diff --git a/NOTES_TO_PACKAGE_MAINTAINERS b/NOTES_TO_PACKAGE_MAINTAINERS
index fd931f4b..b6396260 100644
--- a/NOTES_TO_PACKAGE_MAINTAINERS
+++ b/NOTES_TO_PACKAGE_MAINTAINERS
@@ -1,29 +1,35 @@
+# Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
+#
+# Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
+#
+# This software licensed under GPL-2.0+
+
 To: distribution package maintainers
 
 Those are a few things about this project that you should know.
 
 I surely welcome patches to support both in a better way.
 
 libnozzle is a simple commodity library currently used by
 corosync, to manage tun/tap devices.
 
 libknet is the core of this project. It is considered stable
 and supported in the stable* branches and still under
 heavy development in master branch. Upstream does guarantee
 onwire and update compatibility between releases in the same
 major versions (aka 1.x will always be able to talk to 1.x+n).
 There is NO guarantee of onwire compatibility
 between major versions of knet (aka: 1.x might not be able to talk
 to 2.x).
 
 libknet has a lot of build dependencies due to its modular
 implementation. It does not, however, link with all those libraries
 but uses a dlopen model to save runtime resources and provide
 flexibility to users to install only the libraries they are
 planning to use. Make sure that you do build with all feature
 enabled (compatible with your distribution licencing/patent
 policy of course) and tune your packaging to Recommend/Suggest
 the external libraries.
 
 Thanks
 Your upstream maintainers
diff --git a/README b/README
index b8143f48..f1fc011a 100644
--- a/README
+++ b/README
@@ -1,46 +1,46 @@
 #
 # Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 Upstream resources
 ------------------
 
 https://github.com/kronosnet/kronosnet/
 https://ci.kronosnet.org/
 https://trello.com/kronosnet (TODO list and activities tracking)
 https://goo.gl/9ZvkLS (google shared drive)
 https://github.com/kronosnet/knet-ansible-ci
 https://lists.kronosnet.org/mailman/listinfo/users
 https://lists.kronosnet.org/mailman/listinfo/devel
 https://lists.kronosnet.org/mailman/listinfo/commits
 https://kronosnet.org/ (web 0.1 style)
-IRC: #kronosnet on Freenode
+IRC: #kronosnet on Libera.Chat
 
 Architecture
 ------------
 
 Please refer to the google shared drive Presentations directory for
 diagrams and fancy schemas
 
 Running knet on FreeBSD
 -----------------------
 
 knet requires big socket buffers and you need to set:
 kern.ipc.maxsockbuf=18388608
 in /etc/sysctl.conf or knet will fail to run.
 
 For version 12 (or lower), knet requires also:
 net.inet.sctp.blackhole=1
 in /etc/sysctl.conf or knet will fail to work with SCTP.
 This sysctl is obsoleted in version 13.
 
 libnozzle requires if_tap.ko loaded in the kernel.
 
 Please avoid to use ifconfig_DEFAULT in /etc/rc.conf to use
 DHCP for all interfaces or the dhclient will interfere with
 libnozzle interface management, causing errors on some
 operations such as "ifconfig tap down".
diff --git a/build-aux/knet_valgrind_helgrind.supp b/build-aux/knet_valgrind_helgrind.supp
index 116ee4cf..d3976c29 100644
--- a/build-aux/knet_valgrind_helgrind.supp
+++ b/build-aux/knet_valgrind_helgrind.supp
@@ -1,43 +1,49 @@
+# Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
+#
+# Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
+#
+# This software licensed under GPL-2.0+
+
 {
    link enable/disable known race (safe to ignore)
    Helgrind:Race
    fun:_link_updown
    fun:knet_link_set_enable
    fun:test
    fun:main
 }
 {
    link enable/disable known race (safe to ignore)
    Helgrind:Race
    fun:_handle_heartbt_thread
    obj:/usr/lib64/valgrind/vgpreload_helgrind-amd64-linux.so
    fun:start_thread
    fun:clone
 }
 {
    helgrind glitch in parsing the heartbeat code
    Helgrind:Race
    fun:_handle_check_each
    fun:_handle_heartbt_thread
    obj:/usr/lib64/valgrind/vgpreload_helgrind-amd64-linux.so
    fun:start_thread
    fun:clone
 }
 {
    helgrind glitch in parsing the recv from links code
    Helgrind:Race
    fun:_parse_recv_from_links
    fun:_handle_recv_from_links
    fun:_handle_recv_from_links_thread
    obj:/usr/lib64/valgrind/vgpreload_helgrind-amd64-linux.so
    fun:start_thread
    fun:clone
 }
 {
    helgrind glitch in parsing the PMTUd code
    Helgrind:Race
    fun:_handle_pmtud_link_thread
    obj:/usr/lib64/valgrind/vgpreload_helgrind-amd64-linux.so
    fun:start_thread
    fun:clone
 }
diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
index cd09f695..2416c318 100644
--- a/build-aux/knet_valgrind_memcheck.supp
+++ b/build-aux/knet_valgrind_memcheck.supp
@@ -1,616 +1,634 @@
+# Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
+#
+# Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
+#
+# This software licensed under GPL-2.0+
+
 {
   lzma internals (spotted on Debian 9 and Ubuntu 18.04 LTS x86-64)
   Memcheck:Cond
   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
   fun:lzma_block_buffer_encode
   fun:lzma_stream_buffer_encode
   fun:lzma_easy_buffer_encode
   fun:lzma_compress
   fun:compress_lib_test
   fun:compress_cfg
   fun:knet_handle_compress
   fun:test
 }
 {
   lzma internals (spotted on Ubuntu 18.04 LTS i386)
   Memcheck:Cond
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
   fun:lzma_stream_buffer_encode
   fun:lzma_easy_buffer_encode
   fun:lzma_compress
   fun:compress_lib_test
   fun:compress_cfg
   fun:knet_handle_compress
 }
 {
   openssl internals (spotted on OpenSUSE 15)
   Memcheck:Cond
   fun:__memcmp_sse4_1
   obj:/usr/lib64/libcrypto.so.1.1
   fun:FIPS_selftest
   obj:/usr/lib64/libcrypto.so.1.1
   fun:FIPS_mode_set
   obj:/usr/lib64/libcrypto.so.1.1
   fun:call_init.part.0
   fun:_dl_init
   fun:dl_open_worker
   fun:_dl_catch_error
   fun:_dl_open
   fun:dlopen_doit
 }
 {
   openssl internals (spotted on OpenSUSE Tumbleweed)
   Memcheck:Cond
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib64/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
 }
 {
   openssl internals (spotted on OpenSUSE Tumbleweed)
   Memcheck:Cond
   obj:/usr/lib64/libcrypto.so.1.1
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib64/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl internals (spotted on OpenSUSE Tumbleweed)
   Memcheck:Cond
   obj:/usr/lib64/libcrypto.so.1.1
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on OpenSUSE Tumbleweed)
   Memcheck:Cond
   obj:/usr/lib64/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on OpenSUSE 15)
   Memcheck:Cond
   obj:/usr/lib64/libcrypto.so.1.1
   fun:FIPS_mode_set
   obj:/usr/lib64/libcrypto.so.1.1
   fun:call_init.part.0
   fun:_dl_init
   fun:dl_open_worker
   fun:_dl_catch_error
   fun:_dl_open
   fun:dlopen_doit
   fun:_dl_catch_error
   fun:_dlerror_run
   fun:dlopen@@GLIBC_2.2.5
 }
 {
   openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:_parse_recv_from_links
   fun:_handle_recv_from_links
   fun:_handle_recv_from_links_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:_handle_check_link_pmtud
   fun:_handle_check_pmtud
   fun:_handle_pmtud_link_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed)
   Memcheck:Param
   sendmsg(msg.msg_iov[0])
   fun:sendmsg
   fun:_sendmmsg
   fun:_dispatch_to_links
   fun:_parse_recv_from_sock
   fun:_handle_send_to_links
   fun:_handle_send_to_links_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
   Memcheck:Param
   sendmsg(msg.msg_iov[0])
   fun:__libc_sendmsg
   fun:sendmsg
   fun:_sendmmsg
   fun:_dispatch_to_links
   fun:_parse_recv_from_sock
   fun:_handle_send_to_links
   fun:_handle_send_to_links_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:_handle_check_each
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   nss internal leak (3.41) non recurring (spotted on f29)
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:/usr/lib64/libnss3.so
 }
 {
   nss internal leak (3.41) non recurring
   Memcheck:Leak
   match-leak-kinds: definite
   fun:calloc
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   fun:init_nss
   fun:nsscrypto_init
   fun:crypto_init
   fun:knet_handle_crypto_set_config
   fun:test
   fun:main
 }
 {
   nss internal leak (3.41) non recurring
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   fun:init_nss
   fun:nsscrypto_init
   fun:crypto_init
   fun:knet_handle_crypto_set_config
   fun:test
   fun:main
 }
 {
   nss internal leak (3.55) non recurring (spotted on f34)
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:realpath@@GLIBC_2.3
   obj:*
   obj:*
   obj:*
   obj:/usr/lib64/libnss3.so
   fun:SECMOD_LoadModule
   fun:SECMOD_LoadModule
   obj:/usr/lib64/libnss3.so
   fun:NSS_NoDB_Init
   fun:init_nss
   fun:nsscrypto_init
   fun:crypto_init
   fun:_knet_handle_crypto_set_config
 }
 {
   openssl uncoditional jump (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
 }
 {
   openssl uncoditional jump (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl uncoditional jump (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uncoditional jump (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl.isra.0
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   ubuntu-devel new toolchain is not stable yet (spotted on Ubuntu devel 10092020)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   ubuntu-devel new toolchain is not stable yet (spotted on Ubuntu devel 10092020)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:send_pong
   fun:process_ping
   fun:_parse_recv_from_links
   fun:_handle_recv_from_links
   fun:_handle_recv_from_links_thread
   fun:start_thread
   fun:clone
 }
 {
   ubuntu-devel new toolchain is not stable yet (spotted on Ubuntu devel 10092020)
   Memcheck:Param
   socketcall.sendto(msg)
   fun:sendto
   fun:send_pmtud_reply
   fun:process_pmtud
   fun:_parse_recv_from_links
   fun:_handle_recv_from_links
   fun:_handle_recv_from_links_thread
   fun:start_thread
   fun:clone
 }
 {
   ubuntu-devel new toolchain is not stable yet (spotted on Ubuntu devel 10092020)
   Memcheck:Param
   sendmsg(msg.msg_iov[0])
   fun:__libc_sendmsg
   fun:sendmsg
   fun:_sendmmsg
   fun:_dispatch_to_links
   fun:_prep_and_send_msgs
   fun:_parse_recv_from_sock
   fun:_handle_send_to_links
   fun:_handle_send_to_links_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uncoditional jump (clang) (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
 }
 {
   openssl uncoditional jump (clang) (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_instantiate
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_get0_public
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
 }
 {
   openssl uncoditional jump (clang) (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   openssl uncoditional jump (clang) (spotted on Ubuntu devel 10092020)
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:encrypt_openssl
   fun:opensslcrypto_encrypt_and_signv
   fun:opensslcrypto_encrypt_and_sign
   fun:send_ping
   fun:_send_pings
   fun:_handle_heartbt_thread
   fun:start_thread
   fun:clone
 }
 {
   nss internal leak (3.59) non recurring (spotted on f34)
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:realpath@@GLIBC_2.3
   obj:*
   obj:*
   obj:*
   obj:*
   obj:/usr/lib64/libnss3.so
   fun:SECMOD_LoadModule
   fun:SECMOD_LoadModule
   obj:/usr/lib64/libnss3.so
   fun:NSS_NoDB_Init
   fun:init_nss
   fun:nsscrypto_init
 }
 {
   nss internal leak (3.59) non recurring (spotted on f34)
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:realpath@@GLIBC_2.3
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   obj:*
   fun:init_nss
   fun:nsscrypto_init
 }
+{
+  nss internal leak non recurring (spotted on rhel8.4 and clang)
+  Memcheck:Leak
+  match-leak-kinds: possible
+  fun:malloc
+  fun:realpath@@GLIBC_2.3
+  ...
+  obj:/usr/lib64/libnss3.so
+  fun:SECMOD_LoadModule
+  fun:SECMOD_LoadModule
+  obj:/usr/lib64/libnss3.so
+}
diff --git a/build-aux/update-copyright.sh b/build-aux/update-copyright.sh
index 62c449c8..9bb9ff14 100755
--- a/build-aux/update-copyright.sh
+++ b/build-aux/update-copyright.sh
@@ -1,29 +1,29 @@
 #!/bin/sh
 #
-# Copyright (C) 2017-2019 Red Hat, Inc.  All rights reserved.
+# Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 # script to update copyright dates across the tree
 
 enddate=$(date +%Y)
 
-input=$(grep -ril -e "Copyright.*Red Hat" |grep -v .swp |grep -v update-copyright |grep -v doxyxml.c)
+input=$(grep -ril -e "Copyright.*Red Hat" |grep -v .swp |grep -v update-copyright)
 for i in $input; do
 	startdate=$(git log --follow "$i" | grep ^Date: | tail -n 1 | awk '{print $6}')
 	if [ "$startdate" != "$enddate" ]; then
 		sed -i -e 's#Copyright (C).*Red Hat#Copyright (C) '$startdate'-'$enddate' Red Hat#g' $i
 	else
 		sed -i -e 's#Copyright (C).*Red Hat#Copyright (C) '$startdate' Red Hat#g' $i
 	fi
 done
 
 input=$(find . -type f |grep -v ".git")
 for i in $input; do
 	if [ -z "$(grep -i "Copyright" $i)" ]; then
 		echo "WARNING: $i appears to be missing Copyright information"
 	fi
 done
diff --git a/configure.ac b/configure.ac
index 78a12786..c1e5d761 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,385 +1,390 @@
 #
 # Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #          Federico Simoncelli <fsimon@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 #                                               -*- Autoconf -*-
 # Process this file with autoconf to produce a configure script.
 #
 
 AC_PREREQ([2.63])
 AC_INIT([kronosnet],
 	m4_esyscmd([build-aux/git-version-gen .tarball-version .gitarchivever]),
 	[devel@lists.kronosnet.org])
 # Don't let AC_PROC_CC (invoked by AC_USE_SYSTEM_EXTENSIONS) replace
 # undefined CFLAGS with -g -O2, overriding our special OPT_CFLAGS.
 : ${CFLAGS=""}
 AC_USE_SYSTEM_EXTENSIONS
 AM_INIT_AUTOMAKE([1.13 dist-bzip2 dist-xz color-tests -Wno-portability subdir-objects])
 
 LT_PREREQ([2.2.6])
 # --enable-new-dtags: Use RUNPATH instead of RPATH.
 # It is necessary to have this done before libtool does linker detection.
 # See also: https://github.com/kronosnet/kronosnet/issues/107
 # --as-needed: Modern systems have builtin ceil() making -lm superfluous but
 # AC_SEARCH_LIBS can't detect this because it tests with a false prototype
 AX_CHECK_LINK_FLAG([-Wl,--enable-new-dtags],
 		   [AM_LDFLAGS=-Wl,--enable-new-dtags],
 		   [AC_MSG_ERROR(["Linker support for --enable-new-dtags is required"])])
 AX_CHECK_LINK_FLAG([-Wl,--as-needed], [AM_LDFLAGS="$AM_LDFLAGS -Wl,--as-needed"])
 
 AC_SUBST([AM_LDFLAGS])
 saved_LDFLAGS="$LDFLAGS"
 LDFLAGS="$AM_LDFLAGS $LDFLAGS"
 LT_INIT
 LDFLAGS="$saved_LDFLAGS"
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([libknet/handle.c])
 AC_CONFIG_HEADERS([config.h])
 
 AC_CANONICAL_HOST
 
 AC_LANG([C])
 
 if test "$prefix" = "NONE"; then
 	prefix="/usr"
 	if test "$localstatedir" = "\${prefix}/var"; then
 		localstatedir="/var"
 	fi
 	if test "$libdir" = "\${exec_prefix}/lib"; then
 		if test -e /usr/lib64; then
 			libdir="/usr/lib64"
 		else
 			libdir="/usr/lib"
 		fi
 	fi
 fi
 
 AC_PROG_AWK
 AC_PROG_GREP
 AC_PROG_SED
 AC_PROG_CPP
 AC_PROG_CC
 AC_PROG_CC_C99
 if test "x$ac_cv_prog_cc_c99" = "xno"; then
 	AC_MSG_ERROR(["C99 support is required"])
 fi
 AC_PROG_LN_S
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 PKG_PROG_PKG_CONFIG
 
 AC_CHECK_PROGS([VALGRIND_EXEC], [valgrind])
 AM_CONDITIONAL([HAS_VALGRIND], [test x$VALGRIND_EXEC != "x"])
 
 AC_CHECK_PROGS([COVBUILD_EXEC], [cov-build])
 AM_CONDITIONAL([HAS_COVBUILD], [test x$COVBUILD_EXEC != "x"])
 
 AC_CHECK_PROGS([COVANALYZE_EXEC], [cov-analyze])
 AM_CONDITIONAL([HAS_COVANALYZE], [test x$COVANALYZE_EXEC != "x"])
 
 AC_CHECK_PROGS([COVFORMATERRORS_EXEC], [cov-format-errors])
 AM_CONDITIONAL([HAS_COVFORMATERRORS], [test x$COVFORMATERRORS_EXEC != "x"])
 
 # KNET_OPTION_DEFINES(stem,type,detection code)
 # stem: enters name of option, Automake conditional and preprocessor define
 # type: compress or crypto, determines where the default comes from
 AC_DEFUN([KNET_OPTION_DEFINES],[
 AC_ARG_ENABLE([$2-$1],[AS_HELP_STRING([--disable-$2-$1],[disable libknet $1 support])],,
 	[enable_$2_$1="$enable_$2_all"])
 AM_CONDITIONAL([BUILD_]m4_toupper([$2_$1]),[test "x$enable_$2_$1" = xyes])
 if test "x$enable_$2_$1" = xyes; then
 	$3
 fi
 AC_DEFINE_UNQUOTED([WITH_]m4_toupper([$2_$1]), [`test "x$enable_$2_$1" != xyes; echo $?`], $1 $2 [built in])
 ])
 
 AC_ARG_ENABLE([man],
 	[AS_HELP_STRING([--disable-man],[disable man page creation])],,
 	[ enable_man="yes" ])
 AM_CONDITIONAL([BUILD_MAN], [test x$enable_man = xyes])
 
 AC_ARG_ENABLE([libknet-sctp],
 	[AS_HELP_STRING([--disable-libknet-sctp],[disable libknet SCTP support])],,
 	[ enable_libknet_sctp="yes" ])
 AM_CONDITIONAL([BUILD_SCTP], [test x$enable_libknet_sctp = xyes])
 
+AC_ARG_ENABLE([functional-tests],
+	[AS_HELP_STRING([--disable-functional-tests],[disable execution of functional tests, useful for old and slow arches])],,
+	[ enable_functional_tests="yes" ])
+AM_CONDITIONAL([RUN_FUN_TESTS], [test x$enable_functional_tests = xyes])
+
 AC_ARG_ENABLE([crypto-all],
 	[AS_HELP_STRING([--disable-crypto-all],[disable libknet all crypto modules support])],,
 	[ enable_crypto_all="yes" ])
 
 KNET_OPTION_DEFINES([nss],[crypto],[PKG_CHECK_MODULES([nss], [nss])])
 KNET_OPTION_DEFINES([openssl],[crypto],[PKG_CHECK_MODULES([openssl],[libcrypto])])
 
 AC_ARG_ENABLE([compress-all],
 	[AS_HELP_STRING([--disable-compress-all],[disable libknet all compress modules support])],,
 	[ enable_compress_all="yes" ])
 
 KNET_OPTION_DEFINES([zstd],[compress],[PKG_CHECK_MODULES([libzstd], [libzstd])])
 KNET_OPTION_DEFINES([zlib],[compress],[PKG_CHECK_MODULES([zlib], [zlib])])
 KNET_OPTION_DEFINES([lz4],[compress],[PKG_CHECK_MODULES([liblz4], [liblz4])])
 KNET_OPTION_DEFINES([lzo2],[compress],[
 	PKG_CHECK_MODULES([lzo2], [lzo2],
 		[# work around broken pkg-config file in v2.10
 		 AC_SUBST([lzo2_CFLAGS],[`echo $lzo2_CFLAGS | sed 's,/lzo *, ,'`])],
 		[AC_CHECK_HEADERS([lzo/lzo1x.h],
 			[AC_CHECK_LIB([lzo2], [lzo1x_decompress_safe],
 				[AC_SUBST([lzo2_LIBS], [-llzo2])])],
 				[AC_MSG_ERROR(["missing required lzo/lzo1x.h header"])])])
 ])
 KNET_OPTION_DEFINES([lzma],[compress],[PKG_CHECK_MODULES([liblzma], [liblzma])])
 KNET_OPTION_DEFINES([bzip2],[compress],[
 	PKG_CHECK_MODULES([bzip2], [bzip2],,
 		[AC_CHECK_HEADERS([bzlib.h],
 			[AC_CHECK_LIB([bz2], [BZ2_bzBuffToBuffCompress],
 				[AC_SUBST([bzip2_LIBS], [-lbz2])])],
 				[AC_MSG_ERROR(["missing required bzlib.h"])])])
 ])
 
 AC_ARG_ENABLE([install-tests],
 	[AS_HELP_STRING([--enable-install-tests],[install tests])],,
 	[ enable_install_tests="no" ])
 AM_CONDITIONAL([INSTALL_TESTS], [test x$enable_install_tests = xyes])
 
 AC_ARG_ENABLE([runautogen],
 	[AS_HELP_STRING([--enable-runautogen],[run autogen.sh])],,
 	[ enable_runautogen="no" ])
 AM_CONDITIONAL([BUILD_RUNAUTOGEN], [test x$enable_runautogen = xyes])
 
 override_rpm_debuginfo_option="yes"
 AC_ARG_ENABLE([rpm-debuginfo],
 	[AS_HELP_STRING([--enable-rpm-debuginfo],[build debuginfo packages])],,
 	[ enable_rpm_debuginfo="no", override_rpm_debuginfo_option="no" ])
 AM_CONDITIONAL([BUILD_RPM_DEBUGINFO], [test x$enable_rpm_debuginfo = xyes])
 AM_CONDITIONAL([OVERRIDE_RPM_DEBUGINFO], [test x$override_rpm_debuginfo_option = xyes])
 
 AC_ARG_ENABLE([libnozzle],
 	[AS_HELP_STRING([--enable-libnozzle],[libnozzle support])],,
 	[ enable_libnozzle="yes" ])
 
 AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
 
 # Checks for libraries.
 AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
 saved_LIBS="$LIBS"
 LIBS=
 AC_SEARCH_LIBS([ceil], [m], , [AC_MSG_ERROR([ceil not found])])
 AC_SUBST([m_LIBS], [$LIBS])
 LIBS=
 AC_SEARCH_LIBS([clock_gettime], [rt], , [AC_MSG_ERROR([clock_gettime not found])])
 AC_SUBST([rt_LIBS], [$LIBS])
 LIBS=
 AC_SEARCH_LIBS([dlopen], [dl dld], , [AC_MSG_ERROR([dlopen not found])])
 AC_SUBST([dl_LIBS], [$LIBS])
 LIBS="$saved_LIBS"
 
 # Check RTLD_DI_ORIGIN (not decalred by musl. glibc has it as an enum so cannot use ifdef)
 AC_CHECK_DECL([RTLD_DI_ORIGIN], [AC_DEFINE([HAVE_RTLD_DI_ORIGIN], 1,
     [define when RTLD_DI_ORIGIN is declared])], ,[[#include <dlfcn.h>]])
 
 # OS detection
 
 AC_MSG_CHECKING([for os in ${host_os}])
 case "$host_os" in
 	*linux*)
 		AC_DEFINE_UNQUOTED([KNET_LINUX], [1], [Compiling for Linux platform])
 		AC_MSG_RESULT([Linux])
 		;;
 	*bsd*)
 		AC_DEFINE_UNQUOTED([KNET_BSD], [1], [Compiling for BSD platform])
 		AC_MSG_RESULT([BSD])
 		;;
 	*)
 		AC_MSG_ERROR([Unsupported OS? hmmmm])
 		;;
 esac
 
 # Checks for header files.
 AC_CHECK_HEADERS([sys/epoll.h])
 AC_CHECK_FUNCS([kevent])
 # if neither sys/epoll.h nor kevent are present, we should fail.
 
 if test "x$ac_cv_header_sys_epoll_h" = xno && test "x$ac_cv_func_kevent" = xno; then
 	AC_MSG_ERROR([Both epoll and kevent unavailable on this OS])
 fi
 
 if test "x$ac_cv_header_sys_epoll_h" = xyes && test "x$ac_cv_func_kevent" = xyes; then
 	AC_MSG_ERROR([Both epoll and kevent available on this OS, please contact the maintainers to fix the code])
 fi
 
 if test "x$enable_libknet_sctp" = xyes; then
 	AC_CHECK_HEADERS([netinet/sctp.h],, [AC_MSG_ERROR(["missing required SCTP headers"])])
 fi
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_INLINE
 AC_TYPE_PID_T
 AC_TYPE_SIZE_T
 AC_TYPE_SSIZE_T
 AC_TYPE_UINT8_T
 AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
 AC_TYPE_INT8_T
 AC_TYPE_INT16_T
 AC_TYPE_INT32_T
 AC_TYPE_INT64_T
 
 PKG_CHECK_MODULES([libqb], [libqb])
 
 if test "x$enable_man" = "xyes"; then
 	AC_ARG_VAR([DOXYGEN], [override doxygen executable])
 	AC_CHECK_PROGS([DOXYGEN], [doxygen], [no])
 	if test "x$DOXYGEN" = xno; then
 		AC_MSG_ERROR(["Doxygen command not found"])
 	fi
 
 	AC_ARG_VAR([DOXYGEN2MAN], [override doxygen2man executable])
 	if test "x$cross_compiling" = "xno"; then
 		PKG_CHECK_VAR([libqb_PREFIX], [libqb], [prefix])
 		AC_PATH_PROG([DOXYGEN2MAN], [doxygen2man], [no], [$libqb_PREFIX/bin$PATH_SEPARATOR$PATH])
 	fi
 	if test "x$DOXYGEN2MAN" = "xno"; then
 		# required by doxyxml to build man pages dynamically
 		# Don't let AC_PROC_CC (invoked by AX_PROG_CC_FOR_BUILD) replace
 		# undefined CFLAGS_FOR_BUILD with -g -O2, overriding our special OPT_CFLAGS.
 		: ${CFLAGS_FOR_BUILD=""}
 		AX_PROG_CC_FOR_BUILD
 		saved_PKG_CONFIG="$PKG_CONFIG"
 		saved_ac_cv_path_PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
 		unset PKG_CONFIG ac_cv_path_PKG_CONFIG
 		AC_PATH_PROG([PKG_CONFIG], [pkg-config])
 		PKG_CHECK_MODULES([libqb_BUILD], [libqb])
 		PKG_CHECK_VAR([libqb_BUILD_PREFIX], [libqb], [prefix])
 		AC_PATH_PROG([DOXYGEN2MAN], [doxygen2man], [no], [$libqb_BUILD_PREFIX/bin$PATH_SEPARATOR$PATH])
 		if test "x$DOXYGEN2MAN" = "xno"; then
 			PKG_CHECK_MODULES([libxml_BUILD], [libxml-2.0])
 			DOXYGEN2MAN="\${abs_top_builddir}/man/doxyxml"
 			build_doxy=yes
 		fi
 		PKG_CONFIG="$saved_PKG_CONFIG"
 		ac_cv_path_PKG_CONFIG="$saved_ac_cv_path_PKG_CONFIG"
 	fi
 	AC_SUBST([DOXYGEN2MAN])
 fi
 AM_CONDITIONAL([BUILD_DOXYXML], [test "x$build_doxy" = "xyes"])
 
 # checks for libnozzle
 if test "x$enable_libnozzle" = xyes; then
 	if `echo $host_os | grep -q linux`; then
 		PKG_CHECK_MODULES([libnl], [libnl-3.0])
 		PKG_CHECK_MODULES([libnlroute], [libnl-route-3.0 >= 3.3], [],
 			[PKG_CHECK_MODULES([libnlroute], [libnl-route-3.0 < 3.3],
 					   [AC_DEFINE_UNQUOTED([LIBNL3_WORKAROUND], [1], [Enable libnl < 3.3 build workaround])], [])])
 	fi
 fi
 
 # local options
 AC_ARG_ENABLE([debug],
 	[AS_HELP_STRING([--enable-debug],[enable debug build])])
 
 AC_ARG_WITH([testdir],
 	[AS_HELP_STRING([--with-testdir=DIR],[path to /usr/lib../kronosnet/tests/ dir where to install the test suite])],
 	[ TESTDIR="$withval" ],
 	[ TESTDIR="$libdir/kronosnet/tests" ])
 
 ## do subst
 
 AC_SUBST([TESTDIR])
 
 # debug build stuff
 if test "x${enable_debug}" = xyes; then
 	AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
 	OPT_CFLAGS="-O0"
 else
 	OPT_CFLAGS="-O3"
 fi
 
 # gdb flags
 if test "x${GCC}" = xyes; then
 	GDB_FLAGS="-ggdb3"
 else
 	GDB_FLAGS="-g"
 fi
 
 DEFAULT_CFLAGS="-Werror -Wall -Wextra"
 
 # manual overrides
 # generates too much noise for stub APIs
 UNWANTED_CFLAGS="-Wno-unused-parameter"
 
 AC_SUBST([AM_CFLAGS],["$OPT_CFLAGS $GDB_FLAGS $DEFAULT_CFLAGS $UNWANTED_CFLAGS"])
 
 AX_PROG_DATE
 AS_IF([test "$ax_cv_prog_date_gnu_date:$ax_cv_prog_date_gnu_utc" = yes:yes],
 	[UTC_DATE_AT="date -u -d@"],
 	[AS_IF([test "x$ax_cv_prog_date_bsd_date" = xyes],
 		[UTC_DATE_AT="date -u -r"],
 		[AC_MSG_ERROR([date utility unable to convert epoch to UTC])])])
 AC_SUBST([UTC_DATE_AT])
 
 AC_ARG_VAR([SOURCE_EPOCH],[last modification date of the source])
 AC_MSG_NOTICE([trying to determine source epoch])
 AC_MSG_CHECKING([for source epoch in \$SOURCE_EPOCH])
 AS_IF([test -n "$SOURCE_EPOCH"],
 	[AC_MSG_RESULT([yes])],
 	[AC_MSG_RESULT([no])
 	 AC_MSG_CHECKING([for source epoch in source_epoch file])
 	 AS_IF([test -e "$srcdir/source_epoch"],
 		[read SOURCE_EPOCH <"$srcdir/source_epoch"
 		 AC_MSG_RESULT([yes])],
 		[AC_MSG_RESULT([no])
 		 AC_MSG_CHECKING([for source epoch baked in by gitattributes export-subst])
 		 SOURCE_EPOCH='$Format:%at$' # template for rewriting by git-archive
 		 AS_CASE([$SOURCE_EPOCH],
 			[?Format:*], # was not rewritten
 				[AC_MSG_RESULT([no])
 				 AC_MSG_CHECKING([for source epoch in \$SOURCE_DATE_EPOCH])
 				 AS_IF([test "x$SOURCE_DATE_EPOCH" != x],
 					[SOURCE_EPOCH="$SOURCE_DATE_EPOCH"
 					 AC_MSG_RESULT([yes])],
 					[AC_MSG_RESULT([no])
 					 AC_MSG_CHECKING([whether git log can provide a source epoch])
 					 SOURCE_EPOCH=f${SOURCE_EPOCH#\$F} # convert into git log --pretty format
 					 SOURCE_EPOCH=$(cd "$srcdir" && git log -1 --pretty=${SOURCE_EPOCH%$} 2>/dev/null)
 					 AS_IF([test -n "$SOURCE_EPOCH"],
 						[AC_MSG_RESULT([yes])],
 						[AC_MSG_RESULT([no, using current time and breaking reproducibility])
 						 SOURCE_EPOCH=$(date +%s)])])],
 			[AC_MSG_RESULT([yes])]
 		 )])
 	])
 AC_MSG_NOTICE([using source epoch $($UTC_DATE_AT$SOURCE_EPOCH +'%F %T %Z')])
 
 AC_CONFIG_FILES([
 		Makefile
 		libnozzle/Makefile
 		libnozzle/libnozzle.pc
 		libnozzle/tests/Makefile
 		libknet/Makefile
 		libknet/libknet.pc
 		libknet/tests/Makefile
 		man/Makefile
 		man/Doxyfile-knet
 		man/Doxyfile-nozzle
 		])
 
 if test "x$VERSION" = "xUNKNOWN"; then
 	AC_MSG_ERROR([m4_text_wrap([
   configure was unable to determine the source tree's current version. This
   generally happens when using git archive (or the github download button)
   generated tarball/zip file. In order to workaround this issue, either use git
   clone https://github.com/kronosnet/kronosnet.git or use an official release
   tarball, available at https://kronosnet.org/releases/.  Alternatively you
   can add a compatible version in a .tarball-version file at the top of the
   source tree, wipe your autom4te.cache dir and generated configure, and rerun
   autogen.sh.
   ], [  ], [   ], [76])])
 fi
 
 AC_OUTPUT
diff --git a/kronosnet.spec.in b/kronosnet.spec.in
index 629e2353..b764f605 100644
--- a/kronosnet.spec.in
+++ b/kronosnet.spec.in
@@ -1,461 +1,458 @@
 ###############################################################################
 ###############################################################################
 ##
 ##  Copyright (C) 2012-2021 Red Hat, Inc.  All rights reserved.
 ##
 ##  This copyrighted material is made available to anyone wishing to use,
 ##  modify, copy, or redistribute it subject to the terms and conditions
 ##  of the GNU General Public License v.2 or higher
 ##
 ###############################################################################
 ###############################################################################
 
 # keep around ready for later user
 %global alphatag @alphatag@
 %global numcomm @numcomm@
 %global dirty @dirty@
 
 # set defaults from ./configure invokation
 %@sctp@ sctp
 %@nss@ nss
 %@openssl@ openssl
 %@zlib@ zlib
 %@lz4@ lz4
 %@lzo2@ lzo2
 %@lzma@ lzma
 %@bzip2@ bzip2
 %@zstd@ zstd
 %@libnozzle@ libnozzle
 %@runautogen@ runautogen
 %@rpmdebuginfo@ rpmdebuginfo
 %@overriderpmdebuginfo@ overriderpmdebuginfo
 %@buildman@ buildman
 %@installtests@ installtests
 
 %if %{with overriderpmdebuginfo}
 %undefine _enable_debug_packages
 %endif
 
 # main (empty) package
 # http://www.rpm.org/max-rpm/s1-rpm-subpack-spec-file-changes.html
 
 Name: kronosnet
 Summary: Multipoint-to-Multipoint VPN daemon
 Version: @version@
 Release: 1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://kronosnet.org
 Source0: https://kronosnet.org/releases/%{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}.tar.gz
 
 # Build dependencies
-BuildRequires: gcc libqb-devel
+BuildRequires: gcc libqb-devel make
 # required to build man pages
 %if %{with buildman}
 BuildRequires: libxml2-devel doxygen
 %endif
 %if %{with sctp}
 BuildRequires: lksctp-tools-devel
 %endif
 %if %{with nss}
 %if 0%{?suse_version}
 BuildRequires: mozilla-nss-devel
 %else
 BuildRequires: nss-devel
 %endif
 %endif
 %if %{with openssl}
 %if 0%{?suse_version}
 BuildRequires: libopenssl-devel
 %else
 BuildRequires: openssl-devel
 %endif
 %endif
 %if %{with zlib}
 BuildRequires: zlib-devel
 %endif
 %if %{with lz4}
 %if 0%{?suse_version}
 BuildRequires: liblz4-devel
 %else
 BuildRequires: lz4-devel
 %endif
 %endif
 %if %{with lzo2}
 BuildRequires: lzo-devel
 %endif
 %if %{with lzma}
 BuildRequires: xz-devel
 %endif
 %if %{with bzip2}
 %if 0%{?suse_version}
 BuildRequires: libbz2-devel
 %else
 BuildRequires: bzip2-devel
 %endif
 %endif
 %if %{with zstd}
 BuildRequires: libzstd-devel
 %endif
 %if %{with libnozzle}
 BuildRequires: libnl3-devel
 %endif
 %if %{with runautogen}
 BuildRequires: autoconf automake libtool
 %endif
 
 %prep
 %setup -q -n %{name}-%{version}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
 
 %build
 %if %{with runautogen}
 ./autogen.sh
 %endif
 
 %{configure} \
 %if %{with installtests}
 	--enable-install-tests \
 %else
 	--disable-install-tests \
 %endif
 %if %{with buildman}
 	--enable-man \
 %else
 	--disable-man \
 %endif
 %if %{with sctp}
 	--enable-libknet-sctp \
 %else
 	--disable-libknet-sctp \
 %endif
 %if %{with nss}
 	--enable-crypto-nss \
 %else
 	--disable-crypto-nss \
 %endif
 %if %{with openssl}
 	--enable-crypto-openssl \
 %else
 	--disable-crypto-openssl \
 %endif
 %if %{with zlib}
 	--enable-compress-zlib \
 %else
 	--disable-compress-zlib \
 %endif
 %if %{with lz4}
 	--enable-compress-lz4 \
 %else
 	--disable-compress-lz4 \
 %endif
 %if %{with lzo2}
 	--enable-compress-lzo2 \
 %else
 	--disable-compress-lzo2 \
 %endif
 %if %{with lzma}
 	--enable-compress-lzma \
 %else
 	--disable-compress-lzma \
 %endif
 %if %{with bzip2}
 	--enable-compress-bzip2 \
 %else
 	--disable-compress-bzip2 \
 %endif
 %if %{with zstd}
 	--enable-compress-zstd \
 %else
 	--disable-compress-zstd \
 %endif
 %if %{with libnozzle}
-	--enable-libnozzle \
+	--enable-libnozzle
 %else
-	--disable-libnozzle \
+	--disable-libnozzle
 %endif
-	--with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
-	--with-systemddir=%{_unitdir}
 
 make %{_smp_mflags}
 
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}
 
 # tree cleanup
 # remove static libraries
 find %{buildroot} -name "*.a" -exec rm {} \;
 # remove libtools leftovers
 find %{buildroot} -name "*.la" -exec rm {} \;
 
 # remove init scripts
 rm -rf %{buildroot}/etc/init.d
 
 # remove docs
 rm -rf %{buildroot}/usr/share/doc/kronosnet
 
 # main empty package
 %description
  The kronosnet source
 
 %if %{with libnozzle}
 %package -n libnozzle1
 Summary: Simple userland wrapper around kernel tap devices
 License: LGPLv2+
 
 %description -n libnozzle1
  This is an over-engineered commodity library to manage a pool
  of tap devices and provides the basic
  pre-up.d/up.d/down.d/post-down.d infrastructure.
 
 %files -n libnozzle1
 %license COPYING.* COPYRIGHT
 %{_libdir}/libnozzle.so.*
 
 %if 0%{?ldconfig_scriptlets}
 %ldconfig_scriptlets -n libnozzle1
 %else
 %post -n libnozzle1 -p /sbin/ldconfig
 %postun -n libnozzle1 -p /sbin/ldconfig
 %endif
 
 %package -n libnozzle1-devel
 Summary: Simple userland wrapper around kernel tap devices (developer files)
 License: LGPLv2+
 Requires: libnozzle1%{_isa} = %{version}-%{release}
 Requires: pkgconfig
 
 %description -n libnozzle1-devel
  This is an over-engineered commodity library to manage a pool
  of tap devices and provides the basic
  pre-up.d/up.d/down.d/post-down.d infrastructure.
 
 %files -n libnozzle1-devel
 %license COPYING.* COPYRIGHT
 %{_libdir}/libnozzle.so
 %{_includedir}/libnozzle.h
 %{_libdir}/pkgconfig/libnozzle.pc
 %if %{with buildman}
 %{_mandir}/man3/nozzle*.3.gz
 %endif
 %endif
 
 %package -n libknet1
 Summary: Kronosnet core switching implementation
 License: LGPLv2+
 
 %description -n libknet1
  The whole kronosnet core is implemented in this library.
  Please refer to the not-yet-existing documentation for further
  information.
 
 %files -n libknet1
 %license COPYING.* COPYRIGHT
 %{_libdir}/libknet.so.*
 %dir %{_libdir}/kronosnet
 
 %if 0%{?ldconfig_scriptlets}
 %ldconfig_scriptlets -n libknet1
 %else
 %post -n libknet1 -p /sbin/ldconfig
 %postun -n libknet1 -p /sbin/ldconfig
 %endif
 
 %package -n libknet1-devel
 Summary: Kronosnet core switching implementation (developer files)
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 Requires: pkgconfig
 
 %description -n libknet1-devel
  The whole kronosnet core is implemented in this library.
  Please refer to the not-yet-existing documentation for further
  information. 
 
 %files -n libknet1-devel
 %license COPYING.* COPYRIGHT
 %{_libdir}/libknet.so
 %{_includedir}/libknet.h
 %{_libdir}/pkgconfig/libknet.pc
 %if %{with buildman}
 %{_mandir}/man3/knet*.3.gz
 %endif
 
 %if %{with nss}
 %package -n libknet1-crypto-nss-plugin
 Summary: Provides libknet1 nss support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-crypto-nss-plugin
  Provides NSS crypto support for libknet1.
 
 %files -n libknet1-crypto-nss-plugin
 %{_libdir}/kronosnet/crypto_nss.so
 %endif
 
 %if %{with openssl}
 %package -n libknet1-crypto-openssl-plugin
 Summary: Provides libknet1 openssl support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-crypto-openssl-plugin
  Provides OpenSSL crypto support for libknet1.
 
 %files -n libknet1-crypto-openssl-plugin
 %{_libdir}/kronosnet/crypto_openssl.so
 %endif
 
 %if %{with zlib}
 %package -n libknet1-compress-zlib-plugin
 Summary: Provides libknet1 zlib support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-zlib-plugin
  Provides zlib compression support for libknet1.
 
 %files -n libknet1-compress-zlib-plugin
 %{_libdir}/kronosnet/compress_zlib.so
 %endif
 
 %if %{with lz4}
 %package -n libknet1-compress-lz4-plugin
 Summary: Provides libknet1 lz4 and lz4hc support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-lz4-plugin
  Provides lz4 and lz4hc compression support for libknet1.
 
 %files -n libknet1-compress-lz4-plugin
 %{_libdir}/kronosnet/compress_lz4.so
 %{_libdir}/kronosnet/compress_lz4hc.so
 %endif
 
 %if %{with lzo2}
 %package -n libknet1-compress-lzo2-plugin
 Summary: Provides libknet1 lzo2 support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-lzo2-plugin
  Provides lzo2 compression support for libknet1.
 
 %files -n libknet1-compress-lzo2-plugin
 %{_libdir}/kronosnet/compress_lzo2.so
 %endif
 
 %if %{with lzma}
 %package -n libknet1-compress-lzma-plugin
 Summary: Provides libknet1 lzma support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-lzma-plugin
  Provides lzma compression support for libknet1.
 
 %files -n libknet1-compress-lzma-plugin
 %{_libdir}/kronosnet/compress_lzma.so
 %endif
 
 %if %{with bzip2}
 %package -n libknet1-compress-bzip2-plugin
 Summary: Provides libknet1 bzip2 support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-bzip2-plugin
  Provides bzip2 compression support for libknet1.
 
 %files -n libknet1-compress-bzip2-plugin
 %{_libdir}/kronosnet/compress_bzip2.so
 %endif
 
 %if %{with zstd}
 %package -n libknet1-compress-zstd-plugin
 Summary: Provides libknet1 zstd support
 License: LGPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n libknet1-compress-zstd-plugin
  Provides zstd compression support for libknet1.
 
 %files -n libknet1-compress-zstd-plugin
 %{_libdir}/kronosnet/compress_zstd.so
 %endif
 
 %package -n libknet1-crypto-plugins-all
 Summary: Provides libknet1 crypto plugins meta package
 License: LGPLv2+
 %if %{with nss}
 Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with openssl}
 Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
 %endif
 
 %description -n libknet1-crypto-plugins-all
  Provides meta package to install all of libknet1 crypto plugins
 
 %files -n libknet1-crypto-plugins-all
 
 %package -n libknet1-compress-plugins-all
 Summary: Provides libknet1 compress plugins meta package
 License: LGPLv2+
 %if %{with zlib}
 Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with lz4}
 Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with lzo2}
 Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with lzma}
 Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with bzip2}
 Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
 %endif
 %if %{with zstd}
 Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
 %endif
 
 %description -n libknet1-compress-plugins-all
  Meta package to install all of libknet1 compress plugins
 
 %files -n libknet1-compress-plugins-all
 
 %package -n libknet1-plugins-all
 Summary: Provides libknet1 plugins meta package
 License: LGPLv2+
 Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
 Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
 
 %description -n libknet1-plugins-all
  Meta package to install all of libknet1 plugins
 
 %files -n libknet1-plugins-all
 
 %if %{with installtests}
 %package -n kronosnet-tests
 Summary: Provides kronosnet test suite
 License: GPLv2+
 Requires: libknet1%{_isa} = %{version}-%{release}
 
 %description -n kronosnet-tests
  This package contains all the libknet and libnozzle test suite.
 
 %files -n kronosnet-tests
 %{_libdir}/kronosnet/tests/*
 %endif
 
 %if %{with rpmdebuginfo}
 %debug_package
 %endif
 
 %changelog
 * @date@ Autotools generated version <nobody@nowhere.org> - @version@-1-@numcomm@.@alphatag@.@dirty@
 - These aren't the droids you're looking for.
-
diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
index 5c079428..10821a81 100644
--- a/libknet/crypto_openssl.c
+++ b/libknet/crypto_openssl.c
@@ -1,727 +1,729 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 #define KNET_MODULE
 
 #include "config.h"
 
 #include <string.h>
 #include <errno.h>
 #include <dlfcn.h>
 #include <stdlib.h>
 #include <openssl/conf.h>
 #include <openssl/evp.h>
 #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
 #include <openssl/hmac.h>
 #endif
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
 #include "logging.h"
 #include "crypto_model.h"
 
 /*
  * 1.0.2 requires at least 120 bytes
  * 1.1.0 requires at least 256 bytes
  */
 #define SSLERR_BUF_SIZE 512
 
 /*
  * crypto definitions and conversion tables
  */
 
 #define SALT_SIZE 16
 
 /*
  * required by OSSL_PARAM_construct_*
  * making them global and cost, saves 2 strncpy and some memory on each config
  */
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 static const char *hash = "digest";
 #endif
 
 struct opensslcrypto_instance {
 	void *private_key;
 
 	int private_key_len;
 
 	const EVP_CIPHER *crypto_cipher_type;
 
 	const EVP_MD *crypto_hash_type;
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	EVP_MAC *crypto_hash_mac;
 	OSSL_PARAM params[3];
 	char hash_type[16]; /* Need to store a copy from knet_handle_crypto_cfg for OSSL_PARAM_construct_* */
 #endif
 };
 
 static int openssl_is_init = 0;
 
 /*
  * crypt/decrypt functions openssl1.0
  */
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 static int encrypt_openssl(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen = 0, offset = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = 0;
 	int		i;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	EVP_CIPHER_CTX_init(&ctx);
 
 	if (!RAND_bytes(salt, SALT_SIZE)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_EncryptInit_ex(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	for (i=0; i<iovcnt; i++) {
 		if (!EVP_EncryptUpdate(&ctx,
 				       data + offset, &tmplen,
 				       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
 			ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
 			err = -1;
 			goto out;
 		}
 		offset = offset + tmplen;
 	}
 
 	if (!EVP_EncryptFinal_ex(&ctx, data + offset, &tmplen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = offset + tmplen + SALT_SIZE;
 
 out:
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	return err;
 }
 
 static int decrypt_openssl (
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len,
 	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	EVP_CIPHER_CTX_init(&ctx);
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_DecryptInit_ex(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	if (!EVP_DecryptUpdate(&ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		if (log_level == KNET_LOG_DEBUG) {
 			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
 		} else {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
 		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(&ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		if (log_level == KNET_LOG_DEBUG) {
 			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
 		} else {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
 		}
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	return err;
 }
 #else /* (OPENSSL_VERSION_NUMBER < 0x10100000L) */
 static int encrypt_openssl(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	*ctx;
 	int		tmplen = 0, offset = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = 0;
 	int		i;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	ctx = EVP_CIPHER_CTX_new();
 
 	if (!RAND_bytes(salt, SALT_SIZE)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_EncryptInit_ex(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	for (i=0; i<iovcnt; i++) {
 		if (!EVP_EncryptUpdate(ctx,
 				       data + offset, &tmplen,
 				       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
 			ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
 			err = -1;
 			goto out;
 		}
 		offset = offset + tmplen;
 	}
 
 	if (!EVP_EncryptFinal_ex(ctx, data + offset, &tmplen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = offset + tmplen + SALT_SIZE;
 
 out:
 	EVP_CIPHER_CTX_free(ctx);
 	return err;
 }
 
 static int decrypt_openssl (
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len,
 	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	*ctx = NULL;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	if (datalen <= 0) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Packet is too short");
 		err = -1;
 		goto out;
 	}
 
 	ctx = EVP_CIPHER_CTX_new();
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_DecryptInit_ex(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	if (!EVP_DecryptUpdate(ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		if (log_level == KNET_LOG_DEBUG) {
 			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
 		} else {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
 		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		if (log_level == KNET_LOG_DEBUG) {
 			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
 		} else {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
 		}
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
 	if (ctx) {
 		EVP_CIPHER_CTX_free(ctx);
 	}
 	return err;
 }
 #endif
 
 /*
  * hash/hmac/digest functions
  */
 
 #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
 static int calculate_openssl_hash(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
 	unsigned char *hash,
 	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	unsigned int hash_len = 0;
 	unsigned char *hash_out = NULL;
 	char sslerr[SSLERR_BUF_SIZE];
 
 	hash_out = HMAC(instance->crypto_hash_type,
 			instance->private_key, instance->private_key_len,
 			buf, buf_len,
 			hash, &hash_len);
 
 	if ((!hash_out) || (hash_len != crypto_instance->sec_hash_size)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		if (log_level == KNET_LOG_DEBUG) {
 			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
 		} else {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
 		}
 		return -1;
 	}
 
 	return 0;
 }
 #else
 static int calculate_openssl_hash(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
 	unsigned char *hash,
 	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_MAC_CTX *ctx = NULL;
 	char sslerr[SSLERR_BUF_SIZE];
 	int err = 0;
 	size_t outlen = 0;
 
 	ctx = EVP_MAC_CTX_new(instance->crypto_hash_mac);
 	if (!ctx) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate openssl context: %s", sslerr);
 		err = -1;
 		goto out_err;
 	}
 
 	if (!EVP_MAC_init(ctx, instance->private_key, instance->private_key_len, instance->params)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to set openssl context parameters: %s", sslerr);
 		err = -1;
 		goto out_err;
 	}
 
 	if (!EVP_MAC_update(ctx, buf, buf_len)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to update hash: %s", sslerr);
 		err = -1;
 		goto out_err;
 	}
 
 	if (!EVP_MAC_final(ctx, hash, &outlen, crypto_instance->sec_hash_size)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize hash: %s", sslerr);
 		err = -1;
 		goto out_err;
 	}
 
 out_err:
 	if (ctx) {
 		EVP_MAC_CTX_free(ctx);
 	}
 
 	return err;
 
 }
 #endif
 
 /*
  * exported API
  */
 
 static int opensslcrypto_encrypt_and_signv (
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	int i;
 
 	if (instance->crypto_cipher_type) {
 		if (encrypt_openssl(knet_h, crypto_instance, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
 			return -1;
 		}
 	} else {
 		*buf_out_len = 0;
 		for (i=0; i<iovcnt_in; i++) {
 			memmove(buf_out + *buf_out_len, iov_in[i].iov_base, iov_in[i].iov_len);
 			*buf_out_len = *buf_out_len + iov_in[i].iov_len;
 		}
 	}
 
 	if (instance->crypto_hash_type) {
 		if (calculate_openssl_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len, KNET_LOG_ERR) < 0) {
 			return -1;
 		}
 		*buf_out_len = *buf_out_len + crypto_instance->sec_hash_size;
 	}
 
 	return 0;
 }
 
 static int opensslcrypto_encrypt_and_sign (
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct iovec iov_in;
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (unsigned char *)buf_in;
 	iov_in.iov_len = buf_in_len;
 
 	return opensslcrypto_encrypt_and_signv(knet_h, crypto_instance, &iov_in, 1, buf_out, buf_out_len);
 }
 
 static int opensslcrypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len,
 	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
 
 	if (instance->crypto_hash_type) {
 		unsigned char tmp_hash[crypto_instance->sec_hash_size];
 		ssize_t temp_buf_len = buf_in_len - crypto_instance->sec_hash_size;
 
+		memset(tmp_hash, 0, sizeof(tmp_hash));
+
 		if ((temp_buf_len <= 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Incorrect packet size.");
 			return -1;
 		}
 
 		if (calculate_openssl_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash, log_level) < 0) {
 			return -1;
 		}
 
 		if (memcmp(tmp_hash, buf_in + temp_buf_len, crypto_instance->sec_hash_size) != 0) {
 			if (log_level == KNET_LOG_DEBUG) {
 				log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
 			} else {
 				log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
 			}
 			return -1;
 		}
 
 		temp_len = temp_len - crypto_instance->sec_hash_size;
 		*buf_out_len = temp_len;
 	}
 	if (instance->crypto_cipher_type) {
 		if (decrypt_openssl(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len, log_level) < 0) {
 			return -1;
 		}
 	} else {
 		memmove(buf_out, buf_in, temp_len);
 		*buf_out_len = temp_len;
 	}
 
 	return 0;
 }
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 static pthread_mutex_t *openssl_internal_lock;
 
 static void openssl_internal_locking_callback(int mode, int type, char *file, int line)
 {
 	if (mode & CRYPTO_LOCK) {
 		(void)pthread_mutex_lock(&(openssl_internal_lock[type]));
 	} else {
 		pthread_mutex_unlock(&(openssl_internal_lock[type]));
 	}
 }
 
 static pthread_t openssl_internal_thread_id(void)
 {
 	return pthread_self();
 }
 
 static void openssl_internal_lock_cleanup(void)
 {
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
 	CRYPTO_set_id_callback(NULL);
 
 	for (i = 0; i < CRYPTO_num_locks(); i++) {
 		pthread_mutex_destroy(&(openssl_internal_lock[i]));
 	}
 
 	if (openssl_internal_lock) {
 		free(openssl_internal_lock);
 	}
 
 	return;
 }
 
 static void openssl_atexit_handler(void)
 {
 	openssl_internal_lock_cleanup();
 }
 
 static int openssl_internal_lock_setup(void)
 {
 	int savederrno = 0, err = 0;
 	int i;
 
 	openssl_internal_lock = malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
 	if (!openssl_internal_lock) {
 		savederrno = errno;
 		err = -1;
 		goto out;
 	}
 
 	for (i = 0; i < CRYPTO_num_locks(); i++) {
 		savederrno = pthread_mutex_init(&(openssl_internal_lock[i]), NULL);
 		if (savederrno) {
 			err = -1;
 			goto out;
 		}
 	}
 
 	CRYPTO_set_id_callback((void *)openssl_internal_thread_id);
 	CRYPTO_set_locking_callback((void *)&openssl_internal_locking_callback);
 
 	if (atexit(openssl_atexit_handler)) {
 		err = -1;
 	}
 out:
 	if (err) {
 		openssl_internal_lock_cleanup();
 	}
 	errno = savederrno;
 	return err;
 }
 #endif
 
 static void opensslcrypto_fini(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
 
 	if (opensslcrypto_instance) {
 		if (opensslcrypto_instance->private_key) {
 			free(opensslcrypto_instance->private_key);
 			opensslcrypto_instance->private_key = NULL;
 		}
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		if (opensslcrypto_instance->crypto_hash_mac) {
 			EVP_MAC_free(opensslcrypto_instance->crypto_hash_mac);
 		}
 #endif
 		free(opensslcrypto_instance);
 		crypto_instance->model_instance = NULL;
 	}
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	ERR_free_strings();
 #endif
 
 	return;
 }
 
 static int opensslcrypto_init(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = NULL;
 	int savederrno;
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	char sslerr[SSLERR_BUF_SIZE];
 	size_t params_n = 0;
 #endif
 
 	log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO,
 		  "Initizializing openssl crypto module [%s/%s]",
 		  knet_handle_crypto_cfg->crypto_cipher_type,
 		  knet_handle_crypto_cfg->crypto_hash_type);
 
 	if (!openssl_is_init) {
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 		ERR_load_crypto_strings();
 		OPENSSL_add_all_algorithms_noconf();
 		if (openssl_internal_lock_setup() < 0) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
 			errno = EAGAIN;
 			return -1;
 		}
 #else
 		if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
 					 | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
 			errno = EAGAIN;
 			return -1;
 		}
 #endif
 		openssl_is_init = 1;
 	}
 
 	crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
 	if (!crypto_instance->model_instance) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
 		errno = ENOMEM;
 		return -1;
 	}
 
 	opensslcrypto_instance = crypto_instance->model_instance;
 
 	memset(opensslcrypto_instance, 0, sizeof(struct opensslcrypto_instance));
 
 	opensslcrypto_instance->private_key = malloc(knet_handle_crypto_cfg->private_key_len);
 	if (!opensslcrypto_instance->private_key) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl private key");
 		savederrno = ENOMEM;
 		goto out_err;
 	}
 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_cipher_type, "none") == 0) {
 		opensslcrypto_instance->crypto_cipher_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_cipher_type = EVP_get_cipherbyname(knet_handle_crypto_cfg->crypto_cipher_type);
 		if (!opensslcrypto_instance->crypto_cipher_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto cipher type requested");
 			savederrno = ENXIO;
 			goto out_err;
 		}
 	}
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_hash_type, "none") == 0) {
 		opensslcrypto_instance->crypto_hash_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_hash_type = EVP_get_digestbyname(knet_handle_crypto_cfg->crypto_hash_type);
 		if (!opensslcrypto_instance->crypto_hash_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto hash type requested");
 			savederrno = ENXIO;
 			goto out_err;
 		}
 
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		opensslcrypto_instance->crypto_hash_mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
 		if (!opensslcrypto_instance->crypto_hash_mac) {
 			ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to fetch HMAC: %s", sslerr);
 			savederrno = ENXIO;
 			goto out_err;
 		}
 
 		/*
 		 * OSSL_PARAM_construct_* store pointers to the data, it´s important that the referenced data are per-instance
 		 */
 		memmove(opensslcrypto_instance->hash_type, knet_handle_crypto_cfg->crypto_hash_type, sizeof(opensslcrypto_instance->hash_type));
 
 		opensslcrypto_instance->params[params_n++] = OSSL_PARAM_construct_utf8_string(hash, opensslcrypto_instance->hash_type, 0);
 		opensslcrypto_instance->params[params_n] = OSSL_PARAM_construct_end();
 #endif
 	}
 
 	if ((opensslcrypto_instance->crypto_cipher_type) &&
 	    (!opensslcrypto_instance->crypto_hash_type)) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "crypto communication requires hash specified");
 		savederrno = EINVAL;
 		goto out_err;
 	}
 
 	if (opensslcrypto_instance->crypto_hash_type) {
 		crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
 	}
 
 	if (opensslcrypto_instance->crypto_cipher_type) {
 		size_t block_size;
 
 		block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);
 
 		crypto_instance->sec_salt_size = SALT_SIZE;
 		crypto_instance->sec_block_size = block_size;
 	}
 
 	return 0;
 
 out_err:
 	opensslcrypto_fini(knet_h, crypto_instance);
 
 	errno = savederrno;
 	return -1;
 }
 
 crypto_ops_t crypto_model = {
 	KNET_CRYPTO_MODEL_ABI,
 	opensslcrypto_init,
 	opensslcrypto_fini,
 	opensslcrypto_encrypt_and_sign,
 	opensslcrypto_encrypt_and_signv,
 	opensslcrypto_authenticate_and_decrypt
 };
diff --git a/libknet/host.c b/libknet/host.c
index 46183b84..ec73c0df 100644
--- a/libknet/host.c
+++ b/libknet/host.c
@@ -1,711 +1,711 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <pthread.h>
 #include <stdio.h>
 
 #include "host.h"
 #include "internals.h"
 #include "logging.h"
 #include "threads_common.h"
 
 static void _host_list_update(knet_handle_t knet_h)
 {
 	struct knet_host *host;
 	knet_h->host_ids_entries = 0;
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		knet_h->host_ids[knet_h->host_ids_entries] = host->host_id;
 		knet_h->host_ids_entries++;
 	}
 }
 
 int knet_host_add(knet_handle_t knet_h, knet_node_id_t host_id)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host = NULL;
 	uint8_t link_idx;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (knet_h->host_index[host_id]) {
 		err = -1;
 		savederrno = EEXIST;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to add host %u: %s",
 			  host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	host = malloc(sizeof(struct knet_host));
 	if (!host) {
 		err = -1;
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to allocate memory for host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	memset(host, 0, sizeof(struct knet_host));
 
 	/*
 	 * set host_id
 	 */
 	host->host_id = host_id;
 
 	/*
 	 * set default host->name to host_id for logging
 	 */
 	snprintf(host->name, KNET_MAX_HOST_LEN, "%u", host_id);
 
 	/*
 	 * initialize links internal data
 	 */
 	for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 		host->link[link_idx].link_id = link_idx;
 		host->link[link_idx].status.stats.latency_min = UINT32_MAX;
 	}
 
 	/*
 	 * add new host to the index
 	 */
 	knet_h->host_index[host_id] = host;
 
 	/*
 	 * add new host to host list
 	 */
 	if (knet_h->host_head) {
 		host->next = knet_h->host_head;
 	}
 	knet_h->host_head = host;
 
 	_host_list_update(knet_h);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	if (err < 0) {
 		free(host);
 	}
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_remove(knet_handle_t knet_h, knet_node_id_t host_id)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host, *removed;
 	uint8_t link_idx;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to remove host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	/*
 	 * if links are configured we cannot release the host
 	 */
 
 	for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 		if (host->link[link_idx].configured) {
 			err = -1;
 			savederrno = EBUSY;
 			log_err(knet_h, KNET_SUB_HOST, "Unable to remove host %u, links are still configured: %s",
 				host_id, strerror(savederrno));
 			goto exit_unlock;
 		}
 	}
 
 	removed = NULL;
 
 	/*
 	 * removing host from list
 	 */
 	if (knet_h->host_head->host_id == host_id) {
 		removed = knet_h->host_head;
 		knet_h->host_head = removed->next;
 	} else {
 		for (host = knet_h->host_head; host->next != NULL; host = host->next) {
 			if (host->next->host_id == host_id) {
 				removed = host->next;
 				host->next = removed->next;
 				break;
 			}
 		}
 	}
 
 	knet_h->host_index[host_id] = NULL;
 	free(removed);
 
 	_host_list_update(knet_h);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_set_name(knet_handle_t knet_h, knet_node_id_t host_id, const char *name)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->host_index[host_id]) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to find host %u to set name: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (!name) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to set name for host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (strlen(name) >= KNET_MAX_HOST_LEN) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Requested name for host %u is too long: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		if (!strncmp(host->name, name, KNET_MAX_HOST_LEN)) {
 			err = -1;
 			savederrno = EEXIST;
 			log_err(knet_h, KNET_SUB_HOST, "Duplicated name found on host_id %u",
 				host->host_id);
 			goto exit_unlock;
 		}
 	}
 
 	snprintf(knet_h->host_index[host_id]->name, KNET_MAX_HOST_LEN, "%s", name);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_get_name_by_host_id(knet_handle_t knet_h, knet_node_id_t host_id,
 				  char *name)
 {
 	int savederrno = 0, err = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!name) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->host_index[host_id]) {
 		savederrno = EINVAL;
 		err = -1;
 		log_debug(knet_h, KNET_SUB_HOST, "Host %u not found", host_id);
 		goto exit_unlock;
 	}
 
 	snprintf(name, KNET_MAX_HOST_LEN, "%s", knet_h->host_index[host_id]->name);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_get_id_by_host_name(knet_handle_t knet_h, const char *name,
 				  knet_node_id_t *host_id)
 {
 	int savederrno = 0, err = 0, found = 0;
 	struct knet_host *host;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!name) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!host_id) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		if (!strncmp(name, host->name, KNET_MAX_HOST_LEN)) {
 			found = 1;
 			*host_id = host->host_id;
 			break;
 		}
 	}
 
 	if (!found) {
 		savederrno = ENOENT;
 		err = -1;
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_get_host_list(knet_handle_t knet_h,
 			    knet_node_id_t *host_ids, size_t *host_ids_entries)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if ((!host_ids) || (!host_ids_entries)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	memmove(host_ids, knet_h->host_ids, sizeof(knet_h->host_ids));
 	*host_ids_entries = knet_h->host_ids_entries;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	return 0;
 }
 
 int knet_host_set_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t policy)
 {
 	int savederrno = 0, err = 0;
 	uint8_t old_policy;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (policy > KNET_LINK_POLICY_RR) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->host_index[host_id]) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to set name for host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	old_policy = knet_h->host_index[host_id]->link_handler_policy;
 	knet_h->host_index[host_id]->link_handler_policy = policy;
 
 	if (_host_dstcache_update_async(knet_h, knet_h->host_index[host_id])) {
 		savederrno = errno;
 		err = -1;
 		knet_h->host_index[host_id]->link_handler_policy = old_policy;
 		log_debug(knet_h, KNET_SUB_HOST, "Unable to update switch cache for host %u: %s",
 			  host_id, strerror(savederrno));
 	}
 
 	log_debug(knet_h, KNET_SUB_HOST, "Host %u has new switching policy: %u", host_id, policy);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_get_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t *policy)
 {
 	int savederrno = 0, err = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!policy) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->host_index[host_id]) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get name for host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	*policy = knet_h->host_index[host_id]->link_handler_policy;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_get_status(knet_handle_t knet_h, knet_node_id_t host_id,
 			 struct knet_host_status *status)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!status) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_HOST, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	memmove(status, &host->status, sizeof(struct knet_host_status));
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_host_enable_status_change_notify(knet_handle_t knet_h,
 					  void *host_status_change_notify_fn_private_data,
 					  void (*host_status_change_notify_fn) (
 						void *private_data,
 						knet_node_id_t host_id,
 						uint8_t reachable,
 						uint8_t remote,
 						uint8_t external))
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HOST, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->host_status_change_notify_fn_private_data = host_status_change_notify_fn_private_data;
 	knet_h->host_status_change_notify_fn = host_status_change_notify_fn;
 	if (knet_h->host_status_change_notify_fn) {
 		log_debug(knet_h, KNET_SUB_HOST, "host_status_change_notify_fn enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HOST, "host_status_change_notify_fn disabled");
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 static void _clear_cbuffers(struct knet_host *host, seq_num_t rx_seq_num)
 {
 	int i;
 
 	memset(host->circular_buffer, 0, KNET_CBUFFER_SIZE);
 	host->rx_seq_num = rx_seq_num;
 
 	memset(host->circular_buffer_defrag, 0, KNET_CBUFFER_SIZE);
 
-	for (i = 0; i < KNET_MAX_LINK; i++) {
+	for (i = 0; i < KNET_DEFRAG_BUFFERS; i++) {
 		memset(&host->defrag_buf[i], 0, sizeof(struct knet_host_defrag_buf));
 	}
 }
 
 static void _reclaim_old_defrag_bufs(struct knet_host *host, seq_num_t seq_num)
 {
 	seq_num_t head, tail; /* seq_num boundaries */
 	int i;
 
 	head = seq_num + 1;
-	tail = seq_num - (KNET_MAX_LINK + 1);
+	tail = seq_num - (KNET_DEFRAG_BUFFERS + 1);
 
 	/*
 	 * expire old defrag buffers
 	 */
-	for (i = 0; i < KNET_MAX_LINK; i++) {
+	for (i = 0; i < KNET_DEFRAG_BUFFERS; i++) {
 		if (host->defrag_buf[i].in_use) {
 			/*
 			 * head has done a rollover to 0+
 			 */
 			if (tail > head) {
 				if ((host->defrag_buf[i].pckt_seq >= head) && (host->defrag_buf[i].pckt_seq <= tail)) {
 					host->defrag_buf[i].in_use = 0;
 				}
 			} else {
 				if ((host->defrag_buf[i].pckt_seq >= head) || (host->defrag_buf[i].pckt_seq <= tail)){
 					host->defrag_buf[i].in_use = 0;
 				}
 			}
 		}
 	}
 }
 
 /*
  * check if a given packet seq num is in the circular buffers
  * defrag_buf = 0 -> use normal cbuf 1 -> use the defrag buffer lookup
  */
 
 int _seq_num_lookup(struct knet_host *host, seq_num_t seq_num, int defrag_buf, int clear_buf)
 {
 	size_t head, tail; /* circular buffer indexes */
 	seq_num_t seq_dist;
 	char *dst_cbuf = host->circular_buffer;
 	char *dst_cbuf_defrag = host->circular_buffer_defrag;
 	seq_num_t *dst_seq_num = &host->rx_seq_num;
 
 	if (clear_buf) {
 		_clear_cbuffers(host, seq_num);
 	}
 
-	_reclaim_old_defrag_bufs(host, seq_num);
+	_reclaim_old_defrag_bufs(host, *dst_seq_num);
 
 	if (seq_num < *dst_seq_num) {
 		seq_dist =  (SEQ_MAX - seq_num) + *dst_seq_num;
 	} else {
 		seq_dist = *dst_seq_num - seq_num;
 	}
 
 	head = seq_num % KNET_CBUFFER_SIZE;
 
 	if (seq_dist < KNET_CBUFFER_SIZE) { /* seq num is in ring buffer */
 		if (!defrag_buf) {
 			return (dst_cbuf[head] == 0) ? 1 : 0;
 		} else {
 			return (dst_cbuf_defrag[head] == 0) ? 1 : 0;
 		}
 	} else if (seq_dist <= SEQ_MAX - KNET_CBUFFER_SIZE) {
 		memset(dst_cbuf, 0, KNET_CBUFFER_SIZE);
 		memset(dst_cbuf_defrag, 0, KNET_CBUFFER_SIZE);
 		*dst_seq_num = seq_num;
 	}
 
 	/* cleaning up circular buffer */
 	tail = (*dst_seq_num + 1) % KNET_CBUFFER_SIZE;
 
 	if (tail > head) {
 		memset(dst_cbuf + tail, 0, KNET_CBUFFER_SIZE - tail);
 		memset(dst_cbuf, 0, head + 1);
 		memset(dst_cbuf_defrag + tail, 0, KNET_CBUFFER_SIZE - tail);
 		memset(dst_cbuf_defrag, 0, head + 1);
 	} else {
 		memset(dst_cbuf + tail, 0, head - tail + 1);
 		memset(dst_cbuf_defrag + tail, 0, head - tail + 1);
 	}
 
 	*dst_seq_num = seq_num;
 
 	return 1;
 }
 
 void _seq_num_set(struct knet_host *host, seq_num_t seq_num, int defrag_buf)
 {
 	if (!defrag_buf) { 
 		host->circular_buffer[seq_num % KNET_CBUFFER_SIZE] = 1;
 	} else {
 		host->circular_buffer_defrag[seq_num % KNET_CBUFFER_SIZE] = 1;
 	}
 
 	return;
 }
 
 int _host_dstcache_update_async(knet_handle_t knet_h, struct knet_host *host)
 {
 	int savederrno = 0;
 	knet_node_id_t host_id = host->host_id;
 
 	if (sendto(knet_h->dstsockfd[1], &host_id, sizeof(host_id), MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0) != sizeof(host_id)) {
 		savederrno = errno;
 		log_debug(knet_h, KNET_SUB_HOST, "Unable to write to dstpipefd[1]: %s",
 			  strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	return 0;
 }
 
 int _host_dstcache_update_sync(knet_handle_t knet_h, struct knet_host *host)
 {
 	int link_idx;
 	int best_priority = -1;
 	int reachable = 0;
 
 	if (knet_h->host_id == host->host_id && knet_h->has_loop_link) {
 		host->active_link_entries = 1;
 		return 0;
 	}
 
 	host->active_link_entries = 0;
 	for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 		if (host->link[link_idx].status.enabled != 1) /* link is not enabled */
 			continue;
 		if (host->link[link_idx].status.connected != 1) /* link is not enabled */
 			continue;
 		if (host->link[link_idx].has_valid_mtu != 1) /* link does not have valid MTU */
 			continue;
 
 		if (host->link_handler_policy == KNET_LINK_POLICY_PASSIVE) {
 			/* for passive we look for the only active link with higher priority */
 			if (host->link[link_idx].priority > best_priority) {
 				host->active_links[0] = link_idx;
 				best_priority = host->link[link_idx].priority;
 			}
 			host->active_link_entries = 1;
 		} else {
 			/* for RR and ACTIVE we need to copy all available links */
 			host->active_links[host->active_link_entries] = link_idx;
 			host->active_link_entries++;
 		}
 	}
 
 	if (host->link_handler_policy == KNET_LINK_POLICY_PASSIVE) {
 		log_info(knet_h, KNET_SUB_HOST, "host: %u (passive) best link: %u (pri: %u)",
 			 host->host_id, host->link[host->active_links[0]].link_id,
 			 host->link[host->active_links[0]].priority);
 	} else {
 		log_info(knet_h, KNET_SUB_HOST, "host: %u has %u active links",
 			 host->host_id, host->active_link_entries);
 	}
 
 	/* no active links, we can clean the circular buffers and indexes */
 	if (!host->active_link_entries) {
 		log_warn(knet_h, KNET_SUB_HOST, "host: %u has no active links", host->host_id);
 		_clear_cbuffers(host, 0);
 	} else {
 		reachable = 1;
 	}
 
 	if (host->status.reachable != reachable) {
 		host->status.reachable = reachable;
 		if (knet_h->host_status_change_notify_fn) {
 			knet_h->host_status_change_notify_fn(
 						     knet_h->host_status_change_notify_fn_private_data,
 						     host->host_id,
 						     host->status.reachable,
 						     host->status.remote,
 						     host->status.external);
 		}
 	}
 
 	return 0;
 }
diff --git a/libknet/internals.h b/libknet/internals.h
index 6c26965d..a3477280 100644
--- a/libknet/internals.h
+++ b/libknet/internals.h
@@ -1,435 +1,432 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_INTERNALS_H__
 #define __KNET_INTERNALS_H__
 
 /*
  * NOTE: you shouldn't need to include this header normally
  */
 
 #include <pthread.h>
 #include <stddef.h>
 #include <qb/qblist.h>
 #include "libknet.h"
 #include "onwire.h"
 #include "compat.h"
 #include "threads_common.h"
 
 #define KNET_DATABUFSIZE KNET_MAX_PACKET_SIZE + KNET_HEADER_ALL_SIZE
 
 #define KNET_DATABUFSIZE_CRYPT_PAD 1024
 #define KNET_DATABUFSIZE_CRYPT KNET_DATABUFSIZE + KNET_DATABUFSIZE_CRYPT_PAD
 
 #define KNET_DATABUFSIZE_COMPRESS_PAD 1024
 #define KNET_DATABUFSIZE_COMPRESS KNET_DATABUFSIZE + KNET_DATABUFSIZE_COMPRESS_PAD
 
 #define KNET_RING_RCVBUFF 8388608
 
 #define PCKT_FRAG_MAX UINT8_MAX
 #define PCKT_RX_BUFS  512
 
 #define KNET_EPOLL_MAX_EVENTS KNET_DATAFD_MAX + 1
 
 /*
  * Size of threads stack. Value is choosen by experimenting, how much is needed
  * to sucesfully finish test suite, and at the time of writing patch it was
  * ~300KiB. To have some room for future enhancement it is increased
  * by factor of 3 and rounded.
  */
 #define KNET_THREAD_STACK_SIZE (1024 * 1024)
 
 typedef void *knet_transport_link_t; /* per link transport handle */
 typedef void *knet_transport_t;      /* per knet_h transport handle */
 struct  knet_transport_ops;          /* Forward because of circular dependancy */
 
 struct knet_mmsghdr {
 	struct msghdr msg_hdr;	/* Message header */
 	unsigned int  msg_len;	/* Number of bytes transmitted */
 };
 
 struct knet_link {
 	/* required */
 	struct sockaddr_storage src_addr;
 	struct sockaddr_storage dst_addr;
 	/* configurable */
 	unsigned int dynamic;			/* see KNET_LINK_DYN_ define above */
 	uint8_t  priority;			/* higher priority == preferred for A/P */
 	unsigned long long ping_interval;	/* interval */
 	unsigned long long pong_timeout;	/* timeout */
 	unsigned long long pong_timeout_adj;	/* timeout adjusted for latency */
 	uint8_t pong_timeout_backoff;		/* see link.h for definition */
 	unsigned int latency_max_samples;	/* precision */
 	unsigned int latency_cur_samples;
 	uint8_t pong_count;			/* how many ping/pong to send/receive before link is up */
 	uint64_t flags;
+	void *access_list_match_entry_head;	/* pointer to access list match_entry list head */
 	/* status */
 	struct knet_link_status status;
 	/* internals */
 	pthread_mutex_t link_stats_mutex;	/* used to update link stats */
 	uint8_t link_id;
 	uint8_t transport;                      /* #defined constant from API */
 	knet_transport_link_t transport_link;   /* link_info_t from transport */
 	int outsock;
 	unsigned int configured:1;		/* set to 1 if src/dst have been configured transport initialized on this link*/
 	unsigned int transport_connected:1;	/* set to 1 if lower level transport is connected */
 	uint8_t received_pong;
 	struct timespec ping_last;
 	/* used by PMTUD thread as temp per-link variables and should always contain the onwire_len value! */
 	uint32_t proto_overhead;		/* IP + UDP/SCTP overhead. NOT to be confused
 						   with stats.proto_overhead that includes also knet headers
 						   and crypto headers */
 	struct timespec pmtud_last;
 	uint32_t last_ping_size;
 	uint32_t last_good_mtu;
 	uint32_t last_bad_mtu;
 	uint32_t last_sent_mtu;
 	uint32_t last_recv_mtu;
 	uint32_t pmtud_crypto_timeout_multiplier;/* used by PMTUd to adjust timeouts on high loads */
 	uint8_t has_valid_mtu;
 };
 
+#define KNET_DEFRAG_BUFFERS 32
 #define KNET_CBUFFER_SIZE 4096
 
 struct knet_host_defrag_buf {
 	char buf[KNET_DATABUFSIZE];
 	uint8_t in_use;			/* 0 buffer is free, 1 is in use */
 	seq_num_t pckt_seq;		/* identify the pckt we are receiving */
 	uint8_t frag_recv;		/* how many frags did we receive */
 	uint8_t frag_map[PCKT_FRAG_MAX];/* bitmap of what we received? */
 	uint8_t	last_first;		/* special case if we receive the last fragment first */
 	ssize_t frag_size;		/* normal frag size (not the last one) */
 	ssize_t last_frag_size;		/* the last fragment might not be aligned with MTU size */
 	struct timespec last_update;	/* keep time of the last pckt */
 };
 
 struct knet_host {
 	/* required */
 	knet_node_id_t host_id;
 	/* configurable */
 	uint8_t link_handler_policy;
 	char name[KNET_MAX_HOST_LEN];
 	/* status */
 	struct knet_host_status status;
 	/* internals */
 	char circular_buffer[KNET_CBUFFER_SIZE];
 	seq_num_t rx_seq_num;
 	seq_num_t untimed_rx_seq_num;
 	seq_num_t timed_rx_seq_num;
 	uint8_t got_data;
 	/* defrag/reassembly buffers */
-	struct knet_host_defrag_buf defrag_buf[KNET_MAX_LINK];
+	struct knet_host_defrag_buf defrag_buf[KNET_DEFRAG_BUFFERS];
 	char circular_buffer_defrag[KNET_CBUFFER_SIZE];
 	/* link stuff */
 	struct knet_link link[KNET_MAX_LINK];
 	uint8_t active_link_entries;
 	uint8_t active_links[KNET_MAX_LINK];
 	struct knet_host *next;
 };
 
 struct knet_sock {
 	int sockfd[2];   /* sockfd[0] will always be application facing
 			  * and sockfd[1] internal if sockpair has been created by knet */
 	int is_socket;   /* check if it's a socket for recvmmsg usage */
 	int is_created;  /* knet created this socket and has to clean up on exit/del */
 	int in_use;      /* set to 1 if it's use, 0 if free */
 	int has_error;   /* set to 1 if there were errors reading from the sock
 			  * and socket has been removed from epoll */
 };
 
 struct knet_fd_trackers {
 	uint8_t transport;		    /* transport type (UDP/SCTP...) */
 	uint8_t data_type;		    /* internal use for transport to define what data are associated
 					     * with this fd */
+	socklen_t sockaddr_len;             /* Size of sockaddr_in[6] structure for this socket */
 	void *data;			    /* pointer to the data */
-	void *access_list_match_entry_head; /* pointer to access list match_entry list head */
 };
 
 #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
 
 #define KNET_MAX_COMPRESS_METHODS UINT8_MAX
 
 #define KNET_MAX_CRYPTO_INSTANCES 2
 
 struct knet_handle_stats_extra {
 	uint64_t tx_crypt_pmtu_packets;
 	uint64_t tx_crypt_pmtu_reply_packets;
 	uint64_t tx_crypt_ping_packets;
 	uint64_t tx_crypt_pong_packets;
 };
 
 struct knet_handle {
 	knet_node_id_t host_id;
 	unsigned int enabled:1;
 	struct knet_sock sockfd[KNET_DATAFD_MAX + 1];
 	int logfd;
 	uint8_t log_levels[KNET_MAX_SUBSYSTEMS];
 	int dstsockfd[2];
 	int send_to_links_epollfd;
 	int recv_from_links_epollfd;
 	int dst_link_handler_epollfd;
 	uint8_t use_access_lists; /* set to 0 for disable, 1 for enable */
 	unsigned int pmtud_interval;
 	unsigned int manual_mtu;
 	unsigned int data_mtu;	/* contains the max data size that we can send onwire
 				 * without frags */
 	struct knet_host *host_head;
 	struct knet_host *host_index[KNET_MAX_HOST];
 	knet_transport_t transports[KNET_MAX_TRANSPORTS+1];
 	struct knet_fd_trackers knet_transport_fd_tracker[KNET_MAX_FDS]; /* track status for each fd handled by transports */
 	struct knet_handle_stats stats;
 	struct knet_handle_stats_extra stats_extra;
 	pthread_mutex_t handle_stats_mutex;	/* used to protect handle stats */
 	uint32_t reconnect_int;
 	knet_node_id_t host_ids[KNET_MAX_HOST];
 	size_t host_ids_entries;
 	struct knet_header *recv_from_sock_buf;
 	struct knet_header *send_to_links_buf[PCKT_FRAG_MAX];
 	struct knet_header *recv_from_links_buf[PCKT_RX_BUFS];
 	struct knet_header *pingbuf;
 	struct knet_header *pmtudbuf;
 	uint8_t threads_status[KNET_THREAD_MAX];
 	uint8_t threads_flush_queue[KNET_THREAD_MAX];
 	pthread_mutex_t threads_status_mutex;
 	pthread_t send_to_links_thread;
 	pthread_t recv_from_links_thread;
 	pthread_t heartbt_thread;
 	pthread_t dst_link_handler_thread;
 	pthread_t pmtud_link_handler_thread;
 	pthread_rwlock_t global_rwlock;		/* global config lock */
 	pthread_mutex_t pmtud_mutex;		/* pmtud mutex to handle conditional send/recv + timeout */
 	pthread_cond_t pmtud_cond;		/* conditional for above */
 	pthread_mutex_t tx_mutex;		/* used to protect knet_send_sync and TX thread */
 	pthread_mutex_t hb_mutex;		/* used to protect heartbeat thread and seq_num broadcasting */
 	pthread_mutex_t backoff_mutex;		/* used to protect dst_link->pong_timeout_adj */
 	pthread_mutex_t kmtu_mutex;		/* used to protect kernel_mtu */
 	uint32_t kernel_mtu;			/* contains the MTU detected by the kernel on a given link */
 	int pmtud_waiting;
 	int pmtud_running;
 	int pmtud_forcerun;
 	int pmtud_abort;
 	struct crypto_instance *crypto_instance[KNET_MAX_CRYPTO_INSTANCES + 1]; /* store an extra pointer to allow 0|1|2 values without too much magic in the code */
 	uint8_t crypto_in_use_config;		/* crypto config to use for TX */
 	uint8_t crypto_only;			/* allow only crypto (1) or also clear (0) traffic */
 	size_t sec_block_size;
 	size_t sec_hash_size;
 	size_t sec_salt_size;
 	unsigned char *send_to_links_buf_crypt[PCKT_FRAG_MAX];
 	unsigned char *recv_from_links_buf_crypt;
 	unsigned char *recv_from_links_buf_decrypt;
 	unsigned char *pingbuf_crypt;
 	unsigned char *pmtudbuf_crypt;
 	int compress_model;
 	int compress_level;
 	size_t compress_threshold;
 	void *compress_int_data[KNET_MAX_COMPRESS_METHODS]; /* for compress method private data */
 	unsigned char *recv_from_links_buf_decompress;
 	unsigned char *send_to_links_buf_compress;
 	seq_num_t tx_seq_num;
 	pthread_mutex_t tx_seq_num_mutex;
 	uint8_t has_loop_link;
 	uint8_t loop_link;
 	void *dst_host_filter_fn_private_data;
 	int (*dst_host_filter_fn) (
 		void *private_data,
 		const unsigned char *outdata,
 		ssize_t outdata_len,
 		uint8_t tx_rx,
 		knet_node_id_t this_host_id,
 		knet_node_id_t src_node_id,
 		int8_t *channel,
 		knet_node_id_t *dst_host_ids,
 		size_t *dst_host_ids_entries);
 	void *pmtud_notify_fn_private_data;
 	void (*pmtud_notify_fn) (
 		void *private_data,
 		unsigned int data_mtu);
 	void *host_status_change_notify_fn_private_data;
 	void (*host_status_change_notify_fn) (
 		void *private_data,
 		knet_node_id_t host_id,
 		uint8_t reachable,
 		uint8_t remote,
 		uint8_t external);
 	void *sock_notify_fn_private_data;
 	void (*sock_notify_fn) (
 		void *private_data,
 		int datafd,
 		int8_t channel,
 		uint8_t tx_rx,
 		int error,
 		int errorno);
 	int fini_in_progress;
 	uint64_t flags;
 	struct qb_list_head list;
 	const char *plugin_path;
 };
 
 struct handle_tracker {
 	struct qb_list_head head;
 };
 
 /*
  * lib_config stuff shared across everything
  */
 extern pthread_rwlock_t shlib_rwlock;       /* global shared lib load lock */
 extern pthread_mutex_t handle_config_mutex;
 
 extern struct handle_tracker handle_list;
 extern uint8_t handle_list_init;
 int _is_valid_handle(knet_handle_t knet_h);
 int _init_shlib_tracker(knet_handle_t knet_h);
 void _fini_shlib_tracker(void);
 
 /*
  * NOTE: every single operation must be implementend
  *       for every protocol.
  */
 
 /*
  * for now knet supports only IP protocols (udp/sctp)
  * in future there might be others like ARP
  * or TIPC.
  * keep this around as transport information
  * to use for access lists and other operations
  */
 
 #define TRANSPORT_PROTO_LOOPBACK 0
 #define TRANSPORT_PROTO_IP_PROTO 1
 
 /*
  * some transports like SCTP can filter incoming
  * connections before knet has to process
  * any packets.
  * GENERIC_ACL -> packet has to be read and filterted
  * PROTO_ACL -> transport provides filtering at lower levels
  *              and packet does not need to be processed
  */
 
 typedef enum {
 	USE_NO_ACL,
 	USE_GENERIC_ACL,
 	USE_PROTO_ACL
 } transport_acl;
 
 /*
  * make it easier to map values in transports.c
  */
 #define TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED 0
 #define TRANSPORT_PROTO_IS_CONNECTION_ORIENTED  1
 
 typedef struct knet_transport_ops {
 /*
  * transport generic information
  */
 	const char *transport_name;
 	const uint8_t transport_id;
 	const uint8_t built_in;
 
 	uint8_t transport_protocol;
 	transport_acl transport_acl_type;
 
 /*
  * connection oriented protocols like SCTP
  * don´t need dst_addr in sendto calls and
  * on some OSes are considered EINVAL.
  */
 	uint8_t transport_is_connection_oriented;
 
 	uint32_t transport_mtu_overhead;
 /*
  * transport init must allocate the new transport
  * and perform all internal initializations
  * (threads, lists, etc).
  */
 	int (*transport_init)(knet_handle_t knet_h);
 /*
  * transport free must releases _all_ resources
  * allocated by tranport_init
  */
 	int (*transport_free)(knet_handle_t knet_h);
 
 /*
  * link operations should take care of all the
  * sockets and epoll management for a given link/transport set
  * transport_link_disable should return err = -1 and errno = EBUSY
  * if listener is still in use, and any other errno in case
  * the link cannot be disabled.
  *
  * set_config/clear_config are invoked in global write lock context
  */
 	int (*transport_link_set_config)(knet_handle_t knet_h, struct knet_link *link);
 	int (*transport_link_clear_config)(knet_handle_t knet_h, struct knet_link *link);
 
 /*
  * transport callback for incoming dynamic connections
  * this is called in global read lock context
  */
 	int (*transport_link_dyn_connect)(knet_handle_t knet_h, int sockfd, struct knet_link *link);
 
 
-/*
- * return the fd to use for access lists
- */
-	int (*transport_link_get_acl_fd)(knet_handle_t knet_h, struct knet_link *link);
-
 /*
  * per transport error handling of recvmmsg
  * (see _handle_recv_from_links comments for details)
  */
 
 /*
  * transport_rx_sock_error is invoked when recvmmsg returns <= 0
  *
  * transport_rx_sock_error is invoked with both global_rdlock
  */
 
 	int (*transport_rx_sock_error)(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 
 /*
  * transport_tx_sock_error is invoked with global_rwlock and
  * it's invoked when sendto or sendmmsg returns =< 0
  *
  * it should return:
  * -1 on internal error
  *  0 ignore error and continue
  *  1 retry
  *    any sleep or wait action should happen inside the transport code
  */
 	int (*transport_tx_sock_error)(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 
 /*
  * this function is called on _every_ received packet
  * to verify if the packet is data or internal protocol error handling
  *
  * it should return:
  * -1 on error
  *  0 packet is not data and we should continue the packet process loop
  *  1 packet is not data and we should STOP the packet process loop
  *  2 packet is data and should be parsed as such
  *
  * transport_rx_is_data is invoked with both global_rwlock
  * and fd_tracker read lock (from RX thread)
  */
 	int (*transport_rx_is_data)(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
 
 /*
  * this function is called by links.c when a link down event is recorded
  * to notify the transport that packets are not going through, and give
  * transport the opportunity to take actions.
  */
 	int (*transport_link_is_down)(knet_handle_t knet_h, struct knet_link *link);
 } knet_transport_ops_t;
 
 struct pretty_names {
 	const char *name;
 	uint8_t val;
 };
 
 #endif
diff --git a/libknet/libknet.h b/libknet/libknet.h
index ab4dbf25..790bc227 100644
--- a/libknet/libknet.h
+++ b/libknet/libknet.h
@@ -1,2300 +1,2456 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __LIBKNET_H__
 #define __LIBKNET_H__
 
 #include <stdint.h>
 #include <time.h>
 #include <netinet/in.h>
 #include <unistd.h>
 #include <limits.h>
 
 /**
  * @file libknet.h
  * @brief kronosnet API include file
  * @copyright Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Kronosnet is an advanced VPN system for High Availability applications.
  */
 
 #define KNET_API_VER 1
 
 /*
  * libknet limits
  */
 
+
+/** typedef for a knet node */
+typedef uint16_t knet_node_id_t;
+
+
 /*
  * Maximum number of hosts
  */
 
-typedef uint16_t knet_node_id_t;
-
 #define KNET_MAX_HOST 65536
 
 /*
  * Maximum number of links between 2 hosts
  */
 
 #define KNET_MAX_LINK 8
 
 /*
  * Maximum packet size that should be written to datafd
  *  see knet_handle_new for details
  */
 
 #define KNET_MAX_PACKET_SIZE 65536
 
 /*
  * Buffers used for pretty logging
  *  host is used to store both ip addresses and hostnames
  */
 
 #define KNET_MAX_HOST_LEN 256
 #define KNET_MAX_PORT_LEN 6
 
 /*
  * Some notifications can be generated either on TX or RX
  */
 
 #define KNET_NOTIFY_TX 0
 #define KNET_NOTIFY_RX 1
 
 /*
  * Link flags
  */
 
 /*
  * Where possible, set traffic priority to high.
  * On Linux this sets the TOS to INTERACTIVE (6),
  * see tc-prio(8) for more infomation
  */
 
 #define KNET_LINK_FLAG_TRAFFICHIPRIO (1ULL << 0)
 
 /*
  * Handle flags
  */
 
 /*
  * Use privileged operations during socket setup.
  */
 
 #define KNET_HANDLE_FLAG_PRIVILEGED (1ULL << 0)
 
+/**
+ * Opaque handle for this knet connection, created with knet_handle_new() and
+ * freed with knet_handle_free()
+ */
+
 typedef struct knet_handle *knet_handle_t;
 
 /*
  * Handle structs/API calls
  */
 
 /**
  * knet_handle_new_ex
  *
  * @brief create a new instance of a knet handle
  *
  * host_id  - Each host in a knet is identified with a unique
  *            ID. when creating a new handle local host_id
  *            must be specified (0 to UINT16_MAX are all valid).
  *            It is the user's responsibility to check that the value
  *            is unique, or bad things might happen.
  *
  * log_fd   - Write file descriptor. If set to a value > 0, it will be used
  *            to write log packets from libknet to the application.
  *            Setting to 0 will disable logging from libknet.
  *            It is possible to enable logging at any given time (see logging API).
  *            Make sure to either read from this filedescriptor properly and/or
  *            mark it O_NONBLOCK, otherwise if the fd becomes full, libknet could
  *            block.
  *            It is strongly encouraged to use pipes (ex: pipe(2) or pipe2(2)) for
  *            logging fds due to the atomic nature of writes between fds.
  *            See also libknet test suite for reference and guidance.
+ *            The caller is responsible for management of the FD. eg. knet will not
+ *            close it when knet_handle_free(3) is called
  *
  * default_log_level -
  *            If logfd is specified, it will initialize all subsystems to log
  *            at default_log_level value. (see logging API)
  *
  * flags    - bitwise OR of some of the following flags:
  *   KNET_HANDLE_FLAG_PRIVILEGED: use privileged operations setting up the
  *            communication sockets.  If disabled, failure to acquire large
  *            enough socket buffers is ignored but logged.  Inadequate buffers
  *            lead to poor performance.
  *
  * @return
  * on success, a new knet_handle_t is returned.
  * on failure, NULL is returned and errno is set.
  * knet-specific errno values:
  *   ENAMETOOLONG - socket buffers couldn't be set big enough and KNET_HANDLE_FLAG_PRIVILEGED was specified
  *   ERANGE       - buffer size readback returned unexpected type
  */
 
 knet_handle_t knet_handle_new_ex(knet_node_id_t host_id,
 				 int            log_fd,
 				 uint8_t        default_log_level,
 				 uint64_t	flags);
 
 /**
  * knet_handle_new
  *
  * @brief knet_handle_new_ex with flags = KNET_HANDLE_FLAG_PRIVILEGED.
  */
 
 knet_handle_t knet_handle_new(knet_node_id_t host_id,
 			      int      log_fd,
 			      uint8_t  default_log_level);
 
 /**
  * knet_handle_free
  *
  * @brief Destroy a knet handle, free all resources
  *
  * knet_h   - pointer to knet_handle_t
  *
  * @return
  * knet_handle_free returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_free(knet_handle_t knet_h);
 
 /**
  * knet_handle_enable_sock_notify
  *
  * @brief Register a callback to receive socket events
  *
  * knet_h   - pointer to knet_handle_t
  *
  * sock_notify_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * sock_notify_fn
  *            A callback function that is invoked every time
  *            a socket in the datafd pool will report an error (-1)
  *            or an end of read (0) (see socket.7).
  *            This function MUST NEVER block or add substantial delays.
  *            The callback is invoked in an internal unlocked area
  *            to allow calls to knet_handle_add_datafd/knet_handle_remove_datafd
  *            to swap/replace the bad fd.
  *            if both err and errno are 0, it means that the socket
  *            has received a 0 byte packet (EOF?).
  *            The callback function must either remove the fd from knet
  *            (by calling knet_handle_remove_fd()) or dup a new fd in its place.
  *            Failure to do this can cause problems.
  *
  * @return
  * knet_handle_enable_sock_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_sock_notify(knet_handle_t knet_h,
 				   void *sock_notify_fn_private_data,
 				   void (*sock_notify_fn) (
 						void *private_data,
 						int datafd,
 						int8_t channel,
 						uint8_t tx_rx,
 						int error,
 						int errorno)); /* sorry! can't call it errno ;) */
 
 #define KNET_DATAFD_MAX 32
 
 /**
  * knet_handle_add_datafd
  *
  * @brief Install a file descriptor for communication
  *
  * IMPORTANT: In order to add datafd to knet, knet_handle_enable_sock_notify
  *            _MUST_ be set and be able to handle both errors (-1) and
  *            0 bytes read / write from the provided datafd.
  *            On read error (< 0) from datafd, the socket is automatically
  *            removed from polling to avoid spinning on dead sockets.
  *            It is safe to call knet_handle_remove_datafd even on sockets
  *            that have been removed.
  *
  * knet_h   - pointer to knet_handle_t
  *
  * *datafd  - read/write file descriptor.
  *            knet will read data here to send to the other hosts
  *            and will write data received from the network.
  *            Each data packet can be of max size KNET_MAX_PACKET_SIZE!
  *            Applications using knet_send/knet_recv will receive a
  *            proper error if the packet size is not within boundaries.
  *            Applications using their own functions to write to the
  *            datafd should NOT write more than KNET_MAX_PACKET_SIZE.
  *
  *            Please refer to handle.c on how to set up a socketpair.
  *
  *            datafd can be 0, and knet_handle_add_datafd will create a properly
  *            populated socket pair the same way as ping_test, or a value
  *            higher than 0. A negative number will return an error.
  *            On exit knet_handle_free will take care to cleanup the
  *            socketpair only if they have been created by knet_handle_add_datafd.
  *
  *            It is possible to pass either sockets or normal fds.
  *            User provided datafd will be marked as non-blocking and close-on-exec.
  *
  * *channel - This value is analogous to the tag in VLAN tagging.
  *            A negative value will auto-allocate a channel.
  *            Setting a value between 0 and 31 will try to allocate that
  *            specific channel (unless already in use).
  *
  *            It is possible to add up to 32 datafds but be aware that each
  *            one of them must have a receiving end on the other host.
  *
  *            Example:
  *            hostA channel 0 will be delivered to datafd on hostB channel 0
  *            hostA channel 1 to hostB channel 1.
  *
  *            Each channel must have a unique file descriptor.
  *
  *            If your application could have 2 channels on one host and one
  *            channel on another host, then you can use dst_host_filter
  *            to manipulate channel values on TX and RX.
  *
  * @return
  * knet_handle_add_datafd returns
  * @retval 0 on success,
  *         *datafd  will be populated with a socket if the original value was 0
  *            or if a specific fd was set, the value is untouched.
  *         *channel will be populated with a channel number if the original value
  *            was negative or the value is untouched if a specific channel
  *            was requested.
  *
  * @retval -1 on error and errno is set.
  *         *datafd and *channel are untouched or empty.
  */
 
 int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel);
 
 /**
  * knet_handle_remove_datafd
  *
  * @brief Remove a file descriptor from knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * datafd   - file descriptor to remove.
  *            NOTE that if the socket/fd was created by knet_handle_add_datafd,
  *                 the socket will be closed by libknet.
  *
  * @return
  * knet_handle_remove_datafd returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_remove_datafd(knet_handle_t knet_h, int datafd);
 
 /**
  * knet_handle_get_channel
  *
  * @brief Get the channel associated with a file descriptor
  *
  * knet_h  - pointer to knet_handle_t
  *
  * datafd  - get the channel associated to this datafd
  *
  * *channel - will contain the result
  *
  * @return
  * knet_handle_get_channel returns
  * @retval 0 on success
  *   and *channel will contain the result
  * @retval -1 on error and errno is set.
  *   and *channel content is meaningless
  */
 
 int knet_handle_get_channel(knet_handle_t knet_h, const int datafd, int8_t *channel);
 
 /**
  * knet_handle_get_datafd
  *
  * @brief Get the file descriptor associated with a channel
  *
  * knet_h   - pointer to knet_handle_t
  *
  * channel  - get the datafd associated to this channel
  *
  * *datafd  - will contain the result
  *
  * @return
  * knet_handle_get_datafd returns
  * @retval 0 on success
  *   and *datafd will contain the results
  * @retval -1 on error and errno is set.
  *   and *datafd content is meaningless
  */
 
 int knet_handle_get_datafd(knet_handle_t knet_h, const int8_t channel, int *datafd);
 
 /**
  * knet_recv
  *
  * @brief Receive data from knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to buffer to store the received data
  *
  * buff_len - buffer length
  *
  * channel  - channel number
  *
  * @return
  * knet_recv is a commodity function to wrap iovec operations
  * around a socket. It returns a call to readv(2).
  */
 
 ssize_t knet_recv(knet_handle_t knet_h,
 		  char *buff,
 		  const size_t buff_len,
 		  const int8_t channel);
 
 /**
  * knet_send
  *
  * @brief Send data to knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to the buffer of data to send
  *
  * buff_len - length of data to send
  *
  * channel  - channel number
  *
  * @return
  * knet_send is a commodity function to wrap iovec operations
  * around a socket. It returns a call to writev(2).
  */
 
 ssize_t knet_send(knet_handle_t knet_h,
 		  const char *buff,
 		  const size_t buff_len,
 		  const int8_t channel);
 
 /**
  * knet_send_sync
  *
  * @brief Synchronously send data to knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to the buffer of data to send
  *
  * buff_len - length of data to send
  *
  * channel  - data channel to use (see knet_handle_add_datafd(3))
  *
  * All knet RX/TX operations are async for performance reasons.
  * There are applications that might need a sync version of data
  * transmission and receive errors in case of failure to deliver
  * to another host.
  * knet_send_sync bypasses the whole TX async layer and delivers
  * data directly to the link layer, and returns errors accordingly.
  * knet_send_sync sends only one packet to one host at a time.
  * It does NOT support multiple destinations or multicast packets.
  * Decision is still based on dst_host_filter_fn.
  *
  * @return
  * knet_send_sync returns 0 on success and -1 on error.
  * In addition to normal sendmmsg errors, knet_send_sync can fail
  * due to:
  *
  * @retval ECANCELED - data forward is disabled
  * @retval EFAULT    - dst_host_filter fatal error
  * @retval EINVAL    - dst_host_filter did not provide dst_host_ids_entries on unicast pckts
  * @retval E2BIG     - dst_host_filter did return more than one dst_host_ids_entries on unicast pckts
  * @retval ENOMSG    - received unknown message type
  * @retval EHOSTDOWN - unicast pckt cannot be delivered because dest host is not connected yet
  * @retval ECHILD    - crypto failed
  * @retval EAGAIN    - sendmmsg was unable to send all messages and there was no progress during retry
+ * @retval ENETDOWN  - a packet filter was not installed (necessary for knet_send_sync, but not knet_send)
  */
 
 int knet_send_sync(knet_handle_t knet_h,
 		   const char *buff,
 		   const size_t buff_len,
 		   const int8_t channel);
 
 /**
  * knet_handle_enable_filter
  *
  * @brief install a filter to route packets
  *
  * knet_h   - pointer to knet_handle_t
  *
  * dst_host_filter_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * dst_host_filter_fn -
  *            is a callback function that is invoked every time
  *            a packet hits datafd (see knet_handle_new(3)).
  *            the function allows users to tell libknet where the
  *            packet has to be delivered.
  *
  *            const unsigned char *outdata - is a pointer to the
  *                                           current packet
  *            ssize_t outdata_len          - length of the above data
  *            uint8_t tx_rx                - filter is called on tx or rx
  *                                           (KNET_NOTIFY_TX, KNET_NOTIFY_RX)
  *            knet_node_id_t this_host_id  - host_id processing the packet
  *            knet_node_id_t src_host_id   - host_id that generated the
  *                                           packet
  *            knet_node_id_t *dst_host_ids - array of KNET_MAX_HOST knet_node_id_t
  *                                           where to store the destinations
  *            size_t *dst_host_ids_entries - number of hosts to send the message
  *
  * dst_host_filter_fn should return
  * -1 on error, packet is discarded.
  *  0 packet is unicast and should be sent to dst_host_ids and there are
  *    dst_host_ids_entries in the buffer.
  *  1 packet is broadcast/multicast and is sent all hosts.
  *    contents of dst_host_ids and dst_host_ids_entries are ignored.
  *
  * @return
  * knet_handle_enable_filter returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_filter(knet_handle_t knet_h,
 			      void *dst_host_filter_fn_private_data,
 			      int (*dst_host_filter_fn) (
 					void *private_data,
 					const unsigned char *outdata,
 					ssize_t outdata_len,
 					uint8_t tx_rx,
 					knet_node_id_t this_host_id,
 					knet_node_id_t src_host_id,
 					int8_t *channel,
 					knet_node_id_t *dst_host_ids,
 					size_t *dst_host_ids_entries));
 
 /**
  * knet_handle_setfwd
  *
  * @brief Start packet forwarding
  *
  * knet_h   - pointer to knet_handle_t
  *
  * enable   - set to 1 to allow data forwarding, 0 to disable data forwarding.
  *
  * @return
  * knet_handle_setfwd returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * By default data forwarding is off and no traffic will pass through knet until
  * it is set on.
  */
 
 int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
 
 /**
  * knet_handle_enable_access_lists
  *
  * @brief Enable or disable usage of access lists (default: off)
  *
  * knet_h   - pointer to knet_handle_t
  *
  * enable   - set to 1 to use access lists, 0 to disable access_lists.
  *
  * @return
  * knet_handle_enable_access_lists returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * access lists are bound to links. There are 2 types of links:
  * 1) point to point, where both source and destinations are well known
  *    at configuration time.
  * 2) open links, where only the source is known at configuration time.
  *
  * knet will automatically generate access lists for point to point links.
  *
  * For open links, knet provides 4 API calls to manipulate access lists:
  * knet_link_add_acl(3), knet_link_rm_acl(3), knet_link_insert_acl(3)
  * and knet_link_clear_acl(3).
  * Those API calls will work exclusively on open links as they
  * are of no use on point to point links.
  *
  * knet will not enforce any access list unless specifically enabled by
  * knet_handle_enable_access_lists(3).
  *
  * From a security / programming perspective we recommend:
  * - create the knet handle
  * - enable access lists
  * - configure hosts and links
  * - configure access lists for open links
  */
 
 int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
 
 #define KNET_PMTUD_DEFAULT_INTERVAL 60
 
 /**
  * knet_handle_pmtud_setfreq
  *
  * @brief Set the interval between PMTUd scans
  *
  * knet_h   - pointer to knet_handle_t
  *
  * interval - define the interval in seconds between PMTUd scans
  *            range from 1 to 86400 (24h)
  *
  * @return
  * knet_handle_pmtud_setfreq returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * default interval is 60.
  */
 
 int knet_handle_pmtud_setfreq(knet_handle_t knet_h, unsigned int interval);
 
 /**
  * knet_handle_pmtud_getfreq
  *
  * @brief Get the interval between PMTUd scans
  *
  * knet_h   - pointer to knet_handle_t
  *
  * interval - pointer where to store the current interval value
  *
  * @return
  * knet_handle_pmtud_setfreq returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval);
 
 /**
  * knet_handle_enable_pmtud_notify
  *
  * @brief install a callback to receive PMTUd changes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * pmtud_notify_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * pmtud_notify_fn
  *            is a callback function that is invoked every time
  *            a path MTU size change is detected.
  *            The function allows libknet to notify the user
  *            of data MTU, that's the max value that can be send
  *            onwire without fragmentation. The data MTU will always
  *            be lower than real link MTU because it accounts for
  *            protocol overhead, knet packet header and (if configured)
  *            crypto overhead,
  *            This function MUST NEVER block or add substantial delays.
  *
  * @return
  * knet_handle_enable_pmtud_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 				    void *pmtud_notify_fn_private_data,
 				    void (*pmtud_notify_fn) (
 						void *private_data,
 						unsigned int data_mtu));
 
 /**
  * knet_handle_pmtud_set
  *
  * @brief Set the current interface MTU
  *
  * knet_h    - pointer to knet_handle_t
  *
  * iface_mtu - current interface MTU, value 0 to 65535. 0 will
  *             re-enable automatic MTU discovery.
  *             In a setup with multiple interfaces, please specify
  *             the lowest MTU between the selected intefaces.
  *             knet will automatically adjust this value for
  *             all headers overhead and set the correct data_mtu.
  *             data_mtu can be retrivied with knet_handle_pmtud_get(3)
  *             or applications will receive a pmtud_nofity event
  *             if enabled via knet_handle_enable_pmtud_notify(3).
  *
  * @return
  * knet_handle_pmtud_set returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_set(knet_handle_t knet_h,
 			  unsigned int iface_mtu);
 
 /**
  * knet_handle_pmtud_get
  *
  * @brief Get the current data MTU
  *
  * knet_h   - pointer to knet_handle_t
  *
  * data_mtu - pointer where to store data_mtu
  *
  * @return
  * knet_handle_pmtud_get returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_get(knet_handle_t knet_h,
 				unsigned int *data_mtu);
 
 
 #define KNET_MIN_KEY_LEN  128
 #define KNET_MAX_KEY_LEN 4096
 
+
+/**
+ * Structure passed into knet_handle_set_crypto_config() to determine
+ * the crypto options to use for the current communications handle
+ */
 struct knet_handle_crypto_cfg {
+	/** Model to use. nss, openssl, etc */
 	char		crypto_model[16];
+	/** Cipher type name for encryption. aes 256 etc */
 	char		crypto_cipher_type[16];
+	/** Hash type for digest. sha512 etc */
 	char		crypto_hash_type[16];
+	/** Private key */
 	unsigned char	private_key[KNET_MAX_KEY_LEN];
+	/** Length of private key */
 	unsigned int	private_key_len;
 };
 
 /**
  * knet_handle_crypto_set_config
  *
  * @brief set up packet cryptographic signing & encryption
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_crypto_cfg -
  *            pointer to a knet_handle_crypto_cfg structure
  *
  *            crypto_model should contain the model name.
  *                         Currently only "openssl" and "nss" are supported.
  *                         Setting to "none" will disable crypto.
  *
  *            crypto_cipher_type
  *                         should contain the cipher algo name.
  *                         It can be set to "none" to disable
  *                         encryption.
  *                         Currently supported by "nss" model:
  *                         "aes128", "aes192" and "aes256".
  *                         "openssl" model supports more modes and it strictly
  *                         depends on the openssl build. See: EVP_get_cipherbyname
  *                         openssl API call for details.
  *
  *            crypto_hash_type
  *                         should contain the hashing algo name.
  *                         It can be set to "none" to disable
  *                         hashing.
  *                         Currently supported by "nss" model:
  *                         "md5", "sha1", "sha256", "sha384" and "sha512".
  *                         "openssl" model supports more modes and it strictly
  *                         depends on the openssl build. See: EVP_get_digestbyname
  *                         openssl API call for details.
  *
  *            private_key  will contain the private shared key.
  *                         It has to be at least KNET_MIN_KEY_LEN long.
  *
  *            private_key_len
  *                         length of the provided private_key.
  *
  * config_num - knet supports 2 concurrent sets of crypto configurations,
  *              to allow runtime change of crypto config and keys.
  *              On RX both configurations will be used sequentially
  *              in an attempt to decrypt/validate a packet (when 2 are available).
  *              Note that this might slow down performance during a reconfiguration.
  *              See also knet_handle_crypto_rx_clear_traffic(3) to enable / disable
  *              processing of clear (unencrypted) traffic.
  *              For TX, the user needs to specify which configuration to use via
  *              knet_handle_crypto_use_config(3).
  *              config_num accepts 0, 1 or 2 as the value. 0 should be used when
  *              all crypto is being disabled.
  *              Calling knet_handle_crypto_set_config(3) twice with
  *              the same config_num will REPLACE the configuration and
  *              NOT activate the second key. If the configuration is currently in use
  *              EBUSY will be returned. See also knet_handle_crypto_use_config(3).
  *              The correct sequence to perform a runtime rekey / reconfiguration
  *              is:
  *              - knet_handle_crypto_set_config(..., 1). -> first time config, will use config1
  *              - knet_handle_crypto_use_config(..., 1). -> switch TX to config 1
  *              - knet_handle_crypto_set_config(..., 2). -> install config2 and use it only for RX
  *              - knet_handle_crypto_use_config(..., 2). -> switch TX to config 2
  *              - knet_handle_crypto_set_config(..., 1). -> with a "none"/"none"/"none" configuration to
  *                                                          release the resources previously allocated
  *              The application is responsible for synchronizing calls on the nodes
  *              to make sure the new config is in place before switching the TX configuration.
  *              Failure to do so will result in knet being unable to talk to some of the nodes.
  *
  * Implementation notes/current limitations:
  * - enabling crypto, will increase latency as packets have
  *   to processed.
  * - enabling crypto might reduce the overall throughtput
  *   due to crypto data overhead.
  * - private/public key encryption/hashing is not currently
  *   planned.
  * - crypto key must be the same for all hosts in the same
  *   knet instance / configX.
  * - it is safe to call knet_handle_crypto_set_config multiple times at runtime.
  *   The last config will be used.
  *   IMPORTANT: a call to knet_handle_crypto_set_config can fail due to:
  *              1) failure to obtain locking
  *              2) errors to initializing the crypto level.
  *   This can happen even in subsequent calls to knet_handle_crypto_set_config(3).
  *   A failure in crypto init will restore the previous crypto configuration if any.
  *
  * @return
  * knet_handle_crypto_set_config returns:
  * @retval 0 on success
  * @retval -1 on error and errno is set.
  * @retval -2 on crypto subsystem initialization error. No errno is provided at the moment (yet).
  */
 
 int knet_handle_crypto_set_config(knet_handle_t knet_h,
 				  struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
 				  uint8_t config_num);
 
 
 
 #define KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC 0
 #define KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC 1
 
 /**
  * knet_handle_crypto_rx_clear_traffic
  *
  * @brief enable or disable RX processing of clear (unencrypted) traffic
  *
  * knet_h   - pointer to knet_handle_t
  *
  * value    - KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC or KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC
  *
  * @return
  * knet_handle_crypto_use_config returns:
  * @retval 0 on success
  * @retval -1 on error and errno is set.
  */
 
 int knet_handle_crypto_rx_clear_traffic(knet_handle_t knet_h, uint8_t value);
 
 /**
  * knet_handle_crypto_use_config
  *
  * @brief specify crypto configuration to use for TX
  *
  * knet_h   - pointer to knet_handle_t
  *
  * config_num - 1|2 use configuration 1 or 2, 0 for clear (unencrypted) traffic.
  *
  * @return
  * knet_handle_crypto_use_config returns:
  * @retval 0 on success
  * @retval -1 on error and errno is set.
  */
 
 int knet_handle_crypto_use_config(knet_handle_t knet_h,
 				  uint8_t config_num);
 
 /**
  * knet_handle_crypto
  *
  * @brief set up packet cryptographic signing & encryption
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_crypto_cfg -
  *            pointer to a knet_handle_crypto_cfg structure
  *            see knet_handle_crypto_set_config(3) for details.
  *
  *
  * Implementation notes:
  *
  * knet_handle_crypto(3) is now a wrapper for knet_handle_crypto_set_config(3)
  * and knet_handle_crypto_use_config(3) with config_num set to 1.
  *
  * @return
  * knet_handle_crypto returns:
  * @retval 0 on success
  * @retval -1 on error and errno is set.
  * @retval -2 on crypto subsystem initialization error. No errno is provided at the moment (yet).
  */
 
 int knet_handle_crypto(knet_handle_t knet_h,
 		       struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
 
 
 
 #define KNET_COMPRESS_THRESHOLD 100
 
+
+/**
+ * Structure passed into knet_handle_compress()
+ * to tell knet what type of compression to use
+ * for this communiction
+ */
+
 struct knet_handle_compress_cfg {
+	/** Compression library to use, bzip2 etc... */
 	char	 compress_model[16];
+	/** Threshold. Packets smaller than this will not be compressed */
 	uint32_t compress_threshold;
+	/** Passed into the compression library as an indication of the level of compression to apply */
 	int	 compress_level;
 };
 
 /**
  * knet_handle_compress
  *
  * @brief Set up packet compression
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_compress_cfg -
  *            pointer to a knet_handle_compress_cfg structure
  *
  *            compress_model contains the model name.
  *                           See "compress_level" for the list of accepted values.
  *                           Setting the value to "none" disables compression.
  *
  *            compress_threshold
  *                           tells the transmission thread to NOT compress
  *                           any packets that are smaller than the value
  *                           indicated. Default 100 bytes.
  *                           Set to 0 to reset to the default.
  *                           Set to 1 to compress everything.
  *                           Max accepted value is KNET_MAX_PACKET_SIZE.
  *
  *            compress_level is the "level" parameter for most models:
  *                           zlib: 0 (no compression), 1 (minimal) .. 9 (max compression).
  *                           lz4: 1 (max compression)... 9 (fastest compression).
  *                           lz4hc: 1 (min compression) ... LZ4HC_MAX_CLEVEL (16) or LZ4HC_CLEVEL_MAX (12)
  *                                  depending on the version of lz4hc libknet was built with.
  *                           lzma: 0 (minimal) .. 9 (max compression)
  *                           bzip2: 1 (minimal) .. 9 (max compression)
  *                           For lzo2 it selects the algorithm to use:
  *                                 1  : lzo1x_1_compress (default)
  *                                 11 : lzo1x_1_11_compress
  *                                 12 : lzo1x_1_12_compress
  *                                 15 : lzo1x_1_15_compress
  *                                 999: lzo1x_999_compress
  *                                 Other values select the default algorithm.
  *                           Please refer to the documentation of the respective
  *                           compression library for guidance about setting this
  *                           value.
  *
  * Implementation notes:
  * - it is possible to enable/disable compression at any time.
  * - nodes can be using a different compression algorithm at any time.
  * - knet does NOT implement the compression algorithm directly. it relies
  *   on external libraries for this functionality. Please read
  *   the libraries man pages to figure out which algorithm/compression
  *   level is best for the data you are planning to transmit.
  *
  * @return
  * knet_handle_compress returns
  * 0 on success
  * -1 on error and errno is set. EINVAL means that either the model or the
  *    level are not supported.
  */
 
 int knet_handle_compress(knet_handle_t knet_h,
 			 struct knet_handle_compress_cfg *knet_handle_compress_cfg);
 
 
+/**
+ * Detailed stats for this knet handle as returned by knet_handle_get_stats()
+ */
 
 struct knet_handle_stats {
+	/** Size of the structure. set this to sizeof(struct knet_handle_stats) before calling */
 	size_t   size;
-
+	/** Number of uncompressed packets sent */
 	uint64_t tx_uncompressed_packets;
+	/** Number of compressed packets sent */
 	uint64_t tx_compressed_packets;
+	/** Number of bytes sent (as if uncompressed, ie actual data bytes) */
 	uint64_t tx_compressed_original_bytes;
+	/** Number of bytes sent on the wire after compresion */
 	uint64_t tx_compressed_size_bytes;
+	/** Average(mean) time take to compress transmitted packets */
 	uint64_t tx_compress_time_ave;
+	/** Minumum time taken to compress transmitted packets */
 	uint64_t tx_compress_time_min;
+	/** Maximum time taken to compress transmitted packets */
 	uint64_t tx_compress_time_max;
 
+	/** Number of compressed packets received */
 	uint64_t rx_compressed_packets;
+	/** Number of bytes received - after decompression */
 	uint64_t rx_compressed_original_bytes;
+	/** Number of compressed bytes received before decompression */
 	uint64_t rx_compressed_size_bytes;
+	/** Average(mean) time take to decompress received packets */
 	uint64_t rx_compress_time_ave;
+	/** Minimum time take to decompress received packets */
 	uint64_t rx_compress_time_min;
+	/** Maximum time take to decompress received packets */
 	uint64_t rx_compress_time_max;
 
-	/* Overhead times, measured in usecs */
+	/** Number of encrypted packets sent */
 	uint64_t tx_crypt_packets;
+	/** Cumulative byte overhead of encrypted traffic */
 	uint64_t tx_crypt_byte_overhead;
+	/** Average(mean) time take to encrypt packets in usecs */
 	uint64_t tx_crypt_time_ave;
+	/** Minimum time take to encrypto packets in usecs */
 	uint64_t tx_crypt_time_min;
+	/** Maximum time take to encrypto packets in usecs */
 	uint64_t tx_crypt_time_max;
 
+	/** Number of encrypted packets received */
 	uint64_t rx_crypt_packets;
+	/** Average(mean) time take to decrypt received packets */
 	uint64_t rx_crypt_time_ave;
+	/** Minimum time take to decrypt received packets in usecs */
 	uint64_t rx_crypt_time_min;
+	/** Maximum time take to decrypt received packets in usecs */
 	uint64_t rx_crypt_time_max;
 };
 
 /**
  * knet_handle_get_stats
  *
  * @brief Get statistics for compression & crypto
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_stats
  *            pointer to a knet_handle_stats structure
  *
  * struct_size
  *            size of knet_handle_stats structure to allow
  *            for backwards compatibility. libknet will only
  *            copy this much data into the stats structure
  *            so that older callers will not get overflowed if
  *            new fields are added.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  *
  */
 
 int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats, size_t struct_size);
 
 /*
  * Tell knet_handle_clear_stats whether to clear just the handle stats
  * or all of them.
  */
 #define KNET_CLEARSTATS_HANDLE_ONLY     1
 #define KNET_CLEARSTATS_HANDLE_AND_LINK 2
 
 /**
  * knet_handle_clear_stats
  *
  * @brief Clear knet stats, link and/or handle
  *
  * knet_h   - pointer to knet_handle_t
  *
  * clear_option -  Which stats to clear, must be one of
  *
  * KNET_CLEARSTATS_HANDLE_ONLY or
  * KNET_CLEARSTATS_HANDLE_AND_LINK
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  *
  */
 
 int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option);
 
 
+/**
+ * Structure returned from get_crypto_list() containing
+ * information about the installed cryptographic systems
+ */
 
 struct knet_crypto_info {
-	const char *name; /* openssl,nss,etc.. */
-	uint8_t properties; /* currently unused */
-	char pad[256];      /* currently unused */
+	/** Name of the crypto library/ openssl, nss,etc .. */
+	const char *name;
+	/** Properties - currently unused */
+	uint8_t properties;
+	/** Currently unused padding */
+	char pad[256];
 };
 
 /**
  * knet_get_crypto_list
  *
  * @brief Get a list of supported crypto libraries
  *
  * crypto_list  - array of struct knet_crypto_info *
  *                If NULL then only the number of structs is returned in crypto_list_entries
  *                to allow the caller to allocate sufficient space.
  *		  libknet does not allow more than 256 crypto methods at the moment.
  *		  it is safe to allocate 256 structs to avoid calling
  *		  knet_get_crypto_list twice.
  *
  * crypto_list_entries - returns the number of structs in crypto_list
  *
  * @return
  * knet_get_crypto_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_crypto_list(struct knet_crypto_info *crypto_list,
 			 size_t *crypto_list_entries);
 
 
 
+/**
+ * Structure returned from get_compress_list() containing
+ * information about the installed compression systems
+ */
 struct knet_compress_info {
-	const char *name; /* bzip2, lz4, etc.. */
-	uint8_t properties; /* currently unused */
-	char pad[256];      /* currently unused */
+	/** Name of the compression type  bzip2, lz4, etc.. */
+	const char *name;
+	/** Properties - currently unused */
+	uint8_t properties;
+	/** Currently unused padding */
+	char pad[256];
 };
 
 /**
  * knet_get_compress_list
  *
  * @brief Get a list of support compression types
  *
  * compress_list - array of struct knet_compress_info *
  *		   If NULL then only the number of structs is returned in compress_list_entries
  *		   to allow the caller to allocate sufficient space.
  *		   libknet does not allow more than 256 compress methods at the moment.
  *		   it is safe to allocate 256 structs to avoid calling
  *		   knet_get_compress_list twice.
  *
  * compress_list_entries - returns the number of structs in compress_list
  *
  * @return
  * knet_get_compress_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_compress_list(struct knet_compress_info *compress_list,
 			   size_t *compress_list_entries);
 
 /*
  * host structs/API calls
  */
 
 /**
  * knet_host_add
  *
  * @brief Add a new host ID to knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - each host in a knet is identified with a unique ID
  *            (see also knet_handle_new(3))
  *
  * @return
  * knet_host_add returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_add(knet_handle_t knet_h, knet_node_id_t host_id);
 
 /**
  * knet_host_remove
  *
  * @brief Remove a host ID from knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - each host in a knet is identified with a unique ID
  *            (see also knet_handle_new(3))
  *
  * @return
  * knet_host_remove returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_remove(knet_handle_t knet_h, knet_node_id_t host_id);
 
 /**
  * knet_host_set_name
  *
  * @brief Set the name of a knet host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * name     - this name will be used for pretty logging and eventually
  *            search for hosts (see also knet_handle_host_get_name(2) and knet_handle_host_get_id(3)).
  *            Only up to KNET_MAX_HOST_LEN - 1 bytes will be accepted and
  *            name has to be unique for each host.
  *
  * @return
  * knet_host_set_name returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_set_name(knet_handle_t knet_h, knet_node_id_t host_id,
 		       const char *name);
 
 /**
  * knet_host_get_name_by_host_id
  *
  * @brief Get the name of a host given its ID
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * name     - pointer to a preallocated buffer of at least size KNET_MAX_HOST_LEN
  *            where the current host name will be stored
  *            (as set by knet_host_set_name or default by knet_host_add)
  *
  * @return
  * knet_host_get_name_by_host_id returns:
  * 0 on success
  * -1 on error and errno is set (name is left untouched)
  */
 
 int knet_host_get_name_by_host_id(knet_handle_t knet_h, knet_node_id_t host_id,
 				  char *name);
 
 /**
  * knet_host_get_id_by_host_name
  *
  * @brief Get the ID of a host given its name
  *
  * knet_h   - pointer to knet_handle_t
  *
  * name     - name to lookup, max len KNET_MAX_HOST_LEN
  *
  * host_id  - where to store the result
  *
  * @return
  * knet_host_get_id_by_host_name returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_id_by_host_name(knet_handle_t knet_h, const char *name,
 				  knet_node_id_t *host_id);
 
 /**
  * knet_host_get_host_list
  *
  * @brief Get a list of hosts known to knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_ids - array of at lest KNET_MAX_HOST size
  *
  * host_ids_entries -
  *            number of entries writted in host_ids
  *
  * @return
  * knet_host_get_host_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_host_list(knet_handle_t knet_h,
 			    knet_node_id_t *host_ids, size_t *host_ids_entries);
 
 /*
  * define switching policies
  */
 
 #define KNET_LINK_POLICY_PASSIVE 0
 #define KNET_LINK_POLICY_ACTIVE  1
 #define KNET_LINK_POLICY_RR      2
 
 /**
  * knet_host_set_policy
  *
  * @brief Set the switching policy for a host's links
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * policy   - there are currently 3 kind of simple switching policies
  *            based on link configuration.
  *            KNET_LINK_POLICY_PASSIVE - the active link with the highest
  *                                       priority (highest number) will be used.
  *                                       if one or more active links share
  *                                       the same priority, the one with
  *                                       lowest link_id will be used.
  *
  *            KNET_LINK_POLICY_ACTIVE  - all active links will be used
  *                                       simultaneously to send traffic.
  *                                       link priority is ignored.
  *
  *            KNET_LINK_POLICY_RR      - round-robin policy, every packet
  *                                       will be send on a different active
  *                                       link.
  *
  * @return
  * knet_host_set_policy returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_set_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t policy);
 
 /**
  * knet_host_get_policy
  *
  * @brief Get the switching policy for a host's links
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * policy   - will contain the current configured switching policy.
  *            Default is passive when creating a new host.
  *
  * @return
  * knet_host_get_policy returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t *policy);
 
 /**
  * knet_host_enable_status_change_notify
  *
  * @brief Install a callback to get host status change events
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_status_change_notify_fn_private_data -
  *            void pointer to data that can be used to identify
  *            the callback
  *
  * host_status_change_notify_fn -
  *            is a callback function that is invoked every time
  *            there is a change in the host status.
  *            host status is identified by:
  *            - reachable, this host can send/receive data to/from host_id
  *            - remote, 0 if the host_id is connected locally or 1 if
  *                      the there is one or more knet host(s) in between.
  *                      NOTE: re-switching is NOT currently implemented,
  *                            but this is ready for future and can avoid
  *                            an API/ABI breakage later on.
  *            - external, 0 if the host_id is configured locally or 1 if
  *                        it has been added from remote nodes config.
  *                        NOTE: dynamic topology is NOT currently implemented,
  *                        but this is ready for future and can avoid
  *                        an API/ABI breakage later on.
  *            This function MUST NEVER block or add substantial delays.
  *
  * @return
  * knet_host_status_change_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_enable_status_change_notify(knet_handle_t knet_h,
 					  void *host_status_change_notify_fn_private_data,
 					  void (*host_status_change_notify_fn) (
 						void *private_data,
 						knet_node_id_t host_id,
 						uint8_t reachable,
 						uint8_t remote,
 						uint8_t external));
 
 /*
  * define host status structure for quick lookup
  * struct is in flux as more stats will be added soon
  *
  * reachable             host_id can be seen either directly connected
  *                       or via another host_id
  *
  * remote                0 = node is connected locally, 1 is visible via
  *                       via another host_id
  *
  * external              0 = node is configured/known locally,
  *                       1 host_id has been received via another host_id
  */
 
+/**
+ * status of a knet host, returned from knet_host_get_status()
+ */
 struct knet_host_status {
+	/** Whether the host is currently reachable */
 	uint8_t reachable;
+	/** Whether the host is a remote node (not currently implemented) */
 	uint8_t remote;
+	/** Whether the host is external (not currently implemented) */
 	uint8_t external;
 	/* add host statistics */
 };
 
 /**
  * knet_host_get_status
  *
  * @brief Get the status of a host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * status   - pointer to knet_host_status struct
  *
  * @return
  * knet_handle_pmtud_get returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_status(knet_handle_t knet_h, knet_node_id_t host_id,
 			 struct knet_host_status *status);
 
 /*
  * link structs/API calls
  *
  * every host allocated/managed by knet_host_* has
  * KNET_MAX_LINK structures to define the network
  * paths that connect 2 hosts.
  *
  * Each link is identified by a link_id that has a
  * values between 0 and KNET_MAX_LINK - 1.
  *
  * KNOWN LIMITATIONS:
  *
  * - let's assume the scenario where two hosts are connected
  *   with any number of links. link_id must match on both sides.
  *   If host_id 0 link_id 0 is configured to connect IP1 to IP2 and
  *   host_id 0 link_id 1 is configured to connect IP3 to IP4,
  *   host_id 1 link_id 0 _must_ connect IP2 to IP1 and likewise
  *   host_id 1 link_id 1 _must_ connect IP4 to IP3.
  *   We might be able to lift this restriction in future, by using
  *   other data to determine src/dst link_id, but for now, deal with it.
  */
 
 /*
  * commodity functions to convert strings to sockaddr and viceversa
  */
 
 /**
  * knet_strtoaddr
  *
  * @brief Convert a hostname string to an address
  *
  * host      - IPaddr/hostname to convert
  *             be aware only the first IP address will be returned
  *             in case a hostname resolves to multiple IP
  *
  * port      - port to connect to
  *
  * ss        - sockaddr_storage where to store the converted data
  *
  * sslen     - len of the sockaddr_storage
  *
  * @return
  * knet_strtoaddr returns same error codes as getaddrinfo
  *
  */
 
 int knet_strtoaddr(const char *host, const char *port,
 		   struct sockaddr_storage *ss, socklen_t sslen);
 
 /**
  * knet_addrtostr
  *
  * @brief Convert an address to a host name
  *
  * ss        - sockaddr_storage to convert
  *
  * sslen     - len of the sockaddr_storage
  *
  * host      - IPaddr/hostname where to store data
  *             (recommended size: KNET_MAX_HOST_LEN)
  *
  * port      - port buffer where to store data
  *             (recommended size: KNET_MAX_PORT_LEN)
  *
  * @return
  * knet_strtoaddr returns same error codes as getnameinfo
  */
 
 int knet_addrtostr(const struct sockaddr_storage *ss, socklen_t sslen,
 		   char *addr_buf, size_t addr_buf_size,
 		   char *port_buf, size_t port_buf_size);
 
 
 
 #define KNET_TRANSPORT_LOOPBACK 0
 #define KNET_TRANSPORT_UDP      1
 #define KNET_TRANSPORT_SCTP     2
 #define KNET_MAX_TRANSPORTS     UINT8_MAX
 
 /*
  * The Loopback transport is only valid for connections to localhost, the host
  * with the same node_id specified in knet_handle_new(). Only one link of this
  * type is allowed. Data sent down a LOOPBACK link will be copied directly from
  * the knet send datafd to the knet receive datafd so the application must be set
  * up to take data from that socket at least as often as it is sent or deadlocks
  * could occur. If used, a LOOPBACK link must be the only link configured to the
  * local host.
  */
 
+
+/**
+ * Transport information returned from knet_get_transport_list()
+ */
 struct knet_transport_info {
-	const char *name;   /* UDP/SCTP/etc... */
-	uint8_t id;         /* value that can be used for link_set_config */
-	uint8_t properties; /* currently unused */
-	char pad[256];      /* currently unused */
+	/** Transport name. UDP, SCTP, etc... */
+	const char *name;
+	/** value that can be used for knet_link_set_config() */
+	uint8_t id;
+	/** currently unused */
+	uint8_t properties;
+	/** currently unused */
+	char pad[256];
 };
 
 /**
  * knet_get_transport_list
  *
  * @brief Get a list of the transports support by this build of knet
  *
  * transport_list         - an array of struct transport_info that must be
  *                          at least of size struct transport_info * KNET_MAX_TRANSPORTS
  *
  * transport_list_entries - pointer to a size_t where to store how many transports
  *                          are available in this build of libknet.
  *
  * @return
  * knet_get_transport_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_transport_list(struct knet_transport_info *transport_list,
 			    size_t *transport_list_entries);
 
 /**
  * knet_get_transport_name_by_id
  *
  * @brief Get a transport name from its ID number
  *
  * transport - one of the KNET_TRANSPORT_xxx constants
  *
  * @return
  * knet_get_transport_name_by_id returns:
  *
  * @retval pointer to the name on success or
  * @retval NULL on error and errno is set.
  */
 
 const char *knet_get_transport_name_by_id(uint8_t transport);
 
 /**
  * knet_get_transport_id_by_name
  *
  * @brief Get a transport ID from its name
  *
  * name      - transport name (UDP/SCTP/etc)
  *
  * @return
  * knet_get_transport_name_by_id returns:
  *
  * @retval KNET_MAX_TRANSPORTS on error and errno is set accordingly
  * @retval KNET_TRANSPORT_xxx on success.
  */
 
 uint8_t knet_get_transport_id_by_name(const char *name);
 
 
 
 #define KNET_TRANSPORT_DEFAULT_RECONNECT_INTERVAL 1000
 
 /**
  * knet_handle_set_transport_reconnect_interval
  *
  * @brief Set the interval between transport attempts to reconnect a failed link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * msecs     - milliseconds
  *
  * @return
  * knet_handle_set_transport_reconnect_interval returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_set_transport_reconnect_interval(knet_handle_t knet_h, uint32_t msecs);
 
 /**
  * knet_handle_get_transport_reconnect_interval
  *
  * @brief Get the interval between transport attempts to reconnect a failed link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * msecs     - milliseconds
  *
  * @return
  * knet_handle_get_transport_reconnect_interval returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_get_transport_reconnect_interval(knet_handle_t knet_h, uint32_t *msecs);
 
 /**
  * knet_link_set_config
  *
  * @brief Configure the link to a host
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * transport - one of the KNET_TRANSPORT_xxx constants
  *
  * src_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dst_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *             this can be null if we don't know the incoming
  *             IP address/port and the link will remain quiet
  *             till the node on the other end will initiate a
  *             connection
  *
  * flags     - KNET_LINK_FLAG_*
  *
  * @return
  * knet_link_set_config returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint64_t flags);
 
 /**
  * knet_link_get_config
  *
  * @brief Get the link configutation information
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * transport - see knet_link_set_config(3)
  *
  * src_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dst_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dynamic   - 0 if dst_addr is static or 1 if dst_addr is dynamic.
  *             In case of 1, dst_addr can be NULL and it will be left
  *             untouched.
  *
  * flags     - KNET_LINK_FLAG_*
  *
  * @return
  * knet_link_get_config returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t *transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint8_t *dynamic,
 			 uint64_t *flags);
 
 /**
  * knet_link_clear_config
  *
  * @brief Clear link information and disconnect the link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * @return
  * knet_link_clear_config returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
 
 /*
  * Access lists management for open links
  * see also knet_handle_enable_access_lists(3)
  */
 
 /**
  * check_type_t
  * @brief address type enum for knet access lists
  *
  * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
  *                    for example: 10.1.9.3
  *                    and the entry is stored in ss1. ss2 can be NULL.
  *
  * CHECK_TYPE_MASK    is used to configure network/netmask.
  *                    for example: 192.168.0.0/24
  *                    the network is stored in ss1 and the netmask in ss2.
  *
  * CHECK_TYPE_RANGE   defines a value / range of ip addresses.
  *                    for example: 172.16.0.1-172.16.0.10
  *                    the start is stored in ss1 and the end in ss2.
  *
  * Please be aware that the above examples refer only to IP based protocols.
  * Other protocols might use ss1 and ss2 in slightly different ways.
  * At the moment knet only supports IP based protocol, though that might change
  * in the future.
  */
 
 typedef enum {
 	CHECK_TYPE_ADDRESS,
 	CHECK_TYPE_MASK,
 	CHECK_TYPE_RANGE
 } check_type_t;
 
 /**
  * check_acceptreject_t
  *
  * @brief enum for accept/reject in knet access lists
  *
  * accept or reject incoming packets defined in the access list entry
  */
 
 typedef enum {
 	CHECK_ACCEPT,
 	CHECK_REJECT
 } check_acceptreject_t;
 
 /**
  * knet_link_add_acl
  *
  * @brief Add access list entry to an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * IMPORTANT: the order in which access lists are added is critical and it
  *            is left to the user to add them in the right order. knet
  *            will not attempt to logically sort them.
  *
  *            For example:
  *            1 - accept from 10.0.0.0/8
  *            2 - reject from 10.0.0.1/32
  *
  *            is not the same as:
  *
  *            1 - reject from 10.0.0.1/32
  *            2 - accept from 10.0.0.0/8
  *
  *            In the first example, rule number 2 will never match because
  *            packets from 10.0.0.1 will be accepted by rule number 1.
  *
  * @return
  * knet_link_add_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		      struct sockaddr_storage *ss1,
 		      struct sockaddr_storage *ss2,
 		      check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_insert_acl
  *
  * @brief Insert access list entry to an open link at given index
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * index     - insert at position "index" where 0 is the first entry and -1
  *             appends to the current list.
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * @return
  * knet_link_insert_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 int index,
 			 struct sockaddr_storage *ss1,
 			 struct sockaddr_storage *ss2,
 			 check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_rm_acl
  *
  * @brief Remove access list entry from an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * IMPORTANT: the data passed to this API call must match exactly that passed
  *            to knet_link_add_acl(3).
  *
  * @return
  * knet_link_rm_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		     struct sockaddr_storage *ss1,
 		     struct sockaddr_storage *ss2,
 		     check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_clear_acl
  *
  * @brief Remove all access list entries from an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * @return
  * knet_link_clear_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
 
 /**
  * knet_link_set_enable
  *
  * @brief Enable traffic on a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * enabled   - 0 disable the link, 1 enable the link
  *
  * @return
  * knet_link_set_enable returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int enabled);
 
 /**
  * knet_link_get_enable
  *
  * @brief Find out whether a link is enabled or not
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * enabled   - 0 disable the link, 1 enable the link
  *
  * @return
  * knet_link_get_enable returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int *enabled);
 
 
 
 #define KNET_LINK_DEFAULT_PING_INTERVAL  1000 /* 1 second */
 #define KNET_LINK_DEFAULT_PING_TIMEOUT   2000 /* 2 seconds */
 #define KNET_LINK_DEFAULT_PING_PRECISION 2048 /* samples */
 
 /**
  * knet_link_set_ping_timers
  *
  * @brief Set the ping timers for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * interval  - specify the ping interval in milliseconds.
  *
  * timeout   - if no pong is received within this time,
  *             the link is declared dead, in milliseconds.
  *             NOTE: in future it will be possible to set timeout to 0
  *             for an autocalculated timeout based on interval, pong_count
  *             and latency. The API already accept 0 as value and it will
  *             return ENOSYS / -1. Once the automatic calculation feature
  *             will be implemented, this call will only return EINVAL
  *             for incorrect values.
  *
  * precision - how many values of latency are used to calculate
  *             the average link latency (see also knet_link_get_status(3))
  *
  * @return
  * knet_link_set_ping_timers returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t interval, time_t timeout, unsigned int precision);
 
 /**
  * knet_link_get_ping_timers
  *
  * @brief Get the ping timers for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * interval  - ping interval
  *
  * timeout   - if no pong is received within this time,
  *             the link is declared dead
  *
  * precision - how many values of latency are used to calculate
  *             the average link latency (see also knet_link_get_status(3))
  *
  * @return
  * knet_link_get_ping_timers returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t *interval, time_t *timeout, unsigned int *precision);
 
 
 
 #define KNET_LINK_DEFAULT_PONG_COUNT 5
 
 /**
  * knet_link_set_pong_count
  *
  * @brief Set the pong count for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * pong_count - how many valid ping/pongs before a link is marked UP.
  *              default: 5, value should be > 0
  *
  * @return
  * knet_link_set_pong_count returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t pong_count);
 
 /**
  * knet_link_get_pong_count
  *
  * @brief Get the pong count for a link
  *
  * knet_h     - pointer to knet_handle_t
  *
  * host_id    - see knet_host_add(3)
  *
  * link_id    - see knet_link_set_config(3)
  *
  * pong_count - how many valid ping/pongs before a link is marked UP.
  *              default: 5, value should be > 0
  *
  * @return
  * knet_link_get_pong_count returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t *pong_count);
 
 /**
  * knet_link_set_priority
  *
  * @brief Set the priority for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * priority  - specify the switching priority for this link
  *             see also knet_host_set_policy
  *
  * @return
  * knet_link_set_priority returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t priority);
 
 /**
  * knet_link_get_priority
  *
  * @brief Get the priority for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * priority  - gather the switching priority for this link
  *             see also knet_host_set_policy
  *
  * @return
  * knet_link_get_priority returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t *priority);
 
 /**
  * knet_link_get_link_list
  *
  * @brief Get a list of links connecting a host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * link_ids - array of at lest KNET_MAX_LINK size
  *            with the list of configured links for a certain host.
  *
  * link_ids_entries -
  *            number of entries contained in link_ids
  *
  * @return
  * knet_link_get_link_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_link_list(knet_handle_t knet_h, knet_node_id_t host_id,
 			    uint8_t *link_ids, size_t *link_ids_entries);
 
 /*
  * define link status structure for quick lookup
  *
  * src/dst_{ipaddr,port} strings are filled by
  *                       getnameinfo(3) when configuring the link.
  *                       if the link is dynamic (see knet_link_set_config(3))
  *                       dst_ipaddr/port will contain ipaddr/port of the currently
  *                       connected peer or "Unknown" if it was not possible
  *                       to determine the ipaddr/port at runtime.
  *
  * enabled               see also knet_link_set/get_enable.
  *
  * connected             the link is connected to a peer and ping/pong traffic
  *                       is flowing.
  *
  * dynconnected          the link has dynamic ip on the other end, and
  *                       we can see the other host is sending pings to us.
  *
  * latency               average latency of this link
  *                       see also knet_link_set/get_timeout.
  *
  * pong_last             if the link is down, this value tells us how long
  *                       ago this link was active. A value of 0 means that the link
  *                       has never been active.
  *
  * knet_link_stats       structure that contains details statistics for the link
  */
 
 #define MAX_LINK_EVENTS 16
 
+/**
+ * Stats for a knet link
+ * returned from knet_link_get_status() as part of a knet_link_status structure
+ * link stats are 'onwire', ie they indicate the number of actual bytes/packets
+ * sent including overheads, not just data packets.
+ */
 struct knet_link_stats {
-	/* onwire values */
+	/** Number of data packets sent */
 	uint64_t tx_data_packets;
+	/** Number of data packets received */
 	uint64_t rx_data_packets;
+	/** Number of data bytes sent */
 	uint64_t tx_data_bytes;
+	/** Number of data bytes received */
 	uint64_t rx_data_bytes;
+	/** Number of ping packets sent */
 	uint64_t rx_ping_packets;
+	/** Number of ping packets received */
 	uint64_t tx_ping_packets;
+	/** Number of ping bytes sent */
 	uint64_t rx_ping_bytes;
+	/** Number of ping bytes received */
 	uint64_t tx_ping_bytes;
+	/** Number of pong packets sent */
 	uint64_t rx_pong_packets;
+	/** Number of pong packets received */
 	uint64_t tx_pong_packets;
+	/** Number of pong bytes sent */
 	uint64_t rx_pong_bytes;
+	/** Number of pong bytes received */
 	uint64_t tx_pong_bytes;
+	/** Number of pMTU packets sent */
 	uint64_t rx_pmtu_packets;
+	/** Number of pMTU packets received */
 	uint64_t tx_pmtu_packets;
+	/** Number of pMTU bytes sent */
 	uint64_t rx_pmtu_bytes;
+	/** Number of pMTU bytes received */
 	uint64_t tx_pmtu_bytes;
 
-	/* Only filled in when requested */
+	/* These are only filled in when requested
+	   ie. they are not collected in realtime */
+	/** Total of all packets sent */
 	uint64_t tx_total_packets;
+	/** Total of all packets received */
 	uint64_t rx_total_packets;
+	/** Total number of bytes sent */
 	uint64_t tx_total_bytes;
+	/** Total number of bytes received */
 	uint64_t rx_total_bytes;
+	/** Total number of errors that occurred while sending */
 	uint64_t tx_total_errors;
+	/** Total number of retries that occurred while sending */
 	uint64_t tx_total_retries;
 
+	/** Total number of errors that occurred while sending pMTU packets */
 	uint32_t tx_pmtu_errors;
+	/** Total number of retries that occurred while sending pMTU packets */
 	uint32_t tx_pmtu_retries;
+	/** Total number of errors that occurred while sending ping packets */
 	uint32_t tx_ping_errors;
+	/** Total number of retries that occurred while sending ping packets */
 	uint32_t tx_ping_retries;
+	/** Total number of errors that occurred while sending pong packets */
 	uint32_t tx_pong_errors;
+	/** Total number of retries that occurred while sending pong packets */
 	uint32_t tx_pong_retries;
+	/** Total number of errors that occurred while sending data packets */
 	uint32_t tx_data_errors;
+	/** Total number of retries that occurred while sending data packets */
 	uint32_t tx_data_retries;
 
-	/* measured in usecs */
+	/** Minimum latency measured in usecs */
 	uint32_t latency_min;
+	/** Maximum latency measured in usecs */
 	uint32_t latency_max;
+	/** Average(mean) latency measured in usecs */
 	uint32_t latency_ave;
+	/** Number of samples used to calculate latency */
 	uint32_t latency_samples;
 
-	/* how many times the link has been going up/down */
+	/** How many times the link has gone down */
 	uint32_t down_count;
+	/** How many times the link has come up */
 	uint32_t up_count;
 
-	/*
-	 * circular buffer of time_t structs collecting the history
-	 * of up/down events on this link.
-	 * the index indicates current/last event.
+	/**
+	 * A circular buffer of time_t structs collecting the history
+	 * of up events on this link.
+	 * The index indicates current/last event.
 	 * it is safe to walk back the history by decreasing the index
 	 */
 	time_t   last_up_times[MAX_LINK_EVENTS];
+	/**
+	 * A circular buffer of time_t structs collecting the history
+	 * of down events on this link.
+	 * The index indicates current/last event.
+	 * it is safe to walk back the history by decreasing the index
+	 */
 	time_t   last_down_times[MAX_LINK_EVENTS];
+	/** Index of last element in the last_up_times[] array */
 	int8_t   last_up_time_index;
+	/** Index of last element in the last_down_times[] array */
 	int8_t   last_down_time_index;
 	/* Always add new stats at the end */
 };
 
+
+/**
+ * Status of a knet link as returned from knet_link_get_status()
+ */
 struct knet_link_status {
-	size_t size;                    /* For ABI checking */
+	/** Size of the structure for ABI checking, set this to sizeof(knet_link_status) before calling knet_link_get_status() */
+	size_t size;
+	/** Local IP address as a string*/
 	char src_ipaddr[KNET_MAX_HOST_LEN];
+	/** Local IP port as a string */
 	char src_port[KNET_MAX_PORT_LEN];
+	/** Remote IP address as a string */
 	char dst_ipaddr[KNET_MAX_HOST_LEN];
+	/** Remote IP port as a string*/
 	char dst_port[KNET_MAX_PORT_LEN];
-	uint8_t enabled;	        /* link is configured and admin enabled for traffic */
-	uint8_t connected;              /* link is connected for data (local view) */
-	uint8_t dynconnected;	        /* link has been activated by remote dynip */
-	unsigned long long latency;	/* average latency computed by fix/exp */
+	/** Link is configured and admin enabled for traffic */
+	uint8_t enabled;
+	/** Link is connected for data (local view) */
+	uint8_t connected;
+	/** Link has been activated by remote dynip */
+	uint8_t dynconnected;
+	/** average latency computed by fix/exp */
+	unsigned long long latency;
+	/** Timestamp of the past pong received */
 	struct timespec pong_last;
-	unsigned int mtu;		/* current detected MTU on this link */
-	unsigned int proto_overhead;    /* contains the size of the IP protocol, knet headers and
-					 * crypto headers (if configured). This value is filled in
-					 * ONLY after the first PMTUd run on that given link,
-					 * and can change if link configuration or crypto configuration
-					 * changes at runtime.
-					 * WARNING: in general mtu + proto_overhead might or might
-					 * not match the output of ifconfig mtu due to crypto
-					 * requirements to pad packets to some specific boundaries. */
-	/* Link statistics */
+	/** Currently detected MTU on this link */
+	unsigned int mtu;
+	/**
+	 * Contains the size of the IP protocol, knet headers and
+	 * crypto headers (if configured). This value is filled in
+	 * ONLY after the first PMTUd run on that given link,
+	 * and can change if link configuration or crypto configuration
+	 * changes at runtime.
+	 * WARNING: in general mtu + proto_overhead might or might
+	 * not match the output of ifconfig mtu due to crypto
+	 * requirements to pad packets to some specific boundaries.
+	 */
+	unsigned int proto_overhead;
+	/** Link statistics */
 	struct knet_link_stats stats;
 };
 
 /**
  * knet_link_get_status
  *
  * @brief Get the status (and statistics) for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * status    - pointer to knet_link_status struct
  *
  * struct_size - max size of knet_link_status - allows library to
  *               add fields without ABI change. Returned structure
  *               will be truncated to this length and .size member
  *               indicates the full size.
  *
  * @return
  * knet_link_get_status returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_status(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 struct knet_link_status *status, size_t struct_size);
 
 /*
  * logging structs/API calls
  */
 
 /*
  * libknet is composed of several subsystems. In order
  * to easily distinguish log messages coming from different
  * places, each subsystem has its own ID.
  *
  *  0-19 config/management
  * 20-39 internal threads
  * 40-59 transports
  * 60-69 crypto implementations
  */
 
 #define KNET_SUB_COMMON         0 /* common.c */
 #define KNET_SUB_HANDLE         1 /* handle.c alloc/dealloc config changes */
 #define KNET_SUB_HOST           2 /* host add/del/modify */
 #define KNET_SUB_LISTENER       3 /* listeners add/del/modify... */
 #define KNET_SUB_LINK           4 /* link add/del/modify */
 #define KNET_SUB_TRANSPORT      5 /* Transport common */
 #define KNET_SUB_CRYPTO         6 /* crypto.c config generic layer */
 #define KNET_SUB_COMPRESS       7 /* compress.c config generic layer */
 
 #define KNET_SUB_FILTER        19 /* allocated for users to log from dst_filter */
 
 #define KNET_SUB_DSTCACHE      20 /* switching thread (destination cache handling) */
 #define KNET_SUB_HEARTBEAT     21 /* heartbeat thread */
 #define KNET_SUB_PMTUD         22 /* Path MTU Discovery thread */
 #define KNET_SUB_TX            23 /* send to link thread */
 #define KNET_SUB_RX            24 /* recv from link thread */
 
 #define KNET_SUB_TRANSP_BASE   40 /* Base log level for transports */
 #define KNET_SUB_TRANSP_LOOPBACK (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_LOOPBACK)
 #define KNET_SUB_TRANSP_UDP      (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_UDP)
 #define KNET_SUB_TRANSP_SCTP     (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_SCTP)
 
 #define KNET_SUB_NSSCRYPTO     60 /* nsscrypto.c */
 #define KNET_SUB_OPENSSLCRYPTO 61 /* opensslcrypto.c */
 
 #define KNET_SUB_ZLIBCOMP      70 /* compress_zlib.c */
 #define KNET_SUB_LZ4COMP       71 /* compress_lz4.c */
 #define KNET_SUB_LZ4HCCOMP     72 /* compress_lz4.c */
 #define KNET_SUB_LZO2COMP      73 /* compress_lzo.c */
 #define KNET_SUB_LZMACOMP      74 /* compress_lzma.c */
 #define KNET_SUB_BZIP2COMP     75 /* compress_bzip2.c */
 #define KNET_SUB_ZSTDCOMP      76 /* compress_zstd.c */
 
 #define KNET_SUB_UNKNOWN       UINT8_MAX - 1
 #define KNET_MAX_SUBSYSTEMS    UINT8_MAX
 
 /*
  * Convert between subsystem IDs and names
  */
 
 /**
  * knet_log_get_subsystem_name
  *
  * @brief Get a logging system name from its numeric ID
  *
  * @return
  * returns internal name of the subsystem or "common"
  */
 
 const char *knet_log_get_subsystem_name(uint8_t subsystem);
 
 /**
  * knet_log_get_subsystem_id
  *
  * @brief Get a logging system ID from its name
  *
  * @return
  * returns internal ID of the subsystem or KNET_SUB_COMMON
  */
 
 uint8_t knet_log_get_subsystem_id(const char *name);
 
 /*
  * 4 log levels are enough for everybody
  */
 
 #define KNET_LOG_ERR         0 /* unrecoverable errors/conditions */
 #define KNET_LOG_WARN        1 /* recoverable errors/conditions */
 #define KNET_LOG_INFO        2 /* info, link up/down, config changes.. */
 #define KNET_LOG_DEBUG       3
 
 /*
  * Convert between log level values and names
  */
 
 /**
  * knet_log_get_loglevel_name
  *
  * @brief Get a logging level name from its numeric ID
  *
  * @return
  * returns internal name of the log level or "ERROR" for unknown values
  */
 
 const char *knet_log_get_loglevel_name(uint8_t level);
 
 /**
  * knet_log_get_loglevel_id
  *
  * @brief Get a logging level ID from its name
  *
  * @return
  * returns internal log level ID or KNET_LOG_ERR for invalid names
  */
 
 uint8_t knet_log_get_loglevel_id(const char *name);
 
 /*
  * every log message is composed by a text message
  * and message level/subsystem IDs.
  * In order to make debugging easier it is possible to send those packets
  * straight to stdout/stderr (see knet_bench.c stdout option).
  */
 
 #define KNET_MAX_LOG_MSG_SIZE    254
 #if KNET_MAX_LOG_MSG_SIZE > PIPE_BUF
 #error KNET_MAX_LOG_MSG_SIZE cannot be bigger than PIPE_BUF for guaranteed system atomic writes
 #endif
 
+
+/**
+ * Structure of a log message sent to the logging fd
+ */
 struct knet_log_msg {
+	/** Text of the log message */
 	char	msg[KNET_MAX_LOG_MSG_SIZE];
-	uint8_t	subsystem;	/* KNET_SUB_* */
-	uint8_t msglevel;	/* KNET_LOG_* */
+	/** Subsystem that sent this message. KNET_SUB_* */
+	uint8_t	subsystem;
+	/** Logging level of this message. KNET_LOG_* */
+	uint8_t msglevel;
 };
 
 /**
  * knet_log_set_loglevel
  *
  * @brief Set the logging level for a subsystem
  *
  * knet_h     - same as above
  *
  * subsystem  - same as above
  *
  * level      - same as above
  *
  * knet_log_set_loglevel allows fine control of log levels by subsystem.
  *                       See also knet_handle_new for defaults.
  *
  * @return
  * knet_log_set_loglevel returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_log_set_loglevel(knet_handle_t knet_h, uint8_t subsystem,
 			  uint8_t level);
 
 /**
  * knet_log_get_loglevel
  *
  * @brief Get the logging level for a subsystem
  *
  * knet_h     - same as above
  *
  * subsystem  - same as above
  *
  * level      - same as above
  *
  * @return
  * knet_log_get_loglevel returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_log_get_loglevel(knet_handle_t knet_h, uint8_t subsystem,
 			  uint8_t *level);
 
 #endif
diff --git a/libknet/links.c b/libknet/links.c
index 91aeff48..8cb1621b 100644
--- a/libknet/links.c
+++ b/libknet/links.c
@@ -1,1539 +1,1513 @@
 /*
  * Copyright (C) 2012-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <netdb.h>
 #include <string.h>
 #include <pthread.h>
 
+#include "netutils.h"
 #include "internals.h"
 #include "logging.h"
 #include "links.h"
 #include "transports.h"
 #include "host.h"
 #include "threads_common.h"
 #include "links_acl.h"
 
 int _link_updown(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		 unsigned int enabled, unsigned int connected, unsigned int lock_stats)
 {
 	struct knet_host *host = knet_h->host_index[host_id];
 	struct knet_link *link = &host->link[link_id];
 	int savederrno = 0;
 
 	if ((link->status.enabled == enabled) &&
 	    (link->status.connected == connected))
 		return 0;
 
 	link->status.enabled = enabled;
 	link->status.connected = connected;
 
 	_host_dstcache_update_async(knet_h, knet_h->host_index[host_id]);
 
 	if ((link->status.dynconnected) &&
 	    (!link->status.connected)) {
 		link->status.dynconnected = 0;
 	}
 
 	if (!connected) {
 		transport_link_is_down(knet_h, link);
 	}
 
 	if (lock_stats) {
 		savederrno = pthread_mutex_lock(&link->link_stats_mutex);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_LINK, "Unable to get stats mutex lock for host %u link %u: %s",
 				host_id, link_id, strerror(savederrno));
 			errno = savederrno;
 			return -1;
 		}
 	}
 
 	if (connected) {
 		time(&link->status.stats.last_up_times[link->status.stats.last_up_time_index]);
 		link->status.stats.up_count++;
 		if (++link->status.stats.last_up_time_index >= MAX_LINK_EVENTS) {
 			link->status.stats.last_up_time_index = 0;
 		}
 	} else {
 		time(&link->status.stats.last_down_times[link->status.stats.last_down_time_index]);
 		link->status.stats.down_count++;
 		if (++link->status.stats.last_down_time_index >= MAX_LINK_EVENTS) {
 			link->status.stats.last_down_time_index = 0;
 		}
 	}
 
 	if (lock_stats) {
 		pthread_mutex_unlock(&link->link_stats_mutex);
 	}
 	return 0;
 }
 
 void _link_clear_stats(knet_handle_t knet_h)
 {
 	struct knet_host *host;
 	struct knet_link *link;
 	uint32_t host_id;
 	uint8_t link_id;
 
 	for (host_id = 0; host_id < KNET_MAX_HOST; host_id++) {
 		host = knet_h->host_index[host_id];
 		if (!host) {
 			continue;
 		}
 		for (link_id = 0; link_id < KNET_MAX_LINK; link_id++) {
 			link = &host->link[link_id];
 			memset(&link->status.stats, 0, sizeof(struct knet_link_stats));
 		}
 	}
 }
 
 int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint64_t flags)
 {
-	int savederrno = 0, err = 0, i;
-	struct knet_host *host;
+	int savederrno = 0, err = 0, i, wipelink = 0, link_idx;
+	struct knet_host *host, *tmp_host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!src_addr) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (dst_addr && (src_addr->ss_family != dst_addr->ss_family)) {
 		log_err(knet_h, KNET_SUB_LINK, "Source address family does not match destination address family");
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (transport >= KNET_MAX_TRANSPORTS) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (transport == KNET_TRANSPORT_LOOPBACK && knet_h->host_id != host_id) {
 		log_err(knet_h, KNET_SUB_LINK, "Cannot create loopback link to remote node");
 		err = -1;
 		savederrno = EINVAL;
 		goto exit_unlock;
 	}
 
 	if (knet_h->host_id == host_id && knet_h->has_loop_link) {
 		log_err(knet_h, KNET_SUB_LINK, "Cannot create more than 1 link when loopback is active");
 		err = -1;
 		savederrno = EINVAL;
 		goto exit_unlock;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (transport == KNET_TRANSPORT_LOOPBACK && knet_h->host_id == host_id) {
 		for (i=0; i<KNET_MAX_LINK; i++) {
 			if (host->link[i].configured) {
 				log_err(knet_h, KNET_SUB_LINK, "Cannot add loopback link when other links are already configured.");
 				err = -1;
 				savederrno = EINVAL;
 				goto exit_unlock;
 			}
 		}
 	}
 
 	link = &host->link[link_id];
 
 	if (link->configured != 0) {
 		err =-1;
 		savederrno = EBUSY;
 		log_err(knet_h, KNET_SUB_LINK, "Host %u link %u is currently configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->status.enabled != 0) {
 		err =-1;
 		savederrno = EBUSY;
 		log_err(knet_h, KNET_SUB_LINK, "Host %u link %u is currently in use: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
-	memmove(&link->src_addr, src_addr, sizeof(struct sockaddr_storage));
+	/*
+	 * errors happening after this point should trigger
+	 * a memset of the link
+	 */
+	wipelink = 1;
+
+	copy_sockaddr(&link->src_addr, src_addr);
 
 	err = knet_addrtostr(src_addr, sizeof(struct sockaddr_storage),
 			     link->status.src_ipaddr, KNET_MAX_HOST_LEN,
 			     link->status.src_port, KNET_MAX_PORT_LEN);
 	if (err) {
 		if (err == EAI_SYSTEM) {
 			savederrno = errno;
 			log_warn(knet_h, KNET_SUB_LINK,
 				 "Unable to resolve host: %u link: %u source addr/port: %s",
 				 host_id, link_id, strerror(savederrno));
 		} else {
 			savederrno = EINVAL;
 			log_warn(knet_h, KNET_SUB_LINK,
 				 "Unable to resolve host: %u link: %u source addr/port: %s",
 				 host_id, link_id, gai_strerror(err));
 		}
 		err = -1;
 		goto exit_unlock;
 	}
 
 	if (!dst_addr) {
 		link->dynamic = KNET_LINK_DYNIP;
 	} else {
 
 		link->dynamic = KNET_LINK_STATIC;
 
-		memmove(&link->dst_addr, dst_addr, sizeof(struct sockaddr_storage));
+		copy_sockaddr(&link->dst_addr, dst_addr);
 		err = knet_addrtostr(dst_addr, sizeof(struct sockaddr_storage),
 				     link->status.dst_ipaddr, KNET_MAX_HOST_LEN,
 				     link->status.dst_port, KNET_MAX_PORT_LEN);
 		if (err) {
 			if (err == EAI_SYSTEM) {
 				savederrno = errno;
 				log_warn(knet_h, KNET_SUB_LINK,
 					 "Unable to resolve host: %u link: %u destination addr/port: %s",
 					 host_id, link_id, strerror(savederrno));
 			} else {
 				savederrno = EINVAL;
 				log_warn(knet_h, KNET_SUB_LINK,
 					 "Unable to resolve host: %u link: %u destination addr/port: %s",
 					 host_id, link_id, gai_strerror(err));
 			}
 			err = -1;
 			goto exit_unlock;
 		}
 	}
 
 	link->pmtud_crypto_timeout_multiplier = KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MIN;
 	link->pong_count = KNET_LINK_DEFAULT_PONG_COUNT;
 	link->has_valid_mtu = 0;
 	link->ping_interval = KNET_LINK_DEFAULT_PING_INTERVAL * 1000; /* microseconds */
 	link->pong_timeout = KNET_LINK_DEFAULT_PING_TIMEOUT * 1000; /* microseconds */
 	link->pong_timeout_backoff = KNET_LINK_PONG_TIMEOUT_BACKOFF;
 	link->pong_timeout_adj = link->pong_timeout * link->pong_timeout_backoff; /* microseconds */
 	link->latency_max_samples = KNET_LINK_DEFAULT_PING_PRECISION;
 	link->latency_cur_samples = 0;
 	link->flags = flags;
 
+	/*
+	 * check for DYNIP vs STATIC collisions.
+	 * example: link0 is static, user attempts to configure link1 as dynamic with the same source
+	 * address/port.
+	 * This configuration is invalid and would cause ACL collisions.
+	 */
+	for (tmp_host = knet_h->host_head; tmp_host != NULL; tmp_host = tmp_host->next) {
+		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
+			if (&tmp_host->link[link_idx] == link)
+				continue;
+
+			if ((!memcmp(&tmp_host->link[link_idx].src_addr, &link->src_addr, sizeof(struct sockaddr_storage))) &&
+			    (tmp_host->link[link_idx].dynamic != link->dynamic)) {
+				savederrno = EINVAL;
+				err = -1;
+				log_err(knet_h, KNET_SUB_LINK, "Failed to configure host %u link %u dyn %u. Conflicts with host %u link %u dyn %u: %s",
+					host_id, link_id, link->dynamic, tmp_host->host_id, link_idx, tmp_host->link[link_idx].dynamic, strerror(savederrno));
+				goto exit_unlock;
+			}
+		}
+	}
+
 	savederrno = pthread_mutex_init(&link->link_stats_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to initialize link stats mutex: %s", strerror(savederrno));
 		err = -1;
 		goto exit_unlock;
 	}
 
 	if (transport_link_set_config(knet_h, link, transport) < 0) {
 		savederrno = errno;
 		err = -1;
-		goto exit_unlock;
+		goto exit_transport_err;
 	}
 
 	/*
 	 * we can only configure default access lists if we know both endpoints
 	 * and the protocol uses GENERIC_ACL, otherwise the protocol has
 	 * to setup their own access lists above in transport_link_set_config.
 	 */
 	if ((transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL) &&
 	    (link->dynamic == KNET_LINK_STATIC)) {
 		log_debug(knet_h, KNET_SUB_LINK, "Configuring default access lists for host: %u link: %u socket: %d",
 			  host_id, link_id, link->outsock);
-		if ((check_add(knet_h, link->outsock, transport, -1,
+		if ((check_add(knet_h, link, -1,
 			       &link->dst_addr, &link->dst_addr,
 			       CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
 			log_warn(knet_h, KNET_SUB_LINK, "Failed to configure default access lists for host: %u link: %u", host_id, link_id);
 			savederrno = errno;
 			err = -1;
-			goto exit_unlock;
+			goto exit_acl_error;
 		}
 	}
 
+	/*
+	 * no errors should happen after link is configured
+	 */
 	link->configured = 1;
 	log_debug(knet_h, KNET_SUB_LINK, "host: %u link: %u is configured",
 		  host_id, link_id);
 
 	if (transport == KNET_TRANSPORT_LOOPBACK) {
 		knet_h->has_loop_link = 1;
 		knet_h->loop_link = link_id;
 		host->status.reachable = 1;
 		link->status.mtu = KNET_PMTUD_SIZE_V6;
 	} else {
 		/*
 		 * calculate the minimum MTU that is safe to use,
 		 * based on RFCs and that each network device should
 		 * be able to support without any troubles
 		 */
 		if (link->dynamic == KNET_LINK_STATIC) {
 			/*
 			 * with static link we can be more precise than using
 			 * the generic calc_min_mtu()
 			 */
 			switch (link->dst_addr.ss_family) {
 				case AF_INET6:
 					link->status.mtu =  calc_max_data_outlen(knet_h, KNET_PMTUD_MIN_MTU_V6 - (KNET_PMTUD_OVERHEAD_V6 + link->proto_overhead));
 					break;
 				case AF_INET:
 					link->status.mtu =  calc_max_data_outlen(knet_h, KNET_PMTUD_MIN_MTU_V4 - (KNET_PMTUD_OVERHEAD_V4 + link->proto_overhead));
 					break;
 			}
 		} else {
 			/*
 			 * for dynamic links we start with the minimum MTU
 			 * possible and PMTUd will kick in immediately
 			 * after connection status is 1
 			 */
 			link->status.mtu =  calc_min_mtu(knet_h);
 		}
 		link->has_valid_mtu = 1;
 	}
 
+exit_acl_error:
+	/*
+	 * if creating access lists has error, we only need to clean
+	 * the transport and the stuff below.
+	 */
+	if (err < 0) {
+		if ((transport_link_clear_config(knet_h, link) < 0)  &&
+		    (errno != EBUSY)) {
+			log_warn(knet_h, KNET_SUB_LINK, "Failed to deconfigure transport for host %u link %u: %s", host_id, link_id, strerror(errno));
+		}
+	}
+exit_transport_err:
+	/*
+	 * if transport has errors, transport will clean after itself
+	 * and we only need to clean the mutex
+	 */
+	if (err < 0) {
+		pthread_mutex_destroy(&link->link_stats_mutex);
+	}
 exit_unlock:
+	/*
+	 * re-init the link on error
+	 */
+	if ((err < 0) && (wipelink)) {
+		memset(link, 0, sizeof(struct knet_link));
+		link->link_id = link_id;
+	}
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t *transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint8_t *dynamic,
 			 uint64_t *flags)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!src_addr) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!dynamic) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!transport) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!flags) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if ((link->dynamic == KNET_LINK_STATIC) && (!dst_addr)) {
 		savederrno = EINVAL;
 		err = -1;
 		goto exit_unlock;
 	}
 
 	memmove(src_addr, &link->src_addr, sizeof(struct sockaddr_storage));
 
 	*transport = link->transport;
 	*flags = link->flags;
 
 	if (link->dynamic == KNET_LINK_STATIC) {
 		*dynamic = 0;
 		memmove(dst_addr, &link->dst_addr, sizeof(struct sockaddr_storage));
 	} else {
 		*dynamic = 1;
 	}
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 	int sock;
 	uint8_t transport;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (link->configured != 1) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->status.enabled != 0) {
 		err = -1;
 		savederrno = EBUSY;
 		log_err(knet_h, KNET_SUB_LINK, "Host %u link %u is currently in use: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	/*
 	 * remove well known access lists here.
 	 * After the transport has done clearing the config,
 	 * then we can remove any leftover access lists if the link
 	 * is no longer in use.
 	 */
 	if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
 	    (link->dynamic == KNET_LINK_STATIC)) {
-		if ((check_rm(knet_h, link->outsock, link->transport,
+		if ((check_rm(knet_h, link,
 			      &link->dst_addr, &link->dst_addr,
 			      CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
 			err = -1;
 			savederrno = errno;
 			log_err(knet_h, KNET_SUB_LINK, "Host %u link %u: unable to remove default access list",
 				host_id, link_id);
 			goto exit_unlock;
 		}
 	}
 
 	/*
 	 * cache it for later as we don't know if the transport
 	 * will clear link info during clear_config.
 	 */
 	sock = link->outsock;
 	transport = link->transport;
 
 	if ((transport_link_clear_config(knet_h, link) < 0)  &&
 	    (errno != EBUSY)) {
 		savederrno = errno;
 		err = -1;
 		goto exit_unlock;
 	}
 
 	/*
 	 * remove any other access lists when the socket is no
 	 * longer in use by the transport.
 	 */
-	if ((transport_get_acl_type(knet_h, link->transport) == USE_GENERIC_ACL) &&
+	if ((transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL) &&
 	    (knet_h->knet_transport_fd_tracker[sock].transport == KNET_MAX_TRANSPORTS)) {
-		check_rmall(knet_h, sock, transport);
+		check_rmall(knet_h, link);
 	}
 
 	pthread_mutex_destroy(&link->link_stats_mutex);
 
 	memset(link, 0, sizeof(struct knet_link));
 	link->link_id = link_id;
 
 	if (knet_h->has_loop_link && host_id == knet_h->host_id && link_id == knet_h->loop_link) {
 		knet_h->has_loop_link = 0;
 		if (host->active_link_entries == 0) {
 			host->status.reachable = 0;
 		}
 	}
 
 	log_debug(knet_h, KNET_SUB_LINK, "host: %u link: %u config has been wiped",
 		  host_id, link_id);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_set_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int enabled)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (enabled > 1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->status.enabled == enabled) {
 		err = 0;
 		goto exit_unlock;
 	}
 
 	err = _link_updown(knet_h, host_id, link_id, enabled, link->status.connected, 0);
 	savederrno = errno;
 
 	if (enabled) {
 		goto exit_unlock;
 	}
 
 	log_debug(knet_h, KNET_SUB_LINK, "host: %u link: %u is disabled",
 		  host_id, link_id);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int *enabled)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!enabled) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	*enabled = link->status.enabled;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_set_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t pong_count)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (pong_count < 1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link->pong_count = pong_count;
 
 	log_debug(knet_h, KNET_SUB_LINK,
 		  "host: %u link: %u pong count update: %u",
 		  host_id, link_id, link->pong_count);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t *pong_count)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!pong_count) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	*pong_count = link->pong_count;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_set_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t interval, time_t timeout, unsigned int precision)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!interval) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!timeout) {
 		errno = ENOSYS;
 		return -1;
 	}
 
 	if (!precision) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link->ping_interval = interval * 1000; /* microseconds */
 	link->pong_timeout = timeout * 1000; /* microseconds */
 	link->latency_max_samples = precision;
 
 	log_debug(knet_h, KNET_SUB_LINK,
 		  "host: %u link: %u timeout update - interval: %llu timeout: %llu precision: %u",
 		  host_id, link_id, link->ping_interval, link->pong_timeout, precision);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t *interval, time_t *timeout, unsigned int *precision)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!interval) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!timeout) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!precision) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	*interval = link->ping_interval / 1000; /* microseconds */
 	*timeout = link->pong_timeout / 1000;
 	*precision = link->latency_max_samples;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_set_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t priority)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 	uint8_t old_priority;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	old_priority = link->priority;
 
 	if (link->priority == priority) {
 		err = 0;
 		goto exit_unlock;
 	}
 
 	link->priority = priority;
 
 	if (_host_dstcache_update_sync(knet_h, host)) {
 		savederrno = errno;
 		log_debug(knet_h, KNET_SUB_LINK,
 			  "Unable to update link priority (host: %u link: %u priority: %u): %s",
 			  host_id, link_id, link->priority, strerror(savederrno));
 		link->priority = old_priority;
 		err = -1;
 		goto exit_unlock;
 	}
 
 	log_debug(knet_h, KNET_SUB_LINK,
 		  "host: %u link: %u priority set to: %u",
 		  host_id, link_id, link->priority);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t *priority)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!priority) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	*priority = link->priority;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_link_list(knet_handle_t knet_h, knet_node_id_t host_id,
 			    uint8_t *link_ids, size_t *link_ids_entries)
 {
 	int savederrno = 0, err = 0, i, count = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!link_ids) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!link_ids_entries) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	for (i = 0; i < KNET_MAX_LINK; i++) {
 		link = &host->link[i];
 		if (!link->configured) {
 			continue;
 		}
 		link_ids[count] = i;
 		count++;
 	}
 
 	*link_ids_entries = count;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_link_get_status(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 struct knet_link_status *status, size_t struct_size)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!status) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	savederrno = pthread_mutex_lock(&link->link_stats_mutex);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get stats mutex lock for host %u link %u: %s",
 			host_id, link_id, strerror(savederrno));
 		err = -1;
 		goto exit_unlock;
 	}
 
 	memmove(status, &link->status, struct_size);
 
 	pthread_mutex_unlock(&link->link_stats_mutex);
 
 	/* Calculate totals - no point in doing this on-the-fly */
 	status->stats.rx_total_packets =
 		status->stats.rx_data_packets +
 		status->stats.rx_ping_packets +
 		status->stats.rx_pong_packets +
 		status->stats.rx_pmtu_packets;
 	status->stats.tx_total_packets =
 		status->stats.tx_data_packets +
 		status->stats.tx_ping_packets +
 		status->stats.tx_pong_packets +
 		status->stats.tx_pmtu_packets;
 	status->stats.rx_total_bytes =
 		status->stats.rx_data_bytes +
 		status->stats.rx_ping_bytes +
 		status->stats.rx_pong_bytes +
 		status->stats.rx_pmtu_bytes;
 	status->stats.tx_total_bytes =
 		status->stats.tx_data_bytes +
 		status->stats.tx_ping_bytes +
 		status->stats.tx_pong_bytes +
 		status->stats.tx_pmtu_bytes;
 	status->stats.tx_total_errors =
 		status->stats.tx_data_errors +
 		status->stats.tx_ping_errors +
 		status->stats.tx_pong_errors +
 		status->stats.tx_pmtu_errors;
 	status->stats.tx_total_retries =
 		status->stats.tx_data_retries +
 		status->stats.tx_ping_retries +
 		status->stats.tx_pong_retries +
 		status->stats.tx_pmtu_retries;
 
 	/* Tell the caller our full size in case they have an old version */
 	status->size = sizeof(struct knet_link_status);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
-int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
-		      struct sockaddr_storage *ss1,
-		      struct sockaddr_storage *ss2,
-		      check_type_t type, check_acceptreject_t acceptreject)
-{
-	int savederrno = 0, err = 0;
-	struct knet_host *host;
-	struct knet_link *link;
-
-	if (!_is_valid_handle(knet_h)) {
-		return -1;
-	}
-
-	if (!ss1) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	if ((type != CHECK_TYPE_ADDRESS) &&
-	    (type != CHECK_TYPE_MASK) &&
-	    (type != CHECK_TYPE_RANGE)) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	if ((acceptreject != CHECK_ACCEPT) &&
-	    (acceptreject != CHECK_REJECT)) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	if ((type == CHECK_TYPE_RANGE) &&
-	    (ss1->ss_family != ss2->ss_family)) {
-			errno = EINVAL;
-			return -1;
-	}
-
-	if (link_id >= KNET_MAX_LINK) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	savederrno = get_global_wrlock(knet_h);
-	if (savederrno) {
-		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
-			strerror(savederrno));
-		errno = savederrno;
-		return -1;
-	}
-
-	host = knet_h->host_index[host_id];
-	if (!host) {
-		err = -1;
-		savederrno = EINVAL;
-		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
-			host_id, strerror(savederrno));
-		goto exit_unlock;
-	}
-
-	link = &host->link[link_id];
-
-	if (!link->configured) {
-		err = -1;
-		savederrno = EINVAL;
-		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
-			host_id, link_id, strerror(savederrno));
-		goto exit_unlock;
-	}
-
-	if (link->dynamic != KNET_LINK_DYNIP) {
-		err = -1;
-		savederrno = EINVAL;
-		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
-			host_id, link_id, strerror(savederrno));
-		goto exit_unlock;
-	}
-
-	err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, -1,
-			ss1, ss2, type, acceptreject);
-	savederrno = errno;
-
-exit_unlock:
-	pthread_rwlock_unlock(&knet_h->global_rwlock);
-
-	errno = savederrno;
-	return err;
-}
-
 int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 int index,
 			 struct sockaddr_storage *ss1,
 			 struct sockaddr_storage *ss2,
 			 check_type_t type, check_acceptreject_t acceptreject)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!ss1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type != CHECK_TYPE_ADDRESS) &&
 	    (type != CHECK_TYPE_MASK) &&
 	    (type != CHECK_TYPE_RANGE)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((acceptreject != CHECK_ACCEPT) &&
 	    (acceptreject != CHECK_REJECT)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type == CHECK_TYPE_RANGE) &&
 	    (ss1->ss_family != ss2->ss_family)) {
 			errno = EINVAL;
 			return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->dynamic != KNET_LINK_DYNIP) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
-	err = check_add(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport, index,
+	err = check_add(knet_h, link, index,
 			ss1, ss2, type, acceptreject);
 	savederrno = errno;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = savederrno;
 	return err;
 }
 
+int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+		      struct sockaddr_storage *ss1,
+		      struct sockaddr_storage *ss2,
+		      check_type_t type, check_acceptreject_t acceptreject)
+{
+	return knet_link_insert_acl(knet_h, host_id, link_id, -1, ss1, ss2, type, acceptreject);
+}
+
+
 int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		     struct sockaddr_storage *ss1,
 		     struct sockaddr_storage *ss2,
 		     check_type_t type, check_acceptreject_t acceptreject)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!ss1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type != CHECK_TYPE_ADDRESS) &&
 	    (type != CHECK_TYPE_MASK) &&
 	    (type != CHECK_TYPE_RANGE)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((acceptreject != CHECK_ACCEPT) &&
 	    (acceptreject != CHECK_REJECT)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((type == CHECK_TYPE_RANGE) &&
 	    (ss1->ss_family != ss2->ss_family)) {
 			errno = EINVAL;
 			return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->dynamic != KNET_LINK_DYNIP) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
-	err = check_rm(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport,
+	err = check_rm(knet_h, link,
 		       ss1, ss2, type, acceptreject);
 	savederrno = errno;
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = savederrno;
 	return err;
 }
 
 int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id)
 {
 	int savederrno = 0, err = 0;
 	struct knet_host *host;
 	struct knet_link *link;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (link_id >= KNET_MAX_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_LINK, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	host = knet_h->host_index[host_id];
 	if (!host) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "Unable to find host %u: %s",
 			host_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	link = &host->link[link_id];
 
 	if (!link->configured) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is not configured: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
 	if (link->dynamic != KNET_LINK_DYNIP) {
 		err = -1;
 		savederrno = EINVAL;
 		log_err(knet_h, KNET_SUB_LINK, "host %u link %u is a point to point connection: %s",
 			host_id, link_id, strerror(savederrno));
 		goto exit_unlock;
 	}
 
-	check_rmall(knet_h, transport_link_get_acl_fd(knet_h, link), link->transport);
+	check_rmall(knet_h, link);
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = savederrno;
 	return err;
 }
diff --git a/libknet/links_acl.c b/libknet/links_acl.c
index 1612f15e..66faf244 100644
--- a/libknet/links_acl.c
+++ b/libknet/links_acl.c
@@ -1,65 +1,67 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
 
 #include "internals.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "links_acl.h"
 #include "links_acl_ip.h"
 #include "links_acl_loopback.h"
 
 static check_ops_t proto_check_modules_cmds[] = {
 	{ TRANSPORT_PROTO_LOOPBACK, loopbackcheck_validate, loopbackcheck_add, loopbackcheck_rm, loopbackcheck_rmall },
 	{ TRANSPORT_PROTO_IP_PROTO, ipcheck_validate, ipcheck_addip, ipcheck_rmip, ipcheck_rmall }
 };
 
 /*
  * all those functions will return errno from the
  * protocol specific functions
  */
 
-int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
+int check_add(knet_handle_t knet_h, struct knet_link *kn_link,
+	      int index,
 	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 	      check_type_t type, check_acceptreject_t acceptreject)
 {
-	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add(
-			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, index,
+	return proto_check_modules_cmds[transport_get_proto(knet_h, kn_link->transport)].protocheck_add(
+			&kn_link->access_list_match_entry_head, index,
 			ss1, ss2, type, acceptreject);
 }
 
-int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+int check_rm(knet_handle_t knet_h, struct knet_link *kn_link,
 	     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 	     check_type_t type, check_acceptreject_t acceptreject)
 {
-	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm(
-			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head,
+	return proto_check_modules_cmds[transport_get_proto(knet_h, kn_link->transport)].protocheck_rm(
+			&kn_link->access_list_match_entry_head,
 			ss1, ss2, type, acceptreject);
 }
 
-void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
+void check_rmall(knet_handle_t knet_h, struct knet_link *kn_link)
 {
-	proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rmall(
-		&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head);
+	proto_check_modules_cmds[transport_get_proto(knet_h, kn_link->transport)].protocheck_rmall(
+		&kn_link->access_list_match_entry_head);
 }
 
 /*
  * return 0 to reject and 1 to accept a packet
  */
-int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
+int check_validate(knet_handle_t knet_h, struct knet_link *kn_link,
+		   struct sockaddr_storage *checkip)
 {
-	return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_validate(
-			&knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip);
+	return proto_check_modules_cmds[transport_get_proto(knet_h, kn_link->transport)].protocheck_validate(
+			&kn_link->access_list_match_entry_head, checkip);
 }
diff --git a/libknet/links_acl.h b/libknet/links_acl.h
index 9901c956..3b9fd35e 100644
--- a/libknet/links_acl.h
+++ b/libknet/links_acl.h
@@ -1,39 +1,44 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_LINKS_ACL_H__
 #define __KNET_LINKS_ACL_H__
 
 #include "internals.h"
 
 typedef struct {
 	uint8_t				transport_proto;
 
 	int (*protocheck_validate)	(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip);
 
 	int (*protocheck_add)		(void *fd_tracker_match_entry_head, int index,
 					 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 					 check_type_t type, check_acceptreject_t acceptreject);
 
 	int (*protocheck_rm)		(void *fd_tracker_match_entry_head,
 					 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 					 check_type_t type, check_acceptreject_t acceptreject);
 
 	void (*protocheck_rmall)	(void *fd_tracker_match_entry_head);
 } check_ops_t;
 
-int check_add(knet_handle_t knet_h, int sock, uint8_t transport, int index,
+int check_add(knet_handle_t knet_h, struct knet_link *kn_link,
+	      int index,
 	      struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 	      check_type_t type, check_acceptreject_t acceptreject);
-int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
+
+int check_rm(knet_handle_t knet_h, struct knet_link *kn_link,
 	     struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 	     check_type_t type, check_acceptreject_t acceptreject);
-void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport);
-int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip);
+
+void check_rmall(knet_handle_t knet_h, struct knet_link *kn_link);
+
+int check_validate(knet_handle_t knet_h, struct knet_link *kn_link,
+		   struct sockaddr_storage *checkip);
 
 #endif
diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
index 68050bfc..8d562c58 100644
--- a/libknet/links_acl_ip.c
+++ b/libknet/links_acl_ip.c
@@ -1,302 +1,305 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
 
 #include "internals.h"
 #include "netutils.h"
 #include "logging.h"
 #include "transports.h"
 #include "links_acl.h"
 #include "links_acl_ip.h"
 
 struct ip_acl_match_entry {
 	check_type_t type;
 	check_acceptreject_t acceptreject;
 	struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */
 	struct sockaddr_storage addr2; /* high IP address or address bitmask */
 	struct ip_acl_match_entry *next;
 };
 
 /*
  * IPv4 See if the address we have matches the current match entry
  */
 
 static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
 {
 	struct sockaddr_in *ip_to_check;
 	struct sockaddr_in *match1;
 	struct sockaddr_in *match2;
 
 	ip_to_check = (struct sockaddr_in *)checkip;
 	match1 = (struct sockaddr_in *)&match_entry->addr1;
 	match2 = (struct sockaddr_in *)&match_entry->addr2;
 
 	switch(match_entry->type) {
 	case CHECK_TYPE_ADDRESS:
 		if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
 			return 1;
 		break;
 	case CHECK_TYPE_MASK:
 		if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
 		    match1->sin_addr.s_addr)
 			return 1;
 		break;
 	case CHECK_TYPE_RANGE:
 		if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
 		    (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
 			return 1;
 		break;
 
 	}
 	return 0;
 }
 
 /*
  * Compare two IPv6 addresses
  */
 
 static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
 {
 	uint64_t a_high, a_low;
 	uint64_t b_high, b_low;
 
 	a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) | (uint64_t)htonl(a->s6_addr32[1]);
 	a_low  = ((uint64_t)htonl(a->s6_addr32[2]) << 32) | (uint64_t)htonl(a->s6_addr32[3]);
 
 	b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) | (uint64_t)htonl(b->s6_addr32[1]);
 	b_low  = ((uint64_t)htonl(b->s6_addr32[2]) << 32) | (uint64_t)htonl(b->s6_addr32[3]);
 
 	if (a_high > b_high)
 		return 1;
 	if (a_high < b_high)
 		return -1;
 
 	if (a_low > b_low)
 		return 1;
 	if (a_low < b_low)
 		return -1;
 
 	return 0;
 }
 
 /*
  * IPv6 See if the address we have matches the current match entry
  */
 
 static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry)
 {
 	struct sockaddr_in6 *ip_to_check;
 	struct sockaddr_in6 *match1;
 	struct sockaddr_in6 *match2;
 	int i;
 
 	ip_to_check = (struct sockaddr_in6 *)checkip;
 	match1 = (struct sockaddr_in6 *)&match_entry->addr1;
 	match2 = (struct sockaddr_in6 *)&match_entry->addr2;
 
 	switch(match_entry->type) {
 	case CHECK_TYPE_ADDRESS:
 		if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
 			return 1;
 		break;
 
 	case CHECK_TYPE_MASK:
 		/*
 		 * Note that this little loop will quit early if there is a non-match so the
 		 * comparison might look backwards compared to the IPv4 one
 		 */
 		for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
 			if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
 			    match1->sin6_addr.s6_addr32[i])
 				return 0;
 		}
 		return 1;
 	case CHECK_TYPE_RANGE:
 		if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
 		    (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
 			return 1;
 		break;
 	}
 	return 0;
 }
 
 
 int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip)
 {
 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
 	struct ip_acl_match_entry *match_entry = *match_entry_head;
 	int (*match_fn)(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry);
 
 	if (checkip->ss_family == AF_INET) {
 		match_fn = ip_matches_v4;
 	} else {
 		match_fn = ip_matches_v6;
 	}
 
 	while (match_entry) {
 		if (match_fn(checkip, match_entry)) {
 			if (match_entry->acceptreject == CHECK_ACCEPT)
 				return 1;
 			else
 				return 0;
 		}
 		match_entry = match_entry->next;
 	}
 	return 0; /* Default reject */
 }
 
 /*
  * Routines to manuipulate access lists
  */
 
 void ipcheck_rmall(void *fd_tracker_match_entry_head)
 {
 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
 	struct ip_acl_match_entry *next_match_entry;
 	struct ip_acl_match_entry *match_entry = *match_entry_head;
 
 	while (match_entry) {
 		next_match_entry = match_entry->next;
 		free(match_entry);
 		match_entry = next_match_entry;
 	}
 	*match_entry_head = NULL;
 }
 
 static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head,
 						 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 						 check_type_t type, check_acceptreject_t acceptreject)
 {
 	struct ip_acl_match_entry *match_entry = *match_entry_head;
 
 	while (match_entry) {
-		if ((!memcmp(&match_entry->addr1, ss1, sizeof(struct sockaddr_storage))) &&
-		    (!memcmp(&match_entry->addr2, ss2, sizeof(struct sockaddr_storage))) &&
+		if ((!memcmp(&match_entry->addr1, ss1, sockaddr_len(ss1))) &&
+		    ((match_entry->type == CHECK_TYPE_ADDRESS) ||
+		     ((match_entry->type != CHECK_TYPE_ADDRESS) && ss2 && !memcmp(&match_entry->addr2, ss2, sockaddr_len(ss1)))) &&
 		    (match_entry->type == type) &&
 		    (match_entry->acceptreject == acceptreject)) {
 			return match_entry;
 		}
 		match_entry = match_entry->next;
 	}
 
 	return NULL;
 }
 
 int ipcheck_rmip(void *fd_tracker_match_entry_head,
 		 struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 		 check_type_t type, check_acceptreject_t acceptreject)
 {
 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
 	struct ip_acl_match_entry *next_match_entry = NULL;
 	struct ip_acl_match_entry *rm_match_entry;
 	struct ip_acl_match_entry *match_entry = *match_entry_head;
 
 	rm_match_entry = ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject);
 	if (!rm_match_entry) {
 		errno = ENOENT;
 		return -1;
 	}
 
 	while (match_entry) {
 		next_match_entry = match_entry->next;
 		/*
 		 * we are removing the list head, be careful
 		 */
 		if (rm_match_entry == match_entry) {
 			*match_entry_head = next_match_entry;
 			free(match_entry);
 			break;
 		}
 		/*
 		 * the next one is the one we need to remove
 		 */
 		if (rm_match_entry == next_match_entry) {
 			match_entry->next = next_match_entry->next;
 			free(next_match_entry);
 			break;
 		}
 		match_entry = next_match_entry;
 	}
 
 	return 0;
 }
 
 int ipcheck_addip(void *fd_tracker_match_entry_head, int index,
 		  struct sockaddr_storage *ss1, struct sockaddr_storage *ss2,
 		  check_type_t type, check_acceptreject_t acceptreject)
 {
 	struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head;
 	struct ip_acl_match_entry *new_match_entry;
 	struct ip_acl_match_entry *match_entry = *match_entry_head;
 	int i = 0;
 
 	if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) {
 		errno = EEXIST;
 		return -1;
 	}
 
 	new_match_entry = malloc(sizeof(struct ip_acl_match_entry));
 	if (!new_match_entry) {
 		return -1;
 	}
 
-	memmove(&new_match_entry->addr1, ss1, sizeof(struct sockaddr_storage));
-	memmove(&new_match_entry->addr2, ss2, sizeof(struct sockaddr_storage));
+	copy_sockaddr(&new_match_entry->addr1, ss1);
+	if (ss2) {
+		copy_sockaddr(&new_match_entry->addr2, ss2);
+	}
 	new_match_entry->type = type;
 	new_match_entry->acceptreject = acceptreject;
 	new_match_entry->next = NULL;
 
 	if (match_entry) {
 		/*
 		 * special case for index 0, since we need to update
 		 * the head of the list
 		 */
 		if (index == 0) {
 			*match_entry_head = new_match_entry;
 			new_match_entry->next = match_entry;
 		} else {
 			/*
 			 * find the end of the list or stop at "index"
 			 */
 
 			while (match_entry->next) {
 				match_entry = match_entry->next;
 				if (i == index) {
 					break;
 				}
 				i++;
 			}
 
 			/*
 			 * insert if there are more entries in the list
 			 */
 			if (match_entry->next) {
 				new_match_entry->next = match_entry->next;
 			}
 			/*
 			 * add if we are at the end
 			 */
 			match_entry->next = new_match_entry;
 		}
 	} else {
 		/*
 		 * first entry in the list
 		 */
 		*match_entry_head = new_match_entry;
 	}
 
 	return 0;
 }
diff --git a/libknet/netutils.c b/libknet/netutils.c
index 7e19104c..03f01650 100644
--- a/libknet/netutils.c
+++ b/libknet/netutils.c
@@ -1,133 +1,140 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <errno.h>
 #include <string.h>
 
 #include "internals.h"
 #include "netutils.h"
 
 int cmpaddr(const struct sockaddr_storage *ss1, const struct sockaddr_storage *ss2)
 {
 	struct sockaddr_in6 *ss1_addr6 = (struct sockaddr_in6 *)ss1;
 	struct sockaddr_in6 *ss2_addr6 = (struct sockaddr_in6 *)ss2;
 	struct sockaddr_in *ss1_addr = (struct sockaddr_in *)ss1;
 	struct sockaddr_in *ss2_addr = (struct sockaddr_in *)ss2;
 
 	if (ss1->ss_family != ss2->ss_family) {
 		return -1;
 	}
 
 	if (ss1->ss_family == AF_INET6) {
 		return memcmp(&ss1_addr6->sin6_addr.s6_addr32, &ss2_addr6->sin6_addr.s6_addr32, sizeof(struct in6_addr));
 	}
 
 	return memcmp(&ss1_addr->sin_addr.s_addr, &ss2_addr->sin_addr.s_addr, sizeof(struct in_addr));
 }
 
 socklen_t sockaddr_len(const struct sockaddr_storage *ss)
 {
         if (ss->ss_family == AF_INET) {
 	        return sizeof(struct sockaddr_in);
 	} else {
 	        return sizeof(struct sockaddr_in6);
 	}
 }
 
+/* Only copy the valid parts of a sockaddr* */
+void copy_sockaddr(struct sockaddr_storage *sout, const struct sockaddr_storage *sin)
+{
+	memset(sout, 0, sizeof(struct sockaddr_storage));
+	memmove(sout, sin, sockaddr_len(sin));
+}
+
 /*
  * exported APIs
  */
 
 int knet_strtoaddr(const char *host, const char *port, struct sockaddr_storage *ss, socklen_t sslen)
 {
 	int err;
 	struct addrinfo hints;
 	struct addrinfo *result = NULL;
 
 	if (!host) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!port) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!ss) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!sslen) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	memset(&hints, 0, sizeof(struct addrinfo));
 
 	hints.ai_family = AF_UNSPEC;
 	hints.ai_socktype = SOCK_DGRAM;
 	hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
 
 	err = getaddrinfo(host, port, &hints, &result);
 
 	if (!err) {
 		memmove(ss, result->ai_addr,
 			(sslen < result->ai_addrlen) ? sslen : result->ai_addrlen);
 
 		freeaddrinfo(result);
 	}
 
 	if (!err)
 		errno = 0;
 	return err;
 }
 
 int knet_addrtostr(const struct sockaddr_storage *ss, socklen_t sslen,
 		   char *addr_buf, size_t addr_buf_size,
 		   char *port_buf, size_t port_buf_size)
 {
 	int err;
 
 	if (!ss) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!sslen) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!addr_buf) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!port_buf) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	err = getnameinfo((struct sockaddr *)ss, sockaddr_len(ss),
 			  addr_buf, addr_buf_size,
 			  port_buf, port_buf_size,
 			  NI_NUMERICHOST | NI_NUMERICSERV);
 
 	if (!err)
 		errno = 0;
 	return err;
 }
diff --git a/libknet/netutils.h b/libknet/netutils.h
index 0c0c6e34..b9e5f4b7 100644
--- a/libknet/netutils.h
+++ b/libknet/netutils.h
@@ -1,29 +1,31 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_NETUTILS_H__
 #define __KNET_NETUTILS_H__
 
 #include <sys/socket.h>
 #include <netinet/in.h>
 
 /*
  * s6_addr32 is not defined in BSD userland, only kernel.
  * definition is the same as linux and it works fine for
  * what we need.
  */
 
 #ifndef s6_addr32
 #define s6_addr32 __u6_addr.__u6_addr32
 #endif
 
 int cmpaddr(const struct sockaddr_storage *ss1, const struct sockaddr_storage *ss2);
 
+void copy_sockaddr(struct sockaddr_storage *sout, const struct sockaddr_storage *sin);
+
 socklen_t sockaddr_len(const struct sockaddr_storage *ss);
 #endif
diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
index 60c83bda..38794433 100644
--- a/libknet/tests/Makefile.am
+++ b/libknet/tests/Makefile.am
@@ -1,113 +1,122 @@
 #
 # Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 MAINTAINERCLEANFILES	= Makefile.in
 
 include $(top_srcdir)/build-aux/check.mk
 include $(top_srcdir)/libknet/tests/api-check.mk
 
 EXTRA_DIST		= \
 			  api-test-coverage \
 			  api-check.mk
 
 AM_CPPFLAGS		= -I$(top_srcdir)/libknet
 AM_CFLAGS		+= $(PTHREAD_CFLAGS) $(libqb_CFLAGS)
 LIBS			= $(top_builddir)/libknet/libknet.la \
 			  $(PTHREAD_LIBS) $(dl_LIBS)
 
 noinst_HEADERS		= \
 			  test-common.h
 
 # the order of those tests is NOT random.
 # some functions can only be tested properly after some dependents
 # API have been validated upfront.
 
 check_PROGRAMS		= \
 			  $(api_checks) \
-			  $(int_checks) \
-			  $(fun_checks)
+			  $(int_checks)
+
+if RUN_FUN_TESTS
+check_PROGRAMS		+= $(fun_checks)
+endif
 
 int_checks		= \
 			  int_links_acl_ip_test \
 			  int_timediff_test
 
 fun_checks		= \
-			  fun_config_crypto_test
+			  fun_config_crypto_test \
+			  fun_acl_check_test
 
 # checks below need to be executed manually
 # or with a specifi environment
 
 long_run_checks		= \
 			  fun_pmtud_crypto_test
 
 benchmarks		= \
 			  knet_bench_test
 
 noinst_PROGRAMS		= \
 			  api_knet_handle_new_limit_test \
 			  pckt_test \
 			  $(benchmarks) \
 			  $(long_run_checks) \
-			  $(check_PROGRAMS)
+			  $(api_checks) \
+			  $(int_checks) \
+			  $(fun_checks)
 
 noinst_SCRIPTS		= \
 			  api-test-coverage
 
 TESTS			= $(check_PROGRAMS)
 
 if INSTALL_TESTS
 testsuitedir		= $(TESTDIR)
 testsuite_PROGRAMS	= $(noinst_PROGRAMS)
 endif
 
 check-local: check-api-test-coverage
 
 check-api-test-coverage:
 	chmod u+x $(top_srcdir)/libknet/tests/api-test-coverage
 	$(top_srcdir)/libknet/tests/api-test-coverage $(top_srcdir) $(top_builddir)
 
 pckt_test_SOURCES	= pckt_test.c
 
 int_links_acl_ip_test_SOURCES = int_links_acl_ip.c \
 				../common.c \
 				../compat.c \
 				../logging.c \
 				../netutils.c \
 				../threads_common.c \
 				../onwire.c \
 				../transports.c \
 				../transport_common.c \
 				../transport_loopback.c \
 				../transport_sctp.c \
 				../transport_udp.c \
 				../links_acl.c \
 				../links_acl_ip.c \
 				../links_acl_loopback.c \
 				../lib_config.c
 
 int_timediff_test_SOURCES = int_timediff.c
 
 knet_bench_test_SOURCES	= knet_bench.c \
 			  test-common.c \
 			  ../common.c \
 			  ../logging.c \
 			  ../compat.c \
 			  ../transport_common.c \
 			  ../threads_common.c \
 			  ../onwire.c \
 			  ../lib_config.c
 
 fun_pmtud_crypto_test_SOURCES = fun_pmtud_crypto.c \
 				test-common.c \
 				../onwire.c \
 				../logging.c \
 				../threads_common.c \
 				../lib_config.c
 
 fun_config_crypto_test_SOURCES = fun_config_crypto.c \
 				 test-common.c
+
+fun_acl_check_test_SOURCES = fun_acl_check.c \
+			     test-common.c
diff --git a/libknet/tests/api_knet_link_add_acl.c b/libknet/tests/api_knet_link_add_acl.c
index 4f6f8c91..759afdc2 100644
--- a/libknet/tests/api_knet_link_add_acl.c
+++ b/libknet/tests/api_knet_link_add_acl.c
@@ -1,246 +1,246 @@
 /*
  * Copyright (C) 2019-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_host *host;
 	struct knet_link *link;
 	struct sockaddr_storage lo, lo6;
 
 	if (make_local_sockaddr(&lo, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	if (make_local_sockaddr6(&lo6, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_add_acl incorrect knet_h\n");
 
 	if ((!knet_link_add_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_link_add_acl with unconfigured host\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with unconfigured link\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with invalid link\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with invalid ss1\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with invalid ss2\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with non matching families\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with wrong check_type\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with wrong acceptreject\n");
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_add_acl with point to point link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 0, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_add_acl accepted point to point link or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_link_clear_config(knet_h, 1, 0);
 
 	printf("Test knet_link_add_acl with dynamic link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 1, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list not empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
 		printf("knet_link_add_acl did not accept dynamic link error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (!link->access_list_match_entry_head) {
 		printf("match list empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_link_clear_acl.c b/libknet/tests/api_knet_link_clear_acl.c
index 9b5cfbb8..d2a6d8d5 100644
--- a/libknet/tests/api_knet_link_clear_acl.c
+++ b/libknet/tests/api_knet_link_clear_acl.c
@@ -1,191 +1,191 @@
 /*
  * Copyright (C) 2019-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_host *host;
 	struct knet_link *link;
 	struct sockaddr_storage lo;
 
 	printf("Test knet_link_clear_acl incorrect knet_h\n");
 
 	if ((!knet_link_clear_acl(NULL, 1, 0)) || (errno != EINVAL)) {
 		printf("knet_link_clear_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_link_clear_acl with unconfigured host\n");
 
 	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
 		printf("knet_link_clear_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_clear_acl with unconfigured link\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
 		printf("knet_link_clear_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_clear_acl with invalid link\n");
 
 	if ((!knet_link_clear_acl(knet_h, 1, KNET_MAX_LINK)) || (errno != EINVAL)) {
 		printf("knet_link_clear_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_clear_acl with point to point link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 0, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_clear_acl(knet_h, 1, 0)) || (errno != EINVAL)) {
 		printf("knet_link_clear_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_link_clear_config(knet_h, 1, 0);
 
 	printf("Test knet_link_clear_acl with dynamic link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 1, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list NOT empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
 		printf("knet_link_clear_acl did not accept dynamic link error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (!link->access_list_match_entry_head) {
 		printf("match list empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_clear_acl(knet_h, 1, 0) < 0) {
 		printf("knet_link_clear_acl failed to clear. error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list NOT empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_link_insert_acl.c b/libknet/tests/api_knet_link_insert_acl.c
index c0a4de3e..a5de2378 100644
--- a/libknet/tests/api_knet_link_insert_acl.c
+++ b/libknet/tests/api_knet_link_insert_acl.c
@@ -1,246 +1,246 @@
 /*
  * Copyright (C) 2019-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_host *host;
 	struct knet_link *link;
 	struct sockaddr_storage lo, lo6;
 
 	if (make_local_sockaddr(&lo, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	if (make_local_sockaddr6(&lo6, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_insert_acl incorrect knet_h\n");
 
 	if ((!knet_link_insert_acl(NULL, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_link_insert_acl with unconfigured host\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with unconfigured link\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with invalid link\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, KNET_MAX_LINK, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with invalid ss1\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with invalid ss2\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with non matching families\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with wrong check_type\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with wrong acceptreject\n");
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_insert_acl with point to point link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 0, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_insert_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_link_clear_config(knet_h, 1, 0);
 
 	printf("Test knet_link_insert_acl with dynamic link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 1, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list not empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_insert_acl(knet_h, 1, 0, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
 		printf("knet_link_insert_acl did not accept dynamic link error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (!link->access_list_match_entry_head) {
 		printf("match list empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_link_rm_acl.c b/libknet/tests/api_knet_link_rm_acl.c
index b3300dd1..7af3fd0a 100644
--- a/libknet/tests/api_knet_link_rm_acl.c
+++ b/libknet/tests/api_knet_link_rm_acl.c
@@ -1,256 +1,256 @@
 /*
  * Copyright (C) 2019-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_host *host;
 	struct knet_link *link;
 	struct sockaddr_storage lo, lo6;
 
 	if (make_local_sockaddr(&lo, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	if (make_local_sockaddr6(&lo6, 0) < 0) {
 		printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_rm_acl incorrect knet_h\n");
 
 	if ((!knet_link_rm_acl(NULL, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_link_rm_acl with unconfigured host\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted unconfigured host or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with unconfigured link\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted unconfigured link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with invalid link\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, KNET_MAX_LINK, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted invalid link or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with invalid ss1\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, NULL, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted invalid ss1 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with invalid ss2\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, NULL, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted invalid ss2 or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with non matching families\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo6, CHECK_TYPE_RANGE, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted non matching families or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with wrong check_type\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_RANGE + CHECK_TYPE_MASK + CHECK_TYPE_ADDRESS + 1, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with wrong acceptreject\n");
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT + CHECK_REJECT + 1)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted incorrect check_type or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_rm_acl with point to point link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 0, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) || (errno != EINVAL)) {
 		printf("knet_link_rm_acl accepted point ot point link or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_link_clear_config(knet_h, 1, 0);
 
 	printf("Test knet_link_rm_acl with dynamic link\n");
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 1, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list not empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_add_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
 		printf("Failed to add an access list: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_rm_acl(knet_h, 1, 0, &lo, &lo, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) {
 		printf("knet_link_rm_acl did not accept dynamic link error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("match list NOT empty!");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_link_set_config.c b/libknet/tests/api_knet_link_set_config.c
index 2aab41b3..14025649 100644
--- a/libknet/tests/api_knet_link_set_config.c
+++ b/libknet/tests/api_knet_link_set_config.c
@@ -1,302 +1,313 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "links.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	struct knet_host *host;
 	struct knet_link *link;
 	int logfds[2];
 	char lo_portstr[32];
 	struct sockaddr_storage lo, lo6;
 	struct sockaddr_in *lo_in = (struct sockaddr_in *)&lo;
 	struct knet_link_status link_status;
 
 	if (make_local_sockaddr(&lo, -1) < 0) {
 		printf("Unable to convert src to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 	sprintf(lo_portstr, "%d", ntohs(lo_in->sin_port));
 
 	printf("Test knet_link_set_config incorrect knet_h\n");
 
 	if ((!knet_link_set_config(NULL, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0)) || (errno != EINVAL)) {
 		printf("knet_link_set_config accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_link_set_config with unconfigured host_id\n");
 
 	if ((!knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0)) || (errno != EINVAL)) {
 		printf("knet_link_set_config accepted invalid host_id or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_set_config with bad transport type\n");
 
 	if ((!knet_link_set_config(knet_h, 1, 0, KNET_MAX_TRANSPORTS, &lo, &lo, 0)) || (errno != EINVAL)) {
 		printf("knet_link_set_config accepted invalid transport or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_set_config with incorrect linkid\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("Unable to add host_id 1: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_set_config(knet_h, 1, KNET_MAX_LINK, KNET_TRANSPORT_UDP, &lo, &lo, 0)) || (errno != EINVAL)) {
 		printf("knet_link_set_config accepted invalid linkid or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_set_config with incorrect src_addr\n");
 
 	if ((!knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, NULL, &lo, 0)) || (errno != EINVAL)) {
 		printf("knet_link_set_config accepted invalid src_addr or returned incorrect error: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_set_config with conflicting address families\n");
 
 	if (make_local_sockaddr6(&lo6, -1) < 0) {
 		printf("Unable to convert dst to sockaddr: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo6, 0) == 0) {
 		printf("knet_link_set_config accepted invalid address families: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_link_set_config with dynamic dst_addr\n");
 
 	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (link->access_list_match_entry_head) {
 		printf("found access lists for dynamic dst_addr!\n");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
 		printf("Unable to get link status: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((link_status.enabled != 0) ||
 	    (strcmp(link_status.src_ipaddr, "127.0.0.1")) ||
 	    (strcmp(link_status.src_port, lo_portstr)) ||
 	    (knet_h->host_index[1]->link[0].dynamic != KNET_LINK_DYNIP)) {
 		printf("knet_link_set_config failed to set configuration. enabled: %d src_addr %s src_port %s dynamic %u\n",
 		       link_status.enabled, link_status.src_ipaddr, link_status.src_port, knet_h->host_index[1]->link[0].dynamic);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
+	printf("Test knet_link_set_config with dynamic link (0) and static link (1)\n");
+
+	if (!knet_link_set_config(knet_h, 1, 1, KNET_TRANSPORT_UDP, &lo, &lo, 0) || (errno != EINVAL)) {
+		printf("knet_link_set_config accepted request mixed static/dynamic request or returned incorrect error: %s\n", strerror(errno));
+		knet_host_remove(knet_h, 1);
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
 	printf("Test knet_link_set_config with already configured link\n");
 	if ((!knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0) || (errno != EBUSY))) {
 		printf("knet_link_set_config accepted request while link configured or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_set_config with link enabled\n");
 
 	if (knet_link_set_enable(knet_h, 1, 0, 1) < 0) {
 		printf("Unable to enable link: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
 		printf("Unable to get link status: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((!knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, NULL, 0)) || (errno != EBUSY)) {
 		printf("knet_link_set_config accepted request while link enabled or returned incorrect error: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_set_enable(knet_h, 1, 0, 0) < 0) {
 		printf("Unable to disable link: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_clear_config(knet_h, 1, 0) < 0) {
 		printf("Unable to clear link config: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	printf("Test knet_link_set_config with static dst_addr\n");
 
 	if (knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, &lo, &lo, 0) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	host = knet_h->host_index[1];
 	link = &host->link[0];
 
-	if (!knet_h->knet_transport_fd_tracker[link->outsock].access_list_match_entry_head) {
+	if (!link->access_list_match_entry_head) {
 		printf("Unable to find default access lists for static dst_addr!\n");
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(struct knet_link_status)) < 0) {
 		printf("Unable to get link status: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((link_status.enabled != 0) ||
 	    (strcmp(link_status.src_ipaddr, "127.0.0.1")) ||
 	    (strcmp(link_status.src_port, lo_portstr)) ||
 	    (strcmp(link_status.dst_ipaddr, "127.0.0.1")) ||
 	    (strcmp(link_status.dst_port, lo_portstr)) ||
 	    (knet_h->host_index[1]->link[0].dynamic != KNET_LINK_STATIC)) {
 		printf("knet_link_set_config failed to set configuration. enabled: %d src_addr %s src_port %s dst_addr %s dst_port %s dynamic %u\n",
 		       link_status.enabled, link_status.src_ipaddr, link_status.src_port, link_status.dst_ipaddr, link_status.dst_port, knet_h->host_index[1]->link[0].dynamic);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
index f4ffb3df..a3b5aa49 100644
--- a/libknet/tests/api_knet_send.c
+++ b/libknet/tests/api_knet_send.c
@@ -1,368 +1,376 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static int private_data;
 
 static void sock_notify(void *pvt_data,
 			int datafd,
 			int8_t channel,
 			uint8_t tx_rx,
 			int error,
 			int errorno)
 {
 	return;
 }
 
 static void test(uint8_t transport)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	int datafd = 0;
 	int8_t channel = 0;
 	struct knet_link_status link_status;
 	char send_buff[KNET_MAX_PACKET_SIZE + 1];
 	char recv_buff[KNET_MAX_PACKET_SIZE];
 	ssize_t send_len = 0;
 	int recv_len = 0;
 	int savederrno;
 	struct sockaddr_storage lo;
 
 	memset(send_buff, 0, sizeof(send_buff));
 
 	printf("Test knet_send incorrect knet_h\n");
 
 	if ((!knet_send(NULL, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
+	if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
+		printf("Cannot enable access lists: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
 	printf("Test knet_send with no send_buff\n");
 
 	if ((!knet_send(knet_h, NULL, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid send_buff or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with invalid send_buff len (0)\n");
 
 	if ((!knet_send(knet_h, send_buff, 0, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid send_buff len (0) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with invalid send_buff len (> KNET_MAX_PACKET_SIZE)\n");
 
 	if ((!knet_send(knet_h, send_buff, KNET_MAX_PACKET_SIZE + 1, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid send_buff len (> KNET_MAX_PACKET_SIZE) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with invalid channel (-1)\n");
 
 	channel = -1;
 
 	if ((!knet_send(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid channel (-1) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with invalid channel (KNET_DATAFD_MAX)\n");
 
 	channel = KNET_DATAFD_MAX;
 
 	if ((!knet_send(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid channel (KNET_DATAFD_MAX) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with unconfigured channel\n");
 
 	channel = 0;
 
 	if ((!knet_send(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send accepted invalid unconfigured channel or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send with valid data\n");
 
 	if (knet_handle_enable_access_lists(knet_h, 1) < 0) {
 		printf("knet_handle_enable_access_lists failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_handle_enable_sock_notify(knet_h, &private_data, sock_notify) < 0) {
 		printf("knet_handle_enable_sock_notify failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
         }
 
 	datafd = 0;
 	channel = -1;
 
 	if (knet_handle_add_datafd(knet_h, &datafd, &channel) < 0) {
 		printf("knet_handle_add_datafd failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (_knet_link_set_config(knet_h, 1, 0, transport, 0, AF_INET, 0, &lo) < 0 ) {
 		int exit_status = transport == KNET_TRANSPORT_SCTP && errno == EPROTONOSUPPORT ? SKIP : FAIL;
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(exit_status);
 	}
 
 	if (knet_link_set_enable(knet_h, 1, 0, 1) < 0) {
 		printf("knet_link_set_enable failed: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_handle_setfwd(knet_h, 1) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (wait_for_host(knet_h, 1, 10, logfds[0], stdout) < 0) {
 		printf("timeout waiting for host to be reachable\n");
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	send_len = knet_send(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel);
 	if (send_len <= 0) {
 		printf("knet_send failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (send_len != sizeof(send_buff) - 1) {
 		printf("knet_send sent only %zd bytes: %s\n", send_len, strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	if (knet_handle_setfwd(knet_h, 0) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (wait_for_packet(knet_h, 10, datafd, logfds[0], stdout)) {
 		printf("Error waiting for packet: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	recv_len = knet_recv(knet_h, recv_buff, KNET_MAX_PACKET_SIZE, channel);
 	savederrno = errno;
 	if (recv_len != send_len) {
 		printf("knet_recv received only %d bytes: %s (errno: %d)\n", recv_len, strerror(errno), errno);
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		if ((is_helgrind()) && (recv_len == -1) && (savederrno == EAGAIN)) {
 			printf("helgrind exception. this is normal due to possible timeouts\n");
 			exit(PASS);
 		}
 		exit(FAIL);
 	}
 
 	if (memcmp(recv_buff, send_buff, KNET_MAX_PACKET_SIZE)) {
 		printf("recv and send buffers are different!\n");
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	/* A sanity check on the stats */
 	if (knet_link_get_status(knet_h, 1, 0, &link_status, sizeof(link_status)) < 0) {
 		printf("knet_link_get_status failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (link_status.stats.tx_data_packets != 2 ||
 	    link_status.stats.rx_data_packets != 2 ||
 	    link_status.stats.tx_data_bytes < KNET_MAX_PACKET_SIZE ||
 	    link_status.stats.rx_data_bytes < KNET_MAX_PACKET_SIZE ||
 	    link_status.stats.tx_data_bytes > KNET_MAX_PACKET_SIZE*2 ||
 	    link_status.stats.rx_data_bytes > KNET_MAX_PACKET_SIZE*2) {
 	    printf("stats look wrong: tx_packets: %" PRIu64 " (%" PRIu64 " bytes), rx_packets: %" PRIu64 " (%" PRIu64 " bytes)\n",
 		   link_status.stats.tx_data_packets,
 		   link_status.stats.tx_data_bytes,
 		   link_status.stats.rx_data_packets,
 		   link_status.stats.rx_data_bytes);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	if (knet_handle_setfwd(knet_h, 1) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	printf("try to send big packet to local datafd (bypass knet_send)\n");
 	if (write(datafd, &send_buff, sizeof(send_buff)) != KNET_MAX_PACKET_SIZE + 1) {
 		printf("Error writing to datafd: %s\n", strerror(errno));
 	}
 
 	if (!wait_for_packet(knet_h, 2, datafd, logfds[0], stdout)) {
 		printf("Received unexpected packet!\n");
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	knet_link_set_enable(knet_h, 1, 0, 0);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	printf("Testing with UDP\n");
 	test(KNET_TRANSPORT_UDP);
 
 #ifdef HAVE_NETINET_SCTP_H
 	printf("Testing with SCTP\n");
 	test(KNET_TRANSPORT_SCTP);
 #endif
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_send_sync.c b/libknet/tests/api_knet_send_sync.c
index 2e81e325..9994c36e 100644
--- a/libknet/tests/api_knet_send_sync.c
+++ b/libknet/tests/api_knet_send_sync.c
@@ -1,397 +1,409 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "netutils.h"
 #include "test-common.h"
 
 static int private_data;
 
 static void sock_notify(void *pvt_data,
 			int datafd,
 			int8_t channel,
 			uint8_t tx_rx,
 			int error,
 			int errorno)
 {
 	return;
 }
 
 static int dhost_filter_ret = 0;
 
 static int dhost_filter(void *pvt_data,
 			const unsigned char *outdata,
 			ssize_t outdata_len,
 			uint8_t tx_rx,
 			knet_node_id_t this_host_id,
 			knet_node_id_t src_host_id,
 			int8_t *dst_channel,
 			knet_node_id_t *dst_host_ids,
 			size_t *dst_host_ids_entries)
 {
 	dst_host_ids[0] = 0;
 
 	/*
 	 * fatal fault
 	 */
 	if (dhost_filter_ret < 0) {
 		return -1;
 	}
 
 	/*
 	 * trigger EINVAL
 	 * no ids found
 	 */
 	if (dhost_filter_ret == 0) {
 		*dst_host_ids_entries = 0;
 		return 0;
 	}
 
 	/*
  	 * send correct info back
  	 */
 
 	if (dhost_filter_ret == 1) {
 		dst_host_ids[0] = 1;
 		*dst_host_ids_entries = 1;
 		return 0;
 	}
 
 	/*
 	 * trigger E2BIG
 	 * mcast destinations
 	 */
 	if (dhost_filter_ret == 2) {
 		dst_host_ids[0] = 1;
 		*dst_host_ids_entries = 2;
 		return 0;
 	}
 
 	/*
 	 * return mcast
 	 */
 	if (dhost_filter_ret == 3) {
 		return 1;
 	}
 
 	return dhost_filter_ret;
 }
 
 static void test(void)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	int datafd = 0;
 	int8_t channel = 0;
 	char send_buff[KNET_MAX_PACKET_SIZE];
 	struct sockaddr_storage lo;
 
 	memset(send_buff, 0, sizeof(send_buff));
 
 	printf("Test knet_send_sync incorrect knet_h\n");
 
 	if ((!knet_send_sync(NULL, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	printf("Test knet_send_sync with no send_buff\n");
 
 	if ((!knet_send_sync(knet_h, NULL, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid send_buff or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with invalid send_buff len (0)\n");
 
 	if ((!knet_send_sync(knet_h, send_buff, 0, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid send_buff len (0) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with invalid send_buff len (> KNET_MAX_PACKET_SIZE)\n");
 
 	if ((!knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE + 1, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid send_buff len (> KNET_MAX_PACKET_SIZE) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with invalid channel (-1)\n");
 
 	channel = -1;
 
 	if ((!knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid channel (-1) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with invalid channel (KNET_DATAFD_MAX)\n");
 
 	channel = KNET_DATAFD_MAX;
 
 	if ((!knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid channel (KNET_DATAFD_MAX) or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
+	printf("Test knet_send_sync with no filter configured\n");
+
+	channel = 1;
+	if ((!knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != ENETDOWN)) {
+		printf("knet_send_sync Did not return ENETDOWN for no filter installed: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_handle_enable_filter(knet_h, NULL, dhost_filter) < 0) {
+		printf("knet_handle_enable_filter failed: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+
 	printf("Test knet_send_sync with unconfigured channel\n");
 
 	channel = 0;
 
 	if ((!knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel)) || (errno != EINVAL)) {
 		printf("knet_send_sync accepted invalid unconfigured channel or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with data forwarding disabled\n");
 
 	if (knet_handle_enable_sock_notify(knet_h, &private_data, sock_notify) < 0) {
 		printf("knet_handle_enable_sock_notify failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
         }
 
 	datafd = 0;
 	channel = -1;
 
 	if (knet_handle_add_datafd(knet_h, &datafd, &channel) < 0) {
 		printf("knet_handle_add_datafd failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != ECANCELED)) {
 		printf("knet_send_sync didn't detect datafwd disabled or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with broken dst_host_filter\n");
 
 	if (knet_handle_setfwd(knet_h, 1) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
-	if (knet_handle_enable_filter(knet_h, NULL, dhost_filter) < 0) {
-		printf("knet_handle_enable_filter failed: %s\n", strerror(errno));
-		knet_handle_free(knet_h);
-		flush_logs(logfds[0], stdout);
-		close_logpipes(logfds);
-		exit(FAIL);
-	}
-
 	dhost_filter_ret = -1;
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != EFAULT)) {
 		printf("knet_send_sync didn't detect fatal error from dst_host_filter or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with dst_host_filter returning no host_ids_entries\n");
 
 	dhost_filter_ret = 0;
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != EINVAL)) {
 		printf("knet_send_sync didn't detect 0 host_ids from dst_host_filter or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with host down\n");
 
 	dhost_filter_ret = 1;
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != EHOSTDOWN)) {
 		printf("knet_send_sync didn't detect hostdown or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with dst_host_filter returning too many host_ids_entries\n");
 
 	if (knet_host_add(knet_h, 1) < 0) {
 		printf("knet_host_add failed: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (_knet_link_set_config(knet_h, 1, 0, KNET_TRANSPORT_UDP, 0, AF_INET, 0, &lo) < 0) {
 		printf("Unable to configure link: %s\n", strerror(errno));
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (knet_link_set_enable(knet_h, 1, 0, 1) < 0) {
 		printf("knet_link_set_enable failed: %s\n", strerror(errno));
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	if (wait_for_host(knet_h, 1, 10, logfds[0], stdout) < 0) {
 		printf("timeout waiting for host to be reachable");
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	dhost_filter_ret = 2;
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != E2BIG)) {
 		printf("knet_send_sync didn't detect 2+ host_ids from dst_host_filter or returned incorrect error: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with dst_host_filter returning mcast packets\n");
 
 	dhost_filter_ret = 3;
 
 	if ((knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) == sizeof(send_buff)) || (errno != E2BIG)) {
 		printf("knet_send_sync didn't detect mcast packet from dst_host_filter or returned incorrect error: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_send_sync with valid data\n");
 
 	dhost_filter_ret = 1;
 
 	if (knet_send_sync(knet_h, send_buff, KNET_MAX_PACKET_SIZE, channel) < 0) {
 		printf("knet_send_sync failed: %d %s\n", errno, strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	if (knet_handle_setfwd(knet_h, 0) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		knet_link_set_enable(knet_h, 1, 0, 0);
 		knet_link_clear_config(knet_h, 1, 0);
 		knet_host_remove(knet_h, 1);
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	knet_link_set_enable(knet_h, 1, 0, 0);
 	knet_link_clear_config(knet_h, 1, 0);
 	knet_host_remove(knet_h, 1);
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	test();
 
 	return PASS;
 }
diff --git a/libknet/tests/fun_acl_check.c b/libknet/tests/fun_acl_check.c
new file mode 100644
index 00000000..55cf09bb
--- /dev/null
+++ b/libknet/tests/fun_acl_check.c
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.  All rights reserved.
+ *
+ * Authors: Christine Caulfield <ccaulfie@redhat.com>
+ *
+ * This software licensed under GPL-2.0+
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <pthread.h>
+#include <poll.h>
+
+#include "libknet.h"
+
+#include "internals.h"
+#include "netutils.h"
+#include "test-common.h"
+
+
+/*
+ * Keep track of how many messages got through:
+ * clean + 3xACLs + QUIT
+ */
+#define CORRECT_NUM_MSGS 5
+static int msgs_recvd = 0;
+
+#define TESTNODES 2
+
+static pthread_mutex_t recv_mutex = PTHREAD_MUTEX_INITIALIZER;
+static int quit_recv_thread = 0;
+
+static int reply_pipe[2];
+
+#define FAIL_ON_ERR(fn) \
+	printf("FOE: %s\n", #fn);			  \
+	if ((res = fn) != 0) {				  \
+	  int savederrno = errno;			  \
+	  pthread_mutex_lock(&recv_mutex);		  \
+	  quit_recv_thread = 1;				  \
+	  pthread_mutex_unlock(&recv_mutex);		  \
+	  if (recv_thread) {				  \
+		  pthread_join(recv_thread, (void**)&thread_err); \
+	  }						  \
+	  knet_handle_stop_nodes(knet_h, TESTNODES);	  \
+	  stop_logthread();				  \
+	  flush_logs(logfds[0], stdout);		  \
+	  close_logpipes(logfds);			  \
+	  close(reply_pipe[0]);				  \
+	  close(reply_pipe[1]);				  \
+	  if (res == -2) {				  \
+		  exit(SKIP);				  \
+	  } else {					  \
+		  printf("*** FAIL on line %d %s failed: %s\n", __LINE__ , #fn, strerror(savederrno)); \
+		  exit(FAIL);				  \
+	  }						  \
+	}
+
+static int knet_send_str(knet_handle_t knet_h, char *str)
+{
+	return knet_send_sync(knet_h, str, strlen(str)+1, 0);
+}
+
+/*
+ * lo0 is filled in with the local address on return.
+ * lo1 is expected to be provided - it's the actual remote address to connect to.
+ */
+int dyn_knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
+			     uint8_t transport, uint64_t flags, int family, int dynamic,
+			     struct sockaddr_storage *lo0, struct sockaddr_storage *lo1)
+{
+	int err = 0, savederrno = 0;
+	uint32_t port;
+	char portstr[32];
+
+	for (port = 1025; port < 65536; port++) {
+		sprintf(portstr, "%u", port);
+		memset(lo0, 0, sizeof(struct sockaddr_storage));
+		if (family == AF_INET6) {
+			err = knet_strtoaddr("::1", portstr, lo0, sizeof(struct sockaddr_storage));
+		} else {
+			err = knet_strtoaddr("127.0.0.1", portstr, lo0, sizeof(struct sockaddr_storage));
+		}
+		if (err < 0) {
+			printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
+			goto out;
+		}
+		errno = 0;
+		if (dynamic) {
+			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo0, NULL, flags);
+		} else {
+			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo0, lo1, flags);
+		}
+		savederrno = errno;
+		if ((err < 0) && (savederrno != EADDRINUSE)) {
+			if (savederrno == EPROTONOSUPPORT && transport == KNET_TRANSPORT_SCTP) {
+				return -2;
+			} else {
+				printf("Unable to configure link: %s\n", strerror(savederrno));
+				goto out;
+			}
+		}
+		if (!err) {
+			printf("Using port %u\n", port);
+			goto out;
+		}
+	}
+
+	if (err) {
+		printf("No more ports available\n");
+	}
+out:
+	errno = savederrno;
+	return err;
+}
+
+static void *recv_messages(void *handle)
+{
+	knet_handle_t knet_h = (knet_handle_t)handle;
+	char buf[4096];
+	ssize_t len;
+	static int err = 0;
+	int savederrno = 0, quit = 0;
+
+	while ((len = knet_recv(knet_h, buf, sizeof(buf), 0)) && (!quit)) {
+		savederrno = errno;
+		pthread_mutex_lock(&recv_mutex);
+		quit = quit_recv_thread;
+		pthread_mutex_unlock(&recv_mutex);
+		if (quit) {
+			printf(" *** recv thread was requested to exit via FOE\n");
+			err = 1;
+			return &err;
+		}
+		if (len > 0) {
+			int res;
+
+			printf("recv: (%ld) %s\n", (long)len, buf);
+			msgs_recvd++;
+			if (strcmp("QUIT", buf) == 0) {
+				break;
+			}
+			if (buf[0] == '0') { /* We should not have received this! */
+				printf(" *** FAIL received packet that should have been blocked\n");
+				err = 1;
+				return &err;
+			}
+			/* Tell the main thread we have received something */
+			res = write(reply_pipe[1], ".", 1);
+			if (res != 1) {
+				printf(" *** FAIL to send response back to main thread\n");
+				err = 1;
+				return &err;
+			}
+		}
+		usleep(1000);
+		if (len < 0 && savederrno != EAGAIN) {
+			break;
+		}
+	}
+	printf("-- recv thread finished: %zd %d %s\n", len, errno, strerror(savederrno));
+	return &err;
+}
+
+static void notify_fn(void *private_data,
+		     int datafd,
+		     int8_t channel,
+		     uint8_t tx_rx,
+		     int error,
+		     int errorno)
+{
+	printf("NOTIFY fn called\n");
+}
+
+/* A VERY basic filter because all data traffic is going to one place */
+static int dhost_filter(void *pvt_data,
+			const unsigned char *outdata,
+			ssize_t outdata_len,
+			uint8_t tx_rx,
+			knet_node_id_t this_host_id,
+			knet_node_id_t src_host_id,
+			int8_t *dst_channel,
+			knet_node_id_t *dst_host_ids,
+			size_t *dst_host_ids_entries)
+{
+	dst_host_ids[0] = 1;
+	*dst_host_ids_entries = 1;
+	return 0;
+}
+
+/* This used to be a pthread condition variable, but
+   there was a race where it could be triggered before
+   the main thread was waiting for it.
+   Go old-fashioned.
+*/
+static int wait_for_reply(int seconds)
+{
+	int res;
+	struct pollfd pfds;
+	char tmpbuf[32];
+
+	pfds.fd = reply_pipe[0];
+	pfds.events = POLLIN | POLLERR | POLLHUP;
+	pfds.revents = 0;
+
+	res = poll(&pfds, 1, seconds*1000);
+	if (res == 1) {
+		if (pfds.revents & POLLIN) {
+			res = read(reply_pipe[0], tmpbuf, sizeof(tmpbuf));
+			if (res > 0) {
+				return 0;
+			}
+		} else {
+			printf("Error on pipe poll revent = 0x%x\n", pfds.revents);
+			errno = EIO;
+		}
+	}
+	if (res == 0) {
+		errno = ETIMEDOUT;
+		return -1;
+	}
+
+	return -1;
+}
+
+static void test(int transport)
+{
+	knet_handle_t knet_h[TESTNODES+1];
+	int logfds[2];
+	struct sockaddr_storage lo0, lo1;
+	struct sockaddr_storage ss1, ss2;
+	int res;
+	pthread_t recv_thread = 0;
+	int *thread_err;
+	int datafd;
+	int8_t channel;
+	int seconds = 90; // dynamic tests take longer than normal tests
+
+	if (is_memcheck() || is_helgrind()) {
+		printf("Test suite is running under valgrind, adjusting wait_for_host timeout\n");
+		seconds = seconds * 16;
+	}
+
+	memset(knet_h, 0, sizeof(knet_h));
+	memset(reply_pipe, 0, sizeof(reply_pipe));
+	memset(logfds, 0, sizeof(logfds));
+
+	FAIL_ON_ERR(pipe(reply_pipe));
+
+	// Initial setup gubbins
+	msgs_recvd = 0;
+	setup_logpipes(logfds);
+	start_logthread(logfds[1], stdout);
+	knet_handle_start_nodes(knet_h, TESTNODES, logfds, KNET_LOG_DEBUG);
+
+	FAIL_ON_ERR(knet_host_add(knet_h[2], 1));
+	FAIL_ON_ERR(knet_host_add(knet_h[1], 2));
+
+	FAIL_ON_ERR(knet_handle_enable_filter(knet_h[2], NULL, dhost_filter));
+
+	// Create the dynamic (receiving) link
+	FAIL_ON_ERR(dyn_knet_link_set_config(knet_h[1], 2, 0, transport, 0, AF_INET, 1, &lo0, NULL));
+
+	// Connect to the dynamic link
+	FAIL_ON_ERR(dyn_knet_link_set_config(knet_h[2], 1, 0, transport, 0, AF_INET, 0, &lo1, &lo0));
+
+	// All the rest of the setup gubbins
+	FAIL_ON_ERR(knet_handle_enable_sock_notify(knet_h[1], 0, &notify_fn));
+	FAIL_ON_ERR(knet_handle_enable_sock_notify(knet_h[2], 0, &notify_fn));
+
+	channel = datafd = 0;
+	FAIL_ON_ERR(knet_handle_add_datafd(knet_h[1], &datafd, &channel));
+	channel = datafd = 0;
+	FAIL_ON_ERR(knet_handle_add_datafd(knet_h[2], &datafd, &channel));
+
+	FAIL_ON_ERR(knet_link_set_enable(knet_h[1], 2, 0, 1));
+	FAIL_ON_ERR(knet_link_set_enable(knet_h[2], 1, 0, 1));
+
+	FAIL_ON_ERR(knet_handle_setfwd(knet_h[1], 1));
+	FAIL_ON_ERR(knet_handle_setfwd(knet_h[2], 1));
+
+	// Start receive thread
+	FAIL_ON_ERR(pthread_create(&recv_thread, NULL, recv_messages, (void *)knet_h[1]));
+
+	// Let everything settle down
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 1, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 1, seconds, logfds[0], stdout));
+
+	/*
+	 * TESTING STARTS HERE
+	 * strings starting '1' should reach the receiving thread
+	 * strings starting '0' should not
+	 */
+
+	// No ACL
+	printf("Testing No ACL - this should get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "1No ACL - this should get through"));
+	FAIL_ON_ERR(wait_for_reply(seconds))
+
+	// Block traffic from this address.
+	memset(&ss1, 0, sizeof(ss1));
+	memset(&ss2, 0, sizeof(ss1));
+	knet_strtoaddr("127.0.0.1","0", &ss1, sizeof(ss1));
+	FAIL_ON_ERR(knet_link_add_acl(knet_h[1], 2, 0, &ss1, NULL, CHECK_TYPE_ADDRESS, CHECK_REJECT));
+	// Accept ACL for when we remove them
+	FAIL_ON_ERR(knet_link_add_acl(knet_h[1], 2, 0, &ss1, NULL, CHECK_TYPE_ADDRESS, CHECK_ACCEPT));
+
+	// This needs to go after the first ACLs are added
+	FAIL_ON_ERR(knet_handle_enable_access_lists(knet_h[1], 1));
+
+	printf("Testing Address blocked - this should NOT get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "0Address blocked - this should NOT get through"));
+
+	// Unblock and check again
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(knet_link_rm_acl(knet_h[1], 2, 0, &ss1, NULL, CHECK_TYPE_ADDRESS, CHECK_REJECT));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 1, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 1, seconds, logfds[0], stdout));
+
+	printf("Testing Address unblocked - this should get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "1Address unblocked - this should get through"));
+	FAIL_ON_ERR(wait_for_reply(seconds));
+
+	// Block traffic using a netmask
+	knet_strtoaddr("127.0.0.1","0", &ss1, sizeof(ss1));
+	knet_strtoaddr("255.0.0.1","0", &ss2, sizeof(ss2));
+	FAIL_ON_ERR(knet_link_insert_acl(knet_h[1], 2, 0, 0, &ss1, &ss2, CHECK_TYPE_MASK, CHECK_REJECT));
+
+	printf("Testing Netmask blocked - this should NOT get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "0Netmask blocked - this should NOT get through"));
+
+	// Unblock and check again
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(knet_link_rm_acl(knet_h[1], 2, 0, &ss1, &ss2, CHECK_TYPE_MASK, CHECK_REJECT));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 1, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 1, seconds, logfds[0], stdout));
+
+	printf("Testing Netmask unblocked - this should get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "1Netmask unblocked - this should get through"));
+	FAIL_ON_ERR(wait_for_reply(seconds));
+
+	// Block traffic from a range
+	knet_strtoaddr("127.0.0.0", "0", &ss1, sizeof(ss1));
+	knet_strtoaddr("127.0.0.9", "0", &ss2, sizeof(ss2));
+	FAIL_ON_ERR(knet_link_insert_acl(knet_h[1], 2, 0, 0, &ss1, &ss2, CHECK_TYPE_RANGE, CHECK_REJECT));
+
+	printf("Testing Range blocked - this should NOT get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "0Range blocked - this should NOT get through"));
+
+	// Unblock and check again
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 0, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(knet_link_rm_acl(knet_h[1], 2, 0, &ss1, &ss2, CHECK_TYPE_RANGE, CHECK_REJECT));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 1, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 1, seconds, logfds[0], stdout));
+
+	printf("Testing Range unblocked - this should get through\n");
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "1Range unblocked - this should get through"));
+	FAIL_ON_ERR(wait_for_reply(seconds));
+
+	// Finish up - disable ACLS to make sure the QUIT message gets through
+	FAIL_ON_ERR(knet_handle_enable_access_lists(knet_h[1], 0));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[1], TESTNODES, 1, seconds, logfds[0], stdout));
+	FAIL_ON_ERR(wait_for_nodes_state(knet_h[2], TESTNODES, 1, seconds, logfds[0], stdout));
+
+	FAIL_ON_ERR(knet_send_str(knet_h[2], "QUIT"));
+
+	// Check return from the receiving thread
+	pthread_join(recv_thread, (void**)&thread_err);
+	if (*thread_err) {
+		printf("Thread returned %d\n", *thread_err);
+		exit(FAIL);
+	}
+
+	//  Tidy Up
+	knet_handle_stop_nodes(knet_h, TESTNODES);
+
+	stop_logthread();
+	flush_logs(logfds[0], stdout);
+	close_logpipes(logfds);
+	close(reply_pipe[0]);
+	close(reply_pipe[1]);
+
+	if (msgs_recvd != CORRECT_NUM_MSGS) {
+		printf("*** FAIL Recv thread got %d messages, expected %d\n", msgs_recvd, CORRECT_NUM_MSGS);
+		exit(FAIL);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	printf("Testing with UDP\n");
+	test(KNET_TRANSPORT_UDP);
+
+#ifdef HAVE_NETINET_SCTP_H
+	printf("Testing with SCTP currently disabled\n");
+	//test(KNET_TRANSPORT_SCTP);
+#endif
+
+	return PASS;
+}
diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
index e55f5f73..86b76b0c 100644
--- a/libknet/tests/test-common.c
+++ b/libknet/tests/test-common.c
@@ -1,878 +1,952 @@
 
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <dirent.h>
 #include <sys/select.h>
+#include <sys/poll.h>
 
 #include "libknet.h"
 #include "test-common.h"
 
 static pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
 static int log_init = 0;
 static pthread_mutex_t log_thread_mutex = PTHREAD_MUTEX_INITIALIZER;
 static pthread_t log_thread;
 static int log_thread_init = 0;
 static int log_fds[2];
 struct log_thread_data {
 	int logfd;
 	FILE *std;
 };
 static struct log_thread_data data;
 static char plugin_path[PATH_MAX];
 
 static int _read_pipe(int fd, char **file, size_t *length)
 {
 	char buf[4096];
 	int n;
 	int done = 0;
 
 	*file = NULL;
 	*length = 0;
 
 	memset(buf, 0, sizeof(buf));
 
 	while (!done) {
 
 		n = read(fd, buf, sizeof(buf));
 
 		if (n < 0) {
 			if (errno == EINTR)
 				continue;
 
 			if (*file)
 				free(*file);
 
 			return n;
 		}
 
 		if (n == 0 && (!*length))
 			return 0;
 
 		if (n == 0)
 			done = 1;
 
 		if (*file)
 			*file = realloc(*file, (*length) + n + done);
 		else
 			*file = malloc(n + done);
 
 		if (!*file)
 			return -1;
 
 		memmove((*file) + (*length), buf, n);
 		*length += (done + n);
 	}
 
 	/* Null terminator */
 	(*file)[(*length) - 1] = 0;
 
 	return 0;
 }
 
 int execute_shell(const char *command, char **error_string)
 {
 	pid_t pid;
 	int status, err = 0;
 	int fd[2];
 	size_t size = 0;
 
 	if ((command == NULL) || (!error_string)) {
 		errno = EINVAL;
 		return FAIL;
 	}
 
 	*error_string = NULL;
 
 	err = pipe(fd);
 	if (err)
 		goto out_clean;
 
 	pid = fork();
 	if (pid < 0) {
 		err = pid;
 		goto out_clean;
 	}
 
 	if (pid) { /* parent */
 
 		close(fd[1]);
 		err = _read_pipe(fd[0], error_string, &size);
 		if (err)
 			goto out_clean0;
 
 		waitpid(pid, &status, 0);
 		if (!WIFEXITED(status)) {
 			err = -1;
 			goto out_clean0;
 		}
 		if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
 			err = WEXITSTATUS(status);
 			goto out_clean0;
 		}
 		goto out_clean0;
 	} else { /* child */
 		close(0);
 		close(1);
 		close(2);
 
 		close(fd[0]);
 		dup2(fd[1], 1);
 		dup2(fd[1], 2);
 		close(fd[1]);
 
 		execlp("/bin/sh", "/bin/sh", "-c", command, NULL);
 		exit(FAIL);
 	}
 
 out_clean:
 	close(fd[1]);
 out_clean0:
 	close(fd[0]);
 
 	return err;
 }
 
 int is_memcheck(void)
 {
 	char *val;
 
 	val = getenv("KNETMEMCHECK");
 
 	if (val) {
 		if (!strncmp(val, "yes", 3)) {
 			return 1;
 		}
 	}
 
 	return 0;
 }
 
 int is_helgrind(void)
 {
 	char *val;
 
 	val = getenv("KNETHELGRIND");
 
 	if (val) {
 		if (!strncmp(val, "yes", 3)) {
 			return 1;
 		}
 	}
 
 	return 0;
 }
 
 void set_scheduler(int policy)
 {
 	struct sched_param sched_param;
 	int err;
 
 	err = sched_get_priority_max(policy);
 	if (err < 0) {
 		printf("Could not get maximum scheduler priority\n");
 		exit(FAIL);
 	}
 	sched_param.sched_priority = err;
 	err = sched_setscheduler(0, policy, &sched_param);
 	if (err < 0) {
 		printf("Could not set priority\n");
 		exit(FAIL);
 	}
 	return;
 }
 
 int setup_logpipes(int *logfds)
 {
 	if (pipe2(logfds, O_CLOEXEC | O_NONBLOCK) < 0) {
 		printf("Unable to setup logging pipe\n");
 		exit(FAIL);
 	}
 
 	return PASS;
 }
 
 void close_logpipes(int *logfds)
 {
 	close(logfds[0]);
 	logfds[0] = 0;
 	close(logfds[1]);
 	logfds[1] = 0;
 }
 
 void flush_logs(int logfd, FILE *std)
 {
 	struct knet_log_msg msg;
 	int len;
 
 	while (1) {
 		len = read(logfd, &msg, sizeof(msg));
 		if (len != sizeof(msg)) {
 			/*
 			 * clear errno to avoid incorrect propagation
 			 */
 			errno = 0;
 			return;
 		}
 
 		msg.msg[sizeof(msg.msg) - 1] = 0;
 
 		fprintf(std, "[knet]: [%s] %s: %.*s\n",
 			knet_log_get_loglevel_name(msg.msglevel),
 			knet_log_get_subsystem_name(msg.subsystem),
 			KNET_MAX_LOG_MSG_SIZE, msg.msg);
 	}
 }
 
 static void *_logthread(void *args)
 {
 	while (1) {
 		int num;
 		struct timeval tv = { 60, 0 };
 		fd_set rfds;
 
 		FD_ZERO(&rfds);
 		FD_SET(data.logfd, &rfds);
 
 		num = select(FD_SETSIZE, &rfds, NULL, NULL, &tv);
 		if (num < 0) {
 			fprintf(data.std, "Unable select over logfd!\nHALTING LOGTHREAD!\n");
 			return NULL;
 		}
 		if (num == 0) {
 			fprintf(data.std, "[knet]: No logs in the last 60 seconds\n");
 			continue;
 		}
 		if (FD_ISSET(data.logfd, &rfds)) {
 			flush_logs(data.logfd, data.std);
 		}
 	}
 }
 
 int start_logthread(int logfd, FILE *std)
 {
 	int savederrno = 0;
 
 	savederrno = pthread_mutex_lock(&log_thread_mutex);
 	if (savederrno) {
 		printf("Unable to get log_thread mutex lock\n");
 		return -1;
 	}
 
 	if (!log_thread_init) {
 		data.logfd = logfd;
 		data.std = std;
 
 		savederrno = pthread_create(&log_thread, 0, _logthread, NULL);
 		if (savederrno) {
 			printf("Unable to start logging thread: %s\n", strerror(savederrno));
 			pthread_mutex_unlock(&log_thread_mutex);
 			return -1;
 		}
 		log_thread_init = 1;
 	}
 
 	pthread_mutex_unlock(&log_thread_mutex);
 	return 0;
 }
 
 int stop_logthread(void)
 {
 	int savederrno = 0;
 	void *retval;
 
 	savederrno = pthread_mutex_lock(&log_thread_mutex);
 	if (savederrno) {
 		printf("Unable to get log_thread mutex lock\n");
 		return -1;
 	}
 
 	if (log_thread_init) {
 		pthread_cancel(log_thread);
 		pthread_join(log_thread, &retval);
 		log_thread_init = 0;
 	}
 
 	pthread_mutex_unlock(&log_thread_mutex);
 	return 0;
 }
 
 static void stop_logging(void)
 {
 	stop_logthread();
 	flush_logs(log_fds[0], stdout);
 	close_logpipes(log_fds);
 }
 
 int start_logging(FILE *std)
 {
 	int savederrno = 0;
 
 	savederrno = pthread_mutex_lock(&log_mutex);
 	if (savederrno) {
 		printf("Unable to get log_mutex lock\n");
 		return -1;
 	}
 
 	if (!log_init) {
 		setup_logpipes(log_fds);
 
 		if (atexit(&stop_logging) != 0) {
 			printf("Unable to register atexit handler to stop logging: %s\n",
 			       strerror(errno));
 			exit(FAIL);
 		}
 
 		if (start_logthread(log_fds[0], std) < 0) {
 			exit(FAIL);
 		}
 
 		log_init = 1;
 	}
 
 	pthread_mutex_unlock(&log_mutex);
 
 	return log_fds[1];
 }
 
 static int dir_filter(const struct dirent *dname)
 {
 	if ( (strcmp(dname->d_name + strlen(dname->d_name)-3, ".so") == 0) &&
 	    ((strncmp(dname->d_name,"crypto", 6) == 0) ||
 	     (strncmp(dname->d_name,"compress", 8) == 0))) {
 		return 1;
 	}
 	return 0;
 }
 
 /* Make sure the proposed plugin path has at least 1 of each plugin available
    - just as a sanity check really */
 static int contains_plugins(char *path)
 {
 	struct dirent **namelist;
 	int n,i;
 	size_t j;
 	struct knet_compress_info compress_list[256];
 	struct knet_crypto_info crypto_list[256];
 	size_t num_compress, num_crypto;
 	size_t compress_found = 0;
 	size_t crypto_found = 0;
 
 	if (knet_get_compress_list(compress_list, &num_compress) == -1) {
 		return 0;
 	}
 	if (knet_get_crypto_list(crypto_list, &num_crypto) == -1) {
 		return 0;
 	}
 
 	n = scandir(path, &namelist, dir_filter, alphasort);
 	if (n == -1) {
 		return 0;
 	}
 
 	/* Look for plugins in the list */
 	for (i=0; i<n; i++) {
 		for (j=0; j<num_crypto; j++) {
 			if (strlen(namelist[i]->d_name) >= 7 &&
 			    strncmp(crypto_list[j].name, namelist[i]->d_name+7,
 				    strlen(crypto_list[j].name)) == 0) {
 				crypto_found++;
 			}
 		}
 		for (j=0; j<num_compress; j++) {
 			if (strlen(namelist[i]->d_name) >= 9 &&
 			    strncmp(compress_list[j].name, namelist[i]->d_name+9,
 				    strlen(compress_list[j].name)) == 0) {
 				compress_found++;
 			}
 		}
 		free(namelist[i]);
 	}
 	free(namelist);
 	/* If at least one plugin was found (or none were built) */
 	if ((crypto_found || num_crypto == 0) &&
 	    (compress_found || num_compress == 0)) {
 		return 1;
 	} else {
 		return 0;
 	}
 }
 
 
 /* libtool sets LD_LIBRARY_PATH to the build tree when running test in-tree */
 static char *find_plugins_path(void)
 {
 	char *ld_libs_env = getenv("LD_LIBRARY_PATH");
 	if (ld_libs_env) {
 		char *ld_libs = strdup(ld_libs_env);
 		char *str = strtok(ld_libs, ":");
 		while (str) {
 			if (contains_plugins(str)) {
 				strncpy(plugin_path, str, sizeof(plugin_path)-1);
 				free(ld_libs);
 				printf("Using plugins from %s\n", plugin_path);
 				return plugin_path;
 			}
 			str = strtok(NULL, ":");
 		}
 		free(ld_libs);
 	}
 	return NULL;
 }
 
 
 knet_handle_t knet_handle_start(int logfds[2], uint8_t log_level)
 {
 	knet_handle_t knet_h = knet_handle_new_ex(1, logfds[1], log_level, 0);
 	char *plugins_path;
 
 	if (knet_h) {
 		printf("knet_handle_new at %p\n", knet_h);
 		plugins_path = find_plugins_path();
 		/* Use plugins from the build tree */
 		if (plugins_path) {
 			knet_h->plugin_path = plugins_path;
 		}
 		return knet_h;
 	} else {
 		printf("knet_handle_new failed: %s\n", strerror(errno));
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 }
 
 int knet_handle_stop(knet_handle_t knet_h)
 {
 	size_t i, j;
 	knet_node_id_t host_ids[KNET_MAX_HOST];
 	uint8_t link_ids[KNET_MAX_LINK];
 	size_t host_ids_entries = 0, link_ids_entries = 0;
 	unsigned int enabled;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (knet_handle_setfwd(knet_h, 0) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		return -1;
 	}
 
 	if (knet_host_get_host_list(knet_h, host_ids, &host_ids_entries) < 0) {
 		printf("knet_host_get_host_list failed: %s\n", strerror(errno));
 		return -1;
 	}
 
 	for (i = 0; i < host_ids_entries; i++) {
 		if (knet_link_get_link_list(knet_h, host_ids[i], link_ids, &link_ids_entries)) {
 			printf("knet_link_get_link_list failed: %s\n", strerror(errno));
 			return -1;
 		}
 		for (j = 0; j < link_ids_entries; j++) {
 			if (knet_link_get_enable(knet_h, host_ids[i], link_ids[j], &enabled)) {
 				printf("knet_link_get_enable failed: %s\n", strerror(errno));
 				return -1;
 			}
 			if (enabled) {
 				if (knet_link_set_enable(knet_h, host_ids[i], j, 0)) {
 					printf("knet_link_set_enable failed: %s\n", strerror(errno));
 					return -1;
 				}
 			}
 			printf("clearing config for: %p host: %u link: %zu\n", knet_h, host_ids[i], j);
 			knet_link_clear_config(knet_h, host_ids[i], j);
 		}
 		if (knet_host_remove(knet_h, host_ids[i]) < 0) {
 			printf("knet_host_remove failed: %s\n", strerror(errno));
 			return -1;
 		}
 	}
 
 	if (knet_handle_free(knet_h)) {
 		printf("knet_handle_free failed: %s\n", strerror(errno));
 		return -1;
 	}
 
 	return 0;
 }
 
 static int _make_local_sockaddr(struct sockaddr_storage *lo, int offset, int family)
 {
 	in_port_t port;
 	char portstr[32];
 
 	if (offset < 0) {
 		/*
 		 * api_knet_link_set_config needs to access the API directly, but
 		 * it does not send any traffic, so it´s safe to ask the kernel
 		 * for a random port.
 		 */
 		port = 0;
 	} else {
 		/* Use the pid if we can. but makes sure its in a sensible range */
 		port = (getpid() + offset) % (65536-1024) + 1024;
 	}
 	sprintf(portstr, "%u", port);
 	memset(lo, 0, sizeof(struct sockaddr_storage));
 	printf("Using port %u\n", port);
 
 	if (family == AF_INET6) {
 		return knet_strtoaddr("::1", portstr, lo, sizeof(struct sockaddr_storage));
 	}
 	return knet_strtoaddr("127.0.0.1", portstr, lo, sizeof(struct sockaddr_storage));
 }
 
 int make_local_sockaddr(struct sockaddr_storage *lo, int offset)
 {
 	return _make_local_sockaddr(lo, offset, AF_INET);
 }
 
 int make_local_sockaddr6(struct sockaddr_storage *lo, int offset)
 {
 	return _make_local_sockaddr(lo, offset, AF_INET6);
 }
 
 int _knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			  uint8_t transport, uint64_t flags, int family, int dynamic,
 			  struct sockaddr_storage *lo)
 {
 	int err = 0, savederrno = 0;
 	uint32_t port;
 	char portstr[32];
 
 	for (port = 1025; port < 65536; port++) {
 		sprintf(portstr, "%u", port);
 		memset(lo, 0, sizeof(struct sockaddr_storage));
 		if (family == AF_INET6) {
 			err = knet_strtoaddr("::1", portstr, lo, sizeof(struct sockaddr_storage));
 		} else {
 			err = knet_strtoaddr("127.0.0.1", portstr, lo, sizeof(struct sockaddr_storage));
 		}
 		if (err < 0) {
 			printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 			goto out;
 		}
 		errno = 0;
 		if (dynamic) {
 			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo, NULL, flags);
 		} else {
 			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo, lo, flags);
 		}
 		savederrno = errno;
 		if ((err < 0)  && (savederrno != EADDRINUSE)) {
 			printf("Unable to configure link: %s\n", strerror(savederrno));
 			goto out;
 		}
 		if (!err) {
 			printf("Using port %u\n", port);
 			goto out;
 		}
 	}
 
 	if (err) {
 		printf("No more ports available\n");
 	}
 out:
 	errno = savederrno;
 	return err;
 }
 
 void test_sleep(knet_handle_t knet_h, int seconds)
 {
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting sleep timers\n");
 		seconds = seconds * 16;
 	}
 	sleep(seconds);
 }
 
 
 int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std)
 {
 	fd_set rfds;
 	struct timeval tv;
 	int err = 0, i = 0;
 
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting wait_for_packet timeout\n");
 		seconds = seconds * 16;
 	}
 
 try_again:
 	FD_ZERO(&rfds);
 	FD_SET(datafd, &rfds);
 
 	tv.tv_sec = 1;
 	tv.tv_usec = 0;
 
 	err = select(datafd+1, &rfds, NULL, NULL, &tv);
 	/*
 	 * on slow arches the first call to select can return 0.
 	 * pick an arbitrary 10 times loop (multiplied by waiting seconds)
 	 * before failing.
 	 */
 	if ((!err) && (i < seconds)) {
 		flush_logs(logfd, std);
 		i++;
 		goto try_again;
 	}
 	if ((err > 0) && (FD_ISSET(datafd, &rfds))) {
 		return 0;
 	}
 
 	errno = ETIMEDOUT;
 	return -1;
 }
 
 /*
  * functional tests helpers
  */
 
 void knet_handle_start_nodes(knet_handle_t knet_h[], uint8_t numnodes, int logfds[2], uint8_t log_level)
 {
 	uint8_t i;
 	char *plugins_path = find_plugins_path();
 
 	for (i = 1; i <= numnodes; i++) {
 		knet_h[i] = knet_handle_new_ex(i, logfds[1], log_level, 0);
 		if (!knet_h[i]) {
 			printf("failed to create handle: %s\n", strerror(errno));
 			break;
 		} else {
 			printf("knet_h[%u] at %p\n", i, knet_h[i]);
 		}
 		/* Use plugins from the build tree */
 		if (plugins_path) {
 			knet_h[i]->plugin_path = plugins_path;
 		}
 	}
 
 	if (i < numnodes) {
 		knet_handle_stop_nodes(knet_h, i);
 		exit(FAIL);
 	}
 
 	return;
 }
 
 void knet_handle_stop_nodes(knet_handle_t knet_h[], uint8_t numnodes)
 {
 	uint8_t i;
 
 	for (i = 1; i <= numnodes; i++) {
-		printf("stopping handle %u at %p\n", i, knet_h[i]);
-		knet_handle_stop(knet_h[i]);
+		if (knet_h[i]) {
+			printf("stopping handle %u at %p\n", i, knet_h[i]);
+			knet_handle_stop(knet_h[i]);
+		}
 	}
 
 	return;
 }
 
 void knet_handle_join_nodes(knet_handle_t knet_h[], uint8_t numnodes, uint8_t numlinks, int family, uint8_t transport)
 {
 	uint8_t i, x, j;
 	struct sockaddr_storage src, dst;
 	int offset = 0;
 	int res;
 
 	for (i = 1; i <= numnodes; i++) {
 		for (j = 1; j <= numnodes; j++) {
 			/*
 			 * don´t connect to itself
 			 */
 			if (j == i) {
 				continue;
 			}
 
 			printf("host %u adding host: %u\n", i, j);
 
 			if (knet_host_add(knet_h[i], j) < 0) {
 				printf("Unable to add host: %s\n", strerror(errno));
 				knet_handle_stop_nodes(knet_h, numnodes);
 				exit(FAIL);
 			}
 
 			for (x = 0; x < numlinks; x++) {
 				res = -1;
 				offset = 0;
 				while (i + x + offset++ < 65535 && res != 0) {
 					if (_make_local_sockaddr(&src, i + x + offset, family) < 0) {
 						printf("Unable to convert src to sockaddr: %s\n", strerror(errno));
 						knet_handle_stop_nodes(knet_h, numnodes);
 						exit(FAIL);
 					}
 
 					if (_make_local_sockaddr(&dst, j + x + offset, family) < 0) {
 						printf("Unable to convert dst to sockaddr: %s\n", strerror(errno));
 						knet_handle_stop_nodes(knet_h, numnodes);
 						exit(FAIL);
 					}
 
 					res = knet_link_set_config(knet_h[i], j, x, transport, &src, &dst, 0);
 				}
 				printf("joining node %u with node %u via link %u src offset: %u dst offset: %u\n", i, j, x, i+x, j+x);
 				if (knet_link_set_enable(knet_h[i], j, x, 1) < 0) {
 					printf("unable to enable link: %s\n", strerror(errno));
 					knet_handle_stop_nodes(knet_h, numnodes);
 					exit(FAIL);
 				}
 			}
 		}
 	}
 
 	for (i = 1; i <= numnodes; i++) {
 		wait_for_nodes_state(knet_h[i], numnodes, 1, 600, knet_h[1]->logfd, stdout);
 	}
 	return;
 }
 
 
 static int target=0;
-static pthread_mutex_t wait_mutex = PTHREAD_MUTEX_INITIALIZER;
-static pthread_cond_t wait_cond = PTHREAD_COND_INITIALIZER;
+
+static int state_wait_pipe[2] = {0,0};
+static int host_wait_pipe[2] = {0,0};
 
 static int count_nodes(knet_handle_t knet_h)
 {
 	int nodes = 0;
 	int i;
 
 	for (i=0; i< KNET_MAX_HOST; i++) {
 		if (knet_h->host_index[i] && knet_h->host_index[i]->status.reachable == 1) {
 			nodes++;
 		}
 	}
 	return nodes;
 }
 
 static void nodes_notify_callback(void *private_data,
 				  knet_node_id_t host_id,
 				  uint8_t reachable, uint8_t remote, uint8_t external)
 {
 	knet_handle_t knet_h = (knet_handle_t) private_data;
 	int nodes;
+	int res;
 
 	nodes = count_nodes(knet_h);
 
 	if (nodes == target) {
-		pthread_cond_signal(&wait_cond);
+		res = write(state_wait_pipe[1], ".", 1);
+		if (res != 1) {
+			printf("***FAILed to signal wait_for_nodes_state: %s\n", strerror(errno));
+		}
+	}
+}
+
+/* Called atexit() */
+static void finish_state_pipes()
+{
+	if (state_wait_pipe[0] != 0) {
+		close(state_wait_pipe[0]);
+		close(state_wait_pipe[1]);
+		state_wait_pipe[0] = 0;
+	}
+	if (host_wait_pipe[0] != 0) {
+		close(host_wait_pipe[0]);
+		close(host_wait_pipe[1]);
+		host_wait_pipe[0] = 0;
 	}
 }
 
 static void host_notify_callback(void *private_data,
 				 knet_node_id_t host_id,
 				 uint8_t reachable, uint8_t remote, uint8_t external)
 {
 	knet_handle_t knet_h = (knet_handle_t) private_data;
+	int res;
 
 	if (knet_h->host_index[host_id]->status.reachable == 1) {
-		pthread_cond_signal(&wait_cond);
+		res = write(host_wait_pipe[1], ".", 1);
+		if (res != 1) {
+			printf("***FAILed to signal wait_for_host: %s\n", strerror(errno));
+		}
+	}
+}
+
+static int wait_for_reply(int seconds, int pipefd)
+{
+	int res;
+	struct pollfd pfds;
+	char tmpbuf[32];
+
+	pfds.fd = pipefd;
+	pfds.events = POLLIN | POLLERR | POLLHUP;
+	pfds.revents = 0;
+
+	res = poll(&pfds, 1, seconds*1000);
+	if (res == 1) {
+		if (pfds.revents & POLLIN) {
+			res = read(pipefd, tmpbuf, sizeof(tmpbuf));
+			if (res > 0) {
+				return 0;
+			}
+		} else {
+			printf("Error on pipe poll revent = 0x%x\n", pfds.revents);
+			errno = EIO;
+		}
+	}
+	if (res == 0) {
+		errno = ETIMEDOUT;
+		return -1;
 	}
+
+	return -1;
 }
 
 /* Wait for a cluster of 'numnodes' to come up/go down */
 int wait_for_nodes_state(knet_handle_t knet_h, size_t numnodes,
 			 uint8_t state, uint32_t timeout,
 			 int logfd, FILE *std)
 {
-	struct timespec ts;
-	int res;
+	int res, savederrno = 0;
+
+	if (state_wait_pipe[0] == 0) {
+		res = pipe(state_wait_pipe);
+		if (res == -1) {
+			savederrno = errno;
+			printf("Error creating host reply pipe: %s\n", strerror(errno));
+			errno = savederrno;
+			return -1;
+		}
+		if (atexit(finish_state_pipes)) {
+			printf("Unable to register atexit handler to close pipes: %s\n",
+			       strerror(errno));
+			exit(FAIL);
+		}
+
+	}
 
 	if (state) {
 		target = numnodes-1; /* exclude us */
 	} else {
 		target = 0; /* Wait for all to go down */
 	}
 
 	/* Set this before checking existing status or there's a race condition */
 	knet_host_enable_status_change_notify(knet_h,
 					      (void *)(long)knet_h,
 					      nodes_notify_callback);
 
 	/* Check we haven't already got all the nodes in the correct state */
 	if (count_nodes(knet_h) == target) {
 		fprintf(stderr, "target already reached\n");
 		knet_host_enable_status_change_notify(knet_h, (void *)(long)0, NULL);
 		flush_logs(logfd, std);
 		return 0;
 	}
 
-	clock_gettime(CLOCK_REALTIME, &ts);
-	ts.tv_sec += timeout;
-	if (pthread_mutex_lock(&wait_mutex)) {
-		fprintf(stderr, "unable to get nodewait mutex: %s\n", strerror(errno));
-		return -1;
-	}
-	res = pthread_cond_timedwait(&wait_cond, &wait_mutex, &ts);
-	if (res == -1 && errno == ETIMEDOUT) {
-		fprintf(stderr, "Timed-out\n");
+	res = wait_for_reply(timeout, state_wait_pipe[0]);
+	if (res == -1) {
+		savederrno = errno;
+		printf("Error waiting for nodes status reply: %s\n", strerror(errno));
 	}
-	pthread_mutex_unlock(&wait_mutex);
 
 	knet_host_enable_status_change_notify(knet_h, (void *)(long)0, NULL);
 	flush_logs(logfd, std);
+	errno = savederrno;
 	return res;
 }
 
 /* Wait for a single node to come up */
 int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd, FILE *std)
 {
-	int res;
-	struct timespec ts;
+	int res = 0;
+	int savederrno = 0;
 
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting wait_for_host timeout\n");
 		seconds = seconds * 16;
 	}
 
+	if (host_wait_pipe[0] == 0) {
+		res = pipe(host_wait_pipe);
+		if (res == -1) {
+			savederrno = errno;
+			printf("Error creating host reply pipe: %s\n", strerror(errno));
+			errno = savederrno;
+			return -1;
+		}
+		if (atexit(finish_state_pipes)) {
+			printf("Unable to register atexit handler to close pipes: %s\n",
+			       strerror(errno));
+			exit(FAIL);
+		}
+
+	}
+
 	/* Set this before checking existing status or there's a race condition */
 	knet_host_enable_status_change_notify(knet_h,
 					      (void *)(long)knet_h,
 					      host_notify_callback);
 
 	/* Check it's not already reachable */
 	if (knet_h->host_index[host_id]->status.reachable == 1) {
 		knet_host_enable_status_change_notify(knet_h, (void *)(long)0, NULL);
 		flush_logs(logfd, std);
 		return 0;
 	}
 
-	clock_gettime(CLOCK_REALTIME, &ts);
-	ts.tv_sec += seconds;
-	if (pthread_mutex_lock(&wait_mutex)) {
-		fprintf(stderr, "unable to get nodewait mutex: %s\n", strerror(errno));
-		return -1;
-	}
-	res = pthread_cond_timedwait(&wait_cond, &wait_mutex, &ts);
-	if (res == -1 && errno == ETIMEDOUT) {
-		fprintf(stderr, "Timed-out\n");
-		knet_host_enable_status_change_notify(knet_h, (void *)(long)0, NULL);
-		pthread_mutex_unlock(&wait_mutex);
-		flush_logs(logfd, std);
-		return -1;
+	res = wait_for_reply(seconds, host_wait_pipe[0]);
+	if (res == -1) {
+		savederrno = errno;
+		printf("Error waiting for host status reply: %s\n", strerror(errno));
 	}
-	pthread_mutex_unlock(&wait_mutex);
 
 	knet_host_enable_status_change_notify(knet_h, (void *)(long)0, NULL);
 
 	/* Still wait for it to settle */
 	flush_logs(logfd, std);
 	test_sleep(knet_h, 1);
-	return 0;
+	errno = savederrno;
+	return res;
 }
diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
index 6684952e..45d5c326 100644
--- a/libknet/threads_heartbeat.c
+++ b/libknet/threads_heartbeat.c
@@ -1,238 +1,239 @@
 /*
  * Copyright (C) 2015-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <errno.h>
 #include <string.h>
 #include <pthread.h>
 #include <time.h>
 
 #include "crypto.h"
 #include "links.h"
 #include "logging.h"
 #include "transports.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 
 static void _link_down(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link)
 {
 	memset(&dst_link->pmtud_last, 0, sizeof(struct timespec));
 	dst_link->received_pong = 0;
 	dst_link->status.pong_last.tv_nsec = 0;
 	dst_link->pong_timeout_backoff = KNET_LINK_PONG_TIMEOUT_BACKOFF;
 	if (dst_link->status.connected == 1) {
 		log_info(knet_h, KNET_SUB_LINK, "host: %u link: %u is down",
 			 dst_host->host_id, dst_link->link_id);
 		_link_updown(knet_h, dst_host->host_id, dst_link->link_id, dst_link->status.enabled, 0, 1);
 	}
 }
 
 static void _handle_check_each(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link, int timed)
 {
 	int err = 0, savederrno = 0, stats_err = 0;
 	int len;
 	ssize_t outlen = KNET_HEADER_PING_SIZE;
 	struct timespec clock_now, pong_last;
 	unsigned long long diff_ping;
 	unsigned char *outbuf = (unsigned char *)knet_h->pingbuf;
 
 	if (dst_link->transport_connected == 0) {
 		_link_down(knet_h, dst_host, dst_link);
 		return;
 	}
 
 	/* caching last pong to avoid race conditions */
 	pong_last = dst_link->status.pong_last;
 
 	if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get monotonic clock");
 		return;
 	}
 
 	timespec_diff(dst_link->ping_last, clock_now, &diff_ping);
 
 	if ((diff_ping >= (dst_link->ping_interval * 1000llu)) || (!timed)) {
 		memmove(&knet_h->pingbuf->khp_ping_time[0], &clock_now, sizeof(struct timespec));
 		knet_h->pingbuf->khp_ping_link = dst_link->link_id;
 		if (pthread_mutex_lock(&knet_h->tx_seq_num_mutex)) {
 			log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get seq mutex lock");
 			return;
 		}
 		knet_h->pingbuf->khp_ping_seq_num = htons(knet_h->tx_seq_num);
 		pthread_mutex_unlock(&knet_h->tx_seq_num_mutex);
 		knet_h->pingbuf->khp_ping_timed = timed;
 
 		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)knet_h->pingbuf,
 						    outlen,
 						    knet_h->pingbuf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to crypto ping packet");
 				return;
 			}
 
 			outbuf = knet_h->pingbuf_crypt;
 			if (pthread_mutex_lock(&knet_h->handle_stats_mutex) < 0) {
 				log_err(knet_h, KNET_SUB_HEARTBEAT, "Unable to get mutex lock");
 				return;
 			}
 			knet_h->stats_extra.tx_crypt_ping_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		stats_err = pthread_mutex_lock(&dst_link->link_stats_mutex);
 		if (stats_err) {
 			log_err(knet_h, KNET_SUB_HEARTBEAT, "Unable to get stats mutex lock for host %u link %u: %s",
 				dst_host->host_id, dst_link->link_id, strerror(stats_err));
 			return;
 		}
 
 retry:
 		if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 			len = sendto(dst_link->outsock, outbuf, outlen,	MSG_DONTWAIT | MSG_NOSIGNAL,
-				     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
+				     (struct sockaddr *) &dst_link->dst_addr,
+				     knet_h->knet_transport_fd_tracker[dst_link->outsock].sockaddr_len);
 		} else {
 			len = sendto(dst_link->outsock, outbuf, outlen,	MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 		}
 		savederrno = errno;
 
 		dst_link->ping_last = clock_now;
 		dst_link->status.stats.tx_ping_packets++;
 		dst_link->status.stats.tx_ping_bytes += outlen;
 
 		if (len != outlen) {
 			err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
 			switch(err) {
 				case -1: /* unrecoverable error */
 					log_debug(knet_h, KNET_SUB_HEARTBEAT,
 						  "Unable to send ping (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 						  dst_link->outsock, savederrno, strerror(savederrno),
 						  dst_link->status.src_ipaddr, dst_link->status.src_port,
 						  dst_link->status.dst_ipaddr, dst_link->status.dst_port);
 					dst_link->status.stats.tx_ping_errors++;
 					break;
 				case 0:
 					break;
 				case 1:
 					dst_link->status.stats.tx_ping_retries++;
 					goto retry;
 					break;
 			}
 		} else {
 			dst_link->last_ping_size = outlen;
 		}
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 	}
 
 	timespec_diff(pong_last, clock_now, &diff_ping);
 	if ((pong_last.tv_nsec) && 
 	    (diff_ping >= (dst_link->pong_timeout_adj * 1000llu))) {
 		_link_down(knet_h, dst_host, dst_link);
 	}
 }
 
 void _send_pings(knet_handle_t knet_h, int timed)
 {
 	struct knet_host *dst_host;
 	int link_idx;
 
 	if (pthread_mutex_lock(&knet_h->hb_mutex)) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get hb mutex lock");
 		return;
 	}
 
 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if ((dst_host->link[link_idx].status.enabled != 1) ||
 			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
 			     (dst_host->link[link_idx].status.dynconnected != 1)))
 				continue;
 
 			_handle_check_each(knet_h, dst_host, &dst_host->link[link_idx], timed);
 		}
 	}
 
 	pthread_mutex_unlock(&knet_h->hb_mutex);
 }
 
 static void _adjust_pong_timeouts(knet_handle_t knet_h)
 {
 	struct knet_host *dst_host;
 	struct knet_link *dst_link;
 	int link_idx;
 
 	if (pthread_mutex_lock(&knet_h->backoff_mutex)) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get backoff_mutex");
 		return;
 	}
 
 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if ((dst_host->link[link_idx].status.enabled != 1) ||
 			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
 			     (dst_host->link[link_idx].status.dynconnected != 1)))
 				continue;
 
 			dst_link = &dst_host->link[link_idx];
 
 			if (dst_link->pong_timeout_backoff > 1) {
 				dst_link->pong_timeout_backoff--;
 			}
 
 			dst_link->pong_timeout_adj = (dst_link->pong_timeout * dst_link->pong_timeout_backoff) + (dst_link->status.latency * KNET_LINK_PONG_TIMEOUT_LAT_MUL);
 		}
 	}
 
 	pthread_mutex_unlock(&knet_h->backoff_mutex);
 }
 
 void *_handle_heartbt_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	int i = 1;
 
 	set_thread_status(knet_h, KNET_THREAD_HB, KNET_THREAD_STARTED);
 
 	/* preparing ping buffer */
 	knet_h->pingbuf->kh_version = KNET_HEADER_VERSION;
 	knet_h->pingbuf->kh_type = KNET_HEADER_TYPE_PING;
 	knet_h->pingbuf->kh_node = htons(knet_h->host_id);
 
 	while (!shutdown_in_progress(knet_h)) {
 		usleep(KNET_THREADS_TIMERES);
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get read lock");
 			continue;
 		}
 
 		/*
 		 *  _adjust_pong_timeouts should execute approx once a second.
 		 */
 		if ((i % (1000000 / KNET_THREADS_TIMERES)) == 0) {
 			_adjust_pong_timeouts(knet_h);
 			i = 1;
 		} else {
 			i++;
 		}
 
 		_send_pings(knet_h, 1);
 
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_HB, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
index 4aba9330..735d3a64 100644
--- a/libknet/threads_pmtud.c
+++ b/libknet/threads_pmtud.c
@@ -1,799 +1,800 @@
 /*
  * Copyright (C) 2015-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
 #include <pthread.h>
 
 #include "crypto.h"
 #include "links.h"
 #include "host.h"
 #include "logging.h"
 #include "transports.h"
 #include "threads_common.h"
 #include "threads_pmtud.h"
 
 static int _calculate_manual_mtu(knet_handle_t knet_h, struct knet_link *dst_link)
 {
 	size_t ipproto_overhead_len;	/* onwire packet overhead (protocol based) */
 
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead;
 			break;
 		case AF_INET:
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead;
 			break;
 		default:
 			log_debug(knet_h, KNET_SUB_PMTUD, "unknown protocol");
 			return 0;
 			break;
 	}
 
 	dst_link->status.mtu = calc_max_data_outlen(knet_h, knet_h->manual_mtu - ipproto_overhead_len);
 
 	return 1;
 }
 
 static int _handle_check_link_pmtud(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link)
 {
 	int err, ret, savederrno, mutex_retry_limit, failsafe, use_kernel_mtu, warn_once;
 	uint32_t kernel_mtu;		/* record kernel_mtu from EMSGSIZE */
 	size_t onwire_len;   		/* current packet onwire size */
 	size_t ipproto_overhead_len;	/* onwire packet overhead (protocol based) */
 	size_t max_mtu_len;		/* max mtu for protocol */
 	size_t data_len;		/* how much data we can send in the packet
 					 * generally would be onwire_len - ipproto_overhead_len
 					 * needs to be adjusted for crypto
 					 */
 	size_t app_mtu_len;		/* real data that we can send onwire */
 	ssize_t len;			/* len of what we were able to sendto onwire */
 
 	struct timespec ts, pmtud_crypto_start_ts, pmtud_crypto_stop_ts;
 	unsigned long long pong_timeout_adj_tmp, timediff;
 	int pmtud_crypto_reduce = 1;
 	unsigned char *outbuf = (unsigned char *)knet_h->pmtudbuf;
 
 	warn_once = 0;
 
 	mutex_retry_limit = 0;
 	failsafe = 0;
 
 	knet_h->pmtudbuf->khp_pmtud_link = dst_link->link_id;
 
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			max_mtu_len = KNET_PMTUD_SIZE_V6;
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead;
 			break;
 		case AF_INET:
 			max_mtu_len = KNET_PMTUD_SIZE_V4;
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead;
 			break;
 		default:
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted, unknown protocol");
 			return -1;
 			break;
 	}
 
 	dst_link->last_bad_mtu = 0;
 	dst_link->last_good_mtu = dst_link->last_ping_size + ipproto_overhead_len;
 
 	/*
 	 * discovery starts from the top because kernel will
 	 * refuse to send packets > current iface mtu.
 	 * this saves us some time and network bw.
 	 */ 
 	onwire_len = max_mtu_len;
 
 restart:
 
 	/*
 	 * prevent a race when interface mtu is changed _exactly_ during
 	 * the discovery process and it's complex to detect. Easier
 	 * to wait the next loop.
 	 * 30 is not an arbitrary value. To bisect from 576 to 128000 doesn't
 	 * take more than 18/19 steps.
 	 */
 
 	if (failsafe == 30) {
 		log_err(knet_h, KNET_SUB_PMTUD,
 			"Aborting PMTUD process: Too many attempts. MTU might have changed during discovery.");
 		return -1;
 	} else {
 		failsafe++;
 	}
 
 	/*
 	 * common to all packets
 	 */
 
 	/*
 	 * calculate the application MTU based on current onwire_len minus ipproto_overhead_len
 	 */
 
 	app_mtu_len = calc_max_data_outlen(knet_h, onwire_len - ipproto_overhead_len);
 
 	/*
 	 * recalculate onwire len back that might be different based
 	 * on data padding from crypto layer.
 	 */
 
 	onwire_len = calc_data_outlen(knet_h, app_mtu_len + KNET_HEADER_ALL_SIZE) + ipproto_overhead_len;
 
 	/*
 	 * calculate the size of what we need to send to sendto(2).
 	 * see also onwire.c for packet format explanation.
 	 */
 	data_len = app_mtu_len + knet_h->sec_hash_size + knet_h->sec_salt_size + KNET_HEADER_ALL_SIZE;
 
 	if (knet_h->crypto_in_use_config) {
 		if (data_len < (knet_h->sec_hash_size + knet_h->sec_salt_size) + 1) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Aborting PMTUD process: link mtu smaller than crypto header detected (link might have been disconnected)");
 			return -1;
 		}
 
 		knet_h->pmtudbuf->khp_pmtud_size = onwire_len;
 
 		if (crypto_encrypt_and_sign(knet_h,
 					    (const unsigned char *)knet_h->pmtudbuf,
 					    data_len - (knet_h->sec_hash_size + knet_h->sec_salt_size),
 					    knet_h->pmtudbuf_crypt,
 					    (ssize_t *)&data_len) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to crypto pmtud packet");
 			return -1;
 		}
 
 		outbuf = knet_h->pmtudbuf_crypt;
 		if (pthread_mutex_lock(&knet_h->handle_stats_mutex) < 0) {
 			log_err(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 			return -1;
 		}
 		knet_h->stats_extra.tx_crypt_pmtu_packets++;
 		pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 	} else {
 		knet_h->pmtudbuf->khp_pmtud_size = onwire_len;
 	}
 
 	/* link has gone down, aborting pmtud */
 	if (dst_link->status.connected != 1) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD detected host (%u) link (%u) has been disconnected", dst_host->host_id, dst_link->link_id);
 		return -1;
 	}
 
 	if (dst_link->transport_connected != 1) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD detected host (%u) link (%u) has been disconnected", dst_host->host_id, dst_link->link_id);
 		return -1;
 	}
 
 	if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 		return -1;
 	}
 
 	if (knet_h->pmtud_abort) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		errno = EDEADLK;
 		return -1;
 	}
 
 	savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 	if (savederrno) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get TX mutex lock: %s", strerror(savederrno));
 		return -1;
 	}
 
 	savederrno = pthread_mutex_lock(&dst_link->link_stats_mutex);
 	if (savederrno) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		pthread_mutex_unlock(&knet_h->tx_mutex);
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get stats mutex lock for host %u link %u: %s",
 			dst_host->host_id, dst_link->link_id, strerror(savederrno));
 		return -1;
 	}
 
 retry:
 	if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 		len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL,
-			     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
+			     (struct sockaddr *) &dst_link->dst_addr,
+			     knet_h->knet_transport_fd_tracker[dst_link->outsock].sockaddr_len);
 	} else {
 		len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 	}
 	savederrno = errno;
 
 	/*
 	 * we cannot hold a lock on kmtu_mutex between resetting
 	 * knet_h->kernel_mtu here and below where it's used.
 	 * use_kernel_mtu tells us if the knet_h->kernel_mtu was
 	 * set to 0 and we can trust its value later.
 	 */
 	use_kernel_mtu = 0;
 
 	if (pthread_mutex_lock(&knet_h->kmtu_mutex) == 0) {
 		use_kernel_mtu = 1;
 		knet_h->kernel_mtu = 0;
 		pthread_mutex_unlock(&knet_h->kmtu_mutex);
 	}
 
 	kernel_mtu = 0;
 
 	err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
 	switch(err) {
 		case -1: /* unrecoverable error */
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet (sendto): %d %s", savederrno, strerror(savederrno));
 			pthread_mutex_unlock(&knet_h->tx_mutex);
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			dst_link->status.stats.tx_pmtu_errors++;
 			pthread_mutex_unlock(&dst_link->link_stats_mutex);
 			return -1;
 		case 0: /* ignore error and continue */
 			break;
 		case 1: /* retry to send those same data */
 			dst_link->status.stats.tx_pmtu_retries++;
 			goto retry;
 			break;
 	}
 
 	pthread_mutex_unlock(&knet_h->tx_mutex);
 
 	if (len != (ssize_t )data_len) {
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 		if (savederrno == EMSGSIZE) {
 			/*
 			 * we cannot hold a lock on kmtu_mutex between resetting
 			 * knet_h->kernel_mtu and here.
 			 * use_kernel_mtu tells us if the knet_h->kernel_mtu was
 			 * set to 0 previously and we can trust its value now.
 			 */
 			if (use_kernel_mtu) {
 				use_kernel_mtu = 0;
 				if (pthread_mutex_lock(&knet_h->kmtu_mutex) == 0) {
 					kernel_mtu = knet_h->kernel_mtu;
 					pthread_mutex_unlock(&knet_h->kmtu_mutex);
 				}
 			}
 			if (kernel_mtu > 0) {
 				dst_link->last_bad_mtu = kernel_mtu + 1;
 			} else {
 				dst_link->last_bad_mtu = onwire_len;
 			}
 		} else {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet len: %zu err: %s", onwire_len, strerror(savederrno));
 		}
 
 	} else {
 		dst_link->last_sent_mtu = onwire_len;
 		dst_link->last_recv_mtu = 0;
 		dst_link->status.stats.tx_pmtu_packets++;
 		dst_link->status.stats.tx_pmtu_bytes += data_len;
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 
 		if (clock_gettime(CLOCK_REALTIME, &ts) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			return -1;
 		}
 
 		/*
 		 * non fatal, we can wait the next round to reduce the
 		 * multiplier
 		 */
 		if (clock_gettime(CLOCK_MONOTONIC, &pmtud_crypto_start_ts) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			pmtud_crypto_reduce = 0;
 		}
 
 		/*
 		 * set PMTUd reply timeout to match pong_timeout on a given link
 		 *
 		 * math: internally pong_timeout is expressed in microseconds, while
 		 *       the public API exports milliseconds. So careful with the 0's here.
 		 * the loop is necessary because we are grabbing the current time just above
 		 * and add values to it that could overflow into seconds.
 		 */ 
 
 		if (pthread_mutex_lock(&knet_h->backoff_mutex)) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get backoff_mutex");
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			return -1;
 		}
 
 		if (knet_h->crypto_in_use_config) {
 			/*
 			 * crypto, under pressure, is a royal PITA
 			 */
 			pong_timeout_adj_tmp = dst_link->pong_timeout_adj * dst_link->pmtud_crypto_timeout_multiplier;
 		} else {
 			pong_timeout_adj_tmp = dst_link->pong_timeout_adj;
 		}
 
 		ts.tv_sec += pong_timeout_adj_tmp / 1000000;
 		ts.tv_nsec += (((pong_timeout_adj_tmp) % 1000000) * 1000);
 		while (ts.tv_nsec > 1000000000) {
 			ts.tv_sec += 1;
 			ts.tv_nsec -= 1000000000;
 		}
 
 		pthread_mutex_unlock(&knet_h->backoff_mutex);
 
 		knet_h->pmtud_waiting = 1;
 
 		ret = pthread_cond_timedwait(&knet_h->pmtud_cond, &knet_h->pmtud_mutex, &ts);
 
 		knet_h->pmtud_waiting = 0;
 
 		if (knet_h->pmtud_abort) {
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			errno = EDEADLK;
 			return -1;
 		}
 
 		/*
 		 * we cannot use shutdown_in_progress in here because
 		 * we already hold the read lock
 		 */
 		if (knet_h->fini_in_progress) {
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted. shutdown in progress");
 			return -1;
 		}
 
 		if (ret) {
 			if (ret == ETIMEDOUT) {
 				if ((knet_h->crypto_in_use_config) && (dst_link->pmtud_crypto_timeout_multiplier < KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MAX)) {
 					dst_link->pmtud_crypto_timeout_multiplier = dst_link->pmtud_crypto_timeout_multiplier * 2;
 					pmtud_crypto_reduce = 0;
 					log_debug(knet_h, KNET_SUB_PMTUD,
 							"Increasing PMTUd response timeout multiplier to (%u) for host %u link: %u",
 							dst_link->pmtud_crypto_timeout_multiplier,
 							dst_host->host_id,
 							dst_link->link_id);
 					pthread_mutex_unlock(&knet_h->pmtud_mutex);
 					goto restart;
 				}
 				if (!warn_once) {
 					log_warn(knet_h, KNET_SUB_PMTUD,
 							"possible MTU misconfiguration detected. "
 							"kernel is reporting MTU: %u bytes for "
 							"host %u link %u but the other node is "
 							"not acknowledging packets of this size. ",
 							dst_link->last_sent_mtu,
 							dst_host->host_id,
 							dst_link->link_id);
 					log_warn(knet_h, KNET_SUB_PMTUD,
 							"This can be caused by this node interface MTU "
 							"too big or a network device that does not "
 							"support or has been misconfigured to manage MTU "
 							"of this size, or packet loss. knet will continue "
 							"to run but performances might be affected.");
 					warn_once = 1;
 				}
 			} else {
 				pthread_mutex_unlock(&knet_h->pmtud_mutex);
 				if (mutex_retry_limit == 3) {
 					log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted, unable to get mutex lock");
 					return -1;
 				}
 				mutex_retry_limit++;
 				goto restart;
 			}
 		}
 
 		if ((knet_h->crypto_in_use_config) && (pmtud_crypto_reduce == 1) &&
 		    (dst_link->pmtud_crypto_timeout_multiplier > KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MIN)) {
 			if (!clock_gettime(CLOCK_MONOTONIC, &pmtud_crypto_stop_ts)) {
 				timespec_diff(pmtud_crypto_start_ts, pmtud_crypto_stop_ts, &timediff);
 				if (((pong_timeout_adj_tmp * 1000) / 2) > timediff) {
 					dst_link->pmtud_crypto_timeout_multiplier = dst_link->pmtud_crypto_timeout_multiplier / 2;
 					log_debug(knet_h, KNET_SUB_PMTUD,
 							"Decreasing PMTUd response timeout multiplier to (%u) for host %u link: %u",
 							dst_link->pmtud_crypto_timeout_multiplier,
 							dst_host->host_id,
 							dst_link->link_id);
 				}
 			} else {
 				log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			}
 		}
 
 		if ((dst_link->last_recv_mtu != onwire_len) || (ret)) {
 			dst_link->last_bad_mtu = onwire_len;
 		} else {
 			int found_mtu = 0;
 
 			if (knet_h->sec_block_size) {
 				if ((onwire_len + knet_h->sec_block_size >= max_mtu_len) ||
 				   ((dst_link->last_bad_mtu) && (dst_link->last_bad_mtu <= (onwire_len + knet_h->sec_block_size)))) {
 					found_mtu = 1;
 				}
 			} else {
 				if ((onwire_len == max_mtu_len) ||
 				    ((dst_link->last_bad_mtu) && (dst_link->last_bad_mtu == (onwire_len + 1))) ||
 				     (dst_link->last_bad_mtu == dst_link->last_good_mtu)) {
 					found_mtu = 1;
 				}
 			}
 
 			if (found_mtu) {
 				/*
 				 * account for IP overhead, knet headers and crypto in PMTU calculation
 				 */
 				dst_link->status.mtu = calc_max_data_outlen(knet_h, onwire_len - ipproto_overhead_len);
 				pthread_mutex_unlock(&knet_h->pmtud_mutex);
 				return 0;
 			}
 
 			dst_link->last_good_mtu = onwire_len;
 		}
 	}
 
 	if (kernel_mtu) {
 		onwire_len = kernel_mtu;
 	} else {
 		onwire_len = (dst_link->last_good_mtu + dst_link->last_bad_mtu) / 2;
 	}
 
 	pthread_mutex_unlock(&knet_h->pmtud_mutex);
 
 	goto restart;
 }
 
 static int _handle_check_pmtud(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link, int force_run)
 {
 	uint8_t saved_valid_pmtud;
 	unsigned int saved_pmtud;
 	struct timespec clock_now;
 	unsigned long long diff_pmtud, interval;
 
 	if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
 		return 0;
 	}
 
 	if (!force_run) {
 		interval = knet_h->pmtud_interval * 1000000000llu; /* nanoseconds */
 
 		timespec_diff(dst_link->pmtud_last, clock_now, &diff_pmtud);
 
 		if (diff_pmtud < interval) {
 			return dst_link->has_valid_mtu;
 		}
 	}
 
 	/*
 	 * status.proto_overhead should include all IP/(UDP|SCTP)/knet headers
 	 *
 	 * please note that it is not the same as link->proto_overhead that
 	 * includes only either UDP or SCTP (at the moment) overhead.
 	 */
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			dst_link->status.proto_overhead = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead + KNET_HEADER_ALL_SIZE + knet_h->sec_hash_size + knet_h->sec_salt_size;
 			break;
 		case AF_INET:
 			dst_link->status.proto_overhead = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead + KNET_HEADER_ALL_SIZE + knet_h->sec_hash_size + knet_h->sec_salt_size;
 			break;
 	}
 
 	saved_pmtud = dst_link->status.mtu;
 	saved_valid_pmtud = dst_link->has_valid_mtu;
 
 	log_debug(knet_h, KNET_SUB_PMTUD, "Starting PMTUD for host: %u link: %u", dst_host->host_id, dst_link->link_id);
 
 	errno = 0;
 	if (_handle_check_link_pmtud(knet_h, dst_host, dst_link) < 0) {
 		if (errno == EDEADLK) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD for host: %u link: %u has been rescheduled", dst_host->host_id, dst_link->link_id);
 			dst_link->status.mtu = saved_pmtud;
 			dst_link->has_valid_mtu = saved_valid_pmtud;
 			errno = EDEADLK;
 			return dst_link->has_valid_mtu;
 		}
 		dst_link->has_valid_mtu = 0;
 	} else {
 		if (dst_link->status.mtu < calc_min_mtu(knet_h)) {
 			log_info(knet_h, KNET_SUB_PMTUD,
 				 "Invalid MTU detected for host: %u link: %u mtu: %u",
 				 dst_host->host_id, dst_link->link_id, dst_link->status.mtu);
 			dst_link->has_valid_mtu = 0;
 		} else {
 			dst_link->has_valid_mtu = 1;
 		}
 		if (dst_link->has_valid_mtu) {
 			if ((saved_pmtud) && (saved_pmtud != dst_link->status.mtu)) {
 				log_info(knet_h, KNET_SUB_PMTUD, "PMTUD link change for host: %u link: %u from %u to %u",
 					 dst_host->host_id, dst_link->link_id, saved_pmtud, dst_link->status.mtu);
 			}
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD completed for host: %u link: %u current link mtu: %u",
 				  dst_host->host_id, dst_link->link_id, dst_link->status.mtu);
 
 			/*
 			 * set pmtud_last, if we can, after we are done with the PMTUd process
 			 * because it can take a very long time.
 			 */
 			dst_link->pmtud_last = clock_now;
 			if (!clock_gettime(CLOCK_MONOTONIC, &clock_now)) {
 				dst_link->pmtud_last = clock_now;
 			}
 		}
 	}
 
 	if (saved_valid_pmtud != dst_link->has_valid_mtu) {
 		_host_dstcache_update_async(knet_h, dst_host);
 	}
 
 	return dst_link->has_valid_mtu;
 }
 
 void *_handle_pmtud_link_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct knet_host *dst_host;
 	struct knet_link *dst_link;
 	int link_idx;
 	unsigned int have_mtu;
 	unsigned int lower_mtu;
 	int link_has_mtu;
 	int force_run = 0;
 
 	set_thread_status(knet_h, KNET_THREAD_PMTUD, KNET_THREAD_STARTED);
 
 	knet_h->data_mtu = calc_min_mtu(knet_h);
 
 	/* preparing pmtu buffer */
 	knet_h->pmtudbuf->kh_version = KNET_HEADER_VERSION;
 	knet_h->pmtudbuf->kh_type = KNET_HEADER_TYPE_PMTUD;
 	knet_h->pmtudbuf->kh_node = htons(knet_h->host_id);
 
 	while (!shutdown_in_progress(knet_h)) {
 		usleep(KNET_THREADS_TIMERES);
 
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 			continue;
 		}
 		knet_h->pmtud_abort = 0;
 		knet_h->pmtud_running = 1;
 		force_run = knet_h->pmtud_forcerun;
 		knet_h->pmtud_forcerun = 0;
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 
 		if (force_run) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUd request to rerun has been received");
 		}
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get read lock");
 			continue;
 		}
 
 		lower_mtu = KNET_PMTUD_SIZE_V4;
 		have_mtu = 0;
 
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 				dst_link = &dst_host->link[link_idx];
 
 				if ((dst_link->status.enabled != 1) ||
 				    (dst_link->status.connected != 1) ||
 				    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK) ||
 				    (!dst_link->last_ping_size) ||
 				    ((dst_link->dynamic == KNET_LINK_DYNIP) &&
 				     (dst_link->status.dynconnected != 1)))
 					continue;
 
 				if (!knet_h->manual_mtu) {
 					link_has_mtu = _handle_check_pmtud(knet_h, dst_host, dst_link, force_run);
 					if (errno == EDEADLK) {
 						goto out_unlock;
 					}
 					if (link_has_mtu) {
 						have_mtu = 1;
 						if (dst_link->status.mtu < lower_mtu) {
 							lower_mtu = dst_link->status.mtu;
 						}
 					}
 				} else {
 					link_has_mtu = _calculate_manual_mtu(knet_h, dst_link);
 					if (link_has_mtu) {
 						have_mtu = 1;
 						if (dst_link->status.mtu < lower_mtu) {
 							lower_mtu = dst_link->status.mtu;
 						}
 					}
 				}
 			}
 		}
 
 		if (have_mtu) {
 			if (knet_h->data_mtu != lower_mtu) {
 				knet_h->data_mtu = lower_mtu;
 				log_info(knet_h, KNET_SUB_PMTUD, "Global data MTU changed to: %u", knet_h->data_mtu);
 
 				if (knet_h->pmtud_notify_fn) {
 					knet_h->pmtud_notify_fn(knet_h->pmtud_notify_fn_private_data,
 								knet_h->data_mtu);
 				}
 			}
 		}
 out_unlock:
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 		} else {
 			knet_h->pmtud_running = 0;
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		}
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_PMTUD, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
 
 int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!interval) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*interval = knet_h->pmtud_interval;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_setfreq(knet_handle_t knet_h, unsigned int interval)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if ((!interval) || (interval > 86400)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->pmtud_interval = interval;
 	log_debug(knet_h, KNET_SUB_HANDLE, "PMTUd interval set to: %u seconds", interval);
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 				    void *pmtud_notify_fn_private_data,
 				    void (*pmtud_notify_fn) (
 						void *private_data,
 						unsigned int data_mtu))
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->pmtud_notify_fn_private_data = pmtud_notify_fn_private_data;
 	knet_h->pmtud_notify_fn = pmtud_notify_fn;
 	if (knet_h->pmtud_notify_fn) {
 		log_debug(knet_h, KNET_SUB_HANDLE, "pmtud_notify_fn enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HANDLE, "pmtud_notify_fn disabled");
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_set(knet_handle_t knet_h,
 			  unsigned int iface_mtu)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (iface_mtu > KNET_PMTUD_SIZE_V4) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	log_info(knet_h, KNET_SUB_PMTUD, "MTU manually set to: %u", iface_mtu);
 
 	knet_h->manual_mtu = iface_mtu;
 
 	force_pmtud_run(knet_h, KNET_SUB_PMTUD, 0);
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_get(knet_handle_t knet_h,
 			  unsigned int *data_mtu)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!data_mtu) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*data_mtu = knet_h->data_mtu;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
index d03ed35e..213860fd 100644
--- a/libknet/threads_rx.c
+++ b/libknet/threads_rx.c
@@ -1,1047 +1,1058 @@
 /*
  * Copyright (C) 2012-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
 #include <sys/uio.h>
 #include <pthread.h>
 
 #include "compat.h"
 #include "compress.h"
 #include "crypto.h"
 #include "host.h"
 #include "links.h"
 #include "links_acl.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 #include "threads_rx.h"
 #include "netutils.h"
 
 /*
  * RECV
  */
 
 /*
  *  return 1 if a > b
  *  return -1 if b > a
  *  return 0 if they are equal
  */
 static inline int timecmp(struct timespec a, struct timespec b)
 {
 	if (a.tv_sec != b.tv_sec) {
 		if (a.tv_sec > b.tv_sec) {
 			return 1;
 		} else {
 			return -1;
 		}
 	} else {
 		if (a.tv_nsec > b.tv_nsec) {
 			return 1;
 		} else if (a.tv_nsec < b.tv_nsec) {
 			return -1;
 		} else {
 			return 0;
 		}
 	}
 }
 
 /*
  * this functions needs to return an index (0 to 7)
  * to a knet_host_defrag_buf. (-1 on errors)
  */
 
 static int find_pckt_defrag_buf(knet_handle_t knet_h, struct knet_header *inbuf)
 {
 	struct knet_host *src_host = knet_h->host_index[inbuf->kh_node];
 	int i, oldest;
 
 	/*
 	 * check if there is a buffer already in use handling the same seq_num
 	 */
-	for (i = 0; i < KNET_MAX_LINK; i++) {
+	for (i = 0; i < KNET_DEFRAG_BUFFERS; i++) {
 		if (src_host->defrag_buf[i].in_use) {
 			if (src_host->defrag_buf[i].pckt_seq == inbuf->khp_data_seq_num) {
 				return i;
 			}
 		}
 	}
 
 	/*
 	 * If there is no buffer that's handling the current seq_num
 	 * either it's new or it's been reclaimed already.
 	 * check if it's been reclaimed/seen before using the defrag circular
 	 * buffer. If the pckt has been seen before, the buffer expired (ETIME)
 	 * and there is no point to try to defrag it again.
 	 */
 	if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 1, 0)) {
 		errno = ETIME;
 		return -1;
 	}
 
 	/*
 	 * register the pckt as seen
 	 */
 	_seq_num_set(src_host, inbuf->khp_data_seq_num, 1);
 
 	/*
 	 * see if there is a free buffer
 	 */
-	for (i = 0; i < KNET_MAX_LINK; i++) {
+	for (i = 0; i < KNET_DEFRAG_BUFFERS; i++) {
 		if (!src_host->defrag_buf[i].in_use) {
 			return i;
 		}
 	}
 
 	/*
 	 * at this point, there are no free buffers, the pckt is new
 	 * and we need to reclaim a buffer, and we will take the one
 	 * with the oldest timestamp. It's as good as any.
 	 */
 
 	oldest = 0;
 
-	for (i = 0; i < KNET_MAX_LINK; i++) {
+	for (i = 0; i < KNET_DEFRAG_BUFFERS; i++) {
 		if (timecmp(src_host->defrag_buf[i].last_update, src_host->defrag_buf[oldest].last_update) < 0) {
 			oldest = i;
 		}
 	}
 	src_host->defrag_buf[oldest].in_use = 0;
 	return oldest;
 }
 
 static int pckt_defrag(knet_handle_t knet_h, struct knet_header *inbuf, ssize_t *len)
 {
 	struct knet_host_defrag_buf *defrag_buf;
 	int defrag_buf_idx;
 
 	defrag_buf_idx = find_pckt_defrag_buf(knet_h, inbuf);
 	if (defrag_buf_idx < 0) {
 		return 1;
 	}
 
 	defrag_buf = &knet_h->host_index[inbuf->kh_node]->defrag_buf[defrag_buf_idx];
 
 	/*
 	 * if the buf is not is use, then make sure it's clean
 	 */
 	if (!defrag_buf->in_use) {
 		memset(defrag_buf, 0, sizeof(struct knet_host_defrag_buf));
 		defrag_buf->in_use = 1;
 		defrag_buf->pckt_seq = inbuf->khp_data_seq_num;
 	}
 
 	/*
 	 * update timestamp on the buffer
 	 */
 	clock_gettime(CLOCK_MONOTONIC, &defrag_buf->last_update);
 
 	/*
 	 * check if we already received this fragment
 	 */
 	if (defrag_buf->frag_map[inbuf->khp_data_frag_seq]) {
 		/*
 		 * if we have received this fragment and we didn't clear the buffer
 		 * it means that we don't have all fragments yet
 		 */
 		return 1;
 	}
 
 	/*
 	 *  we need to handle the last packet with gloves due to its different size
 	 */
 
 	if (inbuf->khp_data_frag_seq == inbuf->khp_data_frag_num) {
 		defrag_buf->last_frag_size = *len;
 
 		/*
 		 * in the event when the last packet arrives first,
 		 * we still don't know the offset vs the other fragments (based on MTU),
 		 * so we store the fragment at the end of the buffer where it's safe
 		 * and take a copy of the len so that we can restore its offset later.
 		 * remember we can't use the local MTU for this calculation because pMTU
 		 * can be asymettric between the same hosts.
 		 */
 		if (!defrag_buf->frag_size) {
 			defrag_buf->last_first = 1;
 			memmove(defrag_buf->buf + (KNET_MAX_PACKET_SIZE - *len),
 			       inbuf->khp_data_userdata,
 			       *len);
 		}
 	} else {
 		defrag_buf->frag_size = *len;
 	}
 
 	if (defrag_buf->frag_size) {
 		memmove(defrag_buf->buf + ((inbuf->khp_data_frag_seq - 1) * defrag_buf->frag_size),
 		       inbuf->khp_data_userdata, *len);
 	}
 
 	defrag_buf->frag_recv++;
 	defrag_buf->frag_map[inbuf->khp_data_frag_seq] = 1;
 
 	/*
 	 * check if we received all the fragments
 	 */
 	if (defrag_buf->frag_recv == inbuf->khp_data_frag_num) {
 		/*
 		 * special case the last pckt
 		 */
 
 		if (defrag_buf->last_first) {
 			memmove(defrag_buf->buf + ((inbuf->khp_data_frag_num - 1) * defrag_buf->frag_size),
 			        defrag_buf->buf + (KNET_MAX_PACKET_SIZE - defrag_buf->last_frag_size),
 				defrag_buf->last_frag_size);
 		}
 
 		/*
 		 * recalculate packet lenght
 		 */
 
 		*len = ((inbuf->khp_data_frag_num - 1) * defrag_buf->frag_size) + defrag_buf->last_frag_size;
 
 		/*
 		 * copy the pckt back in the user data
 		 */
 		memmove(inbuf->khp_data_userdata, defrag_buf->buf, *len);
 
 		/*
 		 * free this buffer
 		 */
 		defrag_buf->in_use = 0;
 		return 0;
 	}
 
 	return 1;
 }
 
+/*
+ * processing incoming packets vs access lists
+ */
+static int _check_rx_acl(knet_handle_t knet_h, struct knet_link *src_link, const struct knet_mmsghdr *msg)
+{
+	if (knet_h->use_access_lists) {
+		if (!check_validate(knet_h, src_link, msg->msg_hdr.msg_name)) {
+			char src_ipaddr[KNET_MAX_HOST_LEN];
+			char src_port[KNET_MAX_PORT_LEN];
+			
+			memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
+			memset(src_port, 0, KNET_MAX_PORT_LEN);
+			if (knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+					   src_ipaddr, KNET_MAX_HOST_LEN,
+					   src_port, KNET_MAX_PORT_LEN) < 0) {
+
+				log_debug(knet_h, KNET_SUB_RX, "Packet rejected: unable to resolve host/port");
+			} else {
+				log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
+			}
+			return 0;
+		}
+	}
+	return 1;
+}
+
 static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
 {
 	int err = 0, savederrno = 0, stats_err = 0;
 	ssize_t outlen;
 	struct knet_host *src_host;
 	struct knet_link *src_link;
 	unsigned long long latency_last;
 	knet_node_id_t dst_host_ids[KNET_MAX_HOST];
 	size_t dst_host_ids_entries = 0;
 	int bcast = 1;
 	uint64_t decrypt_time = 0;
 	struct timespec recvtime;
 	struct knet_header *inbuf = msg->msg_hdr.msg_iov->iov_base;
 	unsigned char *outbuf = (unsigned char *)msg->msg_hdr.msg_iov->iov_base;
 	ssize_t len = msg->msg_len;
 	struct iovec iov_out[1];
 	int8_t channel;
 	seq_num_t recv_seq_num;
 	int wipe_bufs = 0;
 	int try_decrypt = 0, decrypted = 0, i, found_link = 0;
 
 	for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
 		if (knet_h->crypto_instance[i]) {
 			try_decrypt = 1;
 			break;
 		}
 	}
 
 	if ((!try_decrypt) && (knet_h->crypto_only == KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC)) {
 		log_debug(knet_h, KNET_SUB_RX, "RX thread configured to accept only crypto packets, but no crypto configs are configured!");
 		return;
 	}
 
 	if (try_decrypt) {
 		struct timespec start_time;
 		struct timespec end_time;
 
 		clock_gettime(CLOCK_MONOTONIC, &start_time);
 		if (crypto_authenticate_and_decrypt(knet_h,
 						    (unsigned char *)inbuf,
 						    len,
 						    knet_h->recv_from_links_buf_decrypt,
 						    &outlen) < 0) {
 			log_debug(knet_h, KNET_SUB_RX, "Unable to decrypt/auth packet");
 			if (knet_h->crypto_only == KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC) {
 				return;
 			}
 			log_debug(knet_h, KNET_SUB_RX, "Attempting to process packet as clear data");
 		} else {
 			clock_gettime(CLOCK_MONOTONIC, &end_time);
 			timespec_diff(start_time, end_time, &decrypt_time);
 
 			len = outlen;
 			inbuf = (struct knet_header *)knet_h->recv_from_links_buf_decrypt;
 			decrypted = 1;
 		}
 	}
 
 	if (len < (ssize_t)(KNET_HEADER_SIZE + 1)) {
 		log_debug(knet_h, KNET_SUB_RX, "Packet is too short: %ld", (long)len);
 		return;
 	}
 
 	if (inbuf->kh_version != KNET_HEADER_VERSION) {
 		log_debug(knet_h, KNET_SUB_RX, "Packet version does not match");
 		return;
 	}
 
 	inbuf->kh_node = ntohs(inbuf->kh_node);
 	src_host = knet_h->host_index[inbuf->kh_node];
 	if (src_host == NULL) {  /* host not found */
 		log_debug(knet_h, KNET_SUB_RX, "Unable to find source host for this packet");
 		return;
 	}
 
 	if ((inbuf->kh_type & KNET_HEADER_TYPE_PMSK) != 0) {
 		/* be aware this works only for PING / PONG and PMTUd packets! */
 		src_link = src_host->link +
 			(inbuf->khp_ping_link % KNET_MAX_LINK);
+		if (!_check_rx_acl(knet_h, src_link, msg)) {
+			return;
+		}
 		if (src_link->dynamic == KNET_LINK_DYNIP) {
 			if (cmpaddr(&src_link->dst_addr, msg->msg_hdr.msg_name) != 0) {
 				log_debug(knet_h, KNET_SUB_RX, "host: %u link: %u appears to have changed ip address",
 					  src_host->host_id, src_link->link_id);
 				memmove(&src_link->dst_addr, msg->msg_hdr.msg_name, sizeof(struct sockaddr_storage));
 				if (knet_addrtostr(&src_link->dst_addr, sockaddr_len(&src_link->dst_addr),
 						src_link->status.dst_ipaddr, KNET_MAX_HOST_LEN,
 						src_link->status.dst_port, KNET_MAX_PORT_LEN) != 0) {
 					log_debug(knet_h, KNET_SUB_RX, "Unable to resolve ???");
 					snprintf(src_link->status.dst_ipaddr, KNET_MAX_HOST_LEN - 1, "Unknown!!!");
 					snprintf(src_link->status.dst_port, KNET_MAX_PORT_LEN - 1, "??");
 				} else {
 					log_info(knet_h, KNET_SUB_RX,
 						 "host: %u link: %u new connection established from: %s %s",
 						 src_host->host_id, src_link->link_id,
 						 src_link->status.dst_ipaddr, src_link->status.dst_port);
 				}
 			}
 			/*
 			 * transport has already accepted the connection here
 			 * otherwise we would not be receiving packets
 			 */
 			transport_link_dyn_connect(knet_h, sockfd, src_link);
 		}
 	} else { /* data packet */
 		for (i = 0; i < KNET_MAX_LINK; i++) {
 			src_link = &src_host->link[i];
 			if (cmpaddr(&src_link->dst_addr, msg->msg_hdr.msg_name) == 0) {
 				found_link = 1;
 				break;
 			}
 		}
-		if (!found_link) {
+		if (found_link) {
+			/*
+			 * this check is currently redundant.. Keep it here for now
+			 */
+			if (!_check_rx_acl(knet_h, src_link, msg)) {
+				return;
+			}
+		} else {
 			log_debug(knet_h, KNET_SUB_RX, "Unable to determine source link for data packet. Discarding packet.");
 			return;
 		}
 	}
 
 	stats_err = pthread_mutex_lock(&src_link->link_stats_mutex);
 	if (stats_err) {
 		log_err(knet_h, KNET_SUB_RX, "Unable to get stats mutex lock for host %u link %u: %s",
 			src_host->host_id, src_link->link_id, strerror(savederrno));
 		return;
 	}
 
 	switch (inbuf->kh_type) {
 	case KNET_HEADER_TYPE_DATA:
 
 		/* data stats at the top for consistency with TX */
 		src_link->status.stats.rx_data_packets++;
 		src_link->status.stats.rx_data_bytes += len;
 
 		if (decrypted) {
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				return;
 			}
 			/* Only update the crypto overhead for data packets. Mainly to be
 			   consistent with TX */
 			if (decrypt_time < knet_h->stats.rx_crypt_time_min) {
 				knet_h->stats.rx_crypt_time_min = decrypt_time;
 			}
 			if (decrypt_time > knet_h->stats.rx_crypt_time_max) {
 				knet_h->stats.rx_crypt_time_max = decrypt_time;
 			}
 			knet_h->stats.rx_crypt_time_ave =
 				(knet_h->stats.rx_crypt_time_ave * knet_h->stats.rx_crypt_packets +
 				 decrypt_time) / (knet_h->stats.rx_crypt_packets+1);
 			knet_h->stats.rx_crypt_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		if (!src_host->status.reachable) {
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			log_debug(knet_h, KNET_SUB_RX, "Source host %u not reachable yet. Discarding packet.", src_host->host_id);
 			return;
 		}
 
 		inbuf->khp_data_seq_num = ntohs(inbuf->khp_data_seq_num);
 		channel = inbuf->khp_data_channel;
 		src_host->got_data = 1;
 
 		if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 0, 0)) {
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			if (src_host->link_handler_policy != KNET_LINK_POLICY_ACTIVE) {
 				log_debug(knet_h, KNET_SUB_RX, "Packet has already been delivered");
 			}
 			return;
 		}
 
 		if (inbuf->khp_data_frag_num > 1) {
 			/*
 			 * len as received from the socket also includes extra stuff
 			 * that the defrag code doesn't care about. So strip it
 			 * here and readd only for repadding once we are done
 			 * defragging
 			 */
 			len = len - KNET_HEADER_DATA_SIZE;
 			if (pckt_defrag(knet_h, inbuf, &len)) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				return;
 			}
 			len = len + KNET_HEADER_DATA_SIZE;
 		}
 
 		if (inbuf->khp_data_compress) {
 			ssize_t decmp_outlen = KNET_DATABUFSIZE_COMPRESS;
 			struct timespec start_time;
 			struct timespec end_time;
 			uint64_t compress_time;
 
 			clock_gettime(CLOCK_MONOTONIC, &start_time);
 			err = decompress(knet_h, inbuf->khp_data_compress,
 					 (const unsigned char *)inbuf->khp_data_userdata,
 					 len - KNET_HEADER_DATA_SIZE,
 					 knet_h->recv_from_links_buf_decompress,
 					 &decmp_outlen);
 
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				return;
 			}
 
 			clock_gettime(CLOCK_MONOTONIC, &end_time);
 			timespec_diff(start_time, end_time, &compress_time);
 
 			if (!err) {
 				/* Collect stats */
 				if (compress_time < knet_h->stats.rx_compress_time_min) {
 					knet_h->stats.rx_compress_time_min = compress_time;
 				}
 				if (compress_time > knet_h->stats.rx_compress_time_max) {
 					knet_h->stats.rx_compress_time_max = compress_time;
 				}
 				knet_h->stats.rx_compress_time_ave =
 					(knet_h->stats.rx_compress_time_ave * knet_h->stats.rx_compressed_packets +
 					 compress_time) / (knet_h->stats.rx_compressed_packets+1);
 
 				knet_h->stats.rx_compressed_packets++;
 				knet_h->stats.rx_compressed_original_bytes += decmp_outlen;
 				knet_h->stats.rx_compressed_size_bytes += len - KNET_HEADER_SIZE;
 
 				memmove(inbuf->khp_data_userdata, knet_h->recv_from_links_buf_decompress, decmp_outlen);
 				len = decmp_outlen + KNET_HEADER_DATA_SIZE;
 			} else {
 				pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_warn(knet_h, KNET_SUB_COMPRESS, "Unable to decompress packet (%d): %s",
 					 err, strerror(errno));
 				return;
 			}
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		if (knet_h->enabled != 1) /* data forward is disabled */
 			break;
 
 		if (knet_h->dst_host_filter_fn) {
 			size_t host_idx;
 			int found = 0;
 
 			bcast = knet_h->dst_host_filter_fn(
 					knet_h->dst_host_filter_fn_private_data,
 					(const unsigned char *)inbuf->khp_data_userdata,
 					len - KNET_HEADER_DATA_SIZE,
 					KNET_NOTIFY_RX,
 					knet_h->host_id,
 					inbuf->kh_node,
 					&channel,
 					dst_host_ids,
 					&dst_host_ids_entries);
 			if (bcast < 0) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_debug(knet_h, KNET_SUB_RX, "Error from dst_host_filter_fn: %d", bcast);
 				return;
 			}
 
 			if ((!bcast) && (!dst_host_ids_entries)) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_debug(knet_h, KNET_SUB_RX, "Message is unicast but no dst_host_ids_entries");
 				return;
 			}
 
 			/* check if we are dst for this packet */
 			if (!bcast) {
 				if (dst_host_ids_entries > KNET_MAX_HOST) {
 					pthread_mutex_unlock(&src_link->link_stats_mutex);
 					log_debug(knet_h, KNET_SUB_RX, "dst_host_filter_fn returned too many destinations");
 					return;
 				}
 				for (host_idx = 0; host_idx < dst_host_ids_entries; host_idx++) {
 					if (dst_host_ids[host_idx] == knet_h->host_id) {
 						found = 1;
 						break;
 					}
 				}
 				if (!found) {
 					pthread_mutex_unlock(&src_link->link_stats_mutex);
 					log_debug(knet_h, KNET_SUB_RX, "Packet is not for us");
 					return;
 				}
 			}
 		}
 
 		if (!knet_h->sockfd[channel].in_use) {
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			log_debug(knet_h, KNET_SUB_RX,
 				  "received packet for channel %d but there is no local sock connected",
 				  channel);
 			return;
 		}
 
 		outlen = 0;
 		memset(iov_out, 0, sizeof(iov_out));
 
 retry:
 		iov_out[0].iov_base = (void *) inbuf->khp_data_userdata + outlen;
 		iov_out[0].iov_len = len - (outlen + KNET_HEADER_DATA_SIZE);
 
 		outlen = writev(knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], iov_out, 1);
 		if ((outlen > 0) && (outlen < (ssize_t)iov_out[0].iov_len)) {
 			log_debug(knet_h, KNET_SUB_RX,
 				  "Unable to send all data to the application in one go. Expected: %zu Sent: %zd\n",
 				  iov_out[0].iov_len, outlen);
 			goto retry;
 		}
 
 		if (outlen <= 0) {
 			knet_h->sock_notify_fn(knet_h->sock_notify_fn_private_data,
 					       knet_h->sockfd[channel].sockfd[0],
 					       channel,
 					       KNET_NOTIFY_RX,
 					       outlen,
 					       errno);
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			return;
 		}
 		if ((size_t)outlen == iov_out[0].iov_len) {
 			_seq_num_set(src_host, inbuf->khp_data_seq_num, 0);
 		}
 		break;
 	case KNET_HEADER_TYPE_PING:
 		outlen = KNET_HEADER_PING_SIZE;
 		inbuf->kh_type = KNET_HEADER_TYPE_PONG;
 		inbuf->kh_node = htons(knet_h->host_id);
 		recv_seq_num = ntohs(inbuf->khp_ping_seq_num);
 		src_link->status.stats.rx_ping_packets++;
 		src_link->status.stats.rx_ping_bytes += len;
 
 		wipe_bufs = 0;
 
 		if (!inbuf->khp_ping_timed) {
 			/*
 			 * we might be receiving this message from all links, but we want
 			 * to process it only the first time
 			 */
 			if (recv_seq_num != src_host->untimed_rx_seq_num) {
 				/*
 				 * cache the untimed seq num
 				 */
 				src_host->untimed_rx_seq_num = recv_seq_num;
 				/*
 				 * if the host has received data in between
 				 * untimed ping, then we don't need to wipe the bufs
 				 */
 				if (src_host->got_data) {
 					src_host->got_data = 0;
 					wipe_bufs = 0;
 				} else {
 					wipe_bufs = 1;
 				}
 			}
 			_seq_num_lookup(src_host, recv_seq_num, 0, wipe_bufs);
 		} else {
 			/*
 			 * pings always arrives in bursts over all the link
 			 * catch the first of them to cache the seq num and
 			 * avoid duplicate processing
 			 */
 			if (recv_seq_num != src_host->timed_rx_seq_num) {
 				src_host->timed_rx_seq_num = recv_seq_num;
 
 				if (recv_seq_num == 0) {
 					_seq_num_lookup(src_host, recv_seq_num, 0, 1);
 				}
 			}
 		}
 
 		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)inbuf,
 						    outlen,
 						    knet_h->recv_from_links_buf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_RX, "Unable to encrypt pong packet");
 				break;
 			}
 			outbuf = knet_h->recv_from_links_buf_crypt;
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				break;
 			}
 			knet_h->stats_extra.tx_crypt_pong_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 retry_pong:
 		if (src_link->transport_connected) {
 			if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
-					     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
+					     (struct sockaddr *) &src_link->dst_addr, knet_h->knet_transport_fd_tracker[src_link->outsock].sockaddr_len);
 			} else {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 			}
 			savederrno = errno;
 			if (len != outlen) {
 				err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
 				switch(err) {
 					case -1: /* unrecoverable error */
 						log_debug(knet_h, KNET_SUB_RX,
 							  "Unable to send pong reply (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 							  src_link->outsock, errno, strerror(errno),
 							  src_link->status.src_ipaddr, src_link->status.src_port,
 							  src_link->status.dst_ipaddr, src_link->status.dst_port);
 						src_link->status.stats.tx_pong_errors++;
 						break;
 					case 0: /* ignore error and continue */
 						break;
 					case 1: /* retry to send those same data */
 						src_link->status.stats.tx_pong_retries++;
 						goto retry_pong;
 						break;
 				}
 			}
 			src_link->status.stats.tx_pong_packets++;
 			src_link->status.stats.tx_pong_bytes += outlen;
 		}
 		break;
 	case KNET_HEADER_TYPE_PONG:
 		src_link->status.stats.rx_pong_packets++;
 		src_link->status.stats.rx_pong_bytes += len;
 		clock_gettime(CLOCK_MONOTONIC, &src_link->status.pong_last);
 
 		memmove(&recvtime, &inbuf->khp_ping_time[0], sizeof(struct timespec));
 		timespec_diff(recvtime,
 				src_link->status.pong_last, &latency_last);
 
 		if ((latency_last / 1000llu) > src_link->pong_timeout) {
 			log_debug(knet_h, KNET_SUB_RX,
 				  "Incoming pong packet from host: %u link: %u has higher latency than pong_timeout. Discarding",
 				  src_host->host_id, src_link->link_id);
 		} else {
 
 			/*
 			 * in words : ('previous mean' * '(count -1)') + 'new value') / 'count'
 			 */
 
 			src_link->latency_cur_samples++;
 
 			/*
 			 * limit to max_samples (precision)
 			 */
 			if (src_link->latency_cur_samples >= src_link->latency_max_samples) {
 				src_link->latency_cur_samples = src_link->latency_max_samples;
 			}
 			src_link->status.latency =
 				(((src_link->status.latency * (src_link->latency_cur_samples - 1)) + (latency_last / 1000llu)) / src_link->latency_cur_samples);
 
 			if (src_link->status.latency < src_link->pong_timeout_adj) {
 				if (!src_link->status.connected) {
 					if (src_link->received_pong >= src_link->pong_count) {
 						log_info(knet_h, KNET_SUB_RX, "host: %u link: %u is up",
 							 src_host->host_id, src_link->link_id);
 						_link_updown(knet_h, src_host->host_id, src_link->link_id, src_link->status.enabled, 1, 0);
 					} else {
 						src_link->received_pong++;
 						log_debug(knet_h, KNET_SUB_RX, "host: %u link: %u received pong: %u",
 							  src_host->host_id, src_link->link_id, src_link->received_pong);
 					}
 				}
 			}
 			/* Calculate latency stats */
 			if (src_link->status.latency > src_link->status.stats.latency_max) {
 				src_link->status.stats.latency_max = src_link->status.latency;
 			}
 			if (src_link->status.latency < src_link->status.stats.latency_min) {
 				src_link->status.stats.latency_min = src_link->status.latency;
 			}
 
 			/*
 			 * those 2 lines below make all latency average calculations consistent and capped to
 			 * link precision. In future we will kill the one above to keep only this one in
 			 * the stats structure, but for now we leave it around to avoid API/ABI
 			 * breakage as we backport the fixes to stable
 			 */
 			src_link->status.stats.latency_ave = src_link->status.latency;
 			src_link->status.stats.latency_samples = src_link->latency_cur_samples;
 		}
 		break;
 	case KNET_HEADER_TYPE_PMTUD:
 		src_link->status.stats.rx_pmtu_packets++;
 		src_link->status.stats.rx_pmtu_bytes += len;
 		outlen = KNET_HEADER_PMTUD_SIZE;
 		inbuf->kh_type = KNET_HEADER_TYPE_PMTUD_REPLY;
 		inbuf->kh_node = htons(knet_h->host_id);
 
 		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)inbuf,
 						    outlen,
 						    knet_h->recv_from_links_buf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_RX, "Unable to encrypt PMTUd reply packet");
 				break;
 			}
 			outbuf = knet_h->recv_from_links_buf_crypt;
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				break;
 			}
 			knet_h->stats_extra.tx_crypt_pmtu_reply_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		/* Unlock so we don't deadlock with tx_mutex */
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 
 		savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_RX, "Unable to get TX mutex lock: %s", strerror(savederrno));
 			goto out_pmtud;
 		}
 retry_pmtud:
 		if (src_link->transport_connected) {
 			if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
-					     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
+					     (struct sockaddr *) &src_link->dst_addr, knet_h->knet_transport_fd_tracker[src_link->outsock].sockaddr_len);
 			} else {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 			}
 			savederrno = errno;
 			if (len != outlen) {
 				err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
 				stats_err = pthread_mutex_lock(&src_link->link_stats_mutex);
 				if (stats_err < 0) {
 					log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 					break;
 				}
 				switch(err) {
 					case -1: /* unrecoverable error */
 						log_debug(knet_h, KNET_SUB_RX,
 							  "Unable to send PMTUd reply (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 							  src_link->outsock, errno, strerror(errno),
 							  src_link->status.src_ipaddr, src_link->status.src_port,
 							  src_link->status.dst_ipaddr, src_link->status.dst_port);
 
 						src_link->status.stats.tx_pmtu_errors++;
 						break;
 					case 0: /* ignore error and continue */
 						src_link->status.stats.tx_pmtu_errors++;
 						break;
 					case 1: /* retry to send those same data */
 						src_link->status.stats.tx_pmtu_retries++;
 						pthread_mutex_unlock(&src_link->link_stats_mutex);
 						goto retry_pmtud;
 						break;
 				}
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 			}
 		}
 		pthread_mutex_unlock(&knet_h->tx_mutex);
 out_pmtud:
 		return; /* Don't need to unlock link_stats_mutex */
 	case KNET_HEADER_TYPE_PMTUD_REPLY:
 		src_link->status.stats.rx_pmtu_packets++;
 		src_link->status.stats.rx_pmtu_bytes += len;
 
 		/* pmtud_mutex can't be acquired while we hold a link_stats_mutex (ordering) */
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_RX, "Unable to get mutex lock");
 			break;
 		}
 		src_link->last_recv_mtu = inbuf->khp_pmtud_size;
 		pthread_cond_signal(&knet_h->pmtud_cond);
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		return;
 	default:
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 		return;
 	}
 	pthread_mutex_unlock(&src_link->link_stats_mutex);
 }
 
 static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	int err, savederrno;
 	int i, msg_recv, transport;
 
 	if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 		log_debug(knet_h, KNET_SUB_RX, "Unable to get global read lock");
 		return;
 	}
 
 	if (_is_valid_fd(knet_h, sockfd) < 1) {
 		/*
 		 * this is normal if a fd got an event and before we grab the read lock
 		 * and the link is removed by another thread
 		 */
 		goto exit_unlock;
 	}
 
 	transport = knet_h->knet_transport_fd_tracker[sockfd].transport;
 
 	/*
 	 * reset msg_namelen to buffer size because after recvmmsg
 	 * each msg_namelen will contain sizeof sockaddr_in or sockaddr_in6
 	 */
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
-		msg[i].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
+		msg[i].msg_hdr.msg_namelen = knet_h->knet_transport_fd_tracker[sockfd].sockaddr_len;
 	}
 
 	msg_recv = _recvmmsg(sockfd, &msg[0], PCKT_RX_BUFS, MSG_DONTWAIT | MSG_NOSIGNAL);
 	savederrno = errno;
 
 	/*
 	 * WARNING: man page for recvmmsg is wrong. Kernel implementation here:
 	 * recvmmsg can return:
 	 * -1 on error
 	 *  0 if the previous run of recvmmsg recorded an error on the socket
 	 *  N number of messages (see exception below).
 	 *
 	 * If there is an error from recvmsg after receiving a frame or more, the recvmmsg
 	 * loop is interrupted, error recorded in the socket (getsockopt(SO_ERROR) and
 	 * it will be visibile in the next run.
 	 *
 	 * Need to be careful how we handle errors at this stage.
 	 *
 	 * error messages need to be handled on a per transport/protocol base
 	 * at this point we have different layers of error handling
 	 * - msg_recv < 0 -> error from this run
 	 *   msg_recv = 0 -> error from previous run and error on socket needs to be cleared
 	 * - per-transport message data
 	 *   example: msg[i].msg_hdr.msg_flags & MSG_NOTIFICATION or msg_len for SCTP == EOF,
 	 *            but for UDP it is perfectly legal to receive a 0 bytes message.. go figure
 	 * - NOTE: on SCTP MSG_NOTIFICATION we get msg_recv == PCKT_FRAG_MAX messages and no
 	 *         errno set. That means the error api needs to be able to abort the loop below.
 	 */
 
 	if (msg_recv <= 0) {
 		transport_rx_sock_error(knet_h, transport, sockfd, msg_recv, savederrno);
 		goto exit_unlock;
 	}
 
 	for (i = 0; i < msg_recv; i++) {
 		err = transport_rx_is_data(knet_h, transport, sockfd, &msg[i]);
 
 		/*
 		 * TODO: make this section silent once we are confident
 		 *       all protocols packet handlers are good
 		 */
 
 		switch(err) {
 			case KNET_TRANSPORT_RX_ERROR: /* on error */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported error parsing packet");
 				goto exit_unlock;
 				break;
 			case KNET_TRANSPORT_RX_NOT_DATA_CONTINUE: /* packet is not data and we should continue the packet process loop */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported no data, continue");
 				break;
 			case KNET_TRANSPORT_RX_NOT_DATA_STOP: /* packet is not data and we should STOP the packet process loop */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported no data, stop");
 				goto exit_unlock;
 				break;
 			case KNET_TRANSPORT_RX_IS_DATA: /* packet is data and should be parsed as such */
-				/*
-				 * processing incoming packets vs access lists
-				 */
-				if ((knet_h->use_access_lists) &&
-				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
-					if (!check_validate(knet_h, sockfd, transport, msg[i].msg_hdr.msg_name)) {
-						char src_ipaddr[KNET_MAX_HOST_LEN];
-						char src_port[KNET_MAX_PORT_LEN];
-
-						memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
-						memset(src_port, 0, KNET_MAX_PORT_LEN);
-						if (knet_addrtostr(msg[i].msg_hdr.msg_name, sockaddr_len(msg[i].msg_hdr.msg_name),
-								   src_ipaddr, KNET_MAX_HOST_LEN,
-								   src_port, KNET_MAX_PORT_LEN) < 0) {
-
-							log_debug(knet_h, KNET_SUB_RX, "Packet rejected: unable to resolve host/port");
-						} else {
-							log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
-						}
-						/*
-						 * continue processing the other packets
-						 */
-						continue;
-					}
-				}
 				_parse_recv_from_links(knet_h, sockfd, &msg[i]);
 				break;
 			case KNET_TRANSPORT_RX_OOB_DATA_CONTINUE:
 				log_debug(knet_h, KNET_SUB_RX, "Transport is processing sock OOB data, continue");
 				break;
 			case KNET_TRANSPORT_RX_OOB_DATA_STOP:
 				log_debug(knet_h, KNET_SUB_RX, "Transport has completed processing sock OOB data, stop");
 				goto exit_unlock;
 				break;
 		}
 	}
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 }
 
 void *_handle_recv_from_links_thread(void *data)
 {
 	int i, nev;
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 	struct sockaddr_storage address[PCKT_RX_BUFS];
 	struct knet_mmsghdr msg[PCKT_RX_BUFS];
 	struct iovec iov_in[PCKT_RX_BUFS];
 
 	set_thread_status(knet_h, KNET_THREAD_RX, KNET_THREAD_STARTED);
 
 	memset(&msg, 0, sizeof(msg));
 	memset(&events, 0, sizeof(events));
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
 		iov_in[i].iov_base = (void *)knet_h->recv_from_links_buf[i];
 		iov_in[i].iov_len = KNET_DATABUFSIZE;
 
 		memset(&msg[i].msg_hdr, 0, sizeof(struct msghdr));
 
 		msg[i].msg_hdr.msg_name = &address[i];
-		msg[i].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
+		msg[i].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage); /* Real value filled in before actual use */
 		msg[i].msg_hdr.msg_iov = &iov_in[i];
 		msg[i].msg_hdr.msg_iovlen = 1;
 	}
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(knet_h->recv_from_links_epollfd, events, KNET_EPOLL_MAX_EVENTS, KNET_THREADS_TIMERES / 1000);
 
 		/*
 		 * the RX threads only need to notify that there has been at least
 		 * one successful run after queue flush has been requested.
 		 * See setfwd in handle.c
 		 */
 		if (get_thread_flush_queue(knet_h, KNET_THREAD_RX) == KNET_THREAD_QUEUE_FLUSH) {
 			set_thread_flush_queue(knet_h, KNET_THREAD_RX, KNET_THREAD_QUEUE_FLUSHED);
 		}
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			continue;
 		}
 
 		for (i = 0; i < nev; i++) {
 			_handle_recv_from_links(knet_h, events[i].data.fd, msg);
 		}
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_RX, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
 
 ssize_t knet_recv(knet_handle_t knet_h, char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0;
 	ssize_t err = 0;
 	struct iovec iov_in;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (void *)buff;
 	iov_in.iov_len = buff_len;
 
 	err = readv(knet_h->sockfd[channel].sockfd[0], &iov_in, 1);
 	savederrno = errno;
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
index 9f16706f..404bfc73 100644
--- a/libknet/threads_tx.c
+++ b/libknet/threads_tx.c
@@ -1,878 +1,893 @@
 /*
  * Copyright (C) 2012-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <math.h>
 #include <string.h>
 #include <pthread.h>
 #include <unistd.h>
 #include <sys/uio.h>
 #include <errno.h>
 
 #include "compat.h"
 #include "compress.h"
 #include "crypto.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 #include "threads_tx.h"
 #include "netutils.h"
 
 /*
  * SEND
  */
 
 static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_mmsghdr *msg, int msgs_to_send)
 {
 	int link_idx, msg_idx, sent_msgs, prev_sent, progress;
 	int err = 0, savederrno = 0, locked = 0;
 	unsigned int i;
 	struct knet_mmsghdr *cur;
 	struct knet_link *cur_link;
 
 	for (link_idx = 0; link_idx < dst_host->active_link_entries; link_idx++) {
 		prev_sent = 0;
 		progress = 1;
 		locked = 0;
 
 		cur_link = &dst_host->link[dst_host->active_links[link_idx]];
 
 		if (cur_link->transport == KNET_TRANSPORT_LOOPBACK) {
 			continue;
 		}
 
 		savederrno = pthread_mutex_lock(&cur_link->link_stats_mutex);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get stats mutex lock for host %u link %u: %s",
 				dst_host->host_id, cur_link->link_id, strerror(savederrno));
 			continue;
 		}
 		locked = 1;
 
 		msg_idx = 0;
 		while (msg_idx < msgs_to_send) {
 			msg[msg_idx].msg_hdr.msg_name = &cur_link->dst_addr;
+			msg[msg_idx].msg_hdr.msg_namelen = knet_h->knet_transport_fd_tracker[cur_link->outsock].sockaddr_len;
 
 			/* Cast for Linux/BSD compatibility */
 			for (i=0; i<(unsigned int)msg[msg_idx].msg_hdr.msg_iovlen; i++) {
 				cur_link->status.stats.tx_data_bytes += msg[msg_idx].msg_hdr.msg_iov[i].iov_len;
 			}
 			cur_link->status.stats.tx_data_packets++;
 			msg_idx++;
 		}
 
 retry:
 		cur = &msg[prev_sent];
 
 		sent_msgs = _sendmmsg(dst_host->link[dst_host->active_links[link_idx]].outsock,
 				      transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport),
 				      &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
 		savederrno = errno;
 
 		err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
 		switch(err) {
 			case -1: /* unrecoverable error */
 				cur_link->status.stats.tx_data_errors++;
 				goto out_unlock;
 				break;
 			case 0: /* ignore error and continue */
 				break;
 			case 1: /* retry to send those same data */
 				cur_link->status.stats.tx_data_retries++;
 				goto retry;
 				break;
 		}
 
 		prev_sent = prev_sent + sent_msgs;
 
 		if ((sent_msgs >= 0) && (prev_sent < msgs_to_send)) {
 			if ((sent_msgs) || (progress)) {
 				if (sent_msgs) {
 					progress = 1;
 				} else {
 					progress = 0;
 				}
 #ifdef DEBUG
 				log_debug(knet_h, KNET_SUB_TX, "Unable to send all (%d/%d) data packets to host %s (%u) link %s:%s (%u)",
 					  sent_msgs, msg_idx,
 					  dst_host->name, dst_host->host_id,
 					  dst_host->link[dst_host->active_links[link_idx]].status.dst_ipaddr,
 					  dst_host->link[dst_host->active_links[link_idx]].status.dst_port,
 					  dst_host->link[dst_host->active_links[link_idx]].link_id);
 #endif
 				goto retry;
 			}
 			if (!progress) {
 				savederrno = EAGAIN;
 				err = -1;
 				goto out_unlock;
 			}
 		}
 
 		if ((dst_host->link_handler_policy == KNET_LINK_POLICY_RR) &&
 		    (dst_host->active_link_entries > 1)) {
 			uint8_t cur_link_id = dst_host->active_links[0];
 
 			memmove(&dst_host->active_links[0], &dst_host->active_links[1], KNET_MAX_LINK - 1);
 			dst_host->active_links[dst_host->active_link_entries - 1] = cur_link_id;
 
 			break;
 		}
 		pthread_mutex_unlock(&cur_link->link_stats_mutex);
 		locked = 0;
 	}
 
 out_unlock:
 	if (locked) {
 		pthread_mutex_unlock(&cur_link->link_stats_mutex);
 	}
 	errno = savederrno;
 	return err;
 }
 
 static int _parse_recv_from_sock(knet_handle_t knet_h, size_t inlen, int8_t channel, int is_sync)
 {
 	size_t outlen, frag_len;
 	struct knet_host *dst_host;
 	knet_node_id_t dst_host_ids_temp[KNET_MAX_HOST];
 	size_t dst_host_ids_entries_temp = 0;
 	knet_node_id_t dst_host_ids[KNET_MAX_HOST];
 	size_t dst_host_ids_entries = 0;
 	int bcast = 1;
 	struct iovec iov_out[PCKT_FRAG_MAX][2];
 	int iovcnt_out = 2;
 	uint8_t frag_idx;
 	unsigned int temp_data_mtu;
 	size_t host_idx;
 	int send_mcast = 0;
 	struct knet_header *inbuf;
 	int savederrno = 0;
 	int err = 0;
 	seq_num_t tx_seq_num;
 	struct knet_mmsghdr msg[PCKT_FRAG_MAX];
 	int msgs_to_send, msg_idx;
 	unsigned int i;
 	int j;
 	int send_local = 0;
 	int data_compressed = 0;
 	size_t uncrypted_frag_size;
 	int stats_locked = 0, stats_err = 0;
 
 	inbuf = knet_h->recv_from_sock_buf;
 
 	if (knet_h->enabled != 1) {
 		log_debug(knet_h, KNET_SUB_TX, "Received data packet but forwarding is disabled");
 		savederrno = ECANCELED;
 		err = -1;
 		goto out_unlock;
 	}
 
+	memset(dst_host_ids_temp, 0, sizeof(dst_host_ids_temp));
+	memset(dst_host_ids, 0, sizeof(dst_host_ids));
+
 	/*
 	 * move this into a separate function to expand on
 	 * extra switching rules
 	 */
 	switch(inbuf->kh_type) {
 		case KNET_HEADER_TYPE_DATA:
 			if (knet_h->dst_host_filter_fn) {
 				bcast = knet_h->dst_host_filter_fn(
 						knet_h->dst_host_filter_fn_private_data,
 						(const unsigned char *)inbuf->khp_data_userdata,
 						inlen,
 						KNET_NOTIFY_TX,
 						knet_h->host_id,
 						knet_h->host_id,
 						&channel,
 						dst_host_ids_temp,
 						&dst_host_ids_entries_temp);
 				if (bcast < 0) {
 					log_debug(knet_h, KNET_SUB_TX, "Error from dst_host_filter_fn: %d", bcast);
 					savederrno = EFAULT;
 					err = -1;
 					goto out_unlock;
 				}
 
 				if ((!bcast) && (!dst_host_ids_entries_temp)) {
 					log_debug(knet_h, KNET_SUB_TX, "Message is unicast but no dst_host_ids_entries");
 					savederrno = EINVAL;
 					err = -1;
 					goto out_unlock;
 				}
 
 				if ((!bcast) &&
 				    (dst_host_ids_entries_temp > KNET_MAX_HOST)) {
 					log_debug(knet_h, KNET_SUB_TX, "dst_host_filter_fn returned too many destinations");
 					savederrno = EINVAL;
 					err = -1;
 					goto out_unlock;
 				}
 			}
 
 			/* Send to localhost if appropriate and enabled */
 			if (knet_h->has_loop_link) {
 				send_local = 0;
 				if (bcast) {
 					send_local = 1;
 				} else {
 					for (i=0; i< dst_host_ids_entries_temp; i++) {
 						if (dst_host_ids_temp[i] == knet_h->host_id) {
 							send_local = 1;
 						}
 					}
 				}
 				if (send_local) {
 					const unsigned char *buf = inbuf->khp_data_userdata;
 					ssize_t buflen = inlen;
 					struct knet_link *local_link;
 
 					local_link = knet_h->host_index[knet_h->host_id]->link;
 
 				local_retry:
 					err = write(knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], buf, buflen);
 					if (err < 0) {
 						log_err(knet_h, KNET_SUB_TRANSP_LOOPBACK, "send local failed. error=%s\n", strerror(errno));
 						local_link->status.stats.tx_data_errors++;
 					}
 					if (err > 0 && err < buflen) {
 						log_debug(knet_h, KNET_SUB_TRANSP_LOOPBACK, "send local incomplete=%d bytes of %zu\n", err, inlen);
 						local_link->status.stats.tx_data_retries++;
 						buf += err;
 						buflen -= err;
 						goto local_retry;
 					}
 					if (err == buflen) {
 						local_link->status.stats.tx_data_packets++;
 						local_link->status.stats.tx_data_bytes += inlen;
 					}
 				}
 			}
 			break;
 		default:
 			log_warn(knet_h, KNET_SUB_TX, "Receiving unknown messages from socket");
 			savederrno = ENOMSG;
 			err = -1;
 			goto out_unlock;
 			break;
 	}
 
 	if (is_sync) {
 		if ((bcast) ||
 		    ((!bcast) && (dst_host_ids_entries_temp > 1))) {
 			log_debug(knet_h, KNET_SUB_TX, "knet_send_sync is only supported with unicast packets for one destination");
 			savederrno = E2BIG;
 			err = -1;
 			goto out_unlock;
 		}
 	}
 
 	/*
 	 * check destinations hosts before spending time
 	 * in fragmenting/encrypting packets to save
 	 * time processing data for unreachable hosts.
 	 * for unicast, also remap the destination data
 	 * to skip unreachable hosts.
 	 */
 
 	if (!bcast) {
 		dst_host_ids_entries = 0;
 		for (host_idx = 0; host_idx < dst_host_ids_entries_temp; host_idx++) {
 			dst_host = knet_h->host_index[dst_host_ids_temp[host_idx]];
 			if (!dst_host) {
 				continue;
 			}
 			if (!(dst_host->host_id == knet_h->host_id &&
 			     knet_h->has_loop_link) &&
 			    dst_host->status.reachable) {
 				dst_host_ids[dst_host_ids_entries] = dst_host_ids_temp[host_idx];
 				dst_host_ids_entries++;
 			}
 		}
 		if (!dst_host_ids_entries) {
 			savederrno = EHOSTDOWN;
 			err = -1;
 			goto out_unlock;
 		}
 	} else {
 		send_mcast = 0;
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			if (!(dst_host->host_id == knet_h->host_id &&
 			      knet_h->has_loop_link) &&
 			    dst_host->status.reachable) {
 				send_mcast = 1;
 				break;
 			}
 		}
 		if (!send_mcast) {
 			savederrno = EHOSTDOWN;
 			err = -1;
 			goto out_unlock;
 		}
 	}
 
 	if (!knet_h->data_mtu) {
 		/*
 		 * using MIN_MTU_V4 for data mtu is not completely accurate but safe enough
 		 */
 		log_debug(knet_h, KNET_SUB_TX,
 			  "Received data packet but data MTU is still unknown."
 			  " Packet might not be delivered."
 			  " Assuming minimum IPv4 MTU (%d)",
 			  KNET_PMTUD_MIN_MTU_V4);
 		temp_data_mtu = KNET_PMTUD_MIN_MTU_V4;
 	} else {
 		/*
 		 * take a copy of the mtu to avoid value changing under
 		 * our feet while we are sending a fragmented pckt
 		 */
 		temp_data_mtu = knet_h->data_mtu;
 	}
 
 	/*
 	 * compress data
 	 */
 	if ((knet_h->compress_model > 0) && (inlen > knet_h->compress_threshold)) {
 		size_t cmp_outlen = KNET_DATABUFSIZE_COMPRESS;
 		struct timespec start_time;
 		struct timespec end_time;
 		uint64_t compress_time;
 
 		clock_gettime(CLOCK_MONOTONIC, &start_time);
 		err = compress(knet_h,
 			       (const unsigned char *)inbuf->khp_data_userdata, inlen,
 			       knet_h->send_to_links_buf_compress, (ssize_t *)&cmp_outlen);
 
 		savederrno = errno;
 
 		stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 		if (stats_err < 0) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 			err = -1;
 			savederrno = stats_err;
 			goto out_unlock;
 		}
 		stats_locked = 1;
 		/* Collect stats */
 		clock_gettime(CLOCK_MONOTONIC, &end_time);
 		timespec_diff(start_time, end_time, &compress_time);
 
 		if (compress_time < knet_h->stats.tx_compress_time_min) {
 			knet_h->stats.tx_compress_time_min = compress_time;
 		}
 		if (compress_time > knet_h->stats.tx_compress_time_max) {
 			knet_h->stats.tx_compress_time_max = compress_time;
 		}
 		knet_h->stats.tx_compress_time_ave =
 			(unsigned long long)(knet_h->stats.tx_compress_time_ave * knet_h->stats.tx_compressed_packets +
 			 compress_time) / (knet_h->stats.tx_compressed_packets+1);
 		if (err < 0) {
 			log_warn(knet_h, KNET_SUB_COMPRESS, "Compression failed (%d): %s", err, strerror(savederrno));
 		} else {
 			knet_h->stats.tx_compressed_packets++;
 			knet_h->stats.tx_compressed_original_bytes += inlen;
 			knet_h->stats.tx_compressed_size_bytes += cmp_outlen;
 
 			if (cmp_outlen < inlen) {
 				memmove(inbuf->khp_data_userdata, knet_h->send_to_links_buf_compress, cmp_outlen);
 				inlen = cmp_outlen;
 				data_compressed = 1;
 			}
 		}
 	}
 	if (!stats_locked) {
 		stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 		if (stats_err < 0) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 			err = -1;
 			savederrno = stats_err;
 			goto out_unlock;
 		}
 	}
 	if (knet_h->compress_model > 0 && !data_compressed) {
 		knet_h->stats.tx_uncompressed_packets++;
 	}
 	pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 	stats_locked = 0;
 
 	/*
 	 * prepare the outgoing buffers
 	 */
 
 	frag_len = inlen;
 	frag_idx = 0;
 
 	inbuf->khp_data_bcast = bcast;
 	inbuf->khp_data_frag_num = ceil((float)inlen / temp_data_mtu);
 	inbuf->khp_data_channel = channel;
 	if (data_compressed) {
 		inbuf->khp_data_compress = knet_h->compress_model;
 	} else {
 		inbuf->khp_data_compress = 0;
 	}
 
 	if (pthread_mutex_lock(&knet_h->tx_seq_num_mutex)) {
 		log_debug(knet_h, KNET_SUB_TX, "Unable to get seq mutex lock");
 		goto out_unlock;
 	}
 	knet_h->tx_seq_num++;
 	/*
 	 * force seq_num 0 to detect a node that has crashed and rejoining
 	 * the knet instance. seq_num 0 will clear the buffers in the RX
 	 * thread
 	 */
 	if (knet_h->tx_seq_num == 0) {
 		knet_h->tx_seq_num++;
 	}
 	/*
 	 * cache the value in locked context
 	 */
 	tx_seq_num = knet_h->tx_seq_num;
 	inbuf->khp_data_seq_num = htons(knet_h->tx_seq_num);
 	pthread_mutex_unlock(&knet_h->tx_seq_num_mutex);
 
 	/*
 	 * forcefully broadcast a ping to all nodes every SEQ_MAX / 8
 	 * pckts.
 	 * this solves 2 problems:
 	 * 1) on TX socket overloads we generate extra pings to keep links alive
 	 * 2) in 3+ nodes setup, where all the traffic is flowing between node 1 and 2,
 	 *    node 3+ will be able to keep in sync on the TX seq_num even without
 	 *    receiving traffic or pings in betweens. This avoids issues with
 	 *    rollover of the circular buffer
 	 */
 
 	if (tx_seq_num % (SEQ_MAX / 8) == 0) {
 		_send_pings(knet_h, 0);
 	}
 
 	if (inbuf->khp_data_frag_num > 1) {
 		while (frag_idx < inbuf->khp_data_frag_num) {
 			/*
 			 * set the iov_base
 			 */
 			iov_out[frag_idx][0].iov_base = (void *)knet_h->send_to_links_buf[frag_idx];
 			iov_out[frag_idx][0].iov_len = KNET_HEADER_DATA_SIZE;
 			iov_out[frag_idx][1].iov_base = inbuf->khp_data_userdata + (temp_data_mtu * frag_idx);
 
 			/*
 			 * set the len
 			 */
 			if (frag_len > temp_data_mtu) {
 				iov_out[frag_idx][1].iov_len = temp_data_mtu;
 			} else {
 				iov_out[frag_idx][1].iov_len = frag_len;
 			}
 
 			/*
 			 * copy the frag info on all buffers
 			 */
 			knet_h->send_to_links_buf[frag_idx]->kh_type = inbuf->kh_type;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_seq_num = inbuf->khp_data_seq_num;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_frag_num = inbuf->khp_data_frag_num;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_bcast = inbuf->khp_data_bcast;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_channel = inbuf->khp_data_channel;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_compress = inbuf->khp_data_compress;
 
 			frag_len = frag_len - temp_data_mtu;
 			frag_idx++;
 		}
 		iovcnt_out = 2;
 	} else {
 		iov_out[frag_idx][0].iov_base = (void *)inbuf;
 		iov_out[frag_idx][0].iov_len = frag_len + KNET_HEADER_DATA_SIZE;
 		iovcnt_out = 1;
 	}
 
 	if (knet_h->crypto_in_use_config) {
 		struct timespec start_time;
 		struct timespec end_time;
 		uint64_t crypt_time;
 
 		frag_idx = 0;
 		while (frag_idx < inbuf->khp_data_frag_num) {
 			clock_gettime(CLOCK_MONOTONIC, &start_time);
 			if (crypto_encrypt_and_signv(
 					knet_h,
 					iov_out[frag_idx], iovcnt_out,
 					knet_h->send_to_links_buf_crypt[frag_idx],
 					(ssize_t *)&outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_TX, "Unable to encrypt packet");
 				savederrno = ECHILD;
 				err = -1;
 				goto out_unlock;
 			}
 			clock_gettime(CLOCK_MONOTONIC, &end_time);
 			timespec_diff(start_time, end_time, &crypt_time);
 
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 				err = -1;
 				savederrno = stats_err;
 				goto out_unlock;
 			}
 
 			if (crypt_time < knet_h->stats.tx_crypt_time_min) {
 				knet_h->stats.tx_crypt_time_min = crypt_time;
 			}
 			if (crypt_time > knet_h->stats.tx_crypt_time_max) {
 				knet_h->stats.tx_crypt_time_max = crypt_time;
 			}
 			knet_h->stats.tx_crypt_time_ave =
 				(knet_h->stats.tx_crypt_time_ave * knet_h->stats.tx_crypt_packets +
 				 crypt_time) / (knet_h->stats.tx_crypt_packets+1);
 
 			uncrypted_frag_size = 0;
 			for (j=0; j < iovcnt_out; j++) {
 				uncrypted_frag_size += iov_out[frag_idx][j].iov_len;
 			}
 			knet_h->stats.tx_crypt_byte_overhead += (outlen - uncrypted_frag_size);
 			knet_h->stats.tx_crypt_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 
 			iov_out[frag_idx][0].iov_base = knet_h->send_to_links_buf_crypt[frag_idx];
 			iov_out[frag_idx][0].iov_len = outlen;
 			frag_idx++;
 		}
 		iovcnt_out = 1;
 	}
 
 	memset(&msg, 0, sizeof(msg));
 
 	msgs_to_send = inbuf->khp_data_frag_num;
 
 	msg_idx = 0;
 
 	while (msg_idx < msgs_to_send) {
-		msg[msg_idx].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
+		msg[msg_idx].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage); /* this will set properly in _dispatch_to_links() */
 		msg[msg_idx].msg_hdr.msg_iov = &iov_out[msg_idx][0];
 		msg[msg_idx].msg_hdr.msg_iovlen = iovcnt_out;
 		msg_idx++;
 	}
 
 	if (!bcast) {
 		for (host_idx = 0; host_idx < dst_host_ids_entries; host_idx++) {
 			dst_host = knet_h->host_index[dst_host_ids[host_idx]];
 
 			err = _dispatch_to_links(knet_h, dst_host, &msg[0], msgs_to_send);
 			savederrno = errno;
 			if (err) {
 				goto out_unlock;
 			}
 		}
 	} else {
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			if (dst_host->status.reachable) {
 				err = _dispatch_to_links(knet_h, dst_host, &msg[0], msgs_to_send);
 				savederrno = errno;
 				if (err) {
 					goto out_unlock;
 				}
 			}
 		}
 	}
 
 out_unlock:
 	errno = savederrno;
 	return err;
 }
 
 static void _handle_send_to_links(knet_handle_t knet_h, struct msghdr *msg, int sockfd, int8_t channel, int type)
 {
 	ssize_t inlen = 0;
 	int savederrno = 0, docallback = 0;
 
+	/*
+	 * make sure BSD gets the right size
+	 */
+	msg->msg_namelen = knet_h->knet_transport_fd_tracker[sockfd].sockaddr_len;
+
 	if ((channel >= 0) &&
 	    (channel < KNET_DATAFD_MAX) &&
 	    (!knet_h->sockfd[channel].is_socket)) {
 		inlen = readv(sockfd, msg->msg_iov, 1);
 	} else {
 		inlen = recvmsg(sockfd, msg, MSG_DONTWAIT | MSG_NOSIGNAL);
 		if (msg->msg_flags & MSG_TRUNC) {
 			log_warn(knet_h, KNET_SUB_TX, "Received truncated message from sock %d. Discarding", sockfd);
 			return;
 		}
 	}
 
 	if (inlen == 0) {
 		savederrno = 0;
 		docallback = 1;
 	} else if (inlen < 0) {
 		struct epoll_event ev;
 
 		savederrno = errno;
 		docallback = 1;
 		memset(&ev, 0, sizeof(struct epoll_event));
 
 		if (epoll_ctl(knet_h->send_to_links_epollfd,
 			      EPOLL_CTL_DEL, knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], &ev)) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to del datafd %d from linkfd epoll pool: %s",
 				knet_h->sockfd[channel].sockfd[0], strerror(savederrno));
 		} else {
 			knet_h->sockfd[channel].has_error = 1;
 		}
 	} else {
 		knet_h->recv_from_sock_buf->kh_type = type;
 		_parse_recv_from_sock(knet_h, inlen, channel, 0);
 	}
 
 	if (docallback) {
 		knet_h->sock_notify_fn(knet_h->sock_notify_fn_private_data,
 				       knet_h->sockfd[channel].sockfd[0],
 				       channel,
 				       KNET_NOTIFY_TX,
 				       inlen,
 				       savederrno);
 	}
 }
 
 void *_handle_send_to_links_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 	int i, nev, type;
 	int flush, flush_queue_limit;
 	int8_t channel;
 	struct iovec iov_in;
 	struct msghdr msg;
 	struct sockaddr_storage address;
 
 	set_thread_status(knet_h, KNET_THREAD_TX, KNET_THREAD_STARTED);
 
 	memset(&events, 0, sizeof(events));
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (void *)knet_h->recv_from_sock_buf->khp_data_userdata;
 	iov_in.iov_len = KNET_MAX_PACKET_SIZE;
 
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = &address;
 	msg.msg_namelen = sizeof(struct sockaddr_storage);
 	msg.msg_iov = &iov_in;
 	msg.msg_iovlen = 1;
 
 	knet_h->recv_from_sock_buf->kh_version = KNET_HEADER_VERSION;
 	knet_h->recv_from_sock_buf->khp_data_frag_seq = 0;
 	knet_h->recv_from_sock_buf->kh_node = htons(knet_h->host_id);
 
 	for (i = 0; i < PCKT_FRAG_MAX; i++) {
 		knet_h->send_to_links_buf[i]->kh_version = KNET_HEADER_VERSION;
 		knet_h->send_to_links_buf[i]->khp_data_frag_seq = i + 1;
 		knet_h->send_to_links_buf[i]->kh_node = htons(knet_h->host_id);
 	}
 
 	flush_queue_limit = 0;
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(knet_h->send_to_links_epollfd, events, KNET_EPOLL_MAX_EVENTS + 1, KNET_THREADS_TIMERES / 1000);
 
 		flush = get_thread_flush_queue(knet_h, KNET_THREAD_TX);
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			/*
 			 * ideally we want to communicate that we are done flushing
 			 * the queue when we have an epoll timeout event
 			 */
 			if (flush == KNET_THREAD_QUEUE_FLUSH) {
 				set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSHED);
 				flush_queue_limit = 0;
 			}
 			continue;
 		}
 
 		/*
 		 * fall back in case the TX sockets will continue receive traffic
 		 * and we do not hit an epoll timeout.
 		 *
 		 * allow up to a 100 loops to flush queues, then we give up.
 		 * there might be more clean ways to do it by checking the buffer queue
 		 * on each socket, but we have tons of sockets and calculations can go wrong.
 		 * Also, why would you disable data forwarding and still send packets?
 		 */
 		if (flush == KNET_THREAD_QUEUE_FLUSH) {
 			if (flush_queue_limit >= 100) {
 				log_debug(knet_h, KNET_SUB_TX, "Timeout flushing the TX queue, expect packet loss");
 				set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSHED);
 				flush_queue_limit = 0;
 			} else {
 				flush_queue_limit++;
 			}
 		} else {
 			flush_queue_limit = 0;
 		}
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_TX, "Unable to get read lock");
 			continue;
 		}
 
 		for (i = 0; i < nev; i++) {
 			type = KNET_HEADER_TYPE_DATA;
 			for (channel = 0; channel < KNET_DATAFD_MAX; channel++) {
 				if ((knet_h->sockfd[channel].in_use) &&
 				    (knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created] == events[i].data.fd)) {
 					break;
 				}
 			}
 			if (channel >= KNET_DATAFD_MAX) {
 				log_debug(knet_h, KNET_SUB_TX, "No available channels");
 				continue; /* channel not found */
 			}
 			if (pthread_mutex_lock(&knet_h->tx_mutex) != 0) {
 				log_debug(knet_h, KNET_SUB_TX, "Unable to get mutex lock");
 				continue;
 			}
 			_handle_send_to_links(knet_h, &msg, events[i].data.fd, channel, type);
 			pthread_mutex_unlock(&knet_h->tx_mutex);
 		}
 
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_TX, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
 
 int knet_send_sync(knet_handle_t knet_h, const char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0, err = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_TX, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
+	if (!knet_h->dst_host_filter_fn) {
+		savederrno = ENETDOWN;
+		err = -1;
+		goto out;
+	}
+
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out;
 	}
 
 	savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_TX, "Unable to get TX mutex lock: %s",
 			strerror(savederrno));
 		err = -1;
 		goto out;
 	}
 
 	knet_h->recv_from_sock_buf->kh_type = KNET_HEADER_TYPE_DATA;
 	memmove(knet_h->recv_from_sock_buf->khp_data_userdata, buff, buff_len);
 	err = _parse_recv_from_sock(knet_h, buff_len, channel, 1);
 	savederrno = errno;
 
 	pthread_mutex_unlock(&knet_h->tx_mutex);
 
 out:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 ssize_t knet_send(knet_handle_t knet_h, const char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0;
 	ssize_t err = 0;
 	struct iovec iov_out[1];
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	memset(iov_out, 0, sizeof(iov_out));
 
 	iov_out[0].iov_base = (void *)buff;
 	iov_out[0].iov_len = buff_len;
 
 	err = writev(knet_h->sockfd[channel].sockfd[0], iov_out, 1);
 	savederrno = errno;
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
diff --git a/libknet/transport_common.c b/libknet/transport_common.c
index 69cd0227..5f187c0b 100644
--- a/libknet/transport_common.c
+++ b/libknet/transport_common.c
@@ -1,446 +1,447 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
 #include <pthread.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 
 #include "libknet.h"
 #include "compat.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "common.h"
 #include "transport_common.h"
 
 /*
  * reuse Jan Friesse's compat layer as wrapper to drop usage of sendmmsg
  *
  * TODO: kill those wrappers once we work on packet delivery guarantees
  */
 
 int _recvmmsg(int sockfd, struct knet_mmsghdr *msgvec, unsigned int vlen, unsigned int flags)
 {
 	int savederrno = 0, err = 0;
 	unsigned int i;
 
 	for (i = 0; i < vlen; i++) {
 		err = recvmsg(sockfd, &msgvec[i].msg_hdr, flags);
 		savederrno = errno;
 		if (err >= 0) {
 			msgvec[i].msg_len = err;
 			if (err == 0) {
 				/* No point in reading anything more until we know this has been dealt with
 				   or we'll just get a vector full of them. Several in fact */
 				i++;
 				break;
 			}
 		} else {
 			if ((i > 0) &&
 			    ((errno == EAGAIN) || (errno == EWOULDBLOCK))) {
 				savederrno = 0;
 			}
 			break;
 		}
 	}
 
 	errno = savederrno;
 	return ((i > 0) ? (int)i : err);
 }
 
 int _sendmmsg(int sockfd, int connection_oriented, struct knet_mmsghdr *msgvec, unsigned int vlen, unsigned int flags)
 {
 	int savederrno = 0, err = 0;
 	unsigned int i;
 	struct msghdr temp_msg;
 	struct msghdr *use_msghdr;
 
 	for (i = 0; i < vlen; i++) {
 		if (connection_oriented == TRANSPORT_PROTO_IS_CONNECTION_ORIENTED) {
 			memcpy(&temp_msg, &msgvec[i].msg_hdr, sizeof(struct msghdr));
 			temp_msg.msg_name = NULL;
 			temp_msg.msg_namelen = 0;
 			use_msghdr = &temp_msg;
 		} else {
 			use_msghdr = &msgvec[i].msg_hdr;
 		}
 		err = sendmsg(sockfd, use_msghdr, flags);
 		savederrno = errno;
 		if (err < 0) {
 			break;
 		}
 	}
 
 	errno = savederrno;
 	return ((i > 0) ? (int)i : err);
 }
 
 /* Assume neither of these constants can ever be zero */
 #ifndef SO_RCVBUFFORCE
 #define SO_RCVBUFFORCE 0
 #endif
 #ifndef SO_SNDBUFFORCE
 #define SO_SNDBUFFORCE 0
 #endif
 
 static int _configure_sockbuf(knet_handle_t knet_h, int sock, int option, int force, int target)
 {
 	int savederrno = 0;
 	int new_value;
 	socklen_t value_len = sizeof new_value;
 
 	if (setsockopt(sock, SOL_SOCKET, option, &target, sizeof target) != 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSPORT,
 			"Error setting socket buffer via option %d to value %d: %s\n",
 			option, target, strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (getsockopt(sock, SOL_SOCKET, option, &new_value, &value_len) != 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSPORT,
 			"Error getting socket buffer via option %d: %s\n",
 			option, strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (value_len != sizeof new_value) {
 		log_err(knet_h, KNET_SUB_TRANSPORT,
 			"Socket option %d returned unexpected size %u\n",
 			option, value_len);
 		errno = ERANGE;
 		return -1;
 	}
 
 	if (target <= new_value) {
 		return 0;
 	}
 
 	if (!force || !(knet_h->flags & KNET_HANDLE_FLAG_PRIVILEGED)) {
 		log_err(knet_h, KNET_SUB_TRANSPORT,
 			"Failed to set socket buffer via option %d to value %d: capped at %d",
 			option, target, new_value);
 		if (!(knet_h->flags & KNET_HANDLE_FLAG_PRIVILEGED)) {
 			log_err(knet_h, KNET_SUB_TRANSPORT,
 				"Continuing regardless, as the handle is not privileged."
 				" Expect poor performance!");
 			return 0;
 		} else {
 			errno = ENAMETOOLONG;
 			return -1;
 		}
 	}
 
 	if (setsockopt(sock, SOL_SOCKET, force, &target, sizeof target) < 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSPORT,
 			"Failed to set socket buffer via force option %d: %s",
 			force, strerror(savederrno));
 		if (savederrno == EPERM) {
 			errno = ENAMETOOLONG;
 		} else {
 			errno = savederrno;
 		}
 		return -1;
 	}
 
 	return 0;
 }
 
 int _configure_common_socket(knet_handle_t knet_h, int sock, uint64_t flags, const char *type)
 {
 	int err = 0, savederrno = 0;
 	int value;
 
 	if (_fdset_cloexec(sock)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s CLOEXEC socket opts: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_fdset_nonblock(sock)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s NONBLOCK socket opts: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_configure_sockbuf(knet_h, sock, SO_RCVBUF, SO_RCVBUFFORCE, KNET_RING_RCVBUFF)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s receive buffer: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_configure_sockbuf(knet_h, sock, SO_SNDBUF, SO_SNDBUFFORCE, KNET_RING_RCVBUFF)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s send buffer: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (flags & KNET_LINK_FLAG_TRAFFICHIPRIO) {
 #ifdef KNET_LINUX
 #ifdef SO_PRIORITY
 		value = 6; /* TC_PRIO_INTERACTIVE */
 		if (setsockopt(sock, SOL_SOCKET, SO_PRIORITY, &value, sizeof(value)) < 0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s priority: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "TC_PRIO_INTERACTIVE enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "TC_PRIO_INTERACTIVE not available in this build/platform");
 #endif
 #endif
 #if defined(IP_TOS) && defined(IPTOS_LOWDELAY)
 		value = IPTOS_LOWDELAY;
 		if (setsockopt(sock, IPPROTO_IP, IP_TOS, &value, sizeof(value)) < 0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s priority: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPTOS_LOWDELAY enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPTOS_LOWDELAY not available in this build/platform");
 #endif
 	}
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 int _configure_transport_socket(knet_handle_t knet_h, int sock, struct sockaddr_storage *address, uint64_t flags, const char *type)
 {
 	int err = 0, savederrno = 0;
 	int value;
 
 	if (_configure_common_socket(knet_h, sock, flags, type) < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 #ifdef KNET_LINUX
 #ifdef IP_FREEBIND
 	value = 1;
 	if (setsockopt(sock, SOL_IP, IP_FREEBIND, &value, sizeof(value)) <0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set FREEBIND on %s socket: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 	log_debug(knet_h, KNET_SUB_TRANSPORT, "FREEBIND enabled on socket: %i", sock);
 #else
 	log_debug(knet_h, KNET_SUB_TRANSPORT, "FREEBIND not available in this build/platform");
 #endif
 #endif
 #ifdef KNET_BSD
 #ifdef IP_BINDANY /* BSD */
 	value = 1;
 	if (setsockopt(sock, IPPROTO_IP, IP_BINDANY, &value, sizeof(value)) <0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set BINDANY on %s socket: %s",
 			type, strerror(savederrno));
 		goto exit_error;
 	}
 	log_debug(knet_h, KNET_SUB_TRANSPORT, "BINDANY enabled on socket: %i", sock);
 #else
 	log_debug(knet_h, KNET_SUB_TRANSPORT, "BINDANY not available in this build/platform");
 #endif
 #endif
 
 	if (address->ss_family == AF_INET6) {
 		value = 1;
 		if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
 			       &value, sizeof(value)) < 0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set %s IPv6 only: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 
 		}
 #ifdef KNET_LINUX
 #ifdef IPV6_MTU_DISCOVER
 		value = IPV6_PMTUDISC_PROBE;
 		if (setsockopt(sock, SOL_IPV6, IPV6_MTU_DISCOVER, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set PMTUDISC on %s socket: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPV6_MTU_DISCOVER enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPV6_MTU_DISCOVER not available in this build/platform");
 #endif
 #endif
 #ifdef IPV6_DONTFRAG
 		value = 1;
 		if (setsockopt(sock, IPPROTO_IPV6, IPV6_DONTFRAG, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set DONTFRAG on %s socket: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPV6_DONTFRAG enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "IPV6_DONTFRAG not available in this build/platform");
 #endif
 	} else {
 #ifdef KNET_LINUX
 #ifdef IP_MTU_DISCOVER
 		value = IP_PMTUDISC_PROBE;
 		if (setsockopt(sock, SOL_IP, IP_MTU_DISCOVER, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set PMTUDISC on %s socket: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "PMTUDISC enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "PMTUDISC not available in this build/platform");
 #endif
 #endif
 #ifdef KNET_BSD
 #ifdef IP_DONTFRAG
 		value = 1;
 		if (setsockopt(sock, IPPROTO_IP, IP_DONTFRAG, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set DONTFRAG on %s socket: %s",
 				type, strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "DONTFRAG enabled on socket: %i", sock);
 #else
 		log_debug(knet_h, KNET_SUB_TRANSPORT, "DONTFRAG not available in this build/platform");
 #endif
 #endif
 	}
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 int _init_socketpair(knet_handle_t knet_h, int *sock)
 {
 	int err = 0, savederrno = 0;
 	int i;
 
 	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sock) != 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize socketpair: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	for (i = 0; i < 2; i++) {
 		if (_configure_common_socket(knet_h, sock[i], 0, "local socketpair") < 0) {
 			savederrno = errno;
 			err = -1;
 			goto exit_fail;
 		}
 	}
 
 exit_fail:
 	errno = savederrno;
 	return err;
 }
 
 void _close_socketpair(knet_handle_t knet_h, int *sock)
 {
 	int i;
 
 	for (i = 0; i < 2; i++) {
 		if (sock[i]) {
 			close(sock[i]);
 			sock[i] = 0;
 		}
 	}
 }
 
 /*
  * must be called with global read lock
  *
  * return -1 on error
  * return 0 if fd is invalid
  * return 1 if fd is valid
  */
 int _is_valid_fd(knet_handle_t knet_h, int sockfd)
 {
 	int ret = 0;
 
 	if (sockfd < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (sockfd >= KNET_MAX_FDS) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (knet_h->knet_transport_fd_tracker[sockfd].transport >= KNET_MAX_TRANSPORTS) {
 		ret = 0;
 	} else {
 		ret = 1;
 	}
 
 	return ret;
 }
 
 /*
  * must be called with global write lock
  */
 
-int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t data_type, void *data)
+int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t data_type, socklen_t socklen, void *data)
 {
 	if (sockfd < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (sockfd >= KNET_MAX_FDS) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	knet_h->knet_transport_fd_tracker[sockfd].transport = transport;
 	knet_h->knet_transport_fd_tracker[sockfd].data_type = data_type;
+	knet_h->knet_transport_fd_tracker[sockfd].sockaddr_len = socklen;
 	knet_h->knet_transport_fd_tracker[sockfd].data = data;
 
 	return 0;
 }
diff --git a/libknet/transport_common.h b/libknet/transport_common.h
index 120e4760..95c1ee58 100644
--- a/libknet/transport_common.h
+++ b/libknet/transport_common.h
@@ -1,24 +1,24 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_TRANSPORT_COMMON_H__
 #define __KNET_TRANSPORT_COMMON_H__
 
 int _configure_common_socket(knet_handle_t knet_h, int sock, uint64_t flags, const char *type);
 int _configure_transport_socket(knet_handle_t knet_h, int sock, struct sockaddr_storage *address, uint64_t flags, const char *type);
 
 int _init_socketpair(knet_handle_t knet_h, int *sock);
 void _close_socketpair(knet_handle_t knet_h, int *sock);
 
-int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t data_type, void *data);
+int _set_fd_tracker(knet_handle_t knet_h, int sockfd, uint8_t transport, uint8_t data_type, socklen_t socklen, void *data);
 int _is_valid_fd(knet_handle_t knet_h, int sockfd);
 
 int _sendmmsg(int sockfd, int connection_oriented, struct knet_mmsghdr *msgvec, unsigned int vlen, unsigned int flags);
 int _recvmmsg(int sockfd, struct knet_mmsghdr *msgvec, unsigned int vlen, unsigned int flags);
 
 #endif
diff --git a/libknet/transport_loopback.c b/libknet/transport_loopback.c
index 34e7c980..99a1db95 100644
--- a/libknet/transport_loopback.c
+++ b/libknet/transport_loopback.c
@@ -1,85 +1,80 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <stdlib.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 
 #include "libknet.h"
 #include "compat.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "common.h"
 #include "transports.h"
 #include "transport_loopback.h"
 #include "threads_common.h"
 
 /* This is just a file of empty calls as the actual loopback is in threads_tx.c as a special case
    when receiving a packet from the localhost */
 
 
 int loopback_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	kn_link->transport_connected = 1;
 	kn_link->status.connected = 1;
 	return 0;
 }
 
 int loopback_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	return 0;
 }
 
 int loopback_transport_free(knet_handle_t knet_h)
 {
 	return 0;
 }
 
 int loopback_transport_init(knet_handle_t knet_h)
 {
 	return 0;
 }
 
 int loopback_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	return 0;
 }
 
 int loopback_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	return 0;
 }
 
 int loopback_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	return 0;
 }
 
 int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
 {
 	return 0;
 }
 
-int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
-{
-	return 0;
-}
-
 int loopback_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	return 0;
 }
diff --git a/libknet/transport_loopback.h b/libknet/transport_loopback.h
index f8e4e5a7..861c1776 100644
--- a/libknet/transport_loopback.h
+++ b/libknet/transport_loopback.h
@@ -1,29 +1,28 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include "internals.h"
 
 #ifndef __KNET_TRANSPORT_LOOPBACK_H__
 #define __KNET_TRANSPORT_LOOPBACK_H__
 
 #define KNET_PMTUD_LOOPBACK_OVERHEAD 0
 
 int loopback_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int loopback_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int loopback_transport_free(knet_handle_t knet_h);
 int loopback_transport_init(knet_handle_t knet_h);
 int loopback_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int loopback_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int loopback_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
 int loopback_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
-int loopback_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
 int loopback_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link);
 
 #endif
diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
index f3a03f16..36485e75 100644
--- a/libknet/transport_sctp.c
+++ b/libknet/transport_sctp.c
@@ -1,1618 +1,1639 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 #include <pthread.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <stdlib.h>
 #include <assert.h>
 
 #include "compat.h"
 #include "host.h"
 #include "links.h"
 #include "links_acl.h"
 #include "links_acl_ip.h"
 #include "logging.h"
 #include "netutils.h"
 #include "common.h"
 #include "transport_common.h"
 #include "transports.h"
 #include "threads_common.h"
 
 #ifdef HAVE_NETINET_SCTP_H
 #include <netinet/sctp.h>
 #include "transport_sctp.h"
 
 typedef struct sctp_handle_info {
 	struct qb_list_head listen_links_list;
 	struct qb_list_head connect_links_list;
 	int connect_epollfd;
 	int connectsockfd[2];
 	int listen_epollfd;
 	int listensockfd[2];
 	pthread_t connect_thread;
 	pthread_t listen_thread;
 	socklen_t event_subscribe_kernel_size;
 	char *event_subscribe_buffer;
 } sctp_handle_info_t;
 
 /*
  * use by fd_tracker data type
  */
 #define SCTP_NO_LINK_INFO       0
 #define SCTP_LISTENER_LINK_INFO 1
 #define SCTP_ACCEPTED_LINK_INFO 2
 #define SCTP_CONNECT_LINK_INFO  3
 
 /*
  * this value is per listener
  */
 #define MAX_ACCEPTED_SOCKS 256
 
 typedef struct sctp_listen_link_info {
 	struct qb_list_head list;
 	int listen_sock;
 	int accepted_socks[MAX_ACCEPTED_SOCKS];
 	struct sockaddr_storage src_address;
 	int on_listener_epoll;
 	int on_rx_epoll;
 	int sock_shutdown;
 } sctp_listen_link_info_t;
 
 typedef struct sctp_accepted_link_info {
 	char mread_buf[KNET_DATABUFSIZE];
 	ssize_t mread_len;
 	sctp_listen_link_info_t *link_info;
 } sctp_accepted_link_info_t ;
 
 typedef struct sctp_connect_link_info {
 	struct qb_list_head list;
 	sctp_listen_link_info_t *listener;
 	struct knet_link *link;
 	struct sockaddr_storage dst_address;
 	int connect_sock;
 	int on_rx_epoll;
 	int close_sock;
 	int sock_shutdown;
 } sctp_connect_link_info_t;
 
 /*
  * socket handling functions
  *
  * those functions do NOT perform locking. locking
  * should be handled in the right context from callers
  */
 
 /*
  * sockets are removed from rx_epoll from callers
  * see also error handling functions
  */
 static int _close_connect_socket(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	struct epoll_event ev;
 	sctp_connect_link_info_t *info = kn_link->transport_link;
 
 	if (info->connect_sock != -1) {
 		if (info->on_rx_epoll) {
 			memset(&ev, 0, sizeof(struct epoll_event));
 			ev.events = EPOLLIN;
 			ev.data.fd = info->connect_sock;
 			if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_DEL, info->connect_sock, &ev)) {
 				savederrno = errno;
 				err = -1;
 				log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove connected socket from epoll pool: %s",
 				strerror(savederrno));
 				goto exit_error;
 			}
 			info->on_rx_epoll = 0;
 		}
 
-		if (_set_fd_tracker(knet_h, info->connect_sock, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, NULL) < 0) {
+		if (_set_fd_tracker(knet_h, info->connect_sock, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, 0, NULL) < 0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 				strerror(savederrno));
 		} else {
 			close(info->connect_sock);
 			info->connect_sock = -1;
 		}
 	}
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 static int _enable_sctp_notifications(knet_handle_t knet_h, int sock, const char *type)
 {
 	int err = 0, savederrno = 0;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	if (setsockopt(sock, IPPROTO_SCTP, SCTP_EVENTS,
 		       handle_info->event_subscribe_buffer,
 		       handle_info->event_subscribe_kernel_size) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to enable %s events: %s",
 			type, strerror(savederrno));
 	}
 
 	errno = savederrno;
 	return err;
 }
 
 static int _configure_sctp_socket(knet_handle_t knet_h, int sock, struct sockaddr_storage *address, uint64_t flags, const char *type)
 {
 	int err = 0, savederrno = 0;
 	int value;
 	int level;
 
 #ifdef SOL_SCTP
 	level = SOL_SCTP;
 #else
 	level = IPPROTO_SCTP;
 #endif
 
 	if (_configure_transport_socket(knet_h, sock, address, flags, type) < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	value = 1;
 	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &value, sizeof(value)) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set reuseaddr on socket %d: %s",
 			sock, strerror(savederrno));
 		goto exit_error;
 	}
 
 	value = 1;
 	if (setsockopt(sock, level, SCTP_NODELAY, &value, sizeof(value)) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSPORT, "Unable to set sctp nodelay: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_enable_sctp_notifications(knet_h, sock, type) < 0) {
 		savederrno = errno;
 		err = -1;
 	}
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 static int _reconnect_socket(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	sctp_connect_link_info_t *info = kn_link->transport_link;
 
 	if (connect(info->connect_sock, (struct sockaddr *)&kn_link->dst_addr, sockaddr_len(&kn_link->dst_addr)) < 0) {
 		savederrno = errno;
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP socket %d received error: %s", info->connect_sock, strerror(savederrno));
 		if ((savederrno != EALREADY) && (savederrno != EINPROGRESS) && (savederrno != EISCONN)) {
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to connect SCTP socket %d: %s",
 				info->connect_sock, strerror(savederrno));
 		}
 	}
 
 	errno = savederrno;
 	return err;
 }
 
 static int _create_connect_socket(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	struct epoll_event ev;
 	sctp_connect_link_info_t *info = kn_link->transport_link;
 	int connect_sock;
 	struct sockaddr_storage connect_addr;
 
 	connect_sock = socket(kn_link->dst_addr.ss_family, SOCK_STREAM, IPPROTO_SCTP);
 	if (connect_sock < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to create send/recv socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_configure_sctp_socket(knet_h, connect_sock, &kn_link->dst_addr, kn_link->flags, "SCTP connect") < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	memset(&connect_addr, 0, sizeof(struct sockaddr_storage));
 	if (knet_strtoaddr(kn_link->status.src_ipaddr, "0", &connect_addr, sockaddr_len(&connect_addr)) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to resolve connecting socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 
 	}
 
 	if (bind(connect_sock, (struct sockaddr *)&connect_addr, sockaddr_len(&connect_addr)) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to bind connecting socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
-	if (_set_fd_tracker(knet_h, connect_sock, KNET_TRANSPORT_SCTP, SCTP_CONNECT_LINK_INFO, info) < 0) {
+	if (_set_fd_tracker(knet_h, connect_sock, KNET_TRANSPORT_SCTP, SCTP_CONNECT_LINK_INFO, sockaddr_len(&kn_link->src_addr), info) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = connect_sock;
 	if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_ADD, connect_sock, &ev)) {
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to add connected socket to epoll pool: %s",
 			strerror(errno));
 	}
 	info->on_rx_epoll = 1;
 
 	info->connect_sock = connect_sock;
 	info->close_sock = 0;
 	kn_link->outsock = info->connect_sock;
 
 	if (_reconnect_socket(knet_h, kn_link) < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 exit_error:
 	if (err) {
 		if (connect_sock >= 0) {
 			close(connect_sock);
 		}
 	}
 	errno = savederrno;
 	return err;
 }
 
 static void _lock_sleep_relock(knet_handle_t knet_h)
 {
 	int i = 0;
 
 	/* Don't hold onto the lock while sleeping */
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	while (i < 5) {
 		usleep(KNET_THREADS_TIMERES / 16);
 		if (!pthread_rwlock_rdlock(&knet_h->global_rwlock)) {
 			/*
 			 * lock acquired, we can go out
 			 */
 			return;
 		} else {
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to get read lock!");
 			i++;
 		}
 	}
 	/*
 	 * time to crash! if we cannot re-acquire the lock
 	 * there is no easy way out of this one
 	 */
 	assert(0);
 }
 
 int sctp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	sctp_connect_link_info_t *connect_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 	sctp_accepted_link_info_t *accepted_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 	sctp_listen_link_info_t *listen_info;
 
 	if (recv_err < 0) {
 		switch (knet_h->knet_transport_fd_tracker[sockfd].data_type) {
 			case SCTP_CONNECT_LINK_INFO:
 				if (connect_info->link->transport_connected == 0) {
 					return -1;
 				}
 				break;
 			case SCTP_ACCEPTED_LINK_INFO:
 				listen_info = accepted_info->link_info;
 				if (listen_info->listen_sock != sockfd) {
 					if (listen_info->on_rx_epoll == 0) {
 						return -1;
 					}
 				}
 				break;
 		}
 		if (recv_errno == EAGAIN) {
 #ifdef DEBUG
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Sock: %d is overloaded. Slowing TX down", sockfd);
 #endif
 			_lock_sleep_relock(knet_h);
 			return 1;
 		}
 		return -1;
 	}
 	return 0;
 }
 
 /*
  * socket error management functions
  *
  * both called with global read lock.
  *
  * NOTE: we need to remove the fd from the epoll as soon as possible
  *       even before we notify the respective thread to take care of it
  *       because scheduling can make it so that this thread will overload
  *       and the threads supposed to take care of the error will never
  *       be able to take action.
  *       we CANNOT handle FDs here directly (close/reconnect/etc) due
  *       to locking context. We need to delegate that to their respective
  *       management threads within the global write lock.
  *
  * this function is called from:
  * - RX thread with recv_err <= 0 directly on recvmmsg error
  * - transport_rx_is_data when msg_len == 0 (recv_err = 1)
  * - transport_rx_is_data on notification (recv_err = 2)
  *
  * basically this small abuse of recv_err is to detect notifications
  * generated by sockets created by listen().
  */
 int sctp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	struct epoll_event ev;
 	sctp_accepted_link_info_t *accepted_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 	sctp_listen_link_info_t *listen_info;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	switch (knet_h->knet_transport_fd_tracker[sockfd].data_type) {
 		case SCTP_CONNECT_LINK_INFO:
 			/*
 			 * all connect link have notifications enabled
 			 * and we accept only data from notification and
 			 * generic recvmmsg errors.
 			 *
 			 * Errors generated by msg_len 0 can be ignored because
 			 * they follow a notification (double notification)
 			 */
 			if (recv_err != 1) {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Notifying connect thread that sockfd %d received an error", sockfd);
 				if (sendto(handle_info->connectsockfd[1], &sockfd, sizeof(int), MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0) != sizeof(int)) {
 					log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to notify connect thread: %s", strerror(errno));
 				}
 			}
 			break;
 		case SCTP_ACCEPTED_LINK_INFO:
 			listen_info = accepted_info->link_info;
 			if (listen_info->listen_sock != sockfd) {
 				if (recv_err != 1) {
 					if (listen_info->on_rx_epoll) {
 						memset(&ev, 0, sizeof(struct epoll_event));
 						ev.events = EPOLLIN;
 						ev.data.fd = sockfd;
 						if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_DEL, sockfd, &ev)) {
 							log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove EOFed socket from epoll pool: %s",
 							strerror(errno));
 							return -1;
 						}
 						listen_info->on_rx_epoll = 0;
 					}
 					log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Notifying listen thread that sockfd %d received an error", sockfd);
 					if (sendto(handle_info->listensockfd[1], &sockfd, sizeof(int), MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0) != sizeof(int)) {
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to notify listen thread: %s", strerror(errno));
 					}
 				}
 			} else {
 				/*
 				 * this means the listen() socket has generated
 				 * a notification. now what? :-)
 				 */
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received stray notification for listen() socket %d", sockfd);
 			}
 			break;
 		default:
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received unknown notification? %d", sockfd);
 			break;
 	}
 	/*
 	 * Under RX pressure we need to give time to IPC to pick up the message
 	 */
 
 	_lock_sleep_relock(knet_h);
 	return 0;
 }
 
 /*
  * NOTE: sctp_transport_rx_is_data is called with global rdlock
  *       delegate any FD error management to sctp_transport_rx_sock_error
  *       and keep this code to parsing incoming data only
  */
 int sctp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	size_t i;
 	struct iovec *iov = msg->msg_hdr.msg_iov;
 	size_t iovlen = msg->msg_hdr.msg_iovlen;
 	struct sctp_assoc_change *sac;
 	union sctp_notification  *snp;
 	sctp_accepted_link_info_t *listen_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 	sctp_connect_link_info_t *connect_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 
 	if (!(msg->msg_hdr.msg_flags & MSG_NOTIFICATION)) {
 		if (msg->msg_len == 0) {
 			/*
 			 * NOTE: with event notification enabled, we receive error twice:
 			 *       1) from the event notification
 			 *       2) followed by a 0 byte msg_len
 			 *
 			 * the event handler should take care to avoid #2 by stopping
 			 * the rx thread from processing more packets than necessary.
 			 */
 			if (knet_h->knet_transport_fd_tracker[sockfd].data_type == SCTP_CONNECT_LINK_INFO) {
 				if (connect_info->sock_shutdown) {
 					return KNET_TRANSPORT_RX_OOB_DATA_CONTINUE;
 				}
 			} else {
 				if (listen_info->link_info->sock_shutdown) {
 					return KNET_TRANSPORT_RX_OOB_DATA_CONTINUE;
 				}
 			}
 			/*
 			 * this is pretty much dead code and we should never hit it.
 			 * keep it for safety and avoid the rx thread to process
 			 * bad info / data.
 			 */
 			return KNET_TRANSPORT_RX_NOT_DATA_STOP;
 		}
 		/*
 		 * missing MSG_EOR has to be treated as a short read
 		 * from the socket and we need to fill in the mread buf
 		 * while we wait for MSG_EOR
 		 */
 		if (!(msg->msg_hdr.msg_flags & MSG_EOR)) {
 			/*
 			 * copy the incoming data into mread_buf + mread_len (incremental)
 			 * and increase mread_len
 			 */
 			memmove(listen_info->mread_buf + listen_info->mread_len, iov->iov_base, msg->msg_len);
 			listen_info->mread_len = listen_info->mread_len + msg->msg_len;
 			return KNET_TRANSPORT_RX_NOT_DATA_CONTINUE;
 		}
 		/*
 		 * got EOR.
 		 * if mread_len is > 0 we are completing a packet from short reads
 		 * complete reassembling the packet in mread_buf, copy it back in the iov
 		 * and set the iov/msg len numbers (size) correctly
 		 */
 		if (listen_info->mread_len) {
 			/*
 			 * add last fragment to mread_buf
 			 */
 			memmove(listen_info->mread_buf + listen_info->mread_len, iov->iov_base, msg->msg_len);
 			listen_info->mread_len = listen_info->mread_len + msg->msg_len;
 			/*
 			 * move all back into the iovec
 			 */
 			memmove(iov->iov_base, listen_info->mread_buf, listen_info->mread_len);
 			msg->msg_len = listen_info->mread_len;
 			listen_info->mread_len = 0;
 		}
 		return KNET_TRANSPORT_RX_IS_DATA;
 	}
 
 	if (!(msg->msg_hdr.msg_flags & MSG_EOR)) {
 		return KNET_TRANSPORT_RX_NOT_DATA_STOP;
 	}
 
 	for (i = 0; i < iovlen; i++) {
 		snp = iov[i].iov_base;
 
 		switch (snp->sn_header.sn_type) {
 			case SCTP_ASSOC_CHANGE:
 				sac = &snp->sn_assoc_change;
 				switch (sac->sac_state) {
 					case SCTP_COMM_LOST:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: comm_lost", sockfd);
 						if (knet_h->knet_transport_fd_tracker[sockfd].data_type == SCTP_CONNECT_LINK_INFO) {
 							connect_info->close_sock = 1;
 							connect_info->link->transport_connected = 0;
 						}
 						sctp_transport_rx_sock_error(knet_h, sockfd, 2, 0);
 						return KNET_TRANSPORT_RX_OOB_DATA_STOP;
 						break;
 					case SCTP_COMM_UP:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: comm_up", sockfd);
 						if (knet_h->knet_transport_fd_tracker[sockfd].data_type == SCTP_CONNECT_LINK_INFO) {
 							connect_info->link->transport_connected = 1;
 						}
 						break;
 					case SCTP_RESTART:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: restart", sockfd);
 						break;
 					case SCTP_SHUTDOWN_COMP:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: shutdown comp", sockfd);
 						if (knet_h->knet_transport_fd_tracker[sockfd].data_type == SCTP_CONNECT_LINK_INFO) {
 							connect_info->close_sock = 1;
 						}
 						sctp_transport_rx_sock_error(knet_h, sockfd, 2, 0);
 						return KNET_TRANSPORT_RX_OOB_DATA_STOP;
 						break;
 					case SCTP_CANT_STR_ASSOC:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: cant str assoc", sockfd);
 						sctp_transport_rx_sock_error(knet_h, sockfd, 2, 0);
 						break;
 					default:
 						log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp assoc change socket %d: unknown %d", sockfd, sac->sac_state);
 						break;
 				}
 				break;
 			case SCTP_SHUTDOWN_EVENT:
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp shutdown event socket %d", sockfd);
 				if (knet_h->knet_transport_fd_tracker[sockfd].data_type == SCTP_CONNECT_LINK_INFO) {
 					connect_info->link->transport_connected = 0;
 					connect_info->sock_shutdown = 1;
 				} else {
 					listen_info->link_info->sock_shutdown = 1;
 				}
 				break;
 			case SCTP_SEND_FAILED:
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp send failed socket: %d", sockfd);
 				break;
 			case SCTP_PEER_ADDR_CHANGE:
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp peer addr change socket %d", sockfd);
 				break;
 			case SCTP_REMOTE_ERROR:
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] sctp remote error socket %d", sockfd);
 				break;
 			default:
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "[event] unknown sctp event socket: %d type: %hu", sockfd, snp->sn_header.sn_type);
 				break;
 		}
 	}
 	return KNET_TRANSPORT_RX_OOB_DATA_CONTINUE;
 }
 
 int sctp_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	sctp_connect_link_info_t *info = kn_link->transport_link;
 
 	kn_link->transport_connected = 0;
 	info->close_sock = 1;
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Notifying connect thread that sockfd %d received a link down event", info->connect_sock);
 	if (sendto(handle_info->connectsockfd[1], &info->connect_sock, sizeof(int), MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0) != sizeof(int)) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to notify connect thread: %s", strerror(errno));
 	}
 
 	return 0;
 }
 
 /*
  * connect / outgoing socket management thread
  */
 
 /*
  * _handle_connected_sctp* are called with a global write lock
  * from the connect_thread
  */
 static void _handle_connected_sctp_socket(knet_handle_t knet_h, int connect_sock)
 {
 	int err;
 	unsigned int status, len = sizeof(status);
 	sctp_connect_link_info_t *info = knet_h->knet_transport_fd_tracker[connect_sock].data;
 	struct knet_link *kn_link = info->link;
 
 	if (info->close_sock) {
 		if (_close_connect_socket(knet_h, kn_link) < 0) {
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to close sock %d from _handle_connected_sctp_socket: %s", connect_sock, strerror(errno));
 			return;
 		}
 		info->close_sock = 0;
 		if (_create_connect_socket(knet_h, kn_link) < 0) {
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to recreate connecting sock! %s", strerror(errno));
 			return;
 		}
 	}
 
 	_reconnect_socket(knet_h, info->link);
 
 	err = getsockopt(connect_sock, SOL_SOCKET, SO_ERROR, &status, &len);
 	if (err) {
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP getsockopt() on connecting socket %d failed: %s",
 			connect_sock, strerror(errno));
 		return;
 	}
 
 	if (status) {
 		log_info(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP connect on %d to %s port %s failed: %s",
 			 connect_sock, kn_link->status.dst_ipaddr, kn_link->status.dst_port,
 			 strerror(status));
 
 		/*
 		 * No need to create a new socket if connect failed,
 		 * just retry connect
 		 */
 		return;
 	}
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP handler fd %d now connected to %s port %s",
 		  connect_sock,
 		  kn_link->status.dst_ipaddr, kn_link->status.dst_port);
 }
 
 static void _handle_connected_sctp_notifications(knet_handle_t knet_h)
 {
 	int sockfd = -1;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	if (recv(handle_info->connectsockfd[0], &sockfd, sizeof(int), MSG_DONTWAIT | MSG_NOSIGNAL) != sizeof(int)) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Short read on connectsockfd");
 		return;
 	}
 
 	if (_is_valid_fd(knet_h, sockfd) < 1) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received stray notification for connected socket fd error");
 		return;
 	}
 
 	/*
 	 * revalidate sockfd
 	 */
 	if ((sockfd < 0) || (sockfd >= KNET_MAX_FDS)) {
 		return;
 	}
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Processing connected error on socket: %d", sockfd);
 
 	_handle_connected_sctp_socket(knet_h, sockfd);
 }
 
 static void *_sctp_connect_thread(void *data)
 {
 	int savederrno;
 	int i, nev;
 	knet_handle_t knet_h = (knet_handle_t) data;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 
 	set_thread_status(knet_h, KNET_THREAD_SCTP_CONN, KNET_THREAD_STARTED);
 
 	memset(&events, 0, sizeof(events));
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(handle_info->connect_epollfd, events, KNET_EPOLL_MAX_EVENTS, KNET_THREADS_TIMERES / 1000);
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			continue;
 		}
 
 		if (nev < 0) {
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP connect handler EPOLL ERROR: %s",
 				  strerror(errno));
 			continue;
 		}
 
 		/*
 		 * Sort out which FD has a connection
 		 */
 		savederrno = get_global_wrlock(knet_h);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to get write lock: %s",
 				strerror(savederrno));
 			continue;
 		}
 
 		/*
 		 * minor optimization: deduplicate events
 		 *
 		 * in some cases we can receive multiple notifcations
 		 * of the same FD having issues or need handling.
 		 * It's enough to process it once even tho it's safe
 		 * to handle them multiple times.
 		 */
 		for (i = 0; i < nev; i++) {
 			if (events[i].data.fd == handle_info->connectsockfd[0]) {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received notification from rx_error for connected socket");
 				_handle_connected_sctp_notifications(knet_h);
 			} else {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received stray notification on connected sockfd %d\n", events[i].data.fd);
 			}
 		}
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 		/*
 		 * this thread can generate events for itself.
 		 * we need to sleep in between loops to allow other threads
 		 * to be scheduled
 		 */
 		usleep(knet_h->reconnect_int * 1000);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_SCTP_CONN, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
 
 /*
  * listen/incoming connections management thread
  */
 
 /*
  * Listener received a new connection
  * called with a write lock from main thread
  */
 static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
 {
 	int err = 0, savederrno = 0;
 	int new_fd;
 	int i = -1;
 	sctp_listen_link_info_t *info = knet_h->knet_transport_fd_tracker[listen_sock].data;
 	struct epoll_event ev;
 	struct sockaddr_storage ss;
 	socklen_t sock_len = sizeof(ss);
 	char addr_str[KNET_MAX_HOST_LEN];
 	char port_str[KNET_MAX_PORT_LEN];
 	sctp_accepted_link_info_t *accept_info = NULL;
+	struct knet_host *host;
+	struct knet_link *kn_link;
+	int link_idx;
+	sctp_connect_link_info_t *this_link_connect_info;
+	sctp_listen_link_info_t *this_link_listen_info;
+	int pass_acl = 0;
+
+	memset(&ss, 0, sizeof(ss));
 
 	new_fd = accept(listen_sock, (struct sockaddr *)&ss, &sock_len);
 	if (new_fd < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: accept error: %s", strerror(errno));
 		goto exit_error;
 	}
 
 	if (knet_addrtostr(&ss, sizeof(ss),
 			   addr_str, KNET_MAX_HOST_LEN,
 			   port_str, KNET_MAX_PORT_LEN) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: unable to gather socket info");
 		goto exit_error;
 	}
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
 						addr_str, port_str);
+
 	if (knet_h->use_access_lists) {
-		if (!check_validate(knet_h, listen_sock, KNET_TRANSPORT_SCTP, &ss)) {
+		for (host = knet_h->host_head; host != NULL; host = host->next) {
+			for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
+				kn_link = &host->link[link_idx];
+
+				if ((kn_link->configured) && (kn_link->transport == KNET_TRANSPORT_SCTP)) {
+					this_link_connect_info = kn_link->transport_link;
+					this_link_listen_info = this_link_connect_info->listener;
+					if ((this_link_listen_info->listen_sock == listen_sock) &&
+					    (check_validate(knet_h, kn_link, &ss))) {
+						pass_acl = 1;
+						break;
+					}
+				}
+			}
+			if (pass_acl) {
+				break;
+			}
+		}
+		if (!pass_acl) {
 			savederrno = EINVAL;
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
 			close(new_fd);
 			errno = savederrno;
 			return;
 		}
 	}
 
 	/*
 	 * Keep a track of all accepted FDs
 	 */
 	for (i=0; i<MAX_ACCEPTED_SOCKS; i++) {
 		if (info->accepted_socks[i] == -1) {
 			info->accepted_socks[i] = new_fd;
 			break;
 		}
 	}
 
 	if (i == MAX_ACCEPTED_SOCKS) {
 		errno = EBUSY;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: too many connections!");
 		goto exit_error;
 	}
 
 	if (_configure_common_socket(knet_h, new_fd, 0, "SCTP incoming") < 0) { /* Inherit flags from listener? */
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	if (_enable_sctp_notifications(knet_h, new_fd, "Incoming connection") < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	accept_info = malloc(sizeof(sctp_accepted_link_info_t));
 	if (!accept_info) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 	memset(accept_info, 0, sizeof(sctp_accepted_link_info_t));
 
 	accept_info->link_info = info;
 
-	if (_set_fd_tracker(knet_h, new_fd, KNET_TRANSPORT_SCTP, SCTP_ACCEPTED_LINK_INFO, accept_info) < 0) {
+	if (_set_fd_tracker(knet_h, new_fd, KNET_TRANSPORT_SCTP, SCTP_ACCEPTED_LINK_INFO,
+			    knet_h->knet_transport_fd_tracker[listen_sock].sockaddr_len,
+			    accept_info) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 			strerror(errno));
 		goto exit_error;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = new_fd;
 	if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_ADD, new_fd, &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: unable to add accepted socket %d to epoll pool: %s",
 			new_fd, strerror(errno));
 		goto exit_error;
 	}
 	info->on_rx_epoll = 1;
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: accepted new fd %d for %s/%s (listen fd: %d). index: %d",
 		  new_fd, addr_str, port_str, info->listen_sock, i);
 
 exit_error:
 	if (err) {
 		if ((i >= 0) && (i < MAX_ACCEPTED_SOCKS)) {
 			info->accepted_socks[i] = -1;
 		}
 		/*
 		 * check the error to make coverity scan happy.
 		 * _set_fd_tracker cannot fail at this stage
 		 */
-		if (_set_fd_tracker(knet_h, new_fd, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, NULL) < 0){
+		if (_set_fd_tracker(knet_h, new_fd, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, 0, NULL) < 0){
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to update fdtracker for socket %d", new_fd);
 		}
 		free(accept_info);
 		if (new_fd >= 0) {
 			close(new_fd);
 		}
 	}
 	errno = savederrno;
 	return;
 }
 
 /*
  * Listen thread received a notification of a bad socket that needs closing
  * called with a write lock from main thread
  */
 static void _handle_listen_sctp_errors(knet_handle_t knet_h)
 {
 	int sockfd = -1;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	sctp_accepted_link_info_t *accept_info;
 	sctp_listen_link_info_t *info;
 	struct knet_host *host;
 	int link_idx;
 	int i;
 
 	if (recv(handle_info->listensockfd[0], &sockfd, sizeof(int), MSG_DONTWAIT | MSG_NOSIGNAL) != sizeof(int)) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Short read on listensockfd");
 		return;
 	}
 
 	if (_is_valid_fd(knet_h, sockfd) < 1) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received stray notification for listen socket fd error");
 		return;
 	}
 
 	/*
 	 * revalidate sockfd
 	 */
 	if ((sockfd < 0) || (sockfd >= KNET_MAX_FDS)) {
 		return;
 	}
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Processing listen error on socket: %d", sockfd);
 
 	accept_info = knet_h->knet_transport_fd_tracker[sockfd].data;
 	info = accept_info->link_info;
 
 	/*
 	 * clear all links using this accepted socket as
 	 * outbound dynamically connected socket
 	 */
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if ((host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
 			    (host->link[link_idx].outsock == sockfd)) {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Found dynamic connection on host %d link %d (%d)",
 					  host->host_id, link_idx, sockfd);
 				host->link[link_idx].status.dynconnected = 0;
 				host->link[link_idx].transport_connected = 0;
 				host->link[link_idx].outsock = 0;
 				memset(&host->link[link_idx].dst_addr, 0, sizeof(struct sockaddr_storage));
 			}
 		}
 	}
 
 	for (i=0; i<MAX_ACCEPTED_SOCKS; i++) {
 		if (sockfd == info->accepted_socks[i]) {
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Closing accepted socket %d", sockfd);
 			/*
 			 * check the error to make coverity scan happy.
 			 * _set_fd_tracker cannot fail at this stage
 			 */
-			if (_set_fd_tracker(knet_h, sockfd, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, NULL) < 0) {
+			if (_set_fd_tracker(knet_h, sockfd, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, 0, NULL) < 0) {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to update fdtracker for socket %d", sockfd);
 			}
 			info->accepted_socks[i] = -1;
 			free(accept_info);
 			close(sockfd);
 			break; /* Keeps covscan happy */
 		}
 	}
 }
 
 static void *_sctp_listen_thread(void *data)
 {
 	int savederrno;
 	int i, nev;
 	knet_handle_t knet_h = (knet_handle_t) data;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 
 	set_thread_status(knet_h, KNET_THREAD_SCTP_LISTEN, KNET_THREAD_STARTED);
 
 	memset(&events, 0, sizeof(events));
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(handle_info->listen_epollfd, events, KNET_EPOLL_MAX_EVENTS, KNET_THREADS_TIMERES / 1000);
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			continue;
 		}
 
 		if (nev < 0) {
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP listen handler EPOLL ERROR: %s",
 				  strerror(errno));
 			continue;
 		}
 
 		savederrno = get_global_wrlock(knet_h);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to get write lock: %s",
 				strerror(savederrno));
 			continue;
 		}
 		/*
 		 * Sort out which FD has an incoming connection
 		 */
 		for (i = 0; i < nev; i++) {
 			if (events[i].data.fd == handle_info->listensockfd[0]) {
 				log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received notification from rx_error for listener/accepted socket");
 				_handle_listen_sctp_errors(knet_h);
 			} else {
 				if (_is_valid_fd(knet_h, events[i].data.fd) == 1) {
 					_handle_incoming_sctp(knet_h, events[i].data.fd);
 				} else {
 					log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Received listen notification from invalid socket");
 				}
 			}
 
 		}
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_SCTP_LISTEN, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
 
 /*
  * sctp_link_listener_start/stop are called in global write lock
  * context from set_config and clear_config.
  */
 static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	int listen_sock = -1;
 	struct epoll_event ev;
 	sctp_listen_link_info_t *info = NULL;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	/*
 	 * Only allocate a new listener if src address is different
 	 */
 	qb_list_for_each_entry(info, &handle_info->listen_links_list, list) {
 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
-			if ((check_add(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP, -1,
+			if ((check_add(knet_h, kn_link, -1,
 				       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
 				return NULL;
 			}
 			return info;
 		}
 	}
 
 	info = malloc(sizeof(sctp_listen_link_info_t));
 	if (!info) {
 		err = -1;
 		goto exit_error;
 	}
 
 	memset(info, 0, sizeof(sctp_listen_link_info_t));
 
 	memset(info->accepted_socks, -1, sizeof(info->accepted_socks));
 	memmove(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage));
 
 	listen_sock = socket(kn_link->src_addr.ss_family, SOCK_STREAM, IPPROTO_SCTP);
 	if (listen_sock < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to create listener socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_configure_sctp_socket(knet_h, listen_sock, &kn_link->src_addr, kn_link->flags, "SCTP listener") < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	if (bind(listen_sock, (struct sockaddr *)&kn_link->src_addr, sockaddr_len(&kn_link->src_addr)) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to bind listener socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (listen(listen_sock, 5) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to listen on listener socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
-	if (_set_fd_tracker(knet_h, listen_sock, KNET_TRANSPORT_SCTP, SCTP_LISTENER_LINK_INFO, info) < 0) {
+	if (_set_fd_tracker(knet_h, listen_sock, KNET_TRANSPORT_SCTP, SCTP_LISTENER_LINK_INFO, sockaddr_len(&kn_link->src_addr), info) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
-	if ((check_add(knet_h, listen_sock, KNET_TRANSPORT_SCTP, -1,
+	if ((check_add(knet_h, kn_link, -1,
 		       &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != EEXIST)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = listen_sock;
 	if (epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_ADD, listen_sock, &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to add listener to epoll pool: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 	info->on_listener_epoll = 1;
 
 	info->listen_sock = listen_sock;
 	qb_list_add(&info->list, &handle_info->listen_links_list);
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Listening on fd %d for %s:%s", listen_sock, kn_link->status.src_ipaddr, kn_link->status.src_port);
 
 exit_error:
 	if (err) {
 		if ((info) && (info->on_listener_epoll)) {
 			epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
 		}
 		if (listen_sock >= 0) {
-			check_rmall(knet_h, listen_sock, KNET_TRANSPORT_SCTP);
+			check_rmall(knet_h, kn_link);
 			close(listen_sock);
 		}
 		if (info) {
 			free(info);
 			info = NULL;
 		}
 	}
 	errno = savederrno;
 	return info;
 }
 
 static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	int found = 0, i;
 	struct knet_host *host;
 	int link_idx;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	sctp_connect_link_info_t *this_link_info = kn_link->transport_link;
 	sctp_listen_link_info_t *info = this_link_info->listener;
 	sctp_connect_link_info_t *link_info;
 	struct epoll_event ev;
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if (&host->link[link_idx] == kn_link)
 				continue;
 
 			link_info = host->link[link_idx].transport_link;
 			if ((link_info) &&
 			    (link_info->listener == info)) {
 				found = 1;
 				break;
 			}
 		}
 	}
 
-	if ((check_rm(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP,
+	if ((check_rm(knet_h, kn_link,
 		      &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT) < 0) && (errno != ENOENT)) {
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
 	}
 
 	if (found) {
 		this_link_info->listener = NULL;
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP listener socket %d still in use", info->listen_sock);
 		savederrno = EBUSY;
 		err = -1;
 		goto exit_error;
 	}
 
 	if (info->on_listener_epoll) {
 		memset(&ev, 0, sizeof(struct epoll_event));
 		ev.events = EPOLLIN;
 		ev.data.fd = info->listen_sock;
 		if (epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, info->listen_sock, &ev)) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove listener to epoll pool: %s",
 				strerror(savederrno));
 			goto exit_error;
 		}
 		info->on_listener_epoll = 0;
 	}
 
-	if (_set_fd_tracker(knet_h, info->listen_sock, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, NULL) < 0) {
+	if (_set_fd_tracker(knet_h, info->listen_sock, KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, 0, NULL) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
-	check_rmall(knet_h, info->listen_sock, KNET_TRANSPORT_SCTP);
-
+	check_rmall(knet_h, kn_link);
 	close(info->listen_sock);
 
 	for (i=0; i< MAX_ACCEPTED_SOCKS; i++) {
 		if (info->accepted_socks[i] > -1) {
 			memset(&ev, 0, sizeof(struct epoll_event));
 			ev.events = EPOLLIN;
 			ev.data.fd = info->accepted_socks[i];
 			if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_DEL, info->accepted_socks[i], &ev)) {
 				log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove EOFed socket from epoll pool: %s",
 					strerror(errno));
 			}
 			info->on_rx_epoll = 0;
 			free(knet_h->knet_transport_fd_tracker[info->accepted_socks[i]].data);
 			close(info->accepted_socks[i]);
-			if (_set_fd_tracker(knet_h, info->accepted_socks[i], KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, NULL) < 0) {
+			if (_set_fd_tracker(knet_h, info->accepted_socks[i], KNET_MAX_TRANSPORTS, SCTP_NO_LINK_INFO, 0, NULL) < 0) {
 				savederrno = errno;
 				err = -1;
 				log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set fd tracker: %s",
 					strerror(savederrno));
 				goto exit_error;
 			}
 			info->accepted_socks[i] = -1;
 		}
 	}
 
 	qb_list_del(&info->list);
 	free(info);
 	this_link_info->listener = NULL;
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 /*
  * Links config/clear. Both called with global wrlock from link_set_config/clear_config
  */
 int sctp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int savederrno = 0, err = 0;
 	sctp_connect_link_info_t *info;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	info = malloc(sizeof(sctp_connect_link_info_t));
 	if (!info) {
 		goto exit_error;
 	}
 
 	memset(info, 0, sizeof(sctp_connect_link_info_t));
 
 	kn_link->transport_link = info;
 	info->link = kn_link;
 
 	memmove(&info->dst_address, &kn_link->dst_addr, sizeof(struct sockaddr_storage));
 	info->connect_sock = -1;
 
 	info->listener = sctp_link_listener_start(knet_h, kn_link);
 	if (!info->listener) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 	if (kn_link->dynamic == KNET_LINK_STATIC) {
 		if (_create_connect_socket(knet_h, kn_link) < 0) {
 			savederrno = errno;
 			err = -1;
 			goto exit_error;
 		}
 		kn_link->outsock = info->connect_sock;
 	}
 
 	qb_list_add(&info->list, &handle_info->connect_links_list);
 
 exit_error:
 	if (err) {
 		if (info) {
 			if (info->connect_sock >= 0) {
 				close(info->connect_sock);
 			}
 			if (info->listener) {
 				sctp_link_listener_stop(knet_h, kn_link);
 			}
 			kn_link->transport_link = NULL;
 			free(info);
 		}
 	}
 	errno = savederrno;
 	return err;
 }
 
 /*
  * called with global wrlock
  */
 int sctp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	sctp_connect_link_info_t *info;
 
 	if (!kn_link) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	info = kn_link->transport_link;
 
 	if (!info) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((sctp_link_listener_stop(knet_h, kn_link) <0) && (errno != EBUSY)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove listener transport: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_close_connect_socket(knet_h, kn_link) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to close connected socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	qb_list_del(&info->list);
 
 	free(info);
 	kn_link->transport_link = NULL;
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 /*
  * transport_free and transport_init are
  * called only from knet_handle_new and knet_handle_free.
  * all resources (hosts/links) should have been already freed at this point
  * and they are called in a write locked context, hence they
  * don't need their own locking.
  */
 
 int sctp_transport_free(knet_handle_t knet_h)
 {
 	sctp_handle_info_t *handle_info;
 	void *thread_status;
 	struct epoll_event ev;
 
 	if (!knet_h->transports[KNET_TRANSPORT_SCTP]) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 
 	/*
 	 * keep it here while we debug list usage and such
 	 */
 	if (!qb_list_empty(&handle_info->listen_links_list)) {
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Internal error. listen links list is not empty");
 	}
 	if (!qb_list_empty(&handle_info->connect_links_list)) {
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Internal error. connect links list is not empty");
 	}
 
 	if (handle_info->listen_thread) {
 		pthread_cancel(handle_info->listen_thread);
 		pthread_join(handle_info->listen_thread, &thread_status);
 	}
 
 	if (handle_info->connect_thread) {
 		pthread_cancel(handle_info->connect_thread);
 		pthread_join(handle_info->connect_thread, &thread_status);
 	}
 
 	if (handle_info->listensockfd[0] >= 0) {
 		memset(&ev, 0, sizeof(struct epoll_event));
 		ev.events = EPOLLIN;
 		ev.data.fd = handle_info->listensockfd[0];
 		epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, handle_info->listensockfd[0], &ev);
 	}
 
 	if (handle_info->connectsockfd[0] >= 0) {
 		memset(&ev, 0, sizeof(struct epoll_event));
 		ev.events = EPOLLIN;
 		ev.data.fd = handle_info->connectsockfd[0];
 		epoll_ctl(handle_info->connect_epollfd, EPOLL_CTL_DEL, handle_info->connectsockfd[0], &ev);
 	}
 
 	_close_socketpair(knet_h, handle_info->connectsockfd);
 	_close_socketpair(knet_h, handle_info->listensockfd);
 
 	if (handle_info->listen_epollfd >= 0) {
 		close(handle_info->listen_epollfd);
 	}
 
 	if (handle_info->connect_epollfd >= 0) {
 		close(handle_info->connect_epollfd);
 	}
 
 	free(handle_info->event_subscribe_buffer);
 	free(handle_info);
 	knet_h->transports[KNET_TRANSPORT_SCTP] = NULL;
 
 	return 0;
 }
 
 static int _sctp_subscribe_init(knet_handle_t knet_h)
 {
 	int test_socket, savederrno;
 	sctp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_SCTP];
 	char dummy_events[100];
 	struct sctp_event_subscribe *events;
 	/* Below we set the first 6 fields of this expanding struct.
 	 * SCTP_EVENTS is deprecated, but SCTP_EVENT is not available
 	 * on Linux; on the other hand, FreeBSD and old Linux does not
 	 * accept small transfers, so we can't simply use this minimum
 	 * everywhere.  Thus we query and store the native size. */
 	const unsigned int subscribe_min = 6;
 
 	test_socket = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
 	if (test_socket < 0) {
 		if (errno == EPROTONOSUPPORT) {
 			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP not supported, skipping initialization");
 			return 0;
 		}
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to create test socket: %s",
 			strerror(savederrno));
 		return savederrno;
 	}
 	handle_info->event_subscribe_kernel_size = sizeof dummy_events;
 	if (getsockopt(test_socket, IPPROTO_SCTP, SCTP_EVENTS, &dummy_events,
 		       &handle_info->event_subscribe_kernel_size)) {
 		close(test_socket);
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to query kernel size of struct sctp_event_subscribe: %s",
 			strerror(savederrno));
 		return savederrno;
 	}
 	close(test_socket);
 	if (handle_info->event_subscribe_kernel_size < subscribe_min) {
 		savederrno = ERANGE;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP,
 			"No kernel support for the necessary notifications: struct sctp_event_subscribe is %u bytes, %u needed",
 			handle_info->event_subscribe_kernel_size, subscribe_min);
 		return savederrno;
 	}
 	events = malloc(handle_info->event_subscribe_kernel_size);
 	if (!events) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP,
 			"Failed to allocate event subscribe buffer: %s", strerror(savederrno));
 		return savederrno;
 	}
 	memset(events, 0, handle_info->event_subscribe_kernel_size);
 	events->sctp_data_io_event = 1;
 	events->sctp_association_event = 1;
 	events->sctp_address_event = 1;
 	events->sctp_send_failure_event = 1;
 	events->sctp_peer_error_event = 1;
 	events->sctp_shutdown_event = 1;
 	handle_info->event_subscribe_buffer = (char *)events;
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Size of struct sctp_event_subscribe is %u in kernel, %zu in user space",
 		  handle_info->event_subscribe_kernel_size, sizeof(struct sctp_event_subscribe));
 	return 0;
 }
 
 int sctp_transport_init(knet_handle_t knet_h)
 {
 	int err = 0, savederrno = 0;
 	sctp_handle_info_t *handle_info;
 	struct epoll_event ev;
 
 	if (knet_h->transports[KNET_TRANSPORT_SCTP]) {
 		errno = EEXIST;
 		return -1;
 	}
 
 	handle_info = malloc(sizeof(sctp_handle_info_t));
 	if (!handle_info) {
 		return -1;
 	}
 
 	memset(handle_info, 0,sizeof(sctp_handle_info_t));
 
 	knet_h->transports[KNET_TRANSPORT_SCTP] = handle_info;
 
 	savederrno = _sctp_subscribe_init(knet_h);
 	if (savederrno) {
 		err = -1;
 		goto exit_fail;
 	}
 
 	qb_list_init(&handle_info->listen_links_list);
 	qb_list_init(&handle_info->connect_links_list);
 
 	handle_info->listen_epollfd = epoll_create(KNET_EPOLL_MAX_EVENTS + 1);
 	if (handle_info->listen_epollfd < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to create epoll listen fd: %s",
 			strerror(savederrno));
 		goto exit_fail;
         }
 
 	if (_fdset_cloexec(handle_info->listen_epollfd)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set CLOEXEC on listen_epollfd: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	handle_info->connect_epollfd = epoll_create(KNET_EPOLL_MAX_EVENTS + 1);
         if (handle_info->connect_epollfd < 0) {
                 savederrno = errno;
 		err = -1;
                 log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to create epoll connect fd: %s",
                         strerror(savederrno));
                 goto exit_fail;
         }
 
 	if (_fdset_cloexec(handle_info->connect_epollfd)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to set CLOEXEC on connect_epollfd: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	if (_init_socketpair(knet_h, handle_info->connectsockfd) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to init connect socketpair: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = handle_info->connectsockfd[0];
 	if (epoll_ctl(handle_info->connect_epollfd, EPOLL_CTL_ADD, handle_info->connectsockfd[0], &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to add connectsockfd[0] to connect epoll pool: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	if (_init_socketpair(knet_h, handle_info->listensockfd) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to init listen socketpair: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = handle_info->listensockfd[0];
 	if (epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_ADD, handle_info->listensockfd[0], &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to add listensockfd[0] to listen epoll pool: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	/*
 	 * Start connect & listener threads
 	 */
 	set_thread_status(knet_h, KNET_THREAD_SCTP_LISTEN, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&handle_info->listen_thread, 0, _sctp_listen_thread, (void *) knet_h);
 	if (savederrno) {
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to start sctp listen thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_SCTP_CONN, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&handle_info->connect_thread, 0, _sctp_connect_thread, (void *) knet_h);
 	if (savederrno) {
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to start sctp connect thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 exit_fail:
 	if (err < 0) {
 		sctp_transport_free(knet_h);
 	}
 	errno = savederrno;
 	return err;
 }
 
 int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
 {
 	kn_link->outsock = sockfd;
 	kn_link->status.dynconnected = 1;
 	kn_link->transport_connected = 1;
 	return 0;
 }
-
-int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
-{
-	sctp_connect_link_info_t *this_link_info = kn_link->transport_link;
-	sctp_listen_link_info_t *info = this_link_info->listener;
-	return info->listen_sock;
-}
 #endif
diff --git a/libknet/transport_sctp.h b/libknet/transport_sctp.h
index 74f6023a..b60b038e 100644
--- a/libknet/transport_sctp.h
+++ b/libknet/transport_sctp.h
@@ -1,39 +1,38 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include "internals.h"
 
 #ifndef __KNET_TRANSPORT_SCTP_H__
 #define __KNET_TRANSPORT_SCTP_H__
 
 /*
  * https://en.wikipedia.org/wiki/SCTP_packet_structure
  */
 
 #define KNET_PMTUD_SCTP_OVERHEAD_COMMON 12
 #define KNET_PMTUD_SCTP_OVERHEAD_DATA_CHUNK 16
 #define KNET_PMTUD_SCTP_OVERHEAD KNET_PMTUD_SCTP_OVERHEAD_COMMON + KNET_PMTUD_SCTP_OVERHEAD_DATA_CHUNK
 
 #ifdef HAVE_NETINET_SCTP_H
 
 int sctp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int sctp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int sctp_transport_free(knet_handle_t knet_h);
 int sctp_transport_init(knet_handle_t knet_h);
 int sctp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int sctp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int sctp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
 int sctp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
-int sctp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
 int sctp_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link);
 
 #endif
 
 #endif
diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
index 7bdd5f18..482c99b1 100644
--- a/libknet/transport_udp.c
+++ b/libknet/transport_udp.c
@@ -1,445 +1,440 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <stdlib.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #if defined (IP_RECVERR) || defined (IPV6_RECVERR)
 #include <linux/errqueue.h>
 #endif
 
 #include "libknet.h"
 #include "compat.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "common.h"
 #include "netutils.h"
 #include "transport_common.h"
 #include "transport_udp.h"
 #include "transports.h"
 #include "threads_common.h"
 
 typedef struct udp_handle_info {
 	struct qb_list_head links_list;
 } udp_handle_info_t;
 
 typedef struct udp_link_info {
 	struct qb_list_head list;
 	struct sockaddr_storage local_address;
 	int socket_fd;
 	int on_epoll;
 } udp_link_info_t;
 
 int udp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	int sock = -1;
 	struct epoll_event ev;
 	udp_link_info_t *info;
 	udp_handle_info_t *handle_info = knet_h->transports[KNET_TRANSPORT_UDP];
 #if defined (IP_RECVERR) || defined (IPV6_RECVERR)
 	int value;
 #endif
 
 	/*
 	 * Only allocate a new link if the local address is different
 	 */
 	qb_list_for_each_entry(info, &handle_info->links_list, list) {
 		if (memcmp(&info->local_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
 			log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Re-using existing UDP socket for new link");
 			kn_link->outsock = info->socket_fd;
 			kn_link->transport_link = info;
 			kn_link->transport_connected = 1;
 			return 0;
 		}
 	}
 
 	info = malloc(sizeof(udp_link_info_t));
 	if (!info) {
 		err = -1;
 		goto exit_error;
 	}
 	memset(info, 0, sizeof(udp_link_info_t));
 
 	sock = socket(kn_link->src_addr.ss_family, SOCK_DGRAM, 0);
 	if (sock < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to create listener socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	if (_configure_transport_socket(knet_h, sock, &kn_link->src_addr, kn_link->flags, "UDP") < 0) {
 		savederrno = errno;
 		err = -1;
 		goto exit_error;
 	}
 
 #ifdef IP_RECVERR
 	if (kn_link->src_addr.ss_family == AF_INET) {
 		value = 1;
 		if (setsockopt(sock, SOL_IP, IP_RECVERR, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to set RECVERR on socket: %s",
 				strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSP_UDP, "IP_RECVERR enabled on socket: %i", sock);
 	}
 #else
 	log_debug(knet_h, KNET_SUB_TRANSP_UDP, "IP_RECVERR not available in this build/platform");
 #endif
 #ifdef IPV6_RECVERR
 	if (kn_link->src_addr.ss_family == AF_INET6) {
 		value = 1;
 		if (setsockopt(sock, SOL_IPV6, IPV6_RECVERR, &value, sizeof(value)) <0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to set RECVERR on socket: %s",
 				strerror(savederrno));
 			goto exit_error;
 		}
 		log_debug(knet_h, KNET_SUB_TRANSP_UDP, "IPV6_RECVERR enabled on socket: %i", sock);
 	}
 #else
 	log_debug(knet_h, KNET_SUB_TRANSP_UDP, "IPV6_RECVERR not available in this build/platform");
 #endif
 
 	if (bind(sock, (struct sockaddr *)&kn_link->src_addr, sockaddr_len(&kn_link->src_addr))) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to bind listener socket: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = sock;
 
 	if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_ADD, sock, &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to add listener to epoll pool: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	info->on_epoll = 1;
 
-	if (_set_fd_tracker(knet_h, sock, KNET_TRANSPORT_UDP, 0, info) < 0) {
+	if (_set_fd_tracker(knet_h, sock, KNET_TRANSPORT_UDP, 0, sockaddr_len(&kn_link->src_addr), info) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to set fd tracker: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	memmove(&info->local_address, &kn_link->src_addr, sizeof(struct sockaddr_storage));
 	info->socket_fd = sock;
 	qb_list_add(&info->list, &handle_info->links_list);
 
 	kn_link->outsock = sock;
 	kn_link->transport_link = info;
 	kn_link->transport_connected = 1;
 
 exit_error:
 	if (err) {
 		if (info) {
 			if (info->on_epoll) {
 				epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_DEL, sock, &ev);
 			}
 			free(info);
 		}
 		if (sock >= 0) {
 			close(sock);
 		}
 	}
 	errno = savederrno;
 	return err;
 }
 
 int udp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	int err = 0, savederrno = 0;
 	int found = 0;
 	struct knet_host *host;
 	int link_idx;
 	udp_link_info_t *info = kn_link->transport_link;
 	struct epoll_event ev;
 
 	for (host = knet_h->host_head; host != NULL; host = host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if (&host->link[link_idx] == kn_link)
 				continue;
 
 			if (host->link[link_idx].transport_link == info) {
 				found = 1;
 				break;
 			}
 		}
 	}
 
 	if (found) {
 		log_debug(knet_h, KNET_SUB_TRANSP_UDP, "UDP socket %d still in use", info->socket_fd);
 		savederrno = EBUSY;
 		err = -1;
 		goto exit_error;
 	}
 
 	if (info->on_epoll) {
 		memset(&ev, 0, sizeof(struct epoll_event));
 		ev.events = EPOLLIN;
 		ev.data.fd = info->socket_fd;
 
 		if (epoll_ctl(knet_h->recv_from_links_epollfd, EPOLL_CTL_DEL, info->socket_fd, &ev) < 0) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to remove UDP socket from epoll poll: %s",
 				strerror(errno));
 			goto exit_error;
 		}
 		info->on_epoll = 0;
 	}
 
-	if (_set_fd_tracker(knet_h, info->socket_fd, KNET_MAX_TRANSPORTS, 0, NULL) < 0) {
+	if (_set_fd_tracker(knet_h, info->socket_fd, KNET_MAX_TRANSPORTS, 0, sockaddr_len(&kn_link->src_addr), NULL) < 0) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Unable to set fd tracker: %s",
 			strerror(savederrno));
 		goto exit_error;
 	}
 
 	close(info->socket_fd);
 	qb_list_del(&info->list);
 	free(kn_link->transport_link);
 
 exit_error:
 	errno = savederrno;
 	return err;
 }
 
 int udp_transport_free(knet_handle_t knet_h)
 {
 	udp_handle_info_t *handle_info;
 
 	if (!knet_h->transports[KNET_TRANSPORT_UDP]) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	handle_info = knet_h->transports[KNET_TRANSPORT_UDP];
 
 	/*
 	 * keep it here while we debug list usage and such
 	 */
 	if (!qb_list_empty(&handle_info->links_list)) {
 		log_err(knet_h, KNET_SUB_TRANSP_UDP, "Internal error. handle list is not empty");
 		return -1;
 	}
 
 	free(handle_info);
 
 	knet_h->transports[KNET_TRANSPORT_UDP] = NULL;
 
 	return 0;
 }
 
 int udp_transport_init(knet_handle_t knet_h)
 {
 	udp_handle_info_t *handle_info;
 
 	if (knet_h->transports[KNET_TRANSPORT_UDP]) {
 		errno = EEXIST;
 		return -1;
 	}
 
 	handle_info = malloc(sizeof(udp_handle_info_t));
 	if (!handle_info) {
 		return -1;
 	}
 
 	memset(handle_info, 0, sizeof(udp_handle_info_t));
 
 	knet_h->transports[KNET_TRANSPORT_UDP] = handle_info;
 
 	qb_list_init(&handle_info->links_list);
 
 	return 0;
 }
 
 #if defined (IP_RECVERR) || defined (IPV6_RECVERR)
 static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
 {
 	int err = 0, savederrno = 0;
 	int got_err = 0;
 	char buffer[1024];
 	struct iovec iov;
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct sock_extended_err *sock_err;
 	struct icmphdr icmph;
 	struct sockaddr_storage remote;
 	struct sockaddr_storage *origin;
 	char addr_str[KNET_MAX_HOST_LEN];
 	char port_str[KNET_MAX_PORT_LEN];
 	char addr_remote_str[KNET_MAX_HOST_LEN];
 	char port_remote_str[KNET_MAX_PORT_LEN];
 
 	iov.iov_base = &icmph;
 	iov.iov_len = sizeof(icmph);
 	msg.msg_name = (void*)&remote;
 	msg.msg_namelen = sizeof(remote);
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 	msg.msg_control = buffer;
 	msg.msg_controllen = sizeof(buffer);
 
 	for (;;) {
 		err = recvmsg(sockfd, &msg, MSG_ERRQUEUE);
 		savederrno = errno;
 		if (err < 0) {
 			if (!got_err) {
 				errno = savederrno;
 				return -1;
 			} else {
 				return 0;
 			}
 		}
 		got_err = 1;
 		for (cmsg = CMSG_FIRSTHDR(&msg);cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
 			if (((cmsg->cmsg_level == SOL_IP) && (cmsg->cmsg_type == IP_RECVERR)) ||
 			    ((cmsg->cmsg_level == SOL_IPV6 && (cmsg->cmsg_type == IPV6_RECVERR)))) {
 				sock_err = (struct sock_extended_err*)(void *)CMSG_DATA(cmsg);
 				if (sock_err) {
 					switch (sock_err->ee_origin) {
 						case SO_EE_ORIGIN_NONE: /* no origin */
 						case SO_EE_ORIGIN_LOCAL: /* local source (EMSGSIZE) */
 							if (sock_err->ee_errno == EMSGSIZE) {
 								if (pthread_mutex_lock(&knet_h->kmtu_mutex) != 0) {
 									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Unable to get mutex lock");
 									knet_h->kernel_mtu = 0;
 									break;
 								} else {
 									knet_h->kernel_mtu = sock_err->ee_info;
 									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "detected kernel MTU: %u", knet_h->kernel_mtu);
 									pthread_mutex_unlock(&knet_h->kmtu_mutex);
 								}
 
 								force_pmtud_run(knet_h, KNET_SUB_TRANSP_UDP, 0);
 							}
 							/*
 							 * those errors are way too noisy
 							 */
 							break;
 						case SO_EE_ORIGIN_ICMP:  /* ICMP */
 						case SO_EE_ORIGIN_ICMP6: /* ICMP6 */
 							origin = (struct sockaddr_storage *)(void *)SO_EE_OFFENDER(sock_err);
 							if (knet_addrtostr(origin, sizeof(*origin),
 									   addr_str, KNET_MAX_HOST_LEN,
 									   port_str, KNET_MAX_PORT_LEN) < 0) {
 								log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from unknown source: %s", strerror(sock_err->ee_errno));
 
 							} else {
 								if (knet_addrtostr(&remote, sizeof(remote),
 									       addr_remote_str, KNET_MAX_HOST_LEN,
 									       port_remote_str, KNET_MAX_PORT_LEN) < 0) {
 									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s destination unknown", addr_str, strerror(sock_err->ee_errno));
 								} else {
 									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Received ICMP error from %s: %s %s", addr_str, strerror(sock_err->ee_errno), addr_remote_str);
 								}
 							}
 							break;
 					}
 				} else {
 					log_debug(knet_h, KNET_SUB_TRANSP_UDP, "No data in MSG_ERRQUEUE");
 				}
 			}
 		}
 	}
 }
 #else
 static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)
 {
 	return 0;
 }
 #endif
 
 int udp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	if (recv_errno == EAGAIN) {
 		read_errs_from_sock(knet_h, sockfd);
 	}
 	return 0;
 }
 
 int udp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno)
 {
 	if (recv_err < 0) {
 		if (recv_errno == EMSGSIZE) {
 			read_errs_from_sock(knet_h, sockfd);
 			return 0;
 		}
 		if ((recv_errno == EINVAL) || (recv_errno == EPERM) ||
 		    (recv_errno == ENETUNREACH) || (recv_errno == ENETDOWN)) {
 #ifdef DEBUG
 			if ((recv_errno == ENETUNREACH) || (recv_errno == ENETDOWN)) {
 				log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Sock: %d is unreachable.", sockfd);
 			}
 #endif
 			return -1;
 		}
 		if ((recv_errno == ENOBUFS) || (recv_errno == EAGAIN)) {
 #ifdef DEBUG
 			log_debug(knet_h, KNET_SUB_TRANSP_UDP, "Sock: %d is overloaded. Slowing TX down", sockfd);
 #endif
 			usleep(KNET_THREADS_TIMERES / 16);
 		} else {
 			read_errs_from_sock(knet_h, sockfd);
 		}
 		return 1;
 	}
 
 	return 0;
 }
 
 int udp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	if (msg->msg_len == 0)
 		return KNET_TRANSPORT_RX_NOT_DATA_CONTINUE;
 
 	return KNET_TRANSPORT_RX_IS_DATA;
 }
 
 int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
 {
 	kn_link->status.dynconnected = 1;
 	return 0;
 }
 
-int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
-{
-	return kn_link->outsock;
-}
-
 int udp_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	return 0;
 }
diff --git a/libknet/transport_udp.h b/libknet/transport_udp.h
index 69a84995..40d162a8 100644
--- a/libknet/transport_udp.h
+++ b/libknet/transport_udp.h
@@ -1,29 +1,28 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include "internals.h"
 
 #ifndef __KNET_TRANSPORT_UDP_H__
 #define __KNET_TRANSPORT_UDP_H__
 
 #define KNET_PMTUD_UDP_OVERHEAD 8
 
 int udp_transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int udp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int udp_transport_free(knet_handle_t knet_h);
 int udp_transport_init(knet_handle_t knet_h);
 int udp_transport_rx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int udp_transport_tx_sock_error(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 int udp_transport_rx_is_data(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
 int udp_transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
-int udp_transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
 int udp_transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link);
 
 #endif
diff --git a/libknet/transports.c b/libknet/transports.c
index 2f18ec81..a113d5f2 100644
--- a/libknet/transports.c
+++ b/libknet/transports.c
@@ -1,295 +1,290 @@
 /*
  * Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
 #include <pthread.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 
 #include "libknet.h"
 #include "compat.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "common.h"
 #include "transports.h"
 #include "transport_loopback.h"
 #include "transport_udp.h"
 #include "transport_sctp.h"
 #include "threads_common.h"
 
-#define empty_module 0, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+#define empty_module 0, -1, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
 
 static knet_transport_ops_t transport_modules_cmd[KNET_MAX_TRANSPORTS] = {
-	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_link_get_acl_fd, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data, loopback_transport_link_is_down },
-	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_link_get_acl_fd, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data, udp_transport_link_is_down },
+	{ "LOOPBACK", KNET_TRANSPORT_LOOPBACK, 1, TRANSPORT_PROTO_LOOPBACK, USE_NO_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_LOOPBACK_OVERHEAD, loopback_transport_init, loopback_transport_free, loopback_transport_link_set_config, loopback_transport_link_clear_config, loopback_transport_link_dyn_connect, loopback_transport_rx_sock_error, loopback_transport_tx_sock_error, loopback_transport_rx_is_data, loopback_transport_link_is_down },
+	{ "UDP", KNET_TRANSPORT_UDP, 1, TRANSPORT_PROTO_IP_PROTO, USE_GENERIC_ACL, TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED, KNET_PMTUD_UDP_OVERHEAD, udp_transport_init, udp_transport_free, udp_transport_link_set_config, udp_transport_link_clear_config, udp_transport_link_dyn_connect, udp_transport_rx_sock_error, udp_transport_tx_sock_error, udp_transport_rx_is_data, udp_transport_link_is_down },
 	{ "SCTP", KNET_TRANSPORT_SCTP,
 #ifdef HAVE_NETINET_SCTP_H
-				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_link_get_acl_fd, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data, sctp_transport_link_is_down },
+				       1, TRANSPORT_PROTO_IP_PROTO, USE_PROTO_ACL, TRANSPORT_PROTO_IS_CONNECTION_ORIENTED, KNET_PMTUD_SCTP_OVERHEAD, sctp_transport_init, sctp_transport_free, sctp_transport_link_set_config, sctp_transport_link_clear_config, sctp_transport_link_dyn_connect, sctp_transport_rx_sock_error, sctp_transport_tx_sock_error, sctp_transport_rx_is_data, sctp_transport_link_is_down },
 #else
 empty_module
 #endif
 	{ NULL, KNET_MAX_TRANSPORTS, empty_module
 };
 
 /*
  * transport wrappers
  */
 
 int start_all_transports(knet_handle_t knet_h)
 {
 	int idx = 0, savederrno = 0, err = 0;
 
 	while (transport_modules_cmd[idx].transport_name != NULL) {
 		if (transport_modules_cmd[idx].built_in) {
 			if (transport_modules_cmd[idx].transport_init(knet_h) < 0) {
 				savederrno = errno;
 				log_err(knet_h, KNET_SUB_HANDLE,
 					"Failed to allocate transport handle for %s: %s",
 					transport_modules_cmd[idx].transport_name,
 					strerror(savederrno));
 				err = -1;
 				goto out;
 			}
 		}
 		idx++;
 	}
 
 out:
 	errno = savederrno;
 	return err;
 }
 
 void stop_all_transports(knet_handle_t knet_h)
 {
 	int idx = 0;
 
 	while (transport_modules_cmd[idx].transport_name != NULL) {
 		if (transport_modules_cmd[idx].built_in) {
 			transport_modules_cmd[idx].transport_free(knet_h);
 		}
 		idx++;
 	}
 }
 
 int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, uint8_t transport)
 {
 	if (!transport_modules_cmd[transport].built_in) {
 		errno = EINVAL;
 		return -1;
 	}
 	kn_link->transport_connected = 0;
 	kn_link->transport = transport;
 	kn_link->proto_overhead = transport_modules_cmd[transport].transport_mtu_overhead;
 	return transport_modules_cmd[transport].transport_link_set_config(knet_h, kn_link);
 }
 
 int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	return transport_modules_cmd[kn_link->transport].transport_link_clear_config(knet_h, kn_link);
 }
 
 int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link)
 {
 	return transport_modules_cmd[kn_link->transport].transport_link_dyn_connect(knet_h, sockfd, kn_link);
 }
 
-int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link)
-{
-	return transport_modules_cmd[kn_link->transport].transport_link_get_acl_fd(knet_h, kn_link);
-}
-
 int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
 {
 	return transport_modules_cmd[transport].transport_rx_sock_error(knet_h, sockfd, recv_err, recv_errno);
 }
 
 int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno)
 {
 	return transport_modules_cmd[transport].transport_tx_sock_error(knet_h, sockfd, recv_err, recv_errno);
 }
 
 int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg)
 {
 	return transport_modules_cmd[transport].transport_rx_is_data(knet_h, sockfd, msg);
 }
 
 int transport_get_proto(knet_handle_t knet_h, uint8_t transport)
 {
 	return transport_modules_cmd[transport].transport_protocol;
 }
 
 int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport)
 {
 	return transport_modules_cmd[transport].transport_acl_type;
 }
 
 int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport)
 {
 	return transport_modules_cmd[transport].transport_is_connection_oriented;
 }
 
 int transport_link_is_down(knet_handle_t knet_h, struct knet_link *kn_link)
 {
 	return transport_modules_cmd[kn_link->transport].transport_link_is_down(knet_h, kn_link);
 }
 
 /*
  * public api
  */
 
 int knet_get_transport_list(struct knet_transport_info *transport_list,
 			    size_t *transport_list_entries)
 {
 	int err = 0;
 	int idx = 0;
 	int outidx = 0;
 
 	if (!transport_list_entries) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	while (transport_modules_cmd[idx].transport_name != NULL) {
 		if (transport_modules_cmd[idx].built_in) {
 			if (transport_list) {
 				transport_list[outidx].name = transport_modules_cmd[idx].transport_name;
 				transport_list[outidx].id = transport_modules_cmd[idx].transport_id;
 			}
 			outidx++;
 		}
 		idx++;
 	}
 
 	*transport_list_entries = outidx;
 
 	if (!err)
 		errno = 0;
 	return err;
 }
 
 const char *knet_get_transport_name_by_id(uint8_t transport)
 {
 	int savederrno = 0;
 	const char *name = NULL;
 
 	if (transport == KNET_MAX_TRANSPORTS) {
 		errno = EINVAL;
 		return name;
 	}
 
 	if ((transport_modules_cmd[transport].transport_name) &&
 	    (transport_modules_cmd[transport].built_in)) {
 		name = transport_modules_cmd[transport].transport_name;
 	} else {
 		savederrno = ENOENT;
 	}
 
 	errno = name ? 0 : savederrno;
 	return name;
 }
 
 uint8_t knet_get_transport_id_by_name(const char *name)
 {
 	int savederrno = 0;
 	uint8_t err = KNET_MAX_TRANSPORTS;
 	int i, found;
 
 	if (!name) {
 		errno = EINVAL;
 		return err;
 	}
 
 	i = 0;
 	found = 0;
 	while (transport_modules_cmd[i].transport_name != NULL) {
 		if (transport_modules_cmd[i].built_in) {
 			if (!strcmp(transport_modules_cmd[i].transport_name, name)) {
 				err = transport_modules_cmd[i].transport_id;
 				found = 1;
 				break;
 			}
 		}
 		i++;
 	}
 
 	if (!found) {
 		savederrno = EINVAL;
 	}
 
 	errno = err == KNET_MAX_TRANSPORTS ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_set_transport_reconnect_interval(knet_handle_t knet_h, uint32_t msecs)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!msecs) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (msecs < 1000) {
 		log_warn(knet_h, KNET_SUB_HANDLE, "reconnect internval below 1 sec (%u msecs) might be too aggressive", msecs);
 	}
 
 	if (msecs > 60000) {
 		log_warn(knet_h, KNET_SUB_HANDLE, "reconnect internval above 1 minute (%u msecs) could cause long delays in network convergiance", msecs);
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->reconnect_int = msecs;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_get_transport_reconnect_interval(knet_handle_t knet_h, uint32_t *msecs)
 {
 	int savederrno = 0;
 
 	if (!_is_valid_handle(knet_h)) {
 		return -1;
 	}
 
 	if (!msecs) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*msecs = knet_h->reconnect_int;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = 0;
 	return 0;
 }
diff --git a/libknet/transports.h b/libknet/transports.h
index 7dfe63ee..6626ec25 100644
--- a/libknet/transports.h
+++ b/libknet/transports.h
@@ -1,34 +1,33 @@
 /*
  * Copyright (C) 2016-2021 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_TRANSPORTS_H__
 #define __KNET_TRANSPORTS_H__
 
 #define KNET_TRANSPORT_RX_ERROR -1
 #define KNET_TRANSPORT_RX_NOT_DATA_CONTINUE 0
 #define KNET_TRANSPORT_RX_NOT_DATA_STOP 1
 #define KNET_TRANSPORT_RX_IS_DATA 2
 #define KNET_TRANSPORT_RX_OOB_DATA_CONTINUE 3
 #define KNET_TRANSPORT_RX_OOB_DATA_STOP 4
 
 int start_all_transports(knet_handle_t knet_h);
 void stop_all_transports(knet_handle_t knet_h);
 
 int transport_link_set_config(knet_handle_t knet_h, struct knet_link *kn_link, uint8_t transport);
 int transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_link);
 int transport_link_dyn_connect(knet_handle_t knet_h, int sockfd, struct knet_link *kn_link);
-int transport_link_get_acl_fd(knet_handle_t knet_h, struct knet_link *kn_link);
 int transport_rx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
 int transport_tx_sock_error(knet_handle_t knet_h, uint8_t transport, int sockfd, int recv_err, int recv_errno);
 int transport_rx_is_data(knet_handle_t knet_h, uint8_t transport, int sockfd, struct knet_mmsghdr *msg);
 int transport_get_proto(knet_handle_t knet_h, uint8_t transport);
 int transport_get_acl_type(knet_handle_t knet_h, uint8_t transport);
 int transport_get_connection_oriented(knet_handle_t knet_h, uint8_t transport);
 int transport_link_is_down(knet_handle_t knet_h, struct knet_link *link);
 
 #endif
diff --git a/libnozzle/libnozzle.h b/libnozzle/libnozzle.h
index d8e644a1..dae44e1a 100644
--- a/libnozzle/libnozzle.h
+++ b/libnozzle/libnozzle.h
@@ -1,333 +1,346 @@
 /*
  * Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __LIBNOZZLE_H__
 #define __LIBNOZZLE_H__
 
 #include <sys/types.h>
 #include <net/if.h>
 
 /**
  *
  * @file libnozzle.h
  * @brief tap interfaces management API include file
  * @copyright Copyright (C) 2010-2021 Red Hat, Inc.  All rights reserved.
  *
  * nozzle is a commodity library to manage tap (ethernet) interfaces
  */
 
+/**
+ * An opaque handle returned from nozzle_open(), this should be
+ * passed into all other nozzle API calls and closed with nozzle_close()
+ * when finished with.
+ */
 typedef struct nozzle_iface *nozzle_t;
 
 /**
  * nozzle_open
  *
  * @brief create a new tap device on the system.
  *
  * devname - pointer to device name of at least size IFNAMSIZ.
  *           if the dev strlen is 0, then the system will assign a name automatically.
  *           if a string is specified, the system will try to create a device with
  *           the specified name.
  *           NOTE: on FreeBSD the tap device names can only be tapX where X is a
  *           number from 0 to 255. On Linux such limitation does not apply.
  *           The name must be unique to the system. If an interface with the same
  *           name is already configured on the system, an error will be returned.
  *
  * devname_size - length of the buffer provided in dev (has to be at least IFNAMSIZ).
  *
  * updownpath - nozzle supports the typical filesystem structure to execute
  *              actions for: down.d  post-down.d  pre-up.d  up.d
  *              in the form of:
- *              updownpath/<action>/<interface_name>
+ *              updownpath/\<action\>/\<interface_name\>
  *              updownpath specifies where to find those directories on the
  *              filesystem and it must be an absolute path.
  *
  * @return
  * nozzle_open returns
  * a pointer to a nozzle struct on success
  * NULL on error and errno is set.
  */
 
 nozzle_t nozzle_open(char *devname, size_t devname_size, const char *updownpath);
 
 /**
  * nozzle_close
  *
  * @brief deconfigure and destroy a nozzle device
  *
  * nozzle - pointer to the nozzle struct to destroy
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_close(nozzle_t nozzle);
 
 
 #define NOZZLE_PREUP    0
 #define NOZZLE_UP       1
 #define NOZZLE_DOWN     2
 #define NOZZLE_POSTDOWN 3
 
 /**
  * nozzle_run_updown
  *
  * @brief execute updown commands associated with a nozzle device.
  *
  * nozzle - pointer to the nozzle struct
  *
  * action - pre-up.d / up.d / down.d / post-down.d (see defines above)
  *
  * exec_string - pointers to string to record executing action stdout/stderr.
  *               The string is malloc'ed, the caller needs to free the buffer.
  *               If the script generates no output this string might be NULL.
  *
  * It is the application responsibility to call helper scripts
  * before or after creating/destroying interfaces or IP addresses.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set (sanity checks and internal calls.
  * -2 on error from executing the shell scripts, and no errno is set.
  */
 
 int nozzle_run_updown(const nozzle_t nozzle, uint8_t action, char **exec_string);
 
 /**
  * nozzle_set_up
  *
  * @brief equivalent of ifconfig up
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_set_up(nozzle_t nozzle);
 
 /**
  * nozzle_set_down
  *
  * @brief equivalent of ifconfig down
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_set_down(nozzle_t nozzle);
 
 /**
  * nozzle_add_ip
  *
  * @brief equivalent of ip addr or ifconfig <ipaddress/prefix>
  *
  * nozzle - pointer to the nozzle struct
  *
  * ipaddr - string containing either an IPv4 or an IPv6 address.
  *          Please note that Linux will automatically remove any IPv6 addresses from an interface
  *          with MTU < 1280. libnozzle will cache those IPs and re-instate them when MTU is > 1280.
  *          MTU must be set via nozzle_set_mtu for IPv6 to be re-instated.
  *
  * prefix - 24, 64 or any valid network prefix for the requested address.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_add_ip(nozzle_t nozzle, const char *ipaddr, const char *prefix);
 
 /**
  * nozzle_del_ip
  *
  * @brief equivalent of ip addr del or ifconfig del <ipaddress/prefix>
  *
  * nozzle - pointer to the nozzle struct
  *
  * ipaddr - string containing either an IPv4 or an IPv6 address.
  *
  * prefix - 24, 64 or any valid network prefix for the requested address.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_del_ip(nozzle_t nozzle, const char *ipaddr, const char *prefix);
 
 
 #define IPADDR_CHAR_MAX	128
 #define PREFIX_CHAR_MAX	  4
 
+/**
+ * Info about an IP address on a nozzle interface
+ * as returned from nozzle_get_ips
+ */
 struct nozzle_ip {
+	/** The IP address */
 	char ipaddr[IPADDR_CHAR_MAX + 1];
+	/** Prefix - eg "24" */
 	char prefix[PREFIX_CHAR_MAX + 1];
-	int  domain;	/* AF_INET or AF_INET6 */
+	/** AF_INET or AF_INET6 */
+	int  domain;
+	/** Pointer to next struct or NULL */
 	struct nozzle_ip *next;
 };
 
 /**
  * nozzle_get_ips
  *
  * @brief retrieve the list of all configured ips for a given interface
  *
  * nozzle - pointer to the nozzle struct
  *
  * nozzle_ip - pointer to the head of a list of nozzle_ip structs.
  *             The last IP will have next = NULL.
  *             nozzle_ip can be NULL if there are no IP addresses
  *             associated with this nozzle device.
  *             *DO NOT* free those structs as they are used internally
  *             for IP address tracking.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  *
  */
 
 int nozzle_get_ips(const nozzle_t nozzle, struct nozzle_ip **nozzle_ip);
 
 /**
  * nozzle_get_mtu
  *
  * @brief retrieve mtu on a given nozzle interface
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * MTU on success
  * -1 on error and errno is set.
  */
 
 int nozzle_get_mtu(const nozzle_t nozzle);
 
 /**
  * nozzle_set_mtu
  *
  * @brief set mtu on a given nozzle interface
  *
  * nozzle - pointer to the nozzle struct
  *
  * mtu - new MTU value
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_set_mtu(nozzle_t nozzle, const int mtu);
 
 /**
  * nozzle_reset_mtu
  *
  * @brief reset mtu on a given nozzle interface to the system default
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int nozzle_reset_mtu(nozzle_t nozzle);
 
 /**
  * nozzle_get_mac
  *
  * @brief retrieve mac address on a given nozzle interface
  *
  * nozzle - pointer to the nozzle struct
  *
  * ether_addr - pointers to string containing the current mac address.
  *              The string is malloc'ed, the caller needs to free this buffer.
  * @return
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int nozzle_get_mac(const nozzle_t nozzle, char **ether_addr);
 
 /**
  * nozzle_set_mac
  *
  * @brief set mac address on a given nozzle interface
  *
  * nozzle - pointer to the nozzle struct
  *
  * ether_addr - pointers to string containing the new mac address.
  *
  * @return
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int nozzle_set_mac(nozzle_t nozzle, const char *ether_addr);
 
 /**
  * nozzle_reset_mac
  *
  * @brief reset mac address on a given nozzle interface to system default
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int nozzle_reset_mac(nozzle_t nozzle);
 
 /**
  * nozzle_get_handle_by_name
  *
  * @brief find a nozzle handle by device name
  *
  * devname - string containing the name of the interface
  *
  * @return
  * handle on success.
  * NULL on error and errno is set.
  */
 
 nozzle_t nozzle_get_handle_by_name(const char *devname);
 
 /**
  * nozzle_get_name_by_handle
  *
  * @brief retrieve nozzle interface name by handle
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * pointer to the interface name
  * NULL on error and errno is set.
  */
 
 const char *nozzle_get_name_by_handle(const nozzle_t nozzle);
 
 /**
  * nozzle_get_fd
  *
  * @brief
  *
  * nozzle - pointer to the nozzle struct
  *
  * @return
  * fd associated to a given nozzle on success.
  * -1 on error and errno is set.
  */
 
 int nozzle_get_fd(const nozzle_t nozzle);
 
 #endif
diff --git a/m4/pkg_check_var.m4 b/m4/pkg_check_var.m4
index ae1bf222..fa3f5df3 100644
--- a/m4/pkg_check_var.m4
+++ b/m4/pkg_check_var.m4
@@ -1,14 +1,20 @@
+# Copyright (C) 2020-2021 Red Hat, Inc.  All rights reserved.
+#
+# Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
+#
+# This software licensed under GPL-2.0+
+
 # PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
 # [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
 # -------------------------------------------
 # Retrieves the value of the pkg-config variable for the given module.
 
 m4_ifndef([PKG_CHECK_VAR],
 	  [AC_DEFUN([PKG_CHECK_VAR],
 		    [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
 		     AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
 		     _PKG_CONFIG([$1], [variable="][$3]["], [$2])
 		     AS_VAR_COPY([$1], [pkg_cv_][$1])
 		     AS_VAR_IF([$1], [""], [$5], [$4])dnl
 		    ])# PKG_CHECK_VAR
 ])
diff --git a/man/Makefile.am b/man/Makefile.am
index 7852ef67..2ff160be 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,160 +1,161 @@
 #
 # Copyright (C) 2017-2021 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #          Federico Simoncelli <fsimon@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 MAINTAINERCLEANFILES	= Makefile.in
 
 include $(top_srcdir)/build-aux/check.mk
 
 EXTRA_DIST	= \
 		  api-to-man-page-coverage
 
 # Avoid Automake warnings about overriding these user variables.
 # Programs in this directory are used during the build only.
 AUTOMAKE_OPTIONS = -Wno-gnu
 EXEEXT=$(BUILD_EXEEXT)
 CC=$(CC_FOR_BUILD)
 CFLAGS=$(CFLAGS_FOR_BUILD)
 CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
 LDFLAGS=$(LDFLAGS_FOR_BUILD)
 
 if BUILD_MAN
 
 if BUILD_DOXYXML
 noinst_PROGRAMS	= doxyxml
+noinst_HEADERS  = cstring.h
 
-doxyxml_SOURCES = doxyxml.c
+doxyxml_SOURCES = doxyxml.c cstring.c
 doxyxml_CFLAGS = $(AM_CFLAGS) $(libqb_BUILD_CFLAGS) $(libxml_BUILD_CFLAGS)
 doxyxml_LDADD = $(libqb_BUILD_LIBS) $(libxml_BUILD_LIBS)
 endif
 
 knet_man3_MANS = \
 		knet_addrtostr.3 \
 		knet_handle_add_datafd.3 \
 		knet_handle_clear_stats.3 \
 		knet_handle_compress.3 \
 		knet_handle_crypto.3 \
 		knet_handle_enable_filter.3 \
 		knet_handle_enable_pmtud_notify.3 \
 		knet_handle_enable_sock_notify.3 \
 		knet_handle_free.3 \
 		knet_handle_get_channel.3 \
 		knet_get_compress_list.3 \
 		knet_get_crypto_list.3 \
 		knet_handle_get_datafd.3 \
 		knet_handle_get_stats.3 \
 		knet_get_transport_id_by_name.3 \
 		knet_get_transport_list.3 \
 		knet_get_transport_name_by_id.3 \
 		knet_handle_get_transport_reconnect_interval.3 \
 		knet_handle_new.3 \
 		knet_handle_new_ex.3 \
 		knet_handle_pmtud_get.3 \
 		knet_handle_pmtud_set.3 \
 		knet_handle_pmtud_getfreq.3 \
 		knet_handle_pmtud_setfreq.3 \
 		knet_handle_remove_datafd.3 \
 		knet_handle_setfwd.3 \
 		knet_handle_set_transport_reconnect_interval.3 \
 		knet_host_add.3 \
 		knet_host_enable_status_change_notify.3 \
 		knet_host_get_host_list.3 \
 		knet_host_get_id_by_host_name.3 \
 		knet_host_get_name_by_host_id.3 \
 		knet_host_get_policy.3 \
 		knet_host_get_status.3 \
 		knet_host_remove.3 \
 		knet_host_set_name.3 \
 		knet_host_set_policy.3 \
 		knet_link_clear_config.3 \
 		knet_link_get_config.3 \
 		knet_link_get_enable.3 \
 		knet_link_get_link_list.3 \
 		knet_link_get_ping_timers.3 \
 		knet_link_get_pong_count.3 \
 		knet_link_get_priority.3 \
 		knet_link_get_status.3 \
 		knet_link_set_config.3 \
 		knet_link_set_enable.3 \
 		knet_link_set_ping_timers.3 \
 		knet_link_set_pong_count.3 \
 		knet_link_set_priority.3 \
 		knet_log_get_loglevel.3 \
 		knet_log_get_loglevel_id.3 \
 		knet_log_get_loglevel_name.3 \
 		knet_log_get_subsystem_id.3 \
 		knet_log_get_subsystem_name.3 \
 		knet_log_set_loglevel.3 \
 		knet_recv.3 \
 		knet_send.3 \
 		knet_send_sync.3 \
 		knet_strtoaddr.3 \
 		knet_handle_enable_access_lists.3 \
 		knet_link_add_acl.3 \
 		knet_link_insert_acl.3 \
 		knet_link_rm_acl.3 \
 		knet_link_clear_acl.3 \
 		knet_handle_crypto_set_config.3 \
 		knet_handle_crypto_use_config.3 \
 		knet_handle_crypto_rx_clear_traffic.3
 
 if BUILD_LIBNOZZLE
 nozzle_man3_MANS = \
 		nozzle_add_ip.3 \
 		nozzle_close.3 \
 		nozzle_del_ip.3 \
 		nozzle_get_fd.3 \
 		nozzle_get_handle_by_name.3 \
 		nozzle_get_ips.3 \
 		nozzle_get_mac.3 \
 		nozzle_get_mtu.3 \
 		nozzle_get_name_by_handle.3 \
 		nozzle_open.3 \
 		nozzle_reset_mac.3 \
 		nozzle_reset_mtu.3 \
 		nozzle_run_updown.3 \
 		nozzle_set_down.3 \
 		nozzle_set_mac.3 \
 		nozzle_set_mtu.3 \
 		nozzle_set_up.3
 endif
 
 man3_MANS = $(knet_man3_MANS) $(nozzle_man3_MANS)
 
 $(MANS): doxyfile-knet.stamp doxyfile-nozzle.stamp
 
 doxyfile-knet.stamp: $(noinst_PROGRAMS) Doxyfile-knet $(top_srcdir)/libknet/libknet.h
-	$(DOXYGEN) Doxyfile-knet
+	$(DOXYGEN) Doxyfile-knet 2>&1 | $(EGREP) -v 'warning.*macro definition'
 	$(DOXYGEN2MAN) -m -P -o $(builddir) -s 3 -p @PACKAGE_NAME@ -H "Kronosnet Programmer's Manual" \
 		$$($(UTC_DATE_AT)$(SOURCE_EPOCH) +"-D %F -Y %Y") -d $(builddir)/xml-knet/ libknet_8h.xml
 	touch doxyfile-knet.stamp
 
 doxyfile-nozzle.stamp: $(noinst_PROGRAMS) Doxyfile-nozzle $(top_srcdir)/libnozzle/libnozzle.h
 if BUILD_LIBNOZZLE
-	$(DOXYGEN) Doxyfile-nozzle
+	$(DOXYGEN) Doxyfile-nozzle 2>&1 | $(EGREP) -v 'warning.*macro definition'
 	$(DOXYGEN2MAN) -m -P -o $(builddir) -s 3 -p @PACKAGE_NAME@ -H "Kronosnet Programmer's Manual" \
 		$$($(UTC_DATE_AT)$(SOURCE_EPOCH) +"-D %F -Y %Y") -d $(builddir)/xml-nozzle/ libnozzle_8h.xml
 endif
 	touch doxyfile-nozzle.stamp
 
 noinst_SCRIPTS	= api-to-man-page-coverage
 
 check-local: check-api-to-man-page-coverage-libknet check-api-to-man-page-coverage-libnozzle
 
 check-api-to-man-page-coverage-libnozzle:
 if BUILD_LIBNOZZLE
 	$(srcdir)/api-to-man-page-coverage $(top_srcdir) nozzle
 endif
 
 check-api-to-man-page-coverage-libknet:
 	$(srcdir)/api-to-man-page-coverage $(top_srcdir) knet
 
 endif
 
 clean-local:
 	rm -rf doxyxml doxyfile*.stamp xml* *.3
diff --git a/man/cstring.c b/man/cstring.c
new file mode 100644
index 00000000..23ba31d3
--- /dev/null
+++ b/man/cstring.c
@@ -0,0 +1,131 @@
+/* A really basic expanding/appendable string type */
+
+#include <stdlib.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <assert.h>
+#include <stdio.h>
+#include <limits.h>
+#include <string.h>
+#include <getopt.h>
+#include <errno.h>
+#include "cstring.h"
+
+#define INITIAL_SIZE 1024
+#define INCREMENT    1024
+#define CHECKER_WORD 0xbcd6712a
+
+struct cstring_header
+{
+	size_t checker;
+	size_t allocated;
+	size_t used;
+	char the_string[];
+};
+
+cstring_t cstring_alloc(void)
+{
+	char *cstring = malloc(INITIAL_SIZE);
+	if (cstring) {
+		struct cstring_header *h = (struct cstring_header *)cstring;
+		h->checker = CHECKER_WORD;
+		h->allocated = INITIAL_SIZE;
+		h->used = 0;
+		h->the_string[0] = '\0';
+		return cstring;
+	} else {
+		return NULL;
+	}
+}
+
+char *cstring_to_chars(cstring_t cstring)
+{
+	struct cstring_header *h = (struct cstring_header *)cstring;
+
+	if (!h) {
+		return NULL;
+	}
+
+	assert(h->checker == CHECKER_WORD);
+	return strdup(h->the_string);
+}
+
+size_t cstring_len(cstring_t cstring)
+{
+	struct cstring_header *h = (struct cstring_header *)cstring;
+
+	if (!h) {
+		return 0;
+	}
+
+	assert(h->checker == CHECKER_WORD);
+	return h->used;
+}
+
+
+cstring_t cstring_append_chars(cstring_t cstring, const char *newstring)
+{
+	struct cstring_header *h = (struct cstring_header *)cstring;
+	size_t newlen;
+
+	if (!h) {
+		return NULL;
+	}
+
+	assert(h->checker == CHECKER_WORD);
+	if (!newstring) {
+		return NULL;
+	}
+
+	newlen = h->used + strlen(newstring)+1 + sizeof(struct cstring_header);
+	if (newlen > h->allocated) {
+		size_t new_allocsize = (newlen + 2048) & 0xFFFFFC00;
+		char *tmp = realloc(cstring, new_allocsize);
+		if (!tmp) {
+			return cstring;
+		}
+
+		cstring = tmp;
+		h = (struct cstring_header *)cstring;
+		h->allocated = new_allocsize;
+	}
+	strncat(h->the_string, newstring, h->allocated - h->used -1);
+	h->used += strlen(newstring);
+	return cstring;
+}
+
+cstring_t cstring_append_cstring(cstring_t cstring, cstring_t newstring)
+{
+	/* Just check the newstring - cstring_append_chars() will check the target */
+	struct cstring_header *h = (struct cstring_header *)newstring;
+
+	if (!h) {
+		return NULL;
+	}
+
+	assert(h->checker == CHECKER_WORD);
+	return cstring_append_chars(cstring, h->the_string);
+}
+
+cstring_t cstring_from_chars(const char* chars)
+{
+	cstring_t new_string = cstring_alloc();
+	if (!new_string) {
+		return NULL;
+	}
+	return cstring_append_chars(new_string, chars);
+}
+
+void cstring_free(cstring_t cstring)
+{
+	struct cstring_header *h = (struct cstring_header *)cstring;
+
+	if (!h) {
+		return;
+	}
+	assert(h->checker == CHECKER_WORD);
+	free(cstring);
+}
+
+
diff --git a/man/cstring.h b/man/cstring.h
new file mode 100644
index 00000000..172a4e6b
--- /dev/null
+++ b/man/cstring.h
@@ -0,0 +1,15 @@
+#ifndef __CSTRING_H__
+#define __CSTRING_H__
+
+typedef void* cstring_t;
+
+cstring_t cstring_alloc(void);
+cstring_t cstring_from_chars(const char* chars);
+cstring_t cstring_dup(cstring_t string);
+char *cstring_to_chars(cstring_t cstring);
+cstring_t cstring_append_chars(cstring_t cstring, const char *newstring);
+cstring_t cstring_append_cstring(cstring_t cstring, cstring_t newstring);
+void cstring_free(cstring_t cstring);
+size_t cstring_len(cstring_t cstring);
+
+#endif
diff --git a/man/doxyxml.c b/man/doxyxml.c
index 880734a1..73f705d3 100644
--- a/man/doxyxml.c
+++ b/man/doxyxml.c
@@ -1,1155 +1,1389 @@
 /*
- * Copyright (C) 2018-2020 Red Hat, Inc.  All rights reserved.
+ * Copyright (C) 2018-2021 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under GPL-2.0+
  */
 
 
 /*
  * NOTE: this code is very rough, it does the bare minimum to parse the
  * XML out from doxygen and is probably very fragile to changes in that XML
  * schema. It probably leaks memory all over the place too.
  *
  * In its favour, it *does* generate nice man pages and should only be run very ocasionally
  */
 
 #define _DEFAULT_SOURCE
 #define _BSD_SOURCE
+#define _GNU_SOURCE
 #define _XOPEN_SOURCE
 #define _XOPEN_SOURCE_EXTENDED
 #include <stdlib.h>
 #include <sys/time.h>
 #include <sys/stat.h>
 #include <time.h>
 #include <stdio.h>
 #include <limits.h>
 #include <string.h>
 #include <getopt.h>
 #include <errno.h>
 #include <ctype.h>
 #include <libxml/tree.h>
 #include <qb/qblist.h>
 #include <qb/qbmap.h>
+#include "cstring.h"
 
 /*
  * This isn't a maximum size, it just defines how long a parameter
  * type can get before we decide it's not worth lining everything up.
  * It's mainly to stop function pointer types (which can get VERY long because
  * of all *their* parameters) making everything else 'line-up' over separate lines
  */
 #define LINE_LENGTH 80
 
+/* Similar - but for structure member comments */
+#define STRUCT_COMMENT_LENGTH 50
+
 static int print_ascii = 1;
 static int print_man = 0;
 static int print_params = 0;
 static int print_general = 0;
 static int num_functions = 0;
-static int quiet=0;
+static int quiet = 0;
+static int use_header_copyright = 0;
 static const char *man_section="3";
 static const char *package_name="Package";
 static const char *header="Programmer's Manual";
 static const char *company="Red Hat";
 static const char *output_dir="./";
 static const char *xml_dir = "./xml/";
 static const char *xml_file;
 static const char *manpage_date = NULL;
 static const char *headerfile = NULL;
 static const char *header_prefix = "";
+static const char *header_src_dir = "./";
+static char header_copyright[256] = "\0";
 static long manpage_year = LONG_MIN;
 static long start_year = 2010;
 static struct qb_list_head params_list;
 static struct qb_list_head retval_list;
 static qb_map_t *function_map;
 static qb_map_t *structures_map;
 static qb_map_t *used_structures_map;
 
 struct param_info {
 	char *paramname;
 	char *paramtype;
 	char *paramdesc;
 	struct param_info *next;
 	struct qb_list_head list;
 };
 
 struct struct_info {
 	enum {STRUCTINFO_STRUCT, STRUCTINFO_ENUM} kind;
 	char *structname;
 	char *description;
 	char *brief_description;
 	struct qb_list_head params_list; /* our params */
 	struct qb_list_head list;
 };
 
-static char *get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext);
+static cstring_t get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext, int add_nl);
 static void traverse_node(xmlNode *parentnode, const char *leafname, void (do_members(xmlNode*, void*)), void *arg);
+static cstring_t get_text(xmlNode *cur_node, char **returntext, char **notetext);
+static void man_print_long_string(FILE *manfile, char *text);
 
 static void free_paraminfo(struct param_info *pi)
 {
 	free(pi->paramname);
 	free(pi->paramtype);
 	free(pi->paramdesc);
 	free(pi);
 }
 
 static char *get_attr(xmlNode *node, const char *tag)
 {
 	xmlAttr *this_attr;
 
 	for (this_attr = node->properties; this_attr; this_attr = this_attr->next) {
 		if (this_attr->type == XML_ATTRIBUTE_NODE && strcmp((char *)this_attr->name, tag) == 0) {
 			return strdup((char *)this_attr->children->content);
 		}
 	}
 	return NULL;
 }
 
-static char *get_child(xmlNode *node, const char *tag)
+static cstring_t get_child(xmlNode *node, const char *tag)
 {
-	xmlNode *this_node;
-	xmlNode *child;
-	char buffer[1024] = {'\0'};
+        xmlNode *this_node;
+        xmlNode *child;
+        cstring_t buffer = cstring_alloc();
 	char *refid = NULL;
 	char *declname = NULL;
 
 	for (this_node = node->children; this_node; this_node = this_node->next) {
 		if ((strcmp( (char*)this_node->name, "declname") == 0)) {
 			declname = strdup((char*)this_node->children->content);
 		}
 
 		if ((this_node->type == XML_ELEMENT_NODE && this_node->children) && ((strcmp((char *)this_node->name, tag) == 0))) {
 			refid = NULL;
 			for (child = this_node->children; child; child = child->next) {
 				if (child->content) {
-					strncat(buffer, (char *)child->content, sizeof(buffer)-1);
+					buffer = cstring_append_chars(buffer, (char *)child->content);
 				}
 
 				if ((strcmp( (char*)child->name, "ref") == 0)) {
 					if (child->children->content) {
-						strncat(buffer,(char *)child->children->content, sizeof(buffer)-1);
+						buffer = cstring_append_chars(buffer, (char *)child->children->content);
 					}
 					refid = get_attr(child, "refid");
 				}
 			}
 		}
 		if (declname && refid) {
 			qb_map_put(used_structures_map, refid, declname);
 		}
 	}
-	return strdup(buffer);
+	return buffer;
 }
 
 static struct param_info *find_param_by_name(struct qb_list_head *list, const char *name)
 {
 	struct qb_list_head *iter;
 	struct param_info *pi;
 
 	qb_list_for_each(iter, list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		if (strcmp(pi->paramname, name) == 0) {
 			return pi;
 		}
 	}
 	return NULL;
 }
 
 static int not_all_whitespace(char *string)
 {
 	unsigned int i;
 
 	for (i=0; i<strlen(string); i++) {
 		if (string[i] != ' ' &&
 		    string[i] != '\n' &&
 		    string[i] != '\r' &&
 		    string[i] != '\t')
 			return 1;
 	}
 	return 0;
 }
 
 static void get_param_info(xmlNode *cur_node, struct qb_list_head *list)
 {
 	xmlNode *this_tag;
 	xmlNode *sub_tag;
 	char *paramname = NULL;
 	char *paramdesc = NULL;
 	struct param_info *pi;
 
 	/* This is not robust, and very inflexible */
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		for (sub_tag = this_tag->children; sub_tag; sub_tag = sub_tag->next) {
 			if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameternamelist") == 0 &&
 				sub_tag->children->next->children) {
 				paramname = (char*)sub_tag->children->next->children->content;
 			}
-			if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameterdescription") == 0 &&
+			if (sub_tag->type == XML_ELEMENT_NODE &&
+			    strcmp((char *)sub_tag->name, "parameterdescription") == 0 &&
 			    paramname && sub_tag->children->next->children) {
 				paramdesc = (char*)sub_tag->children->next->children->content;
 
 				/* Add text to the param_map */
 				pi = find_param_by_name(list, paramname);
 				if (pi) {
 					pi->paramdesc = paramdesc;
 				}
 				else {
 					pi = malloc(sizeof(struct param_info));
 					if (pi) {
 						pi->paramname = paramname;
 						pi->paramdesc = paramdesc;
-						pi->paramtype = NULL; /* retval */
+						pi->paramtype = NULL; /* it's a retval */
 						qb_list_add_tail(&pi->list, list);
 					}
 				}
 			}
 		}
 	}
 }
 
-static char *get_text(xmlNode *cur_node, char **returntext, char **notetext)
+static cstring_t get_codeline(xmlNode *this_tag)
+{
+	cstring_t buffer = cstring_alloc();
+	xmlNode *sub_tag;
+
+	for (sub_tag = this_tag; sub_tag; sub_tag = sub_tag->next) {
+		if (strcmp((char*)sub_tag->name, "sp") == 0) {
+			buffer = cstring_append_chars(buffer, " ");
+		}
+		if (strcmp((char*)sub_tag->name, "text") == 0) {
+			// If the line starts with a dot then escape the first one to
+			// stop nroff thinking it's a macro
+			char *tmp = (char*)sub_tag->content;
+			if (tmp[0] == '.') {
+				buffer = cstring_append_chars(buffer, (char*)"\\[char46]");
+				tmp += 1;
+			}
+			buffer = cstring_append_chars(buffer, tmp);
+		}
+		if (strcmp((char*)sub_tag->name, "ref") == 0) {
+			// Handled by the child recusion below
+		}
+		if (sub_tag->children) {
+			char *tmp = get_codeline(sub_tag->children);
+			buffer = cstring_append_cstring(buffer, tmp);
+			cstring_free(tmp);
+		}
+	}
+	return buffer;
+}
+
+static cstring_t get_codetree(xmlNode *cur_node)
+{
+	xmlNode *this_tag;
+	cstring_t buffer = cstring_alloc();
+	cstring_t tmp;
+
+	if (print_man) {
+		buffer = cstring_append_chars(buffer, "\n.nf\n");
+	}
+
+	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
+		if (strcmp((char*)this_tag->name, "codeline") == 0) {
+
+			tmp = get_codeline(this_tag->children);
+			buffer = cstring_append_cstring(buffer, tmp);
+			cstring_free(tmp);
+		}
+		if (strcmp((char*)this_tag->name, "text") == 0) {
+			buffer = cstring_append_chars(buffer, (char*)this_tag->content);
+		}
+	}
+
+	if (print_man) {
+		buffer = cstring_append_chars(buffer, ".fi\n");
+	}
+
+	return buffer;
+}
+
+
+static cstring_t get_text(xmlNode *cur_node, char **returntext, char **notetext)
 {
 	xmlNode *this_tag;
 	xmlNode *sub_tag;
 	char *kind;
-	char buffer[4096] = {'\0'};
+	cstring_t buffer = cstring_alloc();
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (this_tag->type == XML_TEXT_NODE && strcmp((char *)this_tag->name, "text") == 0) {
 			if (not_all_whitespace((char*)this_tag->content)) {
-				strncat(buffer, (char*)this_tag->content, sizeof(buffer)-1);
+				buffer = cstring_append_chars(buffer, (char*)this_tag->content);
 			}
 		}
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "emphasis") == 0) {
 			if (print_man) {
-				strncat(buffer, "\\fB", sizeof(buffer)-1);
+				buffer = cstring_append_chars(buffer, "\\fB");
 			}
-			strncat(buffer, (char*)this_tag->children->content, sizeof(buffer)-1);
+			buffer = cstring_append_chars(buffer, (char*)this_tag->children->content);
 			if (print_man) {
-				strncat(buffer, "\\fR", sizeof(buffer)-1);
+				buffer = cstring_append_chars(buffer, "\\fR");
 			}
 		}
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "ref") == 0) {
 			if (print_man) {
-				strncat(buffer, "\\fI", sizeof(buffer)-1);
+				buffer = cstring_append_chars(buffer, "\\fI");
+			}
+			buffer = cstring_append_chars(buffer, (char*)this_tag->children->content);
+			if (print_man) {
+				buffer = cstring_append_chars(buffer, "\\fR");
+			}
+		}
+		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "computeroutput") == 0) {
+			if (print_man) {
+				buffer = cstring_append_chars(buffer, "\\fB");
 			}
-			strncat(buffer, (char*)this_tag->children->content, sizeof(buffer)-1);
+			buffer = cstring_append_chars(buffer, (char*)this_tag->children->content);
 			if (print_man) {
-				strncat(buffer, "\\fR", sizeof(buffer)-1);
+				buffer = cstring_append_chars(buffer, "\\fP");
 			}
 		}
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "itemizedlist") == 0) {
 			for (sub_tag = this_tag->children; sub_tag; sub_tag = sub_tag->next) {
-				if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "listitem") == 0) {
-					strncat(buffer, (char*)sub_tag->children->children->content, sizeof(buffer)-1);
-					strncat(buffer, "\n", sizeof(buffer)-1);
+				if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "listitem") == 0
+				    && sub_tag->children->children->content) {
+					buffer = cstring_append_chars(buffer, (char*)sub_tag->children->children->content);
+					buffer = cstring_append_chars(buffer, "\n");
 				}
 			}
 		}
 
+		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "programlisting") == 0) {
+			cstring_t tmp = get_codetree(this_tag);
+			buffer = cstring_append_cstring(buffer, tmp);
+			buffer = cstring_append_chars(buffer, "\n");
+			cstring_free(tmp);
+		}
+
 		/* Look for subsections - return value & params */
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "simplesect") == 0) {
-			char *tmp;
+			cstring_t tmp;
 
 			kind = get_attr(this_tag, "kind");
 			tmp = get_text(this_tag->children, NULL, NULL);
 
 			if (returntext && strcmp(kind, "return") == 0) {
-				*returntext = tmp;
+				*returntext = cstring_to_chars(tmp);
 			}
 			if (notetext && strcmp(kind, "note") == 0) {
-				*notetext = tmp;
+				*notetext = cstring_to_chars(tmp);
+			}
+			if (notetext && strcmp(kind, "par") == 0) {
+				int type;
+
+				tmp = get_child(this_tag, "title");
+				buffer = cstring_append_cstring(buffer, tmp);
+				buffer = cstring_append_chars(buffer, "\n");
+				cstring_free(tmp);
+
+				tmp = get_texttree(&type,this_tag, NULL, NULL, 1);
+				buffer = cstring_append_cstring(buffer, tmp);
+				buffer = cstring_append_chars(buffer, "\n");
 			}
+			cstring_free(tmp);
 		}
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "parameterlist") == 0) {
 			kind = get_attr(this_tag, "kind");
 			if (strcmp(kind, "param") == 0) {
 				get_param_info(this_tag, &params_list);
 			}
 			if (strcmp(kind, "retval") == 0) {
 				get_param_info(this_tag, &retval_list);
 			}
 		}
 	}
-	return strdup(buffer);
+	return buffer;
 }
 
 static void read_structname(xmlNode *cur_node, void *arg)
 {
 	struct struct_info *si=arg;
 	xmlNode *this_tag;
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "compoundname") == 0) {
 			si->structname = strdup((char*)this_tag->children->content);
 		}
 	}
 }
 
 static void read_structdesc(xmlNode *cur_node, void *arg)
 {
 	struct struct_info *si=arg;
 	xmlNode *this_tag;
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "detaileddescription") == 0) {
-			char *desc = get_texttree(NULL, this_tag, NULL, NULL);
-			if (desc) {
-				si->description = strdup((char*)desc);
-			}
+			cstring_t desc = get_texttree(NULL, this_tag, NULL, NULL, 1);
+			si->description = cstring_to_chars(desc);
+			cstring_free(desc);
 		}
 		if (strcmp((char*)this_tag->name, "briefdescription") == 0) {
-			char *brief = get_texttree(NULL, this_tag, NULL, NULL);
-			if (brief) {
-				si->brief_description = brief;
-			}
+			cstring_t brief = get_texttree(NULL, this_tag, NULL, NULL, 1);
+			si->brief_description = cstring_to_chars(brief);
 		}
 	}
 }
 
 
 static void read_headername(xmlNode *cur_node, void *arg)
 {
 	char **h_file = arg;
 	xmlNode *this_tag;
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "compoundname") == 0) {
 			*h_file = strdup((char*)this_tag->children->content);
 		}
 	}
 }
 
 
 /* Called from traverse_node() */
 static void read_struct(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	struct struct_info *si=arg;
-	struct param_info *pi;
+	struct param_info *pi = NULL;
 	char fullname[1024];
 	char *type = NULL;
 	char *name = NULL;
+	char *desc = NULL;
 	const char *args="";
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "type") == 0) {
 			type = (char*)this_tag->children->content;
 			/* If type is NULL then look for a ref - it's probably an external struct or typedef */
 			if (type == NULL) {
-				type = get_child(this_tag, "ref");
+				cstring_t tmp = get_child(this_tag, "ref");
+				type = cstring_to_chars(tmp);
+				cstring_free(tmp);
 			}
 		}
 		if (strcmp((char*)this_tag->name, "name") == 0) {
 			name = (char*)this_tag->children->content;
 		}
 		if (this_tag->children && strcmp((char*)this_tag->name, "argsstring") == 0) {
 			args = (char*)this_tag->children->content;
 		}
+		if (this_tag->children && strcmp((char*)this_tag->name, "detaileddescription") == 0) {
+			cstring_t *desc_cs = get_texttree(NULL, this_tag, NULL, NULL, 0);
+			if (cstring_len(desc_cs) > 1) {
+				desc = cstring_to_chars(desc_cs);
+			}
+			cstring_free(desc_cs);
+		}
 	}
 
 	if (name) {
 		pi = malloc(sizeof(struct param_info));
 		if (pi) {
 			snprintf(fullname, sizeof(fullname), "%s%s", name, args);
 			pi->paramtype = type?strdup(type):strdup("");
 			pi->paramname = strdup(fullname);
-			pi->paramdesc = NULL;
+			pi->paramdesc = desc;
 			qb_list_add_tail(&pi->list, &si->params_list);
 		}
 	}
+	/* Tidy */
+	if (!name || !pi) {
+		free(desc);
+	}
 }
 
 static int read_structure_from_xml(const char *refid, const char *name)
 {
 	char fname[PATH_MAX];
 	xmlNode *rootdoc;
 	xmlDocPtr doc;
 	struct struct_info *si;
 	struct stat st;
 	int ret = -1;
 
 	snprintf(fname, sizeof(fname),  "%s/%s.xml", xml_dir, refid);
 
 	/* Don't call into libxml if the file does not exist - saves unwanted error messages */
 	if (stat(fname, &st) == -1) {
 		return -1;
 	}
 
 	doc = xmlParseFile(fname);
 	if (doc == NULL) {
 		fprintf(stderr, "Error: unable to open xml file for %s\n", refid);
 		return -1;
 	}
 
 	rootdoc = xmlDocGetRootElement(doc);
 	if (!rootdoc) {
 		fprintf(stderr, "Can't find \"document root\"\n");
 		return -1;
 	}
 
 	si = malloc(sizeof(struct struct_info));
 	if (si) {
 		memset(si, 0, sizeof(*si));
 		si->kind = STRUCTINFO_STRUCT;
 		qb_list_init(&si->params_list);
 		traverse_node(rootdoc, "memberdef", read_struct, si);
 		traverse_node(rootdoc, "compounddef", read_structdesc, si);
 		traverse_node(rootdoc, "compounddef", read_structname, si);
 		ret = 0;
 		qb_map_put(structures_map, refid, si);
 	}
 	xmlFreeDoc(doc);
 
 	return ret;
 }
 
 static char *allcaps(const char *name)
 {
-	static char buffer[1024] = {'\0'};
+	static char buffer[4096] = {'\0'};
 	size_t i;
 
-	for (i=0; i< strlen(name); i++) {
-		buffer[i] = toupper(name[i]);
+	if (name) {
+		size_t len = strnlen(name, 4096);
+		for (i=0; i< len; i++) {
+			buffer[i] = toupper(name[i]);
+		}
+		buffer[len] = '\0';
 	}
-	buffer[strlen(name)] = '\0';
 	return buffer;
 }
 
-static void print_param(FILE *manfile, struct param_info *pi, int field_width, int bold, const char *delimiter)
+/*
+ * Print a structure comment that would be too long
+ * to fit after the structure member, in a style ...
+ * well, in a style like this!
+ */
+static void print_long_structure_comment(FILE *manfile, char *comment)
+{
+	char *ptr = strtok(comment, " ");
+	int column = 7;
+
+	fprintf(manfile, "\\fP    /*");
+	fprintf(manfile, "\n     *");
+	while (ptr) {
+		column += strlen(ptr)+1;
+		if (column > 80) {
+			fprintf(manfile, "\n     *");
+			column = 7;
+		}
+		fprintf(manfile, " %s", ptr);
+		ptr = strtok(NULL, " ");
+	}
+	fprintf(manfile, "\n     */\n");
+}
+
+static void print_param(FILE *manfile, struct param_info *pi, int type_field_width, int name_field_width, int bold, const char *delimiter)
 {
 	const char *asterisks = "  ";
 	char *type = pi->paramtype;
 	int typelength = strlen(type);
 
 	/* Reformat pointer params so they look nicer */
 	if (typelength > 0 && pi->paramtype[typelength-1] == '*') {
 		asterisks=" *";
 		type = strdup(pi->paramtype);
 		type[typelength-1] = '\0';
 
 		/* Cope with double pointers */
 		if (typelength > 1 && pi->paramtype[typelength-2] == '*') {
 			asterisks="**";
 			type[typelength-2] = '\0';
 		}
 
 		/* Tidy function pointers */
 		if (typelength > 1 && pi->paramtype[typelength-2] == '(') {
 			asterisks="(*";
 			type[typelength-2] = '\0';
 		}
 	}
 
-	fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\n",
-		bold?"\\fB":"", field_width, type,
-		asterisks, bold?"\\fP":"", pi->paramname, delimiter);
+	/* Print structure description if available */
+	if (pi->paramdesc) {
+		/* Too long to go on the same line? */
+		if (strlen(pi->paramdesc) > STRUCT_COMMENT_LENGTH) {
+			print_long_structure_comment(manfile, pi->paramdesc);
+			fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\n",
+				bold?"\\fB":"", type_field_width, type,
+				asterisks, bold?"\\fP":"",
+				pi->paramname?pi->paramname:"", delimiter);
+		} else {
+			/* Pad out so they all line up */
+			int pad_length = name_field_width -
+				(pi->paramname?strlen(pi->paramname):0) + 1;
+			fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\\fR%*s/* %s*/\n",
+				bold?"\\fB":"", type_field_width, type,
+				asterisks, bold?"\\fP":"",
+				pi->paramname?pi->paramname:"", delimiter,
+				pad_length, " ",
+				pi->paramdesc);
+		}
+	} else {
+		fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\n",
+			bold?"\\fB":"", type_field_width, type,
+			asterisks, bold?"\\fP":"",
+			pi->paramname?pi->paramname:"", delimiter);
+	}
 
 	if (type != pi->paramtype) {
 		free(type);
 	}
 }
 
 static void print_structure(FILE *manfile, struct struct_info *si)
 {
 	struct param_info *pi;
 	struct qb_list_head *iter;
 	unsigned int max_param_length=0;
+	unsigned int max_param_name_length=0;
 
 	fprintf(manfile, ".nf\n");
-	fprintf(manfile, "\\fB\n");
 
 	if (si->brief_description) {
 		fprintf(manfile, "%s\n", si->brief_description);
 	}
 	if (si->description) {
 		fprintf(manfile, "%s\n", si->description);
 	}
 
 	qb_list_for_each(iter, &si->params_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		if (strlen(pi->paramtype) > max_param_length) {
 			max_param_length = strlen(pi->paramtype);
 		}
+		if (strlen(pi->paramname) > max_param_name_length) {
+			max_param_name_length = strlen(pi->paramname);
+		}
 	}
 
+	fprintf(manfile, "\\fB\n");
 	if (si->kind == STRUCTINFO_STRUCT) {
 		fprintf(manfile, "struct %s {\n", si->structname);
 	} else if (si->kind == STRUCTINFO_ENUM) {
 		fprintf(manfile, "enum %s {\n", si->structname);
 	} else {
 		fprintf(manfile, "%s {\n", si->structname);
 	}
+	fprintf(manfile, "\\fR\n");
 
 	qb_list_for_each(iter, &si->params_list) {
+		fprintf(manfile, "\\fB\n");
 		pi = qb_list_entry(iter, struct param_info, list);
-		print_param(manfile, pi, max_param_length, 0,";");
+		print_param(manfile, pi, max_param_length, max_param_name_length, 1, ";");
 	}
 	fprintf(manfile, "};\n");
 
 	fprintf(manfile, "\\fP\n");
 	fprintf(manfile, ".fi\n");
 }
 
-char *get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext)
+cstring_t get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext, int add_nl)
 {
 	xmlNode *this_tag;
-	char *tmp = NULL;
-	char buffer[4096] = {'\0'};
+	cstring_t tmp;
+	cstring_t buffer = cstring_alloc();
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "para") == 0) {
 			tmp = get_text(this_tag, returntext, notetext);
-			strncat(buffer, tmp, sizeof(buffer)-1);
-			strncat(buffer, "\n", sizeof(buffer)-1);
-			free(tmp);
-		}
-	}
+			buffer = cstring_append_cstring(buffer, tmp);
+			if (add_nl) {
+				buffer = cstring_append_chars(buffer, "\n");
+			}
 
-	if (buffer[0]) {
-		return strdup(buffer);
-	} else {
-		return NULL;
+			cstring_free(tmp);
+		}
 	}
+	return buffer;
 }
 
 /* The text output is VERY basic and just a check that it's working really */
 static void print_text(char *name, char *def, char *brief, char *args, char *detailed,
 		       struct qb_list_head *param_list, char *returntext, char *notetext)
 {
 	printf(" ------------------ %s --------------------\n", name);
 	printf("NAME\n");
 	if (brief) {
 		printf("        %s - %s\n", name, brief);
 	} else {
 		printf("        %s\n", name);
 	}
 
 	printf("SYNOPSIS\n");
 	printf("        #include <%s%s>\n", header_prefix, headerfile);
 	if (args) {
 		printf("        %s %s\n\n", name, args);
 	}
 
 	if (detailed) {
 		printf("DESCRIPTION\n");
 		printf("        %s\n", detailed);
 	}
 
 	if (returntext) {
 		printf("RETURN VALUE\n");
 		printf("        %s\n", returntext);
 	}
 	if (notetext) {
 		printf("NOTE\n");
 		printf("        %s\n", notetext);
 	}
 }
 
 /* Print a long string with para marks in it. */
 static void man_print_long_string(FILE *manfile, char *text)
 {
 	char *next_nl;
 	char *current = text;
+	int in_prog = 0;
 
 	next_nl = strchr(text, '\n');
 	while (next_nl && *next_nl != '\0') {
 		*next_nl = '\0';
-		if (strlen(current)) {
-			fprintf(manfile, ".PP\n%s\n", current);
+
+		// Don't format @code blocks
+		if (strncmp(current, ".nf", 3) == 0) {
+			in_prog = 1;
+			fprintf(manfile, "\n");
+		}
+
+		if (in_prog) {
+			fprintf(manfile, "%s\n", current);
+		} else {
+			if (strlen(current)) {
+				fprintf(manfile, ".PP\n%s\n", current);
+			}
+		}
+
+		if (strncmp(current, ".fi", 3) == 0) {
+			in_prog = 0;
+			fprintf(manfile, "\n");
 		}
 
 		*next_nl = '\n';
 		current = next_nl+1;
 		next_nl = strchr(current, '\n');
 	}
 
 	/* The bit at the end */
-	if (strlen(current)) {
+	if (strlen(current) && !in_prog) {
 		fprintf(manfile, ".PP\n%s\n", current);
 	}
 }
 
 static void print_manpage(char *name, char *def, char *brief, char *args, char *detailed,
 			  struct qb_list_head *param_map, char *returntext, char *notetext)
 {
 	char manfilename[PATH_MAX];
 	char gendate[64];
 	const char *dateptr = gendate;
 	FILE *manfile;
 	time_t t;
 	struct tm *tm;
 	qb_map_iter_t *map_iter;
 	struct qb_list_head *iter;
 	struct qb_list_head *tmp;
 	const char *p;
 	void *data;
 	unsigned int max_param_type_len;
 	unsigned int max_param_name_len;
 	unsigned int num_param_descs;
 	int param_count = 0;
 	int param_num = 0;
 	struct param_info *pi;
 
 	t = time(NULL);
 	tm = localtime(&t);
 	if (!tm) {
 		perror("unable to get localtime");
 		exit(1);
 	}
 	strftime(gendate, sizeof(gendate), "%Y-%m-%d", tm);
 
 	if (manpage_date) {
 		dateptr = manpage_date;
 	}
 	if (manpage_year == LONG_MIN) {
 		manpage_year = tm->tm_year+1900;
 	}
 
 	snprintf(manfilename, sizeof(manfilename), "%s/%s.%s", output_dir, name, man_section);
 	manfile = fopen(manfilename, "w+");
 	if (!manfile) {
 		perror("unable to open output file");
 		printf("%s", manfilename);
 		exit(1);
 	}
 
 	/* Work out the length of the parameters, so we can line them up   */
 	max_param_type_len = 0;
 	max_param_name_len = 0;
 	num_param_descs = 0;
 
-	qb_list_for_each(iter, &params_list) {
+	qb_list_for_each(iter, param_map) {
 		pi = qb_list_entry(iter, struct param_info, list);
 
 		/* It's mainly macros that break this,
 		 * macros need more work
 		 */
 		if (!pi->paramtype) {
 			pi->paramtype = strdup("");
 		}
 		if ((strlen(pi->paramtype) < LINE_LENGTH) &&
 		    (strlen(pi->paramtype) > max_param_type_len)) {
 			max_param_type_len = strlen(pi->paramtype);
 		}
 		if (strlen(pi->paramname) > max_param_name_len) {
 			max_param_name_len = strlen(pi->paramname);
 		}
-		if (pi->paramdesc) {
+		if (pi->paramdesc && pi->paramtype[0] != '\0') {
 			num_param_descs++;
 		}
 		param_count++;
 	}
 
 	/* Off we go */
 
 	fprintf(manfile, ".\\\"  Automatically generated man page, do not edit\n");
 	fprintf(manfile, ".TH %s %s %s \"%s\" \"%s\"\n", allcaps(name), man_section, dateptr, package_name, header);
 
 	fprintf(manfile, ".SH NAME\n");
-	if (brief) {
+	if (brief && not_all_whitespace(brief)) {
 		fprintf(manfile, "%s \\- %s\n", name, brief);
 	} else {
 		fprintf(manfile, "%s\n", name);
 	}
 
 	fprintf(manfile, ".SH SYNOPSIS\n");
 	fprintf(manfile, ".nf\n");
 	fprintf(manfile, ".B #include <%s%s>\n", header_prefix, headerfile);
 	if (def) {
 		fprintf(manfile, ".sp\n");
 		fprintf(manfile, "\\fB%s\\fP(\n", def);
 
-		qb_list_for_each(iter, &params_list) {
+		qb_list_for_each(iter, param_map) {
 			pi = qb_list_entry(iter, struct param_info, list);
 
-			print_param(manfile, pi, max_param_type_len, 1, ++param_num < param_count?",":"");
+			if (pi->paramtype[0] != '\0') {
+				print_param(manfile, pi, max_param_type_len, 0, 1, ++param_num < param_count?",":"");
+			}
 		}
 
 		fprintf(manfile, ");\n");
 		fprintf(manfile, ".fi\n");
 	}
 
 	if (print_params && num_param_descs) {
 		fprintf(manfile, ".SH PARAMS\n");
 
 		qb_list_for_each(iter, &params_list) {
-		pi = qb_list_entry(iter, struct param_info, list);
+			pi = qb_list_entry(iter, struct param_info, list);
 			fprintf(manfile, "\\fB%-*s \\fP\\fI%s\\fP\n", (int)max_param_name_len, pi->paramname,
 				pi->paramdesc);
 			fprintf(manfile, ".PP\n");
 		}
 	}
 
 	if (detailed) {
 		fprintf(manfile, ".SH DESCRIPTION\n");
 		man_print_long_string(manfile, detailed);
 	}
 
 	if (qb_map_count_get(used_structures_map)) {
 		int first_struct = 1;
 
 		map_iter = qb_map_iter_create(used_structures_map);
 		for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
 			struct struct_info *si;
 			const char *refid = p;
 			char *refname = data;
 
 			/* If it's not been read in - go and look for it */
 			si = qb_map_get(structures_map, refid);
 			if (!si) {
 				if (!read_structure_from_xml(refid, refname)) {
 					si = qb_map_get(structures_map, refid);
 				}
 			}
 
 			/* Only print header if the struct files exist - sometimes they don't */
 			if (si && first_struct) {
 				fprintf(manfile, ".SH STRUCTURES\n");
 				first_struct = 0;
 			}
 			if (si) {
 				print_structure(manfile, si);
 				fprintf(manfile, ".PP\n");
 			}
 		}
 		qb_map_iter_free(map_iter);
 
 		fprintf(manfile, ".RE\n");
 	}
 
-	if (returntext) {
+	if (returntext || !qb_list_empty(&retval_list)) {
 		fprintf(manfile, ".SH RETURN VALUE\n");
-		man_print_long_string(manfile, returntext);
+		if (returntext) {
+			man_print_long_string(manfile, returntext);
+		}
 		fprintf(manfile, ".PP\n");
 	}
 
 	qb_list_for_each(iter, &retval_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 
 		fprintf(manfile, "\\fB%-*s \\fP%s\n", 10, pi->paramname,
 			pi->paramdesc);
 		fprintf(manfile, ".PP\n");
 	}
 
 	if (notetext) {
 		fprintf(manfile, ".SH NOTE\n");
 		man_print_long_string(manfile, notetext);
 	}
 
 	fprintf(manfile, ".SH SEE ALSO\n");
 	fprintf(manfile, ".PP\n");
 	fprintf(manfile, ".nh\n");
 	fprintf(manfile, ".ad l\n");
 
 	param_num = 0;
 	map_iter = qb_map_iter_create(function_map);
 	for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
 
 		/* Exclude us! */
 		if (strcmp(data, name)) {
 			fprintf(manfile, "\\fI%s\\fR(%s)%s", (char *)data, man_section,
 				param_num < (num_functions - 1)?", ":"");
 		}
 		param_num++;
 	}
 	qb_map_iter_free(map_iter);
 
 	fprintf(manfile, "\n");
 	fprintf(manfile, ".ad\n");
 	fprintf(manfile, ".hy\n");
 	fprintf(manfile, ".SH \"COPYRIGHT\"\n");
 	fprintf(manfile, ".PP\n");
-	fprintf(manfile, "Copyright (C) %4ld-%4ld %s, Inc. All rights reserved.\n", start_year, manpage_year, company);
+	if (header_copyright[0] == 'C') {
+		fprintf(manfile, "%s", header_copyright); /* String already contains trailing NL */
+	} else {
+		fprintf(manfile, "Copyright (C) %4ld-%4ld %s, Inc. All rights reserved.\n", start_year, manpage_year, company);
+	}
 	fclose(manfile);
 
 	/* Free the params & retval info */
 	qb_list_for_each_safe(iter, tmp, &params_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		qb_list_del(&pi->list);
 		free_paraminfo(pi);
 	}
 
 	qb_list_for_each_safe(iter, tmp, &retval_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		qb_list_del(&pi->list);
 		free_paraminfo(pi);
 	}
 
 	/* Free used-structures map */
 	map_iter = qb_map_iter_create(used_structures_map);
 	for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
 		qb_map_rm(used_structures_map, p);
 		free(data);
 	}
 }
 
 /* Same as traverse_members, but to collect function names */
 static void collect_functions(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	char *kind;
 	char *name = NULL;
 
 	if (cur_node->name && strcmp((char *)cur_node->name, "memberdef") == 0) {
 
 		kind = get_attr(cur_node, "kind");
 		if (kind && strcmp(kind, "function") == 0) {
 
 			for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 				if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0) {
 					name = strdup((char *)this_tag->children->content);
 				}
 			}
 
 			if (name) {
 				qb_map_put(function_map, name, name);
 				num_functions++;
 			}
 		}
 	}
 }
 
 /* Same as traverse_members, but to collect enums. The behave like structures for,
    but, for some reason, are in the main XML file rather than their own */
 static void collect_enums(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	struct struct_info *si;
 	char *kind;
 	char *refid = NULL;
 	char *name = NULL;
 
 	if (cur_node->name && strcmp((char *)cur_node->name, "memberdef") == 0) {
 
 		kind = get_attr(cur_node, "kind");
 		if (kind && strcmp(kind, "enum") == 0) {
 			refid = get_attr(cur_node, "id");
 
 			for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 				if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0) {
 					name = strdup((char *)this_tag->children->content);
 				}
 			}
 
 			if (name) {
 				si = malloc(sizeof(struct struct_info));
 				if (si) {
 					memset(si, 0, sizeof(*si));
 					si->kind = STRUCTINFO_ENUM;
 					qb_list_init(&si->params_list);
 					si->structname = strdup(name);
 					traverse_node(cur_node, "enumvalue", read_struct, si);
 					qb_map_put(structures_map, refid, si);
 				}
 			}
 		}
 	}
 }
 
 static void traverse_members(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 
+	qb_list_init(&params_list);
+
 	/* if arg == NULL then we're generating a page for the whole header file */
 	if ((cur_node->name && (strcmp((char *)cur_node->name, "memberdef") == 0)) ||
 	    ((arg == NULL) && cur_node->name && strcmp((char *)cur_node->name, "compounddef")) == 0) {
 		char *kind = NULL;
 		char *def = NULL;
 		char *args = NULL;
 		char *name = NULL;
 		char *brief = NULL;
 		char *detailed = NULL;
 		char *returntext = NULL;
 		char *notetext = NULL;
 		int type;
 
 		kind=def=args=name=NULL;
 
 		kind = get_attr(cur_node, "kind");
 
 		for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next)
 		{
 			if (!this_tag->children || !this_tag->children->content)
 				continue;
 
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "definition") == 0)
 				def = strdup((char *)this_tag->children->content);
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "argsstring") == 0)
 				args = strdup((char *)this_tag->children->content);
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0)
 				name = strdup((char *)this_tag->children->content);
 
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "briefdescription") == 0) {
-				brief = get_texttree(&type, this_tag, &returntext, &notetext);
-				if (brief) {
-					/*
-					 * apparently brief text contains extra trailing space and a \n.
-					 * remove them.
-					 */
-					brief[strlen(brief) - 2] = '\0';
+				cstring_t tmp = get_texttree(&type, this_tag, &returntext, &notetext, 1);
+				if (!brief) {
+					brief = cstring_to_chars(tmp);
+				} else {
+					fprintf(stderr, "ERROR function %s has 2 briefdescription tags\n", name?name:"unknown");
 				}
+				cstring_free(tmp);
 			}
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "detaileddescription") == 0) {
-				detailed = get_texttree(&type, this_tag, &returntext, &notetext);
+				cstring_t tmp = get_texttree(&type, this_tag, &returntext, &notetext, 1);
+				if (!detailed) {
+					detailed = cstring_to_chars(tmp);
+				} else {
+					fprintf(stderr, "ERROR function %s has 2 detaileddescription tags\n", name?name:"unknown");
+				}
+				cstring_free(tmp);
 			}
 			/* Get all the params */
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "param") == 0) {
-				char *param_type = get_child(this_tag, "type");
-				char *param_name = get_child(this_tag, "declname");
+				cstring_t param_type = get_child(this_tag, "type");
+				cstring_t param_name = get_child(this_tag, "declname");
 				struct param_info *pi = malloc(sizeof(struct param_info));
 				if (pi) {
-					pi->paramname = param_name;
-					pi->paramtype = param_type;
+					pi->paramname = cstring_to_chars(param_name);
+					pi->paramtype = cstring_to_chars(param_type);
 					pi->paramdesc = NULL;
 					qb_list_add_tail(&pi->list, &params_list);
 				}
 			}
 		}
 
 		if (arg == headerfile) {
 			/* Print header page */
 			name = (char*)headerfile;
 			if (print_man) {
 				if (!quiet) {
 					printf("Printing header manpage for %s\n", name);
 				}
 				print_manpage(name, def, brief, args, detailed, &params_list, returntext, notetext);
 			}
 			else {
 				print_text(name, def, brief, args, detailed, &params_list, returntext, notetext);
 			}
 		}
 
 		if (kind && strcmp(kind, "function") == 0) {
 
 			/* Make sure function has a doxygen description */
 			if (!detailed) {
 				fprintf(stderr, "No detailed description for function '%s' - please fix this\n", name);
 			}
 
 			if (!name) {
 				fprintf(stderr, "Internal error - no name found for function\n");
 			} else {
 				if (print_man) {
 					if (!quiet) {
 						printf("Printing manpage for %s\n", name);
 					}
 					print_manpage(name, def, brief, args, detailed, &params_list, returntext, notetext);
 				}
 				else {
 					print_text(name, def, brief, args, detailed, &params_list, returntext, notetext);
 				}
 			}
 
 		}
 
 		free(kind);
 		free(def);
 		free(args);
 		free(name);
+		free(brief);
+		free(detailed);
 	}
 }
 
 
 static void traverse_node(xmlNode *parentnode, const char *leafname, void (do_members(xmlNode*, void*)), void *arg)
 {
 	xmlNode *cur_node;
 
 	for (cur_node = parentnode->children; cur_node; cur_node = cur_node->next) {
 		if (cur_node->type == XML_ELEMENT_NODE && cur_node->name
 		    && strcmp((char*)cur_node->name, leafname)==0) {
 			do_members(cur_node, arg);
 			continue;
 		}
 		if (cur_node->type == XML_ELEMENT_NODE) {
 			traverse_node(cur_node, leafname, do_members, arg);
 		}
 	}
 }
 
 
 static void usage(char *name)
 {
 	printf("Usage:\n");
 	printf("      %s [OPTIONS] <XML file>\n", name);
 	printf("\n");
 	printf(" This is a tool to generate API manpages from a doxygen-annotated header file.\n");
 	printf(" First run doxygen on the file and then run this program against the main XML file\n");
 	printf(" it created and the directory containing the ancilliary files. It will then\n");
 	printf(" output a lot of *.3 man page files which you can then ship with your library.\n");
 	printf("\n");
 	printf(" You will need to invoke this program once for each .h file in your library,\n");
 	printf(" using the name of the generated .xml file. This file will usually be called\n");
 	printf(" something like <include-file>_8h.xml, eg qbipcs_8h.xml\n");
 	printf("\n");
 	printf(" If you want HTML output then simpy use nroff on the generated files as you\n");
 	printf(" would do with any other man page.\n");
 	printf("\n");
 	printf("       -a            Print ASCII dump of man pages to stdout\n");
 	printf("       -m            Write man page files to <output dir>\n");
 	printf("       -P            Print PARAMS section\n");
 	printf("       -g            Print general man page for the whole header file\n");
+	printf("       -c            Use the Copyright date from the header file (if one can be found)\n");
+	printf("       -O <dir>      Directory for the orignal header file. Often needed by -c above\n");
 	printf("       -s <s>        Write man pages into section <s> <default 3)\n");
 	printf("       -p <package>  Use <package> name. default <Package>\n");
 	printf("       -H <header>   Set header (default \"Programmer's Manual\"\n");
 	printf("       -I <include>  Set include filename (default taken from xml)\n");
 	printf("       -i <prefix>   Prefix for include files. eg qb/ (default \"\")\n");
 	printf("       -C <company>  Company name in copyright (defaults to Red Hat)\n");
 	printf("       -D <date>     Date to print at top of man pages (format not checked, default: today)\n");
 	printf("       -S <year>     Start year to print at end of copyright line (default: 2010)\n");
 	printf("       -Y <year>     Year to print at end of copyright line (default: today's year)\n");
 	printf("       -o <dir>      Write all man pages to <dir> (default .)\n");
 	printf("       -d <dir>      Directory for XML files (./xml/)\n");
 	printf("       -h            Print this usage text\n");
 }
 
 static long get_year(char *optionarg, char optionchar)
 {
 	long year = strtol(optionarg, NULL, 10);
 	/*
 	 * Don't make too many assumptions about the year. I was on call at the
 	 * 2000 rollover. #experience
 	 */
 	if (year == LONG_MIN || year == LONG_MAX ||
 	    year < 1900) {
 		fprintf(stderr, "Value passed to -%c is not a valid year number\n", optionchar);
 		return 0;
 	}
 	return year;
 }
 
 int main(int argc, char *argv[])
 {
 	xmlNode *rootdoc;
 	xmlDocPtr doc;
 	int opt;
 	char xml_filename[PATH_MAX];
 
-	while ( (opt = getopt_long(argc, argv, "H:amqgPD:Y:s:S:d:o:p:f:I:i:C:h?", NULL, NULL)) != EOF)
+	while ( (opt = getopt_long(argc, argv, "H:amqgcPD:Y:s:S:d:o:p:f:I:i:C:O:h?", NULL, NULL)) != EOF)
 	{
 		switch(opt)
 		{
 			case 'a':
 				print_ascii = 1;
 				print_man = 0;
 				break;
 			case 'm':
 				print_man = 1;
 				print_ascii = 0;
 				break;
 			case 'P':
 				print_params = 1;
 				break;
 			case 'g':
 				print_general = 1;
 				break;
 			case 'q':
 				quiet = 1;
 				break;
+			case 'c':
+				use_header_copyright = 1;
+				break;
 			case 'I':
 				headerfile = optarg;
 				break;
 			case 'i':
 				header_prefix = optarg;
 				break;
 			case 'C':
 				company = optarg;
 				break;
 			case 's':
 				man_section = optarg;
 				break;
 			case 'S':
 				start_year = get_year(optarg, 'S');
 				if (start_year == 0) {
 					return 1;
 				}
 				break;
 			case 'd':
 				xml_dir = optarg;
 				break;
 			case 'D':
 				manpage_date = optarg;
 				break;
 			case 'Y':
 				manpage_year = get_year(optarg, 'Y');
 				if (manpage_year == 0) {
 					return 1;
 				}
 				break;
 			case 'p':
 				package_name = optarg;
 				break;
 			case 'H':
 				header = optarg;
 				break;
 			case 'o':
 				output_dir = optarg;
 				break;
+			case 'O':
+			        header_src_dir = optarg;
+				break;
 			case '?':
 			case 'h':
 				usage(argv[0]);
 				return 0;
 		}
 	}
 
 	if (argv[optind]) {
 		xml_file = argv[optind];
 	}
 	if (!xml_file) {
 		usage(argv[0]);
 		exit(1);
 	}
 
 	if (!quiet) {
 		printf("reading %s ... ", xml_file);
 	}
 
 	snprintf(xml_filename, sizeof(xml_filename), "%s/%s", xml_dir, xml_file);
 	doc = xmlParseFile(xml_filename);
 	if (doc == NULL) {
 		fprintf(stderr, "Error: unable to read xml file %s\n", xml_filename);
 		exit(1);
 	}
 
 	rootdoc = xmlDocGetRootElement(doc);
 	if (!rootdoc) {
 		fprintf(stderr, "Can't find \"document root\"\n");
 		exit(1);
 	}
 	if (!quiet)
 		printf("done.\n");
 
 	/* Get our header file name */
 	if (!headerfile) {
 		traverse_node(rootdoc, "compounddef", read_headername, &headerfile);
+
+		if (use_header_copyright) {
+			/* And get the copyright line from this file if we can */
+			char file_path[PATH_MAX];
+			char file_line[256];
+			FILE *hfile;
+			int lineno = 0;
+
+			snprintf(file_path, sizeof(file_path), "%s/%s", header_src_dir, headerfile);
+			hfile = fopen(file_path, "r");
+			if (hfile) {
+				/* Don't look too far, this should be at the top */
+				while (!feof(hfile) && (lineno++ < 10)) {
+					if (fgets(file_line, sizeof(file_line)-1, hfile)) {
+						if (strncmp(file_line, " * Copyright", 12) == 0) {
+							/* Keep the NL at the end of the buffer, it save us printing one */
+							strncpy(header_copyright, file_line+3, sizeof(header_copyright)-1);
+							break;
+						}
+					}
+				}
+				fclose(hfile);
+			}
+		}
 	}
+
 	/* Default to *something* if it all goes wrong */
 	if (!headerfile) {
 		headerfile = "unknown.h";
 	}
 
 	qb_list_init(&params_list);
 	qb_list_init(&retval_list);
 	structures_map = qb_hashtable_create(10);
 	function_map = qb_hashtable_create(10);
 	used_structures_map = qb_hashtable_create(10);
 
 	/* Collect functions */
 	traverse_node(rootdoc, "memberdef", collect_functions, NULL);
 
 	/* Collect enums */
 	traverse_node(rootdoc, "memberdef", collect_enums, NULL);
 
 	/* print pages */
 	traverse_node(rootdoc, "memberdef", traverse_members, NULL);
 
 	if (print_general) {
 		/* Generate and print a page for the headerfile itself */
 		traverse_node(rootdoc, "compounddef", traverse_members, (char *)headerfile);
 	}
 	return 0;
 }