[pve-devel] [PATCH kronosnet] bump version to 1.10-pve1

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jun 19 14:36:51 CEST 2019


note: 1.9 and 1.10 have been cherry-picked as patches from upstream
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
the workaround with +really is needed to easily satisfy the make targets

note: new build-depends!

 ...elog.patch => 0001-update-changelog.patch} |    14 +-
 Makefile                                      |     7 +-
 patches/0001-cherry-pick-crypto-patches.patch |   148 -
 patches/0002-cherry-pick-1.9-as-patches.patch |   776 +
 .../0003-cherry-pick-1.10-as-patches.patch    | 14716 ++++++++++++++++
 ...004-add-libzstd-dev-to-build-depends.patch |    25 +
 ...005-add-new-symbols-for-libknet-1.10.patch |    43 +
 patches/series                                |     7 +-
 ...ronosnet_1.10-0+really1.8-2.debian.tar.xz} |   Bin
 ...orig.tar.xz => kronosnet_1.10.orig.tar.xz} |   Bin
 10 files changed, 15579 insertions(+), 157 deletions(-)
 rename patches/{0002-update-changelog.patch => 0001-update-changelog.patch} (75%)
 delete mode 100644 patches/0001-cherry-pick-crypto-patches.patch
 create mode 100644 patches/0002-cherry-pick-1.9-as-patches.patch
 create mode 100644 patches/0003-cherry-pick-1.10-as-patches.patch
 create mode 100644 patches/0004-add-libzstd-dev-to-build-depends.patch
 create mode 100644 patches/0005-add-new-symbols-for-libknet-1.10.patch
 rename upstream/{kronosnet_1.8-2.debian.tar.xz => kronosnet_1.10-0+really1.8-2.debian.tar.xz} (100%)
 rename upstream/{kronosnet_1.8.orig.tar.xz => kronosnet_1.10.orig.tar.xz} (100%)

diff --git a/patches/0002-update-changelog.patch b/patches/0001-update-changelog.patch
similarity index 75%
rename from patches/0002-update-changelog.patch
rename to patches/0001-update-changelog.patch
index f07e185..db5859f 100644
--- a/patches/0002-update-changelog.patch
+++ b/patches/0001-update-changelog.patch
@@ -8,14 +8,20 @@ Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
 ---
- debian/changelog | 8 ++++++++
- 1 file changed, 8 insertions(+)
+ debian/changelog | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
 
 diff --git a/debian/changelog b/debian/changelog
-index 63d5a6d..b89a2b3 100644
+index 63d5a6d..81ef900 100644
 --- a/debian/changelog
 +++ b/debian/changelog
-@@ -1,3 +1,11 @@
+@@ -1,3 +1,17 @@
++kronosnet (1.10-pve1) pve; urgency=medium
++
++  * update to 1.10
++
++ -- Proxmox Support Team <support at proxmox.com>  Wed, 19 Jun 2019 09:32:21 +0200
++
 +kronosnet (1.8-pve1) pve; urgency=medium
 +
 +  * introduce kronosnet for PVE 6.x
diff --git a/Makefile b/Makefile
index c391642..4328b88 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-VERSION=1.8
-DEBRELEASE=2
+VERSION=1.10
+DEBRELEASE=0+really1.8-2
 PVERELEASE=pve1
 
 BUILDDIR=kronosnet-${VERSION}
@@ -24,8 +24,9 @@ all: ${DEBS}
 
 ${BUILDDIR}: upstream/${SRCARCHIVE} upstream/${DEBARCHIVE} patches/*
 	rm -rf ${BUILDDIR}
+	mkdir ${BUILDDIR}
 	ln -sf upstream/${SRCARCHIVE} ${SRCARCHIVE}
-	tar -xf upstream/${SRCARCHIVE}
+	tar -x -C ${BUILDDIR} --strip-components=1 -f upstream/${SRCARCHIVE}
 	tar -C ${BUILDDIR} -xf upstream/${DEBARCHIVE}
 	cd ${BUILDDIR}; ln -s ../patches patches
 	cd ${BUILDDIR}; quilt push -a
diff --git a/patches/0001-cherry-pick-crypto-patches.patch b/patches/0001-cherry-pick-crypto-patches.patch
deleted file mode 100644
index eb279eb..0000000
--- a/patches/0001-cherry-pick-crypto-patches.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
-Date: Wed, 22 May 2019 14:11:59 +0200
-Subject: [PATCH kronosnet] cherry-pick crypto patches
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-for compatibility with Corosync 2.x key files
-
-Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
----
- .../crypto-remove-libnss-3des-support.patch   | 74 +++++++++++++++++++
- ...e-minimum-crypto-key-size-to-1024bit.patch | 35 +++++++++
- debian/patches/series                         |  2 +
- 3 files changed, 111 insertions(+)
- create mode 100644 debian/patches/crypto-remove-libnss-3des-support.patch
- create mode 100644 debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-
-diff --git a/debian/patches/crypto-remove-libnss-3des-support.patch b/debian/patches/crypto-remove-libnss-3des-support.patch
-new file mode 100644
-index 0000000..c8d1123
---- /dev/null
-+++ b/debian/patches/crypto-remove-libnss-3des-support.patch
-@@ -0,0 +1,74 @@
-+From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
-+Date: Thu, 11 Apr 2019 13:36:56 +0200
-+Subject: [crypto] remove libnss 3des support
-+
-+Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
-+(cherry picked from commit acb5adb7f3ea6eaaf858d86e064a9b3fe477ea11)
-+---
-+ libknet/libknet.h    |  2 +-
-+ libknet/crypto_nss.c | 14 ++++----------
-+ 2 files changed, 5 insertions(+), 11 deletions(-)
-+
-+diff --git a/libknet/libknet.h b/libknet/libknet.h
-+index 0331b1f..d0c90e4 100644
-+--- a/libknet/libknet.h
-++++ b/libknet/libknet.h
-+@@ -617,7 +617,7 @@ struct knet_handle_crypto_cfg {
-+  *                         It can be set to "none" to disable
-+  *                         encryption.
-+  *                         Currently supported by "nss" model:
-+- *                         "3des", "aes128", "aes192" and "aes256".
-++ *                         "aes128", "aes192" and "aes256".
-+  *                         "openssl" model supports more modes and it strictly
-+  *                         depends on the openssl build. See: EVP_get_cipherbyname
-+  *                         openssl API call for details.
-+diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
-+index 35afa0f..a17ff62 100644
-+--- a/libknet/crypto_nss.c
-++++ b/libknet/crypto_nss.c
-+@@ -64,32 +64,28 @@ enum nsscrypto_crypt_t {
-+ 	CRYPTO_CIPHER_TYPE_NONE = 0,
-+ 	CRYPTO_CIPHER_TYPE_AES256 = 1,
-+ 	CRYPTO_CIPHER_TYPE_AES192 = 2,
-+-	CRYPTO_CIPHER_TYPE_AES128 = 3,
-+-	CRYPTO_CIPHER_TYPE_3DES = 4
-++	CRYPTO_CIPHER_TYPE_AES128 = 3
-+ };
-+ 
-+ CK_MECHANISM_TYPE cipher_to_nss[] = {
-+ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
-+ 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES256 */
-+ 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES192 */
-+-	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES128 */
-+-	CKM_DES3_CBC_PAD 		/* CRYPTO_CIPHER_TYPE_3DES */
-++	CKM_AES_CBC_PAD			/* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+ 
-+ size_t nsscipher_key_len[] = {
-+ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
-+ 	AES_256_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES256 */
-+ 	AES_192_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES192 */
-+-	AES_128_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES128 */
-+-	24				/* CRYPTO_CIPHER_TYPE_3DES */
-++	AES_128_KEY_LENGTH		/* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+ 
-+ size_t nsscypher_block_len[] = {
-+ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
-+ 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES256 */
-+ 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES192 */
-+-	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES128 */
-+-	0				/* CRYPTO_CIPHER_TYPE_3DES */
-++	AES_BLOCK_SIZE			/* CRYPTO_CIPHER_TYPE_AES128 */
-+ };
-+ 
-+ /*
-+@@ -155,8 +151,6 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
-+ 		return CRYPTO_CIPHER_TYPE_AES192;
-+ 	} else if (strcmp(crypto_cipher_type, "aes128") == 0) {
-+ 		return CRYPTO_CIPHER_TYPE_AES128;
-+-	} else if (strcmp(crypto_cipher_type, "3des") == 0) {
-+-		return CRYPTO_CIPHER_TYPE_3DES;
-+ 	}
-+ 	return -1;
-+ }
-diff --git a/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-new file mode 100644
-index 0000000..065a53b
---- /dev/null
-+++ b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
-@@ -0,0 +1,35 @@
-+From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
-+Date: Wed, 3 Apr 2019 14:28:50 +0200
-+Subject: reduce minimum crypto key size to 1024bit
-+MIME-Version: 1.0
-+Content-Type: text/plain; charset="utf-8"
-+Content-Transfer-Encoding: 8bit
-+
-+Since the key is used for AES/3DES and HMAC operations only, this is
-+safe. AES/3DES use keys in the 128- to 256-bit range, HMAC with
-+MD5/SHA1/SHA2 should use keys with a minimum of 128- to 512-bit (in both
-+cases, depending on the actual algorithm used).
-+
-+This reduction also keeps knet compatible with existing Corosync 2.x
-+keyfiles, which are 1024-bit.
-+
-+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
-+(cherry picked from commit 4e648f76930af8c376a833677d940b2b0efc3c86)
-+---
-+ libknet/libknet.h | 3 +--
-+ 1 file changed, 1 insertion(+), 2 deletions(-)
-+
-+diff --git a/libknet/libknet.h b/libknet/libknet.h
-+index 36fefa5..0331b1f 100644
-+--- a/libknet/libknet.h
-++++ b/libknet/libknet.h
-+@@ -587,8 +587,7 @@ int knet_handle_pmtud_get(knet_handle_t knet_h,
-+ 				unsigned int *data_mtu);
-+ 
-+ 
-+-
-+-#define KNET_MIN_KEY_LEN  256
-++#define KNET_MIN_KEY_LEN  128
-+ #define KNET_MAX_KEY_LEN 4096
-+ 
-+ struct knet_handle_crypto_cfg {
-diff --git a/debian/patches/series b/debian/patches/series
-index 7fbd139..25f1ff5 100644
---- a/debian/patches/series
-+++ b/debian/patches/series
-@@ -1 +1,3 @@
- send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
-+reduce-minimum-crypto-key-size-to-1024bit.patch
-+crypto-remove-libnss-3des-support.patch
diff --git a/patches/0002-cherry-pick-1.9-as-patches.patch b/patches/0002-cherry-pick-1.9-as-patches.patch
new file mode 100644
index 0000000..adcf1ee
--- /dev/null
+++ b/patches/0002-cherry-pick-1.9-as-patches.patch
@@ -0,0 +1,776 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 09:17:04 +0200
+Subject: [PATCH kronosnet] cherry-pick 1.9 as patches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ ...ther-exception-to-valgrind-nss-combo.patch |  35 +++
+ .../crypto-remove-libnss-3des-support.patch   |  74 +++++
+ debian/patches/man-Tidy-manpages-215.patch    | 297 ++++++++++++++++++
+ debian/patches/man-Tidy-more-man-pages.patch  |  47 +++
+ ...net_host_set_policy-parameters-order.patch |  27 ++
+ ...-errors-detected-by-newly-added-test.patch |  41 +++
+ ...e-minimum-crypto-key-size-to-1024bit.patch |  35 +++
+ ...eck-to-verify-doxy-header-order-and-.patch |  37 +++
+ ...or-message-decoding-from-ICMP-errors.patch |  38 +++
+ ...udp-use-defines-vs-hardcoded-numbers.patch |  36 +++
+ debian/patches/series                         |  10 +
+ 11 files changed, 677 insertions(+)
+ create mode 100644 debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+ create mode 100644 debian/patches/crypto-remove-libnss-3des-support.patch
+ create mode 100644 debian/patches/man-Tidy-manpages-215.patch
+ create mode 100644 debian/patches/man-Tidy-more-man-pages.patch
+ create mode 100644 debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+ create mode 100644 debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+ create mode 100644 debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+ create mode 100644 debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+ create mode 100644 debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+ create mode 100644 debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+
+diff --git a/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch b/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+new file mode 100644
+index 0000000..4b60b6b
+--- /dev/null
++++ b/debian/patches/build-add-another-exception-to-valgrind-nss-combo.patch
+@@ -0,0 +1,35 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 29 Jan 2019 05:33:51 +0100
++Subject: [build] add another exception to valgrind nss combo
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a6746007986b9324760822aa0190d035b8da7352)
++---
++ build-aux/knet_valgrind_memcheck.supp | 17 +++++++++++++++++
++ 1 file changed, 17 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index 8b3f95f..e0f49d0 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -588,3 +588,20 @@
++    obj:/usr/lib64/libnss3.so
++    obj:/usr/lib64/libnss3.so
++ }
+++{
+++   nss internal leak (3.41) non recurring (spotted on f29)
+++   Memcheck:Leak
+++   match-leak-kinds: definite
+++   fun:malloc
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:*
+++   obj:/usr/lib64/libnss3.so
+++}
+diff --git a/debian/patches/crypto-remove-libnss-3des-support.patch b/debian/patches/crypto-remove-libnss-3des-support.patch
+new file mode 100644
+index 0000000..c8d1123
+--- /dev/null
++++ b/debian/patches/crypto-remove-libnss-3des-support.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 13:36:56 +0200
++Subject: [crypto] remove libnss 3des support
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit acb5adb7f3ea6eaaf858d86e064a9b3fe477ea11)
++---
++ libknet/libknet.h    |  2 +-
++ libknet/crypto_nss.c | 14 ++++----------
++ 2 files changed, 5 insertions(+), 11 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 0331b1f..d0c90e4 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -617,7 +617,7 @@ struct knet_handle_crypto_cfg {
++  *                         It can be set to "none" to disable
++  *                         encryption.
++  *                         Currently supported by "nss" model:
++- *                         "3des", "aes128", "aes192" and "aes256".
+++ *                         "aes128", "aes192" and "aes256".
++  *                         "openssl" model supports more modes and it strictly
++  *                         depends on the openssl build. See: EVP_get_cipherbyname
++  *                         openssl API call for details.
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 35afa0f..a17ff62 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -64,32 +64,28 @@ enum nsscrypto_crypt_t {
++ 	CRYPTO_CIPHER_TYPE_NONE = 0,
++ 	CRYPTO_CIPHER_TYPE_AES256 = 1,
++ 	CRYPTO_CIPHER_TYPE_AES192 = 2,
++-	CRYPTO_CIPHER_TYPE_AES128 = 3,
++-	CRYPTO_CIPHER_TYPE_3DES = 4
+++	CRYPTO_CIPHER_TYPE_AES128 = 3
++ };
++ 
++ CK_MECHANISM_TYPE cipher_to_nss[] = {
++ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
++ 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES256 */
++ 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES192 */
++-	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES128 */
++-	CKM_DES3_CBC_PAD 		/* CRYPTO_CIPHER_TYPE_3DES */
+++	CKM_AES_CBC_PAD			/* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++ 
++ size_t nsscipher_key_len[] = {
++ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
++ 	AES_256_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES256 */
++ 	AES_192_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES192 */
++-	AES_128_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES128 */
++-	24				/* CRYPTO_CIPHER_TYPE_3DES */
+++	AES_128_KEY_LENGTH		/* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++ 
++ size_t nsscypher_block_len[] = {
++ 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
++ 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES256 */
++ 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES192 */
++-	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES128 */
++-	0				/* CRYPTO_CIPHER_TYPE_3DES */
+++	AES_BLOCK_SIZE			/* CRYPTO_CIPHER_TYPE_AES128 */
++ };
++ 
++ /*
++@@ -155,8 +151,6 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
++ 		return CRYPTO_CIPHER_TYPE_AES192;
++ 	} else if (strcmp(crypto_cipher_type, "aes128") == 0) {
++ 		return CRYPTO_CIPHER_TYPE_AES128;
++-	} else if (strcmp(crypto_cipher_type, "3des") == 0) {
++-		return CRYPTO_CIPHER_TYPE_3DES;
++ 	}
++ 	return -1;
++ }
+diff --git a/debian/patches/man-Tidy-manpages-215.patch b/debian/patches/man-Tidy-manpages-215.patch
+new file mode 100644
+index 0000000..f0b5b37
+--- /dev/null
++++ b/debian/patches/man-Tidy-manpages-215.patch
+@@ -0,0 +1,297 @@
++From: Chrissie Caulfield <ccaulfie at redhat.com>
++Date: Tue, 16 Apr 2019 14:46:01 +0100
++Subject: man: Tidy manpages (#215)
++
++* man: Tidy manpages for libnozzle
++
++doxygen works in mysterious ways, adding a blank line before
++ at brief makes the lines following that much tidier.
++
++So now instead of
++
++nozzle_close nozzle - pointer to the nozzle struct to destroy
++
++we get:
++
++nozzle_close
++
++       nozzle - pointer to the nozzle struct to destroy
++
++* doxyxml: Cope with pointers-to-pointers passed as params
++
++Double pointers showed as ' * *name' when they should be '  **name'.
++
++Also tidy STRUCTURES display so that they are not indented too much,
++
++* man: Similar @brief fixes for libknet.h
++
++* doxyxml: Tidy descriptions of functions as parameters
++
++If a complex function pointer was passed as a parameter then doxyxml
++tryied to line up all the other parameters with it - making a mess
++by having lots of blank space between the type and the name.
++
++Now we enforce a maximum type length (a line-ish) so that shorter
++tyopes will line up OK and the really long ones will be left to their
++own devices.
++
++(cherry picked from commit 652e355252adf6d248123d564c607c338e899f98)
++---
++ libknet/libknet.h     |  3 +++
++ libnozzle/libnozzle.h | 24 +++++++++++++++++++++---
++ man/doxyxml.c         | 30 ++++++++++++++++++++----------
++ 3 files changed, 44 insertions(+), 13 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d0c90e4..181724a 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -275,6 +275,7 @@ int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel);
++ 
++ /**
++  * knet_handle_remove_datafd
+++ *
++  * @brief Remove a file descriptor from knet
++  *
++  * knet_h   - pointer to knet_handle_t
++@@ -293,6 +294,7 @@ int knet_handle_remove_datafd(knet_handle_t knet_h, int datafd);
++ 
++ /**
++  * knet_handle_get_channel
+++ *
++  * @brief Get the channel associated with a file descriptor
++  *
++  * knet_h  - pointer to knet_handle_t
++@@ -313,6 +315,7 @@ int knet_handle_get_channel(knet_handle_t knet_h, const int datafd, int8_t *chan
++ 
++ /**
++  * knet_handle_get_datafd
+++ *
++  * @brief Get the file descriptor associated with a channel
++  *
++  * knet_h   - pointer to knet_handle_t
++diff --git a/libnozzle/libnozzle.h b/libnozzle/libnozzle.h
++index 82ca74d..b8ab7d6 100644
++--- a/libnozzle/libnozzle.h
+++++ b/libnozzle/libnozzle.h
++@@ -25,6 +25,7 @@ typedef struct nozzle_iface *nozzle_t;
++ 
++ /**
++  * nozzle_open
+++ *
++  * @brief create a new tap device on the system.
++  *
++  * devname - pointer to device name of at least size IFNAMSIZ.
++@@ -55,6 +56,7 @@ nozzle_t nozzle_open(char *devname, size_t devname_size, const char *updownpath)
++ 
++ /**
++  * nozzle_close
+++ *
++  * @brief deconfigure and destroy a nozzle device
++  *
++  * nozzle - pointer to the nozzle struct to destroy
++@@ -74,9 +76,8 @@ int nozzle_close(nozzle_t nozzle);
++ 
++ /**
++  * nozzle_run_updown
++- * @brief execute updown commands associated with a nozzle device. It is
++- *        the application responsibility to call helper scripts
++- *        before or after creating/destroying interfaces or IP addresses.
+++ *
+++ * @brief execute updown commands associated with a nozzle device.
++  *
++  * nozzle - pointer to the nozzle struct
++  *
++@@ -86,6 +87,9 @@ int nozzle_close(nozzle_t nozzle);
++  *               The string is malloc'ed, the caller needs to free the buffer.
++  *               If the script generates no output this string might be NULL.
++  *
+++ * It is the application responsibility to call helper scripts
+++ * before or after creating/destroying interfaces or IP addresses.
+++ *
++  * @return
++  * 0 on success
++  * -1 on error and errno is set (sanity checks and internal calls.
++@@ -96,6 +100,7 @@ int nozzle_run_updown(const nozzle_t nozzle, uint8_t action, char **exec_string)
++ 
++ /**
++  * nozzle_set_up
+++ *
++  * @brief equivalent of ifconfig up
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -109,6 +114,7 @@ int nozzle_set_up(nozzle_t nozzle);
++ 
++ /**
++  * nozzle_set_down
+++ *
++  * @brief equivalent of ifconfig down
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -122,6 +128,7 @@ int nozzle_set_down(nozzle_t nozzle);
++ 
++ /**
++  * nozzle_add_ip
+++ *
++  * @brief equivalent of ip addr or ifconfig <ipaddress/prefix>
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -142,6 +149,7 @@ int nozzle_add_ip(nozzle_t nozzle, const char *ipaddr, const char *prefix);
++ 
++ /**
++  * nozzle_del_ip
+++ *
++  * @brief equivalent of ip addr del or ifconfig del <ipaddress/prefix>
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -170,6 +178,7 @@ struct nozzle_ip {
++ 
++ /**
++  * nozzle_get_ips
+++ *
++  * @brief retrieve the list of all configured ips for a given interface
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -191,6 +200,7 @@ int nozzle_get_ips(const nozzle_t nozzle, struct nozzle_ip **nozzle_ip);
++ 
++ /**
++  * nozzle_get_mtu
+++ *
++  * @brief retrieve mtu on a given nozzle interface
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -204,6 +214,7 @@ int nozzle_get_mtu(const nozzle_t nozzle);
++ 
++ /**
++  * nozzle_set_mtu
+++ *
++  * @brief set mtu on a given nozzle interface
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -219,6 +230,7 @@ int nozzle_set_mtu(nozzle_t nozzle, const int mtu);
++ 
++ /**
++  * nozzle_reset_mtu
+++ *
++  * @brief reset mtu on a given nozzle interface to the system default
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -232,6 +244,7 @@ int nozzle_reset_mtu(nozzle_t nozzle);
++ 
++ /**
++  * nozzle_get_mac
+++ *
++  * @brief retrieve mac address on a given nozzle interface
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -247,6 +260,7 @@ int nozzle_get_mac(const nozzle_t nozzle, char **ether_addr);
++ 
++ /**
++  * nozzle_set_mac
+++ *
++  * @brief set mac address on a given nozzle interface
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -262,6 +276,7 @@ int nozzle_set_mac(nozzle_t nozzle, const char *ether_addr);
++ 
++ /**
++  * nozzle_reset_mac
+++ *
++  * @brief reset mac address on a given nozzle interface to system default
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -275,6 +290,7 @@ int nozzle_reset_mac(nozzle_t nozzle);
++ 
++ /**
++  * nozzle_get_handle_by_name
+++ *
++  * @brief find a nozzle handle by device name
++  *
++  * devname - string containing the name of the interface
++@@ -288,6 +304,7 @@ nozzle_t nozzle_get_handle_by_name(const char *devname);
++ 
++ /**
++  * nozzle_get_name_by_handle
+++ *
++  * @brief retrieve nozzle interface name by handle
++  *
++  * nozzle - pointer to the nozzle struct
++@@ -301,6 +318,7 @@ const char *nozzle_get_name_by_handle(const nozzle_t nozzle);
++ 
++ /**
++  * nozzle_get_fd
+++ *
++  * @brief
++  *
++  * nozzle - pointer to the nozzle struct
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index b4b49a9..b623711 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -34,6 +34,14 @@
++ #define XML_DIR "../man/xml-knet"
++ #define XML_FILE "libknet_8h.xml"
++ 
+++/*
+++ * This isn't a maximum size, it just defines how long a parameter
+++ * type can get before we decide it's not worth lining everything up to.
+++ * it's mainly to stop function pointer types (which can get VERY long because
+++ * of all *their* parameters) making everything else 'line-up' over separate lines
+++ */
+++#define LINE_LENGTH 80
+++
++ static int print_ascii = 1;
++ static int print_man = 0;
++ static int print_params = 0;
++@@ -332,19 +340,25 @@ static int read_structure_from_xml(char *refid, char *name)
++ 
++ static void print_param(FILE *manfile, struct param_info *pi, int field_width, int bold, const char *delimiter)
++ {
++-	char asterisk = ' ';
+++	char *asterisks = "  ";
++ 	char *type = pi->paramtype;
++ 
++ 	/* Reformat pointer params so they look nicer */
++ 	if (pi->paramtype[strlen(pi->paramtype)-1] == '*') {
++-		asterisk='*';
+++		asterisks=" *";
++ 		type = strdup(pi->paramtype);
++ 		type[strlen(type)-1] = '\0';
+++
+++		/* Cope with double pointers */
+++		if (pi->paramtype[strlen(type)-1] == '*') {
+++			asterisks="**";
+++			type[strlen(type)-1] = '\0';
+++		}
++ 	}
++ 
++-	fprintf(manfile, "    %s%-*s%c%s\\fI%s\\fP%s\n",
+++	fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\n",
++ 		bold?"\\fB":"", field_width, type,
++-		asterisk, bold?"\\fP":"", pi->paramname, delimiter);
+++		asterisks, bold?"\\fP":"", pi->paramname, delimiter);
++ 
++ 	if (type != pi->paramtype) {
++ 		free(type);
++@@ -504,7 +518,8 @@ static void print_manpage(char *name, char *def, char *brief, char *args, char *
++ 	qb_list_for_each(iter, &params_list) {
++ 		pi = qb_list_entry(iter, struct param_info, list);
++ 
++-		if (strlen(pi->paramtype) > max_param_type_len) {
+++		if ((strlen(pi->paramtype) < LINE_LENGTH) &&
+++		    (strlen(pi->paramtype) > max_param_type_len)) {
++ 			max_param_type_len = strlen(pi->paramtype);
++ 		}
++ 		if (strlen(pi->paramname) > max_param_name_len) {
++@@ -559,11 +574,6 @@ static void print_manpage(char *name, char *def, char *brief, char *args, char *
++ 
++ 		map_iter = qb_map_iter_create(used_structures_map);
++ 		for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
++-			fprintf(manfile, ".SS \"\"\n");
++-			fprintf(manfile, ".PP\n");
++-			fprintf(manfile, ".sp\n");
++-			fprintf(manfile, ".sp\n");
++-			fprintf(manfile, ".RS\n");
++ 			fprintf(manfile, ".nf\n");
++ 			fprintf(manfile, "\\fB\n");
++ 
+diff --git a/debian/patches/man-Tidy-more-man-pages.patch b/debian/patches/man-Tidy-more-man-pages.patch
+new file mode 100644
+index 0000000..21c6e04
+--- /dev/null
++++ b/debian/patches/man-Tidy-more-man-pages.patch
+@@ -0,0 +1,47 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Mon, 29 Apr 2019 15:16:27 +0100
++Subject: man: Tidy more man pages
++
++Followup to previous 'tidy'
++
++(cherry picked from commit 4ff309b82bbd11300e761ecdcafde596115fc7f7)
++---
++ libknet/libknet.h | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 181724a..7b5a9e3 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -151,6 +151,7 @@ knet_handle_t knet_handle_new(knet_node_id_t host_id,
++ 
++ /**
++  * knet_handle_free
+++ *
++  * @brief Destroy a knet handle, free all resources
++  *
++  * knet_h   - pointer to knet_handle_t
++@@ -165,6 +166,7 @@ int knet_handle_free(knet_handle_t knet_h);
++ 
++ /**
++  * knet_handle_enable_sock_notify
+++ *
++  * @brief Register a callback to receive socket events
++  *
++  * knet_h   - pointer to knet_handle_t
++@@ -336,6 +338,7 @@ int knet_handle_get_datafd(knet_handle_t knet_h, const int8_t channel, int *data
++ 
++ /**
++  * knet_recv
+++ *
++  * @brief Receive data from knet nodes
++  *
++  * knet_h   - pointer to knet_handle_t
++@@ -358,6 +361,7 @@ ssize_t knet_recv(knet_handle_t knet_h,
++ 
++ /**
++  * knet_send
+++ *
++  * @brief Send data to knet nodes
++  *
++  * knet_h   - pointer to knet_handle_t
+diff --git a/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch b/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+new file mode 100644
+index 0000000..5d50b61
+--- /dev/null
++++ b/debian/patches/man-fix-knet_host_set_policy-parameters-order.patch
+@@ -0,0 +1,27 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:06:47 +0200
++Subject: [man] fix knet_host_set_policy parameters order
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 73e1b520482cef7ced995423aa3f6f53d16b66c4)
++---
++ libknet/libknet.h | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 7b5a9e3..7c0c440 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1027,10 +1027,10 @@ int knet_host_get_host_list(knet_handle_t knet_h,
++ /**
++  * knet_host_set_policy
++  *
++- * knet_h   - pointer to knet_handle_t
++- *
++  * @brief Set the switching policy for a host's links
++  *
+++ * knet_h   - pointer to knet_handle_t
+++ *
++  * host_id  - see knet_host_add(3)
++  *
++  * policy   - there are currently 3 kind of simple switching policies
+diff --git a/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+new file mode 100644
+index 0000000..79925df
+--- /dev/null
++++ b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+@@ -0,0 +1,41 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:48 +0200
++Subject: [man] fix libknet.h for errors detected by newly added test
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8e00c883883f0ee183aa3472e5ee72210318ce14)
++---
++ libknet/libknet.h | 6 +++---
++ 1 file changed, 3 insertions(+), 3 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 7c0c440..c7f44d7 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1144,7 +1144,7 @@ struct knet_host_status {
++ };
++ 
++ /**
++- * knet_host_status_get
+++ * knet_host_get_status
++  *
++  * @brief Get the status of a host
++  *
++@@ -1939,7 +1939,7 @@ struct knet_log_msg {
++ };
++ 
++ /**
++- * knet_log_set_log_level
+++ * knet_log_set_loglevel
++  *
++  * @brief Set the logging level for a subsystem
++  *
++@@ -1962,7 +1962,7 @@ int knet_log_set_loglevel(knet_handle_t knet_h, uint8_t subsystem,
++ 			  uint8_t level);
++ 
++ /**
++- * knet_log_get_log_level
+++ * knet_log_get_loglevel
++  *
++  * @brief Get the logging level for a subsystem
++  *
+diff --git a/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+new file mode 100644
+index 0000000..065a53b
+--- /dev/null
++++ b/debian/patches/reduce-minimum-crypto-key-size-to-1024bit.patch
+@@ -0,0 +1,35 @@
++From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
++Date: Wed, 3 Apr 2019 14:28:50 +0200
++Subject: reduce minimum crypto key size to 1024bit
++MIME-Version: 1.0
++Content-Type: text/plain; charset="utf-8"
++Content-Transfer-Encoding: 8bit
++
++Since the key is used for AES/3DES and HMAC operations only, this is
++safe. AES/3DES use keys in the 128- to 256-bit range, HMAC with
++MD5/SHA1/SHA2 should use keys with a minimum of 128- to 512-bit (in both
++cases, depending on the actual algorithm used).
++
++This reduction also keeps knet compatible with existing Corosync 2.x
++keyfiles, which are 1024-bit.
++
++Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
++(cherry picked from commit 4e648f76930af8c376a833677d940b2b0efc3c86)
++---
++ libknet/libknet.h | 3 +--
++ 1 file changed, 1 insertion(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 36fefa5..0331b1f 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -587,8 +587,7 @@ int knet_handle_pmtud_get(knet_handle_t knet_h,
++ 				unsigned int *data_mtu);
++ 
++ 
++-
++-#define KNET_MIN_KEY_LEN  256
+++#define KNET_MIN_KEY_LEN  128
++ #define KNET_MAX_KEY_LEN 4096
++ 
++ struct knet_handle_crypto_cfg {
+diff --git a/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch b/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+new file mode 100644
+index 0000000..2ac3e8a
+--- /dev/null
++++ b/debian/patches/tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+@@ -0,0 +1,37 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:16 +0200
++Subject: [tests] add man page check to verify doxy header order and
++ definitions
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8b73fbca799114ed579acb73ce0bbcdf45b1f171)
++---
++ man/api-to-man-page-coverage | 15 +++++++++++++++
++ 1 file changed, 15 insertions(+)
++
++diff --git a/man/api-to-man-page-coverage b/man/api-to-man-page-coverage
++index 92e60a5..b9dc18f 100755
++--- a/man/api-to-man-page-coverage
+++++ b/man/api-to-man-page-coverage
++@@ -14,6 +14,21 @@ target="$2"
++ headerapicalls="$(grep ${target}_ "$srcdir"/lib${target}/lib${target}.h | grep -v "^ \*" | grep -v ^struct | grep -v "^[[:space:]]" | grep -v typedef | sed -e 's/(.*//g' -e 's/^const //g' -e 's/\*//g' | awk '{print $2}')"
++ manpages="$(grep ${target}_ "$srcdir"/man/Makefile.am |grep -v man3 |grep -v xml | sed -e 's/\.3.*//g')"
++ 
+++echo "Checking for header format errors"
+++
+++for i in $headerapicalls; do
+++	echo "Checking $i"
+++	header="$(grep " \* ${i}$" "$srcdir"/lib${target}/lib${target}.h -A2)"
+++	brief="$(echo "$header" | tail -n 1 |grep "@brief")"
+++	if [ -z "$brief" ]; then
+++		echo "Error found in $i doxy header section"
+++		echo "$header"
+++		echo ""
+++		echo "$brief"
+++		exit 1
+++	fi
+++done
+++
++ echo "Checking for symbols in header file NOT distributed as manpages"
++ 
++ for i in $headerapicalls; do
+diff --git a/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch b/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+new file mode 100644
+index 0000000..876bdd3
+--- /dev/null
++++ b/debian/patches/udp-improve-error-message-decoding-from-ICMP-errors.patch
+@@ -0,0 +1,38 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 1 May 2019 06:51:19 +0200
++Subject: [udp] improve error message decoding from ICMP errors
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c8522bfa627045932c0bd2c1b31005534efbc495)
++---
++ libknet/transport_udp.c | 10 +++++++++-
++ 1 file changed, 9 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 3decb66..e4f6fdb 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -296,6 +296,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 	struct sockaddr_storage *origin;
++ 	char addr_str[KNET_MAX_HOST_LEN];
++ 	char port_str[KNET_MAX_PORT_LEN];
+++	char addr_remote_str[KNET_MAX_HOST_LEN];
+++	char port_remote_str[KNET_MAX_PORT_LEN];
++ 
++ 	iov.iov_base = &icmph;
++ 	iov.iov_len = sizeof(icmph);
++@@ -367,7 +369,13 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 								log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from unknown source: %s", strerror(sock_err->ee_errno));
++ 
++ 							} else {
++-								log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s", addr_str, strerror(sock_err->ee_errno));
+++								if (knet_addrtostr(&remote, sizeof(remote),
+++									       addr_remote_str, KNET_MAX_HOST_LEN,
+++									       port_remote_str, KNET_MAX_PORT_LEN) < 0) {
+++									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s destination unknown", addr_str, strerror(sock_err->ee_errno));
+++								} else {
+++									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s %s", addr_str, strerror(sock_err->ee_errno), addr_remote_str);
+++								}
++ 							}
++ 							break;
++ 					}
+diff --git a/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch b/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+new file mode 100644
+index 0000000..65a5d88
+--- /dev/null
++++ b/debian/patches/udp-use-defines-vs-hardcoded-numbers.patch
+@@ -0,0 +1,36 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 1 May 2019 06:39:53 +0200
++Subject: [udp] use defines vs hardcoded numbers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 77adcf11ee390cfc7158f3f05617beef980429d8)
++---
++ libknet/transport_udp.c | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index acfbab4..3decb66 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -325,8 +325,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 				sock_err = (struct sock_extended_err*)(void *)CMSG_DATA(cmsg);
++ 				if (sock_err) {
++ 					switch (sock_err->ee_origin) {
++-						case 0: /* no origin */
++-						case 1: /* local source (EMSGSIZE) */
+++						case SO_EE_ORIGIN_NONE: /* no origin */
+++						case SO_EE_ORIGIN_LOCAL: /* local source (EMSGSIZE) */
++ 							if (sock_err->ee_errno == EMSGSIZE) {
++ 								if (pthread_mutex_lock(&knet_h->kmtu_mutex) != 0) {
++ 									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Unable to get mutex lock");
++@@ -358,8 +358,8 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 							 * those errors are way too noisy
++ 							 */
++ 							break;
++-						case 2: /* ICMP */
++-						case 3: /* ICMP6 */
+++						case SO_EE_ORIGIN_ICMP:  /* ICMP */
+++						case SO_EE_ORIGIN_ICMP6: /* ICMP6 */
++ 							origin = (struct sockaddr_storage *)(void *)SO_EE_OFFENDER(sock_err);
++ 							if (knet_addrtostr(origin, sizeof(origin),
++ 									   addr_str, KNET_MAX_HOST_LEN,
+diff --git a/debian/patches/series b/debian/patches/series
+index 7fbd139..c16ea6e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,11 @@
+ send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
++build-add-another-exception-to-valgrind-nss-combo.patch
++reduce-minimum-crypto-key-size-to-1024bit.patch
++crypto-remove-libnss-3des-support.patch
++man-Tidy-manpages-215.patch
++man-Tidy-more-man-pages.patch
++man-fix-knet_host_set_policy-parameters-order.patch
++tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
++man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
++udp-use-defines-vs-hardcoded-numbers.patch
++udp-improve-error-message-decoding-from-ICMP-errors.patch
diff --git a/patches/0003-cherry-pick-1.10-as-patches.patch b/patches/0003-cherry-pick-1.10-as-patches.patch
new file mode 100644
index 0000000..ec886d6
--- /dev/null
+++ b/patches/0003-cherry-pick-1.10-as-patches.patch
@@ -0,0 +1,14716 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 09:31:57 +0200
+Subject: [PATCH kronosnet] cherry-pick 1.10 as patches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ ...e-entry-per-file-to-match-README.lic.patch | 2928 +++++++++++++++++
+ ...n-shared-code-to-trigger-PMTUd-rerun.patch |   79 +
+ ...-rerun-API-to-allow-full-PMTUd-reset.patch |   74 +
+ ...sts-add-access-lists-support-to-sctp.patch |   96 +
+ ...documentation-for-enable_access_list.patch |   58 +
+ ...dd-errno-around-and-start-using-them.patch |  195 ++
+ ...rnal-API-calls-to-manage-access-list.patch |  746 +++++
+ ...more-extensive-test-for-links_acl_ip.patch |  717 ++++
+ .../access-lists-add-public-API-tests.patch   | 1019 ++++++
+ ...s-add-tests-for-default-access-lists.patch |   63 +
+ ...et_bench-to-enable-disable-access-li.patch |   61 +
+ ...cally-add-and-remove-point-to-point-.patch |  283 ++
+ .../access-lists-cleanup-API-a-bit.patch      |   98 +
+ ...access-lists-data-structs-within-the.patch |  226 ++
+ ...ccess-lists-for-GENERIC_ACL-protocol.patch |   80 +
+ ...eneric-access-lists-only-for-protoco.patch |   55 +
+ ...d-on-BSD-and-add-some-include-files-.patch |   64 +
+ .../access-lists-fix-build-on-freebsd.patch   |   54 +
+ ...improve-checks-on-various-data-types.patch |   74 +
+ ...e-more-generic-to-accept-more-than-I.patch |  436 +++
+ ...s-lists-make-internal-API-consistent.patch |   73 +
+ ...-of-generic-wrappers-and-remove-dupl.patch |   72 +
+ ...ess-lists-structs-and-data-types-to-.patch |  168 +
+ ...-acl-wrappers-to-links_acl-and-split.patch | 1025 ++++++
+ ...-lists-remove-2-unnecessary-wrappers.patch |   70 +
+ ...p1-2-to-ss1-2-to-keep-it-more-generi.patch |  219 ++
+ ...licit-access-lists-management-for-UD.patch |   50 +
+ ...ays-to-access-per-protocol-functions.patch |  309 ++
+ ...better-name-for-fd_tracker-structure.patch |   95 +
+ .../acl-Fix-English-in-commments.patch        |  106 +
+ ..._handle_enable_access_lists-api-call.patch |  235 ++
+ ...o-libknet-dir-and-rename-to-links_ac.patch |  186 ++
+ ...ump-soname-to-indicate-new-API-calls.patch |   23 +
+ .../compress-add-support-for-libzstd.patch    |  342 ++
+ ...o-fix-openssl1.0-initialization-code.patch |   98 +
+ ...e-errors-generated-by-openssl-1.1.1c.patch |  137 +
+ ...lear-all-security-info-on-crypto_fin.patch |   51 +
+ ...rigger-a-PMTUd-rerun-on-each-good-cr.patch |   25 +
+ ...alls-to-RAND_seed-as-they-don-t-real.patch |   65 +
+ ...crypto-openssl-error-strings-release.patch |   28 +
+ ...ndle_crypto-external-API-to-be-more-.patch |  598 ++++
+ ...ight-from-541d7faf9068d10e12b4278c35.patch |   23 +
+ ...al-update-copyright-across-the-board.patch |  129 +
+ debian/patches/global-update-copyrights.patch |   21 +
+ ...operly-initialize-fd-tracker-buffers.patch |   26 +
+ ..._type-to-transport-to-avoid-confusio.patch |   77 +
+ ...t_type-to-transport-to-avoid-confusi.patch |  196 ++
+ ...g-target-of-recently-added-API-calls.patch |   52 +
+ ...rrors-detected-by-newly-added-test-1.patch |   50 +
+ .../patches/manpages-Document-enums-206.patch |   39 +
+ .../misc-Fix-more-covscan-warnings.patch      |  191 ++
+ debian/patches/misc-some-coverity-fixes.patch |  224 ++
+ ...bout-plugins-version-and-architectur.patch |  167 +
+ ...-up-useless-conditionals-and-defines.patch |  376 +++
+ .../spec-drop-support-for-init-scripts.patch  |  108 +
+ .../spec-fix-a-bunch-of-rpmlint-errors.patch  |   51 +
+ ...s-to-point-to-https-and-official-rel.patch |   30 +
+ ...ora-spec-file-into-upstream-spec-fil.patch |  374 +++
+ ...ditionals-to-determine-BuildRequires.patch |   59 +
+ ...dconfig_scriptlets-only-when-defined.patch |   40 +
+ ...m-internal-memory-leak-non-recurring.patch |   25 +
+ ...r-packet-implementation-to-flush-log.patch |  135 +
+ .../patches/tests-remove-stray-comment.patch  |   22 +
+ ...t-add-internal-API-to-gather-which-f.patch |  161 +
+ ...ation-about-the-nature-of-the-transp.patch |  115 +
+ ...ect-merge-when-cherry-picking-7033dd.patch |   29 +
+ debian/patches/series                         |   66 +
+ 67 files changed, 14167 insertions(+)
+ create mode 100644 debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+ create mode 100644 debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+ create mode 100644 debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+ create mode 100644 debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+ create mode 100644 debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+ create mode 100644 debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+ create mode 100644 debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+ create mode 100644 debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+ create mode 100644 debian/patches/access-lists-add-public-API-tests.patch
+ create mode 100644 debian/patches/access-lists-add-tests-for-default-access-lists.patch
+ create mode 100644 debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+ create mode 100644 debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+ create mode 100644 debian/patches/access-lists-cleanup-API-a-bit.patch
+ create mode 100644 debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+ create mode 100644 debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+ create mode 100644 debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+ create mode 100644 debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+ create mode 100644 debian/patches/access-lists-fix-build-on-freebsd.patch
+ create mode 100644 debian/patches/access-lists-improve-checks-on-various-data-types.patch
+ create mode 100644 debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+ create mode 100644 debian/patches/access-lists-make-internal-API-consistent.patch
+ create mode 100644 debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+ create mode 100644 debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+ create mode 100644 debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+ create mode 100644 debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+ create mode 100644 debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+ create mode 100644 debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+ create mode 100644 debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+ create mode 100644 debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+ create mode 100644 debian/patches/acl-Fix-English-in-commments.patch
+ create mode 100644 debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+ create mode 100644 debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+ create mode 100644 debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+ create mode 100644 debian/patches/compress-add-support-for-libzstd.patch
+ create mode 100644 debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+ create mode 100644 debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+ create mode 100644 debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+ create mode 100644 debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+ create mode 100644 debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+ create mode 100644 debian/patches/crypto-openssl-error-strings-release.patch
+ create mode 100644 debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+ create mode 100644 debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+ create mode 100644 debian/patches/global-update-copyright-across-the-board.patch
+ create mode 100644 debian/patches/global-update-copyrights.patch
+ create mode 100644 debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+ create mode 100644 debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+ create mode 100644 debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+ create mode 100644 debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+ create mode 100644 debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+ create mode 100644 debian/patches/manpages-Document-enums-206.patch
+ create mode 100644 debian/patches/misc-Fix-more-covscan-warnings.patch
+ create mode 100644 debian/patches/misc-some-coverity-fixes.patch
+ create mode 100644 debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+ create mode 100644 debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+ create mode 100644 debian/patches/spec-drop-support-for-init-scripts.patch
+ create mode 100644 debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+ create mode 100644 debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+ create mode 100644 debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+ create mode 100644 debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+ create mode 100644 debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+ create mode 100644 debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+ create mode 100644 debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+ create mode 100644 debian/patches/tests-remove-stray-comment.patch
+ create mode 100644 debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+ create mode 100644 debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+ create mode 100644 debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+
+diff --git a/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch b/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+new file mode 100644
+index 0000000..ba15cf0
+--- /dev/null
++++ b/debian/patches/global-clarify-license-entry-per-file-to-match-README.lic.patch
+@@ -0,0 +1,2928 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 12 Jun 2019 05:21:24 +0200
++Subject: [global] clarify license entry per file to match README.licence
++
++libraries code: LGPL-2.0+
++binaries code and other files: GPL-2.0+
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dd52554d5dfc0c5c37697842092cd3b99d6d40a4)
++---
++ README                                                           | 2 +-
++ autogen.sh                                                       | 2 +-
++ configure.ac                                                     | 2 +-
++ Makefile.am                                                      | 2 +-
++ init/Makefile.am                                                 | 2 +-
++ kronosnetd/Makefile.am                                           | 2 +-
++ libknet/Makefile.am                                              | 2 +-
++ libknet/tests/Makefile.am                                        | 2 +-
++ libnozzle/Makefile.am                                            | 2 +-
++ libnozzle/tests/Makefile.am                                      | 2 +-
++ man/Makefile.am                                                  | 2 +-
++ poc-code/Makefile.am                                             | 2 +-
++ poc-code/iov-hash/Makefile.am                                    | 2 +-
++ kronosnetd/cfg.h                                                 | 2 +-
++ kronosnetd/etherfilter.h                                         | 2 +-
++ kronosnetd/logging.h                                             | 2 +-
++ kronosnetd/vty.h                                                 | 2 +-
++ kronosnetd/vty_auth.h                                            | 2 +-
++ kronosnetd/vty_cli.h                                             | 2 +-
++ kronosnetd/vty_cli_cmds.h                                        | 2 +-
++ kronosnetd/vty_utils.h                                           | 2 +-
++ libknet/common.h                                                 | 2 +-
++ libknet/compat.h                                                 | 2 +-
++ libknet/compress.h                                               | 2 +-
++ libknet/compress_model.h                                         | 2 +-
++ libknet/crypto.h                                                 | 2 +-
++ libknet/crypto_model.h                                           | 2 +-
++ libknet/host.h                                                   | 2 +-
++ libknet/internals.h                                              | 2 +-
++ libknet/libknet.h                                                | 2 +-
++ libknet/links.h                                                  | 2 +-
++ libknet/links_acl.h                                              | 2 +-
++ libknet/links_acl_ip.h                                           | 2 +-
++ libknet/links_acl_loopback.h                                     | 2 +-
++ libknet/logging.h                                                | 2 +-
++ libknet/netutils.h                                               | 2 +-
++ libknet/onwire.h                                                 | 2 +-
++ libknet/tests/test-common.h                                      | 2 +-
++ libknet/threads_common.h                                         | 2 +-
++ libknet/threads_dsthandler.h                                     | 2 +-
++ libknet/threads_heartbeat.h                                      | 2 +-
++ libknet/threads_pmtud.h                                          | 2 +-
++ libknet/threads_rx.h                                             | 2 +-
++ libknet/threads_tx.h                                             | 2 +-
++ libknet/transport_common.h                                       | 2 +-
++ libknet/transport_loopback.h                                     | 2 +-
++ libknet/transport_sctp.h                                         | 2 +-
++ libknet/transport_udp.h                                          | 2 +-
++ libknet/transports.h                                             | 2 +-
++ libnozzle/internals.h                                            | 2 +-
++ libnozzle/libnozzle.h                                            | 2 +-
++ libnozzle/tests/test-common.h                                    | 2 +-
++ init/kronosnetd.in                                               | 2 +-
++ init/kronosnetd.service.in                                       | 2 +-
++ kronosnetd/kronosnetd.logrotate.in                               | 2 +-
++ libknet/libknet.pc.in                                            | 2 +-
++ libnozzle/libnozzle.pc.in                                        | 2 +-
++ man/Doxyfile-knet.in                                             | 2 +-
++ man/Doxyfile-nozzle.in                                           | 2 +-
++ kronosnetd/cfg.c                                                 | 2 +-
++ kronosnetd/etherfilter.c                                         | 2 +-
++ kronosnetd/keygen.c                                              | 2 +-
++ kronosnetd/logging.c                                             | 2 +-
++ kronosnetd/main.c                                                | 2 +-
++ kronosnetd/vty.c                                                 | 2 +-
++ kronosnetd/vty_auth.c                                            | 2 +-
++ kronosnetd/vty_cli.c                                             | 2 +-
++ kronosnetd/vty_cli_cmds.c                                        | 2 +-
++ kronosnetd/vty_utils.c                                           | 2 +-
++ libknet/common.c                                                 | 2 +-
++ libknet/compat.c                                                 | 2 +-
++ libknet/compress.c                                               | 2 +-
++ libknet/compress_bzip2.c                                         | 2 +-
++ libknet/compress_lz4.c                                           | 2 +-
++ libknet/compress_lz4hc.c                                         | 2 +-
++ libknet/compress_lzma.c                                          | 2 +-
++ libknet/compress_lzo2.c                                          | 2 +-
++ libknet/compress_zlib.c                                          | 2 +-
++ libknet/compress_zstd.c                                          | 2 +-
++ libknet/crypto.c                                                 | 2 +-
++ libknet/crypto_nss.c                                             | 2 +-
++ libknet/crypto_openssl.c                                         | 2 +-
++ libknet/handle.c                                                 | 2 +-
++ libknet/host.c                                                   | 2 +-
++ libknet/links.c                                                  | 2 +-
++ libknet/links_acl.c                                              | 2 +-
++ libknet/links_acl_ip.c                                           | 2 +-
++ libknet/links_acl_loopback.c                                     | 2 +-
++ libknet/logging.c                                                | 2 +-
++ libknet/netutils.c                                               | 2 +-
++ libknet/tests/api_knet_addrtostr.c                               | 2 +-
++ libknet/tests/api_knet_get_compress_list.c                       | 2 +-
++ libknet/tests/api_knet_get_crypto_list.c                         | 2 +-
++ libknet/tests/api_knet_get_transport_id_by_name.c                | 2 +-
++ libknet/tests/api_knet_get_transport_list.c                      | 2 +-
++ libknet/tests/api_knet_get_transport_name_by_id.c                | 2 +-
++ libknet/tests/api_knet_handle_add_datafd.c                       | 2 +-
++ libknet/tests/api_knet_handle_clear_stats.c                      | 2 +-
++ libknet/tests/api_knet_handle_compress.c                         | 2 +-
++ libknet/tests/api_knet_handle_crypto.c                           | 2 +-
++ libknet/tests/api_knet_handle_enable_access_lists.c              | 2 +-
++ libknet/tests/api_knet_handle_enable_filter.c                    | 2 +-
++ libknet/tests/api_knet_handle_enable_pmtud_notify.c              | 2 +-
++ libknet/tests/api_knet_handle_enable_sock_notify.c               | 2 +-
++ libknet/tests/api_knet_handle_free.c                             | 2 +-
++ libknet/tests/api_knet_handle_get_channel.c                      | 2 +-
++ libknet/tests/api_knet_handle_get_datafd.c                       | 2 +-
++ libknet/tests/api_knet_handle_get_stats.c                        | 2 +-
++ libknet/tests/api_knet_handle_get_transport_reconnect_interval.c | 2 +-
++ libknet/tests/api_knet_handle_new.c                              | 2 +-
++ libknet/tests/api_knet_handle_new_limit.c                        | 2 +-
++ libknet/tests/api_knet_handle_pmtud_get.c                        | 2 +-
++ libknet/tests/api_knet_handle_pmtud_getfreq.c                    | 2 +-
++ libknet/tests/api_knet_handle_pmtud_setfreq.c                    | 2 +-
++ libknet/tests/api_knet_handle_remove_datafd.c                    | 2 +-
++ libknet/tests/api_knet_handle_set_transport_reconnect_interval.c | 2 +-
++ libknet/tests/api_knet_handle_setfwd.c                           | 2 +-
++ libknet/tests/api_knet_host_add.c                                | 2 +-
++ libknet/tests/api_knet_host_enable_status_change_notify.c        | 2 +-
++ libknet/tests/api_knet_host_get_host_list.c                      | 2 +-
++ libknet/tests/api_knet_host_get_id_by_host_name.c                | 2 +-
++ libknet/tests/api_knet_host_get_name_by_host_id.c                | 2 +-
++ libknet/tests/api_knet_host_get_policy.c                         | 2 +-
++ libknet/tests/api_knet_host_get_status.c                         | 2 +-
++ libknet/tests/api_knet_host_remove.c                             | 2 +-
++ libknet/tests/api_knet_host_set_name.c                           | 2 +-
++ libknet/tests/api_knet_host_set_policy.c                         | 2 +-
++ libknet/tests/api_knet_link_add_acl.c                            | 2 +-
++ libknet/tests/api_knet_link_clear_acl.c                          | 2 +-
++ libknet/tests/api_knet_link_clear_config.c                       | 2 +-
++ libknet/tests/api_knet_link_get_config.c                         | 2 +-
++ libknet/tests/api_knet_link_get_enable.c                         | 2 +-
++ libknet/tests/api_knet_link_get_link_list.c                      | 2 +-
++ libknet/tests/api_knet_link_get_ping_timers.c                    | 2 +-
++ libknet/tests/api_knet_link_get_pong_count.c                     | 2 +-
++ libknet/tests/api_knet_link_get_priority.c                       | 2 +-
++ libknet/tests/api_knet_link_get_status.c                         | 2 +-
++ libknet/tests/api_knet_link_insert_acl.c                         | 2 +-
++ libknet/tests/api_knet_link_rm_acl.c                             | 2 +-
++ libknet/tests/api_knet_link_set_config.c                         | 2 +-
++ libknet/tests/api_knet_link_set_enable.c                         | 2 +-
++ libknet/tests/api_knet_link_set_ping_timers.c                    | 2 +-
++ libknet/tests/api_knet_link_set_pong_count.c                     | 2 +-
++ libknet/tests/api_knet_link_set_priority.c                       | 2 +-
++ libknet/tests/api_knet_log_get_loglevel.c                        | 2 +-
++ libknet/tests/api_knet_log_get_loglevel_id.c                     | 2 +-
++ libknet/tests/api_knet_log_get_loglevel_name.c                   | 2 +-
++ libknet/tests/api_knet_log_get_subsystem_id.c                    | 2 +-
++ libknet/tests/api_knet_log_get_subsystem_name.c                  | 2 +-
++ libknet/tests/api_knet_log_set_loglevel.c                        | 2 +-
++ libknet/tests/api_knet_recv.c                                    | 2 +-
++ libknet/tests/api_knet_send.c                                    | 2 +-
++ libknet/tests/api_knet_send_compress.c                           | 2 +-
++ libknet/tests/api_knet_send_crypto.c                             | 2 +-
++ libknet/tests/api_knet_send_loopback.c                           | 2 +-
++ libknet/tests/api_knet_send_sync.c                               | 2 +-
++ libknet/tests/api_knet_strtoaddr.c                               | 2 +-
++ libknet/tests/int_links_acl_ip.c                                 | 2 +-
++ libknet/tests/int_timediff.c                                     | 2 +-
++ libknet/tests/knet_bench.c                                       | 2 +-
++ libknet/tests/pckt_test.c                                        | 2 +-
++ libknet/tests/test-common.c                                      | 2 +-
++ libknet/threads_common.c                                         | 2 +-
++ libknet/threads_dsthandler.c                                     | 2 +-
++ libknet/threads_heartbeat.c                                      | 2 +-
++ libknet/threads_pmtud.c                                          | 2 +-
++ libknet/threads_rx.c                                             | 2 +-
++ libknet/threads_tx.c                                             | 2 +-
++ libknet/transport_common.c                                       | 2 +-
++ libknet/transport_loopback.c                                     | 2 +-
++ libknet/transport_sctp.c                                         | 2 +-
++ libknet/transport_udp.c                                          | 2 +-
++ libknet/transports.c                                             | 2 +-
++ libnozzle/internals.c                                            | 2 +-
++ libnozzle/libnozzle.c                                            | 2 +-
++ libnozzle/tests/api_nozzle_add_ip.c                              | 2 +-
++ libnozzle/tests/api_nozzle_close.c                               | 2 +-
++ libnozzle/tests/api_nozzle_del_ip.c                              | 2 +-
++ libnozzle/tests/api_nozzle_get_fd.c                              | 2 +-
++ libnozzle/tests/api_nozzle_get_handle_by_name.c                  | 2 +-
++ libnozzle/tests/api_nozzle_get_ips.c                             | 2 +-
++ libnozzle/tests/api_nozzle_get_mac.c                             | 2 +-
++ libnozzle/tests/api_nozzle_get_mtu.c                             | 2 +-
++ libnozzle/tests/api_nozzle_get_name_by_handle.c                  | 2 +-
++ libnozzle/tests/api_nozzle_open.c                                | 2 +-
++ libnozzle/tests/api_nozzle_run_updown.c                          | 2 +-
++ libnozzle/tests/api_nozzle_set_down.c                            | 2 +-
++ libnozzle/tests/api_nozzle_set_mac.c                             | 2 +-
++ libnozzle/tests/api_nozzle_set_mtu.c                             | 2 +-
++ libnozzle/tests/api_nozzle_set_up.c                              | 2 +-
++ libnozzle/tests/int_execute_bin_sh_command.c                     | 2 +-
++ libnozzle/tests/test-common.c                                    | 2 +-
++ man/doxyxml.c                                                    | 2 +-
++ poc-code/iov-hash/main.c                                         | 2 +-
++ build-aux/check.mk                                               | 2 +-
++ build-aux/release.mk                                             | 2 +-
++ build-aux/update-copyright.sh                                    | 4 ++--
++ init/kronosnetd.default                                          | 2 +-
++ libknet/libknet_exported_syms                                    | 2 +-
++ libknet/tests/api-check.mk                                       | 2 +-
++ libknet/tests/api-test-coverage                                  | 2 +-
++ libnozzle/libnozzle_exported_syms                                | 2 +-
++ libnozzle/tests/api-test-coverage                                | 2 +-
++ libnozzle/tests/nozzle_run_updown_exit_false                     | 2 +-
++ libnozzle/tests/nozzle_run_updown_exit_true                      | 2 +-
++ man/api-to-man-page-coverage                                     | 2 +-
++ man/knet-keygen.8                                                | 2 +-
++ man/kronosnetd.8                                                 | 2 +-
++ 208 files changed, 209 insertions(+), 209 deletions(-)
++
++diff --git a/README b/README
++index 7b5e7ce..f8f3ea6 100644
++--- a/README
+++++ b/README
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ Upstream resources
++diff --git a/autogen.sh b/autogen.sh
++index 8fb1e58..92e9483 100755
++--- a/autogen.sh
+++++ b/autogen.sh
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ # Run this to generate all the initial makefiles, etc.
++diff --git a/configure.ac b/configure.ac
++index 501053e..e962592 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #          Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ #                                               -*- Autoconf -*-
++diff --git a/Makefile.am b/Makefile.am
++index 82cb1f5..dc5f8a5 100644
++--- a/Makefile.am
+++++ b/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in aclocal.m4 configure depcomp \
++diff --git a/init/Makefile.am b/init/Makefile.am
++index 4d59a9e..fe0d9b0 100644
++--- a/init/Makefile.am
+++++ b/init/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/kronosnetd/Makefile.am b/kronosnetd/Makefile.am
++index 0b6f673..5ce8fa5 100644
++--- a/kronosnetd/Makefile.am
+++++ b/kronosnetd/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in kronostnetd.logrotate
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 8adcc40..d080732 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #          Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 015587c..3346596 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/libnozzle/Makefile.am b/libnozzle/Makefile.am
++index 2ffbd08..8ac438a 100644
++--- a/libnozzle/Makefile.am
+++++ b/libnozzle/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/libnozzle/tests/Makefile.am b/libnozzle/tests/Makefile.am
++index b9e16ae..cdc42a3 100644
++--- a/libnozzle/tests/Makefile.am
+++++ b/libnozzle/tests/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/man/Makefile.am b/man/Makefile.am
++index 0ad12f6..a473e90 100644
++--- a/man/Makefile.am
+++++ b/man/Makefile.am
++@@ -4,7 +4,7 @@
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #          Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/poc-code/Makefile.am b/poc-code/Makefile.am
++index 15d12f7..ddbea08 100644
++--- a/poc-code/Makefile.am
+++++ b/poc-code/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/poc-code/iov-hash/Makefile.am b/poc-code/iov-hash/Makefile.am
++index a41ed99..acd6b51 100644
++--- a/poc-code/iov-hash/Makefile.am
+++++ b/poc-code/iov-hash/Makefile.am
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ MAINTAINERCLEANFILES	= Makefile.in
++diff --git a/kronosnetd/cfg.h b/kronosnetd/cfg.h
++index 0260bff..56fa4d5 100644
++--- a/kronosnetd/cfg.h
+++++ b/kronosnetd/cfg.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_CFG_H__
++diff --git a/kronosnetd/etherfilter.h b/kronosnetd/etherfilter.h
++index d805dd6..63e18b6 100644
++--- a/kronosnetd/etherfilter.h
+++++ b/kronosnetd/etherfilter.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_ETHERFILTER_H__
++diff --git a/kronosnetd/logging.h b/kronosnetd/logging.h
++index e4d5ce2..1bc12b9 100644
++--- a/kronosnetd/logging.h
+++++ b/kronosnetd/logging.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_LOGGING_H__
++diff --git a/kronosnetd/vty.h b/kronosnetd/vty.h
++index 86bd821..3c3e6e0 100644
++--- a/kronosnetd/vty.h
+++++ b/kronosnetd/vty.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_VTY_H__
++diff --git a/kronosnetd/vty_auth.h b/kronosnetd/vty_auth.h
++index c42989b..58d75cb 100644
++--- a/kronosnetd/vty_auth.h
+++++ b/kronosnetd/vty_auth.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_VTY_AUTH_H__
++diff --git a/kronosnetd/vty_cli.h b/kronosnetd/vty_cli.h
++index 9bbdcc7..0d7e515 100644
++--- a/kronosnetd/vty_cli.h
+++++ b/kronosnetd/vty_cli.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_VTY_CLI_H__
++diff --git a/kronosnetd/vty_cli_cmds.h b/kronosnetd/vty_cli_cmds.h
++index ac07573..ba40ddf 100644
++--- a/kronosnetd/vty_cli_cmds.h
+++++ b/kronosnetd/vty_cli_cmds.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_VTY_CLI_CMDS_H__
++diff --git a/kronosnetd/vty_utils.h b/kronosnetd/vty_utils.h
++index 07e339b..7ac318a 100644
++--- a/kronosnetd/vty_utils.h
+++++ b/kronosnetd/vty_utils.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNETD_VTY_UTILS_H__
++diff --git a/libknet/common.h b/libknet/common.h
++index ddea7fc..6128b16 100644
++--- a/libknet/common.h
+++++ b/libknet/common.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "internals.h"
++diff --git a/libknet/compat.h b/libknet/compat.h
++index e9af804..903fdfb 100644
++--- a/libknet/compat.h
+++++ b/libknet/compat.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Jan Friesse <jfriesse at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_COMPAT_H__
++diff --git a/libknet/compress.h b/libknet/compress.h
++index 47edddf..d43a9d5 100644
++--- a/libknet/compress.h
+++++ b/libknet/compress.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_COMPRESS_H__
++diff --git a/libknet/compress_model.h b/libknet/compress_model.h
++index 909f5a1..e69e491 100644
++--- a/libknet/compress_model.h
+++++ b/libknet/compress_model.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_COMPRESS_MODEL_H__
++diff --git a/libknet/crypto.h b/libknet/crypto.h
++index 707de32..f80cb43 100644
++--- a/libknet/crypto.h
+++++ b/libknet/crypto.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_CRYPTO_H__
++diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h
++index 9bb4f17..70f6238 100644
++--- a/libknet/crypto_model.h
+++++ b/libknet/crypto_model.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_CRYPTO_MODEL_H__
++diff --git a/libknet/host.h b/libknet/host.h
++index 4336b17..307b6e7 100644
++--- a/libknet/host.h
+++++ b/libknet/host.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_HOST_H__
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 12f613c..3f105a1 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_INTERNALS_H__
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 907213f..acd1c86 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __LIBKNET_H__
++diff --git a/libknet/links.h b/libknet/links.h
++index 7c0250d..e14958d 100644
++--- a/libknet/links.h
+++++ b/libknet/links.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_LINK_H__
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 60f7812..4617c9b 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_LINKS_ACL_H__
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index b33ffb1..f566c1e 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_LINKS_ACL_IP_H__
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index b51d2bf..d10764c 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_LINKS_ACL_LOOPBACK_H__
++diff --git a/libknet/logging.h b/libknet/logging.h
++index bdcd85e..01dcaf1 100644
++--- a/libknet/logging.h
+++++ b/libknet/logging.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_LOGGING_H__
++diff --git a/libknet/netutils.h b/libknet/netutils.h
++index bdc605e..b293115 100644
++--- a/libknet/netutils.h
+++++ b/libknet/netutils.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_NETUTILS_H__
++diff --git a/libknet/onwire.h b/libknet/onwire.h
++index ea45bfb..9815bc3 100644
++--- a/libknet/onwire.h
+++++ b/libknet/onwire.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_ONWIRE_H__
++diff --git a/libknet/tests/test-common.h b/libknet/tests/test-common.h
++index a498a09..f1375ab 100644
++--- a/libknet/tests/test-common.h
+++++ b/libknet/tests/test-common.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __KNET_TEST_COMMON_H__
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index cff7691..596de14 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_COMMON_H__
++diff --git a/libknet/threads_dsthandler.h b/libknet/threads_dsthandler.h
++index 0c968ff..db9117c 100644
++--- a/libknet/threads_dsthandler.h
+++++ b/libknet/threads_dsthandler.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_DSTHANDLER_H__
++diff --git a/libknet/threads_heartbeat.h b/libknet/threads_heartbeat.h
++index 2fcc9a0..b2580d1 100644
++--- a/libknet/threads_heartbeat.h
+++++ b/libknet/threads_heartbeat.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_HEARTBEAT_H__
++diff --git a/libknet/threads_pmtud.h b/libknet/threads_pmtud.h
++index 2cdcdbc..5ed3155 100644
++--- a/libknet/threads_pmtud.h
+++++ b/libknet/threads_pmtud.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_PMTUD_H__
++diff --git a/libknet/threads_rx.h b/libknet/threads_rx.h
++index ff8bd6e..b88c098 100644
++--- a/libknet/threads_rx.h
+++++ b/libknet/threads_rx.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_RX_H__
++diff --git a/libknet/threads_tx.h b/libknet/threads_tx.h
++index 7c4b2c0..28c4958 100644
++--- a/libknet/threads_tx.h
+++++ b/libknet/threads_tx.h
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_THREADS_TX_H__
++diff --git a/libknet/transport_common.h b/libknet/transport_common.h
++index 778af8b..0ca21d0 100644
++--- a/libknet/transport_common.h
+++++ b/libknet/transport_common.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_TRANSPORT_COMMON_H__
++diff --git a/libknet/transport_loopback.h b/libknet/transport_loopback.h
++index 6ce3ed3..a848ff8 100644
++--- a/libknet/transport_loopback.h
+++++ b/libknet/transport_loopback.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_sctp.h b/libknet/transport_sctp.h
++index 83a638b..0b8f320 100644
++--- a/libknet/transport_sctp.h
+++++ b/libknet/transport_sctp.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_udp.h b/libknet/transport_udp.h
++index 6de18e3..1dec863 100644
++--- a/libknet/transport_udp.h
+++++ b/libknet/transport_udp.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transports.h b/libknet/transports.h
++index 38f69ba..3a29ce6 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __KNET_TRANSPORTS_H__
++diff --git a/libnozzle/internals.h b/libnozzle/internals.h
++index 853e14e..c9192a8 100644
++--- a/libnozzle/internals.h
+++++ b/libnozzle/internals.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __NOZZLE_INTERNALS_H__
++diff --git a/libnozzle/libnozzle.h b/libnozzle/libnozzle.h
++index b8ab7d6..ad7c474 100644
++--- a/libnozzle/libnozzle.h
+++++ b/libnozzle/libnozzle.h
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #ifndef __LIBNOZZLE_H__
++diff --git a/libnozzle/tests/test-common.h b/libnozzle/tests/test-common.h
++index 4562ea2..fcfafef 100644
++--- a/libnozzle/tests/test-common.h
+++++ b/libnozzle/tests/test-common.h
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #ifndef __NOZZLE_TEST_COMMON_H__
++diff --git a/init/kronosnetd.in b/init/kronosnetd.in
++index 1823a3b..1da3273 100644
++--- a/init/kronosnetd.in
+++++ b/init/kronosnetd.in
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ # chkconfig: - 20 80
++diff --git a/init/kronosnetd.service.in b/init/kronosnetd.service.in
++index 4d2a32a..cfc80f7 100644
++--- a/init/kronosnetd.service.in
+++++ b/init/kronosnetd.service.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ [Unit]
++diff --git a/kronosnetd/kronosnetd.logrotate.in b/kronosnetd/kronosnetd.logrotate.in
++index 4ed1fd2..a8a6969 100644
++--- a/kronosnetd/kronosnetd.logrotate.in
+++++ b/kronosnetd/kronosnetd.logrotate.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ @LOGDIR at kronosnetd.log {
++diff --git a/libknet/libknet.pc.in b/libknet/libknet.pc.in
++index bb7b25c..021b2c4 100644
++--- a/libknet/libknet.pc.in
+++++ b/libknet/libknet.pc.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Federico Simoncelli <fsimon at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++ 
++ prefix=@prefix@
++diff --git a/libnozzle/libnozzle.pc.in b/libnozzle/libnozzle.pc.in
++index d6b2a15..9df0918 100644
++--- a/libnozzle/libnozzle.pc.in
+++++ b/libnozzle/libnozzle.pc.in
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++ 
++ prefix=@prefix@
++diff --git a/man/Doxyfile-knet.in b/man/Doxyfile-knet.in
++index f78e313..4750c9a 100644
++--- a/man/Doxyfile-knet.in
+++++ b/man/Doxyfile-knet.in
++@@ -4,7 +4,7 @@
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #         Christine Caulfield <ccaulfie at redhat.com>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ PROJECT_NAME	       = @PACKAGE_NAME@
++ PROJECT_NUMBER         = @PACKAGE_VERSION@
++diff --git a/man/Doxyfile-nozzle.in b/man/Doxyfile-nozzle.in
++index 2855e50..793d49d 100644
++--- a/man/Doxyfile-nozzle.in
+++++ b/man/Doxyfile-nozzle.in
++@@ -4,7 +4,7 @@
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #         Christine Caulfield <ccaulfie at redhat.com>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ PROJECT_NAME	       = @PACKAGE_NAME@
++ PROJECT_NUMBER         = @PACKAGE_VERSION@
++diff --git a/kronosnetd/cfg.c b/kronosnetd/cfg.c
++index 69d209a..406532a 100644
++--- a/kronosnetd/cfg.c
+++++ b/kronosnetd/cfg.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/etherfilter.c b/kronosnetd/etherfilter.c
++index 8542061..5f0d9fb 100644
++--- a/kronosnetd/etherfilter.c
+++++ b/kronosnetd/etherfilter.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/keygen.c b/kronosnetd/keygen.c
++index eb91473..42706ad 100644
++--- a/kronosnetd/keygen.c
+++++ b/kronosnetd/keygen.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/logging.c b/kronosnetd/logging.c
++index b3ef0d1..9c141cd 100644
++--- a/kronosnetd/logging.c
+++++ b/kronosnetd/logging.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/main.c b/kronosnetd/main.c
++index c1a8c2b..ec43871 100644
++--- a/kronosnetd/main.c
+++++ b/kronosnetd/main.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/vty.c b/kronosnetd/vty.c
++index d624bf4..2c5d4d3 100644
++--- a/kronosnetd/vty.c
+++++ b/kronosnetd/vty.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/vty_auth.c b/kronosnetd/vty_auth.c
++index cf997f9..30e0929 100644
++--- a/kronosnetd/vty_auth.c
+++++ b/kronosnetd/vty_auth.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/vty_cli.c b/kronosnetd/vty_cli.c
++index 68ff0da..95e4c8f 100644
++--- a/kronosnetd/vty_cli.c
+++++ b/kronosnetd/vty_cli.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/vty_cli_cmds.c b/kronosnetd/vty_cli_cmds.c
++index 18b11a0..e5ad496 100644
++--- a/kronosnetd/vty_cli_cmds.c
+++++ b/kronosnetd/vty_cli_cmds.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/kronosnetd/vty_utils.c b/kronosnetd/vty_utils.c
++index 3c5cc86..2cf5117 100644
++--- a/kronosnetd/vty_utils.c
+++++ b/kronosnetd/vty_utils.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/common.c b/libknet/common.c
++index be46f23..30e537e 100644
++--- a/libknet/common.c
+++++ b/libknet/common.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/compat.c b/libknet/compat.c
++index a60bca2..e808f33 100644
++--- a/libknet/compat.c
+++++ b/libknet/compat.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Jan Friesse <jfriesse at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 864828f..24755c7 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/compress_bzip2.c b/libknet/compress_bzip2.c
++index 521e206..5a972ff 100644
++--- a/libknet/compress_bzip2.c
+++++ b/libknet/compress_bzip2.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_lz4.c b/libknet/compress_lz4.c
++index 22b926f..60aa196 100644
++--- a/libknet/compress_lz4.c
+++++ b/libknet/compress_lz4.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_lz4hc.c b/libknet/compress_lz4hc.c
++index 9a69ab4..781bf12 100644
++--- a/libknet/compress_lz4hc.c
+++++ b/libknet/compress_lz4hc.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_lzma.c b/libknet/compress_lzma.c
++index e9ba2e3..7fdd178 100644
++--- a/libknet/compress_lzma.c
+++++ b/libknet/compress_lzma.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_lzo2.c b/libknet/compress_lzo2.c
++index e66d3dc..12066ed 100644
++--- a/libknet/compress_lzo2.c
+++++ b/libknet/compress_lzo2.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_zlib.c b/libknet/compress_zlib.c
++index 8807bb4..2fb12f5 100644
++--- a/libknet/compress_zlib.c
+++++ b/libknet/compress_zlib.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++index 6f9b499..f76ea5f 100644
++--- a/libknet/compress_zstd.c
+++++ b/libknet/compress_zstd.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 6c340f5..9f05fba 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 5c3a437..330b40c 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 999ed93..0cbc6f5 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ #define KNET_MODULE
++ 
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 251d332..4835e99 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/host.c b/libknet/host.c
++index 66826c1..abb1f89 100644
++--- a/libknet/host.c
+++++ b/libknet/host.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/links.c b/libknet/links.c
++index 8011a6d..4ec308c 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 776408a..eb77e7b 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 9310f21..e479bbd 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 044a51c..0a0adec 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/logging.c b/libknet/logging.c
++index 5c91257..2efee1b 100644
++--- a/libknet/logging.c
+++++ b/libknet/logging.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/netutils.c b/libknet/netutils.c
++index 72bc659..e37f4fe 100644
++--- a/libknet/netutils.c
+++++ b/libknet/netutils.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_addrtostr.c b/libknet/tests/api_knet_addrtostr.c
++index 9adbf31..9cdf502 100644
++--- a/libknet/tests/api_knet_addrtostr.c
+++++ b/libknet/tests/api_knet_addrtostr.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_compress_list.c b/libknet/tests/api_knet_get_compress_list.c
++index 230e203..53e4192 100644
++--- a/libknet/tests/api_knet_get_compress_list.c
+++++ b/libknet/tests/api_knet_get_compress_list.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_crypto_list.c b/libknet/tests/api_knet_get_crypto_list.c
++index 4121aa4..760adab 100644
++--- a/libknet/tests/api_knet_get_crypto_list.c
+++++ b/libknet/tests/api_knet_get_crypto_list.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_id_by_name.c b/libknet/tests/api_knet_get_transport_id_by_name.c
++index 973814f..9bcd673 100644
++--- a/libknet/tests/api_knet_get_transport_id_by_name.c
+++++ b/libknet/tests/api_knet_get_transport_id_by_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_list.c b/libknet/tests/api_knet_get_transport_list.c
++index c748901..9ab5c10 100644
++--- a/libknet/tests/api_knet_get_transport_list.c
+++++ b/libknet/tests/api_knet_get_transport_list.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_get_transport_name_by_id.c b/libknet/tests/api_knet_get_transport_name_by_id.c
++index a797cec..3233a1d 100644
++--- a/libknet/tests/api_knet_get_transport_name_by_id.c
+++++ b/libknet/tests/api_knet_get_transport_name_by_id.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_add_datafd.c b/libknet/tests/api_knet_handle_add_datafd.c
++index 7159399..3088797 100644
++--- a/libknet/tests/api_knet_handle_add_datafd.c
+++++ b/libknet/tests/api_knet_handle_add_datafd.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_clear_stats.c b/libknet/tests/api_knet_handle_clear_stats.c
++index 07f059a..0867b13 100644
++--- a/libknet/tests/api_knet_handle_clear_stats.c
+++++ b/libknet/tests/api_knet_handle_clear_stats.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_compress.c b/libknet/tests/api_knet_handle_compress.c
++index 1525e6a..40b6f39 100644
++--- a/libknet/tests/api_knet_handle_compress.c
+++++ b/libknet/tests/api_knet_handle_compress.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto.c
++index 9dbf5bc..1eed96e 100644
++--- a/libknet/tests/api_knet_handle_crypto.c
+++++ b/libknet/tests/api_knet_handle_crypto.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++index d08f175..be54bc4 100644
++--- a/libknet/tests/api_knet_handle_enable_access_lists.c
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_filter.c b/libknet/tests/api_knet_handle_enable_filter.c
++index 63b2166..e518b42 100644
++--- a/libknet/tests/api_knet_handle_enable_filter.c
+++++ b/libknet/tests/api_knet_handle_enable_filter.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_pmtud_notify.c b/libknet/tests/api_knet_handle_enable_pmtud_notify.c
++index 726c2cc..f11abc3 100644
++--- a/libknet/tests/api_knet_handle_enable_pmtud_notify.c
+++++ b/libknet/tests/api_knet_handle_enable_pmtud_notify.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_enable_sock_notify.c b/libknet/tests/api_knet_handle_enable_sock_notify.c
++index 9c90600..adefb5a 100644
++--- a/libknet/tests/api_knet_handle_enable_sock_notify.c
+++++ b/libknet/tests/api_knet_handle_enable_sock_notify.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_free.c b/libknet/tests/api_knet_handle_free.c
++index 75319fc..53b6dc6 100644
++--- a/libknet/tests/api_knet_handle_free.c
+++++ b/libknet/tests/api_knet_handle_free.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_channel.c b/libknet/tests/api_knet_handle_get_channel.c
++index 3ade302..0196136 100644
++--- a/libknet/tests/api_knet_handle_get_channel.c
+++++ b/libknet/tests/api_knet_handle_get_channel.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_datafd.c b/libknet/tests/api_knet_handle_get_datafd.c
++index 8838b69..57aedf5 100644
++--- a/libknet/tests/api_knet_handle_get_datafd.c
+++++ b/libknet/tests/api_knet_handle_get_datafd.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_stats.c b/libknet/tests/api_knet_handle_get_stats.c
++index e8a83b4..38a0c97 100644
++--- a/libknet/tests/api_knet_handle_get_stats.c
+++++ b/libknet/tests/api_knet_handle_get_stats.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c b/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
++index 7a43823..f013a5b 100644
++--- a/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
+++++ b/libknet/tests/api_knet_handle_get_transport_reconnect_interval.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_new.c b/libknet/tests/api_knet_handle_new.c
++index b7af566..9559d4a 100644
++--- a/libknet/tests/api_knet_handle_new.c
+++++ b/libknet/tests/api_knet_handle_new.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_new_limit.c b/libknet/tests/api_knet_handle_new_limit.c
++index d51db97..fc3bdcd 100644
++--- a/libknet/tests/api_knet_handle_new_limit.c
+++++ b/libknet/tests/api_knet_handle_new_limit.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_get.c b/libknet/tests/api_knet_handle_pmtud_get.c
++index a1b1d12..803a288 100644
++--- a/libknet/tests/api_knet_handle_pmtud_get.c
+++++ b/libknet/tests/api_knet_handle_pmtud_get.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_getfreq.c b/libknet/tests/api_knet_handle_pmtud_getfreq.c
++index 5c5c7e0..23e3239 100644
++--- a/libknet/tests/api_knet_handle_pmtud_getfreq.c
+++++ b/libknet/tests/api_knet_handle_pmtud_getfreq.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_pmtud_setfreq.c b/libknet/tests/api_knet_handle_pmtud_setfreq.c
++index b4eebda..2a720c3 100644
++--- a/libknet/tests/api_knet_handle_pmtud_setfreq.c
+++++ b/libknet/tests/api_knet_handle_pmtud_setfreq.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_remove_datafd.c b/libknet/tests/api_knet_handle_remove_datafd.c
++index 08a42ab..ace5df7 100644
++--- a/libknet/tests/api_knet_handle_remove_datafd.c
+++++ b/libknet/tests/api_knet_handle_remove_datafd.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c b/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
++index 80bbacb..c561559 100644
++--- a/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
+++++ b/libknet/tests/api_knet_handle_set_transport_reconnect_interval.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_handle_setfwd.c b/libknet/tests/api_knet_handle_setfwd.c
++index 9658075..21a5c9f 100644
++--- a/libknet/tests/api_knet_handle_setfwd.c
+++++ b/libknet/tests/api_knet_handle_setfwd.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_add.c b/libknet/tests/api_knet_host_add.c
++index 762d0df..65104f5 100644
++--- a/libknet/tests/api_knet_host_add.c
+++++ b/libknet/tests/api_knet_host_add.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_enable_status_change_notify.c b/libknet/tests/api_knet_host_enable_status_change_notify.c
++index 96d133d..b0467a5 100644
++--- a/libknet/tests/api_knet_host_enable_status_change_notify.c
+++++ b/libknet/tests/api_knet_host_enable_status_change_notify.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_host_list.c b/libknet/tests/api_knet_host_get_host_list.c
++index 76fb23b..fc573bb 100644
++--- a/libknet/tests/api_knet_host_get_host_list.c
+++++ b/libknet/tests/api_knet_host_get_host_list.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_id_by_host_name.c b/libknet/tests/api_knet_host_get_id_by_host_name.c
++index 81ad504..745dbfa 100644
++--- a/libknet/tests/api_knet_host_get_id_by_host_name.c
+++++ b/libknet/tests/api_knet_host_get_id_by_host_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_name_by_host_id.c b/libknet/tests/api_knet_host_get_name_by_host_id.c
++index d239821..4604525 100644
++--- a/libknet/tests/api_knet_host_get_name_by_host_id.c
+++++ b/libknet/tests/api_knet_host_get_name_by_host_id.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_policy.c b/libknet/tests/api_knet_host_get_policy.c
++index 3160503..8511815 100644
++--- a/libknet/tests/api_knet_host_get_policy.c
+++++ b/libknet/tests/api_knet_host_get_policy.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_get_status.c b/libknet/tests/api_knet_host_get_status.c
++index b13c57a..3b46f0c 100644
++--- a/libknet/tests/api_knet_host_get_status.c
+++++ b/libknet/tests/api_knet_host_get_status.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_remove.c b/libknet/tests/api_knet_host_remove.c
++index 12d1f8f..36dd47c 100644
++--- a/libknet/tests/api_knet_host_remove.c
+++++ b/libknet/tests/api_knet_host_remove.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_set_name.c b/libknet/tests/api_knet_host_set_name.c
++index 88d6ce9..c899d33 100644
++--- a/libknet/tests/api_knet_host_set_name.c
+++++ b/libknet/tests/api_knet_host_set_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_host_set_policy.c b/libknet/tests/api_knet_host_set_policy.c
++index 41102d2..2583114 100644
++--- a/libknet/tests/api_knet_host_set_policy.c
+++++ b/libknet/tests/api_knet_host_set_policy.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++index ff7a2e2..52d6022 100644
++--- a/libknet/tests/api_knet_link_add_acl.c
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++index 234a76b..3516b4d 100644
++--- a/libknet/tests/api_knet_link_clear_acl.c
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_clear_config.c b/libknet/tests/api_knet_link_clear_config.c
++index 8d7800d..ff9c473 100644
++--- a/libknet/tests/api_knet_link_clear_config.c
+++++ b/libknet/tests/api_knet_link_clear_config.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_config.c b/libknet/tests/api_knet_link_get_config.c
++index 111b406..60a56fd 100644
++--- a/libknet/tests/api_knet_link_get_config.c
+++++ b/libknet/tests/api_knet_link_get_config.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_enable.c b/libknet/tests/api_knet_link_get_enable.c
++index 410c017..b0e1348 100644
++--- a/libknet/tests/api_knet_link_get_enable.c
+++++ b/libknet/tests/api_knet_link_get_enable.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_link_list.c b/libknet/tests/api_knet_link_get_link_list.c
++index e3dd73e..6114f83 100644
++--- a/libknet/tests/api_knet_link_get_link_list.c
+++++ b/libknet/tests/api_knet_link_get_link_list.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_ping_timers.c b/libknet/tests/api_knet_link_get_ping_timers.c
++index 5f0e9b1..414619f 100644
++--- a/libknet/tests/api_knet_link_get_ping_timers.c
+++++ b/libknet/tests/api_knet_link_get_ping_timers.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_pong_count.c b/libknet/tests/api_knet_link_get_pong_count.c
++index bbc993d..e032b96 100644
++--- a/libknet/tests/api_knet_link_get_pong_count.c
+++++ b/libknet/tests/api_knet_link_get_pong_count.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_priority.c b/libknet/tests/api_knet_link_get_priority.c
++index 29d7d2e..80538fe 100644
++--- a/libknet/tests/api_knet_link_get_priority.c
+++++ b/libknet/tests/api_knet_link_get_priority.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_get_status.c b/libknet/tests/api_knet_link_get_status.c
++index fe56734..5139692 100644
++--- a/libknet/tests/api_knet_link_get_status.c
+++++ b/libknet/tests/api_knet_link_get_status.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++index 79d04df..2f55c16 100644
++--- a/libknet/tests/api_knet_link_insert_acl.c
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++index d132c54..7217a4f 100644
++--- a/libknet/tests/api_knet_link_rm_acl.c
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index b96c628..c43a4de 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_enable.c b/libknet/tests/api_knet_link_set_enable.c
++index f48f1c0..17e6e03 100644
++--- a/libknet/tests/api_knet_link_set_enable.c
+++++ b/libknet/tests/api_knet_link_set_enable.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_ping_timers.c b/libknet/tests/api_knet_link_set_ping_timers.c
++index d823a81..46170f6 100644
++--- a/libknet/tests/api_knet_link_set_ping_timers.c
+++++ b/libknet/tests/api_knet_link_set_ping_timers.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_pong_count.c b/libknet/tests/api_knet_link_set_pong_count.c
++index 70fc57f..b8974e3 100644
++--- a/libknet/tests/api_knet_link_set_pong_count.c
+++++ b/libknet/tests/api_knet_link_set_pong_count.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_link_set_priority.c b/libknet/tests/api_knet_link_set_priority.c
++index a89392e..aac0ea2 100644
++--- a/libknet/tests/api_knet_link_set_priority.c
+++++ b/libknet/tests/api_knet_link_set_priority.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel.c b/libknet/tests/api_knet_log_get_loglevel.c
++index 4a62ead..4d4a52c 100644
++--- a/libknet/tests/api_knet_log_get_loglevel.c
+++++ b/libknet/tests/api_knet_log_get_loglevel.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel_id.c b/libknet/tests/api_knet_log_get_loglevel_id.c
++index 1053dff..379ba71 100644
++--- a/libknet/tests/api_knet_log_get_loglevel_id.c
+++++ b/libknet/tests/api_knet_log_get_loglevel_id.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_loglevel_name.c b/libknet/tests/api_knet_log_get_loglevel_name.c
++index 317ebb1..ef19af2 100644
++--- a/libknet/tests/api_knet_log_get_loglevel_name.c
+++++ b/libknet/tests/api_knet_log_get_loglevel_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_subsystem_id.c b/libknet/tests/api_knet_log_get_subsystem_id.c
++index 0b47805..cff9e8a 100644
++--- a/libknet/tests/api_knet_log_get_subsystem_id.c
+++++ b/libknet/tests/api_knet_log_get_subsystem_id.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_get_subsystem_name.c b/libknet/tests/api_knet_log_get_subsystem_name.c
++index 1b11fe6..0384730 100644
++--- a/libknet/tests/api_knet_log_get_subsystem_name.c
+++++ b/libknet/tests/api_knet_log_get_subsystem_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_log_set_loglevel.c b/libknet/tests/api_knet_log_set_loglevel.c
++index e729113..7a9232a 100644
++--- a/libknet/tests/api_knet_log_set_loglevel.c
+++++ b/libknet/tests/api_knet_log_set_loglevel.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_recv.c b/libknet/tests/api_knet_recv.c
++index 6e23353..99bd7bc 100644
++--- a/libknet/tests/api_knet_recv.c
+++++ b/libknet/tests/api_knet_recv.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index ca16e3d..ab9715a 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_compress.c b/libknet/tests/api_knet_send_compress.c
++index b03f4e7..6d5f445 100644
++--- a/libknet/tests/api_knet_send_compress.c
+++++ b/libknet/tests/api_knet_send_compress.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_crypto.c b/libknet/tests/api_knet_send_crypto.c
++index e33a808..11de857 100644
++--- a/libknet/tests/api_knet_send_crypto.c
+++++ b/libknet/tests/api_knet_send_crypto.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 2feca68..741b51d 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_send_sync.c b/libknet/tests/api_knet_send_sync.c
++index f2718c9..96cb716 100644
++--- a/libknet/tests/api_knet_send_sync.c
+++++ b/libknet/tests/api_knet_send_sync.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/api_knet_strtoaddr.c b/libknet/tests/api_knet_strtoaddr.c
++index 57a8a0a..a0be1da 100644
++--- a/libknet/tests/api_knet_strtoaddr.c
+++++ b/libknet/tests/api_knet_strtoaddr.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++index 93dff63..41e7d59 100644
++--- a/libknet/tests/int_links_acl_ip.c
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/int_timediff.c b/libknet/tests/int_timediff.c
++index 12735d8..a878a31 100644
++--- a/libknet/tests/int_timediff.c
+++++ b/libknet/tests/int_timediff.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/knet_bench.c b/libknet/tests/knet_bench.c
++index 00cd58b..dfe5238 100644
++--- a/libknet/tests/knet_bench.c
+++++ b/libknet/tests/knet_bench.c
++@@ -3,7 +3,7 @@
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/tests/pckt_test.c b/libknet/tests/pckt_test.c
++index 56cf018..f3e2100 100644
++--- a/libknet/tests/pckt_test.c
+++++ b/libknet/tests/pckt_test.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include <stdio.h>
++diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
++index a4ff297..cd3f6c4 100644
++--- a/libknet/tests/test-common.c
+++++ b/libknet/tests/test-common.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index 53a6f9f..1f3e1e3 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_dsthandler.c b/libknet/threads_dsthandler.c
++index 2633188..0776107 100644
++--- a/libknet/threads_dsthandler.c
+++++ b/libknet/threads_dsthandler.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 8def9b8..8f8a7ec 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index b4ee632..603f595 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 626cbc4..b2a5dad 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index 8096906..32d65d5 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -4,7 +4,7 @@
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *          Federico Simoncelli <fsimon at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_common.c b/libknet/transport_common.c
++index fe40ad8..7286643 100644
++--- a/libknet/transport_common.c
+++++ b/libknet/transport_common.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_loopback.c b/libknet/transport_loopback.c
++index 54129d7..17253f5 100644
++--- a/libknet/transport_loopback.c
+++++ b/libknet/transport_loopback.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 2c1cdcc..d97d6f9 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 1537438..53d2ba0 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 51712df..93119c5 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/internals.c b/libnozzle/internals.c
++index f056e3b..53c0cdb 100644
++--- a/libnozzle/internals.c
+++++ b/libnozzle/internals.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/libnozzle.c b/libnozzle/libnozzle.c
++index b6e9566..15863ec 100644
++--- a/libnozzle/libnozzle.c
+++++ b/libnozzle/libnozzle.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under LGPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_add_ip.c b/libnozzle/tests/api_nozzle_add_ip.c
++index bb81ba7..a9d76c6 100644
++--- a/libnozzle/tests/api_nozzle_add_ip.c
+++++ b/libnozzle/tests/api_nozzle_add_ip.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_close.c b/libnozzle/tests/api_nozzle_close.c
++index f1cbc77..7ba17c4 100644
++--- a/libnozzle/tests/api_nozzle_close.c
+++++ b/libnozzle/tests/api_nozzle_close.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_del_ip.c b/libnozzle/tests/api_nozzle_del_ip.c
++index 0178bb0..625484f 100644
++--- a/libnozzle/tests/api_nozzle_del_ip.c
+++++ b/libnozzle/tests/api_nozzle_del_ip.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_fd.c b/libnozzle/tests/api_nozzle_get_fd.c
++index 9b29faf..5dc5b4c 100644
++--- a/libnozzle/tests/api_nozzle_get_fd.c
+++++ b/libnozzle/tests/api_nozzle_get_fd.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_handle_by_name.c b/libnozzle/tests/api_nozzle_get_handle_by_name.c
++index 83c39bb..1fa5a0a 100644
++--- a/libnozzle/tests/api_nozzle_get_handle_by_name.c
+++++ b/libnozzle/tests/api_nozzle_get_handle_by_name.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_ips.c b/libnozzle/tests/api_nozzle_get_ips.c
++index c41024f..446a79a 100644
++--- a/libnozzle/tests/api_nozzle_get_ips.c
+++++ b/libnozzle/tests/api_nozzle_get_ips.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_mac.c b/libnozzle/tests/api_nozzle_get_mac.c
++index 1318ba5..f4c72cc 100644
++--- a/libnozzle/tests/api_nozzle_get_mac.c
+++++ b/libnozzle/tests/api_nozzle_get_mac.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_mtu.c b/libnozzle/tests/api_nozzle_get_mtu.c
++index 07b05ee..1b1f85e 100644
++--- a/libnozzle/tests/api_nozzle_get_mtu.c
+++++ b/libnozzle/tests/api_nozzle_get_mtu.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_get_name_by_handle.c b/libnozzle/tests/api_nozzle_get_name_by_handle.c
++index 5b8152b..0fe9eb4 100644
++--- a/libnozzle/tests/api_nozzle_get_name_by_handle.c
+++++ b/libnozzle/tests/api_nozzle_get_name_by_handle.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_open.c b/libnozzle/tests/api_nozzle_open.c
++index ee15316..413f2c2 100644
++--- a/libnozzle/tests/api_nozzle_open.c
+++++ b/libnozzle/tests/api_nozzle_open.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_run_updown.c b/libnozzle/tests/api_nozzle_run_updown.c
++index c80216a..1536b5b 100644
++--- a/libnozzle/tests/api_nozzle_run_updown.c
+++++ b/libnozzle/tests/api_nozzle_run_updown.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_down.c b/libnozzle/tests/api_nozzle_set_down.c
++index 90623ba..9466bdb 100644
++--- a/libnozzle/tests/api_nozzle_set_down.c
+++++ b/libnozzle/tests/api_nozzle_set_down.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_mac.c b/libnozzle/tests/api_nozzle_set_mac.c
++index dba7d49..244e866 100644
++--- a/libnozzle/tests/api_nozzle_set_mac.c
+++++ b/libnozzle/tests/api_nozzle_set_mac.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_mtu.c b/libnozzle/tests/api_nozzle_set_mtu.c
++index fc8ee1c..ce4ccbb 100644
++--- a/libnozzle/tests/api_nozzle_set_mtu.c
+++++ b/libnozzle/tests/api_nozzle_set_mtu.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/api_nozzle_set_up.c b/libnozzle/tests/api_nozzle_set_up.c
++index d8de39d..d258b6a 100644
++--- a/libnozzle/tests/api_nozzle_set_up.c
+++++ b/libnozzle/tests/api_nozzle_set_up.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/int_execute_bin_sh_command.c b/libnozzle/tests/int_execute_bin_sh_command.c
++index 87531c0..97422a2 100644
++--- a/libnozzle/tests/int_execute_bin_sh_command.c
+++++ b/libnozzle/tests/int_execute_bin_sh_command.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/libnozzle/tests/test-common.c b/libnozzle/tests/test-common.c
++index c84aac1..b36be79 100644
++--- a/libnozzle/tests/test-common.c
+++++ b/libnozzle/tests/test-common.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ #include "config.h"
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index 7d9a60c..2f28976 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ 
++diff --git a/poc-code/iov-hash/main.c b/poc-code/iov-hash/main.c
++index 61d2e12..fa407a2 100644
++--- a/poc-code/iov-hash/main.c
+++++ b/poc-code/iov-hash/main.c
++@@ -3,7 +3,7 @@
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
+++ * This software licensed under GPL-2.0+
++  */
++ 
++ /* Example code to illustrate DES enccryption/decryption using NSS.
++diff --git a/build-aux/check.mk b/build-aux/check.mk
++index 6da4417..f42e552 100644
++--- a/build-aux/check.mk
+++++ b/build-aux/check.mk
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ VALGRIND = $(VALGRIND_EXEC) -q --error-exitcode=127 --gen-suppressions=all
++diff --git a/build-aux/release.mk b/build-aux/release.mk
++index de3599d..003125d 100644
++--- a/build-aux/release.mk
+++++ b/build-aux/release.mk
++@@ -3,7 +3,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ # to build official release tarballs, handle tagging and publish.
++diff --git a/build-aux/update-copyright.sh b/build-aux/update-copyright.sh
++index fd50f8e..62c449c 100755
++--- a/build-aux/update-copyright.sh
+++++ b/build-aux/update-copyright.sh
++@@ -1,10 +1,10 @@
++ #!/bin/sh
++ #
++-# Copyright (C) 2017 Red Hat, Inc.  All rights reserved.
+++# Copyright (C) 2017-2019 Red Hat, Inc.  All rights reserved.
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ # script to update copyright dates across the tree
++diff --git a/init/kronosnetd.default b/init/kronosnetd.default
++index ed94648..9f6755c 100644
++--- a/init/kronosnetd.default
+++++ b/init/kronosnetd.default
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ 
++diff --git a/libknet/libknet_exported_syms b/libknet/libknet_exported_syms
++index d8a55e2..1d8bddb 100644
++--- a/libknet/libknet_exported_syms
+++++ b/libknet/libknet_exported_syms
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++ 
++ LIBKNET {
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 427c388..102ec52 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -3,7 +3,7 @@
++ #
++ # Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ api_checks		= \
++diff --git a/libknet/tests/api-test-coverage b/libknet/tests/api-test-coverage
++index bf0ccc3..e988ab1 100755
++--- a/libknet/tests/api-test-coverage
+++++ b/libknet/tests/api-test-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ srcdir="$1"/libknet/tests
++diff --git a/libnozzle/libnozzle_exported_syms b/libnozzle/libnozzle_exported_syms
++index 934b204..f6f62d2 100644
++--- a/libnozzle/libnozzle_exported_syms
+++++ b/libnozzle/libnozzle_exported_syms
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under LGPL-2.0+
++ #
++ 
++ LIBNOZZLE {
++diff --git a/libnozzle/tests/api-test-coverage b/libnozzle/tests/api-test-coverage
++index cd99edf..4049ad9 100755
++--- a/libnozzle/tests/api-test-coverage
+++++ b/libnozzle/tests/api-test-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ srcdir="$1"/libnozzle/tests
++diff --git a/libnozzle/tests/nozzle_run_updown_exit_false b/libnozzle/tests/nozzle_run_updown_exit_false
++index 3f03ff6..795456a 100755
++--- a/libnozzle/tests/nozzle_run_updown_exit_false
+++++ b/libnozzle/tests/nozzle_run_updown_exit_false
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ exit 1
++diff --git a/libnozzle/tests/nozzle_run_updown_exit_true b/libnozzle/tests/nozzle_run_updown_exit_true
++index bbdcdd6..7b6e355 100755
++--- a/libnozzle/tests/nozzle_run_updown_exit_true
+++++ b/libnozzle/tests/nozzle_run_updown_exit_true
++@@ -5,7 +5,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ exit 0
++diff --git a/man/api-to-man-page-coverage b/man/api-to-man-page-coverage
++index b9dc18f..a1f54a3 100755
++--- a/man/api-to-man-page-coverage
+++++ b/man/api-to-man-page-coverage
++@@ -4,7 +4,7 @@
++ #
++ # Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ #
++-# This software licensed under GPL-2.0+, LGPL-2.0+
+++# This software licensed under GPL-2.0+
++ #
++ 
++ err=0
++diff --git a/man/knet-keygen.8 b/man/knet-keygen.8
++index 67ecf1f..96109c6 100644
++--- a/man/knet-keygen.8
+++++ b/man/knet-keygen.8
++@@ -5,7 +5,7 @@
++ .\" *
++ .\" * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ .\" *
++-.\" * This software licensed under GPL-2.0+, LGPL-2.0+
+++.\" * This software licensed under GPL-2.0+
++ .\" */
++ .TH "KRONOSNETD" "8" "November 2012" "kronosnetd key generator." "System Administration Utilities"
++ 
++diff --git a/man/kronosnetd.8 b/man/kronosnetd.8
++index 5661e1c..f4480be 100644
++--- a/man/kronosnetd.8
+++++ b/man/kronosnetd.8
++@@ -5,7 +5,7 @@
++ .\" *
++ .\" * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++ .\" *
++-.\" * This software licensed under GPL-2.0+, LGPL-2.0+
+++.\" * This software licensed under GPL-2.0+
++ .\" */
++ .TH "KRONOSNETD" "8" "November 2012" "kronosnetd Usage:" "System Administration Utilities"
++ 
+diff --git a/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch b/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+new file mode 100644
+index 0000000..2404d7a
+--- /dev/null
++++ b/debian/patches/PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
+@@ -0,0 +1,79 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:37:15 +0200
++Subject: [PMTUd] create common/shared code to trigger PMTUd rerun
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5b02bef11afda959dc8cea4adc383f80ff0e9273)
++---
++ libknet/threads_common.h |  1 +
++ libknet/threads_common.c | 20 ++++++++++++++++++++
++ libknet/transport_udp.c  | 17 +----------------
++ 3 files changed, 22 insertions(+), 16 deletions(-)
++
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index 79aaed2..19336ce 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -45,5 +45,6 @@ int shutdown_in_progress(knet_handle_t knet_h);
++ int get_global_wrlock(knet_handle_t knet_h);
++ int set_thread_status(knet_handle_t knet_h, uint8_t thread_id, uint8_t status);
++ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status);
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem);
++ 
++ #endif
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index b6012a2..61ffd82 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -156,3 +156,23 @@ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status)
++ 
++ 	return 0;
++ }
+++
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem)
+++{
+++	/*
+++	 * we can only try to take a lock here. This part of the code
+++	 * can be invoked by any thread, including PMTUd that is already
+++	 * holding a lock at that stage.
+++	 * If PMTUd is holding the lock, most likely it is already running
+++	 * and we don't need to notify it back.
+++	 */
+++	if (!pthread_mutex_trylock(&knet_h->pmtud_mutex)) {
+++		if (!knet_h->pmtud_running) {
+++			if (!knet_h->pmtud_forcerun) {
+++				log_debug(knet_h, subsystem, "Notifying PMTUd to rerun");
+++				knet_h->pmtud_forcerun = 1;
+++			}
+++		}
+++		pthread_mutex_unlock(&knet_h->pmtud_mutex);
+++	}
+++}
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 3fd69ee..232dbcb 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -340,22 +340,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 									pthread_mutex_unlock(&knet_h->kmtu_mutex);
++ 								}
++ 
++-								/*
++-								 * we can only try to take a lock here. This part of the code
++-								 * can be invoked by any thread, including PMTUd that is already
++-								 * holding a lock at that stage.
++-								 * If PMTUd is holding the lock, most likely it is already running
++-								 * and we don't need to notify it back.
++-								 */
++-								if (!pthread_mutex_trylock(&knet_h->pmtud_mutex)) {
++-									if (!knet_h->pmtud_running) {
++-										if (!knet_h->pmtud_forcerun) {
++-											log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Notifying PMTUd to rerun");
++-											knet_h->pmtud_forcerun = 1;
++-										}
++-									}
++-									pthread_mutex_unlock(&knet_h->pmtud_mutex);
++-								}
+++								force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP);
++ 							}
++ 							/*
++ 							 * those errors are way too noisy
+diff --git a/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch b/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+new file mode 100644
+index 0000000..31f4550
+--- /dev/null
++++ b/debian/patches/PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 05:35:24 +0200
++Subject: [PMTUd] extend internal rerun API to allow full PMTUd reset
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6542aa98cccb2c9bc2c201ef47538a787a5e05fd)
++---
++ libknet/threads_common.h |  2 +-
++ libknet/handle.c         |  2 +-
++ libknet/threads_common.c | 11 ++++++++++-
++ libknet/transport_udp.c  |  2 +-
++ 4 files changed, 13 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/threads_common.h b/libknet/threads_common.h
++index 19336ce..cff7691 100644
++--- a/libknet/threads_common.h
+++++ b/libknet/threads_common.h
++@@ -45,6 +45,6 @@ int shutdown_in_progress(knet_handle_t knet_h);
++ int get_global_wrlock(knet_handle_t knet_h);
++ int set_thread_status(knet_handle_t knet_h, uint8_t thread_id, uint8_t status);
++ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status);
++-void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem);
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem, uint8_t reset_mtu);
++ 
++ #endif
++diff --git a/libknet/handle.c b/libknet/handle.c
++index e95c6c1..251d332 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1408,7 +1408,7 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++ 
++ exit_unlock:
++ 	if (!err) {
++-		force_pmtud_run(knet_h, KNET_SUB_CRYPTO);
+++		force_pmtud_run(knet_h, KNET_SUB_CRYPTO, 1);
++ 	}
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++ 	errno = err ? savederrno : 0;
++diff --git a/libknet/threads_common.c b/libknet/threads_common.c
++index 61ffd82..53a6f9f 100644
++--- a/libknet/threads_common.c
+++++ b/libknet/threads_common.c
++@@ -157,8 +157,17 @@ int wait_all_threads_status(knet_handle_t knet_h, uint8_t status)
++ 	return 0;
++ }
++ 
++-void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem)
+++void force_pmtud_run(knet_handle_t knet_h, uint8_t subsystem, uint8_t reset_mtu)
++ {
+++	if (reset_mtu) {
+++		log_debug(knet_h, subsystem, "PMTUd has been reset to default");
+++		knet_h->data_mtu = KNET_PMTUD_MIN_MTU_V4 - KNET_HEADER_ALL_SIZE - knet_h->sec_header_size;
+++		if (knet_h->pmtud_notify_fn) {
+++			knet_h->pmtud_notify_fn(knet_h->pmtud_notify_fn_private_data,
+++						knet_h->data_mtu);
+++		}
+++	}
+++
++ 	/*
++ 	 * we can only try to take a lock here. This part of the code
++ 	 * can be invoked by any thread, including PMTUd that is already
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index 232dbcb..1537438 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -340,7 +340,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 									pthread_mutex_unlock(&knet_h->kmtu_mutex);
++ 								}
++ 
++-								force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP);
+++								force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP, 0);
++ 							}
++ 							/*
++ 							 * those errors are way too noisy
+diff --git a/debian/patches/access-lists-add-access-lists-support-to-sctp.patch b/debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+new file mode 100644
+index 0000000..d962193
+--- /dev/null
++++ b/debian/patches/access-lists-add-access-lists-support-to-sctp.patch
+@@ -0,0 +1,96 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 07:49:13 +0100
++Subject: [access lists] add access lists support to sctp
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d2333aab530d06ec502131aea03281ac13263d99)
++---
++ libknet/transport_sctp.c | 33 +++++++++++++++++++++++++++++++++
++ 1 file changed, 33 insertions(+)
++
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index cb64a32..0d69a33 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -19,6 +19,7 @@
++ #include "compat.h"
++ #include "host.h"
++ #include "links.h"
+++#include "links_acl.h"
++ #include "logging.h"
++ #include "common.h"
++ #include "transport_common.h"
++@@ -728,6 +729,15 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ 
++ 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ 						addr_str, port_str);
+++	if (knet_h->use_access_lists) {
+++		if (!ipcheck_validate(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry, &ss)) {
+++			savederrno = EINVAL;
+++			err = -1;
+++			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+++			close(new_fd);
+++			goto exit_error;
+++		}
+++	}
++ 
++ 	/*
++ 	 * Keep a track of all accepted FDs
++@@ -936,6 +946,11 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 	 */
++ 	knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+++					    &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++			if (err) {
+++				return NULL;
+++			}
++ 			return info;
++ 		}
++ 	}
++@@ -990,6 +1005,15 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 		goto exit_error;
++ 	}
++ 
+++	if (ipcheck_addip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+++			  &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++		savederrno = errno;
+++		err = -1;
+++		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
+++			strerror(savederrno));
+++		goto exit_error;
+++	}
+++
++ 	memset(&ev, 0, sizeof(struct epoll_event));
++ 	ev.events = EPOLLIN;
++ 	ev.data.fd = listen_sock;
++@@ -1012,6 +1036,8 @@ exit_error:
++ 		if (info->on_listener_epoll) {
++ 			epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ 		}
+++		ipcheck_rmip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+++			     &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 		if (listen_sock >= 0) {
++ 			close(listen_sock);
++ 		}
++@@ -1050,6 +1076,11 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ 		}
++ 	}
++ 
+++	if (ipcheck_rmip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+++			 &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
+++	}
+++
++ 	if (found) {
++ 		this_link_info->listener = NULL;
++ 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP listener socket %d still in use", info->listen_sock);
++@@ -1080,6 +1111,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ 		goto exit_error;
++ 	}
++ 
+++	check_rmall(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry);
+++
++ 	close(info->listen_sock);
++ 
++ 	for (i=0; i< MAX_ACCEPTED_SOCKS; i++) {
+diff --git a/debian/patches/access-lists-add-documentation-for-enable_access_list.patch b/debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+new file mode 100644
+index 0000000..e07e54a
+--- /dev/null
++++ b/debian/patches/access-lists-add-documentation-for-enable_access_list.patch
+@@ -0,0 +1,58 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 2 Mar 2019 07:49:19 +0100
++Subject: [access lists] add documentation for enable_access_list
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 21cf1a648999774053a9c7386b13eb5a64c1c7db)
++---
++ libknet/libknet.h | 28 ++++++++++++++++++++++------
++ 1 file changed, 22 insertions(+), 6 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 4283afe..03bbd97 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -505,21 +505,37 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++ /**
++  * knet_handle_enable_access_lists
++  *
++- * @brief Start packet forwarding
+++ * @brief Enable or disable usage of access lists (default: off)
++  *
++  * knet_h   - pointer to knet_handle_t
++  *
++- * enable   - set to 1 to use ip access lists, 0 to disable ip access_lists.
+++ * enable   - set to 1 to use access lists, 0 to disable access_lists.
++  *
++  * @return
++  * knet_handle_enable_access_lists returns
++  * 0 on success
++  * -1 on error and errno is set.
++  *
++- * By default access lists usage is off, but default internal access lists
++- * will be populated regardless, but not enforced. TODO add long explanation
++- * on internal access lists for point to point connections vs global
++- * listeners etc.
+++ * access lists are bound to links. There are 2 types of links:
+++ * 1) point to point, where both source and destinations are well known
+++ *    at configuration time.
+++ * 2) open links, where only the source is known at configuration time.
+++ *
+++ * knet will automatically generate access lists for point to point links.
+++ *
+++ * For open links, knet provides 3 API calls to manipulate access lists:
+++ * knet_link_add_acl, knet_link_rm_acl and knet_link_clear_acl.
+++ * Those API calls will work only and exclusively on open links as they
+++ * provide no use for point to point links.
+++ *
+++ * knet will not enforce any access list unless specifically enabled by
+++ * knet_handle_enable_access_lists.
+++ *
+++ * From a security / programming perspective we recommend to:
+++ * - create the knet handle
+++ * - enable access lists
+++ * - configure hosts and links
+++ * - configure access lists for open links
++  */
++ 
++ int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
+diff --git a/debian/patches/access-lists-add-errno-around-and-start-using-them.patch b/debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+new file mode 100644
+index 0000000..12c0f24
+--- /dev/null
++++ b/debian/patches/access-lists-add-errno-around-and-start-using-them.patch
+@@ -0,0 +1,195 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 10:43:04 +0100
++Subject: [access lists] add errno around and start using them
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 9a5babce2066ecb61a5647345792675c2f9f416b)
++---
++ libknet/links.c          | 14 +++++++-------
++ libknet/links_acl.c      |  9 +++++++++
++ libknet/links_acl_ip.c   | 12 ++++++++++--
++ libknet/transport_sctp.c | 16 +++++++---------
++ 4 files changed, 33 insertions(+), 18 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index dd64a15..1d21d05 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,9 +245,9 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++ 		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ 			  host_id, link_id, link->outsock);
++-		if (check_add(knet_h, link->outsock, transport,
++-			      &link->dst_addr, &link->dst_addr,
++-			      CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		if ((check_add(knet_h, link->outsock, transport,
+++			       &link->dst_addr, &link->dst_addr,
+++			       CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ 			savederrno = errno;
++ 			err = -1;
++@@ -428,11 +428,11 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 */
++ 	if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++-		if (check_rm(knet_h, link->outsock, link->transport,
++-			     &link->dst_addr, &link->dst_addr,
++-			     CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		if ((check_rm(knet_h, link->outsock, link->transport,
+++			      &link->dst_addr, &link->dst_addr,
+++			      CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
++ 			err = -1;
++-			savederrno = EBUSY;
+++			savederrno = errno;
++ 			log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
++ 				host_id, link_id);
++ 			goto exit_unlock;
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index cfcc1fd..7605fe9 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -8,6 +8,7 @@
++ 
++ #include "config.h"
++ 
+++#include <errno.h>
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++@@ -19,6 +20,11 @@
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
++ 
+++/*
+++ * all those functions will return errno from the
+++ * protocol specific functions
+++ */
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	      check_type_t type, check_acceptreject_t acceptreject)
++@@ -27,6 +33,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 
++ 	switch(transport_get_proto(knet_h, transport)) {
++ 		case LOOPBACK:
+++			errno = 0;
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++@@ -47,6 +54,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 
++ 	switch(transport_get_proto(knet_h, transport)) {
++ 		case LOOPBACK:
+++			errno = 0;
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++@@ -80,6 +88,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ {
++ 	switch(transport_get_proto(knet_h, transport)) {
++ 		case LOOPBACK:
+++			errno = 0;
++ 			return 1;
++ 			break;
++ 		case IP_PROTO:
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index ffd18a4..58c7b28 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -8,6 +8,7 @@
++ 
++ #include "config.h"
++ 
+++#include <errno.h>
++ #include <sys/socket.h>
++ #include <netinet/in.h>
++ #include <stdint.h>
++@@ -202,6 +203,7 @@ int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++ 
++ 	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++ 	if (!rm_match_entry) {
+++		errno = ENOENT;
++ 		return -1;
++ 	}
++ 
++@@ -237,24 +239,30 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ 	struct acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	if (!ip1) {
+++		errno = EINVAL;
++ 		return -1;
++ 	}
++ 
++ 	if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++		errno = EINVAL;
++ 		return -1;
++ 	}
++ 
++ 	if (type == CHECK_TYPE_RANGE &&
++-	    (ip1->ss_family != ip2->ss_family))
+++	    (ip1->ss_family != ip2->ss_family)) {
+++		errno = EINVAL;
++ 		return -1;
+++	}
++ 
++ 	if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++		errno = EEXIST;
++ 		return -1;
++ 	}
++ 
++ 	new_match_entry = malloc(sizeof(struct acl_match_entry));
++-	if (!new_match_entry)
+++	if (!new_match_entry) {
++ 		return -1;
+++	}
++ 
++ 	memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++ 	memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index ff7903c..aa0de9d 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -948,9 +948,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 	 */
++ 	knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++-			err = check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
++-					&kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-			if (err) {
+++			if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++				       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 				return NULL;
++ 			}
++ 			return info;
++@@ -1007,8 +1006,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 		goto exit_error;
++ 	}
++ 
++-	if (check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
++-		      &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++	if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++		       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 		savederrno = errno;
++ 		err = -1;
++ 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
++@@ -1038,8 +1037,7 @@ exit_error:
++ 		if (info->on_listener_epoll) {
++ 			epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ 		}
++-		check_rm(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
++-			 &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++		check_rmall(knet_h, listen_sock, KNET_TRANSPORT_SCTP);
++ 		if (listen_sock >= 0) {
++ 			close(listen_sock);
++ 		}
++@@ -1078,8 +1076,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ 		}
++ 	}
++ 
++-	if (check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
++-		     &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++	if ((check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++		      &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
++ 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
++ 	}
++ 
+diff --git a/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch b/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+new file mode 100644
+index 0000000..e872279
+--- /dev/null
++++ b/debian/patches/access-lists-add-external-API-calls-to-manage-access-list.patch
+@@ -0,0 +1,746 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 4 Mar 2019 13:07:04 +0100
++Subject: [access lists] add external API calls to manage access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6373dd2358b816beab2cc87bdf8ff196480b60cc)
++---
++ man/Makefile.am               |   7 +-
++ libknet/libknet.h             | 157 +++++++++++++++++++++-
++ libknet/links_acl.h           |  15 +--
++ libknet/links_acl_ip.h        |   2 +-
++ libknet/links_acl_loopback.h  |   2 +-
++ libknet/links.c               | 306 +++++++++++++++++++++++++++++++++++++++++-
++ libknet/links_acl.c           |   4 +-
++ libknet/links_acl_ip.c        |  49 ++++---
++ libknet/links_acl_loopback.c  |   2 +-
++ libknet/tests/int_links_acl.c |   4 +-
++ libknet/transport_sctp.c      |   4 +-
++ 11 files changed, 504 insertions(+), 48 deletions(-)
++
++diff --git a/man/Makefile.am b/man/Makefile.am
++index 6c15f0d..0ad12f6 100644
++--- a/man/Makefile.am
+++++ b/man/Makefile.am
++@@ -95,7 +95,12 @@ knet_man3_MANS = \
++ 		knet_recv.3 \
++ 		knet_send.3 \
++ 		knet_send_sync.3 \
++-		knet_strtoaddr.3
+++		knet_strtoaddr.3 \
+++		knet_handle_enable_access_lists.3 \
+++		knet_link_add_acl.3 \
+++		knet_link_insert_acl.3 \
+++		knet_link_rm_acl.3 \
+++		knet_link_clear_acl.3
++ 
++ if BUILD_LIBNOZZLE
++ nozzle_man3_MANS = \
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 03bbd97..d616e11 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -524,12 +524,12 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++  * knet will automatically generate access lists for point to point links.
++  *
++  * For open links, knet provides 3 API calls to manipulate access lists:
++- * knet_link_add_acl, knet_link_rm_acl and knet_link_clear_acl.
+++ * knet_link_add_acl(3), knet_link_rm_acl(3) and knet_link_clear_acl(3).
++  * Those API calls will work only and exclusively on open links as they
++  * provide no use for point to point links.
++  *
++  * knet will not enforce any access list unless specifically enabled by
++- * knet_handle_enable_access_lists.
+++ * knet_handle_enable_access_lists(3).
++  *
++  * From a security / programming perspective we recommend to:
++  * - create the knet handle
++@@ -1477,6 +1477,159 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 
++ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
++ 
+++/*
+++ * access lists management for open links
+++ * see also knet_handle_enable_access_lists(3)
+++ */
+++
+++/*
+++ * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
+++ *                    for example: 10.1.9.3/32
+++ *                    and the entry is stored in ss1. ss2 can be NULL.
+++ *
+++ * CHECK_TYPE_MASK    is used to configure network/netmask.
+++ *                    for example: 192.168.0.0/24
+++ *                    the network is stored in ss1 and the netmask in ss2.
+++ *
+++ * CHECK_TYPE_RANGE   defines a value / range of ip addresses.
+++ *                    for example: 172.16.0.1-172.16.0.10
+++ *                    the start is stored in ss1 and the end in ss2.
+++ *
+++ * Please be aware that the above examples refers only to IP based protocols.
+++ * Other protocols might use ss1 and ss2 in slightly different ways.
+++ * At the moment knet only supports IP based protocol and that might change
+++ * in the future.
+++ */
+++
+++typedef enum {
+++	CHECK_TYPE_ADDRESS,
+++	CHECK_TYPE_MASK,
+++	CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++/*
+++ * accept or reject incoming packets defined in the access list entry
+++ */
+++
+++typedef enum {
+++	CHECK_ACCEPT,
+++	CHECK_REJECT
+++} check_acceptreject_t;
+++
+++/**
+++ * knet_link_add_acl
+++ *
+++ * @brief Add access list entry to an open link
+++ *
+++ * knet_h    - pointer to knet_handle_t
+++ *
+++ * host_id   - see knet_host_add(3)
+++ *
+++ * link_id   - see knet_link_set_config(3)
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * IMPORTANT: the order in which access lists are added is critical and it
+++ *            is left to the user to add them in the right order. knet
+++ *            will do no attempt to logically sort them.
+++ *
+++ *            For example:
+++ *            1 - accept from 10.0.0.0/8
+++ *            2 - reject from 10.0.0.1/32
+++ *
+++ *            is not the same as:
+++ *
+++ *            1 - reject from 10.0.0.1/32
+++ *            2 - accept from 10.0.0.0/8
+++ *
+++ *            In the first example, rule number 2 will never match because
+++ *            packets from 10.0.0.1 will be accepted by rule number 1.
+++ *
+++ * @return
+++ * knet_link_add_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++		      struct sockaddr_storage *ss1,
+++		      struct sockaddr_storage *ss2,
+++		      check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_insert_acl
+++ *
+++ * @brief Insert access list entry to an open link at given index
+++ *
+++ * knet_h    - pointer to knet_handle_t
+++ *
+++ * host_id   - see knet_host_add(3)
+++ *
+++ * link_id   - see knet_link_set_config(3)
+++ *
+++ * index     - insert at position "index" where 0 is the first entry and -1
+++ *             append to the current list.
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * @return
+++ * knet_link_insert_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++			 int index,
+++			 struct sockaddr_storage *ss1,
+++			 struct sockaddr_storage *ss2,
+++			 check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_rm_acl
+++ *
+++ * @brief Remove access list entry from an open link
+++ *
+++ * knet_h    - pointer to knet_handle_t
+++ *
+++ * host_id   - see knet_host_add(3)
+++ *
+++ * link_id   - see knet_link_set_config(3)
+++ *
+++ * ss1 / ss2 / type / acceptreject - see typedef definitions for details
+++ *
+++ * IMPORTANT: the data passed to this API call must match exactly the ones used
+++ *            in knet_link_add_acl(3).
+++ *
+++ * @return
+++ * knet_link_rm_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++		     struct sockaddr_storage *ss1,
+++		     struct sockaddr_storage *ss2,
+++		     check_type_t type, check_acceptreject_t acceptreject);
+++
+++/**
+++ * knet_link_clear_acl
+++ *
+++ * @brief Remove all access list entries from an open link
+++ *
+++ * knet_h    - pointer to knet_handle_t
+++ *
+++ * host_id   - see knet_host_add(3)
+++ *
+++ * link_id   - see knet_link_set_config(3)
+++ *
+++ * @return
+++ * knet_link_clear_acl
+++ * 0 on success.
+++ * -1 on error and errno is set.
+++ */
+++
+++int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
+++
++ /**
++  * knet_link_set_enable
++  *
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index a64faa1..60f7812 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,23 +11,12 @@
++ 
++ #include "internals.h"
++ 
++-typedef enum {
++-	CHECK_TYPE_ADDRESS,
++-	CHECK_TYPE_MASK,
++-	CHECK_TYPE_RANGE
++-} check_type_t;
++-
++-typedef enum {
++-	CHECK_ACCEPT,
++-	CHECK_REJECT
++-} check_acceptreject_t;
++-
++ typedef struct {
++ 	uint8_t				transport_proto;
++ 
++ 	int (*protocheck_validate)	(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++-	int (*protocheck_add)		(void *fd_tracker_match_entry_head,
+++	int (*protocheck_add)		(void *fd_tracker_match_entry_head, int index,
++ 					 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 					 check_type_t type, check_acceptreject_t acceptreject);
++ 
++@@ -38,7 +27,7 @@ typedef struct {
++ 	void (*protocheck_rmall)	(void *fd_tracker_match_entry_head);
++ } check_ops_t;
++ 
++-int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
++ 	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	      check_type_t type, check_acceptreject_t acceptreject);
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index e069b99..fac58e2 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -14,7 +14,7 @@
++ 
++ int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++-int ipcheck_addip(void *fd_tracker_match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head, int index,
++ 		  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		  check_type_t type, check_acceptreject_t acceptreject);
++ 
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index 73a9704..e75c4a4 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -14,7 +14,7 @@
++ 
++ int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++-int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++int loopbackcheck_add(void *fd_tracker_match_entry_head, int index,
++ 		      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		      check_type_t type, check_acceptreject_t acceptreject);
++ 
++diff --git a/libknet/links.c b/libknet/links.c
++index 1d21d05..0f02006 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,7 +245,7 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++ 		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ 			  host_id, link_id, link->outsock);
++-		if ((check_add(knet_h, link->outsock, transport,
+++		if ((check_add(knet_h, link->outsock, transport, -1,
++ 			       &link->dst_addr, &link->dst_addr,
++ 			       CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++@@ -1148,3 +1148,307 @@ exit_unlock:
++ 	errno = err ? savederrno : 0;
++ 	return err;
++ }
+++
+++int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++		      struct sockaddr_storage *ss1,
+++		      struct sockaddr_storage *ss2,
+++		      check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	int savederrno = 0, err = 0;
+++	struct knet_host *host;
+++	struct knet_link *link;
+++
+++	if (!knet_h) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if (!ss1) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type == CHECK_TYPE_RANGE) &&
+++	    (ss1->ss_family != ss2->ss_family)) {
+++			errno = EINVAL;
+++			return -1;
+++	}
+++
+++	if (link_id >= KNET_MAX_LINK) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	savederrno = get_global_wrlock(knet_h);
+++	if (savederrno) {
+++		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++			strerror(savederrno));
+++		errno = savederrno;
+++		return -1;
+++	}
+++
+++	host = knet_h->host_index[host_id];
+++	if (!host) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++			host_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	link = &host->link[link_id];
+++
+++	if (!link->configured) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	if (link->dynamic != KNET_LINK_DYNIP) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, -1,
+++			ss1, ss2, type, acceptreject);
+++	savederrno = errno;
+++
+++exit_unlock:
+++	pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++	errno = savederrno;
+++	return err;
+++}
+++
+++int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++			 int index,
+++			 struct sockaddr_storage *ss1,
+++			 struct sockaddr_storage *ss2,
+++			 check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	int savederrno = 0, err = 0;
+++	struct knet_host *host;
+++	struct knet_link *link;
+++
+++	if (!knet_h) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if (!ss1) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type == CHECK_TYPE_RANGE) &&
+++	    (ss1->ss_family != ss2->ss_family)) {
+++			errno = EINVAL;
+++			return -1;
+++	}
+++
+++	if (link_id >= KNET_MAX_LINK) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	savederrno = get_global_wrlock(knet_h);
+++	if (savederrno) {
+++		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++			strerror(savederrno));
+++		errno = savederrno;
+++		return -1;
+++	}
+++
+++	host = knet_h->host_index[host_id];
+++	if (!host) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++			host_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	link = &host->link[link_id];
+++
+++	if (!link->configured) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	if (link->dynamic != KNET_LINK_DYNIP) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, index,
+++			ss1, ss2, type, acceptreject);
+++	savederrno = errno;
+++
+++exit_unlock:
+++	pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++	errno = savederrno;
+++	return err;
+++}
+++
+++int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+++		     struct sockaddr_storage *ss1,
+++		     struct sockaddr_storage *ss2,
+++		     check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	int savederrno = 0, err = 0;
+++	struct knet_host *host;
+++	struct knet_link *link;
+++
+++	if (!knet_h) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if (!ss1) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((type == CHECK_TYPE_RANGE) &&
+++	    (ss1->ss_family != ss2->ss_family)) {
+++			errno = EINVAL;
+++			return -1;
+++	}
+++
+++	if (link_id >= KNET_MAX_LINK) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	savederrno = get_global_wrlock(knet_h);
+++	if (savederrno) {
+++		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++			strerror(savederrno));
+++		errno = savederrno;
+++		return -1;
+++	}
+++
+++	host = knet_h->host_index[host_id];
+++	if (!host) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++			host_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	link = &host->link[link_id];
+++
+++	if (!link->configured) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	if (link->dynamic != KNET_LINK_DYNIP) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	err = check_rm(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport,
+++		       ss1, ss2, type, acceptreject);
+++	savederrno = errno;
+++
+++exit_unlock:
+++	pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++	errno = savederrno;
+++	return err;
+++}
+++
+++int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id)
+++{
+++	int savederrno = 0, err = 0;
+++	struct knet_host *host;
+++	struct knet_link *link;
+++
+++	if (!knet_h) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if (link_id >= KNET_MAX_LINK) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	savederrno = get_global_wrlock(knet_h);
+++	if (savederrno) {
+++		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++			strerror(savederrno));
+++		errno = savederrno;
+++		return -1;
+++	}
+++
+++	host = knet_h->host_index[host_id];
+++	if (!host) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
+++			host_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	link = &host->link[link_id];
+++
+++	if (!link->configured) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	if (link->dynamic != KNET_LINK_DYNIP) {
+++		err = -1;
+++		savederrno = EINVAL;
+++		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
+++			host_id, link_id, strerror(savederrno));
+++		goto exit_unlock;
+++	}
+++
+++	check_rmall(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport);
+++
+++exit_unlock:
+++	pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++	errno = savederrno;
+++	return err;
+++}
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 0b1fcd0..776408a 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -31,12 +31,12 @@ static check_ops_t proto_check_modules_cmds[] = {
++  * protocol specific functions
++  */
++ 
++-int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
++ 	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	      check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
++-			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, index,
++ 			ss1, ss2, type, acceptreject);
++ }
++ 
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 2682a70..642027b 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -242,29 +242,14 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ 	return 0;
++ }
++ 
++-int ipcheck_addip(void *fd_tracker_match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head, int index,
++ 		  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		  check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++ 	struct ip_acl_match_entry *new_match_entry;
++ 	struct ip_acl_match_entry *match_entry = *match_entry_head;
++-
++-	if (!ss1) {
++-		errno = EINVAL;
++-		return -1;
++-	}
++-
++-	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++-		errno = EINVAL;
++-		return -1;
++-	}
++-
++-	if (type == CHECK_TYPE_RANGE &&
++-	    (ss1->ss_family != ss2->ss_family)) {
++-		errno = EINVAL;
++-		return -1;
++-	}
+++	int i = 0;
++ 
++ 	if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) {
++ 		errno = EEXIST;
++@@ -283,12 +268,32 @@ int ipcheck_addip(void *fd_tracker_match_entry_head,
++ 	new_match_entry->next = NULL;
++ 
++ 	if (match_entry) {
++-		/* Find the end of the list */
++-		/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++-		while (match_entry->next) {
++-			match_entry = match_entry->next;
+++		/*
+++		 * special case for index 0, since we need to update
+++		 * the head of the list
+++		 */
+++		if (index == 0) {
+++			*match_entry_head = new_match_entry;
+++			new_match_entry->next = match_entry;
+++		} else {
+++			/*
+++			 * find the end of the list or stop at "index"
+++			 */
+++			while ((match_entry->next) || (i < index)) {
+++				match_entry = match_entry->next;
+++				i++;
+++			}
+++			/*
+++			 * insert if there are more entries in the list
+++			 */
+++			if (match_entry->next) {
+++				new_match_entry->next = match_entry->next;
+++			}
+++			/*
+++			 * add if we are at the end
+++			 */
+++			match_entry->next = new_match_entry;
++ 		}
++-		match_entry->next = new_match_entry;
++ 	} else {
++ 		/*
++ 		 * first entry in the list
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index bb69130..97f8198 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -33,7 +33,7 @@ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++ 	return 0;
++ }
++ 
++-int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++int loopbackcheck_add(void *fd_tracker_match_entry_head, int index,
++ 		      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		      check_type_t type, check_acceptreject_t acceptreject)
++ {
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 05bd829..15e8e07 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -165,9 +165,9 @@ static int load_file(void)
++ 		}
++ 		else {
++ 			if (addr1.ss_family == AF_INET) {
++-				ipcheck_addip(&match_entry_v4, &addr1, &addr2, type, acceptreject);
+++				ipcheck_addip(&match_entry_v4, -1, &addr1, &addr2, type, acceptreject);
++ 			} else {
++-				ipcheck_addip(&match_entry_v6, &addr1, &addr2, type, acceptreject);
+++				ipcheck_addip(&match_entry_v6, -1, &addr1, &addr2, type, acceptreject);
++ 			}
++ 		}
++ 	next_record: {} /* empty statement to mollify the compiler */
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 819bc9a..bdfc98d 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -948,7 +948,7 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 	 */
++ 	knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++-			if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++			if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP, -1,
++ 				       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 				return NULL;
++ 			}
++@@ -1006,7 +1006,7 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 		goto exit_error;
++ 	}
++ 
++-	if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++	if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP, -1,
++ 		       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
++ 		savederrno = errno;
++ 		err = -1;
+diff --git a/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch b/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+new file mode 100644
+index 0000000..30639fd
+--- /dev/null
++++ b/debian/patches/access-lists-add-more-extensive-test-for-links_acl_ip.patch
+@@ -0,0 +1,717 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 7 Mar 2019 15:31:28 +0100
++Subject: [access lists] add more extensive test for links_acl_ip
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8d42be74c7fdb58b8082c4a4d369d2facca467a9)
++---
++ libknet/tests/int_links_acl.txt  |   8 -
++ libknet/tests/Makefile.am        |  33 ++--
++ libknet/tests/int_links_acl.c    | 211 ---------------------
++ libknet/tests/int_links_acl_ip.c | 399 +++++++++++++++++++++++++++++++++++++++
++ 4 files changed, 415 insertions(+), 236 deletions(-)
++ delete mode 100644 libknet/tests/int_links_acl.txt
++ delete mode 100644 libknet/tests/int_links_acl.c
++ create mode 100644 libknet/tests/int_links_acl_ip.c
++
++diff --git a/libknet/tests/int_links_acl.txt b/libknet/tests/int_links_acl.txt
++deleted file mode 100644
++index 5776d54..0000000
++--- a/libknet/tests/int_links_acl.txt
+++++ /dev/null
++@@ -1,8 +0,0 @@
++-AA192.168.1.1
++-AA192.168.1.2
++-RA192.168.0.3
++-AR192.168.0.0-192.168.0.250
++-AM192.168.2.0/255.255.255.0
++-AM1740::0/FFF0::0
++-RA1000::666
++-AR1000::1-2000::7FF
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index eae5c80..3e74ea8 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -13,8 +13,7 @@ include $(top_srcdir)/libknet/tests/api-check.mk
++ 
++ EXTRA_DIST		= \
++ 			  api-test-coverage \
++-			  api-check.mk \
++-			  int_links_acl.txt
+++			  api-check.mk
++ 
++ AM_CPPFLAGS		= -I$(top_srcdir)/libknet
++ AM_CFLAGS		+= $(PTHREAD_CFLAGS)
++@@ -34,6 +33,7 @@ check_PROGRAMS		= \
++ 			  $(fun_checks)
++ 
++ int_checks		= \
+++			  int_links_acl_ip_test \
++ 			  int_timediff_test
++ 
++ fun_checks		=
++@@ -45,7 +45,6 @@ benchmarks		= \
++ noinst_PROGRAMS		= \
++ 			  api_knet_handle_new_limit_test \
++ 			  pckt_test \
++-			  int_links_acl_test \
++ 			  $(benchmarks) \
++ 			  $(check_PROGRAMS)
++ 
++@@ -67,20 +66,20 @@ check-api-test-coverage:
++ 
++ pckt_test_SOURCES	= pckt_test.c
++ 
++-int_links_acl_test_SOURCES = int_links_acl.c \
++-			     ../common.c \
++-			     ../compat.c \
++-			     ../logging.c \
++-			     ../netutils.c \
++-			     ../threads_common.c \
++-			     ../transports.c \
++-			     ../transport_common.c \
++-			     ../transport_loopback.c \
++-			     ../transport_sctp.c \
++-			     ../transport_udp.c \
++-			     ../links_acl.c \
++-			     ../links_acl_ip.c \
++-			     ../links_acl_loopback.c
+++int_links_acl_ip_test_SOURCES = int_links_acl_ip.c \
+++				../common.c \
+++				../compat.c \
+++				../logging.c \
+++				../netutils.c \
+++				../threads_common.c \
+++				../transports.c \
+++				../transport_common.c \
+++				../transport_loopback.c \
+++				../transport_sctp.c \
+++				../transport_udp.c \
+++				../links_acl.c \
+++				../links_acl_ip.c \
+++				../links_acl_loopback.c
++ 
++ int_timediff_test_SOURCES = int_timediff.c
++ 
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++deleted file mode 100644
++index 15e8e07..0000000
++--- a/libknet/tests/int_links_acl.c
+++++ /dev/null
++@@ -1,211 +0,0 @@
++-/*
++- * Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++- *
++- * Author: Christine Caulfield <ccaulfie at redhat.com>
++- *
++- * This software licensed under GPL-2.0+, LGPL-2.0+
++- */
++-
++-#include "config.h"
++-
++-#include <sys/types.h>
++-#include <sys/socket.h>
++-#include <netinet/in.h>
++-#include <stdio.h>
++-#include <stdlib.h>
++-#include <string.h>
++-#include <netdb.h>
++-
++-#include "internals.h"
++-#include "links_acl.h"
++-#include "links_acl_ip.h"
++-
++-static struct acl_match_entry *match_entry_v4;
++-static struct acl_match_entry *match_entry_v6;
++-
++-/* This is a test program .. remember! */
++-#define BUFLEN 1024
++-
++-static int get_ipaddress(char *buf, struct sockaddr_storage *addr)
++-{
++-	struct addrinfo *info;
++-	struct addrinfo hints;
++-	int res;
++-
++-	memset(&hints, 0, sizeof(hints));
++-	hints.ai_family = AF_UNSPEC;
++-
++-	res = getaddrinfo(buf, NULL, &hints, &info);
++-	if (!res) {
++-		memmove(addr, info->ai_addr, info->ai_addrlen);
++-		freeaddrinfo(info);
++-	}
++-	return res;
++-}
++-
++-static int read_address(char *buf, struct sockaddr_storage *addr)
++-{
++-	return get_ipaddress(buf, addr);
++-}
++-
++-static int read_mask(char *buf, struct sockaddr_storage *addr, struct sockaddr_storage *addr2)
++-{
++-	char tmpbuf[BUFLEN];
++-	char *slash;
++-	int ret;
++-
++-	slash = strchr(buf, '/');
++-	if (!slash)
++-		return 1;
++-
++-	strncpy(tmpbuf, buf, slash-buf);
++-	tmpbuf[slash-buf] = '\0';
++-
++-	ret = get_ipaddress(tmpbuf, addr);
++-        if (ret)
++-		return ret;
++-
++-	ret = get_ipaddress(slash+1, addr2);
++-        if (ret)
++-		return ret;
++-
++-	return 0;
++-}
++-
++-static int read_range(char *buf, struct sockaddr_storage *addr1, struct sockaddr_storage *addr2)
++-{
++-	char tmpbuf[BUFLEN];
++-	char *hyphen;
++-	int ret;
++-
++-	hyphen = strchr(buf, '-');
++-	if (!hyphen)
++-		return 1;
++-
++-	strncpy(tmpbuf, buf, hyphen-buf);
++-	tmpbuf[hyphen-buf] = '\0';
++-
++-	ret = get_ipaddress(tmpbuf, addr1);
++-        if (ret)
++-		return ret;
++-
++-	ret = get_ipaddress(hyphen+1, addr2);
++-        if (ret)
++-		return ret;
++-
++-	return 0;
++-}
++-
++-
++-static int load_file(void)
++-{
++-	FILE *filterfile;
++-	char filebuf[BUFLEN];
++-	int line = 0;
++-	int ret;
++-	check_type_t type;
++-	check_acceptreject_t acceptreject;
++-	struct sockaddr_storage addr1;
++-	struct sockaddr_storage addr2;
++-
++-	ipcheck_rmall(&match_entry_v4);
++-	ipcheck_rmall(&match_entry_v6);
++-
++-	filterfile = fopen("int_links_acl.txt", "r");
++-	if (!filterfile) {
++-		fprintf(stderr, "Cannot open int_links_acl.txt\n");
++-		return 1;
++-	}
++-
++-	while (fgets(filebuf, sizeof(filebuf), filterfile)) {
++-		filebuf[strlen(filebuf)-1] = '\0'; /* remove trailing LF */
++-		line++;
++-
++-		/*
++-		 * First char is A (accept) or R (Reject)
++-		 */
++-		switch(filebuf[0] & 0x5F) {
++-		case 'A':
++-			acceptreject = CHECK_ACCEPT;
++-			break;
++-		case 'R':
++-			acceptreject = CHECK_REJECT;
++-			break;
++-		default:
++-			fprintf(stderr, "Unknown record type on line %d: %s\n", line, filebuf);
++-			goto next_record;
++-		}
++-
++-		/*
++-		 * Second char is the filter type:
++-		 * A Address
++-		 * M Mask
++-		 * R Range
++-		 */
++-		switch(filebuf[1] & 0x5F) {
++-		case 'A':
++-			type = CHECK_TYPE_ADDRESS;
++-			ret = read_address(filebuf+2, &addr1);
++-			break;
++-		case 'M':
++-			type = CHECK_TYPE_MASK;
++-			ret = read_mask(filebuf+2, &addr1, &addr2);
++-			break;
++-		case 'R':
++-			type = CHECK_TYPE_RANGE;
++-			ret = read_range(filebuf+2, &addr1, &addr2);
++-			break;
++-		default:
++-			fprintf(stderr, "Unknown filter type on line %d: %s\n", line, filebuf);
++-			goto next_record;
++-			break;
++-		}
++-		if (ret) {
++-			fprintf(stderr, "Failed to parse address on line %d: %s\n", line, filebuf);
++-		}
++-		else {
++-			if (addr1.ss_family == AF_INET) {
++-				ipcheck_addip(&match_entry_v4, -1, &addr1, &addr2, type, acceptreject);
++-			} else {
++-				ipcheck_addip(&match_entry_v6, -1, &addr1, &addr2, type, acceptreject);
++-			}
++-		}
++-	next_record: {} /* empty statement to mollify the compiler */
++-	}
++-	fclose(filterfile);
++-
++-	return 0;
++-}
++-
++-int main(int argc, char *argv[])
++-{
++-	struct sockaddr_storage saddr;
++-	struct acl_match_entry *match_entry;
++-	int ret;
++-	int i;
++-
++-	if (load_file())
++-		return 1;
++-
++-	for (i=1; i<argc; i++) {
++-		ret = get_ipaddress(argv[i], &saddr);
++-		if (ret) {
++-			fprintf(stderr, "Cannot parse address %s\n", argv[i]);
++-		} else {
++-			if (saddr.ss_family == AF_INET) {
++-				match_entry = match_entry_v4;
++-			} else {
++-				match_entry = match_entry_v6;
++-			}
++-			if (ipcheck_validate(&match_entry, &saddr)) {
++-				printf("%s is VALID\n", argv[i]);
++-			} else {
++-				printf("%s is not allowed\n", argv[i]);
++-			}
++-		}
++-	}
++-
++-	ipcheck_rmall(&match_entry_v4);
++-	ipcheck_rmall(&match_entry_v6);
++-	return 0;
++-}
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++new file mode 100644
++index 0000000..a7d2aed
++--- /dev/null
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -0,0 +1,399 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <sys/types.h>
+++#include <sys/socket.h>
+++#include <netinet/in.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <netdb.h>
+++#include <errno.h>
+++
+++#include "internals.h"
+++#include "links_acl.h"
+++#include "links_acl_ip.h"
+++
+++#include "test-common.h"
+++
+++static struct acl_match_entry *match_entry_v4;
+++static struct acl_match_entry *match_entry_v6;
+++
+++/* This is a test program .. remember! */
+++#define BUFLEN 1024
+++
+++static int get_ipaddress(const char *buf, struct sockaddr_storage *addr)
+++{
+++	struct addrinfo *info;
+++	struct addrinfo hints;
+++
+++	memset(&hints, 0, sizeof(hints));
+++	hints.ai_family = AF_UNSPEC;
+++
+++	if (getaddrinfo(buf, NULL, &hints, &info)) {
+++		return -1;
+++	}
+++
+++	memmove(addr, info->ai_addr, info->ai_addrlen);
+++	freeaddrinfo(info);
+++	return 0;
+++}
+++
+++static int read_2ip(const char *buf, const char *delim, struct sockaddr_storage *addr, struct sockaddr_storage *addr2)
+++{
+++	char tmpbuf[BUFLEN];
+++	char *deli;
+++
+++	deli = strstr(buf, delim);
+++	if (!deli) {
+++		return -1;
+++	}
+++
+++	strncpy(tmpbuf, buf, deli-buf);
+++	tmpbuf[deli-buf] = '\0';
+++
+++	if (get_ipaddress(tmpbuf, addr)) {
+++		return -1;
+++	}
+++
+++	if (get_ipaddress(deli+1, addr2)) {
+++		return -1;
+++	}
+++
+++	return 0;
+++}
+++
+++/*
+++ * be aware that ordering is important
+++ * so we can test all the rules with few
+++ * ipcheck_validate calls
+++ */
+++
+++const char *rules[100] = {
+++	/*
+++	 * ipv4
+++	 */
+++	"RA192.168.0.3",		/* reject address */
+++	"AA192.168.0.1",		/* accept address */
+++	"RR192.168.0.10-192.168.0.20",	/* reject range */
+++	"AR192.168.0.0-192.168.0.255",	/* accept range */
+++	"RM192.168.2.0/255.255.255.0",	/* reject mask */
+++	"AM192.168.2.0/255.255.254.0",	/* accept mask */
+++	/*
+++	 * ipv6
+++	 */
+++	"RA3ffe::3",
+++	"AA3ffe::1",
+++	"RR3ffe::10-3ffe::20",
+++	"AR3ffe::0-3ffe::ff",
+++	"RM3ffe:1::0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
+++	"AM3ffe:1::0/ffff:ffff:ffff:ffff::0"
+++};
+++
+++static int _ipcheck_addip(void *fd_tracker_match_entry_head,
+++			  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
+++			  check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	return ipcheck_addip(fd_tracker_match_entry_head, -1, ss1, ss2, type, acceptreject);
+++}
+++
+++static int default_rules(int load)
+++{
+++	int ret;
+++	check_type_t type;
+++	check_acceptreject_t acceptreject;
+++	struct sockaddr_storage addr1;
+++	struct sockaddr_storage addr2;
+++	int i = 0;
+++	int (*loadfn)(void *fd_tracker_match_entry_head, struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject);
+++
+++	if (load) {
+++		loadfn = _ipcheck_addip;
+++	} else {
+++		loadfn = ipcheck_rmip;
+++	}
+++
+++	while (rules[i] != NULL) {
+++		printf("Parsing rule: %s\n", rules[i]);
+++		memset(&addr1, 0, sizeof(struct sockaddr_storage));
+++		memset(&addr2, 0, sizeof(struct sockaddr_storage));
+++		/*
+++		 * First char is A (accept) or R (Reject)
+++		 */
+++		switch(rules[i][0] & 0x5F) {
+++			case 'A':
+++				acceptreject = CHECK_ACCEPT;
+++				break;
+++			case 'R':
+++				acceptreject = CHECK_REJECT;
+++				break;
+++			default:
+++				fprintf(stderr, "Unknown record type on line %d: %s\n", i, rules[i]);
+++				goto next_record;
+++		}
+++
+++		/*
+++		 * Second char is the filter type:
+++		 * A Address
+++		 * M Mask
+++		 * R Range
+++		 */
+++		switch(rules[i][1] & 0x5F) {
+++			case 'A':
+++				type = CHECK_TYPE_ADDRESS;
+++				ret = get_ipaddress(rules[i]+2, &addr1);
+++				break;
+++			case 'M':
+++				type = CHECK_TYPE_MASK;
+++				ret = read_2ip(rules[i]+2, "/", &addr1, &addr2);
+++				break;
+++			case 'R':
+++				type = CHECK_TYPE_RANGE;
+++				ret = read_2ip(rules[i]+2, "-", &addr1, &addr2);
+++				break;
+++			default:
+++				fprintf(stderr, "Unknown filter type on line %d: %s\n", i, rules[i]);
+++				goto next_record;
+++				break;
+++		}
+++
+++		if (ret) {
+++			fprintf(stderr, "Failed to parse address on line %d: %s\n", i, rules[i]);
+++			return -1;
+++		} else {
+++			if (addr1.ss_family == AF_INET) {
+++				if (loadfn(&match_entry_v4, &addr1, &addr2, type, acceptreject) < 0) {
+++					fprintf(stderr, "Failed to add/rm address on line %d: %s (errno: %s)\n", i, rules[i], strerror(errno));
+++					return -1;
+++				}
+++			} else {
+++				if (loadfn(&match_entry_v6, &addr1, &addr2, type, acceptreject) < 0) {
+++					fprintf(stderr, "Failed to add/rm address on line %d: %s (errno: %s)\n", i, rules[i], strerror(errno));
+++					return -1;
+++				}
+++			}
+++		}
+++
+++	next_record:
+++		i++;
+++	}
+++
+++	return 0;
+++}
+++
+++const char *tests[100] = {
+++	/*
+++	 * ipv4
+++	 */
+++	"R192.168.0.3",		/* reject address */
+++	"A192.168.0.1",		/* accept address */
+++	"R192.168.0.11",	/* reject range */
+++	"A192.168.0.8",		/* accept range */
+++	"R192.168.2.1",		/* reject mask */
+++	"A192.168.3.1",		/* accept mask */
+++	/*
+++	 * ipv6
+++	 */
+++	"R3ffe::3",
+++	"A3ffe::1",
+++	"R3ffe::11",
+++	"A3ffe::8",
+++	"R3ffe:1::1",
+++	"A3ffe:1::1:1"
+++};
+++
+++const char *after_insert_tests[100] = {
+++	/*
+++	 * ipv4
+++	 */
+++	"R192.168.0.3",		/* reject address */
+++	"A192.168.0.1",		/* accept address */
+++	"R192.168.0.11",	/* reject range */
+++	"A192.168.0.8",		/* accept range */
+++	"A192.168.2.1",		/* reject mask */
+++	"A192.168.3.1",		/* accept mask */
+++	/*
+++	 * ipv6
+++	 */
+++	"R3ffe::3",
+++	"A3ffe::1",
+++	"R3ffe::11",
+++	"A3ffe::8",
+++	"A3ffe:1::1",
+++	"A3ffe:1::1:1"
+++};
+++
+++int test(void)
+++{
+++	int i = 0;
+++	int expected;
+++	struct sockaddr_storage saddr;
+++	struct acl_match_entry *match_entry;
+++
+++	/*
+++	 * default tests
+++	 */
+++	while (tests[i] != NULL) {
+++		/*
+++		 * First char is A (accept) or R (Reject)
+++		 */
+++		switch(tests[i][0] & 0x5F) {
+++			case 'A':
+++				expected = 1;
+++				break;
+++			case 'R':
+++				expected = 0;
+++				break;
+++			default:
+++				fprintf(stderr, "Unknown record type on line %d: %s\n", i, tests[i]);
+++				return FAIL;
+++				break;
+++		}
+++
+++		if (get_ipaddress(tests[i]+1, &saddr)) {
+++				fprintf(stderr, "Cannot parse address %s\n", tests[i]+1);
+++				return FAIL;
+++		}
+++
+++		if (saddr.ss_family == AF_INET) {
+++			match_entry = match_entry_v4;
+++		} else {
+++			match_entry = match_entry_v6;
+++		}
+++
+++		if (ipcheck_validate(&match_entry, &saddr) != expected) {
+++			fprintf(stderr, "Failed to check access list for ip: %s\n", tests[i]);
+++			return FAIL;
+++		}
+++		i++;
+++	}
+++
+++	/*
+++	 * insert tests
+++	 */
+++
+++	if (get_ipaddress("192.168.2.1", &saddr)) {
+++		fprintf(stderr, "Cannot parse address 192.168.2.1\n");
+++		return FAIL;
+++	}
+++
+++	if (ipcheck_addip(&match_entry_v4, 3, &saddr, &saddr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		fprintf(stderr, "Unable to insert address in position 3 192.168.2.1\n");
+++		return FAIL;
+++	}
+++
+++	if (get_ipaddress("3ffe:1::1", &saddr)) {
+++		fprintf(stderr, "Cannot parse address 3ffe:1::1\n");
+++		return FAIL;
+++	}
+++
+++	if (ipcheck_addip(&match_entry_v6, 3, &saddr, &saddr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		fprintf(stderr, "Unable to insert address in position 3 3ffe:1::1\n");
+++		return FAIL;
+++	}
+++
+++	while (after_insert_tests[i] != NULL) {
+++		/*
+++		 * First char is A (accept) or R (Reject)
+++		 */
+++		switch(after_insert_tests[i][0] & 0x5F) {
+++			case 'A':
+++				expected = 1;
+++				break;
+++			case 'R':
+++				expected = 0;
+++				break;
+++			default:
+++				fprintf(stderr, "Unknown record type on line %d: %s\n", i, after_insert_tests[i]);
+++				return FAIL;
+++				break;
+++		}
+++
+++		if (get_ipaddress(after_insert_tests[i]+1, &saddr)) {
+++				fprintf(stderr, "Cannot parse address %s\n", after_insert_tests[i]+1);
+++				return FAIL;
+++		}
+++
+++		if (saddr.ss_family == AF_INET) {
+++			match_entry = match_entry_v4;
+++		} else {
+++			match_entry = match_entry_v6;
+++		}
+++
+++		if (ipcheck_validate(&match_entry, &saddr) != expected) {
+++			fprintf(stderr, "Failed to check access list for ip: %s\n", after_insert_tests[i]);
+++			return FAIL;
+++		}
+++		i++;
+++	}
+++	return PASS;
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	struct sockaddr_storage saddr;
+++	struct acl_match_entry *match_entry;
+++	int ret = PASS;
+++	int i;
+++
+++	if (default_rules(1) < 0) {
+++		return -1;
+++	}
+++
+++	if (argc > 1) {
+++		/*
+++		 * run manual check against default access lists
+++		 */
+++		for (i=1; i<argc; i++) {
+++			if (get_ipaddress(argv[i], &saddr)) {
+++				fprintf(stderr, "Cannot parse address %s\n", argv[i]);
+++				ret = FAIL;
+++				goto out;
+++			} else {
+++				if (saddr.ss_family == AF_INET) {
+++					match_entry = match_entry_v4;
+++				} else {
+++					match_entry = match_entry_v6;
+++				}
+++				if (ipcheck_validate(&match_entry, &saddr)) {
+++					printf("%s is VALID\n", argv[i]);
+++					ret = PASS;
+++				} else {
+++					printf("%s is not allowed\n", argv[i]);
+++					ret = FAIL;
+++				}
+++			}
+++		}
+++	} else {
+++		/*
+++		 * run automatic tests
+++		 */
+++		ret = test();
+++	}
+++
+++	/*
+++	 * test memory leaks with ipcheck_rmip
+++	 */
+++	if (default_rules(0) < 0) {
+++		return FAIL;
+++	}
+++
+++	/*
+++	 * test memory leaks with ipcheck_rmall
+++	 */
+++	if (default_rules(1) < 0) {
+++		return FAIL;
+++	}
+++out:
+++	ipcheck_rmall(&match_entry_v4);
+++	ipcheck_rmall(&match_entry_v6);
+++
+++	return ret;
+++}
+diff --git a/debian/patches/access-lists-add-public-API-tests.patch b/debian/patches/access-lists-add-public-API-tests.patch
+new file mode 100644
+index 0000000..2be97b8
+--- /dev/null
++++ b/debian/patches/access-lists-add-public-API-tests.patch
+@@ -0,0 +1,1019 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 6 Mar 2019 13:08:34 +0100
++Subject: [access lists] add public API tests
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 31da8fa7b5d034980c38c2f5dcc6e3730f2031fa)
++---
++ libknet/tests/api_knet_link_add_acl.c    | 246 +++++++++++++++++++++++++++++
++ libknet/tests/api_knet_link_clear_acl.c  | 196 +++++++++++++++++++++++
++ libknet/tests/api_knet_link_insert_acl.c | 246 +++++++++++++++++++++++++++++
++ libknet/tests/api_knet_link_rm_acl.c     | 256 +++++++++++++++++++++++++++++++
++ libknet/tests/api-check.mk               |  18 ++-
++ 5 files changed, 961 insertions(+), 1 deletion(-)
++ create mode 100644 libknet/tests/api_knet_link_add_acl.c
++ create mode 100644 libknet/tests/api_knet_link_clear_acl.c
++ create mode 100644 libknet/tests/api_knet_link_insert_acl.c
++ create mode 100644 libknet/tests/api_knet_link_rm_acl.c
++
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++new file mode 100644
++index 0000000..b018165
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -0,0 +1,246 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++	knet_handle_t knet_h;
+++	int logfds[2];
+++	struct knet_host *host;
+++	struct knet_link *link;
+++	struct sockaddr_storage lo, lo6;
+++
+++	if (make_local_sockaddr(&lo, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	if (make_local_sockaddr6(&lo6, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	printf("Test knet_link_add_acl incorrect knet_h\n");
+++
+++	if ((!knet_link_add_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	setup_logpipes(logfds);
+++
+++	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++	printf("Test knet_link_add_acl with unconfigured host\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with unconfigured link\n");
+++
+++	if (knet_host_add(knet_h, 1) < 0) {
+++		printf("knet_host_add failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with invalid link\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with invalid ss1\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with invalid ss2\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with non matching families\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with wrong check_type\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with wrong acceptreject\n");
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_add_acl with point to point link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_add_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	knet_link_clear_config(knet_h, 1, 0);
+++
+++	printf("Test knet_link_add_acl with dynamic link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list not empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		printf("knet_link_add_acl did not accept dynamic link error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++	knet_link_clear_config(knet_h, 1, 0);
+++	knet_host_remove(knet_h, 1);
+++	knet_handle_free(knet_h);
+++	flush_logs(logfds[0], stdout);
+++	close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	test();
+++
+++	return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++new file mode 100644
++index 0000000..78b7d79
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -0,0 +1,196 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++	knet_handle_t knet_h;
+++	int logfds[2];
+++	struct knet_host *host;
+++	struct knet_link *link;
+++	struct sockaddr_storage lo;
+++
+++	if (make_local_sockaddr(&lo, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	printf("Test knet_link_clear_acl incorrect knet_h\n");
+++
+++	if ((!knet_link_clear_acl(NULL, 1, 0)) || (errno != EINVAL)) {
+++		printf("knet_link_clear_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	setup_logpipes(logfds);
+++
+++	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++	printf("Test knet_link_clear_acl with unconfigured host\n");
+++
+++	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++		printf("knet_link_clear_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_clear_acl with unconfigured link\n");
+++
+++	if (knet_host_add(knet_h, 1) < 0) {
+++		printf("knet_host_add failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++		printf("knet_link_clear_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_clear_acl with invalid link\n");
+++
+++	if ((!knet_link_clear_acl(knet_h, 1, KNET_MAX_LINK)) || (errno != EINVAL)) {
+++		printf("knet_link_clear_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_clear_acl with point to point link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
+++		printf("knet_link_clear_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	knet_link_clear_config(knet_h, 1, 0);
+++
+++	printf("Test knet_link_clear_acl with dynamic link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list NOT empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		printf("knet_link_clear_acl did not accept dynamic link error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_clear_acl(knet_h, 1, 0) < 0) {
+++		printf("knet_link_clear_acl failed to clear. error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list NOT empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++	knet_link_clear_config(knet_h, 1, 0);
+++	knet_host_remove(knet_h, 1);
+++	knet_handle_free(knet_h);
+++	flush_logs(logfds[0], stdout);
+++	close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	test();
+++
+++	return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++new file mode 100644
++index 0000000..547f92b
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -0,0 +1,246 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++	knet_handle_t knet_h;
+++	int logfds[2];
+++	struct knet_host *host;
+++	struct knet_link *link;
+++	struct sockaddr_storage lo, lo6;
+++
+++	if (make_local_sockaddr(&lo, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	if (make_local_sockaddr6(&lo6, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	printf("Test knet_link_insert_acl incorrect knet_h\n");
+++
+++	if ((!knet_link_insert_acl(NULL, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	setup_logpipes(logfds);
+++
+++	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++	printf("Test knet_link_insert_acl with unconfigured host\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with unconfigured link\n");
+++
+++	if (knet_host_add(knet_h, 1) < 0) {
+++		printf("knet_host_add failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with invalid link\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, KNET_MAX_LINK, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with invalid ss1\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with invalid ss2\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with non matching families\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with wrong check_type\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with wrong acceptreject\n");
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_insert_acl with point to point link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_insert_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	knet_link_clear_config(knet_h, 1, 0);
+++
+++	printf("Test knet_link_insert_acl with dynamic link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list not empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		printf("knet_link_insert_acl did not accept dynamic link error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++	knet_link_clear_config(knet_h, 1, 0);
+++	knet_host_remove(knet_h, 1);
+++	knet_handle_free(knet_h);
+++	flush_logs(logfds[0], stdout);
+++	close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	test();
+++
+++	return PASS;
+++}
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++new file mode 100644
++index 0000000..49a82d9
++--- /dev/null
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -0,0 +1,256 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <inttypes.h>
+++
+++#include "libknet.h"
+++
+++#include "internals.h"
+++#include "netutils.h"
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++	knet_handle_t knet_h;
+++	int logfds[2];
+++	struct knet_host *host;
+++	struct knet_link *link;
+++	struct sockaddr_storage lo, lo6;
+++
+++	if (make_local_sockaddr(&lo, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	if (make_local_sockaddr6(&lo6, 0) < 0) {
+++		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	printf("Test knet_link_rm_acl incorrect knet_h\n");
+++
+++	if ((!knet_link_rm_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
+++	setup_logpipes(logfds);
+++
+++	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++	printf("Test knet_link_rm_acl with unconfigured host\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with unconfigured link\n");
+++
+++	if (knet_host_add(knet_h, 1) < 0) {
+++		printf("knet_host_add failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with invalid link\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with invalid ss1\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with invalid ss2\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with non matching families\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with wrong check_type\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with wrong acceptreject\n");
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_link_rm_acl with point to point link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
+++		printf("knet_link_rm_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	knet_link_clear_config(knet_h, 1, 0);
+++
+++	printf("Test knet_link_rm_acl with dynamic link\n");
+++
+++	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
+++		printf("Unable to configure link: %s\n", strerror(errno));
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list not empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		printf("Failed to add an access list: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
+++		printf("knet_link_rm_acl did not accept dynamic link error: %s\n", strerror(errno));
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+++		printf("match list NOT empty!");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++	knet_link_clear_config(knet_h, 1, 0);
+++	knet_host_remove(knet_h, 1);
+++	knet_handle_free(knet_h);
+++	flush_logs(logfds[0], stdout);
+++	close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	test();
+++
+++	return PASS;
+++}
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 247ed58..427c388 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -68,7 +68,11 @@ api_checks		= \
++ 			  api_knet_link_set_enable_test \
++ 			  api_knet_link_get_enable_test \
++ 			  api_knet_link_get_link_list_test \
++-			  api_knet_link_get_status_test
+++			  api_knet_link_get_status_test \
+++			  api_knet_link_add_acl_test \
+++			  api_knet_link_insert_acl_test \
+++			  api_knet_link_rm_acl_test \
+++			  api_knet_link_clear_acl_test
++ 
++ api_knet_handle_new_test_SOURCES = api_knet_handle_new.c \
++ 				   test-common.c
++@@ -256,3 +260,15 @@ api_knet_link_get_link_list_test_SOURCES = api_knet_link_get_link_list.c \
++ 
++ api_knet_link_get_status_test_SOURCES = api_knet_link_get_status.c \
++ 					test-common.c
+++
+++api_knet_link_add_acl_test_SOURCES = api_knet_link_add_acl.c \
+++				     test-common.c
+++
+++api_knet_link_insert_acl_test_SOURCES = api_knet_link_insert_acl.c \
+++					test-common.c
+++
+++api_knet_link_rm_acl_test_SOURCES = api_knet_link_rm_acl.c \
+++				    test-common.c
+++
+++api_knet_link_clear_acl_test_SOURCES = api_knet_link_clear_acl.c \
+++				       test-common.c
+diff --git a/debian/patches/access-lists-add-tests-for-default-access-lists.patch b/debian/patches/access-lists-add-tests-for-default-access-lists.patch
+new file mode 100644
+index 0000000..24d97e5
+--- /dev/null
++++ b/debian/patches/access-lists-add-tests-for-default-access-lists.patch
+@@ -0,0 +1,63 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 06:47:41 +0100
++Subject: [access lists] add tests for default access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c48b048e3b340ea7696c3300fb64928b22018233)
++---
++ libknet/tests/api_knet_link_set_config.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index 8679428..5fed9be 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -24,6 +24,8 @@
++ static void test(void)
++ {
++ 	knet_handle_t knet_h;
+++	struct knet_host *host;
+++	struct knet_link *link;
++ 	int logfds[2];
++ 	char src_portstr[32];
++ 	char dst_portstr[32];
++@@ -140,6 +142,19 @@ static void test(void)
++ 		exit(FAIL);
++ 	}
++ 
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++		printf("found access lists for dynamic dst_addr!\n");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
++ 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
++ 		printf("Unable to get link status: %s\n", strerror(errno));
++ 		knet_link_clear_config(knet_h, 1, 0);
++@@ -244,6 +259,19 @@ static void test(void)
++ 		exit(FAIL);
++ 	}
++ 
+++	host = knet_h->host_index[1];
+++	link = &host->link[0];
+++
+++	if (!knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++		printf("Unable to find default access lists for static dst_addr!\n");
+++		knet_link_clear_config(knet_h, 1, 0);
+++		knet_host_remove(knet_h, 1);
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
++ 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
++ 		printf("Unable to get link status: %s\n", strerror(errno));
++ 		knet_link_clear_config(knet_h, 1, 0);
+diff --git a/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch b/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+new file mode 100644
+index 0000000..a9b0ea7
+--- /dev/null
++++ b/debian/patches/access-lists-allow-knet_bench-to-enable-disable-access-li.patch
+@@ -0,0 +1,61 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 07:23:09 +0100
++Subject: [access lists] allow knet_bench to enable/disable access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a7fa047d1bdae266cfef18fc31d87072b7dfd6d3)
++---
++ libknet/tests/knet_bench.c | 12 +++++++++++-
++ 1 file changed, 11 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/tests/knet_bench.c b/libknet/tests/knet_bench.c
++index b208b3e..00cd58b 100644
++--- a/libknet/tests/knet_bench.c
+++++ b/libknet/tests/knet_bench.c
++@@ -46,6 +46,7 @@ static int wait_for_perf_rx = 0;
++ static char *compresscfg = NULL;
++ static char *cryptocfg = NULL;
++ static int machine_output = 0;
+++static int use_access_lists = 0;
++ 
++ static int bench_shutdown_in_progress = 0;
++ static pthread_mutex_t shutdown_mutex = PTHREAD_MUTEX_INITIALIZER;
++@@ -78,6 +79,7 @@ static void print_help(void)
++ 	printf("knet_bench usage:\n");
++ 	printf(" -h                                        print this help (no really)\n");
++ 	printf(" -d                                        enable debug logs (default INFO)\n");
+++	printf(" -f                                        enable use of access lists (default: off)\n");
++ 	printf(" -c [implementation]:[crypto]:[hashing]    crypto configuration. (default disabled)\n");
++ 	printf("                                           Example: -c nss:aes128:sha1\n");
++ 	printf(" -z [implementation]:[level]:[threshold]   compress configuration. (default disabled)\n");
++@@ -248,7 +250,7 @@ static void setup_knet(int argc, char *argv[])
++ 
++ 	memset(nodes, 0, sizeof(nodes));
++ 
++-	while ((rv = getopt(argc, argv, "aCT:S:s:ldom:wb:t:n:c:p:X::P:z:h")) != EOF) {
+++	while ((rv = getopt(argc, argv, "aCT:S:s:ldfom:wb:t:n:c:p:X::P:z:h")) != EOF) {
++ 		switch(rv) {
++ 			case 'h':
++ 				print_help();
++@@ -260,6 +262,9 @@ static void setup_knet(int argc, char *argv[])
++ 			case 'd':
++ 				debug = KNET_LOG_DEBUG;
++ 				break;
+++			case 'f':
+++				use_access_lists = 1;
+++				break;
++ 			case 'c':
++ 				if (cryptocfg) {
++ 					printf("Error: -c can only be specified once\n");
++@@ -456,6 +461,11 @@ static void setup_knet(int argc, char *argv[])
++ 		exit(FAIL);
++ 	}
++ 
+++	if (knet_handle_enable_access_lists(knet_h, use_access_lists) < 0) {
+++		printf("Unable to knet_handle_enable_access_lists: %s\n", strerror(errno));
+++		exit(FAIL);
+++	}
+++
++ 	if (cryptocfg) {
++ 		memset(&knet_handle_crypto_cfg, 0, sizeof(knet_handle_crypto_cfg));
++ 		cryptomodel = strtok(cryptocfg, ":");
+diff --git a/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch b/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+new file mode 100644
+index 0000000..5c0c247
+--- /dev/null
++++ b/debian/patches/access-lists-automatically-add-and-remove-point-to-point-.patch
+@@ -0,0 +1,283 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 14 Feb 2019 06:32:42 +0100
++Subject: [access lists] automatically add and remove point to point access
++ lists
++
++those are not used just yet.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a08389d536726927f2438a7e0bfe6b86244779ab)
++---
++ libknet/links_acl.h           |  7 +++-
++ libknet/links.c               | 96 +++++++++++++++++++++++++++++++++++++++++++
++ libknet/links_acl.c           | 62 +++++++++++++++++++++++++++-
++ libknet/tests/int_links_acl.c |  8 ++--
++ 4 files changed, 166 insertions(+), 7 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 26b0f36..f4713d6 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -13,10 +13,13 @@
++ 
++ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
++ 
++-void ipcheck_clear(struct acl_match_entry **match_entry_head);
++-
++ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ 		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 		  check_type_t type, check_acceptreject_t acceptreject);
++ 
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject);
+++
+++void check_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 010aeb6..6c75c35 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -20,6 +20,56 @@
++ #include "transports.h"
++ #include "host.h"
++ #include "threads_common.h"
+++#include "links_acl.h"
+++
+++static void _link_del_all_acl(knet_handle_t knet_h, int sock)
+++{
+++	check_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++}
+++
+++static int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++	int err = -1;
+++
+++	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++		case LOOPBACK:
+++			/*
+++			 * loopback does not require access lists
+++			 */
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++					    &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++			break;
+++		default:
+++			break;
+++	}
+++
+++	return err;
+++}
+++
+++static int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++	int err = -1;
+++
+++	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++		case LOOPBACK:
+++			/*
+++			 * loopback does not require access lists
+++			 */
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++					   &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++			break;
+++		default:
+++			break;
+++	}
+++
+++	return err;
+++}
++ 
++ int _link_updown(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
++ 		 unsigned int enabled, unsigned int connected)
++@@ -234,6 +284,21 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 		err = -1;
++ 		goto exit_unlock;
++ 	}
+++
+++	/*
+++	 * we can only configure default access lists if we know both endpoints
+++	 */
+++	if (link->dynamic == KNET_LINK_STATIC) {
+++		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u",
+++			  host_id, link_id);
+++		if (_link_add_default_acl(knet_h, link) < 0) {
+++			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
+++			savederrno = errno;
+++			err = -1;
+++			goto exit_unlock;
+++		}
+++	}
+++
++ 	link->configured = 1;
++ 	log_debug(knet_h, KNET_SUB_LINK, "host: %u link: %u is configured",
++ 		  host_id, link_id);
++@@ -351,6 +416,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	int savederrno = 0, err = 0;
++ 	struct knet_host *host;
++ 	struct knet_link *link;
+++	int sock;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -397,6 +463,28 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 		goto exit_unlock;
++ 	}
++ 
+++	/*
+++	 * remove well known access lists here.
+++	 * After the transport has done clearing the config,
+++	 * then we can remove any leftover access lists if the link
+++	 * is no longer in use.
+++	 */
+++	if (link->dynamic == KNET_LINK_STATIC) {
+++		if (_link_rm_default_acl(knet_h, link) < 0) {
+++			err = -1;
+++			savederrno = EBUSY;
+++			log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
+++				host_id, link_id);
+++			goto exit_unlock;
+++		}
+++	}
+++
+++	/*
+++	 * cache it for later as we don't know if the transport
+++	 * will clear link info during clear_config.
+++	 */
+++	sock = link->outsock;
+++
++ 	if ((transport_link_clear_config(knet_h, link) < 0)  &&
++ 	    (errno != EBUSY)) {
++ 		savederrno = errno;
++@@ -404,6 +492,14 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 		goto exit_unlock;
++ 	}
++ 
+++	/*
+++	 * remove any other access lists when the socket is no
+++	 * longer in use by the transport.
+++	 */
+++	if (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS) {
+++		_link_del_all_acl(knet_h, sock);
+++	}
+++
++ 	memset(link, 0, sizeof(struct knet_link));
++ 	link->link_id = link_id;
++ 
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index fe84088..2ad3e90 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -150,7 +150,7 @@ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_
++  * Routines to manuipulate access lists
++  */
++ 
++-void ipcheck_clear(struct acl_match_entry **match_entry_head)
+++void check_rmall(struct acl_match_entry **match_entry_head)
++ {
++ 	struct acl_match_entry *next_match_entry;
++ 	struct acl_match_entry *match_entry = *match_entry_head;
++@@ -163,6 +163,62 @@ void ipcheck_clear(struct acl_match_entry **match_entry_head)
++ 	*match_entry_head = NULL;
++ }
++ 
+++static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++						 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++						 check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	while (match_entry) {
+++		if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
+++		    (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++		    (match_entry->type == type) &&
+++		    (match_entry->acceptreject == acceptreject)) {
+++			return match_entry;
+++		}
+++		match_entry = match_entry->next;
+++	}
+++
+++	return NULL;
+++}
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		 check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	struct acl_match_entry *next_match_entry = NULL;
+++	struct acl_match_entry *rm_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++	if (!rm_match_entry) {
+++		return -1;
+++	}
+++
+++	while (match_entry) {
+++		next_match_entry = match_entry->next;
+++		/*
+++		 * we are removing the list head, be careful
+++		 */
+++		if (rm_match_entry == match_entry) {
+++			*match_entry_head = next_match_entry;
+++			free(match_entry);
+++			break;
+++		}
+++		/*
+++		 * the next one is the one we need to remove
+++		 */
+++		if (rm_match_entry == next_match_entry) {
+++			match_entry->next = next_match_entry->next;
+++			free(next_match_entry);
+++			break;
+++		}
+++		match_entry = next_match_entry;
+++	}
+++
+++	return 0;
+++}
+++
++ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ 		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 		  check_type_t type, check_acceptreject_t acceptreject)
++@@ -182,6 +238,10 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ 	    (ip1->ss_family != ip2->ss_family))
++ 		return -1;
++ 
+++	if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++		return -1;
+++	}
+++
++ 	new_match_entry = malloc(sizeof(struct acl_match_entry));
++ 	if (!new_match_entry)
++ 		return -1;
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 1e7f426..129aabe 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -106,8 +106,8 @@ static int load_file(void)
++ 	struct sockaddr_storage addr1;
++ 	struct sockaddr_storage addr2;
++ 
++-	ipcheck_clear(&match_entry_v4);
++-	ipcheck_clear(&match_entry_v6);
+++	check_rmall(&match_entry_v4);
+++	check_rmall(&match_entry_v6);
++ 
++ 	filterfile = fopen("int_links_acl.txt", "r");
++ 	if (!filterfile) {
++@@ -203,7 +203,7 @@ int main(int argc, char *argv[])
++ 		}
++ 	}
++ 
++-	ipcheck_clear(&match_entry_v4);
++-	ipcheck_clear(&match_entry_v6);
+++	check_rmall(&match_entry_v4);
+++	check_rmall(&match_entry_v6);
++ 	return 0;
++ }
+diff --git a/debian/patches/access-lists-cleanup-API-a-bit.patch b/debian/patches/access-lists-cleanup-API-a-bit.patch
+new file mode 100644
+index 0000000..b88c2b5
+--- /dev/null
++++ b/debian/patches/access-lists-cleanup-API-a-bit.patch
+@@ -0,0 +1,98 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:21:29 +0100
++Subject: [access lists] cleanup API a bit
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 34d87fab04c1e1329f0066adf595d575dac3d0de)
++---
++ libknet/links_acl.h      |  3 ++-
++ libknet/links_acl.c      | 26 +++++++++++++-------------
++ libknet/threads_rx.c     |  2 +-
++ libknet/transport_sctp.c |  2 +-
++ 4 files changed, 17 insertions(+), 16 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 020ec05..0ad50e6 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -37,8 +37,9 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	     check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
+++int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
+++
++ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++ 
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 85a792d..520a934 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -71,22 +71,10 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ 	}
++ }
++ 
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
++-			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
++-			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++ /*
++  * return 0 to reject and 1 to accept a packet
++  */
++-int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
+++int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++ 	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
++ 		case LOOPBACK:
++@@ -103,3 +91,15 @@ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct socka
++ 	 */
++ 	return 0;
++ }
+++
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++	return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
+++			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++}
+++
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
+++{
+++	return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
+++			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++}
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 06a0168..5fa51c4 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -808,7 +808,7 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ 				 */
++ 				if ((knet_h->use_access_lists) &&
++ 				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++-					if (!_generic_filter_packet_by_acl(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
+++					if (!check_validate(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
++ 						char src_ipaddr[KNET_MAX_HOST_LEN];
++ 						char src_port[KNET_MAX_PORT_LEN];
++ 
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index ce3e98e..50a237b 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -731,7 +731,7 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ 						addr_str, port_str);
++ 	if (knet_h->use_access_lists) {
++-		if (!_generic_filter_packet_by_acl(knet_h, listen_sock, &ss)) {
+++		if (!check_validate(knet_h, listen_sock, &ss)) {
++ 			savederrno = EINVAL;
++ 			err = -1;
++ 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+diff --git a/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch b/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+new file mode 100644
+index 0000000..219cd34
+--- /dev/null
++++ b/debian/patches/access-lists-confine-access-lists-data-structs-within-the.patch
+@@ -0,0 +1,226 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 11:37:49 +0100
++Subject: [access lists] confine access lists data structs within the protocol
++ itself
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6abcbf579695dd050da0b5262f1e0a63325bbe52)
++---
++ libknet/links_acl.h    |  8 --------
++ libknet/links_acl_ip.h | 13 +++++++------
++ libknet/links_acl.c    |  8 ++++----
++ libknet/links_acl_ip.c | 48 ++++++++++++++++++++++++++++++------------------
++ 4 files changed, 41 insertions(+), 36 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index f871403..84ae6b9 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -22,14 +22,6 @@ typedef enum {
++ 	CHECK_REJECT
++ } check_acceptreject_t;
++ 
++-struct acl_match_entry {
++-	check_type_t type;
++-	check_acceptreject_t acceptreject;
++-	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++-	struct sockaddr_storage addr2; /* high IP address or address bitmask */
++-	struct acl_match_entry *next;
++-};
++-
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	      check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index 9e21e00..c475db9 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -12,15 +12,16 @@
++ #include "internals.h"
++ #include "links_acl.h"
++ 
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head,
++ 		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 		  check_type_t type, check_acceptreject_t acceptreject);
++ 
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  check_type_t type, check_acceptreject_t acceptreject);
+++int ipcheck_rmip(void *fd_tracker_match_entry_head,
+++		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		 check_type_t type, check_acceptreject_t acceptreject);
+++
+++void ipcheck_rmall(void *fd_tracker_match_entry_head);
++ 
++-void ipcheck_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 7605fe9..b1d7ab4 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -37,7 +37,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ 					    ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -58,7 +58,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ 					   ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -74,7 +74,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ 			return;
++ 			break;
++ 		case IP_PROTO:
++-			ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
++ 			break;
++ 		default:
++ 			break;
++@@ -92,7 +92,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ 			return 1;
++ 			break;
++ 		case IP_PROTO:
++-			return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
+++			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
++ 			break;
++ 		default:
++ 			break;
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 58c7b28..e72a382 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -21,6 +21,14 @@
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
++ 
+++struct ip_acl_match_entry {
+++	check_type_t type;
+++	check_acceptreject_t acceptreject;
+++	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++	struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++	struct ip_acl_match_entry *next;
+++};
+++
++ /*
++  * s6_addr32 is not defined in BSD userland, only kernel.
++  * definition is the same as linux and it works fine for
++@@ -34,7 +42,7 @@
++  * IPv4 See if the address we have matches the current match entry
++  */
++ 
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
++ {
++ 	struct sockaddr_in *ip_to_check;
++ 	struct sockaddr_in *match1;
++@@ -96,7 +104,7 @@ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++  * IPv6 See if the address we have matches the current match entry
++  */
++ 
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
++ {
++ 	struct sockaddr_in6 *ip_to_check;
++ 	struct sockaddr_in6 *match1;
++@@ -134,10 +142,11 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entr
++ }
++ 
++ 
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip)
++ {
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-	int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++	struct ip_acl_match_entry *match_entry = *match_entry_head;
+++	int (*match_fn)(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry);
++ 
++ 	if (checkip->ss_family == AF_INET){
++ 		match_fn = ip_matches_v4;
++@@ -161,10 +170,11 @@ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_
++  * Routines to manuipulate access lists
++  */
++ 
++-void ipcheck_rmall(struct acl_match_entry **match_entry_head)
+++void ipcheck_rmall(void *fd_tracker_match_entry_head)
++ {
++-	struct acl_match_entry *next_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
+++	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++	struct ip_acl_match_entry *next_match_entry;
+++	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	while (match_entry) {
++ 		next_match_entry = match_entry->next;
++@@ -174,11 +184,11 @@ void ipcheck_rmall(struct acl_match_entry **match_entry_head)
++ 	*match_entry_head = NULL;
++ }
++ 
++-static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head,
++ 						 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 						 check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	struct acl_match_entry *match_entry = *match_entry_head;
+++	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	while (match_entry) {
++ 		if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++@@ -193,13 +203,14 @@ static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_
++ 	return NULL;
++ }
++ 
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ 		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 		 check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	struct acl_match_entry *next_match_entry = NULL;
++-	struct acl_match_entry *rm_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
+++	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++	struct ip_acl_match_entry *next_match_entry = NULL;
+++	struct ip_acl_match_entry *rm_match_entry;
+++	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++ 	if (!rm_match_entry) {
++@@ -231,12 +242,13 @@ int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++ 	return 0;
++ }
++ 
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++int ipcheck_addip(void *fd_tracker_match_entry_head,
++ 		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 		  check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	struct acl_match_entry *new_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
+++	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
+++	struct ip_acl_match_entry *new_match_entry;
+++	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	if (!ip1) {
++ 		errno = EINVAL;
++@@ -259,7 +271,7 @@ int ipcheck_addip(struct acl_match_entry **match_entry_head,
++ 		return -1;
++ 	}
++ 
++-	new_match_entry = malloc(sizeof(struct acl_match_entry));
+++	new_match_entry = malloc(sizeof(struct ip_acl_match_entry));
++ 	if (!new_match_entry) {
++ 		return -1;
++ 	}
+diff --git a/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch b/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+new file mode 100644
+index 0000000..636f0ab
+--- /dev/null
++++ b/debian/patches/access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
+@@ -0,0 +1,80 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 15 Feb 2019 10:57:45 +0100
++Subject: [access lists] enable access lists for GENERIC_ACL protocols (udp
++ for example)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit fe077a47ad551d6dcc9f136a1f29b2b98b718beb)
++---
++ libknet/threads_rx.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
++ 1 file changed, 44 insertions(+)
++
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 8435d13..833938d 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -20,6 +20,7 @@
++ #include "crypto.h"
++ #include "host.h"
++ #include "links.h"
+++#include "links_acl.h"
++ #include "logging.h"
++ #include "transports.h"
++ #include "transport_common.h"
++@@ -720,6 +721,27 @@ out_pmtud:
++ 	}
++ }
++ 
+++/*
+++ * return 0 to reject and 1 to accept a packet
+++ */
+++static int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
+++{
+++	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++		case LOOPBACK:
+++			return 1;
+++			break;
+++		case IP_PROTO:
+++			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, msg->msg_hdr.msg_name);
+++			break;
+++		default:
+++			break;
+++	}
+++	/*
+++	 * reject by default
+++	 */
+++	return 0;
+++}
+++
++ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
++ {
++ 	int err, savederrno;
++@@ -802,6 +824,28 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ 				goto exit_unlock;
++ 				break;
++ 			case 2: /* packet is data and should be parsed as such */
+++				/*
+++				 * processing incoming packets vs access lists
+++				 */
+++				if ((knet_h->use_access_lists) &&
+++				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
+++					if (!_generic_filter_packet_by_acl(knet_h, sockfd, &msg[i])) {
+++						char src_ipaddr[KNET_MAX_HOST_LEN];
+++						char src_port[KNET_MAX_PORT_LEN];
+++
+++						memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
+++						memset(src_port, 0, KNET_MAX_PORT_LEN);
+++						knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+++							       src_ipaddr, KNET_MAX_HOST_LEN,
+++							       src_port, KNET_MAX_PORT_LEN);
+++
+++						log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
+++						/*
+++						 * continue processing the other packets
+++						 */
+++						continue;
+++					}
+++				}
++ 				_parse_recv_from_links(knet_h, sockfd, &msg[i]);
++ 				break;
++ 		}
+diff --git a/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch b/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+new file mode 100644
+index 0000000..a27bd22
+--- /dev/null
++++ b/debian/patches/access-lists-enable-generic-access-lists-only-for-protoco.patch
+@@ -0,0 +1,55 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 07:32:59 +0100
++Subject: [access lists] enable generic access lists only for protocols that
++ use them
++
++protocols such as SCTP that use their own access list tracking will
++need to setup access lists in transport_link_set/clear_config
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 862446dbc84165963b34f05e2157d3361b5b8f8a)
++---
++ libknet/links.c | 15 ++++++++++-----
++ 1 file changed, 10 insertions(+), 5 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 6c75c35..85b50e5 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -287,10 +287,13 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 
++ 	/*
++ 	 * we can only configure default access lists if we know both endpoints
+++	 * and the protocol uses GENERIC_ACL, otherwise the protocol has
+++	 * to setup their own access lists above in transport_link_set_config.
++ 	 */
++-	if (link->dynamic == KNET_LINK_STATIC) {
++-		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u",
++-			  host_id, link_id);
+++	if ((transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL) &&
+++	    (link->dynamic == KNET_LINK_STATIC)) {
+++		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
+++			  host_id, link_id, link->outsock);
++ 		if (_link_add_default_acl(knet_h, link) < 0) {
++ 			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ 			savederrno = errno;
++@@ -469,7 +472,8 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * then we can remove any leftover access lists if the link
++ 	 * is no longer in use.
++ 	 */
++-	if (link->dynamic == KNET_LINK_STATIC) {
+++	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++	    (link->dynamic == KNET_LINK_STATIC)) {
++ 		if (_link_rm_default_acl(knet_h, link) < 0) {
++ 			err = -1;
++ 			savederrno = EBUSY;
++@@ -496,7 +500,8 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * remove any other access lists when the socket is no
++ 	 * longer in use by the transport.
++ 	 */
++-	if (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS) {
+++	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++	    (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++ 		_link_del_all_acl(knet_h, sock);
++ 	}
++ 
+diff --git a/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch b/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+new file mode 100644
+index 0000000..27b0e57
+--- /dev/null
++++ b/debian/patches/access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
+@@ -0,0 +1,64 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 07:08:29 +0100
++Subject: [access lists] fix build on BSD and add some include files around
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f1919ce88831032c123bb28771ef2cabf03a148e)
++---
++ libknet/tests/Makefile.am     | 1 +
++ libknet/links_acl.c           | 2 ++
++ libknet/links_acl_ip.c        | 2 ++
++ libknet/tests/int_links_acl.c | 2 ++
++ 4 files changed, 7 insertions(+)
++
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index d46553a..2f22293 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -69,6 +69,7 @@ pckt_test_SOURCES	= pckt_test.c
++ 
++ int_links_acl_test_SOURCES = int_links_acl.c \
++ 			     ../common.c \
+++			     ../compat.c \
++ 			     ../logging.c \
++ 			     ../netutils.c \
++ 			     ../threads_common.c \
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 8592f1f..cfcc1fd 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -6,6 +6,8 @@
++  * This software licensed under GPL-2.0+, LGPL-2.0+
++  */
++ 
+++#include "config.h"
+++
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 2aef14b..ffd18a4 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -6,6 +6,8 @@
++  * This software licensed under GPL-2.0+, LGPL-2.0+
++  */
++ 
+++#include "config.h"
+++
++ #include <sys/socket.h>
++ #include <netinet/in.h>
++ #include <stdint.h>
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 8d9f4e0..05bd829 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -6,6 +6,8 @@
++  * This software licensed under GPL-2.0+, LGPL-2.0+
++  */
++ 
+++#include "config.h"
+++
++ #include <sys/types.h>
++ #include <sys/socket.h>
++ #include <netinet/in.h>
+diff --git a/debian/patches/access-lists-fix-build-on-freebsd.patch b/debian/patches/access-lists-fix-build-on-freebsd.patch
+new file mode 100644
+index 0000000..385cc85
+--- /dev/null
++++ b/debian/patches/access-lists-fix-build-on-freebsd.patch
+@@ -0,0 +1,54 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 17 Feb 2019 09:49:06 +0100
++Subject: [access lists] fix build on freebsd
++
++don't use malloc.h, obsoleted by stdlib.h
++define s6_addr32 that's only available in kernel space
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 12ee796ceca832c18054e87a0e310dcd9a6c16c6)
++---
++ libknet/links_acl.c           | 11 ++++++++++-
++ libknet/tests/int_links_acl.c |  1 -
++ 2 files changed, 10 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 2ad3e90..854f273 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -10,13 +10,22 @@
++ #include <netinet/in.h>
++ #include <stdint.h>
++ #include <string.h>
++-#include <malloc.h>
+++#include <stdlib.h>
++ 
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
++ #include "links_acl.h"
++ 
+++/*
+++ * s6_addr32 is not defined in BSD userland, only kernel.
+++ * definition is the same as linux and it works fine for
+++ * what we need.
+++ */
+++#ifndef s6_addr32
+++#define s6_addr32 __u6_addr.__u6_addr32
+++#endif
+++
++ /*
++  * IPv4 See if the address we have matches the current match entry
++  */
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 129aabe..133cd5a 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -13,7 +13,6 @@
++ #include <stdlib.h>
++ #include <string.h>
++ #include <netdb.h>
++-#include <malloc.h>
++ 
++ #include "internals.h"
++ #include "links_acl.h"
+diff --git a/debian/patches/access-lists-improve-checks-on-various-data-types.patch b/debian/patches/access-lists-improve-checks-on-various-data-types.patch
+new file mode 100644
+index 0000000..1a8d531
+--- /dev/null
++++ b/debian/patches/access-lists-improve-checks-on-various-data-types.patch
+@@ -0,0 +1,74 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 6 Mar 2019 09:43:10 +0100
++Subject: [access lists] improve checks on various data types
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f6f08c08179a051aa51fadc48a1acfb71a6f55b4)
++---
++ libknet/links.c | 39 +++++++++++++++++++++++++++++++++++++++
++ 1 file changed, 39 insertions(+)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 0f02006..038a8a4 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -1168,6 +1168,19 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++ 		return -1;
++ 	}
++ 
+++	if ((type != CHECK_TYPE_ADDRESS) &&
+++	    (type != CHECK_TYPE_MASK) &&
+++	    (type != CHECK_TYPE_RANGE)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((acceptreject != CHECK_ACCEPT) &&
+++	    (acceptreject != CHECK_REJECT)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
++ 	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ 		errno = EINVAL;
++ 		return -1;
++@@ -1250,6 +1263,19 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 		return -1;
++ 	}
++ 
+++	if ((type != CHECK_TYPE_ADDRESS) &&
+++	    (type != CHECK_TYPE_MASK) &&
+++	    (type != CHECK_TYPE_RANGE)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((acceptreject != CHECK_ACCEPT) &&
+++	    (acceptreject != CHECK_REJECT)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
++ 	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ 		errno = EINVAL;
++ 		return -1;
++@@ -1331,6 +1357,19 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++ 		return -1;
++ 	}
++ 
+++	if ((type != CHECK_TYPE_ADDRESS) &&
+++	    (type != CHECK_TYPE_MASK) &&
+++	    (type != CHECK_TYPE_RANGE)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if ((acceptreject != CHECK_ACCEPT) &&
+++	    (acceptreject != CHECK_REJECT)) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
++ 	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ 		errno = EINVAL;
++ 		return -1;
+diff --git a/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch b/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+new file mode 100644
+index 0000000..30cafa3
+--- /dev/null
++++ b/debian/patches/access-lists-make-code-more-generic-to-accept-more-than-I.patch
+@@ -0,0 +1,436 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 12 Feb 2019 07:21:20 +0100
++Subject: [access lists] make code more generic to accept more than IP
++ protocol and start to bind it to each fd
++
++access lists are unique per file descriptor, each fd can have its own protocol and list.
++
++remane around ipcheck* with check* to be more generic.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 45b1d526876aa89986e7bd379c45f8856056fe68)
++---
++ libknet/internals.h           |  24 +++++++++
++ libknet/links_acl.h           |  18 ++++---
++ libknet/links_acl.c           | 114 ++++++++++++++++++++----------------------
++ libknet/tests/int_links_acl.c |  46 +++++++++++------
++ 4 files changed, 120 insertions(+), 82 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 106b49d..78e718d 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -129,11 +129,35 @@ struct knet_sock {
++ 			  * and socket has been removed from epoll */
++ };
++ 
+++/*
+++ * access lists
+++ */
+++
+++typedef enum {
+++	CHECK_TYPE_ADDRESS,
+++	CHECK_TYPE_MASK,
+++	CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++typedef	enum {
+++	CHECK_ACCEPT,
+++	CHECK_REJECT
+++} check_acceptreject_t;
+++
+++struct acl_match_entry {
+++	check_type_t type;
+++	check_acceptreject_t acceptreject;
+++	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++	struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++	struct acl_match_entry *next;
+++};
+++
++ struct knet_fd_trackers {
++ 	uint8_t transport; /* transport type (UDP/SCTP...) */
++ 	uint8_t data_type; /* internal use for transport to define what data are associated
++ 			    * to this fd */
++ 	void *data;	   /* pointer to the data */
+++	struct acl_match_entry *match_entry;
++ };
++ 
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index eca4566..26b0f36 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -6,11 +6,17 @@
++  * This software licensed under GPL-2.0+, LGPL-2.0+
++  */
++ 
++-typedef enum {IPCHECK_TYPE_ADDRESS, IPCHECK_TYPE_MASK, IPCHECK_TYPE_RANGE} ipcheck_type_t;
++-typedef	enum {IPCHECK_ACCEPT, IPCHECK_REJECT} ipcheck_acceptreject_t;
+++#ifndef __KNET_LINKS_ACL_H__
+++#define __KNET_LINKS_ACL_H__
++ 
++-int ipcheck_validate(struct sockaddr_storage *checkip);
+++#include "internals.h"
++ 
++-void ipcheck_clear(void);
++-int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  ipcheck_type_t type, ipcheck_acceptreject_t acceptreject);
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++
+++void ipcheck_clear(struct acl_match_entry **match_entry_head);
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject);
+++
+++#endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index e7b5602..fe84088 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -11,26 +11,17 @@
++ #include <stdint.h>
++ #include <string.h>
++ #include <malloc.h>
++-#include "links_acl.h"
++-
++-struct ip_match_entry {
++-	ipcheck_type_t type;
++-	ipcheck_acceptreject_t acceptreject;
++-	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++-	struct sockaddr_storage addr2; /* high IP address or address bitmask */
++-	struct ip_match_entry *next;
++-};
++ 
++-
++-/* Lists of things to match against. These are dummy structs to provide a quick list head */
++-static struct ip_match_entry match_entry_head_v4;
++-static struct ip_match_entry match_entry_head_v6;
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl.h"
++ 
++ /*
++  * IPv4 See if the address we have matches the current match entry
++- *
++  */
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry)
+++
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++ {
++ 	struct sockaddr_in *ip_to_check;
++ 	struct sockaddr_in *match1;
++@@ -41,16 +32,16 @@ static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry
++ 	match2 = (struct sockaddr_in *)&match_entry->addr2;
++ 
++ 	switch(match_entry->type) {
++-	case IPCHECK_TYPE_ADDRESS:
+++	case CHECK_TYPE_ADDRESS:
++ 		if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
++ 			return 1;
++ 		break;
++-	case IPCHECK_TYPE_MASK:
+++	case CHECK_TYPE_MASK:
++ 		if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
++ 		    match1->sin_addr.s_addr)
++ 			return 1;
++ 		break;
++-	case IPCHECK_TYPE_RANGE:
+++	case CHECK_TYPE_RANGE:
++ 		if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
++ 		    (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
++ 			return 1;
++@@ -60,7 +51,10 @@ static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_match_entry
++ 	return 0;
++ }
++ 
++-/* Compare two IPv6 addresses */
+++/*
+++ * Compare two IPv6 addresses
+++ */
+++
++ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++ {
++ 	uint64_t a_high, a_low;
++@@ -89,9 +83,9 @@ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
++ 
++ /*
++  * IPv6 See if the address we have matches the current match entry
++- *
++  */
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry)
+++
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++ {
++ 	struct sockaddr_in6 *ip_to_check;
++ 	struct sockaddr_in6 *match1;
++@@ -103,12 +97,12 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ 	match2 = (struct sockaddr_in6 *)&match_entry->addr2;
++ 
++ 	switch(match_entry->type) {
++-	case IPCHECK_TYPE_ADDRESS:
+++	case CHECK_TYPE_ADDRESS:
++ 		if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
++ 			return 1;
++ 		break;
++ 
++-	case IPCHECK_TYPE_MASK:
+++	case CHECK_TYPE_MASK:
++ 		/*
++ 		 * Note that this little loop will quit early if there is a non-match so the
++ 		 * comparison might look backwards compared to the IPv4 one
++@@ -119,7 +113,7 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ 				return 0;
++ 		}
++ 		return 1;
++-	case IPCHECK_TYPE_RANGE:
+++	case CHECK_TYPE_RANGE:
++ 		if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
++ 		    (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
++ 			return 1;
++@@ -129,24 +123,20 @@ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_match_entry
++ }
++ 
++ 
++-/*
++- * YOU ARE HERE
++- */
++-int ipcheck_validate(struct sockaddr_storage *checkip)
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
++ {
++-	struct ip_match_entry *match_entry;
++-	int (*match_fn)(struct sockaddr_storage *checkip, struct ip_match_entry *match_entry);
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++	int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
++ 
++ 	if (checkip->ss_family == AF_INET){
++-		match_entry = match_entry_head_v4.next;
++ 		match_fn = ip_matches_v4;
++ 	} else {
++-		match_entry = match_entry_head_v6.next;
++ 		match_fn = ip_matches_v6;
++ 	}
+++
++ 	while (match_entry) {
++ 		if (match_fn(checkip, match_entry)) {
++-			if (match_entry->acceptreject == IPCHECK_ACCEPT)
+++			if (match_entry->acceptreject == CHECK_ACCEPT)
++ 				return 1;
++ 			else
++ 				return 0;
++@@ -157,47 +147,42 @@ int ipcheck_validate(struct sockaddr_storage *checkip)
++ }
++ 
++ /*
++- * Routines to manuipulate the lists
+++ * Routines to manuipulate access lists
++  */
++ 
++-void ipcheck_clear(void)
+++void ipcheck_clear(struct acl_match_entry **match_entry_head)
++ {
++-	struct ip_match_entry *match_entry;
++-	struct ip_match_entry *next_match_entry;
+++	struct acl_match_entry *next_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
++ 
++-	match_entry = match_entry_head_v4.next;
++-	while (match_entry) {
++-		next_match_entry = match_entry->next;
++-		free(match_entry);
++-		match_entry = next_match_entry;
++-	}
++-
++-	match_entry = match_entry_head_v6.next;
++ 	while (match_entry) {
++ 		next_match_entry = match_entry->next;
++ 		free(match_entry);
++ 		match_entry = next_match_entry;
++ 	}
+++	*match_entry_head = NULL;
++ }
++ 
++-int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  ipcheck_type_t type, ipcheck_acceptreject_t acceptreject)
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	struct ip_match_entry *match_entry;
++-	struct ip_match_entry *new_match_entry;
+++	struct acl_match_entry *new_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
++ 
++-	if (type == IPCHECK_TYPE_RANGE &&
++-	    (ip1->ss_family != ip2->ss_family))
+++	if (!ip1) {
++ 		return -1;
+++	}
++ 
++-	if (ip1->ss_family == AF_INET){
++-		match_entry = &match_entry_head_v4;
++-	} else {
++-		match_entry = &match_entry_head_v6;
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++		return -1;
++ 	}
++ 
+++	if (type == CHECK_TYPE_RANGE &&
+++	    (ip1->ss_family != ip2->ss_family))
+++		return -1;
++ 
++-	new_match_entry = malloc(sizeof(struct ip_match_entry));
+++	new_match_entry = malloc(sizeof(struct acl_match_entry));
++ 	if (!new_match_entry)
++ 		return -1;
++ 
++@@ -207,12 +192,19 @@ int ipcheck_addip(struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	new_match_entry->acceptreject = acceptreject;
++ 	new_match_entry->next = NULL;
++ 
++-	/* Find the end of the list */
++-	/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++-	while (match_entry->next) {
++-		match_entry = match_entry->next;
+++	if (match_entry) {
+++		/* Find the end of the list */
+++		/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
+++		while (match_entry->next) {
+++			match_entry = match_entry->next;
+++		}
+++		match_entry->next = new_match_entry;
+++	} else {
+++		/*
+++		 * first entry in the list
+++		 */
+++		*match_entry_head = new_match_entry;
++ 	}
++-	match_entry->next = new_match_entry;
++ 
++ 	return 0;
++ }
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 27ac545..1e7f426 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -14,8 +14,13 @@
++ #include <string.h>
++ #include <netdb.h>
++ #include <malloc.h>
+++
+++#include "internals.h"
++ #include "links_acl.h"
++ 
+++static struct acl_match_entry *match_entry_v4;
+++static struct acl_match_entry *match_entry_v6;
+++
++ /* This is a test program .. remember! */
++ #define BUFLEN 1024
++ 
++@@ -31,7 +36,7 @@ static int get_ipaddress(char *buf, struct sockaddr_storage *addr)
++ 	res = getaddrinfo(buf, NULL, &hints, &info);
++ 	if (!res) {
++ 		memmove(addr, info->ai_addr, info->ai_addrlen);
++-		free(info);
+++		freeaddrinfo(info);
++ 	}
++ 	return res;
++ }
++@@ -96,12 +101,13 @@ static int load_file(void)
++ 	char filebuf[BUFLEN];
++ 	int line = 0;
++ 	int ret;
++-	ipcheck_type_t type;
++-	ipcheck_acceptreject_t acceptreject;
+++	check_type_t type;
+++	check_acceptreject_t acceptreject;
++ 	struct sockaddr_storage addr1;
++ 	struct sockaddr_storage addr2;
++ 
++-	ipcheck_clear();
+++	ipcheck_clear(&match_entry_v4);
+++	ipcheck_clear(&match_entry_v6);
++ 
++ 	filterfile = fopen("int_links_acl.txt", "r");
++ 	if (!filterfile) {
++@@ -118,10 +124,10 @@ static int load_file(void)
++ 		 */
++ 		switch(filebuf[0] & 0x5F) {
++ 		case 'A':
++-			acceptreject = IPCHECK_ACCEPT;
+++			acceptreject = CHECK_ACCEPT;
++ 			break;
++ 		case 'R':
++-			acceptreject = IPCHECK_REJECT;
+++			acceptreject = CHECK_REJECT;
++ 			break;
++ 		default:
++ 			fprintf(stderr, "Unknown record type on line %d: %s\n", line, filebuf);
++@@ -136,15 +142,15 @@ static int load_file(void)
++ 		 */
++ 		switch(filebuf[1] & 0x5F) {
++ 		case 'A':
++-			type = IPCHECK_TYPE_ADDRESS;
+++			type = CHECK_TYPE_ADDRESS;
++ 			ret = read_address(filebuf+2, &addr1);
++ 			break;
++ 		case 'M':
++-			type = IPCHECK_TYPE_MASK;
+++			type = CHECK_TYPE_MASK;
++ 			ret = read_mask(filebuf+2, &addr1, &addr2);
++ 			break;
++ 		case 'R':
++-			type = IPCHECK_TYPE_RANGE;
+++			type = CHECK_TYPE_RANGE;
++ 			ret = read_range(filebuf+2, &addr1, &addr2);
++ 			break;
++ 		default:
++@@ -156,7 +162,11 @@ static int load_file(void)
++ 			fprintf(stderr, "Failed to parse address on line %d: %s\n", line, filebuf);
++ 		}
++ 		else {
++-			ipcheck_addip(&addr1, &addr2, type, acceptreject);
+++			if (addr1.ss_family == AF_INET) {
+++				ipcheck_addip(&match_entry_v4, &addr1, &addr2, type, acceptreject);
+++			} else {
+++				ipcheck_addip(&match_entry_v6, &addr1, &addr2, type, acceptreject);
+++			}
++ 		}
++ 	next_record: {} /* empty statement to mollify the compiler */
++ 	}
++@@ -168,6 +178,7 @@ static int load_file(void)
++ int main(int argc, char *argv[])
++ {
++ 	struct sockaddr_storage saddr;
+++	struct acl_match_entry *match_entry;
++ 	int ret;
++ 	int i;
++ 
++@@ -178,16 +189,21 @@ int main(int argc, char *argv[])
++ 		ret = get_ipaddress(argv[i], &saddr);
++ 		if (ret) {
++ 			fprintf(stderr, "Cannot parse address %s\n", argv[i]);
++-		}
++-		else {
++-			if (ipcheck_validate(&saddr)) {
++-				printf("%s is VALID\n", argv[i]);
+++		} else {
+++			if (saddr.ss_family == AF_INET) {
+++				match_entry = match_entry_v4;
+++			} else {
+++				match_entry = match_entry_v6;
++ 			}
++-			else {
+++			if (ipcheck_validate(&match_entry, &saddr)) {
+++				printf("%s is VALID\n", argv[i]);
+++			} else {
++ 				printf("%s is not allowed\n", argv[i]);
++ 			}
++ 		}
++ 	}
++ 
+++	ipcheck_clear(&match_entry_v4);
+++	ipcheck_clear(&match_entry_v6);
++ 	return 0;
++ }
+diff --git a/debian/patches/access-lists-make-internal-API-consistent.patch b/debian/patches/access-lists-make-internal-API-consistent.patch
+new file mode 100644
+index 0000000..a5d000c
+--- /dev/null
++++ b/debian/patches/access-lists-make-internal-API-consistent.patch
+@@ -0,0 +1,73 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 06:53:48 +0100
++Subject: [access lists] make internal API consistent
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit fb462d4f238b98ab685f9efae945a0e527f399ba)
++---
++ libknet/links_acl.h      | 2 +-
++ libknet/links_acl.c      | 6 +++---
++ libknet/threads_rx.c     | 2 +-
++ libknet/transport_sctp.c | 2 +-
++ 4 files changed, 6 insertions(+), 6 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index b083753..f871403 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -37,6 +37,6 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	     check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++-int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
+++int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip);
++ 
++ #endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 93cc5af..8592f1f 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -74,14 +74,14 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ /*
++  * return 0 to reject and 1 to accept a packet
++  */
++-int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
+++int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
++ {
++-	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++	switch(transport_get_proto(knet_h, transport)) {
++ 		case LOOPBACK:
++ 			return 1;
++ 			break;
++ 		case IP_PROTO:
++-			return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++			return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
++ 			break;
++ 		default:
++ 			break;
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 6417261..ae39b38 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -808,7 +808,7 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ 				 */
++ 				if ((knet_h->use_access_lists) &&
++ 				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++-					if (!check_validate(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
+++					if (!check_validate(knet_h, sockfd, transport, msg[i].msg_hdr.msg_name)) {
++ 						char src_ipaddr[KNET_MAX_HOST_LEN];
++ 						char src_port[KNET_MAX_PORT_LEN];
++ 
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 50a237b..ff7903c 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -731,7 +731,7 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ 						addr_str, port_str);
++ 	if (knet_h->use_access_lists) {
++-		if (!check_validate(knet_h, listen_sock, &ss)) {
+++		if (!check_validate(knet_h, listen_sock, KNET_TRANSPORT_SCTP, &ss)) {
++ 			savederrno = EINVAL;
++ 			err = -1;
++ 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+diff --git a/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch b/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+new file mode 100644
+index 0000000..b69fa50
+--- /dev/null
++++ b/debian/patches/access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
+@@ -0,0 +1,72 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:17:57 +0100
++Subject: [access lists] more use of generic wrappers and remove duplicate code
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit be01691050bea1aabe0d8736d2017974d966a1c0)
++---
++ libknet/links_acl.c | 44 ++++++--------------------------------------
++ 1 file changed, 6 insertions(+), 38 deletions(-)
++
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 32763de..85a792d 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -73,51 +73,19 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ 
++ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++-		case LOOPBACK:
++-			/*
++-			 * loopback does not require access lists
++-			 */
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++-					    &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-			break;
++-		default:
++-			break;
++-	}
++-
++-	return err;
+++	return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
+++			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ }
++ 
++ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++-		case LOOPBACK:
++-			/*
++-			 * loopback does not require access lists
++-			 */
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++-					   &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-			break;
++-		default:
++-			break;
++-	}
++-
++-	return err;
+++	return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
+++			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ }
++ 
++ /*
++- *  * return 0 to reject and 1 to accept a packet
++- *   */
+++ * return 0 to reject and 1 to accept a packet
+++ */
++ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++ 	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+diff --git a/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch b/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+new file mode 100644
+index 0000000..a96ab6b
+--- /dev/null
++++ b/debian/patches/access-lists-move-access-lists-structs-and-data-types-to-.patch
+@@ -0,0 +1,168 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:04:20 +0100
++Subject: [access lists] move access lists structs and data types to
++ links_acl.*
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c374aef3fda1c01b282a5baf193e0ac7870d1eb2)
++---
++ libknet/internals.h    | 25 +------------------------
++ libknet/links_acl.h    | 19 +++++++++++++++++++
++ libknet/links_acl_ip.h |  1 +
++ libknet/links_acl.c    | 12 ++++++------
++ libknet/links_acl_ip.c |  1 +
++ 5 files changed, 28 insertions(+), 30 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 78e718d..0d6ee3f 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -129,35 +129,12 @@ struct knet_sock {
++ 			  * and socket has been removed from epoll */
++ };
++ 
++-/*
++- * access lists
++- */
++-
++-typedef enum {
++-	CHECK_TYPE_ADDRESS,
++-	CHECK_TYPE_MASK,
++-	CHECK_TYPE_RANGE
++-} check_type_t;
++-
++-typedef	enum {
++-	CHECK_ACCEPT,
++-	CHECK_REJECT
++-} check_acceptreject_t;
++-
++-struct acl_match_entry {
++-	check_type_t type;
++-	check_acceptreject_t acceptreject;
++-	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
++-	struct sockaddr_storage addr2; /* high IP address or address bitmask */
++-	struct acl_match_entry *next;
++-};
++-
++ struct knet_fd_trackers {
++ 	uint8_t transport; /* transport type (UDP/SCTP...) */
++ 	uint8_t data_type; /* internal use for transport to define what data are associated
++ 			    * to this fd */
++ 	void *data;	   /* pointer to the data */
++-	struct acl_match_entry *match_entry;
+++	void *match_entry; /* pointer to access list match_entry list head */
++ };
++ 
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 9a20754..020ec05 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,6 +11,25 @@
++ 
++ #include "internals.h"
++ 
+++typedef enum {
+++	CHECK_TYPE_ADDRESS,
+++	CHECK_TYPE_MASK,
+++	CHECK_TYPE_RANGE
+++} check_type_t;
+++
+++typedef enum {
+++	CHECK_ACCEPT,
+++	CHECK_REJECT
+++} check_acceptreject_t;
+++
+++struct acl_match_entry {
+++	check_type_t type;
+++	check_acceptreject_t acceptreject;
+++	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
+++	struct sockaddr_storage addr2; /* high IP address or address bitmask */
+++	struct acl_match_entry *next;
+++};
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	      check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index 575b5ff..9e21e00 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -10,6 +10,7 @@
++ #define __KNET_LINKS_ACL_IP_H__
++ 
++ #include "internals.h"
+++#include "links_acl.h"
++ 
++ int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
++ 
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 34bcce3..32763de 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -28,7 +28,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ 					    ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -48,7 +48,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
++ 					   ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -64,7 +64,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ 			return;
++ 			break;
++ 		case IP_PROTO:
++-			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++			ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
++ 			break;
++ 		default:
++ 			break;
++@@ -83,7 +83,7 @@ int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++			err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++ 					    &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 			break;
++ 		default:
++@@ -105,7 +105,7 @@ int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++			err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++ 					   &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 			break;
++ 		default:
++@@ -125,7 +125,7 @@ int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct socka
++ 			return 1;
++ 			break;
++ 		case IP_PROTO:
++-			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++			return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
++ 			break;
++ 		default:
++ 			break;
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index edc3ae1..2aef14b 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -15,6 +15,7 @@
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
+++#include "links_acl.h"
++ #include "links_acl_ip.h"
++ 
++ /*
+diff --git a/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch b/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+new file mode 100644
+index 0000000..6f3b9d3
+--- /dev/null
++++ b/debian/patches/access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
+@@ -0,0 +1,1025 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 04:53:23 +0100
++Subject: [access lists] move all acl wrappers to links_acl* and split
++ links_acl_ip to their own files
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 0cb8e8bab46b30487a4821004ee757ee8f9eb91e)
++---
++ libknet/Makefile.am           |   2 +
++ libknet/tests/Makefile.am     |  12 +-
++ libknet/links_acl.h           |  20 +--
++ libknet/links_acl_ip.h        |  25 ++++
++ libknet/links.c               |  53 +------
++ libknet/links_acl.c           | 322 ++++++++++++------------------------------
++ libknet/links_acl_ip.c        | 277 ++++++++++++++++++++++++++++++++++++
++ libknet/tests/int_links_acl.c |   9 +-
++ libknet/threads_rx.c          |  25 +---
++ libknet/transport_sctp.c      |  24 ++--
++ 10 files changed, 438 insertions(+), 331 deletions(-)
++ create mode 100644 libknet/links_acl_ip.h
++ create mode 100644 libknet/links_acl_ip.c
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 4ea42d9..b60427c 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -32,6 +32,7 @@ sources			= \
++ 			  host.c \
++ 			  links.c \
++ 			  links_acl.c \
+++			  links_acl_ip.c \
++ 			  logging.c \
++ 			  netutils.c \
++ 			  threads_common.c \
++@@ -63,6 +64,7 @@ noinst_HEADERS		= \
++ 			  internals.h \
++ 			  links.h \
++ 			  links_acl.h \
+++			  links_acl_ip.h \
++ 			  logging.h \
++ 			  netutils.h \
++ 			  onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index f74cb04..d46553a 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -68,7 +68,17 @@ check-api-test-coverage:
++ pckt_test_SOURCES	= pckt_test.c
++ 
++ int_links_acl_test_SOURCES = int_links_acl.c \
++-			     ../links_acl.c
+++			     ../common.c \
+++			     ../logging.c \
+++			     ../netutils.c \
+++			     ../threads_common.c \
+++			     ../transports.c \
+++			     ../transport_common.c \
+++			     ../transport_loopback.c \
+++			     ../transport_sctp.c \
+++			     ../transport_udp.c \
+++			     ../links_acl.c \
+++			     ../links_acl_ip.c
++ 
++ int_timediff_test_SOURCES = int_timediff.c
++ 
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index f4713d6..9a20754 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -11,15 +11,15 @@
++ 
++ #include "internals.h"
++ 
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	      check_type_t type, check_acceptreject_t acceptreject);
+++int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+++	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	     check_type_t type, check_acceptreject_t acceptreject);
+++void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
+++int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++ 
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  check_type_t type, check_acceptreject_t acceptreject);
++-
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  check_type_t type, check_acceptreject_t acceptreject);
++-
++-void check_rmall(struct acl_match_entry **match_entry_head);
++ #endif
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++new file mode 100644
++index 0000000..575b5ff
++--- /dev/null
+++++ b/libknet/links_acl_ip.h
++@@ -0,0 +1,25 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#ifndef __KNET_LINKS_ACL_IP_H__
+++#define __KNET_LINKS_ACL_IP_H__
+++
+++#include "internals.h"
+++
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip);
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject);
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject);
+++
+++void ipcheck_rmall(struct acl_match_entry **match_entry_head);
+++#endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 85b50e5..07ef26e 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -22,55 +22,6 @@
++ #include "threads_common.h"
++ #include "links_acl.h"
++ 
++-static void _link_del_all_acl(knet_handle_t knet_h, int sock)
++-{
++-	check_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
++-}
++-
++-static int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++-		case LOOPBACK:
++-			/*
++-			 * loopback does not require access lists
++-			 */
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++-					    &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-			break;
++-		default:
++-			break;
++-	}
++-
++-	return err;
++-}
++-
++-static int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
++-		case LOOPBACK:
++-			/*
++-			 * loopback does not require access lists
++-			 */
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
++-					   &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-			break;
++-		default:
++-			break;
++-	}
++-
++-	return err;
++-}
++-
++ int _link_updown(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
++ 		 unsigned int enabled, unsigned int connected)
++ {
++@@ -420,6 +371,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	struct knet_host *host;
++ 	struct knet_link *link;
++ 	int sock;
+++	uint8_t transport;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -488,6 +440,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * will clear link info during clear_config.
++ 	 */
++ 	sock = link->outsock;
+++	transport = link->transport_type;
++ 
++ 	if ((transport_link_clear_config(knet_h, link) < 0)  &&
++ 	    (errno != EBUSY)) {
++@@ -502,7 +455,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 */
++ 	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
++ 	    (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++-		_link_del_all_acl(knet_h, sock);
+++		check_rmall(knet_h, sock, transport);
++ 	}
++ 
++ 	memset(link, 0, sizeof(struct knet_link));
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 854f273..34bcce3 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -6,8 +6,6 @@
++  * This software licensed under GPL-2.0+, LGPL-2.0+
++  */
++ 
++-#include <sys/socket.h>
++-#include <netinet/in.h>
++ #include <stdint.h>
++ #include <string.h>
++ #include <stdlib.h>
++@@ -15,265 +13,125 @@
++ #include "internals.h"
++ #include "logging.h"
++ #include "transports.h"
+++#include "transport_common.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++ 
++-/*
++- * s6_addr32 is not defined in BSD userland, only kernel.
++- * definition is the same as linux and it works fine for
++- * what we need.
++- */
++-#ifndef s6_addr32
++-#define s6_addr32 __u6_addr.__u6_addr32
++-#endif
++-
++-/*
++- * IPv4 See if the address we have matches the current match entry
++- */
++-
++-static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++-{
++-	struct sockaddr_in *ip_to_check;
++-	struct sockaddr_in *match1;
++-	struct sockaddr_in *match2;
++-
++-	ip_to_check = (struct sockaddr_in *)checkip;
++-	match1 = (struct sockaddr_in *)&match_entry->addr1;
++-	match2 = (struct sockaddr_in *)&match_entry->addr2;
++-
++-	switch(match_entry->type) {
++-	case CHECK_TYPE_ADDRESS:
++-		if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
++-			return 1;
++-		break;
++-	case CHECK_TYPE_MASK:
++-		if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
++-		    match1->sin_addr.s_addr)
++-			return 1;
++-		break;
++-	case CHECK_TYPE_RANGE:
++-		if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
++-		    (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
++-			return 1;
++-		break;
++-
++-	}
++-	return 0;
++-}
++-
++-/*
++- * Compare two IPv6 addresses
++- */
++-
++-static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
+++int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
+++	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	      check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	uint64_t a_high, a_low;
++-	uint64_t b_high, b_low;
+++	int err = -1;
++ 
++-	/* Not sure why '&' doesn't work below, so I used '+' instead which is effectively
++-	   the same thing because the bottom 32bits are always zero and the value unsigned */
++-	a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) + (uint64_t)htonl(a->s6_addr32[1]);
++-	a_low  = ((uint64_t)htonl(a->s6_addr32[2]) << 32) + (uint64_t)htonl(a->s6_addr32[3]);
++-
++-	b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) + (uint64_t)htonl(b->s6_addr32[1]);
++-	b_low  = ((uint64_t)htonl(b->s6_addr32[2]) << 32) + (uint64_t)htonl(b->s6_addr32[3]);
++-
++-	if (a_high > b_high)
++-		return 1;
++-	if (a_high < b_high)
++-		return -1;
++-
++-	if (a_low > b_low)
++-		return 1;
++-	if (a_low < b_low)
++-		return -1;
++-
++-	return 0;
++-}
++-
++-/*
++- * IPv6 See if the address we have matches the current match entry
++- */
++-
++-static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
++-{
++-	struct sockaddr_in6 *ip_to_check;
++-	struct sockaddr_in6 *match1;
++-	struct sockaddr_in6 *match2;
++-	int i;
++-
++-	ip_to_check = (struct sockaddr_in6 *)checkip;
++-	match1 = (struct sockaddr_in6 *)&match_entry->addr1;
++-	match2 = (struct sockaddr_in6 *)&match_entry->addr2;
++-
++-	switch(match_entry->type) {
++-	case CHECK_TYPE_ADDRESS:
++-		if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
++-			return 1;
++-		break;
++-
++-	case CHECK_TYPE_MASK:
++-		/*
++-		 * Note that this little loop will quit early if there is a non-match so the
++-		 * comparison might look backwards compared to the IPv4 one
++-		 */
++-		for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
++-			if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
++-			    match1->sin6_addr.s6_addr32[i])
++-				return 0;
++-		}
++-		return 1;
++-	case CHECK_TYPE_RANGE:
++-		if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
++-		    (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
++-			return 1;
++-		break;
+++	switch(transport_get_proto(knet_h, transport)) {
+++		case LOOPBACK:
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++					    ip1, ip2, type, acceptreject);
+++			break;
+++		default:
+++			break;
++ 	}
++-	return 0;
+++	return err;
++ }
++ 
++-
++-int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+++	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	     check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-	int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++	int err = -1;
++ 
++-	if (checkip->ss_family == AF_INET){
++-		match_fn = ip_matches_v4;
++-	} else {
++-		match_fn = ip_matches_v6;
++-	}
++-
++-	while (match_entry) {
++-		if (match_fn(checkip, match_entry)) {
++-			if (match_entry->acceptreject == CHECK_ACCEPT)
++-				return 1;
++-			else
++-				return 0;
++-		}
++-		match_entry = match_entry->next;
+++	switch(transport_get_proto(knet_h, transport)) {
+++		case LOOPBACK:
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++					   ip1, ip2, type, acceptreject);
+++			break;
+++		default:
+++			break;
++ 	}
++-	return 0; /* Default reject */
+++	return err;
++ }
++ 
++-/*
++- * Routines to manuipulate access lists
++- */
++-
++-void check_rmall(struct acl_match_entry **match_entry_head)
+++void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ {
++-	struct acl_match_entry *next_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-
++-	while (match_entry) {
++-		next_match_entry = match_entry->next;
++-		free(match_entry);
++-		match_entry = next_match_entry;
+++	switch(transport_get_proto(knet_h, transport)) {
+++		case LOOPBACK:
+++			return;
+++			break;
+++		case IP_PROTO:
+++			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++			break;
+++		default:
+++			break;
++ 	}
++-	*match_entry_head = NULL;
++ }
++ 
++-static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
++-						 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-						 check_type_t type, check_acceptreject_t acceptreject)
+++int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-
++-	while (match_entry) {
++-		if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++-		    (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
++-		    (match_entry->type == type) &&
++-		    (match_entry->acceptreject == acceptreject)) {
++-			return match_entry;
++-		}
++-		match_entry = match_entry->next;
+++	int err = -1;
+++
+++	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++		case LOOPBACK:
+++			/*
+++			 * loopback does not require access lists
+++			 */
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++					    &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++			break;
+++		default:
+++			break;
++ 	}
++ 
++-	return NULL;
+++	return err;
++ }
++ 
++-int ipcheck_rmip(struct acl_match_entry **match_entry_head,
++-		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		 check_type_t type, check_acceptreject_t acceptreject)
+++int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++ {
++-	struct acl_match_entry *next_match_entry = NULL;
++-	struct acl_match_entry *rm_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-
++-	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
++-	if (!rm_match_entry) {
++-		return -1;
++-	}
++-
++-	while (match_entry) {
++-		next_match_entry = match_entry->next;
++-		/*
++-		 * we are removing the list head, be careful
++-		 */
++-		if (rm_match_entry == match_entry) {
++-			*match_entry_head = next_match_entry;
++-			free(match_entry);
+++	int err = -1;
+++
+++	switch(transport_get_proto(knet_h, kh_link->transport_type)) {
+++		case LOOPBACK:
+++			/*
+++			 * loopback does not require access lists
+++			 */
+++			err = 0;
+++			break;
+++		case IP_PROTO:
+++			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
+++					   &kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 			break;
++-		}
++-		/*
++-		 * the next one is the one we need to remove
++-		 */
++-		if (rm_match_entry == next_match_entry) {
++-			match_entry->next = next_match_entry->next;
++-			free(next_match_entry);
+++		default:
++ 			break;
++-		}
++-		match_entry = next_match_entry;
++ 	}
++ 
++-	return 0;
+++	return err;
++ }
++ 
++-int ipcheck_addip(struct acl_match_entry **match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++-		  check_type_t type, check_acceptreject_t acceptreject)
+++/*
+++ *  * return 0 to reject and 1 to accept a packet
+++ *   */
+++int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
++ {
++-	struct acl_match_entry *new_match_entry;
++-	struct acl_match_entry *match_entry = *match_entry_head;
++-
++-	if (!ip1) {
++-		return -1;
++-	}
++-
++-	if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
++-		return -1;
++-	}
++-
++-	if (type == CHECK_TYPE_RANGE &&
++-	    (ip1->ss_family != ip2->ss_family))
++-		return -1;
++-
++-	if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
++-		return -1;
++-	}
++-
++-	new_match_entry = malloc(sizeof(struct acl_match_entry));
++-	if (!new_match_entry)
++-		return -1;
++-
++-	memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++-	memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
++-	new_match_entry->type = type;
++-	new_match_entry->acceptreject = acceptreject;
++-	new_match_entry->next = NULL;
++-
++-	if (match_entry) {
++-		/* Find the end of the list */
++-		/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
++-		while (match_entry->next) {
++-			match_entry = match_entry->next;
++-		}
++-		match_entry->next = new_match_entry;
++-	} else {
++-		/*
++-		 * first entry in the list
++-		 */
++-		*match_entry_head = new_match_entry;
+++	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+++		case LOOPBACK:
+++			return 1;
+++			break;
+++		case IP_PROTO:
+++			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
+++			break;
+++		default:
+++			break;
++ 	}
++-
+++	/*
+++	 * reject by default
+++	 */
++ 	return 0;
++ }
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++new file mode 100644
++index 0000000..edc3ae1
++--- /dev/null
+++++ b/libknet/links_acl_ip.c
++@@ -0,0 +1,277 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include <sys/socket.h>
+++#include <netinet/in.h>
+++#include <stdint.h>
+++#include <string.h>
+++#include <stdlib.h>
+++
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl_ip.h"
+++
+++/*
+++ * s6_addr32 is not defined in BSD userland, only kernel.
+++ * definition is the same as linux and it works fine for
+++ * what we need.
+++ */
+++#ifndef s6_addr32
+++#define s6_addr32 __u6_addr.__u6_addr32
+++#endif
+++
+++/*
+++ * IPv4 See if the address we have matches the current match entry
+++ */
+++
+++static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++{
+++	struct sockaddr_in *ip_to_check;
+++	struct sockaddr_in *match1;
+++	struct sockaddr_in *match2;
+++
+++	ip_to_check = (struct sockaddr_in *)checkip;
+++	match1 = (struct sockaddr_in *)&match_entry->addr1;
+++	match2 = (struct sockaddr_in *)&match_entry->addr2;
+++
+++	switch(match_entry->type) {
+++	case CHECK_TYPE_ADDRESS:
+++		if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
+++			return 1;
+++		break;
+++	case CHECK_TYPE_MASK:
+++		if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
+++		    match1->sin_addr.s_addr)
+++			return 1;
+++		break;
+++	case CHECK_TYPE_RANGE:
+++		if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
+++		    (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
+++			return 1;
+++		break;
+++
+++	}
+++	return 0;
+++}
+++
+++/*
+++ * Compare two IPv6 addresses
+++ */
+++
+++static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
+++{
+++	uint64_t a_high, a_low;
+++	uint64_t b_high, b_low;
+++
+++	a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) | (uint64_t)htonl(a->s6_addr32[1]);
+++	a_low  = ((uint64_t)htonl(a->s6_addr32[2]) << 32) | (uint64_t)htonl(a->s6_addr32[3]);
+++
+++	b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) | (uint64_t)htonl(b->s6_addr32[1]);
+++	b_low  = ((uint64_t)htonl(b->s6_addr32[2]) << 32) | (uint64_t)htonl(b->s6_addr32[3]);
+++
+++	if (a_high > b_high)
+++		return 1;
+++	if (a_high < b_high)
+++		return -1;
+++
+++	if (a_low > b_low)
+++		return 1;
+++	if (a_low < b_low)
+++		return -1;
+++
+++	return 0;
+++}
+++
+++/*
+++ * IPv6 See if the address we have matches the current match entry
+++ */
+++
+++static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
+++{
+++	struct sockaddr_in6 *ip_to_check;
+++	struct sockaddr_in6 *match1;
+++	struct sockaddr_in6 *match2;
+++	int i;
+++
+++	ip_to_check = (struct sockaddr_in6 *)checkip;
+++	match1 = (struct sockaddr_in6 *)&match_entry->addr1;
+++	match2 = (struct sockaddr_in6 *)&match_entry->addr2;
+++
+++	switch(match_entry->type) {
+++	case CHECK_TYPE_ADDRESS:
+++		if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
+++			return 1;
+++		break;
+++
+++	case CHECK_TYPE_MASK:
+++		/*
+++		 * Note that this little loop will quit early if there is a non-match so the
+++		 * comparison might look backwards compared to the IPv4 one
+++		 */
+++		for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
+++			if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
+++			    match1->sin6_addr.s6_addr32[i])
+++				return 0;
+++		}
+++		return 1;
+++	case CHECK_TYPE_RANGE:
+++		if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
+++		    (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
+++			return 1;
+++		break;
+++	}
+++	return 0;
+++}
+++
+++
+++int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
+++{
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++	int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
+++
+++	if (checkip->ss_family == AF_INET){
+++		match_fn = ip_matches_v4;
+++	} else {
+++		match_fn = ip_matches_v6;
+++	}
+++
+++	while (match_entry) {
+++		if (match_fn(checkip, match_entry)) {
+++			if (match_entry->acceptreject == CHECK_ACCEPT)
+++				return 1;
+++			else
+++				return 0;
+++		}
+++		match_entry = match_entry->next;
+++	}
+++	return 0; /* Default reject */
+++}
+++
+++/*
+++ * Routines to manuipulate access lists
+++ */
+++
+++void ipcheck_rmall(struct acl_match_entry **match_entry_head)
+++{
+++	struct acl_match_entry *next_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	while (match_entry) {
+++		next_match_entry = match_entry->next;
+++		free(match_entry);
+++		match_entry = next_match_entry;
+++	}
+++	*match_entry_head = NULL;
+++}
+++
+++static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
+++						 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++						 check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	while (match_entry) {
+++		if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
+++		    (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++		    (match_entry->type == type) &&
+++		    (match_entry->acceptreject == acceptreject)) {
+++			return match_entry;
+++		}
+++		match_entry = match_entry->next;
+++	}
+++
+++	return NULL;
+++}
+++
+++int ipcheck_rmip(struct acl_match_entry **match_entry_head,
+++		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		 check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	struct acl_match_entry *next_match_entry = NULL;
+++	struct acl_match_entry *rm_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++	if (!rm_match_entry) {
+++		return -1;
+++	}
+++
+++	while (match_entry) {
+++		next_match_entry = match_entry->next;
+++		/*
+++		 * we are removing the list head, be careful
+++		 */
+++		if (rm_match_entry == match_entry) {
+++			*match_entry_head = next_match_entry;
+++			free(match_entry);
+++			break;
+++		}
+++		/*
+++		 * the next one is the one we need to remove
+++		 */
+++		if (rm_match_entry == next_match_entry) {
+++			match_entry->next = next_match_entry->next;
+++			free(next_match_entry);
+++			break;
+++		}
+++		match_entry = next_match_entry;
+++	}
+++
+++	return 0;
+++}
+++
+++int ipcheck_addip(struct acl_match_entry **match_entry_head,
+++		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	struct acl_match_entry *new_match_entry;
+++	struct acl_match_entry *match_entry = *match_entry_head;
+++
+++	if (!ip1) {
+++		return -1;
+++	}
+++
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++		return -1;
+++	}
+++
+++	if (type == CHECK_TYPE_RANGE &&
+++	    (ip1->ss_family != ip2->ss_family))
+++		return -1;
+++
+++	if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++		return -1;
+++	}
+++
+++	new_match_entry = malloc(sizeof(struct acl_match_entry));
+++	if (!new_match_entry)
+++		return -1;
+++
+++	memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
+++	memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
+++	new_match_entry->type = type;
+++	new_match_entry->acceptreject = acceptreject;
+++	new_match_entry->next = NULL;
+++
+++	if (match_entry) {
+++		/* Find the end of the list */
+++		/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
+++		while (match_entry->next) {
+++			match_entry = match_entry->next;
+++		}
+++		match_entry->next = new_match_entry;
+++	} else {
+++		/*
+++		 * first entry in the list
+++		 */
+++		*match_entry_head = new_match_entry;
+++	}
+++
+++	return 0;
+++}
++diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
++index 133cd5a..8d9f4e0 100644
++--- a/libknet/tests/int_links_acl.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -16,6 +16,7 @@
++ 
++ #include "internals.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++ 
++ static struct acl_match_entry *match_entry_v4;
++ static struct acl_match_entry *match_entry_v6;
++@@ -105,8 +106,8 @@ static int load_file(void)
++ 	struct sockaddr_storage addr1;
++ 	struct sockaddr_storage addr2;
++ 
++-	check_rmall(&match_entry_v4);
++-	check_rmall(&match_entry_v6);
+++	ipcheck_rmall(&match_entry_v4);
+++	ipcheck_rmall(&match_entry_v6);
++ 
++ 	filterfile = fopen("int_links_acl.txt", "r");
++ 	if (!filterfile) {
++@@ -202,7 +203,7 @@ int main(int argc, char *argv[])
++ 		}
++ 	}
++ 
++-	check_rmall(&match_entry_v4);
++-	check_rmall(&match_entry_v6);
+++	ipcheck_rmall(&match_entry_v4);
+++	ipcheck_rmall(&match_entry_v6);
++ 	return 0;
++ }
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 833938d..06a0168 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -721,27 +721,6 @@ out_pmtud:
++ 	}
++ }
++ 
++-/*
++- * return 0 to reject and 1 to accept a packet
++- */
++-static int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
++-{
++-	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
++-		case LOOPBACK:
++-			return 1;
++-			break;
++-		case IP_PROTO:
++-			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, msg->msg_hdr.msg_name);
++-			break;
++-		default:
++-			break;
++-	}
++-	/*
++-	 * reject by default
++-	 */
++-	return 0;
++-}
++-
++ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
++ {
++ 	int err, savederrno;
++@@ -829,13 +808,13 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
++ 				 */
++ 				if ((knet_h->use_access_lists) &&
++ 				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
++-					if (!_generic_filter_packet_by_acl(knet_h, sockfd, &msg[i])) {
+++					if (!_generic_filter_packet_by_acl(knet_h, sockfd, msg[i].msg_hdr.msg_name)) {
++ 						char src_ipaddr[KNET_MAX_HOST_LEN];
++ 						char src_port[KNET_MAX_PORT_LEN];
++ 
++ 						memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
++ 						memset(src_port, 0, KNET_MAX_PORT_LEN);
++-						knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+++						knet_addrtostr(msg[i].msg_hdr.msg_name, sockaddr_len(msg[i].msg_hdr.msg_name),
++ 							       src_ipaddr, KNET_MAX_HOST_LEN,
++ 							       src_port, KNET_MAX_PORT_LEN);
++ 
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index 0d69a33..ce3e98e 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -20,6 +20,7 @@
++ #include "host.h"
++ #include "links.h"
++ #include "links_acl.h"
+++#include "links_acl_ip.h"
++ #include "logging.h"
++ #include "common.h"
++ #include "transport_common.h"
++@@ -730,12 +731,13 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
++ 						addr_str, port_str);
++ 	if (knet_h->use_access_lists) {
++-		if (!ipcheck_validate(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry, &ss)) {
+++		if (!_generic_filter_packet_by_acl(knet_h, listen_sock, &ss)) {
++ 			savederrno = EINVAL;
++ 			err = -1;
++ 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
++ 			close(new_fd);
++-			goto exit_error;
+++			errno = savederrno;
+++			return;
++ 		}
++ 	}
++ 
++@@ -946,8 +948,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 	 */
++ 	knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
++ 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
++-					    &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++			err = check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++					&kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 			if (err) {
++ 				return NULL;
++ 			}
++@@ -1005,8 +1007,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
++ 		goto exit_error;
++ 	}
++ 
++-	if (ipcheck_addip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
++-			  &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++	if (check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++		      &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
++ 		savederrno = errno;
++ 		err = -1;
++ 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
++@@ -1036,8 +1038,8 @@ exit_error:
++ 		if (info->on_listener_epoll) {
++ 			epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
++ 		}
++-		ipcheck_rmip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
++-			     &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+++		check_rm(knet_h, listen_sock, KNET_TRANSPORT_SCTP,
+++			 &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++ 		if (listen_sock >= 0) {
++ 			close(listen_sock);
++ 		}
++@@ -1076,8 +1078,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ 		}
++ 	}
++ 
++-	if (ipcheck_rmip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
++-			 &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+++	if (check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+++		     &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
++ 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
++ 	}
++ 
++@@ -1111,7 +1113,7 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
++ 		goto exit_error;
++ 	}
++ 
++-	check_rmall(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry);
+++	check_rmall(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP);
++ 
++ 	close(info->listen_sock);
++ 
+diff --git a/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch b/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+new file mode 100644
+index 0000000..7fd5b1c
+--- /dev/null
++++ b/debian/patches/access-lists-remove-2-unnecessary-wrappers.patch
+@@ -0,0 +1,70 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:29:07 +0100
++Subject: [access lists] remove 2 unnecessary wrappers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit f5cba0f7608bed1e142f30c9e04e05b4ba56606c)
++---
++ libknet/links_acl.h |  3 ---
++ libknet/links.c     |  8 ++++++--
++ libknet/links_acl.c | 12 ------------
++ 3 files changed, 6 insertions(+), 17 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 0ad50e6..b083753 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -39,7 +39,4 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++ int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip);
++ 
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link);
++-
++ #endif
++diff --git a/libknet/links.c b/libknet/links.c
++index 07ef26e..1693df6 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -245,7 +245,9 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++ 		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
++ 			  host_id, link_id, link->outsock);
++-		if (_link_add_default_acl(knet_h, link) < 0) {
+++		if (check_add(knet_h, link->outsock, transport,
+++			      &link->dst_addr, &link->dst_addr,
+++			      CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ 			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
++ 			savederrno = errno;
++ 			err = -1;
++@@ -426,7 +428,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 */
++ 	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++-		if (_link_rm_default_acl(knet_h, link) < 0) {
+++		if (check_rm(knet_h, link->outsock, link->transport_type,
+++			     &link->dst_addr, &link->dst_addr,
+++			     CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ 			err = -1;
++ 			savederrno = EBUSY;
++ 			log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index 520a934..93cc5af 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -91,15 +91,3 @@ int check_validate(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *ch
++ 	 */
++ 	return 0;
++ }
++-
++-int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	return check_add(knet_h, kh_link->outsock, kh_link->transport_type,
++-			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
++-
++-int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
++-{
++-	return check_rm(knet_h, kh_link->outsock, kh_link->transport_type,
++-			&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
++-}
+diff --git a/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch b/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+new file mode 100644
+index 0000000..a4628d7
+--- /dev/null
++++ b/debian/patches/access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
+@@ -0,0 +1,219 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 28 Feb 2019 08:22:43 +0100
++Subject: [access lists] rename ip1/2 to ss1/2 to keep it more generic
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 118c7c415fbe9e47137c34607f26ac9b5b42fbf4)
++---
++ libknet/links_acl.h          |  8 ++++----
++ libknet/links_acl_ip.h       |  4 ++--
++ libknet/links_acl_loopback.h |  4 ++--
++ libknet/links_acl.c          |  8 ++++----
++ libknet/links_acl_ip.c       | 24 ++++++++++++------------
++ libknet/links_acl_loopback.c |  4 ++--
++ 6 files changed, 26 insertions(+), 26 deletions(-)
++
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index cc4fdaf..a64faa1 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -28,21 +28,21 @@ typedef struct {
++ 	int (*protocheck_validate)	(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++ 	int (*protocheck_add)		(void *fd_tracker_match_entry_head,
++-					 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++					 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 					 check_type_t type, check_acceptreject_t acceptreject);
++ 
++ 	int (*protocheck_rm)		(void *fd_tracker_match_entry_head,
++-					 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++					 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 					 check_type_t type, check_acceptreject_t acceptreject);
++ 
++ 	void (*protocheck_rmall)	(void *fd_tracker_match_entry_head);
++ } check_ops_t;
++ 
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++-	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	      check_type_t type, check_acceptreject_t acceptreject);
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++-	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	     check_type_t type, check_acceptreject_t acceptreject);
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
++ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip);
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index c475db9..e069b99 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -15,11 +15,11 @@
++ int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++ int ipcheck_addip(void *fd_tracker_match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		  check_type_t type, check_acceptreject_t acceptreject);
++ 
++ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++-		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		 check_type_t type, check_acceptreject_t acceptreject);
++ 
++ void ipcheck_rmall(void *fd_tracker_match_entry_head);
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index 0f86222..73a9704 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -15,11 +15,11 @@
++ int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
++ 
++ int loopbackcheck_add(void *fd_tracker_match_entry_head,
++-		      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		      check_type_t type, check_acceptreject_t acceptreject);
++ 
++ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++-		     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		     check_type_t type, check_acceptreject_t acceptreject);
++ 
++ void loopbackcheck_rmall(void *fd_tracker_match_entry_head);
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index a941dde..0b1fcd0 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -32,21 +32,21 @@ static check_ops_t proto_check_modules_cmds[] = {
++  */
++ 
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++-	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	      check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
++ 			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++-			ip1, ip2, type, acceptreject);
+++			ss1, ss2, type, acceptreject);
++ }
++ 
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++-	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++	     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 	     check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm(
++ 			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++-			ip1, ip2, type, acceptreject);
+++			ss1, ss2, type, acceptreject);
++ }
++ 
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index e72a382..2682a70 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -185,14 +185,14 @@ void ipcheck_rmall(void *fd_tracker_match_entry_head)
++ }
++ 
++ static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head,
++-						 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++						 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 						 check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++ 	while (match_entry) {
++-		if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
++-		    (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
+++		if ((!memcmp(&match_entry->addr1, ss1, sizeof(struct sockaddr_storage))) &&
+++		    (!memcmp(&match_entry->addr2, ss2, sizeof(struct sockaddr_storage))) &&
++ 		    (match_entry->type == type) &&
++ 		    (match_entry->acceptreject == acceptreject)) {
++ 			return match_entry;
++@@ -204,7 +204,7 @@ static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **
++ }
++ 
++ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++-		 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		 check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++@@ -212,7 +212,7 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ 	struct ip_acl_match_entry *rm_match_entry;
++ 	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++-	rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
+++	rm_match_entry = ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject);
++ 	if (!rm_match_entry) {
++ 		errno = ENOENT;
++ 		return -1;
++@@ -243,30 +243,30 @@ int ipcheck_rmip(void *fd_tracker_match_entry_head,
++ }
++ 
++ int ipcheck_addip(void *fd_tracker_match_entry_head,
++-		  struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		  check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
++ 	struct ip_acl_match_entry *new_match_entry;
++ 	struct ip_acl_match_entry *match_entry = *match_entry_head;
++ 
++-	if (!ip1) {
+++	if (!ss1) {
++ 		errno = EINVAL;
++ 		return -1;
++ 	}
++ 
++-	if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
+++	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
++ 		errno = EINVAL;
++ 		return -1;
++ 	}
++ 
++ 	if (type == CHECK_TYPE_RANGE &&
++-	    (ip1->ss_family != ip2->ss_family)) {
+++	    (ss1->ss_family != ss2->ss_family)) {
++ 		errno = EINVAL;
++ 		return -1;
++ 	}
++ 
++-	if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
+++	if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) {
++ 		errno = EEXIST;
++ 		return -1;
++ 	}
++@@ -276,8 +276,8 @@ int ipcheck_addip(void *fd_tracker_match_entry_head,
++ 		return -1;
++ 	}
++ 
++-	memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
++-	memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
+++	memmove(&new_match_entry->addr1, ss1, sizeof(struct sockaddr_storage));
+++	memmove(&new_match_entry->addr2, ss2, sizeof(struct sockaddr_storage));
++ 	new_match_entry->type = type;
++ 	new_match_entry->acceptreject = acceptreject;
++ 	new_match_entry->next = NULL;
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 42559f3..bb69130 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -27,14 +27,14 @@ void loopbackcheck_rmall(void *fd_tracker_match_entry_head)
++ }
++ 
++ int loopbackcheck_rm(void *fd_tracker_match_entry_head,
++-		     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		     check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	return 0;
++ }
++ 
++ int loopbackcheck_add(void *fd_tracker_match_entry_head,
++-		      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
++ 		      check_type_t type, check_acceptreject_t acceptreject)
++ {
++ 	return 0;
+diff --git a/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch b/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+new file mode 100644
+index 0000000..91c2bb8
+--- /dev/null
++++ b/debian/patches/access-lists-test-implicit-access-lists-management-for-UD.patch
+@@ -0,0 +1,50 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 5 Mar 2019 05:16:29 +0100
++Subject: [access lists] test implicit access lists management for UDP,
++ SCTP and LOOPBACK
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dc7731abeff323785291207b91d23173bf0bb458)
++---
++ libknet/tests/api_knet_send.c          | 8 ++++++++
++ libknet/tests/api_knet_send_loopback.c | 8 ++++++++
++ 2 files changed, 16 insertions(+)
++
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index 1c55db1..9e81d03 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -145,6 +145,14 @@ static void test(uint8_t transport)
++ 
++ 	printf("Test knet_send with valid data\n");
++ 
+++	if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++		printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
++ 	if (knet_handle_enable_sock_notify(knet_h, &private_data, sock_notify) < 0) {
++ 		printf("knet_handle_enable_sock_notify failed: %s\n", strerror(errno));
++ 		knet_handle_free(knet_h);
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 16a4624..0cfd29f 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -168,6 +168,14 @@ static void test(void)
++ 	flush_logs(logfds[0], stdout);
++ 	printf("Test knet_send with valid data\n");
++ 
+++	if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++		printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
++ 	if (knet_link_clear_config(knet_h, 1, 0) < 0) {
++ 		printf("Failed to clear existing UDP link: %s\n", strerror(errno));
++ 		knet_host_remove(knet_h, 1);
+diff --git a/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch b/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+new file mode 100644
+index 0000000..bb00a3f
+--- /dev/null
++++ b/debian/patches/access-lists-use-arrays-to-access-per-protocol-functions.patch
+@@ -0,0 +1,309 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 13:34:11 +0100
++Subject: [access lists] use arrays to access per-protocol functions
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ce8b773ed76102719c1e4a8859854e01a250b482)
++---
++ libknet/Makefile.am          |  2 ++
++ libknet/tests/Makefile.am    |  3 +-
++ libknet/internals.h          |  8 ++---
++ libknet/links_acl.h          | 16 ++++++++++
++ libknet/links_acl_loopback.h | 27 +++++++++++++++++
++ libknet/links_acl.c          | 71 ++++++++++----------------------------------
++ libknet/links_acl_loopback.c | 41 +++++++++++++++++++++++++
++ libknet/transports.c         |  6 ++--
++ 8 files changed, 110 insertions(+), 64 deletions(-)
++ create mode 100644 libknet/links_acl_loopback.h
++ create mode 100644 libknet/links_acl_loopback.c
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index b60427c..0be4fff 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -33,6 +33,7 @@ sources			= \
++ 			  links.c \
++ 			  links_acl.c \
++ 			  links_acl_ip.c \
+++			  links_acl_loopback.c \
++ 			  logging.c \
++ 			  netutils.c \
++ 			  threads_common.c \
++@@ -65,6 +66,7 @@ noinst_HEADERS		= \
++ 			  links.h \
++ 			  links_acl.h \
++ 			  links_acl_ip.h \
+++			  links_acl_loopback.h \
++ 			  logging.h \
++ 			  netutils.h \
++ 			  onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 2f22293..eae5c80 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -79,7 +79,8 @@ int_links_acl_test_SOURCES = int_links_acl.c \
++ 			     ../transport_sctp.c \
++ 			     ../transport_udp.c \
++ 			     ../links_acl.c \
++-			     ../links_acl_ip.c
+++			     ../links_acl_ip.c \
+++			     ../links_acl_loopback.c
++ 
++ int_timediff_test_SOURCES = int_timediff.c
++ 
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 27eea2a..d482674 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -265,10 +265,8 @@ extern pthread_rwlock_t shlib_rwlock;       /* global shared lib load lock */
++  * to use for access lists and other operations
++  */
++ 
++-typedef enum {
++-	LOOPBACK,
++-	IP_PROTO
++-} transport_proto;
+++#define TRANSPORT_PROTO_LOOPBACK 0
+++#define TRANSPORT_PROTO_IP_PROTO 1
++ 
++ /*
++  * some transports like SCTP can filter incoming
++@@ -299,7 +297,7 @@ typedef struct knet_transport_ops {
++ 	const uint8_t transport_id;
++ 	const uint8_t built_in;
++ 
++-	transport_proto transport_protocol;
+++	uint8_t transport_protocol;
++ 	transport_acl transport_acl_type;
++ 
++ /*
++diff --git a/libknet/links_acl.h b/libknet/links_acl.h
++index 84ae6b9..cc4fdaf 100644
++--- a/libknet/links_acl.h
+++++ b/libknet/links_acl.h
++@@ -22,6 +22,22 @@ typedef enum {
++ 	CHECK_REJECT
++ } check_acceptreject_t;
++ 
+++typedef struct {
+++	uint8_t				transport_proto;
+++
+++	int (*protocheck_validate)	(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
+++
+++	int (*protocheck_add)		(void *fd_tracker_match_entry_head,
+++					 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++					 check_type_t type, check_acceptreject_t acceptreject);
+++
+++	int (*protocheck_rm)		(void *fd_tracker_match_entry_head,
+++					 struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++					 check_type_t type, check_acceptreject_t acceptreject);
+++
+++	void (*protocheck_rmall)	(void *fd_tracker_match_entry_head);
+++} check_ops_t;
+++
++ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	      check_type_t type, check_acceptreject_t acceptreject);
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++new file mode 100644
++index 0000000..0f86222
++--- /dev/null
+++++ b/libknet/links_acl_loopback.h
++@@ -0,0 +1,27 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#ifndef __KNET_LINKS_ACL_LOOPBACK_H__
+++#define __KNET_LINKS_ACL_LOOPBACK_H__
+++
+++#include "internals.h"
+++#include "links_acl.h"
+++
+++int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
+++
+++int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++		      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		      check_type_t type, check_acceptreject_t acceptreject);
+++
+++int loopbackcheck_rm(void *fd_tracker_match_entry_head,
+++		     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		     check_type_t type, check_acceptreject_t acceptreject);
+++
+++void loopbackcheck_rmall(void *fd_tracker_match_entry_head);
+++
+++#endif
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index f2c772d..a941dde 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -19,6 +19,12 @@
++ #include "transport_common.h"
++ #include "links_acl.h"
++ #include "links_acl_ip.h"
+++#include "links_acl_loopback.h"
+++
+++static check_ops_t proto_check_modules_cmds[] = {
+++	{ TRANSPORT_PROTO_LOOPBACK, loopbackcheck_validate, loopbackcheck_add, loopbackcheck_rm, loopbackcheck_rmall },
+++	{ TRANSPORT_PROTO_IP_PROTO, ipcheck_validate, ipcheck_addip, ipcheck_rmip, ipcheck_rmall }
+++};
++ 
++ /*
++  * all those functions will return errno from the
++@@ -29,56 +35,24 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	      check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, transport)) {
++-		case LOOPBACK:
++-			errno = 0;
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++-					    ip1, ip2, type, acceptreject);
++-			break;
++-		default:
++-			break;
++-	}
++-	return err;
+++	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
+++			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++			ip1, ip2, type, acceptreject);
++ }
++ 
++ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 	     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
++ 	     check_type_t type, check_acceptreject_t acceptreject)
++ {
++-	int err = -1;
++-
++-	switch(transport_get_proto(knet_h, transport)) {
++-		case LOOPBACK:
++-			errno = 0;
++-			err = 0;
++-			break;
++-		case IP_PROTO:
++-			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++-					   ip1, ip2, type, acceptreject);
++-			break;
++-		default:
++-			break;
++-	}
++-	return err;
+++	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm(
+++			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+++			ip1, ip2, type, acceptreject);
++ }
++ 
++ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ {
++-	switch(transport_get_proto(knet_h, transport)) {
++-		case LOOPBACK:
++-			return;
++-			break;
++-		case IP_PROTO:
++-			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++-			break;
++-		default:
++-			break;
++-	}
+++	proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rmall(
+++		&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++ }
++ 
++ /*
++@@ -86,19 +60,6 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++  */
++ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
++ {
++-	switch(transport_get_proto(knet_h, transport)) {
++-		case LOOPBACK:
++-			errno = 0;
++-			return 1;
++-			break;
++-		case IP_PROTO:
++-			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++-			break;
++-		default:
++-			break;
++-	}
++-	/*
++-	 * reject by default
++-	 */
++-	return 0;
+++	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_validate(
+++			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++ }
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++new file mode 100644
++index 0000000..42559f3
++--- /dev/null
+++++ b/libknet/links_acl_loopback.c
++@@ -0,0 +1,41 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Christine Caulfield <ccaulfie at redhat.com>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++
+++#include "internals.h"
+++#include "logging.h"
+++#include "transports.h"
+++#include "links_acl.h"
+++#include "links_acl_loopback.h"
+++
+++int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip)
+++{
+++	return 1;
+++}
+++
+++void loopbackcheck_rmall(void *fd_tracker_match_entry_head)
+++{
+++	return;
+++}
+++
+++int loopbackcheck_rm(void *fd_tracker_match_entry_head,
+++		     struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		     check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	return 0;
+++}
+++
+++int loopbackcheck_add(void *fd_tracker_match_entry_head,
+++		      struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
+++		      check_type_t type, check_acceptreject_t acceptreject)
+++{
+++	return 0;
+++}
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 69ea091..6ded675 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -30,11 +30,11 @@
++ #define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++ 
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++-	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++-	{ "UDP", KNET_TRANSPORT_UDP, 1, IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ 	{ "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++-				       1, IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
+diff --git a/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch b/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+new file mode 100644
+index 0000000..cbba12f
+--- /dev/null
++++ b/debian/patches/access-lists-use-better-name-for-fd_tracker-structure.patch
+@@ -0,0 +1,95 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Feb 2019 12:12:09 +0100
++Subject: [access lists] use better name for fd_tracker structure
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit bc25626d5585ac267029470cf518852017d3740b)
++---
++ libknet/internals.h                      | 10 +++++-----
++ libknet/links_acl.c                      |  8 ++++----
++ libknet/tests/api_knet_link_set_config.c |  4 ++--
++ 3 files changed, 11 insertions(+), 11 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 2135fb8..27eea2a 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -130,11 +130,11 @@ struct knet_sock {
++ };
++ 
++ struct knet_fd_trackers {
++-	uint8_t transport; /* transport type (UDP/SCTP...) */
++-	uint8_t data_type; /* internal use for transport to define what data are associated
++-			    * to this fd */
++-	void *data;	   /* pointer to the data */
++-	void *match_entry; /* pointer to access list match_entry list head */
+++	uint8_t transport;		    /* transport type (UDP/SCTP...) */
+++	uint8_t data_type;		    /* internal use for transport to define what data are associated
+++					     * to this fd */
+++	void *data;			    /* pointer to the data */
+++	void *access_list_match_entry_head; /* pointer to access list match_entry list head */
++ };
++ 
++ #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
++diff --git a/libknet/links_acl.c b/libknet/links_acl.c
++index b1d7ab4..f2c772d 100644
++--- a/libknet/links_acl.c
+++++ b/libknet/links_acl.c
++@@ -37,7 +37,7 @@ int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++ 					    ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -58,7 +58,7 @@ int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
++ 			err = 0;
++ 			break;
++ 		case IP_PROTO:
++-			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].match_entry,
+++			err = ipcheck_rmip(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
++ 					   ip1, ip2, type, acceptreject);
++ 			break;
++ 		default:
++@@ -74,7 +74,7 @@ void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
++ 			return;
++ 			break;
++ 		case IP_PROTO:
++-			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].match_entry);
+++			ipcheck_rmall(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
++ 			break;
++ 		default:
++ 			break;
++@@ -92,7 +92,7 @@ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct soc
++ 			return 1;
++ 			break;
++ 		case IP_PROTO:
++-			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
+++			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
++ 			break;
++ 		default:
++ 			break;
++diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
++index 5fed9be..b96c628 100644
++--- a/libknet/tests/api_knet_link_set_config.c
+++++ b/libknet/tests/api_knet_link_set_config.c
++@@ -145,7 +145,7 @@ static void test(void)
++ 	host = knet_h->host_index[1];
++ 	link = &host->link[0];
++ 
++-	if (knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
++ 		printf("found access lists for dynamic dst_addr!\n");
++ 		knet_link_clear_config(knet_h, 1, 0);
++ 		knet_host_remove(knet_h, 1);
++@@ -262,7 +262,7 @@ static void test(void)
++ 	host = knet_h->host_index[1];
++ 	link = &host->link[0];
++ 
++-	if (!knet_h->knet_transport_fd_tracker[link->outsock].match_entry) {
+++	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
++ 		printf("Unable to find default access lists for static dst_addr!\n");
++ 		knet_link_clear_config(knet_h, 1, 0);
++ 		knet_host_remove(knet_h, 1);
+diff --git a/debian/patches/acl-Fix-English-in-commments.patch b/debian/patches/acl-Fix-English-in-commments.patch
+new file mode 100644
+index 0000000..7e55364
+--- /dev/null
++++ b/debian/patches/acl-Fix-English-in-commments.patch
+@@ -0,0 +1,106 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Thu, 7 Mar 2019 10:04:41 +0000
++Subject: acl: Fix English in commments
++
++(cherry picked from commit e9b656bebb0615c2b2419929cadfb71e3941af34)
++---
++ libknet/internals.h |  2 +-
++ libknet/libknet.h   | 27 ++++++++++++++-------------
++ 2 files changed, 15 insertions(+), 14 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 8976a8c..12f613c 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -132,7 +132,7 @@ struct knet_sock {
++ struct knet_fd_trackers {
++ 	uint8_t transport;		    /* transport type (UDP/SCTP...) */
++ 	uint8_t data_type;		    /* internal use for transport to define what data are associated
++-					     * to this fd */
+++					     * with this fd */
++ 	void *data;			    /* pointer to the data */
++ 	void *access_list_match_entry_head; /* pointer to access list match_entry list head */
++ };
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d616e11..50ed70d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -523,15 +523,16 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++  *
++  * knet will automatically generate access lists for point to point links.
++  *
++- * For open links, knet provides 3 API calls to manipulate access lists:
++- * knet_link_add_acl(3), knet_link_rm_acl(3) and knet_link_clear_acl(3).
++- * Those API calls will work only and exclusively on open links as they
++- * provide no use for point to point links.
+++ * For open links, knet provides 4 API calls to manipulate access lists:
+++ * knet_link_add_acl(3), knet_link_rm_acl(3), knet_link_insert_acl(3)
+++ * and knet_link_clear_acl(3).
+++ * Those API calls will work exclusively on open links as they
+++ * are of no use on point to point links.
++  *
++  * knet will not enforce any access list unless specifically enabled by
++  * knet_handle_enable_access_lists(3).
++  *
++- * From a security / programming perspective we recommend to:
+++ * From a security / programming perspective we recommend:
++  * - create the knet handle
++  * - enable access lists
++  * - configure hosts and links
++@@ -1478,13 +1479,13 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
++ 
++ /*
++- * access lists management for open links
+++ * Access lists management for open links
++  * see also knet_handle_enable_access_lists(3)
++  */
++ 
++ /*
++  * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
++- *                    for example: 10.1.9.3/32
+++ *                    for example: 10.1.9.3
++  *                    and the entry is stored in ss1. ss2 can be NULL.
++  *
++  * CHECK_TYPE_MASK    is used to configure network/netmask.
++@@ -1495,9 +1496,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++  *                    for example: 172.16.0.1-172.16.0.10
++  *                    the start is stored in ss1 and the end in ss2.
++  *
++- * Please be aware that the above examples refers only to IP based protocols.
+++ * Please be aware that the above examples refer only to IP based protocols.
++  * Other protocols might use ss1 and ss2 in slightly different ways.
++- * At the moment knet only supports IP based protocol and that might change
+++ * At the moment knet only supports IP based protocol, though that might change
++  * in the future.
++  */
++ 
++@@ -1531,7 +1532,7 @@ typedef enum {
++  *
++  * IMPORTANT: the order in which access lists are added is critical and it
++  *            is left to the user to add them in the right order. knet
++- *            will do no attempt to logically sort them.
+++ *            will not attempt to logically sort them.
++  *
++  *            For example:
++  *            1 - accept from 10.0.0.0/8
++@@ -1568,7 +1569,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++  * link_id   - see knet_link_set_config(3)
++  *
++  * index     - insert at position "index" where 0 is the first entry and -1
++- *             append to the current list.
+++ *             appends to the current list.
++  *
++  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++  *
++@@ -1597,8 +1598,8 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++  *
++  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++  *
++- * IMPORTANT: the data passed to this API call must match exactly the ones used
++- *            in knet_link_add_acl(3).
+++ * IMPORTANT: the data passed to this API call must match exactly that passed
+++ *            to knet_link_add_acl(3).
++  *
++  * @return
++  * knet_link_rm_acl
+diff --git a/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch b/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+new file mode 100644
+index 0000000..683d8e6
+--- /dev/null
++++ b/debian/patches/acl-add-knet_handle_enable_access_lists-api-call.patch
+@@ -0,0 +1,235 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 8 Feb 2019 14:29:50 +0100
++Subject: [acl] add knet_handle_enable_access_lists api call
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 2a325c9fc388c91fd9969378d5822db87b9d364b)
++---
++ libknet/internals.h                                |   1 +
++ libknet/libknet.h                                  |  22 +++++
++ libknet/handle.c                                   |  36 ++++++++
++ .../tests/api_knet_handle_enable_access_lists.c    | 100 +++++++++++++++++++++
++ libknet/tests/api-check.mk                         |   4 +
++ 5 files changed, 163 insertions(+)
++ create mode 100644 libknet/tests/api_knet_handle_enable_access_lists.c
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 57da5b4..d33646f 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -158,6 +158,7 @@ struct knet_handle {
++ 	int send_to_links_epollfd;
++ 	int recv_from_links_epollfd;
++ 	int dst_link_handler_epollfd;
+++	uint8_t use_access_lists; /* set to 0 for disable, 1 for enable */
++ 	unsigned int pmtud_interval;
++ 	unsigned int data_mtu;	/* contains the max data size that we can send onwire
++ 				 * without frags */
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index c7f44d7..4283afe 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -502,6 +502,28 @@ int knet_handle_enable_filter(knet_handle_t knet_h,
++ 
++ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
++ 
+++/**
+++ * knet_handle_enable_access_lists
+++ *
+++ * @brief Start packet forwarding
+++ *
+++ * knet_h   - pointer to knet_handle_t
+++ *
+++ * enable   - set to 1 to use ip access lists, 0 to disable ip access_lists.
+++ *
+++ * @return
+++ * knet_handle_enable_access_lists returns
+++ * 0 on success
+++ * -1 on error and errno is set.
+++ *
+++ * By default access lists usage is off, but default internal access lists
+++ * will be populated regardless, but not enforced. TODO add long explanation
+++ * on internal access lists for point to point connections vs global
+++ * listeners etc.
+++ */
+++
+++int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
+++
++ #define KNET_PMTUD_DEFAULT_INTERVAL 60
++ 
++ /**
++diff --git a/libknet/handle.c b/libknet/handle.c
++index b7aa2fd..6cd49f5 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1186,6 +1186,42 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled)
++ 	return 0;
++ }
++ 
+++int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled)
+++{
+++	int savederrno = 0;
+++
+++	if (!knet_h) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	if (enabled > 1) {
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	savederrno = get_global_wrlock(knet_h);
+++	if (savederrno) {
+++		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+++			strerror(savederrno));
+++		errno = savederrno;
+++		return -1;
+++	}
+++
+++	knet_h->use_access_lists = enabled;
+++
+++	if (enabled) {
+++		log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are enabled");
+++	} else {
+++		log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are disabled");
+++	}
+++
+++	pthread_rwlock_unlock(&knet_h->global_rwlock);
+++
+++	errno = 0;
+++	return 0;
+++}
+++
++ int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval)
++ {
++ 	int savederrno = 0;
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++new file mode 100644
++index 0000000..fc3bcc1
++--- /dev/null
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -0,0 +1,100 @@
+++/*
+++ * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <unistd.h>
+++
+++#include "libknet.h"
+++#include "internals.h"
+++
+++#include "test-common.h"
+++
+++static void test(void)
+++{
+++	knet_handle_t knet_h;
+++	int logfds[2];
+++
+++	printf("Test knet_handle_enable_access_lists with invalid knet_h\n");
+++
+++	if ((!knet_handle_enable_access_lists(NULL, 0)) || (errno != EINVAL)) {
+++		printf("knet_handle_enable_access_lists accepted invalid knet_h parameter\n");
+++		exit(FAIL);
+++	}
+++
+++	setup_logpipes(logfds);
+++
+++	printf("Test knet_handle_enable_access_lists with invalid param (2) \n");
+++
+++	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+++
+++	if ((!knet_handle_enable_access_lists(knet_h, 2)) || (errno != EINVAL)) {
+++		printf("knet_handle_enable_access_lists accepted invalid param for enabled: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_handle_enable_access_lists with valid param (1) \n");
+++
+++	if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+++		printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_h->use_access_lists != 1) {
+++		printf("knet_handle_enable_access_lists failed to set correct value");
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_handle_enable_access_lists with valid param (0) \n");
+++
+++	if (knet_handle_enable_access_lists(knet_h, 0) < 0) {
+++		printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	if (knet_h->use_access_lists != 0) {
+++		printf("knet_handle_enable_access_lists failed to set correct value");
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	knet_handle_free(knet_h);
+++	flush_logs(logfds[0], stdout);
+++	close_logpipes(logfds);
+++}
+++
+++int main(int argc, char *argv[])
+++{
+++	test();
+++
+++	return PASS;
+++}
++diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
++index 7beba53..247ed58 100644
++--- a/libknet/tests/api-check.mk
+++++ b/libknet/tests/api-check.mk
++@@ -12,6 +12,7 @@ api_checks		= \
++ 			  api_knet_handle_compress_test \
++ 			  api_knet_handle_crypto_test \
++ 			  api_knet_handle_setfwd_test \
+++			  api_knet_handle_enable_access_lists_test \
++ 			  api_knet_handle_enable_filter_test \
++ 			  api_knet_handle_enable_sock_notify_test \
++ 			  api_knet_handle_add_datafd_test \
++@@ -87,6 +88,9 @@ api_knet_handle_crypto_test_SOURCES = api_knet_handle_crypto.c \
++ api_knet_handle_setfwd_test_SOURCES = api_knet_handle_setfwd.c \
++ 				      test-common.c
++ 
+++api_knet_handle_enable_access_lists_test_SOURCES = api_knet_handle_enable_access_lists.c \
+++						   test-common.c
+++
++ api_knet_handle_enable_filter_test_SOURCES = api_knet_handle_enable_filter.c \
++ 					     test-common.c
++ 
+diff --git a/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch b/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+new file mode 100644
+index 0000000..c9a98b3
+--- /dev/null
++++ b/debian/patches/acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
+@@ -0,0 +1,186 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 5 Jan 2019 09:04:38 +0100
++Subject: [acl] move poc-code into libknet dir and rename to links_acl.*
++MIME-Version: 1.0
++Content-Type: text/plain; charset="utf-8"
++Content-Transfer-Encoding: 8bit
++
++code is not integrated yet and test suite can´t run standalone
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d7fb8af3a8be37f12e0149d49280762e2bdb9b16)
++---
++ .../tests/int_links_acl.txt                        |  0
++ configure.ac                                       |  1 -
++ libknet/Makefile.am                                |  2 ++
++ libknet/tests/Makefile.am                          |  8 +++++++-
++ poc-code/Makefile.am                               |  2 +-
++ poc-code/access-list/Makefile.am                   | 22 ----------------------
++ .../access-list/ipcheck.h => libknet/links_acl.h   |  0
++ .../access-list/ipcheck.c => libknet/links_acl.c   |  2 +-
++ .../tests/int_links_acl.c                          |  6 +++---
++ 9 files changed, 14 insertions(+), 29 deletions(-)
++ rename poc-code/access-list/test_ipcheck.txt => libknet/tests/int_links_acl.txt (100%)
++ delete mode 100644 poc-code/access-list/Makefile.am
++ rename poc-code/access-list/ipcheck.h => libknet/links_acl.h (100%)
++ rename poc-code/access-list/ipcheck.c => libknet/links_acl.c (99%)
++ rename poc-code/access-list/test_ipcheck.c => libknet/tests/int_links_acl.c (96%)
++
++diff --git a/poc-code/access-list/test_ipcheck.txt b/libknet/tests/int_links_acl.txt
++similarity index 100%
++rename from poc-code/access-list/test_ipcheck.txt
++rename to libknet/tests/int_links_acl.txt
++diff --git a/configure.ac b/configure.ac
++index 9df6831..30c57f0 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -463,7 +463,6 @@ AC_CONFIG_FILES([
++ 		man/Doxyfile-nozzle
++ 		poc-code/Makefile
++ 		poc-code/iov-hash/Makefile
++-		poc-code/access-list/Makefile
++ 		])
++ 
++ if test "x$VERSION" = "xUNKNOWN"; then
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 906fd01..4ea42d9 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -31,6 +31,7 @@ sources			= \
++ 			  handle.c \
++ 			  host.c \
++ 			  links.c \
+++			  links_acl.c \
++ 			  logging.c \
++ 			  netutils.c \
++ 			  threads_common.c \
++@@ -61,6 +62,7 @@ noinst_HEADERS		= \
++ 			  host.h \
++ 			  internals.h \
++ 			  links.h \
+++			  links_acl.h \
++ 			  logging.h \
++ 			  netutils.h \
++ 			  onwire.h \
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index c00e624..f74cb04 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -13,7 +13,8 @@ include $(top_srcdir)/libknet/tests/api-check.mk
++ 
++ EXTRA_DIST		= \
++ 			  api-test-coverage \
++-			  api-check.mk
+++			  api-check.mk \
+++			  int_links_acl.txt
++ 
++ AM_CPPFLAGS		= -I$(top_srcdir)/libknet
++ AM_CFLAGS		+= $(PTHREAD_CFLAGS)
++@@ -40,9 +41,11 @@ fun_checks		=
++ benchmarks		= \
++ 			  knet_bench_test
++ 
+++# int_links_acl_test can´t run yet standalone
++ noinst_PROGRAMS		= \
++ 			  api_knet_handle_new_limit_test \
++ 			  pckt_test \
+++			  int_links_acl_test \
++ 			  $(benchmarks) \
++ 			  $(check_PROGRAMS)
++ 
++@@ -64,6 +67,9 @@ check-api-test-coverage:
++ 
++ pckt_test_SOURCES	= pckt_test.c
++ 
+++int_links_acl_test_SOURCES = int_links_acl.c \
+++			     ../links_acl.c
+++
++ int_timediff_test_SOURCES = int_timediff.c
++ 
++ knet_bench_test_SOURCES	= knet_bench.c \
++diff --git a/poc-code/Makefile.am b/poc-code/Makefile.am
++index e1b1a73..15d12f7 100644
++--- a/poc-code/Makefile.am
+++++ b/poc-code/Makefile.am
++@@ -10,4 +10,4 @@ MAINTAINERCLEANFILES	= Makefile.in
++ 
++ include $(top_srcdir)/build-aux/check.mk
++ 
++-SUBDIRS			= access-list iov-hash
+++SUBDIRS			= iov-hash
++diff --git a/poc-code/access-list/Makefile.am b/poc-code/access-list/Makefile.am
++deleted file mode 100644
++index 80c49c2..0000000
++--- a/poc-code/access-list/Makefile.am
+++++ /dev/null
++@@ -1,22 +0,0 @@
++-#
++-# Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++-#
++-# Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++-#
++-# This software licensed under GPL-2.0+, LGPL-2.0+
++-#
++-
++-MAINTAINERCLEANFILES	= Makefile.in
++-
++-include $(top_srcdir)/build-aux/check.mk
++-
++-# override global LIBS that pulls in lots of craft we don't need here
++-LIBS			=
++-
++-EXTRA_DIST		= test_ipcheck.txt
++-
++-noinst_PROGRAMS		= test_ipcheck
++-
++-noinst_HEADERS		= ipcheck.h
++-
++-test_ipcheck_SOURCES	= ipcheck.c test_ipcheck.c
++diff --git a/poc-code/access-list/ipcheck.h b/libknet/links_acl.h
++similarity index 100%
++rename from poc-code/access-list/ipcheck.h
++rename to libknet/links_acl.h
++diff --git a/poc-code/access-list/ipcheck.c b/libknet/links_acl.c
++similarity index 99%
++rename from poc-code/access-list/ipcheck.c
++rename to libknet/links_acl.c
++index 9774a46..e7b5602 100644
++--- a/poc-code/access-list/ipcheck.c
+++++ b/libknet/links_acl.c
++@@ -11,7 +11,7 @@
++ #include <stdint.h>
++ #include <string.h>
++ #include <malloc.h>
++-#include "ipcheck.h"
+++#include "links_acl.h"
++ 
++ struct ip_match_entry {
++ 	ipcheck_type_t type;
++diff --git a/poc-code/access-list/test_ipcheck.c b/libknet/tests/int_links_acl.c
++similarity index 96%
++rename from poc-code/access-list/test_ipcheck.c
++rename to libknet/tests/int_links_acl.c
++index 46a750b..27ac545 100644
++--- a/poc-code/access-list/test_ipcheck.c
+++++ b/libknet/tests/int_links_acl.c
++@@ -14,7 +14,7 @@
++ #include <string.h>
++ #include <netdb.h>
++ #include <malloc.h>
++-#include "ipcheck.h"
+++#include "links_acl.h"
++ 
++ /* This is a test program .. remember! */
++ #define BUFLEN 1024
++@@ -103,9 +103,9 @@ static int load_file(void)
++ 
++ 	ipcheck_clear();
++ 
++-	filterfile = fopen("test_ipcheck.txt", "r");
+++	filterfile = fopen("int_links_acl.txt", "r");
++ 	if (!filterfile) {
++-		fprintf(stderr, "Cannot open test_ipcheck.txt\n");
+++		fprintf(stderr, "Cannot open int_links_acl.txt\n");
++ 		return 1;
++ 	}
++ 
+diff --git a/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch b/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+new file mode 100644
+index 0000000..a5aabe1
+--- /dev/null
++++ b/debian/patches/build-bump-soname-to-indicate-new-API-calls.patch
+@@ -0,0 +1,23 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 9 May 2019 16:36:07 +0200
++Subject: [build] bump soname to indicate new API calls
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 460fca5e33d52c560e34b1edf60f350efb6023a5)
++---
++ libknet/Makefile.am | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 90ddfba..8adcc40 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -18,7 +18,7 @@ EXTRA_DIST		= $(SYMFILE)
++ SUBDIRS			= . tests
++ 
++ # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
++-libversion		= 2:0:1
+++libversion		= 3:0:2
++ 
++ # override global LIBS that pulls in lots of craft we don't need here
++ LIBS			=
+diff --git a/debian/patches/compress-add-support-for-libzstd.patch b/debian/patches/compress-add-support-for-libzstd.patch
+new file mode 100644
+index 0000000..78b54fb
+--- /dev/null
++++ b/debian/patches/compress-add-support-for-libzstd.patch
+@@ -0,0 +1,342 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 10 Apr 2019 08:40:50 +0200
++Subject: [compress] add support for libzstd
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 592d0451494e815c4c8c74b914aaff69b640d1a2)
++---
++ configure.ac            |   2 +
++ Makefile.am             |   5 ++
++ libknet/Makefile.am     |   7 +++
++ libknet/libknet.h       |   1 +
++ kronosnet.spec.in       |  29 +++++++++
++ libknet/compress.c      |   1 +
++ libknet/compress_zstd.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++
++ libknet/logging.c       |   1 +
++ 8 files changed, 206 insertions(+)
++ create mode 100644 libknet/compress_zstd.c
++
++diff --git a/configure.ac b/configure.ac
++index 30c57f0..501053e 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -124,6 +124,8 @@ AC_ARG_ENABLE([compress-all],
++ 	[AS_HELP_STRING([--disable-compress-all],[disable libknet all compress modules support])],,
++ 	[ enable_compress_all="yes" ])
++ 
+++KNET_OPTION_DEFINES([zstd],[compress],[PKG_CHECK_MODULES([libzstd], [libzstd])])
+++
++ KNET_OPTION_DEFINES([zlib],[compress],[PKG_CHECK_MODULES([zlib], [zlib])])
++ KNET_OPTION_DEFINES([lz4],[compress],[PKG_CHECK_MODULES([liblz4], [liblz4])])
++ KNET_OPTION_DEFINES([lzo2],[compress],[
++diff --git a/Makefile.am b/Makefile.am
++index 24a13a6..82cb1f5 100644
++--- a/Makefile.am
+++++ b/Makefile.am
++@@ -138,6 +138,11 @@ if BUILD_COMPRESS_BZIP2
++ else
++ 	sed -i -e "s#@bzip2@#bcond_with#g" $@-t
++ endif
+++if BUILD_COMPRESS_ZSTD
+++	sed -i -e "s#@zstd@#bcond_without#g" $@-t
+++else
+++	sed -i -e "s#@zstd@#bcond_with#g" $@-t
+++endif
++ if BUILD_KRONOSNETD
++ 	sed -i -e "s#@kronosnetd@#bcond_without#g" $@-t
++ else
++diff --git a/libknet/Makefile.am b/libknet/Makefile.am
++index 0be4fff..90ddfba 100644
++--- a/libknet/Makefile.am
+++++ b/libknet/Makefile.am
++@@ -103,6 +103,13 @@ pkglib_LTLIBRARIES	=
++ # MODULE_LDFLAGS would mean a target-specific variable for Automake
++ MODULELDFLAGS		= $(AM_LDFLAGS) -module -avoid-version -export-dynamic
++ 
+++if BUILD_COMPRESS_ZSTD
+++pkglib_LTLIBRARIES	+= compress_zstd.la
+++compress_zstd_la_LDFLAGS = $(MODULELDFLAGS)
+++compress_zstd_la_CFLAGS	= $(AM_CFLAGS) $(libzstd_CFLAGS)
+++compress_zstd_la_LIBADD	= $(libzstd_LIBS)
+++endif
+++
++ if BUILD_COMPRESS_ZLIB
++ pkglib_LTLIBRARIES	+= compress_zlib.la
++ compress_zlib_la_LDFLAGS = $(MODULELDFLAGS)
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index d16eb5d..3098eab 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -2053,6 +2053,7 @@ int knet_link_get_status(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ #define KNET_SUB_LZO2COMP      73 /* compress_lzo.c */
++ #define KNET_SUB_LZMACOMP      74 /* compress_lzma.c */
++ #define KNET_SUB_BZIP2COMP     75 /* compress_bzip2.c */
+++#define KNET_SUB_ZSTDCOMP      76 /* compress_zstd.c */
++ 
++ #define KNET_SUB_UNKNOWN       UINT8_MAX - 1
++ #define KNET_MAX_SUBSYSTEMS    UINT8_MAX
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 2d4d059..442f3ae 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -24,6 +24,7 @@
++ %@lzo2@ lzo2
++ %@lzma@ lzma
++ %@bzip2@ bzip2
+++%@zstd@ zstd
++ %@kronosnetd@ kronosnetd
++ %@libnozzle@ libnozzle
++ %@runautogen@ runautogen
++@@ -60,6 +61,9 @@
++ %if %{with bzip2}
++ %global buildcompressbzip2 1
++ %endif
+++%if %{with zstd}
+++%global buildcompresszstd 1
+++%endif
++ %if %{with libnozzle}
++ %global buildlibnozzle 1
++ %endif
++@@ -123,6 +127,9 @@ BuildRequires: xz-devel
++ %if %{defined buildcompressbzip2}
++ BuildRequires: /usr/include/bzlib.h
++ %endif
+++%if %{defined buildcompresszstd}
+++BuildRequires: libzstd-devel
+++%endif
++ %if %{defined buildkronosnetd}
++ BuildRequires: pam-devel
++ %endif
++@@ -194,6 +201,11 @@ BuildRequires: libtool
++ %else
++ 	--disable-compress-bzip2 \
++ %endif
+++%if %{defined buildcompresszstd}
+++	--enable-compress-zstd \
+++%else
+++	--disable-compress-zstd \
+++%endif
++ %if %{defined buildkronosnetd}
++ 	--enable-kronosnetd \
++ %endif
++@@ -490,6 +502,20 @@ Requires: libknet1 = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++ 
+++%if %{defined buildcompresszstd}
+++%package -n libknet1-compress-zstd-plugin
+++Group: System Environment/Libraries
+++Summary: libknet1 zstd support
+++Requires: libknet1 = %{version}-%{release}
+++
+++%description -n libknet1-compress-zstd-plugin
+++ zstd compression support for libknet1.
+++
+++%files -n libknet1-compress-zstd-plugin
+++%defattr(-,root,root,-)
+++%{_libdir}/kronosnet/compress_zstd.so
+++%endif
+++
++ %package -n libknet1-crypto-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++@@ -523,6 +549,9 @@ Requires: libknet1-compress-lzma-plugin
++ %if %{defined buildcompressbzip2}
++ Requires: libknet1-compress-bzip2-plugin
++ %endif
+++%if %{defined buildcompresszstd}
+++Requires: libknet1-compress-zstd-plugin
+++%endif
++ 
++ %description -n libknet1-compress-plugins-all
++  meta package to install all of libknet1 compress plugins
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 278ff44..7eab454 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -40,6 +40,7 @@ static compress_model_t compress_modules_cmds[] = {
++ 	{ "lzo2" , 4, WITH_COMPRESS_LZO2 , 0, NULL },
++ 	{ "lzma" , 5, WITH_COMPRESS_LZMA , 0, NULL },
++ 	{ "bzip2", 6, WITH_COMPRESS_BZIP2, 0, NULL },
+++	{ "zstd" , 7, WITH_COMPRESS_ZSTD, 0, NULL },
++ 	{ NULL, 255, 0, 0, NULL }
++ };
++ 
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++new file mode 100644
++index 0000000..6f9b499
++--- /dev/null
+++++ b/libknet/compress_zstd.c
++@@ -0,0 +1,160 @@
+++/*
+++ * Copyright (C) 2017-2019 Red Hat, Inc.  All rights reserved.
+++ *
+++ * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
+++ *
+++ * This software licensed under GPL-2.0+, LGPL-2.0+
+++ */
+++#define KNET_MODULE
+++
+++#include "config.h"
+++
+++#include <errno.h>
+++#include <stdlib.h>
+++#include <string.h>
+++#include <zstd.h>
+++
+++#include "logging.h"
+++#include "compress_model.h"
+++
+++struct zstd_ctx {
+++	ZSTD_CCtx* cctx;
+++	ZSTD_DCtx* dctx;
+++};
+++
+++static int zstd_is_init(
+++	knet_handle_t knet_h,
+++	int method_idx)
+++{
+++	if (knet_h->compress_int_data[method_idx]) {
+++		return 1;
+++	}
+++	return 0;
+++}
+++
+++static void zstd_fini(
+++	knet_handle_t knet_h,
+++	int method_idx)
+++{
+++	struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++
+++	if (zstd_ctx) {
+++		if (zstd_ctx->cctx) {
+++			ZSTD_freeCCtx(zstd_ctx->cctx);
+++		}
+++		if (zstd_ctx->dctx) {
+++			ZSTD_freeDCtx(zstd_ctx->dctx);
+++		}
+++		free(knet_h->compress_int_data[method_idx]);
+++		knet_h->compress_int_data[method_idx] = NULL;
+++	}
+++	return;
+++}
+++
+++static int zstd_init(
+++	knet_handle_t knet_h,
+++	int method_idx)
+++{
+++	struct zstd_ctx *zstd_ctx;
+++	int err = 0;
+++
+++	if (!knet_h->compress_int_data[method_idx]) {
+++		zstd_ctx = malloc(sizeof(struct zstd_ctx));
+++		if (!zstd_ctx) {
+++			errno = ENOMEM;
+++			return -1;
+++		}
+++		memset(zstd_ctx, 0, sizeof(struct zstd_ctx));
+++
+++		zstd_ctx->cctx = ZSTD_createCCtx();
+++		if (!zstd_ctx->cctx) {
+++			log_err(knet_h, KNET_SUB_ZSTDCOMP, "Unable to create compression context");
+++			err = -1;
+++			goto out_err;
+++		}
+++
+++		zstd_ctx->dctx = ZSTD_createDCtx();
+++		if (!zstd_ctx->dctx) {
+++			log_err(knet_h, KNET_SUB_ZSTDCOMP, "Unable to create decompression context");
+++			err = -1;
+++			goto out_err;
+++		}
+++
+++		knet_h->compress_int_data[method_idx] = zstd_ctx;
+++	}
+++
+++out_err:
+++	if (err) {
+++		zstd_fini(knet_h, method_idx);
+++	}
+++	return err;
+++}
+++
+++static int zstd_compress(
+++	knet_handle_t knet_h,
+++	const unsigned char *buf_in,
+++	const ssize_t buf_in_len,
+++	unsigned char *buf_out,
+++	ssize_t *buf_out_len)
+++{
+++	struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++	size_t compress_size;
+++
+++	compress_size = ZSTD_compressCCtx(zstd_ctx->cctx,
+++					  buf_out, *buf_out_len,
+++					  buf_in, buf_in_len,
+++					  knet_h->compress_level);
+++
+++	if (ZSTD_isError(compress_size)) {
+++		log_err(knet_h, KNET_SUB_ZSTDCOMP, "error compressing packet: %s", ZSTD_getErrorName(compress_size));
+++		/*
+++		 * ZSTD has lots of internal errors that are not easy to map
+++		 * to standard errnos. Use a generic one for now
+++		 */
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	*buf_out_len = compress_size;
+++
+++	return 0;
+++}
+++
+++static int zstd_decompress(
+++	knet_handle_t knet_h,
+++	const unsigned char *buf_in,
+++	const ssize_t buf_in_len,
+++	unsigned char *buf_out,
+++	ssize_t *buf_out_len)
+++{
+++	struct zstd_ctx *zstd_ctx = knet_h->compress_int_data[knet_h->compress_model];
+++	size_t decompress_size;
+++
+++	decompress_size = ZSTD_decompressDCtx(zstd_ctx->dctx,
+++					      buf_out, *buf_out_len,
+++					      buf_in, buf_in_len);
+++
+++	if (ZSTD_isError(decompress_size)) {
+++		log_err(knet_h, KNET_SUB_ZSTDCOMP, "error decompressing packet: %s", ZSTD_getErrorName(decompress_size));
+++		/*
+++		 * ZSTD has lots of internal errors that are not easy to map
+++		 * to standard errnos. Use a generic one for now
+++		 */
+++		errno = EINVAL;
+++		return -1;
+++	}
+++
+++	*buf_out_len = decompress_size;
+++
+++	return 0;
+++}
+++
+++compress_ops_t compress_model = {
+++	KNET_COMPRESS_MODEL_ABI,
+++	zstd_is_init,
+++	zstd_init,
+++	zstd_fini,
+++	NULL,
+++	zstd_compress,
+++	zstd_decompress
+++};
++diff --git a/libknet/logging.c b/libknet/logging.c
++index 98bcfd1..5c91257 100644
++--- a/libknet/logging.c
+++++ b/libknet/logging.c
++@@ -47,6 +47,7 @@ static struct pretty_names subsystem_names[] =
++ 	{ "lzo2comp", KNET_SUB_LZO2COMP },
++ 	{ "lzmacomp", KNET_SUB_LZMACOMP },
++ 	{ "bzip2comp", KNET_SUB_BZIP2COMP },
+++	{ "zstdcomp", KNET_SUB_ZSTDCOMP },
++ 	{ "unknown", KNET_SUB_UNKNOWN }		/* unknown MUST always be last in this array */
++ };
++ 
+diff --git a/debian/patches/crypto-fix-openssl1.0-initialization-code.patch b/debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+new file mode 100644
+index 0000000..e01d382
+--- /dev/null
++++ b/debian/patches/crypto-fix-openssl1.0-initialization-code.patch
+@@ -0,0 +1,98 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 06:14:29 +0200
++Subject: [crypto] fix openssl1.0 initialization code
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 0b20488500e8d13f17b7f584bdc7a301f44dbfe1)
++---
++ libknet/crypto_openssl.c | 28 ++++++++++++++++------------
++ 1 file changed, 16 insertions(+), 12 deletions(-)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 5c7a74a..26acea8 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -12,6 +12,7 @@
++ #include <string.h>
++ #include <errno.h>
++ #include <dlfcn.h>
+++#include <stdlib.h>
++ #include <openssl/conf.h>
++ #include <openssl/evp.h>
++ #include <openssl/hmac.h>
++@@ -43,6 +44,8 @@ struct opensslcrypto_instance {
++ 	const EVP_MD *crypto_hash_type;
++ };
++ 
+++static int openssl_is_init = 0;
+++
++ /*
++  * crypt/decrypt functions openssl1.0
++  */
++@@ -438,6 +441,11 @@ static void openssl_internal_lock_cleanup(void)
++ 	return;
++ }
++ 
+++static void openssl_atexit_handler(void)
+++{
+++	openssl_internal_lock_cleanup();
+++}
+++
++ static int openssl_internal_lock_setup(void)
++ {
++ 	int savederrno = 0, err = 0;
++@@ -461,6 +469,9 @@ static int openssl_internal_lock_setup(void)
++ 	CRYPTO_set_id_callback((void *)openssl_internal_thread_id);
++ 	CRYPTO_set_locking_callback((void *)&openssl_internal_locking_callback);
++ 
+++	if (atexit(openssl_atexit_handler)) {
+++		err = -1;
+++	}
++ out:
++ 	if (err) {
++ 		openssl_internal_lock_cleanup();
++@@ -477,9 +488,6 @@ static void opensslcrypto_fini(
++ 	struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
++ 
++ 	if (opensslcrypto_instance) {
++-#ifdef BUILDCRYPTOOPENSSL10
++-		openssl_internal_lock_cleanup();
++-#endif
++ 		if (opensslcrypto_instance->private_key) {
++ 			free(opensslcrypto_instance->private_key);
++ 			opensslcrypto_instance->private_key = NULL;
++@@ -496,7 +504,6 @@ static int opensslcrypto_init(
++ 	struct crypto_instance *crypto_instance,
++ 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++-	static int openssl_is_init = 0;
++ 	struct opensslcrypto_instance *opensslcrypto_instance = NULL;
++ 	int savederrno;
++ 
++@@ -509,6 +516,11 @@ static int opensslcrypto_init(
++ #ifdef BUILDCRYPTOOPENSSL10
++ 		ERR_load_crypto_strings();
++ 		OPENSSL_add_all_algorithms_noconf();
+++		if (openssl_internal_lock_setup() < 0) {
+++			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
+++			errno = EAGAIN;
+++			return -1;
+++		}
++ #endif
++ #ifdef BUILDCRYPTOOPENSSL11
++ 		if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
++@@ -521,14 +533,6 @@ static int opensslcrypto_init(
++ 		openssl_is_init = 1;
++ 	}
++ 
++-#ifdef BUILDCRYPTOOPENSSL10
++-	if (openssl_internal_lock_setup() < 0) {
++-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
++-		errno = EAGAIN;
++-		return -1;
++-	}
++-#endif
++-
++ 	crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
++ 	if (!crypto_instance->model_instance) {
++ 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
+diff --git a/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch b/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+new file mode 100644
+index 0000000..5818833
+--- /dev/null
++++ b/debian/patches/crypto-hide-errors-generated-by-openssl-1.1.1c.patch
+@@ -0,0 +1,137 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 11:54:08 +0200
++Subject: [crypto] hide errors generated by openssl 1.1.1c
++
++see also:
++https://github.com/kronosnet/kronosnet/issues/226
++https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930061#12
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5333de6a056af75d12eb0a2cc2e46e7b2bbf9082)
++---
++ build-aux/knet_valgrind_memcheck.supp | 115 ++++++++++++++++++++++++++++++++++
++ 1 file changed, 115 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index a34ab93..92eabba 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -612,3 +612,118 @@
++    fun:malloc
++    fun:dl_open_worker
++ }
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Cond
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_generate
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_instantiate
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_get0_public
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:encrypt_openssl
+++   fun:opensslcrypto_encrypt_and_signv
+++   fun:opensslcrypto_encrypt_and_sign
+++   fun:_handle_check_each
+++   fun:_send_pings
+++   fun:_handle_heartbt_thread
+++   fun:start_thread
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Cond
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_generate
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_instantiate
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_get0_public
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:encrypt_openssl
+++   fun:opensslcrypto_encrypt_and_signv
+++   fun:opensslcrypto_encrypt_and_sign
+++   fun:_handle_check_each
+++   fun:_send_pings
+++   fun:_handle_heartbt_thread
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Cond
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_generate
+++   fun:RAND_DRBG_bytes
+++   fun:encrypt_openssl
+++   fun:opensslcrypto_encrypt_and_signv
+++   fun:opensslcrypto_encrypt_and_sign
+++   fun:_handle_check_each
+++   fun:_send_pings
+++   fun:_handle_heartbt_thread
+++   fun:start_thread
+++   fun:clone
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Cond
+++   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+++   fun:RAND_DRBG_generate
+++   fun:RAND_DRBG_bytes
+++   fun:encrypt_openssl
+++   fun:opensslcrypto_encrypt_and_signv
+++   fun:opensslcrypto_encrypt_and_sign
+++   fun:_handle_check_each
+++   fun:_send_pings
+++   fun:_handle_heartbt_thread
+++   fun:start_thread
+++   fun:clone
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Param
+++   socketcall.sendto(msg)
+++   fun:sendto
+++   fun:_handle_check_each
+++   fun:_send_pings
+++   fun:_handle_heartbt_thread
+++   fun:start_thread
+++   fun:clone
+++}
+++{
+++
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Param
+++   socketcall.sendto(msg)
+++   fun:sendto
+++   fun:_parse_recv_from_links
+++   fun:_handle_recv_from_links
+++   fun:_handle_recv_from_links_thread
+++   fun:start_thread
+++   fun:clone
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Param
+++   socketcall.sendto(msg)
+++   fun:sendto
+++   fun:_handle_check_link_pmtud
+++   fun:_handle_check_pmtud
+++   fun:_handle_pmtud_link_thread
+++   fun:start_thread
+++   fun:clone
+++}
+++{
+++   openssl 1.1.1c missing fix from master
+++   Memcheck:Param
+++   sendmsg(msg.msg_iov[0])
+++   fun:__libc_sendmsg
+++   fun:sendmsg
+++   fun:_sendmmsg
+++   fun:_dispatch_to_links
+++   fun:_parse_recv_from_sock
+++   fun:_handle_send_to_links
+++   fun:_handle_send_to_links_thread
+++   fun:start_thread
+++   fun:clone
+++}
+diff --git a/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch b/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+new file mode 100644
+index 0000000..0d373a8
+--- /dev/null
++++ b/debian/patches/crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
+@@ -0,0 +1,51 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:25:55 +0200
++Subject: [crypto] make sure to clear all security info on crypto_fini
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 6888d04108a7eff36f4c562d464190e9886a073a)
++---
++ libknet/crypto.c         | 4 ++++
++ libknet/crypto_nss.c     | 1 -
++ libknet/crypto_openssl.c | 1 -
++ 3 files changed, 4 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 41d67c9..5d39048 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -178,6 +178,10 @@ void crypto_fini(
++ 			crypto_modules_cmds[model].ops->fini(knet_h);
++ 		}
++ 		free(knet_h->crypto_instance);
+++		knet_h->sec_header_size = 0;
+++		knet_h->sec_block_size = 0;
+++		knet_h->sec_hash_size = 0;
+++		knet_h->sec_salt_size = 0;
++ 		knet_h->crypto_instance = NULL;
++ 	}
++ 
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index 640b560..cc83827 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -740,7 +740,6 @@ static void nsscrypto_fini(
++ 		}
++ 		free(nsscrypto_instance);
++ 		knet_h->crypto_instance->model_instance = NULL;
++-		knet_h->sec_header_size = 0;
++ 	}
++ 
++ 	return;
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 03d1014..73058cc 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -485,7 +485,6 @@ static void opensslcrypto_fini(
++ 		}
++ 		free(opensslcrypto_instance);
++ 		knet_h->crypto_instance->model_instance = NULL;
++-		knet_h->sec_header_size = 0;
++ 	}
++ 
++ 	return;
+diff --git a/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch b/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+new file mode 100644
+index 0000000..8c99023
+--- /dev/null
++++ b/debian/patches/crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
+@@ -0,0 +1,25 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 27 May 2019 12:42:33 +0200
++Subject: [crypto] make sure to trigger a PMTUd rerun on each good crypto
++ config change
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c9edaa7b632ee853351730ad4dcad7471919bb91)
++---
++ libknet/handle.c | 3 +++
++ 1 file changed, 3 insertions(+)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index fd26bea..7009cc3 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1408,6 +1408,9 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++ 	}
++ 
++ exit_unlock:
+++	if (!err) {
+++		force_pmtud_run(knet_h, KNET_SUB_CRYPTO);
+++	}
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++ 	errno = err ? savederrno : 0;
++ 	return err;
+diff --git a/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch b/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+new file mode 100644
+index 0000000..cf918e1
+--- /dev/null
++++ b/debian/patches/crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
+@@ -0,0 +1,65 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 09:26:02 +0200
++Subject: =?utf-8?q?=5Bcrypto=5D_openssl=3A_drop_calls_to_RAND=5Fseed_as_th?=
++ =?utf-8?q?ey_don=C2=B4t_really_help_RNG?=
++
++See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930061#12 for reference
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit a3c5adee1d30a751e76386ef31c1a817595bfd1b)
++---
++ libknet/crypto_openssl.c | 20 --------------------
++ 1 file changed, 20 deletions(-)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 615a9e5..999ed93 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -69,11 +69,6 @@ static int encrypt_openssl(
++ 
++ 	EVP_CIPHER_CTX_init(&ctx);
++ 
++-	/*
++-	 * contribute to PRNG for each packet we send/receive
++-	 */
++-	RAND_seed((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
++-
++ 	if (!RAND_bytes(salt, SALT_SIZE)) {
++ 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
++ 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
++@@ -130,11 +125,6 @@ static int decrypt_openssl (
++ 
++ 	EVP_CIPHER_CTX_init(&ctx);
++ 
++-	/*
++-	 * contribute to PRNG for each packet we send/receive
++-	 */
++-	RAND_seed(buf_in, buf_in_len);
++-
++ 	/*
++ 	 * add warning re keylength
++ 	 */
++@@ -181,11 +171,6 @@ static int encrypt_openssl(
++ 
++ 	ctx = EVP_CIPHER_CTX_new();
++ 
++-	/*
++-	 * contribute to PRNG for each packet we send/receive
++-	 */
++-	RAND_seed((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
++-
++ 	if (!RAND_bytes(salt, SALT_SIZE)) {
++ 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
++ 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
++@@ -248,11 +233,6 @@ static int decrypt_openssl (
++ 
++ 	ctx = EVP_CIPHER_CTX_new();
++ 
++-	/*
++-	 * contribute to PRNG for each packet we send/receive
++-	 */
++-	RAND_seed(buf_in, buf_in_len);
++-
++ 	/*
++ 	 * add warning re keylength
++ 	 */
+diff --git a/debian/patches/crypto-openssl-error-strings-release.patch b/debian/patches/crypto-openssl-error-strings-release.patch
+new file mode 100644
+index 0000000..6bcd03a
+--- /dev/null
++++ b/debian/patches/crypto-openssl-error-strings-release.patch
+@@ -0,0 +1,28 @@
++From: yuan ren <yren at suse.com>
++Date: Thu, 6 Jun 2019 13:46:01 +0800
++Subject: [crypto]openssl error strings release
++
++In versions prior to OpenSSL 1.1.0, ERR_free_strings() releases
++any resources created by ERR_load_crypto_strings.
++
++Signed-off-by: yuan ren <yren at suse.com>
++(cherry picked from commit 80b7d93723e779b914f73ec2e8cd2ac632972eda)
++---
++ libknet/crypto_openssl.c | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 26acea8..615a9e5 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -496,6 +496,10 @@ static void opensslcrypto_fini(
++ 		crypto_instance->model_instance = NULL;
++ 	}
++ 
+++#ifdef BUILDCRYPTOOPENSSL10
+++	ERR_free_strings();
+++#endif
+++
++ 	return;
++ }
++ 
+diff --git a/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch b/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+new file mode 100644
+index 0000000..a555595
+--- /dev/null
++++ b/debian/patches/crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
+@@ -0,0 +1,598 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 28 May 2019 05:24:47 +0200
++Subject: [crypto] rework knet_handle_crypto external API to be more solid
++
++the API was rather weak and could potentially leave traffic uncrypted
++in case of certain, corner case, failures.
++
++this patch is a subset of a bigger rework of the crypto layer that
++will in future allow runtime reconfiguration without traffic disruption
++of the crypto config.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 50b998f37c9285bf334eb578319030c06af141e0)
++---
++ libknet/crypto_model.h                 | 10 +++-
++ libknet/libknet.h                      |  4 +-
++ libknet/crypto.c                       | 63 ++++++++++++++--------
++ libknet/crypto_nss.c                   | 56 +++++++++++---------
++ libknet/crypto_openssl.c               | 30 ++++++-----
++ libknet/handle.c                       |  3 +-
++ libknet/tests/api_knet_handle_crypto.c | 96 +++++++++++++++++++++++++++++++++-
++ 7 files changed, 190 insertions(+), 72 deletions(-)
++
++diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h
++index f11299a..9bb4f17 100644
++--- a/libknet/crypto_model.h
+++++ b/libknet/crypto_model.h
++@@ -14,9 +14,13 @@
++ struct crypto_instance {
++ 	int	model;
++ 	void	*model_instance;
+++	size_t	sec_header_size;
+++	size_t	sec_block_size;
+++	size_t	sec_hash_size;
+++	size_t	sec_salt_size;
++ };
++ 
++-#define KNET_CRYPTO_MODEL_ABI 1
+++#define KNET_CRYPTO_MODEL_ABI 2
++ 
++ /*
++  * see compress_model.h for explanation of the various lib related functions
++@@ -24,8 +28,10 @@ struct crypto_instance {
++ typedef struct {
++ 	uint8_t abi_ver;
++ 	int (*init)	(knet_handle_t knet_h,
+++			 struct crypto_instance *crypto_instance,
++ 			 struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
++-	void (*fini)	(knet_handle_t knet_h);
+++	void (*fini)	(knet_handle_t knet_h,
+++			 struct crypto_instance *crypto_instance);
++ 	int (*crypt)	(knet_handle_t knet_h,
++ 			 const unsigned char *buf_in,
++ 			 const ssize_t buf_in_len,
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 183c92d..85c06cc 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -700,9 +700,7 @@ struct knet_handle_crypto_cfg {
++  *              1) failure to obtain locking
++  *              2) errors to initializing the crypto level.
++  *   This can happen even in subsequent calls to knet_handle_crypto.
++- *   A failure in crypto init, might leave your traffic unencrypted!
++- *   It's best to stop data forwarding (see knet_handle_setfwd(3)), change crypto config,
++- *   start forward again.
+++ *   A failure in crypto init will restore the previous crypto configuration.
++  *
++  * @return
++  * knet_handle_crypto returns:
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 5d39048..6c340f5 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -80,8 +80,11 @@ int crypto_init(
++ 	knet_handle_t knet_h,
++ 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++-	int savederrno = 0;
+++	int err = 0, savederrno = 0;
++ 	int model = 0;
+++	struct crypto_instance *current = NULL, *new = NULL;
+++
+++	current = knet_h->crypto_instance;
++ 
++ 	model = crypto_get_model(knet_handle_crypto_cfg->crypto_model);
++ 	if (model < 0) {
++@@ -105,16 +108,18 @@ int crypto_init(
++ 		crypto_modules_cmds[model].ops = load_module (knet_h, "crypto", crypto_modules_cmds[model].model_name);
++ 		if (!crypto_modules_cmds[model].ops) {
++ 			savederrno = errno;
+++			err = -1;
++ 			log_err(knet_h, KNET_SUB_CRYPTO, "Unable to load %s lib", crypto_modules_cmds[model].model_name);
++-			goto out_err;
+++			goto out;
++ 		}
++ 		if (crypto_modules_cmds[model].ops->abi_ver != KNET_CRYPTO_MODEL_ABI) {
+++			savederrno = EINVAL;
+++			err = -1;
++ 			log_err(knet_h, KNET_SUB_CRYPTO,
++ 				"ABI mismatch loading module %s. knet ver: %d, module ver: %d",
++ 				crypto_modules_cmds[model].model_name, KNET_CRYPTO_MODEL_ABI,
++ 				crypto_modules_cmds[model].ops->abi_ver);
++-			savederrno = EINVAL;
++-			goto out_err;
+++			goto out;
++ 		}
++ 		crypto_modules_cmds[model].loaded = 1;
++ 	}
++@@ -125,12 +130,13 @@ int crypto_init(
++ 		  knet_handle_crypto_cfg->crypto_cipher_type,
++ 		  knet_handle_crypto_cfg->crypto_hash_type);
++ 
++-	knet_h->crypto_instance = malloc(sizeof(struct crypto_instance));
+++	new = malloc(sizeof(struct crypto_instance));
++ 
++-	if (!knet_h->crypto_instance) {
++-		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
+++	if (!new) {
++ 		savederrno = ENOMEM;
++-		goto out_err;
+++		err = -1;
+++		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
+++		goto out;
++ 	}
++ 
++ 	/*
++@@ -138,32 +144,44 @@ int crypto_init(
++ 	 * it will clean everything by itself.
++ 	 * crypto_modules_cmds.ops->fini is not invoked on error.
++ 	 */
++-	knet_h->crypto_instance->model = model;
++-	if (crypto_modules_cmds[knet_h->crypto_instance->model].ops->init(knet_h, knet_handle_crypto_cfg)) {
+++	new->model = model;
+++	if (crypto_modules_cmds[model].ops->init(knet_h, new, knet_handle_crypto_cfg)) {
++ 		savederrno = errno;
++-		goto out_err;
+++		err = -1;
+++		goto out;
++ 	}
++ 
++ 	log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);
++-	pthread_rwlock_unlock(&shlib_rwlock);
++-	return 0;
++ 
++-out_err:
++-	if (knet_h->crypto_instance) {
++-		free(knet_h->crypto_instance);
++-		knet_h->crypto_instance = NULL;
+++out:
+++	if (!err) {
+++		knet_h->crypto_instance = new;
+++		knet_h->sec_header_size = new->sec_header_size;
+++		knet_h->sec_block_size = new->sec_block_size;
+++		knet_h->sec_hash_size = new->sec_hash_size;
+++		knet_h->sec_salt_size = new->sec_salt_size;
+++
+++		if (current) {
+++			if (crypto_modules_cmds[current->model].ops->fini != NULL) {
+++				crypto_modules_cmds[current->model].ops->fini(knet_h, current);
+++			}
+++			free(current);
+++		}
+++	} else {
+++		if (new) {
+++			free(new);
+++		}
++ 	}
++ 
++ 	pthread_rwlock_unlock(&shlib_rwlock);
++-	errno = savederrno;
++-	return -1;
+++	errno = err ? savederrno : 0;
+++	return err;
++ }
++ 
++ void crypto_fini(
++ 	knet_handle_t knet_h)
++ {
++ 	int savederrno = 0;
++-	int model = 0;
++ 
++ 	savederrno = pthread_rwlock_wrlock(&shlib_rwlock);
++ 	if (savederrno) {
++@@ -173,9 +191,8 @@ void crypto_fini(
++ 	}
++ 
++ 	if (knet_h->crypto_instance) {
++-		model = knet_h->crypto_instance->model;
++-		if (crypto_modules_cmds[model].ops->fini != NULL) {
++-			crypto_modules_cmds[model].ops->fini(knet_h);
+++		if (crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini != NULL) {
+++			crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini(knet_h, knet_h->crypto_instance);
++ 		}
++ 		free(knet_h->crypto_instance);
++ 		knet_h->sec_header_size = 0;
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index cc83827..5c3a437 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -155,9 +155,11 @@ static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
++ 	return -1;
++ }
++ 
++-static PK11SymKey *nssimport_symmetric_key(knet_handle_t knet_h, enum sym_key_type key_type)
+++static PK11SymKey *nssimport_symmetric_key(knet_handle_t knet_h,
+++					   struct crypto_instance *crypto_instance,
+++					   enum sym_key_type key_type)
++ {
++-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++	struct nsscrypto_instance *instance = crypto_instance->model_instance;
++ 	SECItem key_item;
++ 	PK11SlotInfo *slot;
++ 	PK11SymKey *res_key;
++@@ -323,15 +325,15 @@ exit_res_key:
++ 	return (res_key);
++ }
++ 
++-static int init_nss_crypto(knet_handle_t knet_h)
+++static int init_nss_crypto(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++	struct nsscrypto_instance *instance = crypto_instance->model_instance;
++ 
++ 	if (!cipher_to_nss[instance->crypto_cipher_type]) {
++ 		return 0;
++ 	}
++ 
++-	instance->nss_sym_key = nssimport_symmetric_key(knet_h, SYM_KEY_TYPE_CRYPT);
+++	instance->nss_sym_key = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_CRYPT);
++ 	if (instance->nss_sym_key == NULL) {
++ 		errno = ENXIO; /* NSS reported error */
++ 		return -1;
++@@ -512,15 +514,15 @@ static int nssstring_to_crypto_hash_type(const char* crypto_hash_type)
++ 	return -1;
++ }
++ 
++-static int init_nss_hash(knet_handle_t knet_h)
+++static int init_nss_hash(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+++	struct nsscrypto_instance *instance = crypto_instance->model_instance;
++ 
++ 	if (!hash_to_nss[instance->crypto_hash_type]) {
++ 		return 0;
++ 	}
++ 
++-	instance->nss_sym_key_sign = nssimport_symmetric_key(knet_h, SYM_KEY_TYPE_HASH);
+++	instance->nss_sym_key_sign = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_HASH);
++ 	if (instance->nss_sym_key_sign == NULL) {
++ 		errno = ENXIO; /* NSS reported error */
++ 		return -1;
++@@ -594,7 +596,7 @@ out:
++  * global/glue nss functions
++  */
++ 
++-static int init_nss(knet_handle_t knet_h)
+++static int init_nss(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
++ {
++ 	static int at_exit_registered = 0;
++ 
++@@ -617,11 +619,11 @@ static int init_nss(knet_handle_t knet_h)
++ 		nss_db_is_init = 1;
++ 	}
++ 
++-	if (init_nss_crypto(knet_h) < 0) {
+++	if (init_nss_crypto(knet_h, crypto_instance) < 0) {
++ 		return -1;
++ 	}
++ 
++-	if (init_nss_hash(knet_h) < 0) {
+++	if (init_nss_hash(knet_h, crypto_instance) < 0) {
++ 		return -1;
++ 	}
++ 
++@@ -725,9 +727,10 @@ static int nsscrypto_authenticate_and_decrypt (
++ }
++ 
++ static void nsscrypto_fini(
++-	knet_handle_t knet_h)
+++	knet_handle_t knet_h,
+++	struct crypto_instance *crypto_instance)
++ {
++-	struct nsscrypto_instance *nsscrypto_instance = knet_h->crypto_instance->model_instance;
+++	struct nsscrypto_instance *nsscrypto_instance = crypto_instance->model_instance;
++ 
++ 	if (nsscrypto_instance) {
++ 		if (nsscrypto_instance->nss_sym_key) {
++@@ -739,7 +742,7 @@ static void nsscrypto_fini(
++ 			nsscrypto_instance->nss_sym_key_sign = NULL;
++ 		}
++ 		free(nsscrypto_instance);
++-		knet_h->crypto_instance->model_instance = NULL;
+++		crypto_instance->model_instance = NULL;
++ 	}
++ 
++ 	return;
++@@ -747,6 +750,7 @@ static void nsscrypto_fini(
++ 
++ static int nsscrypto_init(
++ 	knet_handle_t knet_h,
+++	struct crypto_instance *crypto_instance,
++ 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++ 	struct nsscrypto_instance *nsscrypto_instance = NULL;
++@@ -757,14 +761,14 @@ static int nsscrypto_init(
++ 		  knet_handle_crypto_cfg->crypto_cipher_type,
++ 		  knet_handle_crypto_cfg->crypto_hash_type);
++ 
++-	knet_h->crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
++-	if (!knet_h->crypto_instance->model_instance) {
+++	crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
+++	if (!crypto_instance->model_instance) {
++ 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to allocate memory for nss model instance");
++ 		errno = ENOMEM;
++ 		return -1;
++ 	}
++ 
++-	nsscrypto_instance = knet_h->crypto_instance->model_instance;
+++	nsscrypto_instance = crypto_instance->model_instance;
++ 
++ 	memset(nsscrypto_instance, 0, sizeof(struct nsscrypto_instance));
++ 
++@@ -792,16 +796,16 @@ static int nsscrypto_init(
++ 	nsscrypto_instance->private_key = knet_handle_crypto_cfg->private_key;
++ 	nsscrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
++ 
++-	if (init_nss(knet_h) < 0) {
+++	if (init_nss(knet_h, crypto_instance) < 0) {
++ 		savederrno = errno;
++ 		goto out_err;
++ 	}
++ 
++-	knet_h->sec_header_size = 0;
+++	crypto_instance->sec_header_size = 0;
++ 
++ 	if (nsscrypto_instance->crypto_hash_type > 0) {
++-		knet_h->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];
++-		knet_h->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
+++		crypto_instance->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];
+++		crypto_instance->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
++ 	}
++ 
++ 	if (nsscrypto_instance->crypto_cipher_type > 0) {
++@@ -817,16 +821,16 @@ static int nsscrypto_init(
++ 			}
++ 		}
++ 
++-		knet_h->sec_header_size += (block_size * 2);
++-		knet_h->sec_header_size += SALT_SIZE;
++-		knet_h->sec_salt_size = SALT_SIZE;
++-		knet_h->sec_block_size = block_size;
+++		crypto_instance->sec_header_size += (block_size * 2);
+++		crypto_instance->sec_header_size += SALT_SIZE;
+++		crypto_instance->sec_salt_size = SALT_SIZE;
+++		crypto_instance->sec_block_size = block_size;
++ 	}
++ 
++ 	return 0;
++ 
++ out_err:
++-	nsscrypto_fini(knet_h);
+++	nsscrypto_fini(knet_h, crypto_instance);
++ 	errno = savederrno;
++ 	return -1;
++ }
++diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
++index 73058cc..5c7a74a 100644
++--- a/libknet/crypto_openssl.c
+++++ b/libknet/crypto_openssl.c
++@@ -471,9 +471,10 @@ out:
++ #endif
++ 
++ static void opensslcrypto_fini(
++-	knet_handle_t knet_h)
+++	knet_handle_t knet_h,
+++	struct crypto_instance *crypto_instance)
++ {
++-	struct opensslcrypto_instance *opensslcrypto_instance = knet_h->crypto_instance->model_instance;
+++	struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
++ 
++ 	if (opensslcrypto_instance) {
++ #ifdef BUILDCRYPTOOPENSSL10
++@@ -484,7 +485,7 @@ static void opensslcrypto_fini(
++ 			opensslcrypto_instance->private_key = NULL;
++ 		}
++ 		free(opensslcrypto_instance);
++-		knet_h->crypto_instance->model_instance = NULL;
+++		crypto_instance->model_instance = NULL;
++ 	}
++ 
++ 	return;
++@@ -492,6 +493,7 @@ static void opensslcrypto_fini(
++ 
++ static int opensslcrypto_init(
++ 	knet_handle_t knet_h,
+++	struct crypto_instance *crypto_instance,
++ 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
++ {
++ 	static int openssl_is_init = 0;
++@@ -527,14 +529,14 @@ static int opensslcrypto_init(
++ 	}
++ #endif
++ 
++-	knet_h->crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
++-	if (!knet_h->crypto_instance->model_instance) {
+++	crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
+++	if (!crypto_instance->model_instance) {
++ 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
++ 		errno = ENOMEM;
++ 		return -1;
++ 	}
++ 
++-	opensslcrypto_instance = knet_h->crypto_instance->model_instance;
+++	opensslcrypto_instance = crypto_instance->model_instance;
++ 
++ 	memset(opensslcrypto_instance, 0, sizeof(struct opensslcrypto_instance));
++ 
++@@ -576,11 +578,11 @@ static int opensslcrypto_init(
++ 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
++ 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
++ 
++-	knet_h->sec_header_size = 0;
+++	crypto_instance->sec_header_size = 0;
++ 
++ 	if (opensslcrypto_instance->crypto_hash_type) {
++-		knet_h->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
++-		knet_h->sec_header_size += knet_h->sec_hash_size;
+++		crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
+++		crypto_instance->sec_header_size += crypto_instance->sec_hash_size;
++ 	}
++ 
++ 	if (opensslcrypto_instance->crypto_cipher_type) {
++@@ -588,16 +590,16 @@ static int opensslcrypto_init(
++ 
++ 		block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);
++ 
++-		knet_h->sec_header_size += (block_size * 2);
++-		knet_h->sec_header_size += SALT_SIZE;
++-		knet_h->sec_salt_size = SALT_SIZE;
++-		knet_h->sec_block_size = block_size;
+++		crypto_instance->sec_header_size += (block_size * 2);
+++		crypto_instance->sec_header_size += SALT_SIZE;
+++		crypto_instance->sec_salt_size = SALT_SIZE;
+++		crypto_instance->sec_block_size = block_size;
++ 	}
++ 
++ 	return 0;
++ 
++ out_err:
++-	opensslcrypto_fini(knet_h);
+++	opensslcrypto_fini(knet_h, crypto_instance);
++ 
++ 	errno = savederrno;
++ 	return -1;
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 7009cc3..e95c6c1 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1374,11 +1374,10 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
++ 		return -1;
++ 	}
++ 
++-	crypto_fini(knet_h);
++-
++ 	if ((!strncmp("none", knet_handle_crypto_cfg->crypto_model, 4)) || 
++ 	    ((!strncmp("none", knet_handle_crypto_cfg->crypto_cipher_type, 4)) &&
++ 	     (!strncmp("none", knet_handle_crypto_cfg->crypto_hash_type, 4)))) {
+++		crypto_fini(knet_h);
++ 		log_debug(knet_h, KNET_SUB_CRYPTO, "crypto is not enabled");
++ 		err = 0;
++ 		goto exit_unlock;
++diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto.c
++index 1805909..9dbf5bc 100644
++--- a/libknet/tests/api_knet_handle_crypto.c
+++++ b/libknet/tests/api_knet_handle_crypto.c
++@@ -17,13 +17,15 @@
++ #include "libknet.h"
++ 
++ #include "internals.h"
+++#include "crypto_model.h"
++ #include "test-common.h"
++ 
++-static void test(const char *model)
+++static void test(const char *model, const char *model2)
++ {
++ 	knet_handle_t knet_h;
++ 	int logfds[2];
++ 	struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
+++	struct crypto_instance *current = NULL;
++ 
++ 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
++ 
++@@ -152,6 +154,96 @@ static void test(const char *model)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
+++	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model2);
+++
+++	current = knet_h->crypto_instance;
+++
+++	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++	knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	if (current == knet_h->crypto_instance) {
+++		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model);
+++
+++	current = knet_h->crypto_instance;
+++
+++	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++	knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	if (current == knet_h->crypto_instance) {
+++		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	printf("Test knet_handle_crypto reconfig with %s/aes129/sha1 and normal key\n", model);
+++
+++	current = knet_h->crypto_instance;
+++
+++	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+++	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes129", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+++	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+++	knet_handle_crypto_cfg.private_key_len = 2000;
+++
+++	if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+++		printf("knet_handle_crypto failed to detect incorrect config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
+++	if (current != knet_h->crypto_instance) {
+++		printf("knet_handle_crypto failed to restore correct config: %s\n", strerror(errno));
+++		knet_handle_free(knet_h);
+++		flush_logs(logfds[0], stdout);
+++		close_logpipes(logfds);
+++		exit(FAIL);
+++	}
+++
+++	flush_logs(logfds[0], stdout);
+++
++ 	printf("Test knet_handle_crypto with %s/aes128/none and normal key\n", model);
++ 
++ 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
++@@ -233,7 +325,7 @@ int main(int argc, char *argv[])
++ 	}
++ 
++ 	for (i=0; i < crypto_list_entries; i++) {
++-		test(crypto_list[i].name);
+++		test(crypto_list[i].name, crypto_list[0].name);
++ 	}
++ 
++ 	return PASS;
+diff --git a/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch b/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+new file mode 100644
+index 0000000..a079030
+--- /dev/null
++++ b/debian/patches/doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
+@@ -0,0 +1,23 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 11 Jun 2019 16:09:54 +0200
++Subject: [doc] fix a merge oversight from
++ 541d7faf9068d10e12b4278c35825ce1353db081
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ef89e9d900db037c82e03406dcf426ff62649e7d)
++---
++ libknet/libknet.h | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 85c06cc..907213f 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1511,6 +1511,7 @@ typedef enum {
++ 
++ /**
++  * check_acceptreject_t
+++ *
++  * @brief enum for accept/reject in knet access lists
++  *
++  * accept or reject incoming packets defined in the access list entry
+diff --git a/debian/patches/global-update-copyright-across-the-board.patch b/debian/patches/global-update-copyright-across-the-board.patch
+new file mode 100644
+index 0000000..9230a7c
+--- /dev/null
++++ b/debian/patches/global-update-copyright-across-the-board.patch
+@@ -0,0 +1,129 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 26 Mar 2019 13:45:52 +0100
++Subject: [global] update copyright across the board
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 27a7d1cb61bd66d8e36dd663075cf5d0f2d385e4)
++---
++ libknet/links_acl_ip.h                              | 2 +-
++ libknet/links_acl_loopback.h                        | 2 +-
++ libknet/links_acl_ip.c                              | 2 +-
++ libknet/links_acl_loopback.c                        | 2 +-
++ libknet/tests/api_knet_handle_enable_access_lists.c | 2 +-
++ libknet/tests/api_knet_link_add_acl.c               | 2 +-
++ libknet/tests/api_knet_link_clear_acl.c             | 2 +-
++ libknet/tests/api_knet_link_insert_acl.c            | 2 +-
++ libknet/tests/api_knet_link_rm_acl.c                | 2 +-
++ libknet/tests/int_links_acl_ip.c                    | 2 +-
++ 10 files changed, 10 insertions(+), 10 deletions(-)
++
++diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h
++index fac58e2..b33ffb1 100644
++--- a/libknet/links_acl_ip.h
+++++ b/libknet/links_acl_ip.h
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h
++index e75c4a4..b51d2bf 100644
++--- a/libknet/links_acl_loopback.h
+++++ b/libknet/links_acl_loopback.h
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
++index 642027b..9310f21 100644
++--- a/libknet/links_acl_ip.c
+++++ b/libknet/links_acl_ip.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c
++index 97f8198..044a51c 100644
++--- a/libknet/links_acl_loopback.c
+++++ b/libknet/links_acl_loopback.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
++diff --git a/libknet/tests/api_knet_handle_enable_access_lists.c b/libknet/tests/api_knet_handle_enable_access_lists.c
++index fc3bcc1..d08f175 100644
++--- a/libknet/tests/api_knet_handle_enable_access_lists.c
+++++ b/libknet/tests/api_knet_handle_enable_access_lists.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
++index b018165..ff7a2e2 100644
++--- a/libknet/tests/api_knet_link_add_acl.c
+++++ b/libknet/tests/api_knet_link_add_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
++index 78b7d79..234a76b 100644
++--- a/libknet/tests/api_knet_link_clear_acl.c
+++++ b/libknet/tests/api_knet_link_clear_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2016-2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
++index 547f92b..79d04df 100644
++--- a/libknet/tests/api_knet_link_insert_acl.c
+++++ b/libknet/tests/api_knet_link_insert_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
++index 49a82d9..d132c54 100644
++--- a/libknet/tests/api_knet_link_rm_acl.c
+++++ b/libknet/tests/api_knet_link_rm_acl.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Authors: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
++diff --git a/libknet/tests/int_links_acl_ip.c b/libknet/tests/int_links_acl_ip.c
++index a7d2aed..93dff63 100644
++--- a/libknet/tests/int_links_acl_ip.c
+++++ b/libknet/tests/int_links_acl_ip.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2016-2018 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Christine Caulfield <ccaulfie at redhat.com>
++  *
+diff --git a/debian/patches/global-update-copyrights.patch b/debian/patches/global-update-copyrights.patch
+new file mode 100644
+index 0000000..4557faf
+--- /dev/null
++++ b/debian/patches/global-update-copyrights.patch
+@@ -0,0 +1,21 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 12 Jun 2019 05:23:47 +0200
++Subject: [global] update copyrights
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5d6813ecfb9187d031a1195a6670bd174680d478)
++---
++ libknet/compress_zstd.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/libknet/compress_zstd.c b/libknet/compress_zstd.c
++index f76ea5f..e234f8d 100644
++--- a/libknet/compress_zstd.c
+++++ b/libknet/compress_zstd.c
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (C) 2017-2019 Red Hat, Inc.  All rights reserved.
+++ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.
++  *
++  * Author: Fabio M. Di Nitto <fabbione at kronosnet.org>
++  *
+diff --git a/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch b/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+new file mode 100644
+index 0000000..ca34a5d
+--- /dev/null
++++ b/debian/patches/handle-properly-initialize-fd-tracker-buffers.patch
+@@ -0,0 +1,26 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Wed, 13 Feb 2019 09:14:45 +0100
++Subject: [handle] properly initialize fd tracker buffers
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 4a76e6de56d50c6c4c78af996d0f97d8df34dadd)
++---
++ libknet/handle.c | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 6cd49f5..0a2f75a 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -309,7 +309,10 @@ static int _init_buffers(knet_handle_t knet_h)
++ 	}
++ 	memset(knet_h->send_to_links_buf_compress, 0, KNET_DATABUFSIZE_COMPRESS);
++ 
++-	memset(knet_h->knet_transport_fd_tracker, KNET_MAX_TRANSPORTS, sizeof(knet_h->knet_transport_fd_tracker));
+++	memset(knet_h->knet_transport_fd_tracker, 0, sizeof(knet_h->knet_transport_fd_tracker));
+++	for (i = 0; i < KNET_MAX_FDS; i++) {
+++		knet_h->knet_transport_fd_tracker[i].transport = KNET_MAX_TRANSPORTS;
+++	}
++ 
++ 	return 0;
++ 
+diff --git a/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch b/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+new file mode 100644
+index 0000000..ba846ab
+--- /dev/null
++++ b/debian/patches/links-rename-tranport_type-to-transport-to-avoid-confusio.patch
+@@ -0,0 +1,77 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 9 May 2019 15:44:41 +0200
++Subject: [links] rename tranport_type to transport to avoid confusion (part 2)
++
++complements be9d053efafc822cabd696914d53b5dfe25fb4fd due to early
++cherry-pick of 7033ddab505a0cf3655115fe5037579b7c882a8c
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit e1345c4f44efd7db79376a3985e4a6aab1461c6f)
++---
++ libknet/threads_heartbeat.c | 2 +-
++ libknet/threads_pmtud.c     | 2 +-
++ libknet/threads_rx.c        | 4 ++--
++ libknet/threads_tx.c        | 2 +-
++ 4 files changed, 5 insertions(+), 5 deletions(-)
++
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 413b5b7..8def9b8 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -85,7 +85,7 @@ static void _handle_check_each(knet_handle_t knet_h, struct knet_host *dst_host,
++ 		}
++ 
++ retry:
++-		if (transport_get_connection_oriented(knet_h, dst_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++		if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ 			len = sendto(dst_link->outsock, outbuf, outlen,	MSG_DONTWAIT | MSG_NOSIGNAL,
++ 				     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
++ 		} else {
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 1a84540..0050557 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -172,7 +172,7 @@ restart:
++ 		return -1;
++ 	}
++ retry:
++-	if (transport_get_connection_oriented(knet_h, dst_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++	if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ 		len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL,
++ 			     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
++ 	} else {
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 4670829..6417261 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -578,7 +578,7 @@ static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struc
++ 		}
++ 
++ retry_pong:
++-		if (transport_get_connection_oriented(knet_h, src_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++		if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ 			len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
++ 				     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
++ 		} else {
++@@ -674,7 +674,7 @@ retry_pong:
++ 			goto out_pmtud;
++ 		}
++ retry_pmtud:
++-		if (transport_get_connection_oriented(knet_h, src_link->transport_type) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
+++		if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
++ 			len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
++ 				     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
++ 		} else {
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index b904e12..e987eb1 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -68,7 +68,7 @@ retry:
++ 		cur = &msg[prev_sent];
++ 
++ 		sent_msgs = _sendmmsg(dst_host->link[dst_host->active_links[link_idx]].outsock,
++-				      transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport_type),
+++				      transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport),
++ 				      &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
++ 		savederrno = errno;
++ 
+diff --git a/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch b/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+new file mode 100644
+index 0000000..48df681
+--- /dev/null
++++ b/debian/patches/links-rename-transport_type-to-transport-to-avoid-confusi.patch
+@@ -0,0 +1,196 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Fri, 22 Feb 2019 05:31:42 +0100
++Subject: [links] rename transport_type to transport to avoid confusion
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit c02c06feed59b18948d0107d2ec4cc2a9182554a)
++---
++ libknet/internals.h         |  2 +-
++ libknet/links.c             | 10 +++++-----
++ libknet/threads_heartbeat.c |  6 +++---
++ libknet/threads_pmtud.c     |  4 ++--
++ libknet/threads_rx.c        |  4 ++--
++ libknet/threads_tx.c        |  4 ++--
++ libknet/transports.c        |  6 +++---
++ 7 files changed, 18 insertions(+), 18 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index 0d6ee3f..2135fb8 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -62,7 +62,7 @@ struct knet_link {
++ 	struct knet_link_status status;
++ 	/* internals */
++ 	uint8_t link_id;
++-	uint8_t transport_type;                 /* #defined constant from API */
+++	uint8_t transport;                      /* #defined constant from API */
++ 	knet_transport_link_t transport_link;   /* link_info_t from transport */
++ 	int outsock;
++ 	unsigned int configured:1;		/* set to 1 if src/dst have been configured transport initialized on this link*/
++diff --git a/libknet/links.c b/libknet/links.c
++index 1693df6..dd64a15 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -351,7 +351,7 @@ int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 
++ 	memmove(src_addr, &link->src_addr, sizeof(struct sockaddr_storage));
++ 
++-	*transport = link->transport_type;
+++	*transport = link->transport;
++ 	*flags = link->flags;
++ 
++ 	if (link->dynamic == KNET_LINK_STATIC) {
++@@ -426,9 +426,9 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * then we can remove any leftover access lists if the link
++ 	 * is no longer in use.
++ 	 */
++-	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++	if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ 	    (link->dynamic == KNET_LINK_STATIC)) {
++-		if (check_rm(knet_h, link->outsock, link->transport_type,
+++		if (check_rm(knet_h, link->outsock, link->transport,
++ 			     &link->dst_addr, &link->dst_addr,
++ 			     CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
++ 			err = -1;
++@@ -444,7 +444,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * will clear link info during clear_config.
++ 	 */
++ 	sock = link->outsock;
++-	transport = link->transport_type;
+++	transport = link->transport;
++ 
++ 	if ((transport_link_clear_config(knet_h, link) < 0)  &&
++ 	    (errno != EBUSY)) {
++@@ -457,7 +457,7 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++ 	 * remove any other access lists when the socket is no
++ 	 * longer in use by the transport.
++ 	 */
++-	if ((transport_get_acl_type(knet_h, link->transport_type) == USE_GENERIC_ACL) &&
+++	if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
++ 	    (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
++ 		check_rmall(knet_h, sock, transport);
++ 	}
++diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
++index 5d4189f..413b5b7 100644
++--- a/libknet/threads_heartbeat.c
+++++ b/libknet/threads_heartbeat.c
++@@ -98,7 +98,7 @@ retry:
++ 		dst_link->status.stats.tx_ping_bytes += outlen;
++ 
++ 		if (len != outlen) {
++-			err = transport_tx_sock_error(knet_h, dst_link->transport_type, dst_link->outsock, len, savederrno);
+++			err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
++ 			switch(err) {
++ 				case -1: /* unrecoverable error */
++ 					log_debug(knet_h, KNET_SUB_HEARTBEAT,
++@@ -140,7 +140,7 @@ void _send_pings(knet_handle_t knet_h, int timed)
++ 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
++ 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
++ 			if ((dst_host->link[link_idx].status.enabled != 1) ||
++-			    (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK ) ||
+++			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
++ 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
++ 			     (dst_host->link[link_idx].status.dynconnected != 1)))
++ 				continue;
++@@ -166,7 +166,7 @@ static void _adjust_pong_timeouts(knet_handle_t knet_h)
++ 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
++ 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
++ 			if ((dst_host->link[link_idx].status.enabled != 1) ||
++-			    (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK ) ||
+++			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
++ 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
++ 			     (dst_host->link[link_idx].status.dynconnected != 1)))
++ 				continue;
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 63504d6..1a84540 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -196,7 +196,7 @@ retry:
++ 
++ 	kernel_mtu = 0;
++ 
++-	err = transport_tx_sock_error(knet_h, dst_link->transport_type, dst_link->outsock, len, savederrno);
+++	err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
++ 	switch(err) {
++ 		case -1: /* unrecoverable error */
++ 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet (sendto): %d %s", savederrno, strerror(savederrno));
++@@ -523,7 +523,7 @@ void *_handle_pmtud_link_thread(void *data)
++ 
++ 				if ((dst_link->status.enabled != 1) ||
++ 				    (dst_link->status.connected != 1) ||
++-				    (dst_host->link[link_idx].transport_type == KNET_TRANSPORT_LOOPBACK) ||
+++				    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK) ||
++ 				    (!dst_link->last_ping_size) ||
++ 				    ((dst_link->dynamic == KNET_LINK_DYNIP) &&
++ 				     (dst_link->status.dynconnected != 1)))
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index 5fa51c4..4670829 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -586,7 +586,7 @@ retry_pong:
++ 		}
++ 		savederrno = errno;
++ 		if (len != outlen) {
++-			err = transport_tx_sock_error(knet_h, src_link->transport_type, src_link->outsock, len, savederrno);
+++			err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
++ 			switch(err) {
++ 				case -1: /* unrecoverable error */
++ 					log_debug(knet_h, KNET_SUB_RX,
++@@ -682,7 +682,7 @@ retry_pmtud:
++ 		}
++ 		savederrno = errno;
++ 		if (len != outlen) {
++-			err = transport_tx_sock_error(knet_h, src_link->transport_type, src_link->outsock, len, savederrno);
+++			err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
++ 			switch(err) {
++ 				case -1: /* unrecoverable error */
++ 					log_debug(knet_h, KNET_SUB_RX,
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index fa911dc..b904e12 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -48,7 +48,7 @@ static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host,
++ 
++ 		cur_link = &dst_host->link[dst_host->active_links[link_idx]];
++ 
++-		if (cur_link->transport_type == KNET_TRANSPORT_LOOPBACK) {
+++		if (cur_link->transport == KNET_TRANSPORT_LOOPBACK) {
++ 			continue;
++ 		}
++ 
++@@ -72,7 +72,7 @@ retry:
++ 				      &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
++ 		savederrno = errno;
++ 
++-		err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport_type, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
+++		err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
++ 		switch(err) {
++ 			case -1: /* unrecoverable error */
++ 				cur_link->status.stats.tx_data_errors++;
++diff --git a/libknet/transports.c b/libknet/transports.c
++index ffebe00..69ea091 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -88,19 +88,19 @@ int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, u
++ 		return -1;
++ 	}
++ 	kn_link->transport_connected = 0;
++-	kn_link->transport_type = transport;
+++	kn_link->transport = transport;
++ 	kn_link->proto_overhead = transport_modules_cmd[transport].transport_mtu_overhead;
++ 	return transport_modules_cmd[transport].transport_link_set_config(knet_h, kn_link);
++ }
++ 
++ int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
++ {
++-	return transport_modules_cmd[kn_link->transport_type].transport_link_clear_config(knet_h, kn_link);
+++	return transport_modules_cmd[kn_link->transport].transport_link_clear_config(knet_h, kn_link);
++ }
++ 
++ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
++ {
++-	return transport_modules_cmd[kn_link->transport_type].transport_link_dyn_connect(knet_h, sockfd, kn_link);
+++	return transport_modules_cmd[kn_link->transport].transport_link_dyn_connect(knet_h, sockfd, kn_link);
++ }
++ 
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
+diff --git a/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch b/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+new file mode 100644
+index 0000000..d4e4494
+--- /dev/null
++++ b/debian/patches/logging-fix-log-target-of-recently-added-API-calls.patch
+@@ -0,0 +1,52 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sat, 9 Mar 2019 07:03:25 +0100
++Subject: [logging] fix log target of recently added API calls
++
++spotted during sctp testing
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit df6f761997d26afc62651f9ff831e0f7327ee41b)
++---
++ libknet/links.c | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/links.c b/libknet/links.c
++index 038a8a4..8011a6d 100644
++--- a/libknet/links.c
+++++ b/libknet/links.c
++@@ -1199,7 +1199,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++ 
++ 	savederrno = get_global_wrlock(knet_h);
++ 	if (savederrno) {
++-		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ 			strerror(savederrno));
++ 		errno = savederrno;
++ 		return -1;
++@@ -1294,7 +1294,7 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++ 
++ 	savederrno = get_global_wrlock(knet_h);
++ 	if (savederrno) {
++-		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ 			strerror(savederrno));
++ 		errno = savederrno;
++ 		return -1;
++@@ -1388,7 +1388,7 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++ 
++ 	savederrno = get_global_wrlock(knet_h);
++ 	if (savederrno) {
++-		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ 			strerror(savederrno));
++ 		errno = savederrno;
++ 		return -1;
++@@ -1450,7 +1450,7 @@ int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t li
++ 
++ 	savederrno = get_global_wrlock(knet_h);
++ 	if (savederrno) {
++-		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
+++		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
++ 			strerror(savederrno));
++ 		errno = savederrno;
++ 		return -1;
+diff --git a/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+new file mode 100644
+index 0000000..445238d
+--- /dev/null
++++ b/debian/patches/man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
+@@ -0,0 +1,50 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 30 Apr 2019 05:42:48 +0200
++Subject: [man] fix libknet.h for errors detected by newly added test
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 790b1cb387df9ada2b607c0317a85bab8ec7245b)
++---
++ libknet/libknet.h | 8 ++++----
++ 1 file changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 3098eab..183c92d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1553,7 +1553,7 @@ typedef enum {
++  *            packets from 10.0.0.1 will be accepted by rule number 1.
++  *
++  * @return
++- * knet_link_add_acl
+++ * knet_link_add_acl returns
++  * 0 on success.
++  * -1 on error and errno is set.
++  */
++@@ -1580,7 +1580,7 @@ int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link
++  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
++  *
++  * @return
++- * knet_link_insert_acl
+++ * knet_link_insert_acl returns
++  * 0 on success.
++  * -1 on error and errno is set.
++  */
++@@ -1608,7 +1608,7 @@ int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l
++  *            to knet_link_add_acl(3).
++  *
++  * @return
++- * knet_link_rm_acl
+++ * knet_link_rm_acl returns
++  * 0 on success.
++  * -1 on error and errno is set.
++  */
++@@ -1630,7 +1630,7 @@ int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_
++  * link_id   - see knet_link_set_config(3)
++  *
++  * @return
++- * knet_link_clear_acl
+++ * knet_link_clear_acl returns
++  * 0 on success.
++  * -1 on error and errno is set.
++  */
+diff --git a/debian/patches/manpages-Document-enums-206.patch b/debian/patches/manpages-Document-enums-206.patch
+new file mode 100644
+index 0000000..5b6c01e
+--- /dev/null
++++ b/debian/patches/manpages-Document-enums-206.patch
+@@ -0,0 +1,39 @@
++From: Chrissie Caulfield <ccaulfie at redhat.com>
++Date: Tue, 12 Mar 2019 13:55:25 +0000
++Subject: manpages: Document enums (#206)
++
++And also fix a bug in structure printing that caused it to print the wrong name for a struct.
++
++(cherry picked from commit 541d7faf9068d10e12b4278c35825ce1353db081)
++---
++ libknet/libknet.h | 10 ++++++++--
++ 1 file changed, 8 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/libknet.h b/libknet/libknet.h
++index 50ed70d..d16eb5d 100644
++--- a/libknet/libknet.h
+++++ b/libknet/libknet.h
++@@ -1483,7 +1483,10 @@ int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t
++  * see also knet_handle_enable_access_lists(3)
++  */
++ 
++-/*
+++/**
+++ * check_type_t
+++ * @brief address type enum for knet access lists
+++ *
++  * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
++  *                    for example: 10.1.9.3
++  *                    and the entry is stored in ss1. ss2 can be NULL.
++@@ -1508,7 +1511,10 @@ typedef enum {
++ 	CHECK_TYPE_RANGE
++ } check_type_t;
++ 
++-/*
+++/**
+++ * check_acceptreject_t
+++ * @brief enum for accept/reject in knet access lists
+++ *
++  * accept or reject incoming packets defined in the access list entry
++  */
++ 
+diff --git a/debian/patches/misc-Fix-more-covscan-warnings.patch b/debian/patches/misc-Fix-more-covscan-warnings.patch
+new file mode 100644
+index 0000000..1ae8829
+--- /dev/null
++++ b/debian/patches/misc-Fix-more-covscan-warnings.patch
+@@ -0,0 +1,191 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Fri, 24 May 2019 10:09:47 +0100
++Subject: misc: Fix more covscan warnings
++
++The only serious bug here is in transport_udp.c
++(see bottom of patch), the rest are mostly detail.
++
++covscan still reports a lot of errors against doxyxml, most of
++which are because it doesn't understand the libqb hashtables.
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit ded574d1dd0c53c70a34fbd1eaa0239b3cde59b9)
++---
++ libknet/common.c           | 2 +-
++ libknet/compress.c         | 6 +++---
++ libknet/crypto.c           | 1 -
++ libknet/crypto_nss.c       | 2 +-
++ libknet/handle.c           | 1 -
++ libknet/threads_pmtud.c    | 1 -
++ libknet/threads_rx.c       | 1 -
++ libknet/threads_tx.c       | 1 -
++ libknet/transport_common.c | 4 ++--
++ libknet/transport_sctp.c   | 2 +-
++ libknet/transport_udp.c    | 3 ++-
++ 11 files changed, 10 insertions(+), 14 deletions(-)
++
++diff --git a/libknet/common.c b/libknet/common.c
++index c908e23..be46f23 100644
++--- a/libknet/common.c
+++++ b/libknet/common.c
++@@ -101,7 +101,7 @@ static void *open_lib(knet_handle_t knet_h, const char *libname, int extra_flags
++ 		}
++ 
++ 		if (S_ISLNK(sb.st_mode)) {
++-			if (readlink(path, link, sizeof(link)) < 0) {
+++			if (readlink(path, link, sizeof(link)-1) < 0) {
++ 				log_debug(knet_h, KNET_SUB_COMMON, "Unable to readlink %s: %s", path, strerror(errno));
++ 				goto out;
++ 			}
++diff --git a/libknet/compress.c b/libknet/compress.c
++index 7eab454..864828f 100644
++--- a/libknet/compress.c
+++++ b/libknet/compress.c
++@@ -359,11 +359,11 @@ void compress_fini(
++ 	}
++ 
++ 	while (compress_modules_cmds[idx].model_name != NULL) {
++-		if ((compress_modules_cmds[idx].built_in == 1) &&
+++		if ((idx < KNET_MAX_COMPRESS_METHODS) && /* check idx first so we don't read bad data */
+++		    (compress_modules_cmds[idx].built_in == 1) &&
++ 		    (compress_modules_cmds[idx].loaded == 1) &&
++ 		    (compress_modules_cmds[idx].model_id > 0) &&
++-		    (knet_h->compress_int_data[idx] != NULL) &&
++-		    (idx < KNET_MAX_COMPRESS_METHODS)) {
+++		    (knet_h->compress_int_data[idx] != NULL)) {
++ 			if ((all) || (compress_modules_cmds[idx].model_id == knet_h->compress_model)) {
++ 				if (compress_modules_cmds[idx].ops->fini != NULL) {
++ 					compress_modules_cmds[idx].ops->fini(knet_h, idx);
++diff --git a/libknet/crypto.c b/libknet/crypto.c
++index 419f9cc..41d67c9 100644
++--- a/libknet/crypto.c
+++++ b/libknet/crypto.c
++@@ -129,7 +129,6 @@ int crypto_init(
++ 
++ 	if (!knet_h->crypto_instance) {
++ 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
++-		pthread_rwlock_unlock(&shlib_rwlock);
++ 		savederrno = ENOMEM;
++ 		goto out_err;
++ 	}
++diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
++index a17ff62..640b560 100644
++--- a/libknet/crypto_nss.c
+++++ b/libknet/crypto_nss.c
++@@ -761,7 +761,7 @@ static int nsscrypto_init(
++ 	knet_h->crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
++ 	if (!knet_h->crypto_instance->model_instance) {
++ 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to allocate memory for nss model instance");
++-		savederrno = ENOMEM;
+++		errno = ENOMEM;
++ 		return -1;
++ 	}
++ 
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 268d610..fd26bea 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -1649,4 +1649,3 @@ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++ 	return 0;
++ }
++-
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index c5a2b27..b4ee632 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -44,7 +44,6 @@ static int _handle_check_link_pmtud(knet_handle_t knet_h, struct knet_host *dst_
++ 
++ 	mutex_retry_limit = 0;
++ 	failsafe = 0;
++-	pad_len = 0;
++ 
++ 	dst_link->last_bad_mtu = 0;
++ 
++diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
++index ae39b38..626cbc4 100644
++--- a/libknet/threads_rx.c
+++++ b/libknet/threads_rx.c
++@@ -499,7 +499,6 @@ static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struc
++ 		} else { /* HOSTINFO */
++ 			knet_hostinfo = (struct knet_hostinfo *)inbuf->khp_data_userdata;
++ 			if (knet_hostinfo->khi_bcast == KNET_HOSTINFO_UCAST) {
++-				bcast = 0;
++ 				knet_hostinfo->khi_dst_node_id = ntohs(knet_hostinfo->khi_dst_node_id);
++ 			}
++ 			if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 0, 0)) {
++diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
++index e987eb1..8096906 100644
++--- a/libknet/threads_tx.c
+++++ b/libknet/threads_tx.c
++@@ -42,7 +42,6 @@ static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host,
++ 	struct knet_link *cur_link;
++ 
++ 	for (link_idx = 0; link_idx < dst_host->active_link_entries; link_idx++) {
++-		sent_msgs = 0;
++ 		prev_sent = 0;
++ 		progress = 1;
++ 
++diff --git a/libknet/transport_common.c b/libknet/transport_common.c
++index 3c3c439..fe40ad8 100644
++--- a/libknet/transport_common.c
+++++ b/libknet/transport_common.c
++@@ -405,7 +405,7 @@ int _is_valid_fd(knet_handle_t knet_h, int sockfd)
++ 		return -1;
++ 	}
++ 
++-	if (sockfd > KNET_MAX_FDS) {
+++	if (sockfd >= KNET_MAX_FDS) {
++ 		errno = EINVAL;
++ 		return -1;
++ 	}
++@@ -430,7 +430,7 @@ int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t
++ 		return -1;
++ 	}
++ 
++-	if (sockfd > KNET_MAX_FDS) {
+++	if (sockfd >= KNET_MAX_FDS) {
++ 		errno = EINVAL;
++ 		return -1;
++ 	}
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index bdfc98d..2c1cdcc 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -733,7 +733,6 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
++ 	if (knet_h->use_access_lists) {
++ 		if (!check_validate(knet_h, listen_sock, KNET_TRANSPORT_SCTP, &ss)) {
++ 			savederrno = EINVAL;
++-			err = -1;
++ 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
++ 			close(new_fd);
++ 			errno = savederrno;
++@@ -871,6 +870,7 @@ static void _handle_listen_sctp_errors(knet_handle_t knet_h)
++ 			info->accepted_socks[i] = -1;
++ 			free(accept_info);
++ 			close(sockfd);
+++			break; /* Keeps covscan happy */
++ 		}
++ 	}
++ }
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index e243a91..3fd69ee 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -71,6 +71,7 @@ int udp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_lin
++ 		err = -1;
++ 		goto exit_error;
++ 	}
+++	memset(info, 0, sizeof(udp_link_info_t));
++ 
++ 	sock = socket(kn_link->src_addr.ss_family, SOCK_DGRAM, 0);
++ 	if (sock < 0) {
++@@ -363,7 +364,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
++ 						case SO_EE_ORIGIN_ICMP:  /* ICMP */
++ 						case SO_EE_ORIGIN_ICMP6: /* ICMP6 */
++ 							origin = (struct sockaddr_storage *)(void *)SO_EE_OFFENDER(sock_err);
++-							if (knet_addrtostr(origin, sizeof(origin),
+++							if (knet_addrtostr(origin, sizeof(*origin),
++ 									   addr_str, KNET_MAX_HOST_LEN,
++ 									   port_str, KNET_MAX_PORT_LEN) < 0) {
++ 								log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from unknown source: %s", strerror(sock_err->ee_errno));
+diff --git a/debian/patches/misc-some-coverity-fixes.patch b/debian/patches/misc-some-coverity-fixes.patch
+new file mode 100644
+index 0000000..154728f
+--- /dev/null
++++ b/debian/patches/misc-some-coverity-fixes.patch
+@@ -0,0 +1,224 @@
++From: Christine Caulfield <ccaulfie at redhat.com>
++Date: Fri, 17 May 2019 08:44:08 +0100
++Subject: misc: some coverity fixes
++
++In rough order of seriousness:
++
++1. Fix clock_gettime() in pmtud so that it's always called, as
++   variable 'clock_now' is always read.
++2. Allow space for trailing NUL in libnozzle device names
++3. Fix api_nozzle_run_updown_test so it can run out of the build tree
++4. Disallow a 0 length prefix in libnozzle
++5. Fix potential use of NULL pointer on doxyxml
++6. Free 'name' in doxyxml as it's *not* in the map any more
++7. Fix dead code in libknet API functions left by code changes
++
++(cherry picked from commit eff3f735f19d3ea4c4689a0fa52ff8e29f75808c)
++---
++ libknet/handle.c                        | 13 ++++---------
++ libknet/host.c                          |  5 ++---
++ libknet/threads_pmtud.c                 | 10 +++++-----
++ libnozzle/internals.c                   |  2 +-
++ libnozzle/libnozzle.c                   |  3 ++-
++ libnozzle/tests/api_nozzle_run_updown.c |  9 +++++++--
++ man/doxyxml.c                           | 20 ++++++++++----------
++ 7 files changed, 31 insertions(+), 31 deletions(-)
++
++diff --git a/libknet/handle.c b/libknet/handle.c
++index 0a2f75a..268d610 100644
++--- a/libknet/handle.c
+++++ b/libknet/handle.c
++@@ -785,7 +785,7 @@ int knet_handle_enable_sock_notify(knet_handle_t knet_h,
++ 						int error,
++ 						int errorno))
++ {
++-	int savederrno = 0, err = 0;
+++	int savederrno = 0;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -811,8 +811,7 @@ int knet_handle_enable_sock_notify(knet_handle_t knet_h,
++ 
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++ 
++-	errno = err ? savederrno : 0;
++-	return err;
+++	return 0;
++ }
++ 
++ int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel)
++@@ -1576,7 +1575,6 @@ out_unlock:
++ int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats, size_t struct_size)
++ {
++ 	int savederrno = 0;
++-	int err = 0;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -1616,14 +1614,12 @@ int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats,
++ 	stats->size = sizeof(struct knet_handle_stats);
++ 
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++-	errno = err ? savederrno : 0;
++-	return err;
+++	return 0;
++ }
++ 
++ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ {
++ 	int savederrno = 0;
++-	int err = 0;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -1651,7 +1647,6 @@ int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
++ 	}
++ 
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++-	errno = err ? savederrno : 0;
++-	return err;
+++	return 0;
++ }
++ 
++diff --git a/libknet/host.c b/libknet/host.c
++index 480db73..66826c1 100644
++--- a/libknet/host.c
+++++ b/libknet/host.c
++@@ -331,7 +331,7 @@ int knet_host_get_id_by_host_name(knet_handle_t knet_h, const char *name,
++ int knet_host_get_host_list(knet_handle_t knet_h,
++ 			    knet_node_id_t *host_ids, size_t *host_ids_entries)
++ {
++-	int savederrno = 0, err = 0;
+++	int savederrno = 0;
++ 
++ 	if (!knet_h) {
++ 		errno = EINVAL;
++@@ -355,8 +355,7 @@ int knet_host_get_host_list(knet_handle_t knet_h,
++ 	*host_ids_entries = knet_h->host_ids_entries;
++ 
++ 	pthread_rwlock_unlock(&knet_h->global_rwlock);
++-	errno = err ? savederrno : 0;
++-	return err;
+++	return 0;
++ }
++ 
++ int knet_host_set_policy(knet_handle_t knet_h, knet_node_id_t host_id,
++diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
++index 0050557..c5a2b27 100644
++--- a/libknet/threads_pmtud.c
+++++ b/libknet/threads_pmtud.c
++@@ -380,14 +380,14 @@ static int _handle_check_pmtud(knet_handle_t knet_h, struct knet_host *dst_host,
++ 	struct timespec clock_now;
++ 	unsigned long long diff_pmtud, interval;
++ 
+++	if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
+++		log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
+++		return 0;
+++	}
+++
++ 	if (!force_run) {
++ 		interval = knet_h->pmtud_interval * 1000000000llu; /* nanoseconds */
++ 
++-		if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
++-			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
++-			return 0;
++-		}
++-
++ 		timespec_diff(dst_link->pmtud_last, clock_now, &diff_pmtud);
++ 
++ 		if (diff_pmtud < interval) {
++diff --git a/libnozzle/internals.c b/libnozzle/internals.c
++index 6e68346..f056e3b 100644
++--- a/libnozzle/internals.c
+++++ b/libnozzle/internals.c
++@@ -144,7 +144,7 @@ char *generate_v4_broadcast(const char *ipaddr, const char *prefix)
++ 
++ 	prefix_len = atoi(prefix);
++ 
++-	if ((prefix_len > 32) || (prefix_len < 0))
+++	if ((prefix_len > 32) || (prefix_len <= 0))
++ 		return NULL;
++ 
++ 	if (inet_pton(AF_INET, ipaddr, &address) <= 0)
++diff --git a/libnozzle/libnozzle.c b/libnozzle/libnozzle.c
++index 4e5a2d4..b6e9566 100644
++--- a/libnozzle/libnozzle.c
+++++ b/libnozzle/libnozzle.c
++@@ -405,7 +405,8 @@ nozzle_t nozzle_open(char *devname, size_t devname_size, const char *updownpath)
++ 		return NULL;
++ 	}
++ 
++-	if (strlen(devname) > IFNAMSIZ) {
+++	/* Need to allow space for trailing NUL */
+++	if (strlen(devname) >= IFNAMSIZ) {
++ 		errno = E2BIG;
++ 		return NULL;
++ 	}
++diff --git a/libnozzle/tests/api_nozzle_run_updown.c b/libnozzle/tests/api_nozzle_run_updown.c
++index a078ad7..c80216a 100644
++--- a/libnozzle/tests/api_nozzle_run_updown.c
+++++ b/libnozzle/tests/api_nozzle_run_updown.c
++@@ -29,16 +29,21 @@ static int test(void)
++ 	nozzle_t nozzle = NULL;
++ 	char *error_string = NULL;
++ 	char *tmpdir = NULL;
++-	char tmpdirsrc[PATH_MAX];
+++	char tmpdirsrc[PATH_MAX*2];
++ 	char tmpstr[PATH_MAX*2];
++ 	char srcfile[PATH_MAX];
++ 	char dstfile[PATH_MAX];
+++	char current_dir[PATH_MAX];
++ 
++ 	/*
++ 	 * create a tmp dir for storing up/down scripts.
++ 	 * we cannot create symlinks src dir
++ 	 */
++-	strcpy(tmpdirsrc, ABSBUILDDIR "/nozzle_test_XXXXXX");
+++	if (getcwd(current_dir, sizeof(current_dir)) == NULL) {
+++		printf("Unable to get current working directory: %s\n", strerror(errno));
+++		return -1;
+++	}
+++	snprintf(tmpdirsrc, sizeof(tmpdirsrc)-1, "%s/nozzle_test_XXXXXX", current_dir);
++ 
++ 	tmpdir = mkdtemp(tmpdirsrc);
++ 	if (!tmpdir) {
++diff --git a/man/doxyxml.c b/man/doxyxml.c
++index b623711..7d9a60c 100644
++--- a/man/doxyxml.c
+++++ b/man/doxyxml.c
++@@ -695,17 +695,17 @@ static void collect_enums(xmlNode *cur_node, void *arg)
++ 				}
++ 			}
++ 
++-			si = malloc(sizeof(struct struct_info));
++-			if (si) {
++-				si->kind = STRUCTINFO_ENUM;
++-				qb_list_init(&si->params_list);
++-				si->structname = strdup(name);
++-				traverse_node(cur_node, "enumvalue", read_struct, si);
++-				qb_map_put(structures_map, refid, si);
+++			if (name) {
+++				si = malloc(sizeof(struct struct_info));
+++				if (si) {
+++					si->kind = STRUCTINFO_ENUM;
+++					qb_list_init(&si->params_list);
+++					si->structname = strdup(name);
+++					traverse_node(cur_node, "enumvalue", read_struct, si);
+++					qb_map_put(structures_map, refid, si);
+++				}
++ 			}
++-
++ 		}
++-
++ 	}
++ }
++ 
++@@ -786,7 +786,7 @@ static void traverse_members(xmlNode *cur_node, void *arg)
++ 		free(kind);
++ 		free(def);
++ 		free(args);
++-//		free(name); /* don't free, it's in the map */
+++		free(name);
++ 	}
++ }
++ 
+diff --git a/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch b/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+new file mode 100644
+index 0000000..7650221
+--- /dev/null
++++ b/debian/patches/spec-be-more-strict-about-plugins-version-and-architectur.patch
+@@ -0,0 +1,167 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 25 Feb 2018 09:08:10 +0100
++Subject: [spec] be more strict about plugins version and architecture
++ depedencies
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 851525b90235db236cc4bf88a66ed5f7c54ed9f6)
++---
++ kronosnet.spec.in | 42 +++++++++++++++++++++---------------------
++ 1 file changed, 21 insertions(+), 21 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 3b597d0..de31656 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -363,7 +363,7 @@ Summary: Simple userland wrapper around kernel tap devices
++ %package -n libnozzle1-devel
++ Group: Development/Libraries
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
++-Requires: libnozzle1 = %{version}-%{release}
+++Requires: libnozzle1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++ 
++ %description -n libnozzle1-devel
++@@ -402,7 +402,7 @@ Summary: Kronosnet core switching implementation
++ %package -n libknet1-devel
++ Group: Development/Libraries
++ Summary: Kronosnet core switching implementation (developer files)
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++ 
++ %description -n libknet1-devel
++@@ -424,7 +424,7 @@ Requires: pkgconfig
++ %package -n libknet1-crypto-nss-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 nss support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-crypto-nss-plugin
++  NSS crypto support for libknet1.
++@@ -438,7 +438,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 openssl support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-crypto-openssl-plugin
++  OpenSSL crypto support for libknet1.
++@@ -452,7 +452,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-zlib-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zlib support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-zlib-plugin
++  zlib compression support for libknet1.
++@@ -465,7 +465,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lz4-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lz4 and lz4hc support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lz4-plugin
++  lz4 and lz4hc compression support for libknet1.
++@@ -480,7 +480,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lzo2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzo2 support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lzo2-plugin
++  lzo2 compression support for libknet1.
++@@ -494,7 +494,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-lzma-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzma support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lzma-plugin
++  lzma compression support for libknet1.
++@@ -508,7 +508,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-bzip2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 bzip2 support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-bzip2-plugin
++  bzip2 compression support for libknet1.
++@@ -522,7 +522,7 @@ Requires: libknet1 = %{version}-%{release}
++ %package -n libknet1-compress-zstd-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zstd support
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-zstd-plugin
++  zstd compression support for libknet1.
++@@ -536,10 +536,10 @@ Requires: libknet1 = %{version}-%{release}
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++ %if %{defined buildcryptonss}
++-Requires: libknet1-crypto-nss-plugin
+++Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcryptoopenssl}
++-Requires: libknet1-crypto-openssl-plugin
+++Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++ %description -n libknet1-crypto-plugins-all
++@@ -551,22 +551,22 @@ Requires: libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 compress plugins meta package
++ %if %{defined buildcompresszlib}
++-Requires: libknet1-compress-zlib-plugin
+++Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslz4}
++-Requires: libknet1-compress-lz4-plugin
+++Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslzo2}
++-Requires: libknet1-compress-lzo2-plugin
+++Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresslzma}
++-Requires: libknet1-compress-lzma-plugin
+++Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompressbzip2}
++-Requires: libknet1-compress-bzip2-plugin
+++Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
++ %endif
++ %if %{defined buildcompresszstd}
++-Requires: libknet1-compress-zstd-plugin
+++Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++ %description -n libknet1-compress-plugins-all
++@@ -577,8 +577,8 @@ Requires: libknet1-compress-zstd-plugin
++ %package -n libknet1-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 plugins meta package
++-Requires: libknet1-compress-plugins-all
++-Requires: libknet1-crypto-plugins-all
+++Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
+++Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-plugins-all
++  meta package to install all of libknet1 plugins
++@@ -589,7 +589,7 @@ Requires: libknet1-crypto-plugins-all
++ %package -n kronosnet-tests
++ Group: System Environment/Libraries
++ Summary: kronosnet test suite
++-Requires: libknet1 = %{version}-%{release}
+++Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n kronosnet-tests
++  this package contains all the libknet and libnozzle test suite
+diff --git a/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch b/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+new file mode 100644
+index 0000000..3e7dfa5
+--- /dev/null
++++ b/debian/patches/spec-clean-up-useless-conditionals-and-defines.patch
+@@ -0,0 +1,376 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 12 May 2019 07:22:41 +0200
++Subject: [spec] clean up useless conditionals and defines
++
++fix a couple of minor conditionals in the process
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit dd66ce8b6389772de79e576d6eea542633594cf1)
++---
++ kronosnet.spec.in | 144 ++++++++++++++++++++----------------------------------
++ 1 file changed, 52 insertions(+), 92 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index de31656..b5632ae 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -37,50 +37,6 @@
++ %undefine _enable_debug_packages
++ %endif
++ 
++-%if %{with sctp}
++-%global buildsctp 1
++-%endif
++-%if %{with nss}
++-%global buildcryptonss 1
++-%endif
++-%if %{with openssl}
++-%global buildcryptoopenssl 1
++-%endif
++-%if %{with zlib}
++-%global buildcompresszlib 1
++-%endif
++-%if %{with lz4}
++-%global buildcompresslz4 1
++-%endif
++-%if %{with lzo2}
++-%global buildcompresslzo2 1
++-%endif
++-%if %{with lzma}
++-%global buildcompresslzma 1
++-%endif
++-%if %{with bzip2}
++-%global buildcompressbzip2 1
++-%endif
++-%if %{with zstd}
++-%global buildcompresszstd 1
++-%endif
++-%if %{with libnozzle}
++-%global buildlibnozzle 1
++-%endif
++-%if %{with kronosnetd}
++-%global buildlibnozzle 1
++-%global buildkronosnetd 1
++-%endif
++-%if %{with runautogen}
++-%global buildautogen 1
++-%endif
++-%if %{with buildman}
++-%global buildmanpages 1
++-%endif
++-%if %{with installtests}
++-%global installtestsuite 1
++-%endif
++-
++ # main (empty) package
++ # http://www.rpm.org/max-rpm/s1-rpm-subpack-spec-file-changes.html
++ 
++@@ -100,62 +56,60 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
++ # Build dependencies
++ BuildRequires: gcc
++ # required to build man pages
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ BuildRequires: libqb-devel libxml2-devel doxygen
++ %endif
++-%if %{defined buildsctp}
+++%if %{with sctp}
++ BuildRequires: lksctp-tools-devel
++ %endif
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ %if 0%{?suse_version}
++ BuildRequires: mozilla-nss-devel
++ %else
++ BuildRequires: nss-devel
++ %endif
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ %if 0%{?suse_version}
++ BuildRequires: libopenssl-devel
++ %else
++ BuildRequires: openssl-devel
++ %endif
++ %endif
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ BuildRequires: zlib-devel
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ %if 0%{?suse_version}
++ BuildRequires: liblz4-devel
++ %else
++ BuildRequires: lz4-devel
++ %endif
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ BuildRequires: lzo-devel
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ BuildRequires: xz-devel
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ %if 0%{?suse_version}
++ BuildRequires: libbz2-devel
++ %else
++ BuildRequires: bzip2-devel
++ %endif
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ BuildRequires: libzstd-devel
++ %endif
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ BuildRequires: pam-devel
++ %endif
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ BuildRequires: libnl3-devel
++ %endif
++-%if %{defined buildautogen}
++-BuildRequires: autoconf
++-BuildRequires: automake
++-BuildRequires: libtool
+++%if %{with runautogen}
+++BuildRequires: autoconf automake libtool
++ %endif
++ 
++ %prep
++@@ -167,66 +121,70 @@ BuildRequires: libtool
++ %endif
++ 
++ %{configure} \
++-%if %{defined installtestsuite}
+++%if %{with installtests}
++ 	--enable-install-tests \
++ %else
++ 	--disable-install-tests \
++ %endif
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ 	--enable-man \
++ %else
++ 	--disable-man \
++ %endif
++-%if %{defined buildsctp}
+++%if %{with sctp}
++ 	--enable-libknet-sctp \
++ %else
++ 	--disable-libknet-sctp \
++ %endif
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ 	--enable-crypto-nss \
++ %else
++ 	--disable-crypto-nss \
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ 	--enable-crypto-openssl \
++ %else
++ 	--disable-crypto-openssl \
++ %endif
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ 	--enable-compress-zlib \
++ %else
++ 	--disable-compress-zlib \
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ 	--enable-compress-lz4 \
++ %else
++ 	--disable-compress-lz4 \
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ 	--enable-compress-lzo2 \
++ %else
++ 	--disable-compress-lzo2 \
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ 	--enable-compress-lzma \
++ %else
++ 	--disable-compress-lzma \
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ 	--enable-compress-bzip2 \
++ %else
++ 	--disable-compress-bzip2 \
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ 	--enable-compress-zstd \
++ %else
++ 	--disable-compress-zstd \
++ %endif
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ 	--enable-kronosnetd \
+++%else
+++	--disable-kronosnetd \
++ %endif
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ 	--enable-libnozzle \
+++%else
+++	--disable-libnozzle \
++ %endif
++ 	--with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
++ %if %{defined _unitdir}
++@@ -266,7 +224,7 @@ rm -rf %{buildroot}
++ %description
++ kronosnet source
++ 
++-%if %{defined buildkronosnetd}
+++%if %{with kronosnetd}
++ ## Runtime and subpackages section
++ %package -n kronosnetd
++ Group: System Environment/Base
++@@ -341,7 +299,7 @@ fi
++ %{_mandir}/man8/*
++ %endif
++ 
++-%if %{defined buildlibnozzle}
+++%if %{with libnozzle}
++ %package -n libnozzle1
++ Group: System Environment/Libraries
++ Summary: Simple userland wrapper around kernel tap devices
++@@ -377,8 +335,10 @@ Requires: pkgconfig
++ %{_libdir}/libnozzle.so
++ %{_includedir}/libnozzle.h
++ %{_libdir}/pkgconfig/libnozzle.pc
+++%if %{with buildman}
++ %{_mandir}/man3/nozzle*.3.gz
++ %endif
+++%endif
++ 
++ %package -n libknet1
++ Group: System Environment/Libraries
++@@ -416,11 +376,11 @@ Requires: pkgconfig
++ %{_libdir}/libknet.so
++ %{_includedir}/libknet.h
++ %{_libdir}/pkgconfig/libknet.pc
++-%if %{defined buildmanpages}
+++%if %{with buildman}
++ %{_mandir}/man3/knet*.3.gz
++ %endif
++ 
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ %package -n libknet1-crypto-nss-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 nss support
++@@ -434,7 +394,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/crypto_nss.so
++ %endif
++ 
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ %package -n libknet1-crypto-openssl-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 openssl support
++@@ -448,7 +408,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/crypto_openssl.so
++ %endif
++ 
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ %package -n libknet1-compress-zlib-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zlib support
++@@ -461,7 +421,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zlib.so
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ %package -n libknet1-compress-lz4-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lz4 and lz4hc support
++@@ -476,7 +436,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lz4hc.so
++ %endif
++ 
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ %package -n libknet1-compress-lzo2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzo2 support
++@@ -490,7 +450,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lzo2.so
++ %endif
++ 
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ %package -n libknet1-compress-lzma-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 lzma support
++@@ -504,7 +464,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_lzma.so
++ %endif
++ 
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ %package -n libknet1-compress-bzip2-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 bzip2 support
++@@ -518,7 +478,7 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++ 
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ %package -n libknet1-compress-zstd-plugin
++ Group: System Environment/Libraries
++ Summary: libknet1 zstd support
++@@ -535,10 +495,10 @@ Requires: libknet1%{_isa} = %{version}-%{release}
++ %package -n libknet1-crypto-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 crypto plugins meta package
++-%if %{defined buildcryptonss}
+++%if %{with nss}
++ Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcryptoopenssl}
+++%if %{with openssl}
++ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++@@ -550,22 +510,22 @@ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %package -n libknet1-compress-plugins-all
++ Group: System Environment/Libraries
++ Summary: libknet1 compress plugins meta package
++-%if %{defined buildcompresszlib}
+++%if %{with zlib}
++ Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslz4}
+++%if %{with lz4}
++ Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslzo2}
+++%if %{with lzo2}
++ Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresslzma}
+++%if %{with lzma}
++ Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompressbzip2}
+++%if %{with bzip2}
++ Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
++ %endif
++-%if %{defined buildcompresszstd}
+++%if %{with zstd}
++ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
+diff --git a/debian/patches/spec-drop-support-for-init-scripts.patch b/debian/patches/spec-drop-support-for-init-scripts.patch
+new file mode 100644
+index 0000000..16d60d8
+--- /dev/null
++++ b/debian/patches/spec-drop-support-for-init-scripts.patch
+@@ -0,0 +1,108 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 14 May 2019 05:53:12 +0200
++Subject: [spec] drop support for init scripts
++
++no rpm distros left that support old fashion init scripts
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 1fc28307dc2b537abd30eab8b6920f2b6893e786)
++---
++ kronosnet.spec.in | 46 ++--------------------------------------------
++ 1 file changed, 2 insertions(+), 44 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index ddc3af0..8c60125 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -182,11 +182,7 @@ BuildRequires: autoconf automake libtool
++ 	--disable-libnozzle \
++ %endif
++ 	--with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
++-%if %{defined _unitdir}
++ 	--with-systemddir=%{_unitdir}
++-%else
++-	--with-initddir=%{_sysconfdir}/rc.d/init.d/
++-%endif
++ 
++ make %{_smp_mflags}
++ 
++@@ -200,14 +196,8 @@ find %{buildroot} -name "*.a" -exec rm {} \;
++ # remove libtools leftovers
++ find %{buildroot} -name "*.la" -exec rm {} \;
++ 
++-# handle systemd vs init script
++-%if %{defined _unitdir}
++ # remove init scripts
++ rm -rf %{buildroot}/etc/init.d
++-%else
++-# remove systemd specific bits
++-find %{buildroot} -name "*.service" -exec rm {} \;
++-%endif
++ 
++ # remove docs
++ rm -rf %{buildroot}/usr/share/doc/kronosnet
++@@ -221,16 +211,10 @@ rm -rf %{buildroot}/usr/share/doc/kronosnet
++ %package -n kronosnetd
++ Summary: Multipoint-to-Multipoint VPN daemon
++ License: GPLv2+
++-%if %{defined _unitdir}
++-# Needed for systemd unit
++ Requires(post):   systemd-sysv
++ Requires(post):   systemd-units
++ Requires(preun):  systemd-units
++ Requires(postun): systemd-units
++-%else
++-Requires(post): chkconfig
++-Requires(preun): chkconfig, initscripts
++-%endif
++ Requires(post):   shadow-utils
++ Requires(preun):  shadow-utils
++ Requires: pam, /etc/pam.d/passwd
++@@ -246,33 +230,11 @@ Requires: pam, /etc/pam.d/passwd
++  or service disruption.
++ 
++ %post -n kronosnetd
++-%if %{defined _unitdir}
++- %if 0%{?systemd_post:1}
++-  %systemd_post kronosnetd.service
++- %else
++-  /bin/systemctl daemon-reload >/dev/null 2>&1 || :
++- %endif
++-%else
++-/sbin/chkconfig --add kronosnetd
++-%endif
+++%systemd_post kronosnetd.service
++ getent group @defaultadmgroup@ >/dev/null || groupadd --force --system @defaultadmgroup@
++ 
++ %preun -n kronosnetd
++-%if %{defined _unitdir}
++- %if 0%{?systemd_preun:1}
++-  %systemd_preun kronosnetd.service
++- %else
++-if [ "$1" -eq 0 ]; then
++-	/bin/systemctl --no-reload disable kronosnetd.service
++-	/bin/systemctl stop kronosnetd.service >/dev/null 2>&1
++-fi
++-%endif
++-%else
++-if [ "$1" = 0 ]; then
++-	/sbin/service kronosnetd stop >/dev/null 2>&1
++-	/sbin/chkconfig --del kronosnetd
++-fi
++-%endif
+++%systemd_preun kronosnetd.service
++ 
++ %files -n kronosnetd
++ %license COPYING.* COPYRIGHT
++@@ -281,11 +243,7 @@ fi
++ %config(noreplace) %{_sysconfdir}/sysconfig/kronosnetd
++ %config(noreplace) %{_sysconfdir}/pam.d/kronosnetd
++ %config(noreplace) %{_sysconfdir}/logrotate.d/kronosnetd
++-%if %{defined _unitdir}
++ %{_unitdir}/kronosnetd.service
++-%else
++-%config(noreplace) %{_sysconfdir}/rc.d/init.d/kronosnetd
++-%endif
++ %{_sbindir}/*
++ %{_mandir}/man8/*
++ %endif
+diff --git a/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch b/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+new file mode 100644
+index 0000000..1066070
+--- /dev/null
++++ b/debian/patches/spec-fix-a-bunch-of-rpmlint-errors.patch
+@@ -0,0 +1,51 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 13 May 2019 06:55:36 +0200
++Subject: [spec] fix a bunch of rpmlint errors
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 95198f0dc5b8a4eefe06b58fa1901740209b42a0)
++---
++ kronosnet.spec.in | 9 +++++----
++ 1 file changed, 5 insertions(+), 4 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index a6c87a0..ddc3af0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -340,6 +340,7 @@ License: LGPLv2+
++ %license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
+++
++ %ldconfig_scriptlets -n libknet1
++ 
++ %package -n libknet1-devel
++@@ -505,24 +506,24 @@ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++ %description -n libknet1-compress-plugins-all
++- Provides meta package to install all of libknet1 compress plugins
+++ Meta package to install all of libknet1 compress plugins
++ 
++ %files -n libknet1-compress-plugins-all
++ 
++ %package -n libknet1-plugins-all
++-Summary: libknet1 plugins meta package
+++Summary: Provides libknet1 plugins meta package
++ License: LGPLv2+
++ Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
++ Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-plugins-all
++- Provides meta package to install all of libknet1 plugins
+++ Meta package to install all of libknet1 plugins
++ 
++ %files -n libknet1-plugins-all
++ 
++ %if %{with installtests}
++ %package -n kronosnet-tests
++-Summary: kronosnet test suite
+++Summary: Provides kronosnet test suite
++ License: GPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
+diff --git a/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch b/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+new file mode 100644
+index 0000000..d8c82f8
+--- /dev/null
++++ b/debian/patches/spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
+@@ -0,0 +1,30 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 12 May 2019 06:59:00 +0200
++Subject: [spec] fix upstream URLs to point to https and official release repo
++
++Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1708616
++
++also to be noted, the Source0: line is different from upstream and Fedora
++because upstream can handle tarballs during development
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 5884f8dfc6cf4e648e033da855f8c77eafae84df)
++---
++ kronosnet.spec.in | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 442f3ae..e430ad2 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -90,8 +90,8 @@ Version: @version@
++ Release: 1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
++ License: GPLv2+ and LGPLv2+
++ Group: System Environment/Base
++-URL: https://github.com/kronosnet/kronosnet/
++-Source0: https://github.com/kronosnet/kronosnet/archive/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
+++URL: https://kronosnet.org
+++Source0: https://kronosnet.org/releases/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
++ 
++ ## Setup/build bits
++ 
+diff --git a/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch b/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+new file mode 100644
+index 0000000..00a6b28
+--- /dev/null
++++ b/debian/patches/spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
+@@ -0,0 +1,374 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 13 May 2019 06:02:06 +0200
++Subject: [spec] reconciliate fedora spec file into upstream spec file (part 1)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit d880374fbff2ebe404f2bbae95c988aa21e60280)
++---
++ kronosnet.spec.in | 130 ++++++++++++++++++++++--------------------------------
++ 1 file changed, 52 insertions(+), 78 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index b5632ae..a6c87a0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -45,14 +45,9 @@ Summary: Multipoint-to-Multipoint VPN daemon
++ Version: @version@
++ Release: 1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
++ License: GPLv2+ and LGPLv2+
++-Group: System Environment/Base
++ URL: https://kronosnet.org
++ Source0: https://kronosnet.org/releases/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
++ 
++-## Setup/build bits
++-
++-BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
++-
++ # Build dependencies
++ BuildRequires: gcc
++ # required to build man pages
++@@ -117,7 +112,7 @@ BuildRequires: autoconf automake libtool
++ 
++ %build
++ %if %{with runautogen}
++-    ./autogen.sh
+++./autogen.sh
++ %endif
++ 
++ %{configure} \
++@@ -217,18 +212,15 @@ find %{buildroot} -name "*.service" -exec rm {} \;
++ # remove docs
++ rm -rf %{buildroot}/usr/share/doc/kronosnet
++ 
++-%clean
++-rm -rf %{buildroot}
++-
++ # main empty package
++ %description
++-kronosnet source
+++ The kronosnet source
++ 
++ %if %{with kronosnetd}
++ ## Runtime and subpackages section
++ %package -n kronosnetd
++-Group: System Environment/Base
++ Summary: Multipoint-to-Multipoint VPN daemon
+++License: GPLv2+
++ %if %{defined _unitdir}
++ # Needed for systemd unit
++ Requires(post):   systemd-sysv
++@@ -239,8 +231,8 @@ Requires(postun): systemd-units
++ Requires(post): chkconfig
++ Requires(preun): chkconfig, initscripts
++ %endif
++-Requires(post): shadow-utils
++-Requires(preun): shadow-utils
+++Requires(post):   shadow-utils
+++Requires(preun):  shadow-utils
++ Requires: pam, /etc/pam.d/passwd
++ 
++ %description -n kronosnetd
++@@ -263,7 +255,7 @@ Requires: pam, /etc/pam.d/passwd
++ %else
++ /sbin/chkconfig --add kronosnetd
++ %endif
++-/usr/sbin/groupadd --force --system @defaultadmgroup@
+++getent group @defaultadmgroup@ >/dev/null || groupadd --force --system @defaultadmgroup@
++ 
++ %preun -n kronosnetd
++ %if %{defined _unitdir}
++@@ -283,8 +275,7 @@ fi
++ %endif
++ 
++ %files -n kronosnetd
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT 
+++%license COPYING.* COPYRIGHT
++ %dir %{_sysconfdir}/kronosnet
++ %dir %{_sysconfdir}/kronosnet/*
++ %config(noreplace) %{_sysconfdir}/sysconfig/kronosnetd
++@@ -301,8 +292,8 @@ fi
++ 
++ %if %{with libnozzle}
++ %package -n libnozzle1
++-Group: System Environment/Libraries
++ Summary: Simple userland wrapper around kernel tap devices
+++License: LGPLv2+
++ 
++ %description -n libnozzle1
++  This is an over-engineered commodity library to manage a pool
++@@ -310,17 +301,14 @@ Summary: Simple userland wrapper around kernel tap devices
++  pre-up.d/up.d/down.d/post-down.d infrastructure.
++ 
++ %files -n libnozzle1
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so.*
++ 
++-%post -n libnozzle1 -p /sbin/ldconfig
++-
++-%postun -n libnozzle1 -p /sbin/ldconfig
+++%ldconfig_scriptlets -n libnozzle1
++ 
++ %package -n libnozzle1-devel
++-Group: Development/Libraries
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
+++License: LGPLv2+
++ Requires: libnozzle1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++ 
++@@ -330,8 +318,7 @@ Requires: pkgconfig
++  pre-up.d/up.d/down.d/post-down.d infrastructure.
++ 
++ %files -n libnozzle1-devel
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so
++ %{_includedir}/libnozzle.h
++ %{_libdir}/pkgconfig/libnozzle.pc
++@@ -341,8 +328,8 @@ Requires: pkgconfig
++ %endif
++ 
++ %package -n libknet1
++-Group: System Environment/Libraries
++ Summary: Kronosnet core switching implementation
+++License: LGPLv2+
++ 
++ %description -n libknet1
++  The whole kronosnet core is implemented in this library.
++@@ -350,18 +337,14 @@ Summary: Kronosnet core switching implementation
++  information.
++ 
++ %files -n libknet1
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
++-
++-%post -n libknet1 -p /sbin/ldconfig
++-
++-%postun -n libknet1 -p /sbin/ldconfig
+++%ldconfig_scriptlets -n libknet1
++ 
++ %package -n libknet1-devel
++-Group: Development/Libraries
++ Summary: Kronosnet core switching implementation (developer files)
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ Requires: pkgconfig
++ 
++@@ -371,8 +354,7 @@ Requires: pkgconfig
++  information. 
++ 
++ %files -n libknet1-devel
++-%defattr(-,root,root,-)
++-%doc COPYING.* COPYRIGHT
+++%license COPYING.* COPYRIGHT
++ %{_libdir}/libknet.so
++ %{_includedir}/libknet.h
++ %{_libdir}/pkgconfig/libknet.pc
++@@ -382,119 +364,112 @@ Requires: pkgconfig
++ 
++ %if %{with nss}
++ %package -n libknet1-crypto-nss-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 nss support
+++Summary: Provides libknet1 nss support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-crypto-nss-plugin
++- NSS crypto support for libknet1.
+++ Provides NSS crypto support for libknet1.
++ 
++ %files -n libknet1-crypto-nss-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/crypto_nss.so
++ %endif
++ 
++ %if %{with openssl}
++ %package -n libknet1-crypto-openssl-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 openssl support
+++Summary: Provides libknet1 openssl support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-crypto-openssl-plugin
++- OpenSSL crypto support for libknet1.
+++ Provides OpenSSL crypto support for libknet1.
++ 
++ %files -n libknet1-crypto-openssl-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/crypto_openssl.so
++ %endif
++ 
++ %if %{with zlib}
++ %package -n libknet1-compress-zlib-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 zlib support
+++Summary: Provides libknet1 zlib support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-zlib-plugin
++- zlib compression support for libknet1.
+++ Provides zlib compression support for libknet1.
++ 
++ %files -n libknet1-compress-zlib-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zlib.so
++ %endif
+++
++ %if %{with lz4}
++ %package -n libknet1-compress-lz4-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lz4 and lz4hc support
+++Summary: Provides libknet1 lz4 and lz4hc support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lz4-plugin
++- lz4 and lz4hc compression support for libknet1.
+++ Provides lz4 and lz4hc compression support for libknet1.
++ 
++ %files -n libknet1-compress-lz4-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lz4.so
++ %{_libdir}/kronosnet/compress_lz4hc.so
++ %endif
++ 
++ %if %{with lzo2}
++ %package -n libknet1-compress-lzo2-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lzo2 support
+++Summary: Provides libknet1 lzo2 support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lzo2-plugin
++- lzo2 compression support for libknet1.
+++ Provides lzo2 compression support for libknet1.
++ 
++ %files -n libknet1-compress-lzo2-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lzo2.so
++ %endif
++ 
++ %if %{with lzma}
++ %package -n libknet1-compress-lzma-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 lzma support
+++Summary: Provides libknet1 lzma support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-lzma-plugin
++- lzma compression support for libknet1.
+++ Provides lzma compression support for libknet1.
++ 
++ %files -n libknet1-compress-lzma-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_lzma.so
++ %endif
++ 
++ %if %{with bzip2}
++ %package -n libknet1-compress-bzip2-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 bzip2 support
+++Summary: Provides libknet1 bzip2 support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-bzip2-plugin
++- bzip2 compression support for libknet1.
+++ Provides bzip2 compression support for libknet1.
++ 
++ %files -n libknet1-compress-bzip2-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_bzip2.so
++ %endif
++ 
++ %if %{with zstd}
++ %package -n libknet1-compress-zstd-plugin
++-Group: System Environment/Libraries
++-Summary: libknet1 zstd support
+++Summary: Provides libknet1 zstd support
+++License: LGPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-compress-zstd-plugin
++- zstd compression support for libknet1.
+++ Provides zstd compression support for libknet1.
++ 
++ %files -n libknet1-compress-zstd-plugin
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/compress_zstd.so
++ %endif
++ 
++ %package -n libknet1-crypto-plugins-all
++-Group: System Environment/Libraries
++-Summary: libknet1 crypto plugins meta package
+++Summary: Provides libknet1 crypto plugins meta package
+++License: LGPLv2+
++ %if %{with nss}
++ Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
++ %endif
++@@ -503,13 +478,13 @@ Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++ %description -n libknet1-crypto-plugins-all
++- meta package to install all of libknet1 crypto plugins
+++ Provides meta package to install all of libknet1 crypto plugins
++ 
++ %files -n libknet1-crypto-plugins-all
++ 
++ %package -n libknet1-compress-plugins-all
++-Group: System Environment/Libraries
++-Summary: libknet1 compress plugins meta package
+++Summary: Provides libknet1 compress plugins meta package
+++License: LGPLv2+
++ %if %{with zlib}
++ Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
++ %endif
++@@ -530,32 +505,31 @@ Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
++ %endif
++ 
++ %description -n libknet1-compress-plugins-all
++- meta package to install all of libknet1 compress plugins
+++ Provides meta package to install all of libknet1 compress plugins
++ 
++ %files -n libknet1-compress-plugins-all
++ 
++ %package -n libknet1-plugins-all
++-Group: System Environment/Libraries
++ Summary: libknet1 plugins meta package
+++License: LGPLv2+
++ Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
++ Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
++ 
++ %description -n libknet1-plugins-all
++- meta package to install all of libknet1 plugins
+++ Provides meta package to install all of libknet1 plugins
++ 
++ %files -n libknet1-plugins-all
++ 
++ %if %{with installtests}
++ %package -n kronosnet-tests
++-Group: System Environment/Libraries
++ Summary: kronosnet test suite
+++License: GPLv2+
++ Requires: libknet1%{_isa} = %{version}-%{release}
++ 
++ %description -n kronosnet-tests
++- this package contains all the libknet and libnozzle test suite
+++ This package contains all the libknet and libnozzle test suite.
++ 
++ %files -n kronosnet-tests
++-%defattr(-,root,root,-)
++ %{_libdir}/kronosnet/tests/*
++ %endif
++ 
+diff --git a/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch b/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+new file mode 100644
+index 0000000..500dd1f
+--- /dev/null
++++ b/debian/patches/spec-use-distro-conditionals-to-determine-BuildRequires.patch
+@@ -0,0 +1,59 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 25 Feb 2018 08:42:55 +0100
++Subject: [spec] use distro conditionals to determine BuildRequires
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 3a5332772250c1adf2340503ac8903ea07f2d394)
++---
++ kronosnet.spec.in | 24 ++++++++++++++++++++----
++ 1 file changed, 20 insertions(+), 4 deletions(-)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index e430ad2..3b597d0 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -107,16 +107,28 @@ BuildRequires: libqb-devel libxml2-devel doxygen
++ BuildRequires: lksctp-tools-devel
++ %endif
++ %if %{defined buildcryptonss}
++-BuildRequires: /usr/include/nss3/nss.h /usr/include/nspr4/nspr.h
+++%if 0%{?suse_version}
+++BuildRequires: mozilla-nss-devel
+++%else
+++BuildRequires: nss-devel
+++%endif
++ %endif
++ %if %{defined buildcryptoopenssl}
++-BuildRequires: /usr/include/openssl/conf.h
+++%if 0%{?suse_version}
+++BuildRequires: libopenssl-devel
+++%else
+++BuildRequires: openssl-devel
+++%endif
++ %endif
++ %if %{defined buildcompresszlib}
++ BuildRequires: zlib-devel
++ %endif
++ %if %{defined buildcompresslz4}
++-BuildRequires: /usr/include/lz4hc.h
+++%if 0%{?suse_version}
+++BuildRequires: liblz4-devel
+++%else
+++BuildRequires: lz4-devel
+++%endif
++ %endif
++ %if %{defined buildcompresslzo2}
++ BuildRequires: lzo-devel
++@@ -125,7 +137,11 @@ BuildRequires: lzo-devel
++ BuildRequires: xz-devel
++ %endif
++ %if %{defined buildcompressbzip2}
++-BuildRequires: /usr/include/bzlib.h
+++%if 0%{?suse_version}
+++BuildRequires: libbz2-devel
+++%else
+++BuildRequires: bzip2-devel
+++%endif
++ %endif
++ %if %{defined buildcompresszstd}
++ BuildRequires: libzstd-devel
+diff --git a/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch b/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+new file mode 100644
+index 0000000..46a0fee
+--- /dev/null
++++ b/debian/patches/spec-use-ldconfig_scriptlets-only-when-defined.patch
+@@ -0,0 +1,40 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Tue, 14 May 2019 06:57:36 +0200
++Subject: [spec] use ldconfig_scriptlets only when defined
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 8a823aa3bf291fe8c7407fd957d71897895e1aec)
++---
++ kronosnet.spec.in | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/kronosnet.spec.in b/kronosnet.spec.in
++index 8c60125..094090b 100644
++--- a/kronosnet.spec.in
+++++ b/kronosnet.spec.in
++@@ -262,7 +262,12 @@ License: LGPLv2+
++ %license COPYING.* COPYRIGHT
++ %{_libdir}/libnozzle.so.*
++ 
+++%if 0%{?ldconfig_scriptlets}
++ %ldconfig_scriptlets -n libnozzle1
+++%else
+++%post -n libnozzle1 -p /sbin/ldconfig
+++%postun -n libnozzle1 -p /sbin/ldconfig
+++%endif
++ 
++ %package -n libnozzle1-devel
++ Summary: Simple userland wrapper around kernel tap devices (developer files)
++@@ -299,7 +304,12 @@ License: LGPLv2+
++ %{_libdir}/libknet.so.*
++ %dir %{_libdir}/kronosnet
++ 
+++%if 0%{?ldconfig_scriptlets}
++ %ldconfig_scriptlets -n libknet1
+++%else
+++%post -n libknet1 -p /sbin/ldconfig
+++%postun -n libknet1 -p /sbin/ldconfig
+++%endif
++ 
++ %package -n libknet1-devel
++ Summary: Kronosnet core switching implementation (developer files)
+diff --git a/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch b/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+new file mode 100644
+index 0000000..76b42da
+--- /dev/null
++++ b/debian/patches/tests-hide-an-arm-internal-memory-leak-non-recurring.patch
+@@ -0,0 +1,25 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 09:30:27 +0200
++Subject: [tests] hide an arm internal memory leak (non-recurring)
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 43b3f05da8736e7bb286e81f96e7514977541bef)
++---
++ build-aux/knet_valgrind_memcheck.supp | 7 +++++++
++ 1 file changed, 7 insertions(+)
++
++diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
++index e0f49d0..a34ab93 100644
++--- a/build-aux/knet_valgrind_memcheck.supp
+++++ b/build-aux/knet_valgrind_memcheck.supp
++@@ -605,3 +605,10 @@
++    obj:*
++    obj:/usr/lib64/libnss3.so
++ }
+++{
+++   arm internal memory leak
+++   Memcheck:Leak
+++   match-leak-kinds: definite
+++   fun:malloc
+++   fun:dl_open_worker
+++}
+diff --git a/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch b/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+new file mode 100644
+index 0000000..458da67
+--- /dev/null
++++ b/debian/patches/tests-improve-wait-for-packet-implementation-to-flush-log.patch
+@@ -0,0 +1,135 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 11 Apr 2019 09:31:00 +0200
++Subject: [tests] improve wait for packet implementation to flush logs during
++ wait
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit e7825127477c756b4d0d9311c9907e140575e490)
++---
++ libknet/tests/test-common.h                 | 2 +-
++ libknet/tests/api_knet_handle_clear_stats.c | 2 +-
++ libknet/tests/api_knet_send.c               | 2 +-
++ libknet/tests/api_knet_send_compress.c      | 2 +-
++ libknet/tests/api_knet_send_crypto.c        | 2 +-
++ libknet/tests/api_knet_send_loopback.c      | 4 ++--
++ libknet/tests/test-common.c                 | 7 ++++---
++ 7 files changed, 11 insertions(+), 10 deletions(-)
++
++diff --git a/libknet/tests/test-common.h b/libknet/tests/test-common.h
++index 8742f8d..a498a09 100644
++--- a/libknet/tests/test-common.h
+++++ b/libknet/tests/test-common.h
++@@ -70,6 +70,6 @@ int stop_logthread(void);
++ int make_local_sockaddr(struct sockaddr_storage *lo, uint16_t offset);
++ int make_local_sockaddr6(struct sockaddr_storage *lo, uint16_t offset);
++ int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd, FILE *std);
++-int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd);
+++int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std);
++ 
++ #endif
++diff --git a/libknet/tests/api_knet_handle_clear_stats.c b/libknet/tests/api_knet_handle_clear_stats.c
++index 8e64235..07f059a 100644
++--- a/libknet/tests/api_knet_handle_clear_stats.c
+++++ b/libknet/tests/api_knet_handle_clear_stats.c
++@@ -160,7 +160,7 @@ static void test(void)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
++index 9e81d03..ca16e3d 100644
++--- a/libknet/tests/api_knet_send.c
+++++ b/libknet/tests/api_knet_send.c
++@@ -247,7 +247,7 @@ static void test(uint8_t transport)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_compress.c b/libknet/tests/api_knet_send_compress.c
++index 6de4674..b03f4e7 100644
++--- a/libknet/tests/api_knet_send_compress.c
+++++ b/libknet/tests/api_knet_send_compress.c
++@@ -170,7 +170,7 @@ static void test(const char *model)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_crypto.c b/libknet/tests/api_knet_send_crypto.c
++index f2ca366..e33a808 100644
++--- a/libknet/tests/api_knet_send_crypto.c
+++++ b/libknet/tests/api_knet_send_crypto.c
++@@ -171,7 +171,7 @@ static void test(const char *model)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/api_knet_send_loopback.c b/libknet/tests/api_knet_send_loopback.c
++index 0cfd29f..2feca68 100644
++--- a/libknet/tests/api_knet_send_loopback.c
+++++ b/libknet/tests/api_knet_send_loopback.c
++@@ -251,7 +251,7 @@ static void test(void)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++@@ -352,7 +352,7 @@ static void test(void)
++ 
++ 	flush_logs(logfds[0], stdout);
++ 
++-	if (wait_for_packet(knet_h, 10, datafd)) {
+++	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
++ 		printf("Error waiting for packet: %s\n", strerror(errno));
++ 		knet_link_set_enable(knet_h, 1, 0, 0);
++ 		knet_link_clear_config(knet_h, 1, 0);
++diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
++index d0ea1ef..a4ff297 100644
++--- a/libknet/tests/test-common.c
+++++ b/libknet/tests/test-common.c
++@@ -485,7 +485,7 @@ int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd
++ 	return -1;
++ }
++ 
++-int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd)
+++int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std)
++ {
++ 	fd_set rfds;
++ 	struct timeval tv;
++@@ -500,7 +500,7 @@ try_again:
++ 	FD_ZERO(&rfds);
++ 	FD_SET(datafd, &rfds);
++ 
++-	tv.tv_sec = seconds;
+++	tv.tv_sec = 1;
++ 	tv.tv_usec = 0;
++ 
++ 	err = select(datafd+1, &rfds, NULL, NULL, &tv);
++@@ -509,7 +509,8 @@ try_again:
++ 	 * pick an arbitrary 10 times loop (multiplied by waiting seconds)
++ 	 * before failing.
++ 	 */
++-	if ((!err) && (i < 10)) {
+++	if ((!err) && (i < seconds)) {
+++		flush_logs(logfd, std);
++ 		i++;
++ 		goto try_again;
++ 	}
+diff --git a/debian/patches/tests-remove-stray-comment.patch b/debian/patches/tests-remove-stray-comment.patch
+new file mode 100644
+index 0000000..dce4422
+--- /dev/null
++++ b/debian/patches/tests-remove-stray-comment.patch
+@@ -0,0 +1,22 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 7 Mar 2019 18:42:20 +0100
++Subject: [tests] remove stray comment
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 3f426c317d41c93cefc7735607ec166539223283)
++---
++ libknet/tests/Makefile.am | 1 -
++ 1 file changed, 1 deletion(-)
++
++diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
++index 3e74ea8..015587c 100644
++--- a/libknet/tests/Makefile.am
+++++ b/libknet/tests/Makefile.am
++@@ -41,7 +41,6 @@ fun_checks		=
++ benchmarks		= \
++ 			  knet_bench_test
++ 
++-# int_links_acl_test can´t run yet standalone
++ noinst_PROGRAMS		= \
++ 			  api_knet_handle_new_limit_test \
++ 			  pckt_test \
+diff --git a/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch b/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+new file mode 100644
+index 0000000..3d23858
+--- /dev/null
++++ b/debian/patches/transports-access-list-add-internal-API-to-gather-which-f.patch
+@@ -0,0 +1,161 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Thu, 28 Feb 2019 14:55:27 +0100
++Subject: [transports / access list] add internal API to gather which fd to
++ use for access lists given a certain link struct
++
++this is required for the external API that has to be transport indepedent
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 2eb0040c7b5c99f3157b3922f6400a6c09c80e7e)
++---
++ libknet/internals.h          |  6 ++++++
++ libknet/transport_loopback.h |  1 +
++ libknet/transport_sctp.h     |  1 +
++ libknet/transport_udp.h      |  1 +
++ libknet/transports.h         |  1 +
++ libknet/transport_loopback.c |  5 +++++
++ libknet/transport_sctp.c     |  7 +++++++
++ libknet/transport_udp.c      |  5 +++++
++ libknet/transports.c         | 13 +++++++++----
++ 9 files changed, 36 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index d482674..8976a8c 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -338,6 +338,12 @@ typedef struct knet_transport_ops {
++  */
++ 	int (*transport_link_dyn_connect)(knet_handle_t knet_h, int sockfd, struct knet_link *link);
++ 
+++
+++/*
+++ * return the fd to use for access lists
+++ */
+++	int (*transport_link_get_acl_fd)(knet_handle_t knet_h, struct knet_link *link);
+++
++ /*
++  * per transport error handling of recvmmsg
++  * (see _handle_recv_from_links comments for details)
++diff --git a/libknet/transport_loopback.h b/libknet/transport_loopback.h
++index 3d072e8..6ce3ed3 100644
++--- a/libknet/transport_loopback.h
+++++ b/libknet/transport_loopback.h
++@@ -23,5 +23,6 @@ int loopback_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_
++ int loopback_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int loopback_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++ 
++ #endif
++diff --git a/libknet/transport_sctp.h b/libknet/transport_sctp.h
++index f27bcf1..83a638b 100644
++--- a/libknet/transport_sctp.h
+++++ b/libknet/transport_sctp.h
++@@ -31,6 +31,7 @@ int sctp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err,
++ int sctp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int sctp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++ 
++ #endif
++ 
++diff --git a/libknet/transport_udp.h b/libknet/transport_udp.h
++index bbb6ec9..6de18e3 100644
++--- a/libknet/transport_udp.h
+++++ b/libknet/transport_udp.h
++@@ -23,5 +23,6 @@ int udp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err,
++ int udp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
++ int udp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
++ int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++ 
++ #endif
++diff --git a/libknet/transports.h b/libknet/transports.h
++index 6338140..38f69ba 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -15,6 +15,7 @@ void stop_all_transports(knet_handle_t knet_h);
++ int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, uint8_t transport);
++ int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
++ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
+++int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg);
++diff --git a/libknet/transport_loopback.c b/libknet/transport_loopback.c
++index bf48bb9..54129d7 100644
++--- a/libknet/transport_loopback.c
+++++ b/libknet/transport_loopback.c
++@@ -73,3 +73,8 @@ int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct
++ {
++ 	return 0;
++ }
+++
+++int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++	return 0;
+++}
++diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
++index aa0de9d..819bc9a 100644
++--- a/libknet/transport_sctp.c
+++++ b/libknet/transport_sctp.c
++@@ -1537,4 +1537,11 @@ int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct kne
++ 	kn_link->transport_connected = 1;
++ 	return 0;
++ }
+++
+++int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++	sctp_connect_link_info_t *this_link_info = kn_link->transport_link;
+++	sctp_listen_link_info_t *info = this_link_info->listener;
+++	return info->listen_sock;
+++}
++ #endif
++diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
++index e4f6fdb..e243a91 100644
++--- a/libknet/transport_udp.c
+++++ b/libknet/transport_udp.c
++@@ -438,3 +438,8 @@ int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet
++ 	kn_link->status.dynconnected = 1;
++ 	return 0;
++ }
+++
+++int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++	return kn_link->outsock;
+++}
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 6ded675..5181db9 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,14 +27,14 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++ 
++-#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++ 
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++-	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++-	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_link_get_acl_fd, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED,KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ 	{ "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++-				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_link_get_acl_fd, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
++@@ -103,6 +103,11 @@ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_lin
++ 	return transport_modules_cmd[kn_link->transport].transport_link_dyn_connect(knet_h, sockfd, kn_link);
++ }
++ 
+++int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
+++{
+++	return transport_modules_cmd[kn_link->transport].transport_link_get_acl_fd(knet_h, kn_link);
+++}
+++
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
++ {
++ 	return transport_modules_cmd[transport].transport_rx_sock_error(knet_h, sockfd, recv_err, recv_errno);
+diff --git a/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch b/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+new file mode 100644
+index 0000000..64e7124
+--- /dev/null
++++ b/debian/patches/transports-add-information-about-the-nature-of-the-transp.patch
+@@ -0,0 +1,115 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Sun, 10 Feb 2019 08:52:22 +0100
++Subject: [transports] add information about the nature of the transport and
++ supported access lists
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 7cb7619d9222e09e65c3ec46a9d79a1806c44a25)
++---
++ libknet/internals.h  | 31 +++++++++++++++++++++++++++++++
++ libknet/transports.h |  2 ++
++ libknet/transports.c | 18 ++++++++++++++----
++ 3 files changed, 47 insertions(+), 4 deletions(-)
++
++diff --git a/libknet/internals.h b/libknet/internals.h
++index d33646f..106b49d 100644
++--- a/libknet/internals.h
+++++ b/libknet/internals.h
++@@ -256,6 +256,34 @@ extern pthread_rwlock_t shlib_rwlock;       /* global shared lib load lock */
++  *       for every protocol.
++  */
++ 
+++/*
+++ * for now knet supports only IP protocols (udp/sctp)
+++ * in future there might be others like ARP
+++ * or TIPC.
+++ * keep this around as transport information
+++ * to use for access lists and other operations
+++ */
+++
+++typedef enum {
+++	LOOPBACK,
+++	IP_PROTO
+++} transport_proto;
+++
+++/*
+++ * some transports like SCTP can filter incoming
+++ * connections before knet has to process
+++ * any packets.
+++ * GENERIC_ACL -> packet has to be read and filterted
+++ * PROTO_ACL -> transport provides filtering at lower levels
+++ *              and packet does not need to be processed
+++ */
+++
+++typedef enum {
+++	USE_NO_ACL,
+++	USE_GENERIC_ACL,
+++	USE_PROTO_ACL
+++} transport_acl;
+++
++ /*
++  * make it easier to map values in transports.c
++  */
++@@ -270,6 +298,9 @@ typedef struct knet_transport_ops {
++ 	const uint8_t transport_id;
++ 	const uint8_t built_in;
++ 
+++	transport_proto transport_protocol;
+++	transport_acl transport_acl_type;
+++
++ /*
++  * connection oriented protocols like SCTP
++  * don´t need dst_addr in sendto calls and
++diff --git a/libknet/transports.h b/libknet/transports.h
++index d58b7a3..6338140 100644
++--- a/libknet/transports.h
+++++ b/libknet/transports.h
++@@ -18,6 +18,8 @@ int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_lin
++ int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
++ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg);
+++int transport_get_proto(knet_handle_t knet_h, uint8_t transport);
+++int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport);
++ int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport);
++ 
++ #endif
++diff --git a/libknet/transports.c b/libknet/transports.c
++index b6f3b64..ffebe00 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,14 +27,14 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++ 
++-#define empty_module 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++ 
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++-	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++-	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
+++	{ "UDP", KNET_TRANSPORT_UDP, 1, IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ 	{ "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++-				       1, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+++				       1, IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
++ #else
++ empty_module
++ #endif
++@@ -118,6 +118,16 @@ int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, st
++ 	return transport_modules_cmd[transport].transport_rx_is_data(knet_h, sockfd, msg);
++ }
++ 
+++int transport_get_proto(knet_handle_t knet_h, uint8_t transport)
+++{
+++	return transport_modules_cmd[transport].transport_protocol;
+++}
+++
+++int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport)
+++{
+++	return transport_modules_cmd[transport].transport_acl_type;
+++}
+++
++ int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport)
++ {
++ 	return transport_modules_cmd[transport].transport_is_connection_oriented;
+diff --git a/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch b/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+new file mode 100644
+index 0000000..d3b6e32
+--- /dev/null
++++ b/debian/patches/transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
+@@ -0,0 +1,29 @@
++From: "Fabio M. Di Nitto" <fdinitto at redhat.com>
++Date: Mon, 3 Jun 2019 18:13:04 +0200
++Subject: [transports] fix incorrect merge when cherry-picking
++ 7033ddab505a0cf3655115fe5037579b7c882a8c
++
++Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
++(cherry picked from commit 02097c450e14afe1f5b34e7fd22a93f7d253b614)
++---
++ libknet/transports.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/libknet/transports.c b/libknet/transports.c
++index 5181db9..51712df 100644
++--- a/libknet/transports.c
+++++ b/libknet/transports.c
++@@ -27,11 +27,11 @@
++ #include "transport_sctp.h"
++ #include "threads_common.h"
++ 
++-#define empty_module -1, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+++#define empty_module 0, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
++ 
++ static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
++ 	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_link_get_acl_fd, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data },
++-	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED,KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
+++	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data },
++ 	{ "SCTP", KNET_TRANSPORT_SCTP,
++ #ifdef HAVE_NETINET_SCTP_H
++ 				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_link_get_acl_fd, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data },
+diff --git a/debian/patches/series b/debian/patches/series
+index c16ea6e..e58890e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -9,3 +9,69 @@ tests-add-man-page-check-to-verify-doxy-header-order-and-.patch
+ man-fix-libknet.h-for-errors-detected-by-newly-added-test.patch
+ udp-use-defines-vs-hardcoded-numbers.patch
+ udp-improve-error-message-decoding-from-ICMP-errors.patch
++acl-move-poc-code-into-libknet-dir-and-rename-to-links_ac.patch
++acl-add-knet_handle_enable_access_lists-api-call.patch
++transports-add-information-about-the-nature-of-the-transp.patch
++access-lists-make-code-more-generic-to-accept-more-than-I.patch
++handle-properly-initialize-fd-tracker-buffers.patch
++access-lists-automatically-add-and-remove-point-to-point-.patch
++access-lists-add-tests-for-default-access-lists.patch
++access-lists-allow-knet_bench-to-enable-disable-access-li.patch
++access-lists-enable-access-lists-for-GENERIC_ACL-protocol.patch
++access-lists-enable-generic-access-lists-only-for-protoco.patch
++access-lists-add-access-lists-support-to-sctp.patch
++access-lists-fix-build-on-freebsd.patch
++access-lists-move-all-acl-wrappers-to-links_acl-and-split.patch
++access-lists-move-access-lists-structs-and-data-types-to-.patch
++access-lists-more-use-of-generic-wrappers-and-remove-dupl.patch
++access-lists-cleanup-API-a-bit.patch
++access-lists-remove-2-unnecessary-wrappers.patch
++links-rename-transport_type-to-transport-to-avoid-confusi.patch
++links-rename-tranport_type-to-transport-to-avoid-confusio.patch
++access-lists-make-internal-API-consistent.patch
++access-lists-fix-build-on-BSD-and-add-some-include-files-.patch
++access-lists-add-errno-around-and-start-using-them.patch
++access-lists-confine-access-lists-data-structs-within-the.patch
++access-lists-use-better-name-for-fd_tracker-structure.patch
++access-lists-use-arrays-to-access-per-protocol-functions.patch
++access-lists-rename-ip1-2-to-ss1-2-to-keep-it-more-generi.patch
++transports-access-list-add-internal-API-to-gather-which-f.patch
++access-lists-add-documentation-for-enable_access_list.patch
++access-lists-add-external-API-calls-to-manage-access-list.patch
++access-lists-test-implicit-access-lists-management-for-UD.patch
++access-lists-improve-checks-on-various-data-types.patch
++access-lists-add-public-API-tests.patch
++acl-Fix-English-in-commments.patch
++access-lists-add-more-extensive-test-for-links_acl_ip.patch
++logging-fix-log-target-of-recently-added-API-calls.patch
++tests-remove-stray-comment.patch
++manpages-Document-enums-206.patch
++compress-add-support-for-libzstd.patch
++tests-hide-an-arm-internal-memory-leak-non-recurring.patch
++tests-improve-wait-for-packet-implementation-to-flush-log.patch
++man-fix-libknet.h-for-errors-detected-by-newly-added-test-1.patch
++global-update-copyright-across-the-board.patch
++build-bump-soname-to-indicate-new-API-calls.patch
++spec-fix-upstream-URLs-to-point-to-https-and-official-rel.patch
++spec-use-distro-conditionals-to-determine-BuildRequires.patch
++spec-be-more-strict-about-plugins-version-and-architectur.patch
++spec-clean-up-useless-conditionals-and-defines.patch
++spec-reconciliate-fedora-spec-file-into-upstream-spec-fil.patch
++spec-fix-a-bunch-of-rpmlint-errors.patch
++spec-drop-support-for-init-scripts.patch
++spec-use-ldconfig_scriptlets-only-when-defined.patch
++misc-some-coverity-fixes.patch
++misc-Fix-more-covscan-warnings.patch
++crypto-make-sure-to-clear-all-security-info-on-crypto_fin.patch
++PMTUd-create-common-shared-code-to-trigger-PMTUd-rerun.patch
++crypto-make-sure-to-trigger-a-PMTUd-rerun-on-each-good-cr.patch
++crypto-rework-knet_handle_crypto-external-API-to-be-more-.patch
++PMTUd-extend-internal-rerun-API-to-allow-full-PMTUd-reset.patch
++crypto-fix-openssl1.0-initialization-code.patch
++transports-fix-incorrect-merge-when-cherry-picking-7033dd.patch
++crypto-openssl-error-strings-release.patch
++crypto-openssl-drop-calls-to-RAND_seed-as-they-don-t-real.patch
++crypto-hide-errors-generated-by-openssl-1.1.1c.patch
++doc-fix-a-merge-oversight-from-541d7faf9068d10e12b4278c35.patch
++global-clarify-license-entry-per-file-to-match-README.lic.patch
++global-update-copyrights.patch
diff --git a/patches/0004-add-libzstd-dev-to-build-depends.patch b/patches/0004-add-libzstd-dev-to-build-depends.patch
new file mode 100644
index 0000000..3f17cb3
--- /dev/null
+++ b/patches/0004-add-libzstd-dev-to-build-depends.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 10:21:59 +0200
+Subject: [PATCH kronosnet] add libzstd-dev to build-depends
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ debian/control | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/debian/control b/debian/control
+index 807977c..de690e2 100644
+--- a/debian/control
++++ b/debian/control
+@@ -17,6 +17,7 @@ Build-Depends:
+  liblzma-dev,
+  liblzo2-dev,
+  zlib1g-dev,
++ libzstd-dev,
+ # Crypto plugins:
+  libnss3-dev,
+  libnspr4-dev,
diff --git a/patches/0005-add-new-symbols-for-libknet-1.10.patch b/patches/0005-add-new-symbols-for-libknet-1.10.patch
new file mode 100644
index 0000000..46ef699
--- /dev/null
+++ b/patches/0005-add-new-symbols-for-libknet-1.10.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
+Date: Wed, 19 Jun 2019 10:41:22 +0200
+Subject: [PATCH kronosnet] add new symbols for libknet 1.10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
+---
+ debian/libknet1.symbols | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/debian/libknet1.symbols b/debian/libknet1.symbols
+index 0fa1fd5..eb0baa3 100644
+--- a/debian/libknet1.symbols
++++ b/debian/libknet1.symbols
+@@ -11,6 +11,7 @@ libknet.so.1 libknet1 #MINVER#
+  knet_handle_clear_stats at LIBKNET 0.9
+  knet_handle_compress at LIBKNET 0.9
+  knet_handle_crypto at LIBKNET 0.9
++ knet_handle_enable_access_lists at LIBKNET 1.10
+  knet_handle_enable_filter at LIBKNET 0.9
+  knet_handle_enable_pmtud_notify at LIBKNET 0.9
+  knet_handle_enable_sock_notify at LIBKNET 0.9
+@@ -37,6 +38,8 @@ libknet.so.1 libknet1 #MINVER#
+  knet_host_remove at LIBKNET 0.9
+  knet_host_set_name at LIBKNET 0.9
+  knet_host_set_policy at LIBKNET 0.9
++ knet_link_add_acl at LIBKNET 1.10
++ knet_link_clear_acl at LIBKNET 1.10
+  knet_link_clear_config at LIBKNET 0.9
+  knet_link_get_config at LIBKNET 0.9
+  knet_link_get_enable at LIBKNET 0.9
+@@ -45,6 +48,8 @@ libknet.so.1 libknet1 #MINVER#
+  knet_link_get_pong_count at LIBKNET 0.9
+  knet_link_get_priority at LIBKNET 0.9
+  knet_link_get_status at LIBKNET 0.9
++ knet_link_insert_acl at LIBKNET 1.10
++ knet_link_rm_acl at LIBKNET 1.10
+  knet_link_set_config at LIBKNET 0.9
+  knet_link_set_enable at LIBKNET 0.9
+  knet_link_set_ping_timers at LIBKNET 0.9
diff --git a/patches/series b/patches/series
index bd0b3fc..2c013fc 100644
--- a/patches/series
+++ b/patches/series
@@ -1,2 +1,5 @@
-0001-cherry-pick-crypto-patches.patch
-0002-update-changelog.patch
+0001-update-changelog.patch
+0002-cherry-pick-1.9-as-patches.patch
+0003-cherry-pick-1.10-as-patches.patch
+0004-add-libzstd-dev-to-build-depends.patch
+0005-add-new-symbols-for-libknet-1.10.patch
diff --git a/upstream/kronosnet_1.8-2.debian.tar.xz b/upstream/kronosnet_1.10-0+really1.8-2.debian.tar.xz
similarity index 100%
rename from upstream/kronosnet_1.8-2.debian.tar.xz
rename to upstream/kronosnet_1.10-0+really1.8-2.debian.tar.xz
diff --git a/upstream/kronosnet_1.8.orig.tar.xz b/upstream/kronosnet_1.10.orig.tar.xz
similarity index 100%
rename from upstream/kronosnet_1.8.orig.tar.xz
rename to upstream/kronosnet_1.10.orig.tar.xz
-- 
2.20.1





More information about the pve-devel mailing list