++ }
++ memset(knet_h->send_to_links_buf_compress, 0, KNET_DATABUFSIZE_COMPRESS);
++
++- memset(knet_h->knet_transport_fd_tracker, KNET_MAX_TRANSPORTS, sizeof(knet_h->knet_transport_fd_tracker));
+++ memset(knet_h->knet_transport_fd_tracker, 0, sizeof(knet_h->knet_transport_fd_tracker));
+++ for (i = 0; i < KNET_MAX_FDS; i++) {
+++ knet_h->knet_transport_fd_tracker[i].transport = KNET_MAX_TRANSPORTS;
+++ }
++
++ return 0;
++
+diff --git a/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch b/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+new file mode 100644
+index 0000000..ba846ab
+--- /dev/null
++++ b/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+@@ -0,0 +1,77 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 9 May 2019 15:44:41 +0200
++Subject: [links] rename tranport_type to transport to avoid confusion (part 2)
++
++complements be9d053efafc822cabd696914d53b5dfe25fb4fd due to early
++cherry-pick of 7033ddab505a0cf3655115fe5037579b7c882a8c
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit e1345c4f44efd7db79376a3985e4a6aab1461c6f)
++---
++ libknet/threads_heartbeat.c | 2 +-
++ libknet/threads_pmtud.c | 2 +-
++ libknet/threads_rx.c | 4 ++--
++ libknet/threads_tx.c | 2 +-
++ 4 files changed, 5 insertions(+), 5 deletions(-)
++
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 413b5b7..8def9b8 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -85,7 +85,7 @@ static void _handle_check_each(knet_handle_t knet_h, struct knet_host *dst_host,
++ }
++
++ retry:
++- if (transport_get_connection_oriented(knet_h, dst_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++ if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ len = sendto(dst_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
++ (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
++ } else {
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 1a84540..0050557 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -172,7 +172,7 @@ restart:
++ return -1;
++ }
++ retry:
++- if (transport_get_connection_oriented(knet_h, dst_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++ if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL,
++ (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
++ } else {
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 4670829..6417261 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -578,7 +578,7 @@ static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struc
++ }
++
++ retry_pong:
++- if (transport_get_connection_oriented(knet_h, src_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++ if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
++ (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
++ } else {
++@@ -674,7 +674,7 @@ retry_pong:
++ goto out_pmtud;
++ }
++ retry_pmtud:
++- if (transport_get_connection_oriented(knet_h, src_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++ if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
++ (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
++ } else {
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index b904e12..e987eb1 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -68,7 +68,7 @@ retry:
++ cur = &msg[prev_sent];
++
++ sent_msgs = _sendmmsg(dst_host->link[dst_host->active_links[link_idx]].outsock,
++- transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport_type),
+++ transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport),
++ &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
++ savederrno = errno;
++
+diff --git a/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch b/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+new file mode 100644
+index 0000000..48df681
+--- /dev/null
++++ b/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+@@ -0,0 +1,196 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:31:42 +0100
++Subject: [links] rename transport_type to transport to avoid confusion
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c02c06feed59b18948d0107d2ec4cc2a9182554a)
++---
++ libknet/internals.h | 2 +-
++ libknet/links.c | 10 +++++-----
++ libknet/threads_heartbeat.c | 6 +++---
++ libknet/threads_pmtud.c | 4 ++--
++ libknet/threads_rx.c | 4 ++--
++ libknet/threads_tx.c | 4 ++--
++ libknet/transports.c | 6 +++---
++ 7 files changed, 18 insertions(+), 18 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 0d6ee3f..2135fb8 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -62,7 +62,7 @@ struct knet_link {
++ struct knet_link_status status;
++ /* internals */
++ uint8_t link_id;
++- uint8_t transport_type; /* #defined constant from API */
+++ uint8_t transport; /* #defined constant from API */
++ knet_transport_link_t transport_link; /* link_info_t from transport */
++ int outsock;
++ unsigned int configured:1; /* set to 1 if src/dst have been configured transport initialized on this link*/
++diff --git a/libknet/links.c b/libknet/links.c
++index 1693df6..dd64a15 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -351,7 +351,7 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++
++ memmove(src_addr, &link->src_addr, sizeof(struct sockaddr_storage));
++
++- *transport = link->transport_type;
+++ *transport = link->transport;
++ *flags = link->flags;
++
++ if (link->dynamic == KNET_LINK_STATIC) {
++@@ -426,9 +426,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * then we can remove any leftover access lists if the link
++ * is no longer in use.
++ */
++- if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++ if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ (link->dynamic == KNET_LINK_STATIC)) {
++- if (check_rm(knet_h, link->outsock, link->transport_type,
+++ if (check_rm(knet_h, link->outsock, link->transport,
++ &link->dst_addr, &link->dst_addr,
++ CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ err = -1;
++@@ -444,7 +444,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * will clear link info during clear_config.
++ */
++ sock = link->outsock;
++- transport = link->transport_type;
+++ transport = link->transport;
++
++ if ((transport_link_clear_config(knet_h, link) < 0) &&
++ (errno != EBUSY)) {
++@@ -457,7 +457,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * remove any other access lists when the socket is no
++ * longer in use by the transport.
++ */
++- if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++ if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++ check_rmall(knet_h, sock, transport);
++ }
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 5d4189f..413b5b7 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -98,7 +98,7 @@ retry:
++ dst_link->status.stats.tx_ping_bytes += outlen;
++
++ if (len != outlen) {
++- err = transport_tx_sock_error(knet_h, dst_link->transport_type, dst_link->outsock, len, savederrno);
+++ err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
++ switch(err) {
++ case -1: /* unrecoverable error */
++ log_debug(knet_h, KNET_SUB_HEARTBEAT,
++@@ -140,7 +140,7 @@ void _send_pings(knet_handle_t knet_h, int timed)
++ for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
++ for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
++ if ((dst_host->link[link_idx].status.enabled != 1) ||
++- (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK ) ||
+++ (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
++ ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
++ (dst_host->link[link_idx].status.dynconnected != 1)))
++ continue;
++@@ -166,7 +166,7 @@ static void _adjust_pong_timeouts(knet_handle_t knet_h)
++ for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
++ for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
++ if ((dst_host->link[link_idx].status.enabled != 1) ||
++- (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK ) ||
+++ (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
++ ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
++ (dst_host->link[link_idx].status.dynconnected != 1)))
++ continue;
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 63504d6..1a84540 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -196,7 +196,7 @@ retry:
++
++ kernel_mtu = 0;
++
++- err = transport_tx_sock_error(knet_h, dst_link->transport_type, dst_link->outsock, len, savederrno);
+++ err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
++ switch(err) {
++ case -1: /* unrecoverable error */
++ log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet (sendto): %d %s", savederrno, strerror(savederrno));
++@@ -523,7 +523,7 @@ void *_handle_pmtud_link_thread(void *data)
++
++ if ((dst_link->status.enabled != 1) ||
++ (dst_link->status.connected != 1) ||
++- (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK) ||
+++ (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK) ||
++ (!dst_link->last_ping_size) ||
++ ((dst_link->dynamic == KNET_LINK_DYNIP) &&
++ (dst_link->status.dynconnected != 1)))
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 5fa51c4..4670829 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -586,7 +586,7 @@ retry_pong:
++ }
++ savederrno = errno;
++ if (len != outlen) {
++- err = transport_tx_sock_error(knet_h, src_link->transport_type, src_link->outsock, len, savederrno);
+++ err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
++ switch(err) {
++ case -1: /* unrecoverable error */
++ log_debug(knet_h, KNET_SUB_RX,
++@@ -682,7 +682,7 @@ retry_pmtud:
++ }
++ savederrno = errno;
++ if (len != outlen) {
++- err = transport_tx_sock_error(knet_h, src_link->transport_type, src_link->outsock, len, savederrno);
+++ err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
++ switch(err) {
++ case -1: /* unrecoverable error */
++ log_debug(knet_h, KNET_SUB_RX,
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index fa911dc..b904e12 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -48,7 +48,7 @@ static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host,
++
++ cur_link = &dst_host->link[dst_host->active_links[link_idx]];
++
++- if (cur_link->transport_type == KNET_TRANSPORT_LOOPBACK) {
+++ if (cur_link->transport == KNET_TRANSPORT_LOOPBACK) {
++ continue;
++ }
++
++@@ -72,7 +72,7 @@ retry:
++ &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
++ savederrno = errno;
++
++- err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport_type, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
+++ err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
++ switch(err) {
++ case -1: /* unrecoverable error */
++ cur_link->status.stats.tx_data_errors++;
++diff --git a/libknet/transports.c b/libknet/transports.c
++index ffebe00..69ea091 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -88,19 +88,19 @@ int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, u
++ return -1;
++ }
++ kn_link->transport_connected = 0;
++- kn_link->transport_type = transport;
+++ kn_link->transport = transport;
++ kn_link->proto_overhead = transport_modules_cmd[transport].transport_mtu_overhead;
++ return transport_modules_cmd[transport].transport_link_set_config(knet_h, kn_link);
++ }
++
++ int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
++ {
++- return transport_modules_cmd[kn_link->transport_type].transport_link_clear_config(knet_h, kn_link);
+++ return transport_modules_cmd[kn_link->transport].transport_link_clear_config(knet_h, kn_link);
++ }
++
++ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
++ {
++- return transport_modules_cmd[kn_link->transport_type].transport_link_dyn_connect(knet_h, sockfd, kn_link);
+++ return transport_modules_cmd[kn_link->transport].transport_link_dyn_connect(knet_h, sockfd, kn_link);
++ }
++
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
+diff --git a/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch b/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+new file mode 100644
+index 0000000..d4e4494
+--- /dev/null
++++ b/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+@@ -0,0 +1,52 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 9 Mar 2019 07:03:25 +0100
++Subject: [logging] fix log target of recently added API calls
++
++spotted during sctp testing
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit df6f761997d26afc62651f9ff831e0f7327ee41b)
++---
++ libknet/links.c | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 038a8a4..8011a6d 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -1199,7 +1199,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++
++ savederrno = get_global_wrlock(knet_h);
++ if (savederrno) {
++- log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ strerror(savederrno));
++ errno = savederrno;
++ return -1;
++@@ -1294,7 +1294,7 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++
++ savederrno = get_global_wrlock(knet_h);
++ if (savederrno) {
++- log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ strerror(savederrno));
++ errno = savederrno;
++ return -1;
++@@ -1388,7 +1388,7 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++
++ savederrno = get_global_wrlock(knet_h);
++ if (savederrno) {
++- log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ strerror(savederrno));
++ errno = savederrno;
++ return -1;
++@@ -1450,7 +1450,7 @@ int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t li
++
++ savederrno = get_global_wrlock(knet_h);
++ if (savederrno) {
++- log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++ log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ strerror(savederrno));
++ errno = savederrno;
++ return -1;
+diff --git a/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+new file mode 100644
+index 0000000..445238d
+--- /dev/null
++++ b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+@@ -0,0 +1,50 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:48 +0200
++Subject: [man] fix libknet.h for errors detected by newly added test
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 790b1cb387df9ada2b607c0317a85bab8ec7245b)
++---
++ libknet/libknet.h | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 3098eab..183c92d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1553,7 +1553,7 @@ typedef enum {
++ * packets from 10.0.0.1 will be accepted by rule number 1.
++ *
++ * @return
++- * knet_link_add_acl
+++ * knet_link_add_acl returns
++ * 0 on success.
++ * -1 on error and errno is set.
++ */
++@@ -1580,7 +1580,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++ *
++ * @return
++- * knet_link_insert_acl
+++ * knet_link_insert_acl returns
++ * 0 on success.
++ * -1 on error and errno is set.
++ */
++@@ -1608,7 +1608,7 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ * to knet_link_add_acl(3).
++ *
++ * @return
++- * knet_link_rm_acl
+++ * knet_link_rm_acl returns
++ * 0 on success.
++ * -1 on error and errno is set.
++ */
++@@ -1630,7 +1630,7 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++ * link_id - see knet_link_set_config(3)
++ *
++ * @return
++- * knet_link_clear_acl
+++ * knet_link_clear_acl returns
++ * 0 on success.
++ * -1 on error and errno is set.
++ */
+diff --git a/debian/patches/manpages-Document-enums-206.patch b/debian/patches/manpages-Document-enums-206.patch
+new file mode 100644
+index 0000000..5b6c01e
+--- /dev/null
++++ b/debian/patches/manpages-Document-enums-206.patch
+@@ -0,0 +1,39 @@
++From: Chrissie Caulfield <ccaulfie at redhat.com>
++Date: Tue, 12 Mar 2019 13:55:25 +0000
++Subject: manpages: Document enums (#206)
++
++And also fix a bug in structure printing that caused it to print the wrong name for a struct.
++
++(cherry picked from commit 541d7faf9068d10e12b4278c35825ce1353db081)
++---
++ libknet/libknet.h | 10 ++++++++--
++ 1 file changed, 8 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 50ed70d..d16eb5d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1483,7 +1483,10 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ * see also knet_handle_enable_access_lists(3)
++ */
++
++-/*
+++/**
+++ * check_type_t
+++ * @brief address type enum for knet access lists
+++ *
++ * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
++ * for example: 10.1.9.3
++ * and the entry is stored in ss1. ss2 can be NULL.
++@@ -1508,7 +1511,10 @@ typedef enum {
++ CHECK_TYPE_RANGE
++ } check_type_t;
++
++-/*
+++/**
+++ * check_acceptreject_t
+++ * @brief enum for accept/reject in knet access lists
+++ *
++ * accept or reject incoming packets defined in the access list entry
++ */
++
+diff --git a/debian/patches/misc-Fix-more-covscan-warnings.patch b/debian/patches/misc-Fix-more-covscan-warnings.patch
+new file mode 100644
+index 0000000..1ae8829
+--- /dev/null
++++ b/debian/patches/misc-Fix-more-covscan-warnings.patch
+@@ -0,0 +1,191 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Fri, 24 May 2019 10:09:47 +0100
++Subject: misc: Fix more covscan warnings
++
++The only serious bug here is in transport_udp.c
++(see bottom of patch), the rest are mostly detail.
++
++covscan still reports a lot of errors against doxyxml, most of
++which are because it doesn't understand the libqb hashtables.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ded574d1dd0c53c70a34fbd1eaa0239b3cde59b9)
++---
++ libknet/common.c | 2 +-
++ libknet/compress.c | 6 +++---
++ libknet/crypto.c | 1 -
++ libknet/crypto_nss.c | 2 +-
++ libknet/handle.c | 1 -
++ libknet/threads_pmtud.c | 1 -
++ libknet/threads_rx.c | 1 -
++ libknet/threads_tx.c | 1 -
++ libknet/transport_common.c | 4 ++--
++ libknet/transport_sctp.c | 2 +-
++ libknet/transport_udp.c | 3 ++-
++ 11 files changed, 10 insertions(+), 14 deletions(-)
++
++diff --git a/libknet/common.c b/libknet/common.c
++index c908e23..be46f23 100644
++--- a/libknet/common.c
+++++ b/libknet/common.c
++@@ -101,7 +101,7 @@ static void *open_lib(knet_handle_t knet_h, const char *libname, int extra_flags
++ }
++
++ if (S_ISLNK(sb.st_mode)) {
++- if (readlink(path, link, sizeof(link)) < 0) {
+++ if (readlink(path, link, sizeof(link)-1) < 0) {
++ log_debug(knet_h, KNET_SUB_COMMON, "Unable to readlink %s: %s", path, strerror(errno));
++ goto out;
++ }
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 7eab454..864828f 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -359,11 +359,11 @@ void compress_fini(
++ }
++
++ while (compress_modules_cmds[idx].model_name != NULL) {
++- if ((compress_modules_cmds[idx].built_in == 1) &&
+++ if ((idx < KNET_MAX_COMPRESS_METHODS) && /* check idx first so we don't read bad data */
+++ (compress_modules_cmds[idx].built_in == 1) &&
++ (compress_modules_cmds[idx].loaded == 1) &&
++ (compress_modules_cmds[idx].model_id > 0) &&
++- (knet_h->compress_int_data[idx] != NULL) &&
++- (idx < KNET_MAX_COMPRESS_METHODS)) {
+++ (knet_h->compress_int_data[idx] != NULL)) {
++ if ((all) || (compress_modules_cmds[idx].model_id == knet_h->compress_model)) {
++ if (compress_modules_cmds[idx].ops->fini != NULL) {
++ compress_modules_cmds[idx].ops->fini(knet_h, idx);
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 419f9cc..41d67c9 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -129,7 +129,6 @@ int crypto_init(
++
++ if (!knet_h->crypto_instance) {
++ log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
++- pthread_rwlock_unlock(&shlib_rwlock);
++ savederrno = ENOMEM;
++ goto out_err;
++ }
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index a17ff62..640b560 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -761,7 +761,7 @@ static int nsscrypto_init(
++ knet_h->crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
++ if (!knet_h->crypto_instance->model_instance) {
++ log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to allocate memory for nss model instance");
++- savederrno = ENOMEM;
+++ errno = ENOMEM;
++ return -1;
++ }
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 268d610..fd26bea 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1649,4 +1649,3 @@ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++ return 0;
++ }
++-
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index c5a2b27..b4ee632 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -44,7 +44,6 @@ static int _handle_check_link_pmtud(knet_handle_t knet_h, struct knet_host *dst_
++
++ mutex_retry_limit = 0;
++ failsafe = 0;
++- pad_len = 0;
++
++ dst_link->last_bad_mtu = 0;
++
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index ae39b38..626cbc4 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -499,7 +499,6 @@ static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struc
++ } else { /* HOSTINFO */
++ knet_hostinfo = (struct knet_hostinfo *)inbuf->khp_data_userdata;
++ if (knet_hostinfo->khi_bcast == KNET_HOSTINFO_UCAST) {
++- bcast = 0;
++ knet_hostinfo->khi_dst_node_id = ntohs(knet_hostinfo->khi_dst_node_id);
++ }
++ if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 0, 0)) {
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index e987eb1..8096906 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -42,7 +42,6 @@ static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host,
++ struct knet_link *cur_link;
++
++ for (link_idx = 0; link_idx < dst_host->active_link_entries; link_idx++) {
++- sent_msgs = 0;
++ prev_sent = 0;
++ progress = 1;
++
++diff --git a/libknet/transport_common.c b/libknet/transport_common.c
++index 3c3c439..fe40ad8 100644
++--- a/libknet/transport_common.c
+++++ b/libknet/transport_common.c
++@@ -405,7 +405,7 @@ int _is_valid_fd(knet_handle_t knet_h, int sockfd)
++ return -1;
++ }
++
++- if (sockfd > KNET_MAX_FDS) {
+++ if (sockfd >= KNET_MAX_FDS) {
++ errno = EINVAL;
++ return -1;
++ }
++@@ -430,7 +430,7 @@ int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t
++ return -1;
++ }
++
++- if (sockfd > KNET_MAX_FDS) {
+++ if (sockfd >= KNET_MAX_FDS) {
++ errno = EINVAL;
++ return -1;
++ }
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index bdfc98d..2c1cdcc 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -733,7 +733,6 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ if (knet_h->use_access_lists) {
++ if (!check_validate(knet_h, listen_sock, KNET_TRANSPORT_SCTP, &ss)) {
++ savederrno = EINVAL;
++- err = -1;
++ log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
++ close(new_fd);
++ errno = savederrno;
++@@ -871,6 +870,7 @@ static void _handle_listen_sctp_errors(knet_handle_t knet_h)
++ info->accepted_socks[i] = -1;
++ free(accept_info);
++ close(sockfd);
+++ break; /* Keeps covscan happy */
++ }
++ }
++ }
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index e243a91..3fd69ee 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -71,6 +71,7 @@ int udp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_lin
++ err = -1;
++ goto exit_error;
++ }
+++ memset(info, 0, sizeof(udp_link_info_t));
++
++ sock = socket(kn_link->src_addr.ss_family, SOCK_DGRAM, 0);
++ if (sock < 0) {
++@@ -363,7 +364,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ case SO_EE_ORIGIN_ICMP: /* ICMP */
++ case SO_EE_ORIGIN_ICMP6: /* ICMP6 */
++ origin = (struct sockaddr_storage *)(void *)SO_EE_OFFENDER(sock_err);
++- if (knet_addrtostr(origin, sizeof(origin),
+++ if (knet_addrtostr(origin, sizeof(*origin),
++ addr_str, KNET_MAX_HOST_LEN,
++ port_str, KNET_MAX_PORT_LEN) < 0) {
++ log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from unknown source: %s", strerror(sock_err->ee_errno));
+diff --git a/debian/patches/misc-some-coverity-fixes.patch b/debian/patches/misc-some-coverity-fixes.patch
+new file mode 100644
+index 0000000..154728f
+--- /dev/null
++++ b/debian/patches/misc-some-coverity-fixes.patch
+@@ -0,0 +1,224 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Fri, 17 May 2019 08:44:08 +0100
++Subject: misc: some coverity fixes
++
++In rough order of seriousness:
++
++1. Fix clock_gettime() in pmtud so that it's always called, as
++ variable 'clock_now' is always read.
++2. Allow space for trailing NUL in libnozzle device names
++3. Fix api_nozzle_run_updown_test so it can run out of the build tree
++4. Disallow a 0 length prefix in libnozzle
++5. Fix potential use of NULL pointer on doxyxml
++6. Free 'name' in doxyxml as it's *not* in the map any more
++7. Fix dead code in libknet API functions left by code changes
++
++(cherry picked from commit eff3f735f19d3ea4c4689a0fa52ff8e29f75808c)
++---
++ libknet/handle.c | 13 ++++---------
++ libknet/host.c | 5 ++---
++ libknet/threads_pmtud.c | 10 +++++-----
++ libnozzle/internals.c | 2 +-
++ libnozzle/libnozzle.c | 3 ++-
++ libnozzle/tests/api_nozzle_run_updown.c | 9 +++++++--
++ man/doxyxml.c | 20 ++++++++++----------
++ 7 files changed, 31 insertions(+), 31 deletions(-)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 0a2f75a..268d610 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -785,7 +785,7 @@ int knet_handle_enable_sock_notify(knet_handle_t knet_h,
++ int error,
++ int errorno))
++ {
++- int savederrno = 0, err = 0;
+++ int savederrno = 0;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -811,8 +811,7 @@ int knet_handle_enable_sock_notify(knet_handle_t knet_h,
++
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++
++- errno = err ? savederrno : 0;
++- return err;
+++ return 0;
++ }
++
++ int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel)
++@@ -1576,7 +1575,6 @@ out_unlock:
++ int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats, size_t struct_size)
++ {
++ int savederrno = 0;
++- int err = 0;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -1616,14 +1614,12 @@ int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats,
++ stats->size = sizeof(struct knet_handle_stats);
++
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++- errno = err ? savederrno : 0;
++- return err;
+++ return 0;
++ }
++
++ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ {
++ int savederrno = 0;
++- int err = 0;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -1651,7 +1647,6 @@ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ }
++
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++- errno = err ? savederrno : 0;
++- return err;
+++ return 0;
++ }
++
++diff --git a/libknet/host.c b/libknet/host.c
++index 480db73..66826c1 100644
++--- a/libknet/host.c
+++++ b/libknet/host.c
++@@ -331,7 +331,7 @@ int knet_host_get_id_by_host_name(knet_handle_t knet_h, const char *name,
++ int knet_host_get_host_list(knet_handle_t knet_h,
++ knet_node_id_t *host_ids, size_t *host_ids_entries)
++ {
++- int savederrno = 0, err = 0;
+++ int savederrno = 0;
++
++ if (!knet_h) {
++ errno = EINVAL;
++@@ -355,8 +355,7 @@ int knet_host_get_host_list(knet_handle_t knet_h,
++ *host_ids_entries = knet_h->host_ids_entries;
++
++ pthread_rwlock_unlock(&knet_h->global_rwlock);
++- errno = err ? savederrno : 0;
++- return err;
+++ return 0;
++ }
++
++ int knet_host_set_policy(knet_handle_t knet_h, knet_node_id_t host_id,
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 0050557..c5a2b27 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -380,14 +380,14 @@ static int _handle_check_pmtud(knet_handle_t knet_h, struct knet_host *dst_host,
++ struct timespec clock_now;
++ unsigned long long diff_pmtud, interval;
++
+++ if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
+++ log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
+++ return 0;
+++ }
+++
++ if (!force_run) {
++ interval = knet_h->pmtud_interval * 1000000000llu; /* nanoseconds */
++
++- if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
++- log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
++- return 0;
++- }
++-
++ timespec_diff(dst_link->pmtud_last, clock_now, &diff_pmtud);
++
++ if (diff_pmtud < interval) {
++diff --git a/libnozzle/internals.c b/libnozzle/internals.c
++index 6e68346..f056e3b 100644
++--- a/libnozzle/internals.c
+++++ b/libnozzle/internals.c
++@@ -144,7 +144,7 @@ char *generate_v4_broadcast(const char *ipaddr, const char *prefix)
++
++ prefix_len = atoi(prefix);
++
++- if ((prefix_len > 32) || (prefix_len < 0))
+++ if ((prefix_len > 32) || (prefix_len <= 0))
++ return NULL;
++
++ if (inet_pton(AF_INET, ipaddr, &address) <= 0)
++diff --git a/libnozzle/libnozzle.c b/libnozzle/libnozzle.c
++index 4e5a2d4..b6e9566 100644
++--- a/libnozzle/libnozzle.c
+++++ b/libnozzle/libnozzle.c
++@@ -405,7 +405,8 @@ nozzle_t nozzle_open(char *devname, size_t devname_size, const char *updownpath)
++ return NULL;
++ }
++
++- if (strlen(devname) > IFNAMSIZ) {
+++ /* Need to allow space for trailing NUL */
+++ if (strlen(devname) >= IFNAMSIZ) {
++ errno = E2BIG;
++ return NULL;
++ }
++diff --git a/libnozzle/tests/api_nozzle_run_updown.c b/libnozzle/tests/api_nozzle_run_updown.c
++index a078ad7..c80216a 100644
++--- a/libnozzle/tests/api_nozzle_run_updown.c
+++++ b/libnozzle/tests/api_nozzle_run_updown.c
++@@ -29,16 +29,21 @@ static int test(void)
++ nozzle_t nozzle = NULL;
++ char *error_string = NULL;
++ char *tmpdir = NULL;
++- char tmpdirsrc[PATH_MAX];
+++ char tmpdirsrc[PATH_MAX*2];
++ char tmpstr[PATH_MAX*2];
++ char srcfile[PATH_MAX];
++ char dstfile[PATH_MAX];
+++ char current_dir[PATH_MAX];
++
++ /*
++ * create a tmp dir for storing up/down scripts.
++ * we cannot create symlinks src dir
++ */
++- strcpy(tmpdirsrc, ABSBUILDDIR "/nozzle_test_XXXXXX");
+++ if (getcwd(current_dir, sizeof(current_dir)) == NULL) {
+++ printf("Unable to get current working directory: %s\n", strerror(errno));
+++ return -1;
+++ }
+++ snprintf(tmpdirsrc, sizeof(tmpdirsrc)-1, "%s/nozzle_test_XXXXXX", current_dir);
++
++ tmpdir = mkdtemp(tmpdirsrc);
++ if (!tmpdir) {
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index b623711..7d9a60c 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -695,17 +695,17 @@ static void collect_enums(xmlNode *cur_node, void *arg)
++ }
++ }
++
++- si = malloc(sizeof(struct struct_info));
++- if (si) {
++- si->kind = STRUCTINFO_ENUM;
++- qb_list_init(&si->params_list);
++- si->structname = strdup(name);
++- traverse_node(cur_node, "enumvalue", read_struct, si);
++- qb_map_put(structures_map, refid, si);
+++ if (name) {
+++ si = malloc(sizeof(struct struct_info));
+++ if (si) {
+++ si->kind = STRUCTINFO_ENUM;
+++ qb_list_init(&si->params_list);
+++ si->structname = strdup(name);
+++ traverse_node(cur_node, "enumvalue", read_struct, si);
+++ qb_map_put(structures_map, refid, si);
+++ }
++ }
++-
++ }
++-
++ }
++ }
++
++@@ -786,7 +786,7 @@ static void traverse_members(xmlNode *cur_node, void *arg)
++ free(kind);
++ free(def);
++ free(args);
++-// free(name); /* don't free, it's in the map */
+++ free(name);
++ }
++ }
++
+diff --git a/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch b/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+new file mode 100644
+index 0000000..7650221
+--- /dev/null
++++ b/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+@@ -0,0 +1,167 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 25 Feb 2018 09:08:10 +0100
++Subject: [spec] be more strict about plugins version and architecture
++ depedencies
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 851525b90235db236cc4bf88a66ed5f7c54ed9f6)
++---
++ kronosnet.spec.in | 42 +++++++++++++++++++++---------------------
++ 1 file changed, 21 insertions(+), 21 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 3b597d0..de31656 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -363,7 +363,7 @@ Summary: Simple userland wrapper around kernel tap devices
++ %package -n libnozzle1-devel
++ Group: Development/Libraries
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
++-Requires: libnozzle1 = %{version}-%{release}
+++Requires: libnozzle1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++
++ %description -n libnozzle1-devel
++@@ -402,7 +402,7 @@ Summary: Kronosnet core switching implementation
++ %package -n libknet1-devel
++ Group: Development/Libraries
++ Summary: Kronosnet core switching implementation (developer files)
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++
++ %description -n libknet1-devel
++@@ -424,7 +424,7 @@ Requires: pkgconfig
++ %package -n libknet1-crypto-nss-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 nss support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-crypto-nss-plugin
++ NSS crypto support for libknet1.
++@@ -438,7 +438,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 openssl support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-crypto-openssl-plugin
++ OpenSSL crypto support for libknet1.
++@@ -452,7 +452,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-zlib-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zlib support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-zlib-plugin
++ zlib compression support for libknet1.
++@@ -465,7 +465,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lz4-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lz4 and lz4hc support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lz4-plugin
++ lz4 and lz4hc compression support for libknet1.
++@@ -480,7 +480,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lzo2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzo2 support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lzo2-plugin
++ lzo2 compression support for libknet1.
++@@ -494,7 +494,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lzma-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzma support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lzma-plugin
++ lzma compression support for libknet1.
++@@ -508,7 +508,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-bzip2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 bzip2 support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-bzip2-plugin
++ bzip2 compression support for libknet1.
++@@ -522,7 +522,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-zstd-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zstd support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-zstd-plugin
++ zstd compression support for libknet1.
++@@ -536,10 +536,10 @@ Requires: libknet1 = %{version}-%{release}
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++ %if %{defined buildcryptonss}
++-Requires: libknet1-crypto-nss-plugin
+++Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcryptoopenssl}
++-Requires: libknet1-crypto-openssl-plugin
+++Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++ %description -n libknet1-crypto-plugins-all
++@@ -551,22 +551,22 @@ Requires: libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 compress plugins meta package
++ %if %{defined buildcompresszlib}
++-Requires: libknet1-compress-zlib-plugin
+++Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslz4}
++-Requires: libknet1-compress-lz4-plugin
+++Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslzo2}
++-Requires: libknet1-compress-lzo2-plugin
+++Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslzma}
++-Requires: libknet1-compress-lzma-plugin
+++Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompressbzip2}
++-Requires: libknet1-compress-bzip2-plugin
+++Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresszstd}
++-Requires: libknet1-compress-zstd-plugin
+++Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++ %description -n libknet1-compress-plugins-all
++@@ -577,8 +577,8 @@ Requires: libknet1-compress-zstd-plugin
++ %package -n libknet1-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 plugins meta package
++-Requires: libknet1-compress-plugins-all
++-Requires: libknet1-crypto-plugins-all
+++Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
+++Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-plugins-all
++ meta package to install all of libknet1 plugins
++@@ -589,7 +589,7 @@ Requires: libknet1-crypto-plugins-all
++ %package -n kronosnet-tests
++ Group: System Environment/Libraries
++ Summary: kronosnet test suite
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n kronosnet-tests
++ this package contains all the libknet and libnozzle test suite
+diff --git a/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch b/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+new file mode 100644
+index 0000000..3e7dfa5
+--- /dev/null
++++ b/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+@@ -0,0 +1,376 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 12 May 2019 07:22:41 +0200
++Subject: [spec] clean up useless conditionals and defines
++
++fix a couple of minor conditionals in the process
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dd66ce8b6389772de79e576d6eea542633594cf1)
++---
++ kronosnet.spec.in | 144 ++++++++++++++++++++----------------------------------
++ 1 file changed, 52 insertions(+), 92 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index de31656..b5632ae 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -37,50 +37,6 @@
++ %undefine _enable_debug_packages
++ %endif
++
++-%if %{with sctp}
++-%global buildsctp 1
++-%endif
++-%if %{with nss}
++-%global buildcryptonss 1
++-%endif
++-%if %{with openssl}
++-%global buildcryptoopenssl 1
++-%endif
++-%if %{with zlib}
++-%global buildcompresszlib 1
++-%endif
++-%if %{with lz4}
++-%global buildcompresslz4 1
++-%endif
++-%if %{with lzo2}
++-%global buildcompresslzo2 1
++-%endif
++-%if %{with lzma}
++-%global buildcompresslzma 1
++-%endif
++-%if %{with bzip2}
++-%global buildcompressbzip2 1
++-%endif
++-%if %{with zstd}
++-%global buildcompresszstd 1
++-%endif
++-%if %{with libnozzle}
++-%global buildlibnozzle 1
++-%endif
++-%if %{with kronosnetd}
++-%global buildlibnozzle 1
++-%global buildkronosnetd 1
++-%endif
++-%if %{with runautogen}
++-%global buildautogen 1
++-%endif
++-%if %{with buildman}
++-%global buildmanpages 1
++-%endif
++-%if %{with installtests}
++-%global installtestsuite 1
++-%endif
++-
++ # main (empty) package
++ # http://www.rpm.org/max-rpm/s1-rpm-subpack-spec-file-changes.html
++
++@@ -100,62 +56,60 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
++ # Build dependencies
++ BuildRequires: gcc
++ # required to build man pages
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ BuildRequires: libqb-devel libxml2-devel doxygen
++ %endif
++-%if %{defined buildsctp}
+++%if %{with sctp}
++ BuildRequires: lksctp-tools-devel
++ %endif
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ %if 0%{?suse_version}
++ BuildRequires: mozilla-nss-devel
++ %else
++ BuildRequires: nss-devel
++ %endif
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ %if 0%{?suse_version}
++ BuildRequires: libopenssl-devel
++ %else
++ BuildRequires: openssl-devel
++ %endif
++ %endif
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ BuildRequires: zlib-devel
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ %if 0%{?suse_version}
++ BuildRequires: liblz4-devel
++ %else
++ BuildRequires: lz4-devel
++ %endif
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ BuildRequires: lzo-devel
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ BuildRequires: xz-devel
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ %if 0%{?suse_version}
++ BuildRequires: libbz2-devel
++ %else
++ BuildRequires: bzip2-devel
++ %endif
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ BuildRequires: libzstd-devel
++ %endif
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ BuildRequires: pam-devel
++ %endif
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ BuildRequires: libnl3-devel
++ %endif
++-%if %{defined buildautogen}
++-BuildRequires: autoconf
++-BuildRequires: automake
++-BuildRequires: libtool
+++%if %{with runautogen}
+++BuildRequires: autoconf automake libtool
++ %endif
++
++ %prep
++@@ -167,66 +121,70 @@ BuildRequires: libtool
++ %endif
++
++ %{configure} \
++-%if %{defined installtestsuite}
+++%if %{with installtests}
++ --enable-install-tests \
++ %else
++ --disable-install-tests \
++ %endif
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ --enable-man \
++ %else
++ --disable-man \
++ %endif
++-%if %{defined buildsctp}
+++%if %{with sctp}
++ --enable-libknet-sctp \
++ %else
++ --disable-libknet-sctp \
++ %endif
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ --enable-crypto-nss \
++ %else
++ --disable-crypto-nss \
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ --enable-crypto-openssl \
++ %else
++ --disable-crypto-openssl \
++ %endif
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ --enable-compress-zlib \
++ %else
++ --disable-compress-zlib \
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ --enable-compress-lz4 \
++ %else
++ --disable-compress-lz4 \
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ --enable-compress-lzo2 \
++ %else
++ --disable-compress-lzo2 \
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ --enable-compress-lzma \
++ %else
++ --disable-compress-lzma \
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ --enable-compress-bzip2 \
++ %else
++ --disable-compress-bzip2 \
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ --enable-compress-zstd \
++ %else
++ --disable-compress-zstd \
++ %endif
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ --enable-kronosnetd \
+++%else
+++ --disable-kronosnetd \
++ %endif
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ --enable-libnozzle \
+++%else
+++ --disable-libnozzle \
++ %endif
++ --with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
++ %if %{defined _unitdir}
++@@ -266,7 +224,7 @@ rm -rf %{buildroot}
++ %description
++ kronosnet source
++
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ ## Runtime and subpackages section
++ %package -n kronosnetd
++ Group: System Environment/Base
++@@ -341,7 +299,7 @@ fi
++ %{_mandir}/man8/*
++ %endif
++
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ %package -n libnozzle1
++ Group: System Environment/Libraries
++ Summary: Simple userland wrapper around kernel tap devices
++@@ -377,8 +335,10 @@ Requires: pkgconfig
++ %{_libdir}/libnozzle.so
++ %{_includedir}/libnozzle.h
++ %{_libdir}/pkgconfig/libnozzle.pc
+++%if %{with buildman}
++ %{_mandir}/man3/nozzle*.3.gz
++ %endif
+++%endif
++
++ %package -n libknet1
++ Group: System Environment/Libraries
++@@ -416,11 +376,11 @@ Requires: pkgconfig
++ %{_libdir}/libknet.so
++ %{_includedir}/libknet.h
++ %{_libdir}/pkgconfig/libknet.pc
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ %{_mandir}/man3/knet*.3.gz
++ %endif
++
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ %package -n libknet1-crypto-nss-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 nss support
++@@ -434,7 +394,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/crypto_nss.so
++ %endif
++
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ %package -n libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 openssl support
++@@ -448,7 +408,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/crypto_openssl.so
++ %endif
++
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ %package -n libknet1-compress-zlib-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zlib support
++@@ -461,7 +421,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zlib.so
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ %package -n libknet1-compress-lz4-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lz4 and lz4hc support
++@@ -476,7 +436,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lz4hc.so
++ %endif
++
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ %package -n libknet1-compress-lzo2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzo2 support
++@@ -490,7 +450,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lzo2.so
++ %endif
++
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ %package -n libknet1-compress-lzma-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzma support
++@@ -504,7 +464,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lzma.so
++ %endif
++
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ %package -n libknet1-compress-bzip2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 bzip2 support
++@@ -518,7 +478,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ %package -n libknet1-compress-zstd-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zstd support
++@@ -535,10 +495,10 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %package -n libknet1-crypto-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++@@ -550,22 +510,22 @@ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %package -n libknet1-compress-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 compress plugins meta package
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++
+diff --git a/debian/patches/spec-drop-support-for-init-scripts.patch b/debian/patches/spec-drop-support-for-init-scripts.patch
+new file mode 100644
+index 0000000..16d60d8
+--- /dev/null
++++ b/debian/patches/spec-drop-support-for-init-scripts.patch
+@@ -0,0 +1,108 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 14 May 2019 05:53:12 +0200
++Subject: [spec] drop support for init scripts
++
++no rpm distros left that support old fashion init scripts
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 1fc28307dc2b537abd30eab8b6920f2b6893e786)
++---
++ kronosnet.spec.in | 46 ++--------------------------------------------
++ 1 file changed, 2 insertions(+), 44 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index ddc3af0..8c60125 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -182,11 +182,7 @@ BuildRequires: autoconf automake libtool
++ --disable-libnozzle \
++ %endif
++ --with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
++-%if %{defined _unitdir}
++ --with-systemddir=%{_unitdir}
++-%else
++- --with-initddir=%{_sysconfdir}/rc.d/init.d/
++-%endif
++
++ make %{_smp_mflags}
++
++@@ -200,14 +196,8 @@ find %{buildroot} -name "*.a" -exec rm {} \;
++ # remove libtools leftovers
++ find %{buildroot} -name "*.la" -exec rm {} \;
++
++-# handle systemd vs init script
++-%if %{defined _unitdir}
++ # remove init scripts
++ rm -rf %{buildroot}/etc/init.d
++-%else
++-# remove systemd specific bits
++-find %{buildroot} -name "*.service" -exec rm {} \;
++-%endif
++
++ # remove docs
++ rm -rf %{buildroot}/usr/share/doc/kronosnet
++@@ -221,16 +211,10 @@ rm -rf %{buildroot}/usr/share/doc/kronosnet
++ %package -n kronosnetd
++ Summary: Multipoint-to-Multipoint VPN daemon
++ License: GPLv2+
++-%if %{defined _unitdir}
++-# Needed for systemd unit
++ Requires(post): systemd-sysv
++ Requires(post): systemd-units
++ Requires(preun): systemd-units
++ Requires(postun): systemd-units
++-%else
++-Requires(post): chkconfig
++-Requires(preun): chkconfig, initscripts
++-%endif
++ Requires(post): shadow-utils
++ Requires(preun): shadow-utils
++ Requires: pam, /etc/pam.d/passwd
++@@ -246,33 +230,11 @@ Requires: pam, /etc/pam.d/passwd
++ or service disruption.
++
++ %post -n kronosnetd
++-%if %{defined _unitdir}
++- %if 0%{?systemd_post:1}
++- %systemd_post kronosnetd.service
++- %else
++- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
++- %endif
++-%else
++-/sbin/chkconfig --add kronosnetd
++-%endif
+++%systemd_post kronosnetd.service
++ getent group @defaultadmgroup@ >/dev/null || groupadd --force --system @defaultadmgroup@
++
++ %preun -n kronosnetd
++-%if %{defined _unitdir}
++- %if 0%{?systemd_preun:1}
++- %systemd_preun kronosnetd.service
++- %else
++-if [ "$1" -eq 0 ]; then
++- /bin/systemctl --no-reload disable kronosnetd.service
++- /bin/systemctl stop kronosnetd.service >/dev/null 2>&1
++-fi
++-%endif
++-%else
++-if [ "$1" = 0 ]; then
++- /sbin/service kronosnetd stop >/dev/null 2>&1
++- /sbin/chkconfig --del kronosnetd
++-fi
++-%endif
+++%systemd_preun kronosnetd.service
++
++ %files -n kronosnetd
++ %license COPYING.* COPYRIGHT
++@@ -281,11 +243,7 @@ fi
++ %config(noreplace) %{_sysconfdir}/sysconfig/kronosnetd
++ %config(noreplace) %{_sysconfdir}/pam.d/kronosnetd
++ %config(noreplace) %{_sysconfdir}/logrotate.d/kronosnetd
++-%if %{defined _unitdir}
++ %{_unitdir}/kronosnetd.service
++-%else
++-%config(noreplace) %{_sysconfdir}/rc.d/init.d/kronosnetd
++-%endif
++ %{_sbindir}/*
++ %{_mandir}/man8/*
++ %endif
+diff --git a/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch b/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+new file mode 100644
+index 0000000..1066070
+--- /dev/null
++++ b/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+@@ -0,0 +1,51 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 13 May 2019 06:55:36 +0200
++Subject: [spec] fix a bunch of rpmlint errors
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 95198f0dc5b8a4eefe06b58fa1901740209b42a0)
++---
++ kronosnet.spec.in | 9 +++++----
++ 1 file changed, 5 insertions(+), 4 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index a6c87a0..ddc3af0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -340,6 +340,7 @@ License: LGPLv2+
++ %license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
+++
++ %ldconfig_scriptlets -n libknet1
++
++ %package -n libknet1-devel
++@@ -505,24 +506,24 @@ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++ %description -n libknet1-compress-plugins-all
++- Provides meta package to install all of libknet1 compress plugins
+++ Meta package to install all of libknet1 compress plugins
++
++ %files -n libknet1-compress-plugins-all
++
++ %package -n libknet1-plugins-all
++-Summary: libknet1 plugins meta package
+++Summary: Provides libknet1 plugins meta package
++ License: LGPLv2+
++ Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
++ Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-plugins-all
++- Provides meta package to install all of libknet1 plugins
+++ Meta package to install all of libknet1 plugins
++
++ %files -n libknet1-plugins-all
++
++ %if %{with installtests}
++ %package -n kronosnet-tests
++-Summary: kronosnet test suite
+++Summary: Provides kronosnet test suite
++ License: GPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
+diff --git a/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch b/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+new file mode 100644
+index 0000000..d8c82f8
+--- /dev/null
++++ b/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+@@ -0,0 +1,30 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 12 May 2019 06:59:00 +0200
++Subject: [spec] fix upstream URLs to point to https and official release repo
++
++Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1708616
++
++also to be noted, the Source0: line is different from upstream and Fedora
++because upstream can handle tarballs during development
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5884f8dfc6cf4e648e033da855f8c77eafae84df)
++---
++ kronosnet.spec.in | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 442f3ae..e430ad2 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -90,8 +90,8 @@ Version: @version@
++ Release: 1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
++ License: GPLv2+ and LGPLv2+
++ Group: System Environment/Base
++-URL: https://github.com/kronosnet/kronosnet/
++-Source0: https://github.com/kronosnet/kronosnet/archive/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
+++URL: https://kronosnet.org
+++Source0: https://kronosnet.org/releases/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
++
++ ## Setup/build bits
++
+diff --git a/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch b/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+new file mode 100644
+index 0000000..00a6b28
+--- /dev/null
++++ b/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+@@ -0,0 +1,374 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 13 May 2019 06:02:06 +0200
++Subject: [spec] reconciliate fedora spec file into upstream spec file (part 1)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d880374fbff2ebe404f2bbae95c988aa21e60280)
++---
++ kronosnet.spec.in | 130 ++++++++++++++++++++++--------------------------------
++ 1 file changed, 52 insertions(+), 78 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index b5632ae..a6c87a0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -45,14 +45,9 @@ Summary: Multipoint-to-Multipoint VPN daemon
++ Version: @version@
++ Release: 1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
++ License: GPLv2+ and LGPLv2+
++-Group: System Environment/Base
++ URL: https://kronosnet.org
++ Source0: https://kronosnet.org/releases/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
++
++-## Setup/build bits
++-
++-BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
++-
++ # Build dependencies
++ BuildRequires: gcc
++ # required to build man pages
++@@ -117,7 +112,7 @@ BuildRequires: autoconf automake libtool
++
++ %build
++ %if %{with runautogen}
++- ./autogen.sh
+++./autogen.sh
++ %endif
++
++ %{configure} \
++@@ -217,18 +212,15 @@ find %{buildroot} -name "*.service" -exec rm {} \;
++ # remove docs
++ rm -rf %{buildroot}/usr/share/doc/kronosnet
++
++-%clean
++-rm -rf %{buildroot}
++-
++ # main empty package
++ %description
++-kronosnet source
+++ The kronosnet source
++
++ %if %{with kronosnetd}
++ ## Runtime and subpackages section
++ %package -n kronosnetd
++-Group: System Environment/Base
++ Summary: Multipoint-to-Multipoint VPN daemon
+++License: GPLv2+
++ %if %{defined _unitdir}
++ # Needed for systemd unit
++ Requires(post): systemd-sysv
++@@ -239,8 +231,8 @@ Requires(postun): systemd-units
++ Requires(post): chkconfig
++ Requires(preun): chkconfig, initscripts
++ %endif
++-Requires(post): shadow-utils
++-Requires(preun): shadow-utils
+++Requires(post): shadow-utils
+++Requires(preun): shadow-utils
++ Requires: pam, /etc/pam.d/passwd
++
++ %description -n kronosnetd
++@@ -263,7 +255,7 @@ Requires: pam, /etc/pam.d/passwd
++ %else
++ /sbin/chkconfig --add kronosnetd
++ %endif
++-/usr/sbin/groupadd --force --system @defaultadmgroup@
+++getent group @defaultadmgroup@ >/dev/null || groupadd --force --system @defaultadmgroup@
++
++ %preun -n kronosnetd
++ %if %{defined _unitdir}
++@@ -283,8 +275,7 @@ fi
++ %endif
++
++ %files -n kronosnetd
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %dir %{_sysconfdir}/kronosnet
++ %dir %{_sysconfdir}/kronosnet/*
++ %config(noreplace) %{_sysconfdir}/sysconfig/kronosnetd
++@@ -301,8 +292,8 @@ fi
++
++ %if %{with libnozzle}
++ %package -n libnozzle1
++-Group: System Environment/Libraries
++ Summary: Simple userland wrapper around kernel tap devices
+++License: LGPLv2+
++
++ %description -n libnozzle1
++ This is an over-engineered commodity library to manage a pool
++@@ -310,17 +301,14 @@ Summary: Simple userland wrapper around kernel tap devices
++ pre-up.d/up.d/down.d/post-down.d infrastructure.
++
++ %files -n libnozzle1
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so.*
++
++-%post -n libnozzle1 -p /sbin/ldconfig
++-
++-%postun -n libnozzle1 -p /sbin/ldconfig
+++%ldconfig_scriptlets -n libnozzle1
++
++ %package -n libnozzle1-devel
++-Group: Development/Libraries
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
+++License: LGPLv2+
++ Requires: libnozzle1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++
++@@ -330,8 +318,7 @@ Requires: pkgconfig
++ pre-up.d/up.d/down.d/post-down.d infrastructure.
++
++ %files -n libnozzle1-devel
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so
++ %{_includedir}/libnozzle.h
++ %{_libdir}/pkgconfig/libnozzle.pc
++@@ -341,8 +328,8 @@ Requires: pkgconfig
++ %endif
++
++ %package -n libknet1
++-Group: System Environment/Libraries
++ Summary: Kronosnet core switching implementation
+++License: LGPLv2+
++
++ %description -n libknet1
++ The whole kronosnet core is implemented in this library.
++@@ -350,18 +337,14 @@ Summary: Kronosnet core switching implementation
++ information.
++
++ %files -n libknet1
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
++-
++-%post -n libknet1 -p /sbin/ldconfig
++-
++-%postun -n libknet1 -p /sbin/ldconfig
+++%ldconfig_scriptlets -n libknet1
++
++ %package -n libknet1-devel
++-Group: Development/Libraries
++ Summary: Kronosnet core switching implementation (developer files)
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++
++@@ -371,8 +354,7 @@ Requires: pkgconfig
++ information.
++
++ %files -n libknet1-devel
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so
++ %{_includedir}/libknet.h
++ %{_libdir}/pkgconfig/libknet.pc
++@@ -382,119 +364,112 @@ Requires: pkgconfig
++
++ %if %{with nss}
++ %package -n libknet1-crypto-nss-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 nss support
+++Summary: Provides libknet1 nss support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-crypto-nss-plugin
++- NSS crypto support for libknet1.
+++ Provides NSS crypto support for libknet1.
++
++ %files -n libknet1-crypto-nss-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/crypto_nss.so
++ %endif
++
++ %if %{with openssl}
++ %package -n libknet1-crypto-openssl-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 openssl support
+++Summary: Provides libknet1 openssl support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-crypto-openssl-plugin
++- OpenSSL crypto support for libknet1.
+++ Provides OpenSSL crypto support for libknet1.
++
++ %files -n libknet1-crypto-openssl-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/crypto_openssl.so
++ %endif
++
++ %if %{with zlib}
++ %package -n libknet1-compress-zlib-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 zlib support
+++Summary: Provides libknet1 zlib support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-zlib-plugin
++- zlib compression support for libknet1.
+++ Provides zlib compression support for libknet1.
++
++ %files -n libknet1-compress-zlib-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zlib.so
++ %endif
+++
++ %if %{with lz4}
++ %package -n libknet1-compress-lz4-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lz4 and lz4hc support
+++Summary: Provides libknet1 lz4 and lz4hc support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lz4-plugin
++- lz4 and lz4hc compression support for libknet1.
+++ Provides lz4 and lz4hc compression support for libknet1.
++
++ %files -n libknet1-compress-lz4-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lz4.so
++ %{_libdir}/kronosnet/compress_lz4hc.so
++ %endif
++
++ %if %{with lzo2}
++ %package -n libknet1-compress-lzo2-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lzo2 support
+++Summary: Provides libknet1 lzo2 support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lzo2-plugin
++- lzo2 compression support for libknet1.
+++ Provides lzo2 compression support for libknet1.
++
++ %files -n libknet1-compress-lzo2-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lzo2.so
++ %endif
++
++ %if %{with lzma}
++ %package -n libknet1-compress-lzma-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lzma support
+++Summary: Provides libknet1 lzma support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-lzma-plugin
++- lzma compression support for libknet1.
+++ Provides lzma compression support for libknet1.
++
++ %files -n libknet1-compress-lzma-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lzma.so
++ %endif
++
++ %if %{with bzip2}
++ %package -n libknet1-compress-bzip2-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 bzip2 support
+++Summary: Provides libknet1 bzip2 support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-bzip2-plugin
++- bzip2 compression support for libknet1.
+++ Provides bzip2 compression support for libknet1.
++
++ %files -n libknet1-compress-bzip2-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++
++ %if %{with zstd}
++ %package -n libknet1-compress-zstd-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 zstd support
+++Summary: Provides libknet1 zstd support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-compress-zstd-plugin
++- zstd compression support for libknet1.
+++ Provides zstd compression support for libknet1.
++
++ %files -n libknet1-compress-zstd-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zstd.so
++ %endif
++
++ %package -n libknet1-crypto-plugins-all
++-Group: System Environment/Libraries
++-Summary: libknet1 crypto plugins meta package
+++Summary: Provides libknet1 crypto plugins meta package
+++License: LGPLv2+
++ %if %{with nss}
++ Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++@@ -503,13 +478,13 @@ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++ %description -n libknet1-crypto-plugins-all
++- meta package to install all of libknet1 crypto plugins
+++ Provides meta package to install all of libknet1 crypto plugins
++
++ %files -n libknet1-crypto-plugins-all
++
++ %package -n libknet1-compress-plugins-all
++-Group: System Environment/Libraries
++-Summary: libknet1 compress plugins meta package
+++Summary: Provides libknet1 compress plugins meta package
+++License: LGPLv2+
++ %if %{with zlib}
++ Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++@@ -530,32 +505,31 @@ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++
++ %description -n libknet1-compress-plugins-all
++- meta package to install all of libknet1 compress plugins
+++ Provides meta package to install all of libknet1 compress plugins
++
++ %files -n libknet1-compress-plugins-all
++
++ %package -n libknet1-plugins-all
++-Group: System Environment/Libraries
++ Summary: libknet1 plugins meta package
+++License: LGPLv2+
++ Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
++ Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++
++ %description -n libknet1-plugins-all
++- meta package to install all of libknet1 plugins
+++ Provides meta package to install all of libknet1 plugins
++
++ %files -n libknet1-plugins-all
++
++ %if %{with installtests}
++ %package -n kronosnet-tests
++-Group: System Environment/Libraries
++ Summary: kronosnet test suite
+++License: GPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++
++ %description -n kronosnet-tests
++- this package contains all the libknet and libnozzle test suite
+++ This package contains all the libknet and libnozzle test suite.
++
++ %files -n kronosnet-tests
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/tests/*
++ %endif
++
+diff --git a/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch b/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+new file mode 100644
+index 0000000..500dd1f
+--- /dev/null
++++ b/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+@@ -0,0 +1,59 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 25 Feb 2018 08:42:55 +0100
++Subject: [spec] use distro conditionals to determine BuildRequires
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 3a5332772250c1adf2340503ac8903ea07f2d394)
++---
++ kronosnet.spec.in | 24 ++++++++++++++++++++----
++ 1 file changed, 20 insertions(+), 4 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index e430ad2..3b597d0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -107,16 +107,28 @@ BuildRequires: libqb-devel libxml2-devel doxygen
++ BuildRequires: lksctp-tools-devel
++ %endif
++ %if %{defined buildcryptonss}
++-BuildRequires: /usr/include/nss3/nss.h /usr/include/nspr4/nspr.h
+++%if 0%{?suse_version}
+++BuildRequires: mozilla-nss-devel
+++%else
+++BuildRequires: nss-devel
+++%endif
++ %endif
++ %if %{defined buildcryptoopenssl}
++-BuildRequires: /usr/include/openssl/conf.h
+++%if 0%{?suse_version}
+++BuildRequires: libopenssl-devel
+++%else
+++BuildRequires: openssl-devel
+++%endif
++ %endif
++ %if %{defined buildcompresszlib}
++ BuildRequires: zlib-devel
++ %endif
++ %if %{defined buildcompresslz4}
++-BuildRequires: /usr/include/lz4hc.h
+++%if 0%{?suse_version}
+++BuildRequires: liblz4-devel
+++%else
+++BuildRequires: lz4-devel
+++%endif
++ %endif
++ %if %{defined buildcompresslzo2}
++ BuildRequires: lzo-devel
++@@ -125,7 +137,11 @@ BuildRequires: lzo-devel
++ BuildRequires: xz-devel
++ %endif
++ %if %{defined buildcompressbzip2}
++-BuildRequires: /usr/include/bzlib.h
+++%if 0%{?suse_version}
+++BuildRequires: libbz2-devel
+++%else
+++BuildRequires: bzip2-devel
+++%endif
++ %endif
++ %if %{defined buildcompresszstd}
++ BuildRequires: libzstd-devel
+diff --git a/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch b/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+new file mode 100644
+index 0000000..46a0fee
+--- /dev/null
++++ b/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+@@ -0,0 +1,40 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 14 May 2019 06:57:36 +0200
++Subject: [spec] use ldconfig_scriptlets only when defined
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8a823aa3bf291fe8c7407fd957d71897895e1aec)
++---
++ kronosnet.spec.in | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 8c60125..094090b 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -262,7 +262,12 @@ License: LGPLv2+
++ %license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so.*
++
+++%if 0%{?ldconfig_scriptlets}
++ %ldconfig_scriptlets -n libnozzle1
+++%else
+++%post -n libnozzle1 -p /sbin/ldconfig
+++%postun -n libnozzle1 -p /sbin/ldconfig
+++%endif
++
++ %package -n libnozzle1-devel
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
++@@ -299,7 +304,12 @@ License: LGPLv2+
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
++
+++%if 0%{?ldconfig_scriptlets}
++ %ldconfig_scriptlets -n libknet1
+++%else
+++%post -n libknet1 -p /sbin/ldconfig
+++%postun -n libknet1 -p /sbin/ldconfig
+++%endif
++
++ %package -n libknet1-devel
++ Summary: Kronosnet core switching implementation (developer files)
+diff --git a/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch b/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+new file mode 100644
+index 0000000..76b42da
+--- /dev/null
++++ b/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+@@ -0,0 +1,25 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 09:30:27 +0200
++Subject: [tests] hide an arm internal memory leak (non-recurring)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 43b3f05da8736e7bb286e81f96e7514977541bef)
++---
++ build-aux/knet_valgrind_memcheck.supp | 7 +++++++
++ 1 file changed, 7 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index e0f49d0..a34ab93 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -605,3 +605,10 @@
++ obj:*
++ obj:/usr/lib64/libnss3.so
++ }
+++{
+++ arm internal memory leak
+++ Memcheck:Leak
+++ match-leak-kinds: definite
+++ fun:malloc
+++ fun:dl_open_worker
+++}
+diff --git a/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch b/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+new file mode 100644
+index 0000000..458da67
+--- /dev/null
++++ b/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+@@ -0,0 +1,135 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 09:31:00 +0200
++Subject: [tests] improve wait for packet implementation to flush logs during
++ wait
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit e7825127477c756b4d0d9311c9907e140575e490)
++---
++ libknet/tests/test-common.h | 2 +-
++ libknet/tests/api_knet_handle_clear_stats.c | 2 +-
++ libknet/tests/api_knet_send.c | 2 +-
++ libknet/tests/api_knet_send_compress.c | 2 +-
++ libknet/tests/api_knet_send_crypto.c | 2 +-
++ libknet/tests/api_knet_send_loopback.c | 4 ++--
++ libknet/tests/test-common.c | 7 ++++---
++ 7 files changed, 11 insertions(+), 10 deletions(-)
++
++diff --git a/libknet/tests/test-common.h b/libknet/tests/test-common.h
++index 8742f8d..a498a09 100644
++--- a/libknet/tests/test-common.h
+++++ b/libknet/tests/test-common.h
++@@ -70,6 +70,6 @@ int stop_logthread(void);
++ int make_local_sockaddr(struct sockaddr_storage *lo, uint16_t offset);
++ int make_local_sockaddr6(struct sockaddr_storage *lo, uint16_t offset);
++ int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd, FILE *std);
++-int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd);
+++int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std);
++
++ #endif
++diff --git a/libknet/tests/api_knet_handle_clear_stats.c b/libknet/tests/api_knet_handle_clear_stats.c
++index 8e64235..07f059a 100644
++--- a/libknet/tests/api_knet_handle_clear_stats.c
+++++ b/libknet/tests/api_knet_handle_clear_stats.c
++@@ -160,7 +160,7 @@ static void test(void)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index 9e81d03..ca16e3d 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -247,7 +247,7 @@ static void test(uint8_t transport)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_compress.c b/libknet/tests/api_knet_send_compress.c
++index 6de4674..b03f4e7 100644
++--- a/libknet/tests/api_knet_send_compress.c
+++++ b/libknet/tests/api_knet_send_compress.c
++@@ -170,7 +170,7 @@ static void test(const char *model)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_crypto.c b/libknet/tests/api_knet_send_crypto.c
++index f2ca366..e33a808 100644
++--- a/libknet/tests/api_knet_send_crypto.c
+++++ b/libknet/tests/api_knet_send_crypto.c
++@@ -171,7 +171,7 @@ static void test(const char *model)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 0cfd29f..2feca68 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -251,7 +251,7 @@ static void test(void)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++@@ -352,7 +352,7 @@ static void test(void)
++
++ flush_logs(logfds[0], stdout);
++
++- if (wait_for_packet(knet_h, 10, datafd)) {
+++ if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ printf("Error waiting for packet: %s\n", strerror(errno));
++ knet_link_set_enable(knet_h, 1, 0, 0);
++ knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
++index d0ea1ef..a4ff297 100644
++--- a/libknet/tests/test-common.c
+++++ b/libknet/tests/test-common.c
++@@ -485,7 +485,7 @@ int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd
++ return -1;
++ }
++
++-int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd)
+++int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std)
++ {
++ fd_set rfds;
++ struct timeval tv;
++@@ -500,7 +500,7 @@ try_again:
++ FD_ZERO(&rfds);
++ FD_SET(datafd, &rfds);
++
++- tv.tv_sec = seconds;
+++ tv.tv_sec = 1;
++ tv.tv_usec = 0;
++
++ err = select(datafd+1, &rfds, NULL, NULL, &tv);
++@@ -509,7 +509,8 @@ try_again:
++ * pick an arbitrary 10 times loop (multiplied by waiting seconds)
++ * before failing.
++ */
++- if ((!err) && (i < 10)) {
+++ if ((!err) && (i < seconds)) {
+++ flush_logs(logfd, std);
++ i++;
++ goto try_again;
++ }
+diff --git a/debian/patches/tests-remove-stray-comment.patch b/debian/patches/tests-remove-stray-comment.patch
+new file mode 100644
+index 0000000..dce4422
+--- /dev/null
++++ b/debian/patches/tests-remove-stray-comment.patch
+@@ -0,0 +1,22 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 7 Mar 2019 18:42:20 +0100
++Subject: [tests] remove stray comment
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 3f426c317d41c93cefc7735607ec166539223283)
++---
++ libknet/tests/Makefile.am | 1 -
++ 1 file changed, 1 deletion(-)
++
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 3e74ea8..015587c 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -41,7 +41,6 @@ fun_checks =
++ benchmarks = \
++ knet_bench_test
++
++-# int_links_acl_test can´t run yet standalone
++ noinst_PROGRAMS = \
++ api_knet_handle_new_limit_test \
++ pckt_test \
+diff --git a/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch b/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+new file mode 100644
+index 0000000..3d23858
+--- /dev/null
++++ b/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+@@ -0,0 +1,161 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 28 Feb 2019 14:55:27 +0100
++Subject: [transports / access list] add internal API to gather which fd to
++ use for access lists given a certain link struct
++
++this is required for the external API that has to be transport indepedent
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 2eb0040c7b5c99f3157b3922f6400a6c09c80e7e)
++---
++ libknet/internals.h | 6 ++++++
++ libknet/transport_loopback.h | 1 +
++ libknet/transport_sctp.h | 1 +
++ libknet/transport_udp.h | 1 +
++ libknet/transports.h | 1 +
++ libknet/transport_loopback.c | 5 +++++
++ libknet/transport_sctp.c | 7 +++++++
++ libknet/transport_udp.c | 5 +++++
++ libknet/transports.c | 13 +++++++++----
++ 9 files changed, 36 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index d482674..8976a8c 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -338,6 +338,12 @@ typedef struct knet_transport_ops {
++ */
++ int (*transport_link_dyn_connect)(knet_handle_t knet_h, int sockfd, struct knet_link *link);
++
+++
+++/*
+++ * return the fd to use for access lists
+++ */
+++ int (*transport_link_get_acl_fd)(knet_handle_t knet_h, struct knet_link *link);
+++
++ /*
++ * per transport error handling of recvmmsg
++ * (see _handle_recv_from_links comments for details)
++diff --git a/libknet/transport_loopback.h b/libknet/transport_loopback.h
++index 3d072e8..6ce3ed3 100644
++--- a/libknet/transport_loopback.h
+++++ b/libknet/transport_loopback.h
++@@ -23,5 +23,6 @@ int loopback_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_
++ int loopback_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int loopback_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++
++ #endif
++diff --git a/libknet/transport_sctp.h b/libknet/transport_sctp.h
++index f27bcf1..83a638b 100644
++--- a/libknet/transport_sctp.h
+++++ b/libknet/transport_sctp.h
++@@ -31,6 +31,7 @@ int sctp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err,
++ int sctp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int sctp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++
++ #endif
++
++diff --git a/libknet/transport_udp.h b/libknet/transport_udp.h
++index bbb6ec9..6de18e3 100644
++--- a/libknet/transport_udp.h
+++++ b/libknet/transport_udp.h
++@@ -23,5 +23,6 @@ int udp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err,
++ int udp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int udp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++
++ #endif
++diff --git a/libknet/transports.h b/libknet/transports.h
++index 6338140..38f69ba 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -15,6 +15,7 @@ void stop_all_transports(knet_handle_t knet_h);
++ int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, uint8_t transport);
++ int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
++ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg);
++diff --git a/libknet/transport_loopback.c b/libknet/transport_loopback.c
++index bf48bb9..54129d7 100644
++--- a/libknet/transport_loopback.c
+++++ b/libknet/transport_loopback.c
++@@ -73,3 +73,8 @@ int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct
++ {
++ return 0;
++ }
+++
+++int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++ return 0;
+++}
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index aa0de9d..819bc9a 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -1537,4 +1537,11 @@ int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct kne
++ kn_link->transport_connected = 1;
++ return 0;
++ }
+++
+++int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++ sctp_connect_link_info_t *this_link_info = kn_link->transport_link;
+++ sctp_listen_link_info_t *info = this_link_info->listener;
+++ return info->listen_sock;
+++}
++ #endif
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index e4f6fdb..e243a91 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -438,3 +438,8 @@ int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet
++ kn_link->status.dynconnected = 1;
++ return 0;
++ }
+++
+++int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++ return kn_link->outsock;
+++}
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 6ded675..5181db9 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,14 +27,14 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++
++-#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++- { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++- { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++ { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_link_get_acl_fd, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++ { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED,KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ { "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++- 1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++ 1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_link_get_acl_fd, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
++@@ -103,6 +103,11 @@ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_lin
++ return transport_modules_cmd[kn_link->transport].transport_link_dyn_connect(knet_h, sockfd, kn_link);
++ }
++
+++int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++ return transport_modules_cmd[kn_link->transport].transport_link_get_acl_fd(knet_h, kn_link);
+++}
+++
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
++ {
++ return transport_modules_cmd[transport].transport_rx_sock_error(knet_h, sockfd, recv_err, recv_errno);
+diff --git a/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch b/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+new file mode 100644
+index 0000000..64e7124
+--- /dev/null
++++ b/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+@@ -0,0 +1,115 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 10 Feb 2019 08:52:22 +0100
++Subject: [transports] add information about the nature of the transport and
++ supported access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 7cb7619d9222e09e65c3ec46a9d79a1806c44a25)
++---
++ libknet/internals.h | 31 +++++++++++++++++++++++++++++++
++ libknet/transports.h | 2 ++
++ libknet/transports.c | 18 ++++++++++++++----
++ 3 files changed, 47 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index d33646f..106b49d 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -256,6 +256,34 @@ extern pthread_rwlock_t shlib_rwlock; /* global shared lib load lock */
++ * for every protocol.
++ */
++
+++/*
+++ * for now knet supports only IP protocols (udp/sctp)
+++ * in future there might be others like ARP
+++ * or TIPC.
+++ * keep this around as transport information
+++ * to use for access lists and other operations
+++ */
+++
+++typedef enum {
+++ LOOPBACK,
+++ IP_PROTO
+++} transport_proto;
+++
+++/*
+++ * some transports like SCTP can filter incoming
+++ * connections before knet has to process
+++ * any packets.
+++ * GENERIC_ACL -> packet has to be read and filterted
+++ * PROTO_ACL -> transport provides filtering at lower levels
+++ * and packet does not need to be processed
+++ */
+++
+++typedef enum {
+++ USE_NO_ACL,
+++ USE_GENERIC_ACL,
+++ USE_PROTO_ACL
+++} transport_acl;
+++
++ /*
++ * make it easier to map values in transports.c
++ */
++@@ -270,6 +298,9 @@ typedef struct knet_transport_ops {
++ const uint8_t transport_id;
++ const uint8_t built_in;
++
+++ transport_proto transport_protocol;
+++ transport_acl transport_acl_type;
+++
++ /*
++ * connection oriented protocols like SCTP
++ * don´t need dst_addr in sendto calls and
++diff --git a/libknet/transports.h b/libknet/transports.h
++index d58b7a3..6338140 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -18,6 +18,8 @@ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_lin
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg);
+++int transport_get_proto(knet_handle_t knet_h, uint8_t transport);
+++int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport);
++ int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport);
++
++ #endif
++diff --git a/libknet/transports.c b/libknet/transports.c
++index b6f3b64..ffebe00 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,14 +27,14 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++
++-#define empty_module 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++- { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++- { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++ { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++ { "UDP", KNET_TRANSPORT_UDP, 1, IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ { "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++- 1, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++ 1, IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
++@@ -118,6 +118,16 @@ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, st
++ return transport_modules_cmd[transport].transport_rx_is_data(knet_h, sockfd, msg);
++ }
++
+++int transport_get_proto(knet_handle_t knet_h, uint8_t transport)
+++{
+++ return transport_modules_cmd[transport].transport_protocol;
+++}
+++
+++int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport)
+++{
+++ return transport_modules_cmd[transport].transport_acl_type;
+++}
+++
++ int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport)
++ {
++ return transport_modules_cmd[transport].transport_is_connection_oriented;
+diff --git a/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch b/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+new file mode 100644
+index 0000000..d3b6e32
+--- /dev/null
++++ b/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+@@ -0,0 +1,29 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 3 Jun 2019 18:13:04 +0200
++Subject: [transports] fix incorrect merge when cherry-picking
++ 7033ddab505a0cf3655115fe5037579b7c882a8c
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 02097c450e14afe1f5b34e7fd22a93f7d253b614)
++---
++ libknet/transports.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 5181db9..51712df 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,11 +27,11 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++
++-#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module 0, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++ { "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_link_get_acl_fd, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++- { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED,KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++ { "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ { "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++ 1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_link_get_acl_fd, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+diff --git a/debian/patches/series b/debian/patches/series
+index c16ea6e..e58890e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -9,3 +9,69 @@ tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+ man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+ udp-use-defines-vs-hardcoded-numbers.patch
+ udp-improve-error-message-decoding-from-ICMP-errors.patch
++acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
++acl-add-knet_handle_enable_access_lists-api-call.patch
++transports-add-information-about-the-nature-of-the-transp.patch
++access-lists-make-code-more-generic-to-accept-more-than-I.patch
++handle-properly-initialize-fd-tracker-buffers.patch
++access-lists-automatically-add-and-remove-point-to-point-.patch
++access-lists-add-tests-for-default-access-lists.patch
++access-lists-allow-knet_bench-to-enable-disable-access-li.patch
++access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
++access-lists-enable-generic-access-lists-only-for-protoco.patch
++access-lists-add-access-lists-support-to-sctp.patch
++access-lists-fix-build-on-freebsd.patch
++access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
++access-lists-move-access-lists-structs-and-data-types-to-.patch
++access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
++access-lists-cleanup-API-a-bit.patch
++access-lists-remove-2-unnecessary-wrappers.patch
++links-rename-transport_type-to-transport-to-avoid-confusi.patch
++links-rename-tranport_type-to-transport-to-avoid-confusio.patch
++access-lists-make-internal-API-consistent.patch
++access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
++access-lists-add-errno-around-and-start-using-them.patch
++access-lists-confine-access-lists-data-structs-within-the.patch
++access-lists-use-better-name-for-fd_tracker-structure.patch
++access-lists-use-arrays-to-access-per-protocol-functions.patch
++access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
++transports-access-list-add-internal-API-to-gather-which-f.patch
++access-lists-add-documentation-for-enable_access_list.patch
++access-lists-add-external-API-calls-to-manage-access-list.patch
++access-lists-test-implicit-access-lists-management-for-UD.patch
++access-lists-improve-checks-on-various-data-types.patch
++access-lists-add-public-API-tests.patch
++acl-Fix-English-in-commments.patch
++access-lists-add-more-extensive-test-for-links_acl_ip.patch
++logging-fix-log-target-of-recently-added-API-calls.patch
++tests-remove-stray-comment.patch
++manpages-Document-enums-206.patch
++compress-add-support-for-libzstd.patch
++tests-hide-an-arm-internal-memory-leak-non-recurring.patch
++tests-improve-wait-for-packet-implementation-to-flush-log.patch
++man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
++global-update-copyright-across-the-board.patch
++build-bump-soname-to-indicate-new-API-calls.patch
++spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
++spec-use-distro-conditionals-to-determine-BuildRequires.patch
++spec-be-more-strict-about-plugins-version-and-architectur.patch
++spec-clean-up-useless-conditionals-and-defines.patch
++spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
++spec-fix-a-bunch-of-rpmlint-errors.patch
++spec-drop-support-for-init-scripts.patch
++spec-use-ldconfig_scriptlets-only-when-defined.patch
++misc-some-coverity-fixes.patch
++misc-Fix-more-covscan-warnings.patch
++crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
++PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
++crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
++crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
++PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
++crypto-fix-openssl1.0-initialization-code.patch
++transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
++crypto-openssl-error-strings-release.patch
++crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
++crypto-hide-errors-generated-by-openssl-1.1.1c.patch
++doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
++global-clarify-license-entry-per-file-to-match-README.lic.patch
++global-update-copyrights.patch
diff --git a/patches/0004-add-libzstd-dev-to-build-depends.patch b/patches/0004-add-libzstd-dev-to-build-depends.patch
new file mode 100644
index 0000000..3f17cb3
--- /dev/null
+++ b/patches/0004-add-libzstd-dev-to-build-depends.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 10:21:59 +0200
+Subject: [PATCH kronosnet] add libzstd-dev to build-depends
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ debian/control | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/debian/control b/debian/control
+index 807977c..de690e2 100644
+--- a/debian/control
++++ b/debian/control
+@@ -17,6 +17,7 @@ Build-Depends:
+ liblzma-dev,
+ liblzo2-dev,
+ zlib1g-dev,
++ libzstd-dev,
+ # Crypto plugins:
+ libnss3-dev,
+ libnspr4-dev,
diff --git a/patches/0005-add-new-symbols-for-libknet-1.10.patch b/patches/0005-add-new-symbols-for-libknet-1.10.patch
new file mode 100644
index 0000000..46ef699
--- /dev/null
+++ b/patches/0005-add-new-symbols-for-libknet-1.10.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 10:41:22 +0200
+Subject: [PATCH kronosnet] add new symbols for libknet 1.10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ debian/libknet1.symbols | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/debian/libknet1.symbols b/debian/libknet1.symbols
+index 0fa1fd5..eb0baa3 100644
+--- a/debian/libknet1.symbols
++++ b/debian/libknet1.symbols
+@@ -11,6 +11,7 @@ libknet.so.1 libknet1 #MINVER#
+ knet_handle_clear_stats at LIBKNET 0.9
+ knet_handle_compress at LIBKNET 0.9
+ knet_handle_crypto at LIBKNET 0.9
++ knet_handle_enable_access_lists at LIBKNET 1.10
+ knet_handle_enable_filter at LIBKNET 0.9
+ knet_handle_enable_pmtud_notify at LIBKNET 0.9
+ knet_handle_enable_sock_notify at LIBKNET 0.9
+@@ -37,6 +38,8 @@ libknet.so.1 libknet1 #MINVER#
+ knet_host_remove at LIBKNET 0.9
+ knet_host_set_name at LIBKNET 0.9
+ knet_host_set_policy at LIBKNET 0.9
++ knet_link_add_acl at LIBKNET 1.10
++ knet_link_clear_acl at LIBKNET 1.10
+ knet_link_clear_config at LIBKNET 0.9
+ knet_link_get_config at LIBKNET 0.9
+ knet_link_get_enable at LIBKNET 0.9
+@@ -45,6 +48,8 @@ libknet.so.1 libknet1 #MINVER#
+ knet_link_get_pong_count at LIBKNET 0.9
+ knet_link_get_priority at LIBKNET 0.9
+ knet_link_get_status at LIBKNET 0.9
++ knet_link_insert_acl at LIBKNET 1.10
++ knet_link_rm_acl at LIBKNET 1.10
+ knet_link_set_config at LIBKNET 0.9
+ knet_link_set_enable at LIBKNET 0.9
+ knet_link_set_ping_timers at LIBKNET 0.9
diff --git a/patches/series b/patches/series
index bd0b3fc..2c013fc 100644
--- a/patches/series
+++ b/patches/series
@@ -1,2 +1,5 @@
-0001-cherry-pick-crypto-patches.patch
-0002-update-changelog.patch
+0001-update-changelog.patch
+0002-cherry-pick-1.9-as-patches.patch
+0003-cherry-pick-1.10-as-patches.patch
+0004-add-libzstd-dev-to-build-depends.patch
+0005-add-new-symbols-for-libknet-1.10.patch
diff --git a/upstream/kronosnet_1.8-2.debian.tar.xz b/upstream/kronosnet_1.10-0+really1.8-2.debian.tar.xz
similarity index 100%
rename from upstream/kronosnet_1.8-2.debian.tar.xz
rename to upstream/kronosnet_1.10-0+really1.8-2.debian.tar.xz
diff --git a/upstream/kronosnet_1.8.orig.tar.xz b/upstream/kronosnet_1.10.orig.tar.xz
similarity index 100%
rename from upstream/kronosnet_1.8.orig.tar.xz
rename to upstream/kronosnet_1.10.orig.tar.xz
--
2.20.1
More information about the pve-devel
mailing list