diff --git a/.github/workflows/build-rpm-arm64.yml b/.github/workflows/build-rpm-arm64.yml new file mode 100644 index 0000000..caf34c5 --- /dev/null +++ b/.github/workflows/build-rpm-arm64.yml @@ -0,0 +1,71 @@ +name: RPM/DEB build aarch64 + +on: + push: + branches: [ "master", "test-ci" ] + paths: [ 'RELEASE', '.github/workflows/build-rpm-arm64.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - ubuntu-24.04-arm + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 + - name: env + run: | + pwd + echo "RELEASE=$(cat RELEASE)" >> $GITHUB_ENV + echo "VERSION=$(date +%y%m%d%H%M%S)" >> $GITHUB_ENV + echo "MAJOR=$(cat RELEASE | cut -d "-" -f 1)" >> $GITHUB_ENV + echo "SUBMAJOR=$(cat RELEASE | cut -d "-" -f 2)" >> $GITHUB_ENV + echo "MINOR=$(cat RELEASE | cut -d "-" -f 3)" >> $GITHUB_ENV + - name: echo env + run: echo "release $RELEASE version $VERSION major $MAJOR submajor $SUBMAJOR minor $MINOR" + - name: Linux libraries + run: | + sudo apt update + sudo apt install libssl-dev libpam-dev libpcre2-dev rpm build-essential debhelper + - name: configure rpm env + run: | + mkdir ~/debian + mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} + tar -czf ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz --transform "s,^,3proxy-$RELEASE/," . + ln -s ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/rpmbuild/SOURCES/$RELEASE.tar.gz + cp scripts/rh/3proxy.spec ~/rpmbuild/SPECS/3proxy-$RELEASE.spec + cp ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/debian/3proxy_$RELEASE.orig.tar.gz + - name: rpmbuild + run: | + ret=`pwd` + cd ~/rpmbuild/SPECS + rpmbuild -ba 3proxy-$RELEASE.spec + cd $ret + mv ~/rpmbuild/RPMS/aarch64/3proxy-$RELEASE-1.aarch64.rpm 3proxy-$RELEASE.arm64.rpm + - name: Get artifact arp + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-arm64.rpm" + path: "*.rpm" + - name: debbuild + run: | + ret=`pwd` + cd ~/debian/ + tar xzf 3proxy_$RELEASE.orig.tar.gz + cd 3proxy-$RELEASE + echo "3proxy ($RELEASE-$VERSION) buster; urgency=medium" >debian/changelog + echo " " >>debian/changelog + echo " *3proxy $RELEASE build" >>debian/changelog + echo " " >>debian/changelog + echo " -- z3APA3A <3apa3a@3proxy.org> "`date "+%a, %d %b %Y %H:%M:%S %z"` >>debian/changelog + echo "">>debian/changelog + dpkg-buildpackage + cd $ret + cp ~/debian/3proxy_$RELEASE-"$VERSION"_arm64.deb ./3proxy-$RELEASE.arm64.deb + - name: Get artifact deb + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-arm64.deb" + path: "*.deb" diff --git a/.github/workflows/build-rpm-armhf.yml b/.github/workflows/build-rpm-armhf.yml new file mode 100644 index 0000000..7c94445 --- /dev/null +++ b/.github/workflows/build-rpm-armhf.yml @@ -0,0 +1,104 @@ +name: RPM/DEB build armhf + +on: + push: + branches: [ "master", "test-ci" ] + paths: [ 'RELEASE', '.github/workflows/build-rpm-armhf.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - ubuntu-latest + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 + - name: env + run: | + pwd + echo "RELEASE=$(cat RELEASE)" >> $GITHUB_ENV + echo "VERSION=$(date +%y%m%d%H%M%S)" >> $GITHUB_ENV + echo "MAJOR=$(cat RELEASE | cut -d "-" -f 1)" >> $GITHUB_ENV + echo "SUBMAJOR=$(cat RELEASE | cut -d "-" -f 2)" >> $GITHUB_ENV + echo "MINOR=$(cat RELEASE | cut -d "-" -f 3)" >> $GITHUB_ENV + - name: Linux libraries + run: | + sudo apt update + sudo dpkg --add-architecture armhf + echo "Types: deb" > ~/ubuntu.sources + echo "URIs: http://archive.ubuntu.com/ubuntu/" >> ~/ubuntu.sources + echo "Suites: noble noble-updates noble-backports" >> ~/ubuntu.sources + echo "Components: main restricted universe multiverse" >> ~/ubuntu.sources + echo "Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg" >> ~/ubuntu.sources + echo "Architectures: amd64" >> ~/ubuntu.sources + echo "" >> ~/ubuntu.sources + echo "Types: deb" >> ~/ubuntu.sources + echo "URIs: http://security.ubuntu.com/ubuntu/" >> ~/ubuntu.sources + echo "Suites: noble-security" >> ~/ubuntu.sources + echo "Components: main restricted universe multiverse" >> ~/ubuntu.sources + echo "Architectures: amd64" >> ~/ubuntu.sources + echo "Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg" >> ~/ubuntu.sources + echo "" >> ~/ubuntu.sources + echo "Types: deb" >>~/ubuntu.sources + echo "URIs: http://ports.ubuntu.com/ubuntu-ports/" >>~/ubuntu.sources + echo "Suites: noble noble-updates" >>~/ubuntu.sources + echo "Components: main restricted universe multiverse" >>~/ubuntu.sources + echo "Architectures: armhf" >>~/ubuntu.sources + echo "Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg" >>~/ubuntu.sources + sudo cp ~/ubuntu.sources /etc/apt/sources.list.d/ubuntu.sources + sudo apt update + sudo apt install libssl3t64:armhf openssl:armhf libssl-dev:armhf libpam0g:armhf libpam0g-dev:armhf libpcre2-dev:armhf rpm crossbuild-essential-armhf build-essential debhelper + - name: configure rpm env + run: | + mkdir ~/debian + mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} + tar -czf ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz --transform "s,^,3proxy-$RELEASE/," . + ln -s ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/rpmbuild/SOURCES/$RELEASE.tar.gz + cp scripts/rh/3proxy.spec ~/rpmbuild/SPECS/3proxy-$RELEASE.spec + cp ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/debian/3proxy_$RELEASE.orig.tar.gz + - name: rpmbuild + run: | + ret=`pwd` + cd ~/rpmbuild/SPECS + PATH=/usr/arm-linux-gnueabihf/bin:$PATH + export PATH=$PATH + CC=arm-linux-gnueabihf-gcc + export CC=$CC + export RPATH=/usr/arm-linux-gnueabihf/lib:$RPATH + export LD_LIBRARY_PATH=/usr/arm-linux-gnueabihf/lib:$LD_LIBRARY_PATH + rpmbuild -ba --define "PAMLIB pam0g" --define "_arch arm" --define "cross yes" --target=arm-linux-gnueabi 3proxy-$RELEASE.spec + cd $ret + mv ~/rpmbuild/RPMS/arm/3proxy-$RELEASE-1.arm.rpm 3proxy-$RELEASE.arm.rpm + - name: Get artifact + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-arm.rpm" + path: "*.rpm" + - name: debbuild + run: | + ret=`pwd` + cd ~/debian/ + tar xzf 3proxy_$RELEASE.orig.tar.gz + cd 3proxy-$RELEASE + echo "3proxy ($RELEASE-$VERSION) buster; urgency=medium" >debian/changelog + echo " " >>debian/changelog + echo " *3proxy $RELEASE build" >>debian/changelog + echo " " >>debian/changelog + echo " -- z3APA3A <3apa3a@3proxy.org> "`date "+%a, %d %b %Y %H:%M:%S %z"` >>debian/changelog + echo "">>debian/changelog + PATH=/usr/arm-linux-gnueabihf/bin:$PATH + export PATH=$PATH + CC=arm-linux-gnueabihf-gcc + export CC=$CC + export RPATH=/usr/arm-linux-gnueabihf/lib:$RPATH + export LD_LIBRARY_PATH=/usr/arm-linux-gnueabihf/lib:$LD_LIBRARY_PATH + dpkg-buildpackage + cd $ret + cp ~/debian/3proxy_$RELEASE-"$VERSION"_armhf.deb ./3proxy-$RELEASE.arm.deb + - name: Get artifact deb + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-arm.deb" + path: "*.deb" diff --git a/.github/workflows/build-rpm-x86-64.yml b/.github/workflows/build-rpm-x86-64.yml new file mode 100644 index 0000000..315a172 --- /dev/null +++ b/.github/workflows/build-rpm-x86-64.yml @@ -0,0 +1,72 @@ +name: RPM/DEB build x86-64 + +on: + push: + branches: [ "master", "test-ci" ] + paths: [ 'RELEASE', '.github/workflows/build-rpm-x86-64.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - ubuntu-latest + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 + - name: env + run: | + pwd + echo "RELEASE=$(cat RELEASE)" >> $GITHUB_ENV + echo "VERSION=$(date +%y%m%d%H%M%S)" >> $GITHUB_ENV + echo "MAJOR=$(cat RELEASE | cut -d "-" -f 1)" >> $GITHUB_ENV + echo "SUBMAJOR=$(cat RELEASE | cut -d "-" -f 2)" >> $GITHUB_ENV + echo "MINOR=$(cat RELEASE | cut -d "-" -f 3)" >> $GITHUB_ENV + - name: echo env + run: echo "release $RELEASE version $VERSION major $MAJOR submajor $SUBMAJOR minor $MINOR" + - name: Linux libraries + run: | + sudo apt update + sudo apt install libssl-dev libpam-dev libpcre2-dev rpm build-essential debhelper + - name: configure rpm/deb env + run: | + mkdir ~/debian + mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} + tar -czf ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz --transform "s,^,3proxy-$RELEASE/," . + ln -s ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/rpmbuild/SOURCES/$RELEASE.tar.gz + cp scripts/rh/3proxy.spec ~/rpmbuild/SPECS/3proxy-$RELEASE.spec + cp ~/rpmbuild/SOURCES/3proxy-$RELEASE.tar.gz ~/debian/3proxy_$RELEASE.orig.tar.gz + - name: rpmbuild + run: | + ret=`pwd` + cd ~/rpmbuild/SPECS + rpmbuild -ba 3proxy-$RELEASE.spec + cd $ret + mv ~/rpmbuild/RPMS/x86_64/3proxy-$RELEASE-1.x86_64.rpm 3proxy-$RELEASE.x86_64.rpm + - name: Get artifact rpm + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-x86_64.rpm" + path: "*.rpm" + - name: debbuild + run: | + ret=`pwd` + cd ~/debian/ + tar xzf 3proxy_$RELEASE.orig.tar.gz + cd 3proxy-$RELEASE + echo "3proxy ($RELEASE-$VERSION) buster; urgency=medium" >debian/changelog + echo " " >>debian/changelog + echo " *3proxy $RELEASE build" >>debian/changelog + echo " " >>debian/changelog + echo " -- z3APA3A <3apa3a@3proxy.org> "`date "+%a, %d %b %Y %H:%M:%S %z"` >>debian/changelog + echo "">>debian/changelog + dpkg-buildpackage + cd $ret + cp ~/debian/3proxy_$RELEASE-"$VERSION"_amd64.deb ./3proxy-$RELEASE.x86_64.deb + - name: Get artifact deb + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-x86_64.deb" + path: "*.deb" + diff --git a/.github/workflows/build-watcom.yml b/.github/workflows/build-watcom.yml new file mode 100644 index 0000000..0f23251 --- /dev/null +++ b/.github/workflows/build-watcom.yml @@ -0,0 +1,70 @@ +name: Build Win32 3proxy-lite with Watcom + +on: + push: + branches: [ "master" ] + paths: [ 'RELEASE', '.github/workflows/build-watcom.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: Setup Open Watcom + uses: open-watcom/setup-watcom@v0 + - name: set date + run: | + $NOW = Get-Date -Format "yyMMddHHmmss" + echo "now: $NOW" + $RELEASE = Get-Content -Path "RELEASE" -Raw + echo "release: $RELEASE" + echo "RELEASE=$RELEASE" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "VERSION=/D `"VERSION=\`"3proxy-$RELEASE\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "BUILDDATE=/D `"BUILDDATE=\`"$NOW\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + - name: make Watcom + shell: cmd + run: | + echo "volatile char VerSion[]=^"3APA3A-3proxy-Internal-Build: 3proxy-%RELEASE%-%NOW%\r\nCode certificate: https://3proxy.org/3proxy.cer\r\n^";" >>src/3proxy.c + nmake /F Makefile.watcom + - name: make dist dir + shell: cmd + run: | + mkdir dist + mkdir dist\3proxy + mkdir dist\3proxy\bin + mkdir dist\3proxy\cfg + mkdir dist\3proxy\cfg\sql + mkdir dist\3proxy\doc + mkdir dist\3proxy\doc\ru + mkdir dist\3proxy\doc\html + mkdir dist\3proxy\doc\html\plugins + mkdir dist\3proxy\doc\html\man5 + mkdir dist\3proxy\doc\html\man8 + mkdir dist\3proxy\doc\devel + copy bin\3proxy.exe dist\3proxy\bin\ + copy bin\*.dll dist\3proxy\bin\ + copy bin\mycrypt.exe dist\3proxy\bin\ + copy cfg\*.* dist\3proxy\cfg\ + copy cfg\sql\*.* dist\3proxy\cfg\sql\ + copy doc\ru\*.* dist\3proxy\doc\ru\ + copy doc\html\*.* dist\3proxy\doc\html\ + copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ + copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ + copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ + copy doc\devel\*.rtf dist\3proxy\doc\devel\ + copy copying dist\3proxy\ + copy authors dist\3proxy\ + copy README dist\3proxy\ + copy rus.3ps dist\3proxy\ + - name: Get artifact + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-lite" + path: dist/ diff --git a/.github/workflows/build-win32.yml b/.github/workflows/build-win32.yml new file mode 100644 index 0000000..6f35716 --- /dev/null +++ b/.github/workflows/build-win32.yml @@ -0,0 +1,76 @@ +name: Build Win32 3proxy with MSVC + +on: + push: + branches: [ "master" ] + paths: [ 'RELEASE', '.github/workflows/build-win32.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: set date + run: | + $NOW = Get-Date -Format "yyMMddHHmmss" + $RELEASE = Get-Content -Path "RELEASE" -Raw + echo "RELEASE=$RELEASE" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "VERSION=/D `"VERSION=\`"3proxy-$RELEASE\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "BUILDDATE=/D `"BUILDDATE=\`"$NOW\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + - name: install packages + run: vcpkg install pcre2:x86-windows-static openssl:x86-windows-static + - name: Add msbuild to PATH + uses: microsoft/setup-msbuild@v3 + - name: make Windows MSVC + if: ${{ startsWith(matrix.target, 'windows') }} + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars32.bat" + D: + cd "D:/a/3proxy/3proxy" + set "LIB=%LIB%;c:/vcpkg/installed/x86-windows-static/lib" + set "INCLUDE=%INCLUDE%;c:/vcpkg/installed/x86-windows-static/include" + echo "volatile char VerSion[]=^"3APA3A-3proxy-Internal-Build: 3proxy-%RELEASE%-%NOW%\r\nCode certificate: https://3proxy.org/3proxy.cer\r\n^";" >>src/3proxy.c + nmake /F Makefile.msvc + - name: make dist dir + shell: cmd + run: | + mkdir dist + mkdir dist\3proxy + mkdir dist\3proxy\bin + mkdir dist\3proxy\cfg + mkdir dist\3proxy\cfg\sql + mkdir dist\3proxy\doc + mkdir dist\3proxy\doc\ru + mkdir dist\3proxy\doc\html + mkdir dist\3proxy\doc\html\plugins + mkdir dist\3proxy\doc\html\man5 + mkdir dist\3proxy\doc\html\man8 + mkdir dist\3proxy\doc\devel + copy bin\3proxy.exe dist\3proxy\bin\ + copy bin\*.dll dist\3proxy\bin\ + copy bin\mycrypt.exe dist\3proxy\bin\ + copy cfg\*.* dist\3proxy\cfg\ + copy cfg\sql\*.* dist\3proxy\cfg\sql\ + copy doc\ru\*.* dist\3proxy\doc\ru\ + copy doc\html\*.* dist\3proxy\doc\html\ + copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ + copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ + copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ + copy doc\devel\*.rtf dist\3proxy\doc\devel\ + copy copying dist\3proxy\ + copy authors dist\3proxy\ + copy README dist\3proxy\ + copy rus.3ps dist\3proxy\ + - name: Get artifact + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}" + path: dist/ diff --git a/.github/workflows/build-win64.yml b/.github/workflows/build-win64.yml new file mode 100644 index 0000000..84933b4 --- /dev/null +++ b/.github/workflows/build-win64.yml @@ -0,0 +1,78 @@ +name: Build Win64 3proxy with MSVC + +on: + push: + branches: [ "master" ] + paths: [ 'RELEASE', '.github/workflows/build-win64.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: set date + run: | + $NOW = Get-Date -Format "yyMMddHHmmss" + $RELEASE = Get-Content -Path "RELEASE" -Raw + echo "NOW=$NOW" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "RELEASE=$RELEASE" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "VERSION=/D `"VERSION=\`"3proxy-$RELEASE\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "BUILDDATE=/D `"BUILDDATE=\`"$NOW\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + - name: install packages + run: vcpkg install pcre2:x64-windows-static openssl:x64-windows-static + - name: Add msbuild to PATH + uses: microsoft/setup-msbuild@v3 + - name: make Windows MSVC + if: ${{ startsWith(matrix.target, 'windows') }} + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat" + D: + cd "D:/a/3proxy/3proxy" + set "LIB=%LIB%;c:/vcpkg/installed/x64-windows-static/lib" + set "INCLUDE=%INCLUDE%;c:/vcpkg/installed/x64-windows-static/include" + echo "volatile char VerSion[]=^"3APA3A-3proxy-Internal-Build: 3proxy-%RELEASE%-%NOW%\r\nCode certificate: https://3proxy.org/3proxy.cer\r\n^";" >>src/3proxy.c + echo %NOW% / %RELEASE% / %BUILDDATE% / %VERSION% + nmake /F Makefile.msvc + - name: make dist dir + shell: cmd + run: | + mkdir dist + mkdir dist\3proxy + mkdir dist\3proxy\bin64 + mkdir dist\3proxy\cfg + mkdir dist\3proxy\cfg\sql + mkdir dist\3proxy\doc + mkdir dist\3proxy\doc\ru + mkdir dist\3proxy\doc\html + mkdir dist\3proxy\doc\html\plugins + mkdir dist\3proxy\doc\html\man5 + mkdir dist\3proxy\doc\html\man8 + mkdir dist\3proxy\doc\devel + copy bin\3proxy.exe dist\3proxy\bin64\ + copy bin\*.dll dist\3proxy\bin64\ + copy bin\mycrypt.exe dist\3proxy\bin64\ + copy cfg\*.* dist\3proxy\cfg\ + copy cfg\sql\*.* dist\3proxy\cfg\sql\ + copy doc\ru\*.* dist\3proxy\doc\ru\ + copy doc\html\*.* dist\3proxy\doc\html\ + copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ + copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ + copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ + copy doc\devel\*.rtf dist\3proxy\doc\devel\ + copy copying dist\3proxy\ + copy authors dist\3proxy\ + copy README dist\3proxy\ + copy rus.3ps dist\3proxy\ + - name: Get artifact + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-x64" + path: dist/ diff --git a/.github/workflows/build-winarm64.yml b/.github/workflows/build-winarm64.yml new file mode 100644 index 0000000..6a90abd --- /dev/null +++ b/.github/workflows/build-winarm64.yml @@ -0,0 +1,76 @@ +name: Build Win-arm64 3proxy with MSVC + +on: + push: + branches: [ "master" ] + paths: [ 'RELEASE', '.github/workflows/build-winarm64.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: set date + run: | + $NOW = Get-Date -Format "yyMMddHHmmss" + $RELEASE = Get-Content -Path "RELEASE" -Raw + echo "RELEASE=$RELEASE" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "VERSION=/D `"VERSION=\`"3proxy-$RELEASE\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "BUILDDATE=/D `"BUILDDATE=\`"$NOW\`"`"" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + - name: install packages + run: vcpkg install pcre2:arm64-windows-static openssl:arm64-windows-static + - name: Add msbuild to PATH + uses: microsoft/setup-msbuild@v3 + - name: make Windows MSVC + if: ${{ startsWith(matrix.target, 'windows') }} + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsx86_arm64.bat" + D: + cd "D:/a/3proxy/3proxy" + set "LIB=%LIB%;c:/vcpkg/installed/arm64-windows-static/lib" + set "INCLUDE=%INCLUDE%;c:/vcpkg/installed/arm64-windows-static/include" + echo "volatile char VerSion[]=^"3APA3A-3proxy-Internal-Build: 3proxy-%RELEASE%-%NOW%\r\nCode certificate: https://3proxy.org/3proxy.cer\r\n^";" >>src/3proxy.c + nmake /F Makefile.msvc + - name: make dist dir + shell: cmd + run: | + mkdir dist + mkdir dist\3proxy + mkdir dist\3proxy\bin64 + mkdir dist\3proxy\cfg + mkdir dist\3proxy\cfg\sql + mkdir dist\3proxy\doc + mkdir dist\3proxy\doc\ru + mkdir dist\3proxy\doc\html + mkdir dist\3proxy\doc\html\plugins + mkdir dist\3proxy\doc\html\man5 + mkdir dist\3proxy\doc\html\man8 + mkdir dist\3proxy\doc\devel + copy bin\3proxy.exe dist\3proxy\bin64\ + copy bin\*.dll dist\3proxy\bin64\ + copy bin\mycrypt.exe dist\3proxy\bin64\ + copy cfg\*.* dist\3proxy\cfg\ + copy cfg\sql\*.* dist\3proxy\cfg\sql\ + copy doc\ru\*.* dist\3proxy\doc\ru\ + copy doc\html\*.* dist\3proxy\doc\html\ + copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ + copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ + copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ + copy doc\devel\*.rtf dist\3proxy\doc\devel\ + copy copying dist\3proxy\ + copy authors dist\3proxy\ + copy README dist\3proxy\ + copy rus.3ps dist\3proxy\ + - name: Get artifact + uses: actions/upload-artifact@v6 + with: + name: "3proxy-${{ env.RELEASE }}-arm64" + path: dist/ diff --git a/.github/workflows/c-cpp-Linux.yml b/.github/workflows/c-cpp-Linux.yml new file mode 100644 index 0000000..4d5c1f0 --- /dev/null +++ b/.github/workflows/c-cpp-Linux.yml @@ -0,0 +1,34 @@ +name: C/C++ CI Linux + +on: + push: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ] + pull_request: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - ubuntu-latest + - ubuntu-24.04-arm + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: Linux libraries + if: ${{ startsWith(matrix.target, 'ubuntu') }} + run: sudo apt install libssl-dev libpam-dev libpcre2-dev + - name: make + run: make -f Makefile.Linux + - name: mkdir + run: mkdir ~/3proxy + - name: make install + run: make -f Makefile.Linux DESTDIR=~/3proxy install + - name: make clean Linux + run: make -f Makefile.Linux clean diff --git a/.github/workflows/c-cpp-MacOS.yml b/.github/workflows/c-cpp-MacOS.yml new file mode 100644 index 0000000..06ee52a --- /dev/null +++ b/.github/workflows/c-cpp-MacOS.yml @@ -0,0 +1,31 @@ +name: C/C++ CI MacOS + +on: + push: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ] + pull_request: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - macos-15 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: Mac libraries + run: brew install pcre2 + - name: make MacOS + run: make -f Makefile.FreeBSD + env: + LDFLAGS: "-L/usr/local/lib -L/opt/homebrew/lib -L/opt/homebrew/opt/openssl/lib" + CFLAGS: "-I/usr/local/include -I/opt/homebrew/include -I/usr/local/opt/openssl/include -I/opt/homebrew/opt/openssl/include" + - name: make clean MacOS + run: make -f Makefile.FreeBSD clean diff --git a/.github/workflows/c-cpp-Windows.yml b/.github/workflows/c-cpp-Windows.yml new file mode 100644 index 0000000..242b7c4 --- /dev/null +++ b/.github/workflows/c-cpp-Windows.yml @@ -0,0 +1,41 @@ +name: C/C++ CI Windows + +on: + push: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ] + pull_request: + branches: [ "master" ] + paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 + - name: install Windows libraries + run: vcpkg install pcre2:x64-windows && c:\msys64\usr\bin\pacman.exe -S --noconfirm mingw-w64-x86_64-pcre2 mingw-w64-x86_64-openssl + - name: make Windows + run: make -f Makefile.win + env: + LDFLAGS: '-L "c:/msys64/mingw64/lib"' + CFLAGS: '-I "c:/msys64/mingw64/include"' + - name: make clean Windows + run: make -f Makefile.win clean + - name: Add msbuild to PATH + uses: microsoft/setup-msbuild@v3 + - name: make Windows MSVC + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat" + D: + cd "D:/a/3proxy/3proxy" + set "LIB=%LIB%;c:/program files/openssl/lib/VC/x64/MT;c:/vcpkg/installed/x64-windows/lib" + set "INCLUDE=%INCLUDE%;c:/program files/openssl/include;c:/vcpkg/installed/x64-windows/include" + nmake /F Makefile.msvc + nmake /F Makefile.msvc clean diff --git a/.github/workflows/c-cpp-cmake.yml b/.github/workflows/c-cpp-cmake.yml new file mode 100644 index 0000000..4f4030a --- /dev/null +++ b/.github/workflows/c-cpp-cmake.yml @@ -0,0 +1,57 @@ +name: C/C++ CI cmake + +on: + push: + branches: [ "master", "unix_socket" ] + paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ] + pull_request: + branches: [ "master" ] + paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ] + +jobs: + ci: + name: "${{ matrix.target }}" + strategy: + matrix: + target: + - ubuntu-latest + - ubuntu-24.04-arm + - macos-15 + - windows-2022 + runs-on: ${{ matrix.target }} + steps: + - uses: actions/checkout@v5 +# - name: configure +# run: ./configure + - name: Linux libraries + if: ${{ startsWith(matrix.target, 'ubuntu') }} + run: sudo apt install libssl-dev libpam-dev libpcre2-dev + - name: Mac libraries + if: ${{ startsWith(matrix.target, 'macos') }} + run: brew install pcre2 + - name: install Windows libraries + if: ${{ startsWith(matrix.target, 'windows') }} + run: vcpkg install pcre2:x64-windows + - name: make with CMake POSIX + if: ${{ ! startsWith(matrix.target, 'windows') }} + run: | + mkdir build + cd build + cmake .. + cmake --build . + mkdir ~/3proxy + DESTDIR=~/3proxy cmake --install . + cd .. && rm -rf build/ + - name: make with CMake Win + if: ${{ startsWith(matrix.target, 'windows') }} + shell: cmd + run: | + mkdir build + cd build + set "LIB=%LIB%;c:/program files/openssl/lib/VC/x64/MT;c:/vcpkg/installed/x64-windows/lib" + set "INCLUDE=%INCLUDE%;c:/program files/openssl/include;c:/vcpkg/installed/x64-windows/include" + cmake .. + dir + cmake --build . + cd .. + rmdir /s /q build diff --git a/.gitignore b/.gitignore index b562c58..5f4b1c0 100644 --- a/.gitignore +++ b/.gitignore @@ -21,6 +21,7 @@ bin/pop3p bin/smtpp bin/ftppr bin/mycrypt +bin/tlspr bin64/ dll/ tmp/ @@ -51,11 +52,9 @@ src/mycrypt src/dighosts *.ld.so *.dSYM -doc/html/man3/ -doc/html/man8/ *.var verfile.sh -Makefile +/Makefile copytgz.sh *~.nib local.properties @@ -258,3 +257,14 @@ pip-log.txt #Mr Developer .mr.developer.cfg +CLAUDE.md +bin/3proxy_crypt +bin/3proxy_ftppr +bin/3proxy_pop3p +bin/3proxy_proxy +bin/3proxy_smtpp +bin/3proxy_socks +bin/3proxy_tcppm +bin/3proxy_tlspr +bin/3proxy_udppm +build*/* \ No newline at end of file diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..747638d --- /dev/null +++ b/CHANGELOG @@ -0,0 +1,11 @@ +3proxy-0.9.6 Released April, 11 2026 + ++ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios. ++ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header. ++ tlspr is supported in auto ++ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI ++ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems ++ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5 ++ cmake environment added +! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy +! Multiple minor bugfixes \ No newline at end of file diff --git a/CHANGELOG.rus b/CHANGELOG.rus new file mode 100644 index 0000000..a0da305 --- /dev/null +++ b/CHANGELOG.rus @@ -0,0 +1,11 @@ +3proxy-0.9.6 Вышел 11 Апреля 2026 + ++ В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях. ++ Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1. ++ tlspr поддерживается в режиме auto ++ tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI ++ Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU ++ Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5 ++ Добавлено окружение cmake +! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy +! Множество мелких исправлений ошибок \ No newline at end of file diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..193f147 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,864 @@ +# +# 3proxy CMake build system +# + +cmake_minimum_required(VERSION 3.16) + +# Read version from RELEASE file +file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/RELEASE" PROJECT_VERSION LIMIT_COUNT 1) + +project(3proxy + VERSION ${PROJECT_VERSION} + LANGUAGES C + DESCRIPTION "3proxy - tiny free proxy server" +) + +# Include GNUInstallDirs for standard installation directories +include(GNUInstallDirs) + +# Add cmake module path +list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") + +# Detect compiler +if(CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang") + set(COMPILER_IS_CLANG TRUE) + if(WIN32 AND CMAKE_C_COMPILER_FRONTEND_VARIANT STREQUAL "MSVC") + set(COMPILER_IS_CLANG_CL TRUE) + else() + set(COMPILER_IS_CLANG_CL FALSE) + endif() +else() + set(COMPILER_IS_CLANG FALSE) + set(COMPILER_IS_CLANG_CL FALSE) +endif() + +if(CMAKE_C_COMPILER_ID STREQUAL "GNU") + set(COMPILER_IS_GCC TRUE) +else() + set(COMPILER_IS_GCC FALSE) +endif() + +if(MSVC AND NOT COMPILER_IS_CLANG_CL) + set(COMPILER_IS_MSVC TRUE) +else() + set(COMPILER_IS_MSVC FALSE) +endif() + +# Options +option(3PROXY_BUILD_SHARED "Build shared libraries for plugins" ON) +option(3PROXY_USE_OPENSSL "Enable TLS/SSL support (requires OpenSSL)" ON) +option(3PROXY_USE_PCRE2 "Enable PCRE2 regex filtering" ON) +option(3PROXY_USE_PAM "Enable PAM/PamAuth" ON) +option(3PROXY_USE_ODBC "Enable ODBC support (Unix only, always ON on Windows)" OFF) +option(3PROXY_USE_SPLICE "Use Linux splice() for zero-copy (Linux only)" ON) +option(3PROXY_USE_POLL "Use poll() instead of select() (Unix only)" ON) +option(3PROXY_USE_WSAPOLL "Use WSAPoll instead of select() (Windows only)" ON) +option(3PROXY_USE_NETFILTER "Enable Linux netfilter support (Linux only)" ON) +option(3PROXY_USE_UNIX_SOCKETS "Enable Unix domain socket support (Unix only)" ON) + +if(NOT WIN32 AND NOT APPLE) + option(3PROXY_STATIC_LINK "Statically link libraries using -Wl,-Bstatic (Linux/Unix only)" OFF) +endif() + +# Binary name prefix for standalone modules and crypt (default: 3proxy_) +# For crypt: if prefix is empty, "my" is used instead (→ mycrypt) +set(3PROXY_BINARY_PREFIX "3proxy_" CACHE STRING "Prefix for standalone module and crypt binary names") + +# Standalone module build options (OFF by default) +option(3PROXY_BUILD_ALL "Build all standalone binaries" OFF) +option(3PROXY_BUILD_PROXY "Build standalone proxy binary" OFF) +option(3PROXY_BUILD_SOCKS "Build standalone socks binary" OFF) +option(3PROXY_BUILD_POP3P "Build standalone pop3p binary" OFF) +option(3PROXY_BUILD_SMTPP "Build standalone smtpp binary" OFF) +option(3PROXY_BUILD_FTPPR "Build standalone ftppr binary" OFF) +option(3PROXY_BUILD_TCPPM "Build standalone tcppm binary" OFF) +option(3PROXY_BUILD_UDPPM "Build standalone udppm binary" OFF) +option(3PROXY_BUILD_TLSPR "Build standalone tlspr binary" OFF) + +if(3PROXY_BUILD_ALL) + foreach(_M PROXY SOCKS POP3P SMTPP FTPPR TCPPM UDPPM TLSPR) + set(3PROXY_BUILD_${_M} ON) + endforeach() +endif() + +# Output directory +set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin) + +# Find threads library (cross-platform pthread equivalent) +find_package(Threads REQUIRED) + +# Set default build type if not specified +if(NOT CMAKE_BUILD_TYPE) + set(CMAKE_BUILD_TYPE Release CACHE STRING "Build type" FORCE) +endif() + +# Platform-independent position independent code for shared libraries +set(CMAKE_POSITION_INDEPENDENT_CODE ON) + +# Platform detection and configuration +if(WIN32) + # Windows-specific configuration + add_compile_definitions( + WIN32 + _WIN32 + _MBCS + _CONSOLE + ) + + if(COMPILER_IS_MSVC) + # MSVC-specific settings + add_compile_definitions( + MSVC + ) + # Use static runtime library + set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Debug>") + # MSVC compiler options + add_compile_options( + /W3 # Warning level 3 + /GS # Buffer security check + /GA # Optimize for Windows applications + /GF # Enable string pooling + ) + # Optimization flags per build type + set(CMAKE_C_FLAGS_RELEASE "/O2") + + elseif(COMPILER_IS_CLANG_CL) + # clang-cl (Clang with MSVC frontend) + add_compile_definitions( + MSVC + ) + set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Debug>") + add_compile_options( + -W3 + -fno-strict-aliasing + ) + + elseif(COMPILER_IS_CLANG OR COMPILER_IS_GCC) + # Clang or GCC on Windows (MinGW-like) + add_compile_definitions(WITH_STD_MALLOC) + add_compile_options(-fno-strict-aliasing) + + elseif(WATCOM) + # OpenWatcom-specific flags + add_compile_definitions( + WATCOM + MSVC + NOIPV6 + NODEBUG + NORADIUS + ) + endif() + + # Windows libraries + set(WINDOWS_LIBS ws2_32 advapi32 user32 kernel32 gdi32 crypt32) + + # Windows plugins (always built) + set(DEFAULT_PLUGINS + utf8tocp1251 + WindowsAuthentication + TrafficPlugin + StringsPlugin + FilePlugin + ) + +elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux") + # Linux-specific configuration + add_compile_definitions( + _GNU_SOURCE + GETHOSTBYNAME_R + _THREAD_SAFE + _REENTRANT + ) + + if(COMPILER_IS_CLANG OR COMPILER_IS_GCC) + # Clang/GCC on Linux + add_compile_options(-fno-strict-aliasing) + endif() + + if(3PROXY_USE_SPLICE) + add_compile_definitions(WITHSPLICE) + endif() + + if(3PROXY_USE_NETFILTER) + add_compile_definitions(WITH_NETFILTER) + endif() + + if(3PROXY_USE_UNIX_SOCKETS) + add_compile_definitions(WITH_UN) + endif() + + set(DEFAULT_PLUGINS + StringsPlugin + TrafficPlugin + TransparentPlugin + FilePlugin + ) + +elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD") + # BSD/macOS-specific configuration + if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") + # macOS-specific + add_compile_definitions(_DARWIN_UNLIMITED_SELECT) + endif() + + if(COMPILER_IS_CLANG OR COMPILER_IS_GCC) + add_compile_options(-fno-strict-aliasing) + endif() + + if(3PROXY_USE_UNIX_SOCKETS) + add_compile_definitions(WITH_UN) + endif() + + set(DEFAULT_PLUGINS + StringsPlugin + TrafficPlugin + TransparentPlugin + FilePlugin + ) + +else() + # Generic Unix configuration + if(COMPILER_IS_CLANG OR COMPILER_IS_GCC) + add_compile_options(-fno-strict-aliasing) + endif() + + if(3PROXY_USE_UNIX_SOCKETS) + add_compile_definitions(WITH_UN) + endif() + + set(DEFAULT_PLUGINS + StringsPlugin + TrafficPlugin + TransparentPlugin + FilePlugin + ) +endif() + +# Common definitions +if(WIN32) + # Windows: use WSAPOLL + if(3PROXY_USE_WSAPOLL) + add_compile_definitions(WITH_WSAPOLL) + else() + add_compile_definitions(FD_SETSIZE=4096) + endif() +else() + # Unix: use poll + if(3PROXY_USE_POLL) + add_compile_definitions(WITH_POLL) + else() + add_compile_definitions(FD_SETSIZE=4096) + endif() +endif() + +# Find dependencies + +# OpenSSL +set(OPENSSL_FOUND FALSE) +if(3PROXY_USE_OPENSSL) + find_package(OpenSSL REQUIRED) + if(OpenSSL_FOUND) + set(OPENSSL_FOUND TRUE) + add_compile_definitions(WITH_SSL) + message(STATUS "OpenSSL found: ${OPENSSL_VERSION}") + endif() +else() + message(STATUS "OpenSSL disabled by user request") +endif() + +# PCRE2 +set(PCRE2_FOUND FALSE) +if(3PROXY_USE_PCRE2) + find_package(PCRE2 QUIET) + if(PCRE2_FOUND) + add_compile_definitions(WITH_PCRE) + message(STATUS "PCRE2 found: ${PCRE2_VERSION}") + else() + message(STATUS "PCRE2 not found, PCRE support will not be built") + endif() +endif() + +# PAM (Unix only) +set(PAM_FOUND FALSE) +if(3PROXY_USE_PAM AND NOT WIN32) + find_package(PAM QUIET) + if(PAM_FOUND) + message(STATUS "PAM found") + else() + message(STATUS "PAM not found, PamAuth will not be built") + endif() +endif() + +# ODBC (always enabled on Windows) +set(ODBC_FOUND FALSE) +if(WIN32 OR 3PROXY_USE_ODBC) + find_package(ODBC QUIET) + if(ODBC_FOUND) + message(STATUS "ODBC found") + else() + message(STATUS "ODBC not found, building without ODBC support") + endif() +endif() + +# Define WITH_ODBC when ODBC is available +if(ODBC_FOUND) + add_compile_definitions(WITH_ODBC) +endif() + +# Set NORADIUS if OpenSSL is not available (RADIUS requires MD5 from OpenSSL) +if(NOT OPENSSL_FOUND) + add_compile_definitions(NORADIUS) +endif() + +# Source files for 3proxy core +set(3PROXY_CORE_SOURCES + src/3proxy.c + src/auth.c + src/acl.c + src/limiter.c + src/redirect.c + src/authradius.c + src/hash.c + src/hashtables.c + src/resolve.c + src/sql.c + src/conf.c + src/datatypes.c + src/plugins.c + src/stringtable.c +) + +# BLAKE2 source for 3proxy_crypt +set(MD_SOURCES + src/libs/blake2b-ref.c +) + +# ============================================================================ +# Object libraries for common sources (shared between executables) +# ============================================================================ + +# Common object library (sockmap, sockgetchar, common, log) +add_library(common_obj OBJECT + src/sockmap.c + src/sockgetchar.c + src/common.c + src/log.c +) +target_include_directories(common_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) + +# base64 object library +add_library(base64_obj OBJECT src/base64.c) +target_include_directories(base64_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) + +# ============================================================================ +# Object libraries for 3proxy (compiled WITHOUT WITHMAIN) +# These are used by the main 3proxy executable +# ============================================================================ + +# Server modules object library (without WITHMAIN, without UDP) +add_library(srv_modules OBJECT + src/proxy.c + src/pop3p.c + src/smtpp.c + src/ftppr.c + src/tcppm.c + src/tlspr.c + src/auto.c + src/socks.c + src/webadmin.c + src/dnspr.c +) + +target_include_directories(srv_modules PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/src +) +# UDP port mapper server module (without WITHMAIN) +add_library(srvudppm_obj OBJECT src/udppm.c) +target_include_directories(srvudppm_obj PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/src +) + +# UDP socket relay (used by 3proxy, socks, udppm) +add_library(udpsockmap_obj OBJECT src/udpsockmap.c) +target_include_directories(udpsockmap_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) + +# mainfunc object (proxymain.c compiled with MODULEMAINFUNC=mainfunc for 3proxy) +add_library(mainfunc OBJECT src/proxymain.c) +target_include_directories(mainfunc PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) +target_compile_definitions(mainfunc PRIVATE MODULEMAINFUNC=mainfunc) + +# ftp object (used only by 3proxy and ftppr) +add_library(ftp_obj OBJECT src/ftp.c) +target_include_directories(ftp_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) + +# 3proxy_crypt object for 3proxy (without WITHMAIN) +add_library(3proxy_crypt_obj OBJECT src/3proxy_crypt.c) +target_include_directories(3proxy_crypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src) +if(OpenSSL_FOUND) + target_include_directories(3proxy_crypt_obj PRIVATE ${OPENSSL_INCLUDE_DIR}) +endif() + +# ============================================================================ +# Main 3proxy executable +# Uses srv_* object files (without WITHMAIN) +# ============================================================================ + +add_executable(3proxy + ${3PROXY_CORE_SOURCES} + $ + $ + $ + $ + $ + $ + $ + $ +) +target_sources(3proxy PRIVATE ${MD_SOURCES}) + +if(OpenSSL_FOUND) + target_sources(3proxy PRIVATE src/ssllib.c src/ssl.c) +endif() + +if(PCRE2_FOUND) + target_sources(3proxy PRIVATE src/pcre.c) +endif() + +target_include_directories(3proxy PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/src + ${CMAKE_CURRENT_SOURCE_DIR}/src/libs +) +if(OpenSSL_FOUND) + target_include_directories(3proxy PRIVATE ${OPENSSL_INCLUDE_DIR}) +endif() +if(PCRE2_FOUND) + target_include_directories(3proxy PRIVATE ${PCRE2_INCLUDE_DIRS}) +endif() + +target_link_libraries(3proxy PRIVATE Threads::Threads) + +if(ODBC_FOUND) + if(TARGET ODBC::ODBC) + target_link_libraries(3proxy PRIVATE ODBC::ODBC) + else() + target_link_libraries(3proxy PRIVATE ${ODBC_LIBRARIES}) + endif() +endif() + +# OpenSSL linking +if(OpenSSL_FOUND) + if(3PROXY_STATIC_LINK) + # Will be linked statically below (if static libraries are found) + else() + target_link_libraries(3proxy PRIVATE OpenSSL::SSL OpenSSL::Crypto) + endif() +endif() + +# PCRE2 linking +if(PCRE2_FOUND) + if(3PROXY_STATIC_LINK) + # Will be linked statically below (if static libraries are found) + elseif(TARGET PCRE2::PCRE2) + target_link_libraries(3proxy PRIVATE PCRE2::PCRE2) + else() + target_link_libraries(3proxy PRIVATE ${PCRE2_LIBRARIES}) + endif() +endif() + +# Static linking of OpenSSL and PCRE2 (when option is enabled) +if(3PROXY_STATIC_LINK AND (OpenSSL_FOUND OR PCRE2_FOUND)) + set(_saved_cmake_find_library_suffixes ${CMAKE_FIND_LIBRARY_SUFFIXES}) + set(CMAKE_FIND_LIBRARY_SUFFIXES ".a") + + set(_static_libs "") + + if(OpenSSL_FOUND) + find_library(_ssl_static_lib ssl) + find_library(_crypto_static_lib crypto) + if(_ssl_static_lib AND _crypto_static_lib) + list(APPEND _static_libs ${_ssl_static_lib} ${_crypto_static_lib}) + endif() + endif() + + if(PCRE2_FOUND) + find_library(_pcre2_static_lib NAMES pcre2-8) + if(_pcre2_static_lib) + list(APPEND _static_libs ${_pcre2_static_lib}) + endif() + endif() + + set(CMAKE_FIND_LIBRARY_SUFFIXES ${_saved_cmake_find_library_suffixes}) + + if(_static_libs) + target_link_libraries(3proxy PRIVATE -Wl,-Bstatic ${_static_libs} -Wl,-Bdynamic) + message(STATUS "Static linking enabled for OpenSSL/PCRE2") + else() + message(WARNING "3PROXY_STATIC_LINK is ON but static libraries not found, falling back to dynamic") + if(OpenSSL_FOUND) + target_link_libraries(3proxy PRIVATE OpenSSL::SSL OpenSSL::Crypto) + endif() + if(PCRE2_FOUND) + if(TARGET PCRE2::PCRE2) + target_link_libraries(3proxy PRIVATE PCRE2::PCRE2) + else() + target_link_libraries(3proxy PRIVATE ${PCRE2_LIBRARIES}) + endif() + endif() + endif() +endif() + +if(WIN32) + target_link_libraries(3proxy PRIVATE ${WINDOWS_LIBS}) + if(COMPILER_IS_MSVC AND EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/3proxy.rc) + target_sources(3proxy PRIVATE 3proxy.rc) + endif() +elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux") + target_link_libraries(3proxy PRIVATE dl) +endif() + +# Build 3proxy_crypt utility +add_executable(3proxy_crypt + src/3proxy_crypt.c + $ +) +target_sources(3proxy_crypt PRIVATE ${MD_SOURCES}) +target_compile_definitions(3proxy_crypt PRIVATE WITHMAIN) +target_include_directories(3proxy_crypt PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/src + ${CMAKE_CURRENT_SOURCE_DIR}/src/libs +) +if(OpenSSL_FOUND) + target_include_directories(3proxy_crypt PRIVATE ${OPENSSL_INCLUDE_DIR}) +endif() +target_link_libraries(3proxy_crypt PRIVATE Threads::Threads) +if(OpenSSL_FOUND) + if(3PROXY_STATIC_LINK) + set(_saved_cmake_find_library_suffixes ${CMAKE_FIND_LIBRARY_SUFFIXES}) + set(CMAKE_FIND_LIBRARY_SUFFIXES ".a") + find_library(_ssl_static_lib ssl) + find_library(_crypto_static_lib crypto) + set(CMAKE_FIND_LIBRARY_SUFFIXES ${_saved_cmake_find_library_suffixes}) + if(_ssl_static_lib AND _crypto_static_lib) + target_link_libraries(3proxy_crypt PRIVATE -Wl,-Bstatic ${_ssl_static_lib} ${_crypto_static_lib} -Wl,-Bdynamic) + message(STATUS "3proxy_crypt: static OpenSSL") + else() + message(WARNING "3PROXY_STATIC_LINK is ON but static OpenSSL not found, using dynamic") + target_link_libraries(3proxy_crypt PRIVATE OpenSSL::SSL OpenSSL::Crypto) + endif() + else() + target_link_libraries(3proxy_crypt PRIVATE OpenSSL::SSL OpenSSL::Crypto) + endif() +endif() +if("${3PROXY_BINARY_PREFIX}" STREQUAL "") + set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "mycrypt") +else() + set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "${3PROXY_BINARY_PREFIX}crypt") +endif() + +# Build standalone proxy executables +foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr) + string(TOUPPER "${PROXY_NAME}" _MODULE_OPT) + if(NOT 3PROXY_BUILD_${_MODULE_OPT}) + continue() + endif() + + if(PROXY_NAME STREQUAL "ftppr" OR PROXY_NAME STREQUAL "proxy") + # ftppr and proxy use ftp_obj + add_executable(${PROXY_NAME} + src/${PROXY_NAME}.c + $ + $ + ) + else() + add_executable(${PROXY_NAME} + src/${PROXY_NAME}.c + $ + ) + endif() + + set_target_properties(${PROXY_NAME} PROPERTIES + OUTPUT_NAME "${3PROXY_BINARY_PREFIX}${PROXY_NAME}" + ) + + target_include_directories(${PROXY_NAME} PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/src + ) + + target_compile_definitions(${PROXY_NAME} PRIVATE + WITHMAIN + NOPORTMAP + ) + + if(NOT PROXY_NAME STREQUAL "udppm") + target_compile_definitions(${PROXY_NAME} PRIVATE NOUDPMAIN) + endif() + + target_link_libraries(${PROXY_NAME} PRIVATE Threads::Threads) + + if(PROXY_NAME STREQUAL "proxy") + target_compile_definitions(${PROXY_NAME} PRIVATE ANONYMOUS) + endif() + + if(PROXY_NAME STREQUAL "tcppm" OR PROXY_NAME STREQUAL "udppm" OR PROXY_NAME STREQUAL "tlspr") + target_compile_definitions(${PROXY_NAME} PRIVATE PORTMAP) + endif() + + if(WIN32) + target_link_libraries(${PROXY_NAME} PRIVATE ${WINDOWS_LIBS}) + endif() + + if(PROXY_NAME STREQUAL "proxy" OR PROXY_NAME STREQUAL "smtpp") + target_sources(${PROXY_NAME} PRIVATE $) + endif() + + if(PROXY_NAME STREQUAL "udppm") + target_sources(${PROXY_NAME} PRIVATE src/hash.c) + endif() + + if(PROXY_NAME STREQUAL "socks" OR PROXY_NAME STREQUAL "udppm") + target_sources(${PROXY_NAME} PRIVATE src/udpsockmap.c) + endif() +endforeach() + +# Plugin output directory +set(PLUGIN_OUTPUT_DIR ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}) +if(WIN32) + set(PLUGIN_SUFFIX ".dll") +else() + set(PLUGIN_SUFFIX ".ld.so") +endif() + +# Include plugin definitions +include(cmake/plugins.cmake) + +# Build plugins +foreach(PLUGIN ${DEFAULT_PLUGINS}) + add_subdirectory(src/plugins/${PLUGIN}) +endforeach() + +if(PAM_FOUND) + add_subdirectory(src/plugins/PamAuth) +endif() + +# Build full list of plugins to be built +set(ALL_PLUGINS ${DEFAULT_PLUGINS}) +if(PAM_FOUND) + list(APPEND ALL_PLUGINS PamAuth) +endif() + +# Installation rules +install(TARGETS 3proxy 3proxy_crypt + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} +) + +foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr) + string(TOUPPER "${PROXY_NAME}" _MODULE_OPT) + if(3PROXY_BUILD_${_MODULE_OPT}) + install(TARGETS ${PROXY_NAME} + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} + ) + endif() +endforeach() + +# Install plugins +file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}") +if(WIN32) + install(FILES + ${PLUGINFILES} + DESTINATION ${CMAKE_INSTALL_BINDIR} + ) +else() + install(FILES + ${PLUGINFILES} + DESTINATION ${CMAKE_INSTALL_LIBDIR}/3proxy + ) +endif() + +# Install configuration files +if(NOT WIN32) + install(FILES scripts/3proxy.cfg DESTINATION /etc/3proxy) + install(FILES scripts/add3proxyuser.sh DESTINATION ${CMAKE_INSTALL_BINDIR}) +endif() + +# Install service files (systemd, launchd, init.d, or rc.d) +if(NOT WIN32) + if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") + # macOS - install launchd plist + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/org.3proxy.3proxy.plist.in + ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist + DESTINATION /Library/LaunchDaemons + ) + + message(STATUS " launchd: YES (/Library/LaunchDaemons)") + elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|OpenBSD|NetBSD") + # BSD - install rc.d script + set(RCD_DIR "/usr/local/etc/rc.d") + + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/rc.d/3proxy.in + ${CMAKE_CURRENT_BINARY_DIR}/3proxy.rc + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.rc + DESTINATION ${RCD_DIR} + RENAME 3proxy + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE + ) + + message(STATUS " rc.d: YES (${RCD_DIR})") + elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux") + # Linux - check for systemd + find_package(PkgConfig QUIET) + if(PkgConfig_FOUND) + pkg_check_modules(SYSTEMD QUIET systemd) + endif() + + if(SYSTEMD_FOUND) + # systemd is available - install systemd service + # Get systemd unit directory + pkg_get_variable(SYSTEMD_UNIT_DIR systemd systemdsystemunitdir) + if(NOT SYSTEMD_UNIT_DIR) + # Fallback to common location + set(SYSTEMD_UNIT_DIR "/lib/systemd/system") + endif() + + # Configure and install systemd service file + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/3proxy.service.in + ${CMAKE_CURRENT_BINARY_DIR}/3proxy.service + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.service + DESTINATION ${SYSTEMD_UNIT_DIR} + ) + + # Install tmpfiles.d configuration for runtime directory + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/3proxy.tmpfiles.in + ${CMAKE_CURRENT_BINARY_DIR}/3proxy.conf + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.conf + DESTINATION /usr/lib/tmpfiles.d + ) + + message(STATUS " systemd: YES (${SYSTEMD_UNIT_DIR})") + else() + # No systemd - install init.d script + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in + ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init + DESTINATION /etc/init.d + RENAME 3proxy + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE + ) + + message(STATUS " systemd: NO (using init.d)") + endif() + else() + # Other Unix - install init.d script + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in + ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init + @ONLY + ) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init + DESTINATION /etc/init.d + RENAME 3proxy + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE + ) + + message(STATUS " init.d: YES (/etc/init.d)") + endif() + + # Create proxy user and group during installation + install(FILES scripts/postinstall.sh + DESTINATION ${CMAKE_INSTALL_BINDIR} + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE + ) + install(CODE " + execute_process( + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/postinstall.sh + RESULT_VARIABLE POSTINSTALL_RESULT + ) + ") +endif() + +# Install man pages +if(NOT WIN32) + # Config man page (section 5) — no prefix + file(GLOB MAN5_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.5") + install(FILES ${MAN5_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man5) + # Main 3proxy man page — no prefix + install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy.8" + DESTINATION ${CMAKE_INSTALL_MANDIR}/man8 + ) + # 3proxy_crypt man page — no prefix (already has 3proxy_) + if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8") + install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8" + DESTINATION ${CMAKE_INSTALL_MANDIR}/man8 + ) + endif() + # Module man pages — installed with binary prefix only if module is built + foreach(_MAN proxy socks pop3p smtpp ftppr tcppm udppm tlspr) + string(TOUPPER "${_MAN}" _MODULE_OPT) + if(3PROXY_BUILD_${_MODULE_OPT}) + set(_MAN_SRC "${CMAKE_CURRENT_SOURCE_DIR}/man/${_MAN}.8") + if(EXISTS "${_MAN_SRC}") + install(FILES "${_MAN_SRC}" + DESTINATION ${CMAKE_INSTALL_MANDIR}/man8 + RENAME "${3PROXY_BINARY_PREFIX}${_MAN}.8" + ) + endif() + endif() + endforeach() +endif() + +# Summary +message(STATUS "") +message(STATUS "3proxy configuration summary:") +message(STATUS " Version: ${PROJECT_VERSION}") +message(STATUS " Platform: ${CMAKE_SYSTEM_NAME}") +message(STATUS " Compiler: ${CMAKE_C_COMPILER_ID} ${CMAKE_C_COMPILER_VERSION}") +message(STATUS " Build type: ${CMAKE_BUILD_TYPE}") +message(STATUS "") +message(STATUS " Options:") +message(STATUS " BUILD_SHARED: ${3PROXY_BUILD_SHARED}") +message(STATUS " USE_OPENSSL: ${3PROXY_USE_OPENSSL}") +message(STATUS " USE_PCRE2: ${3PROXY_USE_PCRE2}") +message(STATUS " USE_PAM: ${3PROXY_USE_PAM}") +message(STATUS " USE_ODBC: ${3PROXY_USE_ODBC}") +message(STATUS " USE_POLL: ${3PROXY_USE_POLL}") +if(CMAKE_SYSTEM_NAME STREQUAL "Linux") + message(STATUS " USE_SPLICE: ${3PROXY_USE_SPLICE}") + message(STATUS " USE_NETFILTER: ${3PROXY_USE_NETFILTER}") +endif() +if(NOT WIN32 AND NOT APPLE) + message(STATUS " STATIC_LINK: ${3PROXY_STATIC_LINK}") +endif() +if(WIN32) + message(STATUS " USE_WSAPOLL: ${3PROXY_USE_WSAPOLL}") +endif() +message(STATUS "") +message(STATUS " Libraries found:") +message(STATUS " OpenSSL: ${OPENSSL_FOUND}") +message(STATUS " PCRE2: ${PCRE2_FOUND}") +message(STATUS " PAM: ${PAM_FOUND}") +message(STATUS " ODBC: ${ODBC_FOUND}") +message(STATUS "") +message(STATUS " Plugins to build: ${ALL_PLUGINS}") +message(STATUS "") +message(STATUS " Standalone modules:") +message(STATUS " Binary prefix: \"${3PROXY_BINARY_PREFIX}\"") +foreach(_M proxy socks pop3p smtpp ftppr tcppm udppm tlspr) + string(TOUPPER "${_M}" _MO) + message(STATUS " BUILD_${_MO}: ${3PROXY_BUILD_${_MO}}") +endforeach() +message(STATUS "") diff --git a/Dockerfile.busybox b/Dockerfile.busybox new file mode 100644 index 0000000..1081a29 --- /dev/null +++ b/Dockerfile.busybox @@ -0,0 +1,57 @@ +# 3proxy.full is fully functional 3proxy build based on busybox:glibc +# +# Examples are for podman, for docker change 'podman' to 'docker' +# +#to build: +# podman build -f Dockerfile.busybox -t 3proxy.busybox . +#to run: +# +# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg +# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg +# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.busybox 3proxy.busybox +# +# use "log" without pathname in config to log to stdout. +# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config) +# symlinked as /lib and /lib64 in both root and chroot configurations, so no need +# to specify full path to plugin. SSLPlugin is supported. +# +# Since 0.9.6 image is distroless, no reason to use chroot, chroot +# configuration is supported for compatibility only. + + +FROM docker.io/gcc AS buildenv +COPY . 3proxy +RUN cd 3proxy &&\ + apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\ + make -f Makefile.Linux &&\ + strip bin/3proxy &&\ + strip bin/*so &&\ + mkdir /dist &&\ + mkdir /dist/etc &&\ + mkdir /dist/etc/3proxy &&\ + mkdir /dist/bin &&\ + mkdir /dist/usr &&\ + mkdir /dist/usr/local &&\ + mkdir /dist/usr/local/3proxy &&\ + mkdir /dist/usr/local/3proxy/conf &&\ + mkdir /dist/usr/local/3proxy/libexec &&\ + cp bin/3proxy /dist/bin &&\ + cp bin/*.so /dist/usr/local/3proxy/libexec &&\ + cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg +RUN cd /dist &&\ + ln -s /lib lib64 &&\ + ln -s /lib usr/lib &&\ + ln -s /lib usr/lib64 &&\ + cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec &&\ + ls -lR /dist + +FROM docker.io/busybox:glibc +COPY --from=buildenv /dist / +RUN ln -sf /usr/local/3proxy/libexec/* /lib/ && cd /usr/local/3proxy/ && ln -s libexec lib && ln -s libexec lib64 && mkdir usr && ln -s libexec usr/lib && ln -s libexec usr//lib64 +CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"] diff --git a/Dockerfile.full b/Dockerfile.full index e9f59a3..5fcc2f1 100644 --- a/Dockerfile.full +++ b/Dockerfile.full @@ -1,55 +1,66 @@ -# 3proxy.full is fully functional 3proxy build based on busibox:glibc +# 3proxy.full is fully functional distroless 3proxy build # -#to build: -# docker build -f Dockerfile.full -t 3proxy.full . +# Examples are for podman, for docker change 'podman' to 'docker' +# +#to build: +# podman build -f Dockerfile.full -t 3proxy.full . #to run: -# by default 3proxy uses safe chroot environment with chroot to /usr/local/3proxy with uid/gid 65535/65535 and expects -# configuration file to be placed in /usr/local/etc/3proxy. -# Paths in configuration file must be relative to /usr/local/3proxy, that is use /logs instead of -# /usr/local/3proxy/logs. nserver in chroot is required for DNS resolution. An example: # # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg -# docker run -p 3129:3129 -v /path/to/local/config/directory:/usr/local/3proxy/conf -name 3proxy.full 3proxy.full -# -# /path/to/local/config/directory in this example must conrain 3proxy.cfg -# if you need 3proxy to be executed without chroot with root permissions, replace /etc/3proxy/3proxy.cfg by e.g. mounting config -# dir to /etc/3proxy ot by providing config file /etc/3proxy/3proxy.cfg -# docker run -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full +# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.full 3proxy.full # # use "log" without pathname in config to log to stdout. -# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config). +# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config) +# symlinked as /lib and /lib64 in both root and chroot configurations, so no need +# to specify full path to plugin. SSLPlugin is supported. +# +# Since 0.9.6 image is distroless, no reason to use chroot, chroot +# configuration is supported for compatibility only. -FROM gcc AS buildenv +FROM docker.io/gcc AS buildenv COPY . 3proxy RUN cd 3proxy &&\ - echo "">> Makefile.Linux &&\ - echo PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin SSLPlugin>>Makefile.Linux &&\ - echo LIBS = -l:libcrypto.a -l:libssl.a -ldl >>Makefile.Linux &&\ + apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\ make -f Makefile.Linux &&\ strip bin/3proxy &&\ - strip bin/StringsPlugin.ld.so &&\ - strip bin/TrafficPlugin.ld.so &&\ - strip bin/PCREPlugin.ld.so &&\ - strip bin/TransparentPlugin.ld.so &&\ - strip bin/SSLPlugin.ld.so - -FROM busybox:glibc -COPY --from=buildenv /lib/x86_64-linux-gnu/libdl.so.* /lib/ -COPY --from=buildenv 3proxy/bin/3proxy /bin/ -COPY --from=buildenv 3proxy/bin/*.ld.so /usr/local/3proxy/libexec/ -RUN mkdir /usr/local/3proxy/logs &&\ - mkdir /usr/local/3proxy/conf &&\ - chown -R 65535:65535 /usr/local/3proxy &&\ - chmod -R 550 /usr/local/3proxy &&\ - chmod 750 /usr/local/3proxy/logs &&\ - chmod -R 555 /usr/local/3proxy/libexec &&\ - chown -R root /usr/local/3proxy/libexec &&\ - mkdir /etc/3proxy/ &&\ - echo chroot /usr/local/3proxy 65535 65535 >/etc/3proxy/3proxy.cfg &&\ - echo include /conf/3proxy.cfg >>/etc/3proxy/3proxy.cfg &&\ - chmod 440 /etc/3proxy/3proxy.cfg - + mkdir /dist &&\ + mkdir /dist/etc &&\ + mkdir /dist/etc/3proxy &&\ + mkdir /dist/bin &&\ + mkdir /dist/usr &&\ + mkdir /dist/usr/local &&\ + mkdir /dist/usr/local/3proxy &&\ + mkdir /dist/usr/local/3proxy/libexec &&\ + mkdir /dist/usr/local/3proxy/conf &&\ + cp bin/3proxy /dist/bin &&\ + cp bin/*.so /dist/usr/local/3proxy/libexec &&\ + cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg +RUN cd /dist &&\ + ln -s /usr/local/3proxy/libexec lib64 &&\ + ln -s /usr/local/3proxy/libexec lib &&\ + ln -s /usr/local/3proxy/libexec usr/lib &&\ + ln -s /usr/local/3proxy/libexec usr/lib64 &&\ + ln -s /usr/local/3proxy/libexec /dist/usr/local/3proxy/libexec/`gcc -dumpmachine` &&\ + cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libc.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\ + cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec +RUN cd /dist/usr/local/3proxy/ &&\ + ln -s libexec lib &&\ + ln -s libexec lib64 &&\ + mkdir usr +RUN cd /dist/usr/local/3proxy/usr &&\ + ln -s ../libexec lib &&\ + ln -s ../libexec lib64 &&\ + strip /dist/usr/local/3proxy/libexec/*.so &&\ + ls -lR /dist +FROM scratch +COPY --from=buildenv /dist / CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"] diff --git a/Dockerfile.minimal b/Dockerfile.minimal index 4ea1d50..f3328c7 100644 --- a/Dockerfile.minimal +++ b/Dockerfile.minimal @@ -1,42 +1,38 @@ # dockerfile for "interactive" minimal 3proxy execution, no configuration mounting is required, configuration # is accepted from stdin. Use "end" command to indicate the end of configuration. Use "log" for stdout logging. # -# This is busybox based docker with only 3proxy static executable and empty non-writable "run" directory. +# Examples are for podman. For docker change 'podman' to 'docker'. # -# "plugin" is not supported +# This is busybox based docker with only 3proxy static executable. +# +# Limitations for minimal version: +# no support for plugins, IPv6, RADIUS, system resolver. +# 'nserver' or 'fakeresolve' are mandatory in configuration. # # Build: # -# docker build -f Dockerfile.minimal -t 3proxy.minimal . +# podman build -f Dockerfile.minimal -t 3proxy.minimal . # # Run example: # -# docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal +# podman run --read-only -i -p 3129:3129 --name 3proxy 3proxy.minimal #or -# docker start -i 3proxy -#>Makefile.Linux&&\ - echo LDFLAGS = -fPIE -O2 -fno-strict-aliasing -pthread >>Makefile.Linux&&\ - echo PLUGINS = >>Makefile.Linux&&\ - echo LIBS = >>Makefile.Linux&&\ - echo CFLAGS = -g -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -DNOPLUGINS >>Makefile.Linux&&\ - make -f Makefile.Linux&&\ +FROM docker.io/gcc AS buildenv +COPY . 3proxy +RUN cd 3proxy &&\ + export "LDFLAGS=-static" &&\ + export "CFLAGS=-DNOPLUGINS -DNORADIUS -DNOIPV6 -DNOODBC -DNOCRYPT -DNOSTDRESOLVE" &&\ + make -f Makefile.Linux PLUGINS= LIBS= &&\ strip bin/3proxy - -FROM busybox:glibc -COPY --from=buildenv /3proxy/bin/3proxy /bin/3proxy -RUN mkdir /run && chmod 555 /run +FROM scratch +COPY --from=buildenv 3proxy/bin/3proxy /bin/3proxy CMD ["/bin/3proxy"] diff --git a/Makefile.FreeBSD b/Makefile.FreeBSD index 182165b..034286e 100644 --- a/Makefile.FreeBSD +++ b/Makefile.FreeBSD @@ -1,25 +1,27 @@ # # 3 proxy Makefile for GCC/Unix # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC +# add -DWITH_ODBC to CFLAGS and -lodbc to LDFLAGS to compile with ODBC # library support. Add -DSAFESQL for poorely written ODBC library / drivers. BUILDDIR = ../bin/ -CC ?= gcc +PREFIX ?= 3proxy_ +CRYPT_PREFIX ?= $(PREFIX) +MANDIR ?= /usr/share/man +CC ?= cc -CFLAGS = -c -O -fno-strict-aliasing -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL +CFLAGS ?= -O3 -flto +CFLAGS += -c -fno-strict-aliasing -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN COUT = -o LN ?= ${CC} -LDFLAGS = -pthread -O -fno-strict-aliasing -# -lpthreads may be reuqired on some platforms instead of -pthreads +LDFLAGS ?= -flto +LDFLAGS += -pthread -fno-strict-aliasing +# -lpthreads may be reuiured on some platforms instead of -pthreads # -ldl or -lld may be required for some platforms -DCFLAGS = -fPIC -DLFLAGS = -shared +DCFLAGS ?= -fPIC +DLFLAGS ?= -shared DLSUFFICS = .so -LIBS = +LIBS ?= LIBSPREFIX = -l LIBSSUFFIX = LNOUT = -o @@ -32,27 +34,54 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak TYPECOMMAND = cat COMPATLIBS = MAKEFILE = Makefile.FreeBSD -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin PamAuth TransparentPlugin +PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin +ifeq ($(STATIC), true) + STATIC_PREFIX = -Wl,-Bstatic + STATIC_SUFFIX = -Wl,-Bdynamic + ZLIB = -lz +endif +OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o $(STATIC_PREFIX) -lcrypto -lssl $(ZLIB) $(STATIC_SUFFIX) 2>/dev/null && rm testssl testssl.o && echo true||echo false) +ifeq ($(OPENSSL_CHECK), true) + LIBS += $(STATIC_PREFIX) -l crypto -l ssl $(ZLIB) $(STATIC_SUFFIX) + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +endif +PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) +ifeq ($(PCRE_CHECK), true) + CFLAGS += -DWITH_PCRE + PCRE_OBJS = pcre$(OBJSUFFICS) + PCRE_LIBS = $(STATIC_PREFIX) -lpcre2-8 $(STATIC_SUFFIX) +endif +PAM_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false) +ifeq ($(PAM_CHECK), true) + PLUGINS += PamAuth +endif include Makefile.inc install: all - if [ ! -d /usr/local/3proxy/bin ]; then mkdir -p /usr/local/3proxy/bin/; fi + if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi install bin/3proxy /usr/local/3proxy/bin/3proxy - install bin/mycrypt /usr/local/3proxy/bin/mycrypt + install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt + for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \ + if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \ + done + install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy install scripts/add3proxyuser.sh /usr/local/3proxy/bin/ - if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then - echo /usr/local/3proxy/3proxy.cfg already exists - else - install scripts/3proxy.cfg /usr/local/etc/3proxy/ - if [ ! -d /var/log/3proxy/ ]; then - mkdir /var/log/3proxy/ - fi + if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi + if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi touch /usr/local/3proxy/passwd touch /usr/local/3proxy/counters touch /usr/local/3proxy/bandlimiters + install -d $(MANDIR)/man8 + install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8 + for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \ + if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \ + done + install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8 + install -d $(MANDIR)/man5 + install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5 echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user - fi allplugins: @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done diff --git a/Makefile.Linux b/Makefile.Linux index 4f3f2b3..f4d6cd0 100644 --- a/Makefile.Linux +++ b/Makefile.Linux @@ -1,21 +1,22 @@ # # 3 proxy Makefile for GCC/Linux/Cygwin # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC +# add -DWITH_ODBC to CFLAGS and -lodbc to LIBS to compile with ODBC # library support. Add -DSAFESQL for poorely written ODBC library / drivers. BUILDDIR = ../bin/ -CC = gcc +PREFIX ?= 3proxy_ +CRYPT_PREFIX ?= $(PREFIX) +CC ?= gcc -CFLAGS = -g -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER +CFLAGS ?= -O3 -flto +CFLAGS += -fPIC -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -D WITH_UN COUT = -o -LN = $(CC) -DCFLAGS = -LDFLAGS = -fPIE -O2 -fno-strict-aliasing -pthread -DLFLAGS = -shared +LN ?= ${CC} +DCFLAGS ?= +LDFLAGS ?= -flto +LDFLAGS += -fPIC -O3 -fno-strict-aliasing -pthread +DLFLAGS ?= -shared DLSUFFICS = .ld.so # -lpthreads may be reuqired on some platforms instead of -pthreads LIBSPREFIX = -l @@ -33,10 +34,31 @@ MAKEFILE = Makefile.Linux # PamAuth requires libpam, you may require pam-devel package to be installed # SSLPlugin requires -lcrypto -lssl #LIBS = -lcrypto -lssl -ldl -LIBS = -ldl +LIBS ?= -ldl #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin +PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin +ifeq ($(STATIC), true) + STATIC_PREFIX = -Wl,-Bstatic + STATIC_SUFFIX = -Wl,-Bdynamic + ZLIB = -lz +endif +OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o $(STATIC_PREFIX) -lcrypto -lssl $(ZLIB) $(STATIC_SUFFIX) 2>/dev/null && rm testssl testssl.o && echo true||echo false) +ifeq ($(OPENSSL_CHECK), true) + LIBS += $(STATIC_PREFIX) -lcrypto -lssl $(ZLIB) $(STATIC_SUFFIX) + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +endif +PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) $(STATIC_PREFIX) -lpcre2-8 $(STATIC_SUFFIX) 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) +ifeq ($(PCRE_CHECK), true) + CFLAGS += -DWITH_PCRE + PCRE_OBJS = pcre$(OBJSUFFICS) + PCRE_LIBS = $(STATIC_PREFIX) -lpcre2-8 $(STATIC_SUFFIX) +endif +PAM_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false) +ifeq ($(PAM_CHECK), true) + PLUGINS += PamAuth +endif include Makefile.inc allplugins: @@ -52,18 +74,20 @@ INSTALL = /usr/bin/install INSTALL_BIN = $(INSTALL) -m 755 INSTALL_DATA = $(INSTALL) -m 644 INSTALL_OBJS = bin/3proxy \ - bin/ftppr \ - bin/mycrypt \ - bin/pop3p \ - bin/proxy \ - bin/socks \ - bin/tcppm \ - bin/udppm + bin/$(CRYPT_PREFIX)crypt \ + bin/$(PREFIX)ftppr \ + bin/$(PREFIX)pop3p \ + bin/$(PREFIX)proxy \ + bin/$(PREFIX)smtpp \ + bin/$(PREFIX)socks \ + bin/$(PREFIX)tcppm \ + bin/$(PREFIX)tlspr \ + bin/$(PREFIX)udppm INSTALL_CFG = scripts/3proxy.cfg.chroot -INSTALL_CFG_OBJS = scripts/3proxy.cfg \ - scripts/add3proxyuser.sh +INSTALL_CFG_INCHROOT = scripts/3proxy.cfg.inchroot +INSTALL_CFG_OBJS = scripts/add3proxyuser.sh INSTALL_CFG_OBJS2 = counters bandlimiters @@ -72,8 +96,7 @@ INSTALL_SYSTEMD_SCRIPT = scripts/3proxy.service CHROOTDIR = $(DESTDIR)$(chroot_prefix)/3proxy CHROOTREL = ../..$(chroot_prefix)/3proxy -MANDIR1 = $(DESTDIR)$(man_prefix)/man/man1 -MANDIR3 = $(DESTDIR)$(man_prefix)/man/man3 +MANDIR5 = $(DESTDIR)$(man_prefix)/man/man5 MANDIR8 = $(DESTDIR)$(man_prefix)/man/man8 BINDIR = $(DESTDIR)$(exec_prefix)/bin ETCDIR = $(DESTDIR)/etc/3proxy @@ -89,7 +112,6 @@ install-bin: $(INSTALL_BIN) -d $(BINDIR) $(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR) $(INSTALL_BIN) -s bin/*.ld.so $(CHROOTDIR)/libexec - chmod -R a-w $(CHROOTDIR)/libexec install-etc-dir: $(INSTALL_BIN) -d $(ETCDIR) @@ -102,11 +124,12 @@ install-chroot-dir: $(INSTALL_BIN) -d $(CHROOTDIR)/libexec chmod -R o-rwx $(CHROOTDIR) -install-etc-default-config: +install-etc-default-config: install-chroot-dir if [ ! -d $(INSTALL_CFG_DEST) ]; then \ ln -s $(CHROOTREL)/conf $(INSTALL_CFG_DEST); \ $(INSTALL_BIN) $(INSTALL_CFG) $(ETCDIR)/3proxy.cfg; \ $(INSTALL_BIN) $(INSTALL_CFG_OBJS) $(INSTALL_CFG_DEST); \ + $(INSTALL_BIN) $(INSTALL_CFG_INCHROOT) $(INSTALL_CFG_DEST)/3proxy.cfg; \ fi install-etc: install-etc-dir install-etc-default-config @@ -116,10 +139,14 @@ install-etc: install-etc-dir install-etc-default-config done; install-man: - $(INSTALL_BIN) -d $(MANDIR3) + $(INSTALL_BIN) -d $(MANDIR5) $(INSTALL_BIN) -d $(MANDIR8) - $(INSTALL_DATA) man/*.3 $(MANDIR3) - $(INSTALL_DATA) man/*.8 $(MANDIR8) + $(INSTALL_DATA) man/3proxy.cfg.5 $(MANDIR5) + $(INSTALL_DATA) man/3proxy.8 $(MANDIR8) + for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \ + if [ -f man/$$f.8 ]; then $(INSTALL_DATA) man/$$f.8 $(MANDIR8)/$(PREFIX)$$f.8; fi; \ + done + $(INSTALL_DATA) man/3proxy_crypt.8 $(MANDIR8) install-init: $(INSTALL_BIN) -d $(INITDDIR) @@ -138,6 +165,6 @@ install-log: install: install-chroot-dir install-bin install-etc install-log install-man install-run install-init @if [ "$(DESTDIR)" = "" ]; then \ - sh scripts/debian/preinst; \ - sh scripts/debian/postinst; \ + sh debian/preinst; \ + sh debian/postinst; \ fi diff --git a/Makefile.Solaris b/Makefile.Solaris index e1d9212..1b73953 100644 --- a/Makefile.Solaris +++ b/Makefile.Solaris @@ -1,15 +1,13 @@ # # 3 proxy Makefile for Solaris/SunCC # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries # -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC +# add -DWITH_ODBC to CFLAGS and -lodbc to LDFLAGS to compile with ODBC # library support. Add -DSAFESQL for poorely written ODBC library / drivers. BUILDDIR = ../bin/ -CC = cc -CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL +CC ?= cc +CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DFD_SETSIZE=4096 -DWITH_POLL COUT = -o ./ LN = $(CC) LDFLAGS = -xO3 @@ -29,7 +27,20 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak TYPECOMMAND = cat COMPATLIBS = MAKEFILE = Makefile.Solaris -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin +PLUGINS = StringsPlugin TrafficPlugin TransparentPlugin FilePlugin + +OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false) +ifeq ($(OPENSSL_CHECK), true) + LIBS += -l crypto -l ssl + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +endif +PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -Wl,-Bstatic -lpcre2-8 -Wl,-Bdynamic 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) +ifeq ($(PCRE_CHECK), true) + CFLAGS += -DWITH_PCRE + PCRE_OBJS = pcre$(OBJSUFFICS) + PCRE_LIBS = -Wl,-Bstatic -lpcre2-8 -Wl,-Bdynamic +endif include Makefile.inc diff --git a/Makefile.Solaris-gcc b/Makefile.Solaris-gcc deleted file mode 100644 index 890ab1b..0000000 --- a/Makefile.Solaris-gcc +++ /dev/null @@ -1,38 +0,0 @@ -# -# 3 proxy Makefile for Solaris/gcc -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC -# library support. Add -DSAFESQL for poorely written ODBC library / drivers. - - -BUILDDIR = ../bin/ -CC = gcc -CFLAGS = -O2 -fno-strict-aliasing -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -COUT = -o ./ -LN = $(CC) -LDFLAGS = -O3 -DCFLAGS = -fPIC -DLFLAGS = -shared -DLSUFFICS = .ld.so -LIBS = -lpthread -lsocket -lnsl -lresolv -ldl -LIBSPREFIX = -l -LIBSSUFFIX = -LNOUT = -o ./ -EXESUFFICS = -OBJSUFFICS = .o -DEFINEOPTION = -D -COMPFILES = *~ -REMOVECOMMAND = rm -f -AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true -TYPECOMMAND = cat -COMPATLIBS = -MAKEFILE = Makefile.Solaris-gcc -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin - -include Makefile.inc - -allplugins: - @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done diff --git a/Makefile.am b/Makefile.am deleted file mode 100644 index c13ae0f..0000000 --- a/Makefile.am +++ /dev/null @@ -1,2 +0,0 @@ -SUBDIRS = src man -EXTRA_DIST = doc cfg diff --git a/Makefile.debug b/Makefile.debug deleted file mode 100644 index f9aabc5..0000000 --- a/Makefile.debug +++ /dev/null @@ -1,26 +0,0 @@ -# -# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake) -# -# You can try to add /D "WITH_STD_MALLOC" to CFLAGS to use standard malloc -# libraries - -BUILDDIR = ../bin/ -CC = cl -CFLAGS = /FD /MDd /nologo /W3 /ZI /Wp64 /GS /Gs /RTCsu /EHs- /GA /GF /DEBUG /D "WITH_STD_MALLOC" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /c -COUT = /Fo -LN = link -LDFLAGS = /nologo /subsystem:console /machine:I386 /DEBUG -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib -LNOUT = /out: -EXESUFFICS = .exe -OBJSUFFICS = .obj -DEFINEOPTION = /D -COMPFILES = *.pch *.idb -REMOVECOMMAND = del 2>NUL >NUL -TYPECOMMAND = type -COMPATLIBS = -MAKEFILE = Makefile.debug - -include Makefile.inc - -allplugins: \ No newline at end of file diff --git a/Makefile.intl b/Makefile.intl deleted file mode 100644 index 56ab7d9..0000000 --- a/Makefile.intl +++ /dev/null @@ -1,33 +0,0 @@ -# -# 3 proxy Makefile for Intel C compiler for Windows (for both make and nmake) -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver - - -BUILDDIR = ../bin/ -CC = icl -CFLAGS = /nologo /MD /W3 /G6 /GX /O2 /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /YX /FD /c -COUT = /Fo -LN = xilink -LDFLAGS = /nologo /subsystem:console /incremental:no /machine:I386 -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib -DLFLAGS = /DLL -DLSUFFICS = .dll -LNOUT = /out: -EXESUFFICS = .exe -OBJSUFFICS = .obj -DEFINEOPTION = /D -COMPFILES = *.pch *.idb -REMOVECOMMAND = del 2>NUL -TYPECOMMAND = type -COMPATLIBS = -MAKEFILE = Makefile.intl -PLUGINS = WindowsAuthentication TrafficPlugin PCREPlugin - -include Makefile.inc - -allplugins: - for /D %%i in ($(PLUGINS)) do (copy Makefile Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..) diff --git a/Makefile.llvm b/Makefile.llvm deleted file mode 100644 index 00a3df4..0000000 --- a/Makefile.llvm +++ /dev/null @@ -1,37 +0,0 @@ -# -# 3 proxy Makefile for GCC/windows -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC -# library support - - -BUILDDIR = ../bin/ -CC = clang -CFLAGS = -O2 -fno-strict-aliasing -c -pthread -static -DWITH_STD_MALLOC -DNOIPV6 -COUT = -o -LN = $(CC) -LDFLAGS = -O2 -fno-strict-aliasing -static -s -DLFLAGS = -shared -DLSUFFICS = .dll -LIBS = -lws2_32 -lodbc32 -ladvapi32 -LIBSPREFIX = -l -LIBSSUFFIX = -LNOUT = -o -EXESUFFICS = .exe -OBJSUFFICS = .o -DEFINEOPTION = -D -COMPFILES = *.tmp -REMOVECOMMAND = rm -f -AFTERCLEAN = find src/ -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete -TYPECOMMAND = cat -COMPATLIBS = -MAKEFILE = Makefile.win -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin - -include Makefile.inc - -allplugins: - for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.o &&cd ..\..) diff --git a/Makefile.msvc b/Makefile.msvc index 7fedec3..aad015b 100644 --- a/Makefile.msvc +++ b/Makefile.msvc @@ -1,38 +1,38 @@ # # 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake) # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries # +# ODBC support is enabled by default on Windows (/D WITH_ODBC, odbc32.lib) # Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver BUILDDIR = ../bin/ CC = cl -CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "WITH_SSL" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE) +VERSION = $(VERSION) +BUILDDATE = $(BUILDDATE) +CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "WITH_SSL" /D "WITH_PCRE" /D "WITH_ODBC" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c $(BUILDDATE) $(VERSION) COUT = /Fo LN = link -LDFLAGS = /nologo /subsystem:console /incremental:no /machine:I386 +LDFLAGS = /nologo /subsystem:console /incremental:no DLFLAGS = /DLL DLSUFFICS = .dll -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libcrypto_static.lib libssl_static.lib -LIBSOLD = libeay32MT.lib ssleay32MT.lib -LIBSPREFIX = +LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib Crypt32.lib libcrypto.lib libssl.lib pcre2-8.lib +LIBSPREFIX = LIBSSUFFIX = .lib -LIBEXT = .lib +LIBEXT = .lib LNOUT = /out: EXESUFFICS = .exe OBJSUFFICS = .obj -DEFINEOPTION = /D +DEFINEOPTION = /D COMPFILES = *.pch *.idb REMOVECOMMAND = del TYPECOMMAND = type COMPATLIBS = MAKEFILE = Makefile.msvc -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin +PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin +SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +PCRE_OBJS = pcre$(OBJSUFFICS) VERFILE = 3proxy.res $(VERFILE) -VERSION = $(VERSION) VERSIONDEP = 3proxy.res $(VERSIONDEP) -BUILDDATE = $(BUILDDATE) AFTERCLEAN = if exist src\*.res (del src\*.res) && if exist src\*.err (del src\*.err) include Makefile.inc diff --git a/Makefile.msvc64 b/Makefile.msvc64 deleted file mode 100644 index 1d0ed0e..0000000 --- a/Makefile.msvc64 +++ /dev/null @@ -1,46 +0,0 @@ -# -# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake) -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver - -BUILDDIR = ../bin64/ -CC = cl -CFLAGS = /nologo /MT /W3 /Ox /EHs- /GS /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_SSL" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE) -COUT = /Fo -LN = link -LDFLAGS = /nologo /subsystem:console /incremental:no /machine:x64 -DLFLAGS = /DLL -DLSUFFICS = .dll -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libcrypto_static.lib libssl_static.lib -LIBSOLD = libeay32.lib ssleay32.lib -LIBSPREFIX = -LIBSSUFFIX = .lib -LIBEXT = .lib -LNOUT = /out: -EXESUFFICS = .exe -OBJSUFFICS = .obj -DEFINEOPTION = /D -COMPFILES = *.pch *.idb -REMOVECOMMAND = del 2>NUL >NUL -TYPECOMMAND = type -COMPATLIBS = -VERFILE = 3proxy.res $(VERFILE) -VERSIONDEP = 3proxy.res $(VERSIONDEP) -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin -AFTERCLEAN = del src\*.res - -include Makefile.inc - -3proxy.res: - rc 3proxy.rc - -3proxyres.obj: ../3proxy.res - cvtres /out:3proxyres.obj /machine:x64 ../3proxy.res - - -allplugins: - for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..) - diff --git a/Makefile.msvcARM64 b/Makefile.msvcARM64 deleted file mode 100644 index 43c559f..0000000 --- a/Makefile.msvcARM64 +++ /dev/null @@ -1,48 +0,0 @@ -# -# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake) -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver - -BUILDDIR = ../bin64/ -CC = cl -CFLAGS = /nologo /MT /W3 /Ox /EHs- /GS /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_WSAPOLL" /D "WITH_SSL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE) -COUT = /Fo -LN = link -LDFLAGS = /nologo /subsystem:console /incremental:no /machine:arm64 -DLFLAGS = /DLL -DLSUFFICS = .dll -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libcrypto_static.lib libssl_static.lib -LIBSOLD = -LIBSPREFIX = -LIBSSUFFIX = .lib -LIBEXT = .lib -LNOUT = /out: -EXESUFFICS = .exe -OBJSUFFICS = .obj -DEFINEOPTION = /D -COMPFILES = *.pch *.idb -REMOVECOMMAND = del 2>NUL >NUL -TYPECOMMAND = type -COMPATLIBS = -MAKEFILE = Makefile.msvcARM64 -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin -VERFILE = 3proxy.res $(VERFILE) -VERSIONDEP = 3proxy.res $(VERSIONDEP) -AFTERCLEAN = del src\*.res - - -include Makefile.inc - -3proxy.res: - rc 3proxy.rc - -3proxyres.obj: ../3proxy.res - cvtres /out:3proxyres.obj /machine:x64 ../3proxy.res - - -allplugins: - for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..) - diff --git a/Makefile.msvcCE b/Makefile.msvcCE deleted file mode 100644 index bbff3fa..0000000 --- a/Makefile.msvcCE +++ /dev/null @@ -1,35 +0,0 @@ -# -# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake) -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver - -BUILDDIR = ../bin/ -CC = cl -CFLAGS = /DARM /D "NOODBC" /nologo /MT /W3 /Wp64 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "_WINCE" /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c -COUT = /Fo -LN = link -LDFLAGS = /nologo /subsystem:console /incremental:no -DLFLAGS = /DLL -DLSUFFICS = .dll -LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib -LIBEXT = .lib -LNOUT = /out: -EXESUFFICS = .exe -OBJSUFFICS = .obj -DEFINEOPTION = /D -COMPFILES = *.pch *.idb -REMOVECOMMAND = del 2>NUL >NUL -TYPECOMMAND = type -COMPATLIBS = -MAKEFILE = Makefile.msvc -PLUGINS = WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin - - -include Makefile.inc - -allplugins: - for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..) - \ No newline at end of file diff --git a/Makefile.openwrt-mips b/Makefile.openwrt-mips deleted file mode 100644 index 33856f1..0000000 --- a/Makefile.openwrt-mips +++ /dev/null @@ -1,102 +0,0 @@ -# -# 3 proxy Makefile for GCC/Linux/Cygwin -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC -# library support. Add -DSAFESQL for poorely written ODBC library / drivers. - -BUILDDIR = ../bin/ -CC = mips-openwrt-linux-gcc - -CFLAGS = -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -COUT = -o -LN = $(CC) -DCFLAGS = -fPIC -LDFLAGS = -O2 -fno-strict-aliasing -pthread -s -DLFLAGS = -shared -DLSUFFICS = .ld.so -# -lpthreads may be reuqired on some platforms instead of -pthreads -LIBSPREFIX = -l -LIBSSUFFIX = -LNOUT = -o -EXESUFFICS = -OBJSUFFICS = .o -DEFINEOPTION = -D -COMPFILES = *~ -REMOVECOMMAND = rm -f -AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true -TYPECOMMAND = cat -COMPATLIBS = -MAKEFILE = Makefile.openwrt-mips -# PamAuth requires libpam, you may require pam-devel package to be installed -# SSLPlugin requires -lcrypto -lssl -#LIBS = -lcrypto -lssl -ldl -LIBS = -ldl -#PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin - -include Makefile.inc - -allplugins: - @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done - -DESTDIR = -prefix = /usr/local -exec_prefix = $(prefix) -man_prefix = $(prefix)/share - -INSTALL = /usr/bin/install -INSTALL_BIN = $(INSTALL) -m 755 -INSTALL_DATA = $(INSTALL) -m 644 -INSTALL_OBJS = src/3proxy \ - src/ftppr \ - src/mycrypt \ - src/pop3p \ - src/proxy \ - src/socks \ - src/tcppm \ - src/udppm - - -INSTALL_CFG_OBJS = scripts/3proxy.cfg \ - scripts/add3proxyuser.sh -INSTALL_CFG_DEST = config - -INSTALL_CFG_OBJS2 = passwd counters bandlimiters - -MANDIR1 = $(DESTDIR)$(man_prefix)/man/man1 -MANDIR3 = $(DESTDIR)$(man_prefix)/man/man3 -MANDIR8 = $(DESTDIR)$(man_prefix)/man/man8 -BINDIR = $(DESTDIR)$(exec_prefix)/bin -ETCDIR = $(DESTDIR)$(prefix)/etc/3proxy - -install-bin: - $(INSTALL_BIN) -d $(BINDIR) - $(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR) - -install-etc-dir: - $(INSTALL_BIN) -d $(ETCDIR) - -install-etc-default-config: - if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \ - : ; \ - else \ - $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \ - fi - -install-etc: install-etc-dir - for file in $(INSTALL_CFG_OBJS2); \ - do \ - touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \ - done; - -install-man: - $(INSTALL_BIN) -d $(MANDIR3) - $(INSTALL_BIN) -d $(MANDIR8) - $(INSTALL_DATA) man/*.3 $(MANDIR3) - $(INSTALL_DATA) man/*.8 $(MANDIR8) - -install: install-bin install-etc install-man - diff --git a/Makefile.unix b/Makefile.unix index 7bf21de..0cdf976 100644 --- a/Makefile.unix +++ b/Makefile.unix @@ -1,28 +1,31 @@ # # 3 proxy Makefile for GCC/Unix # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries # -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC +# add -DWITH_ODBC to CFLAGS and -lodbc to LDFLAGS to compile with ODBC # library support. Add -DSAFESQL for poorely written ODBC library / drivers. BUILDDIR = ../bin/ -CC = gcc +PREFIX ?= 3proxy_ +CRYPT_PREFIX ?= $(PREFIX) +MANDIR ?= /usr/share/man +CC ?= gcc # you may need -L/usr/pkg/lib for older NetBSD versions -CFLAGS = -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL +CFLAGS ?= -O3 -flto +CFLAGS += -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN COUT = -o -LN = $(CC) -LDFLAGS = -O2 -fno-strict-aliasing -pthread +LN ?= $(CC) +LDFLAGS ?= -flto +LDFLAGS += -pthread -fno-strict-aliasing # -lpthreads may be reuqired on some platforms instead of -pthreads # -ldl or -lld may be required for some platforms -DCFLAGS = -fPIC -DLFLAGS = -shared -DLSUFFICS = .ld.so -LIBS = -LIBSPREFIX = -l -LIBSSUFFIX = +DCFLAGS ?= -fPIC +DLFLAGS ?= -shared +DLSUFFICS ?= .ld.so +LIBS ?= +LIBSPREFIX ?= -l +LIBSSUFFIX ?= LNOUT = -o EXESUFFICS = OBJSUFFICS = .o @@ -33,28 +36,54 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak TYPECOMMAND = cat COMPATLIBS = MAKEFILE = Makefile.unix -PLUGINS = StringsPlugin TrafficPlugin PCREPlugin PamAuth TransparentPlugin +PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin +ifeq ($(STATIC), true) + STATIC_PREFIX = -Wl,-Bstatic + STATIC_SUFFIX = -Wl,-Bdynamic + ZLIB = -lz +endif +OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o $(STATIC_PREFIX) -lcrypto -lssl $(ZLIB) $(STATIC_SUFFIX) 2>/dev/null && rm testssl testssl.o && echo true||echo false) +ifeq ($(OPENSSL_CHECK), true) + LIBS += $(STATIC_PREFIX) -lcrypto -lssl $(ZLIB) $(STATIC_SUFFIX) + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +endif +PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) $(STATIC_PREFIX) -lpcre2-8 $(STATIC_SUFFIX) 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) +ifeq ($(PCRE_CHECK), true) + CFLAGS += -DWITH_PCRE + PCRE_OBJS = pcre$(OBJSUFFICS) + PCRE_LIBS = $(STATIC_PREFIX) -lpcre2-8 $(STATIC_SUFFIX) +endif +PAM_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false) +ifeq ($(PAM_CHECK), true) + PLUGINS += PamAuth +endif include Makefile.inc install: all - if [ ! -d /usr/local/etc/3proxy/bin ]; then mkdir -p /usr/local/etc/3proxy/bin/; fi - install bin/3proxy /usr/local/etc/3proxy/bin/3proxy - install bin/mycrypt /usr/local/etc/3proxy/bin/mycrypt - install scripts/rc.d/proxy.sh /usr/local/etc/rc.d/proxy.sh - install scripts/add3proxyuser.sh /usr/local/etc/3proxy/bin/ - if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then - echo /usr/local/etc/3proxy/3proxy.cfg already exists - else - install scripts/3proxy.cfg /usr/local/etc/3proxy/ - if [ ! -d /var/log/3proxy/ ]; then - mkdir /var/log/3proxy/ - fi - touch /usr/local/etc/3proxy/passwd - touch /usr/local/etc/3proxy/counters - touch /usr/local/etc/3proxy/bandlimiters - echo Run /usr/local/etc/3proxy/bin/add3proxyuser.sh to add \'admin\' user - fi + if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi + install bin/3proxy /usr/local/3proxy/bin/3proxy + install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt + for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \ + if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \ + done + install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy + install scripts/add3proxyuser.sh /usr/local/3proxy/bin/ + if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi + if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi + touch /usr/local/3proxy/passwd + touch /usr/local/3proxy/counters + touch /usr/local/3proxy/bandlimiters + install -d $(MANDIR)/man8 + install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8 + for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \ + if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \ + done + install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8 + install -d $(MANDIR)/man5 + install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5 + echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user allplugins: @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done diff --git a/Makefile.unix-install b/Makefile.unix-install deleted file mode 100644 index d9c8fe0..0000000 --- a/Makefile.unix-install +++ /dev/null @@ -1,59 +0,0 @@ -DESTDIR = -prefix = /usr/local -exec_prefix = $(prefix) -man_prefix = $(prefix)/share - -INSTALL = /usr/bin/install -INSTALL_BIN = $(INSTALL) -m 755 -INSTALL_DATA = $(INSTALL) -m 644 -INSTALL_OBJS = bin/3proxy \ - bin/ftppr \ - bin/mycrypt \ - bin/pop3p \ - bin/proxy \ - bin/socks \ - bin/tcppm \ - bin/udppm \ - scripts/add3proxyuser.sh - -INSTALL_CFG_OBJS = scripts/3proxy.cfg -INSTALL_CFG_DEST = config - -INSTALL_CFG_OBJS2 = passwd counters bandlimiters - -MANDIR1 = $(DESTDIR)$(man_prefix)/man/man1 -MANDIR3 = $(DESTDIR)$(man_prefix)/man/man3 -MANDIR8 = $(DESTDIR)$(man_prefix)/man/man8 -BINDIR = $(DESTDIR)$(exec_prefix)/bin -ETCDIR = $(DESTDIR)$(prefix)/etc/3proxy - -install-bin: - $(INSTALL_BIN) -d $(BINDIR) - $(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR) - -install-etc-dir: - $(INSTALL_BIN) -d $(ETCDIR) - -install-etc-default-config: - if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \ - : ; \ - else \ - $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \ - fi - -install-etc: install-etc-dir - for file in $(INSTALL_CFG_OBJS2); \ - do \ - touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \ - done; - -install-man: - $(INSTALL_BIN) -d $(MANDIR1) - $(INSTALL_BIN) -d $(MANDIR3) - $(INSTALL_BIN) -d $(MANDIR8) - $(INSTALL_DATA) man/*.1 $(MANDIR1) - $(INSTALL_DATA) man/*.3 $(MANDIR3) - $(INSTALL_DATA) man/*.8 $(MANDIR8) - -install: install-bin install-etc install-man - diff --git a/Makefile.watcom b/Makefile.watcom index 4eab735..1a6cb62 100644 --- a/Makefile.watcom +++ b/Makefile.watcom @@ -1,14 +1,12 @@ # # 3 proxy Makefile for Open Watcom 2 # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries # # Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver BUILDDIR = ../bin/ CC = cl -CFLAGS = /nologo /Ox /MT /D "NOIPV6" /D "NODEBUG" /D "NOODBC" /D "NORADIUS" /D"WATCOM" /D "MSVC" /D "WITH_STD_MALLOC" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /c $(VERSION) $(BUILDDATE) +CFLAGS = /nologo /Ox /MT /D "NOIPV6" /D "NODEBUG" /D "NORADIUS" /D"WATCOM" /D "MSVC" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRId64=\"I64d\"" /D "PRIu64=\"I64u\"" /D "SCNu64=\"I64u\"" /D "SCNx64=\"I64x\"" /D "SCNd64=\"I64d\"" /D "PRIx64=\"I64x\"" /c $(VERSION) $(BUILDDATE) COUT = /Fo LN = link LDFLAGS = /nologo /subsystem:console /incremental:no @@ -28,7 +26,9 @@ REMOVECOMMAND = del 2>NUL >NUL TYPECOMMAND = type COMPATLIBS = MAKEFILE = Makefile.watcom -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin +PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin +SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +PCRE_OBJS = pcre$(OBJSUFFICS) VERFILE = $(VERFILE) VERSION = $(VERSION) VERSIONDEP = 3proxy.res $(VERSIONDEP) @@ -64,9 +64,3 @@ allplugins: nmake del *.obj *.idb cd ../../ - copy Makefile plugins\PCREPlugin - copy Makefile.var plugins\PCREPlugin - cd plugins\PCREPlugin - nmake - del *.obj *.idb - cd ../../ diff --git a/Makefile.win b/Makefile.win index 261833b..46e2938 100644 --- a/Makefile.win +++ b/Makefile.win @@ -1,24 +1,23 @@ # # 3 proxy Makefile for GCC/windows # -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries # -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC -# library support +# ODBC support is enabled by default on Windows (-DWITH_ODBC, -lodbc32) BUILDDIR = ../bin/ -CC = gcc -CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOIPV6 -DNORADIUS +CC ?= gcc +CFLAGS ?= -O3 -flto -fno-strict-aliasing +CFLAGS += -c -mthreads -DWITH_WSAPOLL -DWITH_ODBC COUT = -o -LN = gcc -LDFLAGS = -O2 -s -mthreads -DLFLAGS = -shared +LN ?= $(CC) +LDFLAGS ?= -flto -fno-strict-aliasing +LDFLAGS += -mthreads +DLFLAGS ?= -shared DLSUFFICS = .dll -LIBS = -lws2_32 -lodbc32 -ladvapi32 +LIBS += -lws2_32 -lodbc32 -ladvapi32 -luser32 LIBSPREFIX = -l -LIBSSUFFIX = +LIBSSUFFIX = LNOUT = -o EXESUFFICS = .exe OBJSUFFICS = .o @@ -28,9 +27,37 @@ REMOVECOMMAND = rm -f TYPECOMMAND = cat COMPATLIBS = MAKEFILE = Makefile.win -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin +PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin +VERFILE := 3proxyres.o $(VERFILE) +VERSION := $(VERSION) +VERSIONDEP := 3proxyres.o $(VERSIONDEP) +BUILDDATE := $(BUILDDATE) +AFTERCLEAN = (find . -type f -name "*.o" -delete && find . -type f -name "*.res" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true + +ifndef OPENSSL_CHECK +OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d '\\\\' | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false) +ifeq ($(OPENSSL_CHECK), true) + LIBS += -l crypto -l ssl + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) +endif +PAM_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d '\\\\' | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false) +ifeq ($(PAM_CHECK), true) + PLUGINS += PamAuth +endif +PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n#include \\n int main(){return 0;}" | tr -d '\\\\' | cc -x c $(CFLAGS) $(LDFLAGS) -lpcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false) +ifeq ($(PCRE_CHECK), true) + CFLAGS += -DWITH_PCRE + PCRE_OBJS = pcre$(OBJSUFFICS) + PCRE_LIBS = -lpcre2-8 +endif +endif include Makefile.inc +3proxyres.o: + windres 3proxy.rc -o 3proxyres.o + allplugins: - @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; rm *.o ; cd ../.. ; done + @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done + diff --git a/Makefile.winCE b/Makefile.winCE deleted file mode 100644 index 865a2ec..0000000 --- a/Makefile.winCE +++ /dev/null @@ -1,34 +0,0 @@ -# -# 3 proxy Makefile for GCC/windows -# -# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc -# libraries -# -# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC -# library support - - -BUILDDIR = ../bin/ -CC = /opt/cegcc/arm-wince-cegcc/bin/gcc -CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOODBC -D_WINCE -D_WIN32 -DNORADIUS -D__USE_W32_SOCKETS -COUT = -o -LN = /opt/cegcc/arm-wince-cegcc/bin/gcc -LDFLAGS = -O2 -s -mthreads -DLFLAGS = -shared -DLSUFFICS = .dll -LIBS = -lws2 -LNOUT = -o -EXESUFFICS = .exe -OBJSUFFICS = .o -DEFINEOPTION = -D -COMPFILES = *.tmp -REMOVECOMMAND = rm -f -TYPECOMMAND = more -COMPATLIBS = -MAKEFILE = Makefile.winCE -PLUGINS = TrafficPlugin StringsPlugin PCREPlugin - -include Makefile.inc - -allplugins: - @list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; rm *.o ; cd ../.. ; done diff --git a/README b/README deleted file mode 100644 index 29df0d7..0000000 --- a/README +++ /dev/null @@ -1,217 +0,0 @@ -# 3APA3A 3proxy tiny proxy server -(c) 2002-2020 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.ru> - - -Branches: -Master (stable) branch - 3proxy 0.9 -Devel branch - 3proxy 10 - - -Download: - Binaries for released (master) versions (Windows, Linux): - https://github.com/z3APA3A/3proxy/releases - Binaries for devel version (Windows, Linux): - https://3proxy.org/download/devel/ - Docker images: - https://hub.docker.com/repository/docker/3proxy/3proxy -Archive of old versions: https://github.com/z3APA3A/3proxy-archive - - -Windows installation: - -3proxy --install - - installs and starts proxy as Windows service - (config file should be located in the same directory) - -3proxy --remove - - removes the service (should be stopped before via - 'net stop 3proxy'). - -To build in Linux install git and build-essential packages, use - -git clone https://github.com/z3apa3a/3proxy -cd 3proxy -ln -s Makefile.Linux Makefile -make -sudo make install - -Default configuration (for Linux/Unix): -3proxy uses 2 configuration files: -/etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified. -/usr/local/3proxy/conf/3proxy.cfg symlinked from /etc/3proxy/conf/3proxy.cfg (after-chroot) is a main configuration file. Modify this file, if required. -All paths in /usr/local/3proxy/conf/3proxy.cfg are relative to chroot directory (/usr/local/3proxy). For future versions it's planned to move -3proxy chroot direcory to /var. -Log files are created in /usr/local/3proxy/logs symlinked from /var/log/3proxy. -By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default. - -use /etc/3proxy/conf/add3proxyuser.sh script to add users. - -usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth] - day_limit - traffic limit in MB per day - bandwidth - bandwith in bits per second 1048576 = 1Mbps - -or modify /etc/3proxy/conf/ files directly. - -Please read doc/html/index.html and man pages. - - Features: - 1. General - + IPv6 support for incoming and outgoing connection, - can be used as a proxy between IPv4 and IPv6 networks - in either direction. - + HTTP/1.1 Proxy with keep-alive client and server support, - transparent proxy support. - + HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY) - + Anonymous and random client IP emulation for HTTP proxy mode - + FTP over HTTP support. - + DNS caching with built-in resolver - + DNS proxy - + DNS over TCP support, redirecting DNS traffic via parent - proxy - + SOCKSv4/4.5 Proxy - + SOCKSv5 Proxy - + SOCKSv5 UDP and BIND support (fully compatible with - SocksCAP/FreeCAP for UDP) - + Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP - + POP3 Proxy - + FTP proxy - + TCP port mapper (port forwarding) - + UDP port mapper (port forwarding) - + SMTP proxy - + Threaded application (no child process). - + Web administration and statistics - + Plugins for functionality extension - + Native 32/64 bit application - 2. Proxy chaining and network connections - + Can be used as a bridge between client and different proxy type - (e.g. convert incoming HTTP proxy request from client to SOCKSv5 - request to parent server). - + Connect back proxy support to bypass firewalls - + Parent proxy support for any type of incoming connection - + Username/password authentication for parent proxy(s). - + HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support - + Random parent selection - + Chain building (multihop proxing) - + Load balancing between few network connections by choosing network - interface - 3. Logging - + tuneable log format compatible with any log parser - + stdout logging - + file logging - + syslog logging (Unix) - + ODBC logging - + RADIUS accounting - + log file rotation - + automatic log file processing with external archiver (for files) - + Character filtering for log files - + different log files for different servces are supported - 4. Access control - + ACL-driven Access control by username, source IP, - destination IP/hostname, destination port and destination action - (POST, PUT, GET, etc), weekday and daytime. - + ACL-driven (user/source/destination/protocol/weekday/daytime or - combined) bandwith limitation for incoming and (!)outgoing trafic. - + ACL-driven traffic limitation per day, week or month for incoming and - outgoing traffic - + Connection limitation and ratelimting - + User authentication by username / password - + RADIUS Authentication and Authorization - + User authentication by DNS hostname - + Authentication cache with possibility to limit user to single IP address - + Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP - + Cleartext or encrypted (crypt/MD5 or NT) passwords. - + Connection redirection - + Access control by requested action (CONNECT/BIND, - HTTP GET/POST/PUT/HEAD/OTHER). - + All access control entries now support weekday and time limitations - + Hostnames and * templates are supported instead of IP address - 5. Extensions - + Regular expression filtering (with PCRE) via PCREPlugin - + Authentication with Windows username/password (cleartext only) - + SSL/TLS decryptions with certificate spoofing - + Transparent redirection support for Linux and *BSD - 6. Configuration - + support for configuration files - + support for includes in configuration files - + interface binding - + socket options - + running as daemon process - + utility for automated networks list building - + configuration reload on any file change - Unix - + support for chroot - + support for setgid - + support for setuid - + support for signals (SIGUSR1 to reload configuration) - Windows - + support --install as service - + support --remove as service - + support for service START, STOP, PAUSE and CONTINUE commands (on - PAUSE no new connection accepted, but active connections still in - progress, on CONTINUE configuration is reloaded) - Windows 95/98/ME - + support --install as service - + support --remove as service - 6. Compilation - + MSVC (static) - + OpenWatcom (static) - + Intel Windows Compiler (msvcrt.dll) - + Windows/gcc (msvcrt.dll) - + Cygwin/gcc (cygwin.dll) - + Unix/gcc - + Unix/ccc - + Solaris - + Mac OS X, iPhone OS - + Linux and derivered systems - + Lite version for Windows 95/98/NT/2000/XP/2003 - + 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above - -3proxy Combined proxy server may be used as - executable or service (supports installation and removal). - It uses config file to read it's configuration (see - 3proxy.cfg.sample for details). - 3proxy.exe is all-in-one, it doesn't require all others .exe - to work. - See 3proxy.cfg.sample for examples, see man 3proxy.cfg - -proxy HTTP proxy server, binds to port 3128 -ftppr FTP proxy server, binds to port 21 -socks SOCKS 4/5 proxy server, binds to port 1080 -ftppr FTP proxy server, please do not mess it with FTP over HTTP - proxy used in browsers -pop3p POP3 proxy server, binds to port 110. You must specify - POP3 username as username@target.host.ip[:port] - port is 110 by default. - Exmple: in Username configuration for you e-mail reader - set someuser@pop.example.org, to obtains mail for someuser - from pop.somehost.ru via proxy. -smtpp SMTP proxy server, binds to port 25. You must specify - SMTP username as username@target.host.ip[:port] - port is 25 by default. - Exmple: in Username configuration for you e-mail reader - set someuser@mail.example.org, to send mail as someuser - via mail.somehost.ru via proxy. -tcppm TCP port mapping. Maps some TCP port on local machine to - TCP port on remote host. -udppm UDP port mapping. Maps some UDP port on local machine to - UDP port on remote machine. Only one user simulationeously - can use UDP mapping, so it cann't be used for public service - in large networks. It's OK to use it to map to DNS server - in small network or to map Counter-Strike server for single - client (you can use few mappings on different ports for - different clients in last case). -mycrypt Program to obtain crypted password fro cleartext. Supports - both MD5/crypt and NT password. - mycrypt password - produces NT password - mycrypt salt password - produces MD5/crypt password with salt "salt". - - -Run utility with --help option for command line reference. - -Latest version is available from https://3proxy.org/ - -Want to donate the project? https://3proxy.org/donations/ \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..f1a613f --- /dev/null +++ b/README.md @@ -0,0 +1,303 @@ +# 3APA3A 3proxy tiny proxy server + +(c) 2002-2026 by Vladimir '3APA3A' Dubrovin + +## Branches + +- **Master** (stable) branch - 3proxy 0.9 +- **Devel** branch - 3proxy 10 (don't use it) + +## Download + +Binaries and sources for released (master) versions (Windows, Linux): +https://github.com/z3APA3A/3proxy/releases + +Docker images: +https://hub.docker.com/r/3proxy/3proxy + +Archive of old versions: +https://github.com/z3APA3A/3proxy-archive + +## Documentation + +Documentation (man pages and HTML) available with download, on https://3proxy.org/ and in github wiki https://github.com/3proxy/3proxy/wiki + +## Windows Installation + +Install and start proxy as Windows service: + +```bash +3proxy [path_to_config_file] --install +``` + +Config file should be located in the same directory or may be optionally specified. + +Remove the service (should be stopped before via `net stop 3proxy`): + +```bash +3proxy --remove +``` + +## Building on Linux + +### With Makefile + +```bash +git clone https://github.com/z3apa3a/3proxy +cd 3proxy +ln -s Makefile.Linux Makefile +make +sudo make install +``` + +### Default Configuration (Linux/Unix) + +3proxy uses 2 configuration files: +- `/etc/3proxy/3proxy.cfg` (before-chroot) - This configuration file is executed before chroot and should not be modified. +- `/usr/local/3proxy/conf/3proxy.cfg` symlinked from `/etc/3proxy/conf/3proxy.cfg` (after-chroot) - Main configuration file. Modify this file if required. + +All paths in `/usr/local/3proxy/conf/3proxy.cfg` are relative to chroot directory (`/usr/local/3proxy`). For future versions it's planned to move 3proxy chroot directory to `/var`. + +Log files are created in `/usr/local/3proxy/logs` symlinked from `/var/log/3proxy`. + +By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default. + +### Adding Users + +Use `/etc/3proxy/conf/add3proxyuser.sh` script to add users: + +```bash +/etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth] +``` + +Parameters: +- `day_limit` - traffic limit in MB per day +- `bandwidth` - bandwidth in bits per second (1048576 = 1Mbps) + +Or modify `/etc/3proxy/conf/` files directly. + +### With CMake + +```bash +git clone https://github.com/z3apa3a/3proxy +cd 3proxy +mkdir build && cd build +cmake .. +cmake --build . +sudo cmake --install . +``` + +CMake does not use chroot configuration, config file is `/etc/3proxy/3proxy.cfg` + +## MacOS X / FreeBSD / *BSD + +### With Makefile + +```bash +git clone https://github.com/z3apa3a/3proxy +cd 3proxy +ln -s Makefile.FreeBSD Makefile +make +``` + +Binaries are in `bin/` directory. + +### With CMake (recommended) + +```bash +git clone https://github.com/z3apa3a/3proxy +cd 3proxy +mkdir build && cd build +cmake .. +cmake --build . +sudo cmake --install . +``` + +This installs: +- Binaries to `/usr/local/bin/` +- Configuration to `/etc/3proxy/` +- Plugins to `/usr/local/lib/3proxy/` +- rc scripts to `rc.d` for BSD +- launchd plist to `/Library/LaunchDaemons/` for MacOS + +### Service Management on macOS + +```bash +# Load and start service +sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist + +# Stop service +sudo launchctl stop org.3proxy.3proxy + +# Start service +sudo launchctl start org.3proxy.3proxy + +# Unload and disable service +sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist +``` + +## Features + +### 1. General + +- IPv4 / IPv6 support for incoming and outgoing connection, can be used as a proxy between IPv4 and IPv6 networks in either direction +- Unix domain sockets support +- HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support +- HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY) +- Anonymous and random client IP emulation for HTTP proxy mode +- FTP over HTTP support +- DNS caching with built-in resolver +- DNS proxy +- DNS over TCP support, redirecting DNS traffic via parent proxy +- SOCKSv4/4.5 Proxy +- SOCKSv5 Proxy +- SOCKSv5 UDP and BIND support (fully compatible with SocksCAP/FreeCAP for UDP) +- Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP +- SNI proxy (based on TLS hostname) +- TLS (SSL) server and client, 3proxy may be used as https:// type proxy or stunnel replacement +- POP3 Proxy +- FTP proxy +- TCP port mapper (port forwarding) +- UDP port mapper (port forwarding) +- SMTP proxy +- Threaded application (no child process) +- Web administration and statistics +- Plugins for functionality extension +- Native 32/64 bit application + +### 2. Proxy Chaining and Network Connections + +- Can be used as a bridge between client and different proxy type (e.g. convert incoming HTTP proxy request from client to SOCKSv5 request to parent server) +- Connect back proxy support to bypass firewalls +- Parent proxy support for any type of incoming connection +- Username/password authentication for parent proxy(s) +- HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support +- Random parent selection +- Chain building (multihop proxing) +- Load balancing between few network connections by choosing network interface + +### 3. Logging + +- Tuneable log format compatible with any log parser +- stdout logging +- File logging +- Syslog logging (Unix) +- ODBC logging +- RADIUS accounting +- Log file rotation +- Automatic log file processing with external archiver (for files) +- Character filtering for log files +- Different log files for different services are supported + +### 4. Access Control + +- ACL-driven Access control by username, source IP, destination IP/hostname, destination port and destination action (POST, PUT, GET, etc), weekday and daytime +- ACL-driven (user/source/destination/protocol/weekday/daytime or combined) bandwidth limitation for incoming and (!)outgoing traffic +- ACL-driven traffic limitation per day, week or month for incoming and outgoing traffic +- Connection limitation and ratelimiting +- User authentication by username / password +- RADIUS Authentication and Authorization +- User authentication by DNS hostname +- Authentication cache with possibility to limit user to single IP address +- Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP +- Cleartext or encrypted passwords +- Connection redirection +- Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER) +- All access control entries now support weekday and time limitations +- Hostnames and * templates are supported instead of IP address + +### 5. Extensions + +- Regular expression filtering (with PCRE2) via PCREPlugin +- Authentication with Windows username/password (cleartext only) +- SSL/TLS decryptions with certificate spoofing +- Transparent redirection support for Linux and *BSD + +### 6. Configuration + +- Support for configuration files +- Support for includes in configuration files +- Interface binding +- Socket options +- Running as daemon process +- Utility for automated networks list building +- Configuration reload on any file change + +**Unix:** +- Support for chroot +- Support for setgid +- Support for setuid +- Support for signals (SIGUSR1 to reload configuration) + +**Windows:** +- Support `--install` as service +- Support `--remove` as service +- Support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress, on CONTINUE configuration is reloaded) + +**Windows 95/98/ME:** +- Support `--install` as service +- Support `--remove` as service + +### 7. Compilation + +- MSVC (static) +- OpenWatcom (static) +- Intel Windows Compiler (msvcrt.dll) +- Windows/gcc (msvcrt.dll) +- Cygwin/gcc (cygwin.dll) +- Unix/gcc +- Unix/ccc +- Solaris +- Mac OS X, iPhone OS +- Linux and derived systems +- Lite version for Windows 95/98/NT/2000/XP/2003 +- 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above + +## Executables + +### 3proxy +Combined proxy server may be used as executable or service (supports installation and removal). It uses config file to read its configuration (see `3proxy.cfg.sample` for details). `3proxy.exe` is all-in-one, it doesn't require all others .exe to work. See `3proxy.cfg.sample` for examples, see `man 3proxy.cfg` + +### proxy +HTTP proxy server, binds to port 3128 + +### ftppr +FTP proxy server, binds to port 21. Please do not mess it with FTP over HTTP proxy used in browsers + +### socks +SOCKS 4/5 proxy server, binds to port 1080 + +### pop3p +POP3 proxy server, binds to port 110. You must specify POP3 username as `username@popserver[:port]` (port is 110 by default). + +Example: in Username configuration for your e-mail reader set `someuser@pop.somehost.ru`, to obtain mail for someuser from pop.somehost.ru via proxy. + +### smtpp +SMTP proxy server, binds to port 25. You must specify SMTP username as `username@smtpserver[:port]` (port is 25 by default). + +Example: in Username configuration for your e-mail reader set `someuser@mail.somehost.ru`, to send mail as someuser via mail.somehost.ru via proxy. + +### tcppm +TCP port mapping. Maps some TCP port on local machine to TCP port on remote host. + +### tlspr +TLS proxy (SNI proxy) - sniffs hostname from TLS handshake + +### udppm +UDP port mapping. Maps some UDP port on local machine to UDP port on remote machine. Only one user simultaneously can use UDP mapping, so it can't be used for public service in large networks. It's OK to use it to map to DNS server in small network or to map Counter-Strike server for single client (you can use few mappings on different ports for different clients in last case). + +### 3proxy_crypt +Program to obtain crypted password for cleartext. Supports both salted and NT password. + +```bash +3proxy_crypt password # produces NT password +3proxy_crypt salt password # produces password hash with salt "salt" +``` + +--- + +Run utility with `--help` option for command line reference. + +Latest version is available from https://3proxy.org/ + +Want to donate the project? https://3proxy.org/donations/ diff --git a/RELEASE b/RELEASE index b3ec163..9cf0386 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.9.3 \ No newline at end of file +0.9.6 \ No newline at end of file diff --git a/authors b/authors index fb31660..4990c37 100644 --- a/authors +++ b/authors @@ -1 +1 @@ -(c) 2002-2019 by Vladimir '3APA3A' Dubrovin \ No newline at end of file +(c) 2002-2025 by Vladimir '3APA3A' Dubrovin \ No newline at end of file diff --git a/cfg/3proxy.cfg.sample b/cfg/3proxy.cfg.sample index f077a0b..3c84987 100644 --- a/cfg/3proxy.cfg.sample +++ b/cfg/3proxy.cfg.sample @@ -2,7 +2,7 @@ # Yes, 3proxy.cfg can be executable, in this case you should place # something like #config /usr/local/3proxy/3proxy.cfg -# to show which configuration 3proxy should re-read on realod. +# to show which configuration 3proxy should re-read on reload. #system "echo Hello world!" # you may use system to execute some external command if proxy starts @@ -24,7 +24,7 @@ timeouts 1 5 30 60 180 1800 15 60 # Here we can change timeout values users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1" -# note that "" required, overvise $... is treated as include file name. +# note that "" required, otherwise $... is treated as include file name. # $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format. #users $/usr/local/etc/3proxy/passwd # this example shows you how to include passwd file. For included files @@ -39,7 +39,7 @@ service #log /var/log/3proxy/log D log c:\3proxy\logs\3proxy.log D -# log allows to specify log file location and rotation, D means logfile +# log allows you to specify log file location and rotation, D means logfile # is created daily #logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" @@ -60,7 +60,7 @@ log c:\3proxy\logs\3proxy.log D # #Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited): # -#"- + L%C %U unnknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -" +#"- + L%C %U unknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -" # #Compatible with HTTPD standard log (Apache and others) # @@ -90,7 +90,7 @@ auth iponly # auth specifies type of user authentication. If you specify none proxy # will not do anything to check name of the user. If you specify # nbname proxy will send NetBIOS name request packet to UDP/137 of -# client and parse request for NetBIOS name of messanger service. +# client and parse request for NetBIOS name of messenger service. # Strong means that proxy will check password. For strong authentication # unknown user will not be allowed to use proxy regardless of ACL. # If you do not want username to be checked but wanna ACL to work you should @@ -102,7 +102,7 @@ auth iponly #parent 1000 http 192.168.1.2 80 * * * 80 #allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535 # we will allow everything if username matches ADMINISTRATOR or root or -# client ip is 127.0.0.1 or 192.168.1.1. Overwise we will redirect any request +# client ip is 127.0.0.1 or 192.168.1.1. Otherwise we will redirect any request # to port 80 to our Web-server 192.168.0.2. # We will allow any outgoing connections from network 192.168.1.0/24 to # SMTP, POP3, FTP, DNS and unprivileged ports. @@ -124,7 +124,7 @@ internal 192.168.1.1 # have open proxy in your network in this case. auth none -# no authentication is requires +# no authentication is required dnspr @@ -134,17 +134,9 @@ dnspr #external $./external.ip #internal $./internal.ip -# this is just an alternative form fo giving external and internal address +# this is just an alternative form for giving external and internal address # allows you to read this addresses from files -auth strong -# We want to protect internal interface -deny * * 127.0.0.1,192.168.1.1 -# and llow HTTP and HTTPS traffic. -allow * * * 80-88,8080-8088 HTTP -allow * * * 443,8443 HTTPS -proxy -n - auth none # pop3p will be used without any authentication. It's bad choice # because it's possible to use pop3p to access any port @@ -157,26 +149,16 @@ tcppm 25 mail.my.provider 25 # Now we can use our proxy as SMTP and DNS server. # -s switch for UDP means "single packet" service - instead of setting # association for period of time association will only be set for 1 packet. -# It's very userfull for services like DNS but not for some massive services +# It's very useful for services like DNS but not for some massive services # like multimedia streams or online games. -auth strong -flush -allow 3APA3A,test -maxconn 20 -socks -# for socks we will use password authentication and different access control - -# we flush previously configured ACL list and create new one to allow users -# test and 3APA3A to connect from any location - - auth strong flush internal 127.0.0.1 allow 3APA3A 127.0.0.1 maxconn 3 admin -#only allow acces to admin interface for user 3APA3A from 127.0.0.1 address +#only allow access to admin interface for user 3APA3A from 127.0.0.1 address #via 127.0.0.1 address. # map external 80 and 443 ports to internal Web server @@ -196,6 +178,24 @@ admin #chroot /usr/local/jail #setgid 65535 #setuid 65535 -# now we needn't any root rights. We can chroot and setgid/setuid. +# now we no longer need root rights. We can chroot and setgid/setuid. + + +auth strong +flush +# We want to protect internal interface +deny * * 127.0.0.1,192.168.1.1 +# and allow HTTP and HTTPS traffic. +allow * * * 80-88,8080-8088 HTTP +allow * * * 443,8443 HTTPS +proxy -n + +flush +allow 3APA3A,test +maxconn 20 +socks +# for socks we will use password authentication and different access control - +# we flush previously configured ACL list and create new one to allow users +# test and 3APA3A to connect from any location diff --git a/cmake/FindODBC.cmake b/cmake/FindODBC.cmake new file mode 100644 index 0000000..822339a --- /dev/null +++ b/cmake/FindODBC.cmake @@ -0,0 +1,63 @@ +# FindODBC.cmake +# +# Find the ODBC library +# +# This module defines: +# ODBC_FOUND - whether the ODBC library was found +# ODBC_INCLUDE_DIRS - the ODBC include directories +# ODBC_LIBRARIES - the ODBC libraries + +# Try pkg-config first +find_package(PkgConfig QUIET) +if(PkgConfig_FOUND) + pkg_check_modules(PC_ODBC QUIET odbc) +endif() + +# Find include directory +find_path(ODBC_INCLUDE_DIR + NAMES sql.h + HINTS + ${PC_ODBC_INCLUDE_DIRS} + /usr/include + /usr/local/include +) + +# Find library +if(WIN32) + # On Windows, ODBC is typically available as odbc32 + find_library(ODBC_LIBRARY + NAMES odbc32 + HINTS + ${PC_ODBC_LIBRARY_DIRS} + ) +else() + # On Unix, look for odbc + find_library(ODBC_LIBRARY + NAMES odbc iodbc + HINTS + ${PC_ODBC_LIBRARY_DIRS} + /usr/lib + /usr/local/lib + /usr/lib/x86_64-linux-gnu + ) +endif() + +include(FindPackageHandleStandardArgs) +find_package_handle_standard_args(ODBC + REQUIRED_VARS ODBC_LIBRARY ODBC_INCLUDE_DIR +) + +if(ODBC_FOUND) + set(ODBC_LIBRARIES ${ODBC_LIBRARY}) + set(ODBC_INCLUDE_DIRS ${ODBC_INCLUDE_DIR}) + + if(NOT TARGET ODBC::ODBC) + add_library(ODBC::ODBC UNKNOWN IMPORTED) + set_target_properties(ODBC::ODBC PROPERTIES + IMPORTED_LOCATION "${ODBC_LIBRARY}" + INTERFACE_INCLUDE_DIRECTORIES "${ODBC_INCLUDE_DIR}" + ) + endif() +endif() + +mark_as_advanced(ODBC_INCLUDE_DIR ODBC_LIBRARY) diff --git a/cmake/FindPAM.cmake b/cmake/FindPAM.cmake new file mode 100644 index 0000000..59cd8d4 --- /dev/null +++ b/cmake/FindPAM.cmake @@ -0,0 +1,45 @@ +# FindPAM.cmake +# +# Find the PAM library +# +# This module defines: +# PAM_FOUND - whether the PAM library was found +# PAM_INCLUDE_DIRS - the PAM include directories +# PAM_LIBRARIES - the PAM libraries + +# Find include directory +find_path(PAM_INCLUDE_DIR + NAMES security/pam_appl.h pam/pam_appl.h + HINTS + /usr/include + /usr/local/include +) + +# Find library +find_library(PAM_LIBRARY + NAMES pam + HINTS + /usr/lib + /usr/local/lib + /usr/lib/x86_64-linux-gnu +) + +include(FindPackageHandleStandardArgs) +find_package_handle_standard_args(PAM + REQUIRED_VARS PAM_LIBRARY PAM_INCLUDE_DIR +) + +if(PAM_FOUND) + set(PAM_LIBRARIES ${PAM_LIBRARY}) + set(PAM_INCLUDE_DIRS ${PAM_INCLUDE_DIR}) + + if(NOT TARGET PAM::PAM) + add_library(PAM::PAM UNKNOWN IMPORTED) + set_target_properties(PAM::PAM PROPERTIES + IMPORTED_LOCATION "${PAM_LIBRARY}" + INTERFACE_INCLUDE_DIRECTORIES "${PAM_INCLUDE_DIR}" + ) + endif() +endif() + +mark_as_advanced(PAM_INCLUDE_DIR PAM_LIBRARY) diff --git a/cmake/FindPCRE2.cmake b/cmake/FindPCRE2.cmake new file mode 100644 index 0000000..008636e --- /dev/null +++ b/cmake/FindPCRE2.cmake @@ -0,0 +1,69 @@ +# FindPCRE2.cmake +# +# Find the PCRE2 library +# +# This module defines: +# PCRE2_FOUND - whether the PCRE2 library was found +# PCRE2_INCLUDE_DIRS - the PCRE2 include directories +# PCRE2_LIBRARIES - the PCRE2 libraries +# PCRE2_VERSION - the PCRE2 version + +# Try pkg-config first +find_package(PkgConfig QUIET) +if(PkgConfig_FOUND) + pkg_check_modules(PC_PCRE2 QUIET libpcre2-8) +endif() + +# Find include directory +find_path(PCRE2_INCLUDE_DIR + NAMES pcre2.h + HINTS + ${PC_PCRE2_INCLUDE_DIRS} + /usr/include + /usr/local/include + PATH_SUFFIXES + pcre2 +) + +# Find library +find_library(PCRE2_LIBRARY + NAMES pcre2-8 pcre2-8d pcre2 + HINTS + ${PC_PCRE2_LIBRARY_DIRS} + /usr/lib + /usr/local/lib +) + +# Extract version from header +if(PCRE2_INCLUDE_DIR AND EXISTS "${PCRE2_INCLUDE_DIR}/pcre2.h") + file(STRINGS "${PCRE2_INCLUDE_DIR}/pcre2.h" PCRE2_VERSION_MAJOR_LINE + REGEX "^#define[ \t]+PCRE2_MAJOR[ \t]+[0-9]+") + file(STRINGS "${PCRE2_INCLUDE_DIR}/pcre2.h" PCRE2_VERSION_MINOR_LINE + REGEX "^#define[ \t]+PCRE2_MINOR[ \t]+[0-9]+") + string(REGEX REPLACE "^#define[ \t]+PCRE2_MAJOR[ \t]+([0-9]+)" "\\1" + PCRE2_VERSION_MAJOR "${PCRE2_VERSION_MAJOR_LINE}") + string(REGEX REPLACE "^#define[ \t]+PCRE2_MINOR[ \t]+([0-9]+)" "\\1" + PCRE2_VERSION_MINOR "${PCRE2_VERSION_MINOR_LINE}") + set(PCRE2_VERSION "${PCRE2_VERSION_MAJOR}.${PCRE2_VERSION_MINOR}") +endif() + +include(FindPackageHandleStandardArgs) +find_package_handle_standard_args(PCRE2 + REQUIRED_VARS PCRE2_LIBRARY PCRE2_INCLUDE_DIR + VERSION_VAR PCRE2_VERSION +) + +if(PCRE2_FOUND) + set(PCRE2_LIBRARIES ${PCRE2_LIBRARY}) + set(PCRE2_INCLUDE_DIRS ${PCRE2_INCLUDE_DIR}) + + if(NOT TARGET PCRE2::PCRE2) + add_library(PCRE2::PCRE2 UNKNOWN IMPORTED) + set_target_properties(PCRE2::PCRE2 PROPERTIES + IMPORTED_LOCATION "${PCRE2_LIBRARY}" + INTERFACE_INCLUDE_DIRECTORIES "${PCRE2_INCLUDE_DIR}" + ) + endif() +endif() + +mark_as_advanced(PCRE2_INCLUDE_DIR PCRE2_LIBRARY) diff --git a/cmake/plugins.cmake b/cmake/plugins.cmake new file mode 100644 index 0000000..10b7447 --- /dev/null +++ b/cmake/plugins.cmake @@ -0,0 +1,52 @@ +# +# 3proxy plugin definitions +# +# This file defines functions for building plugins +# + +# Function to add a plugin with dependencies +function(add_3proxy_plugin PLUGIN_NAME) + set(options "") + set(oneValueArgs "") + set(multiValueArgs SOURCES LIBRARIES INCLUDE_DIRS COMPILE_DEFINITIONS LINK_OPTIONS) + + cmake_parse_arguments(PLUGIN "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}) + + if(WIN32) + set(PLUGIN_SUFFIX ".dll") + else() + set(PLUGIN_SUFFIX ".ld.so") + endif() + + add_library(${PLUGIN_NAME} SHARED ${PLUGIN_SOURCES}) + + set_target_properties(${PLUGIN_NAME} PROPERTIES + PREFIX "" + SUFFIX ${PLUGIN_SUFFIX} + LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin + RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin + ) + + # Always link with Threads + target_link_libraries(${PLUGIN_NAME} PRIVATE Threads::Threads) + + if(PLUGIN_LIBRARIES) + target_link_libraries(${PLUGIN_NAME} PRIVATE ${PLUGIN_LIBRARIES}) + endif() + + if(PLUGIN_INCLUDE_DIRS) + target_include_directories(${PLUGIN_NAME} PRIVATE ${PLUGIN_INCLUDE_DIRS}) + endif() + + if(PLUGIN_COMPILE_DEFINITIONS) + target_compile_definitions(${PLUGIN_NAME} PRIVATE ${PLUGIN_COMPILE_DEFINITIONS}) + endif() + + if(PLUGIN_LINK_OPTIONS) + set_target_properties(${PLUGIN_NAME} PROPERTIES LINK_OPTIONS "${PLUGIN_LINK_OPTIONS}") + endif() + + target_include_directories(${PLUGIN_NAME} PRIVATE + ${CMAKE_SOURCE_DIR}/src + ) +endfunction() diff --git a/copying b/copying index 6a0ce50..bae93c7 100644 --- a/copying +++ b/copying @@ -1,8 +1,8 @@ 3proxy 0.9 Public License Agreement -(c) 2000-2020 by 3APA3A (3APA3A@3proxy.ru) -(c) 2000-2020 by 3proxy.org (https://3proxy.org/) -(c) 2000-2020 by Vladimir Dubrovin (vlad@3proxy.ru) +(c) 2000-2025 by 3APA3A (3APA3A@3proxy.ru) +(c) 2000-2025 by 3proxy.org (https://3proxy.org/) +(c) 2000-2025 by Vladimir Dubrovin (vlad@3proxy.org) THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT @@ -38,20 +38,20 @@ terms of compatible license, including: 1. Apache License, Version 2.0 or (at your option) any later version You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 2. GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. You may obtain a copy of the License at - http://www.gnu.org/licenses/gpl.txt + https://www.gnu.org/licenses/gpl.txt 3. GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. You may obtain a copy of the License at - http://www.gnu.org/licenses/lgpl.txt + https://www.gnu.org/licenses/lgpl.txt diff --git a/debian/3proxy.manpages b/debian/3proxy.manpages index f6a505e..e7e4124 100644 --- a/debian/3proxy.manpages +++ b/debian/3proxy.manpages @@ -1,10 +1,11 @@ man/3proxy.8 -man/3proxy.cfg.3 -man/ftppr.8 -man/icqpr.8 -man/pop3p.8 -man/proxy.8 -man/smtpp.8 -man/socks.8 -man/tcppm.8 -man/udppm.8 \ No newline at end of file +man/3proxy.cfg.5 +man/3proxy_ftppr.8 +man/3proxy_pop3p.8 +man/3proxy_tlspr.8 +man/3proxy_proxy.8 +man/3proxy_smtpp.8 +man/3proxy_socks.8 +man/3proxy_tcppm.8 +man/3proxy_udppm.8 +man/3proxy_crypt.8 diff --git a/debian/changelog b/debian/changelog index 5d48b5d..1020ba0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,20 @@ -3proxy (0.9.3-210629140419) buster; urgency=medium - - *3proxy 0.9.3 build - - -- z3APA3A <3apa3a@3proxy.org> Thu, 01 Jul 2021 19:48:44 +0300 +3proxy (0.9.6-1) buster; urgency=medium + + *3proxy 0.9.6 initial build + + -- z3APA3A <3apa3a@3proxy.org> Sat, 11 Apr 2026 13:03:32 +0300 + +3proxy (0.9.5-1) buster; urgency=medium + + *3proxy 0.9.5 initial build + + -- z3APA3A <3apa3a@3proxy.org> Sun, 09 Mar 2025 15:55:48 +0300 + +3proxy (0.9.4-1) buster; urgency=medium + + *3proxy 0.9.4 initial build + + -- z3APA3A <3apa3a@3proxy.org> Fri, 02 Jul 2021 00:47:00 +0300 3proxy (0.9.3-1) buster; urgency=medium diff --git a/debian/conffiles b/debian/conffiles index 5511217..e69de29 100644 --- a/debian/conffiles +++ b/debian/conffiles @@ -1,4 +0,0 @@ -/usr/local/3proxy/conf/3proxy.cfg -/usr/local/3proxy/conf/add3proxyuser.sh -/usr/local/3proxy/conf/bandlimiters -/usr/local/3proxy/conf/counters diff --git a/debian/copyright b/debian/copyright index f6f657a..8cc1448 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,17 +4,10 @@ Upstream-Contact: 3proxy@3proxy.org Source: https://3proxy.org/ Files: * -Copyright: 2000-2020 3APA3A, Vladimir Dubrovin, 3proxy.org +Copyright: 2000-2026 Vladimir Dubrovin License: BSD-3-clause or Apache or GPL-2+ or LGPL-2+ -Files: src/libs/md*.* -Copyright: 1990,1991,1992 RSA Data Security, Inc -License: public-domain +Files: src/libs/blake2*.* +Copyright: 2012, Samuel Neves +License: public-domain (CC0 1.0 Universal) or OpenSSL license or Apache 2.0 -Files: src/libs/regex.* -Copyright: Henry Spencer -License: public-domain - -Files: src/libs/smbdes.c -Copyright: Andrew Tridgell 1998 -License: GPL-2+ diff --git a/debian/postinst b/debian/postinst index dbdbe4b..f5a46a9 100644 --- a/debian/postinst +++ b/debian/postinst @@ -1,10 +1,3 @@ -if [ ! -f /usr/local/3proxy/conf/passwd ]; then \ - touch /usr/local/3proxy/conf/passwd;\ -fi -chown -R proxy:proxy /usr/local/3proxy -chmod 550 /usr/local/3proxy/ -chmod 550 /usr/local/3proxy/conf/ -chmod 440 /usr/local/3proxy/conf/* if /bin/systemctl >/dev/null 2>&1; then \ /usr/sbin/update-rc.d 3proxy disable || true; \ /usr/sbin/chkconfig 3proxy off || true; \ @@ -19,8 +12,8 @@ fi echo "" echo 3proxy installed. if /bin/systemctl >/dev/null 2>&1; then \ - /bin/systemctl stop 3proxy.service \ - /bin/systemctl start 3proxy.service \ + /bin/systemctl stop 3proxy.service ;\ + /bin/systemctl start 3proxy.service ;\ echo use ;\ echo " "systemctl start 3proxy.service ;\ echo to start proxy ;\ @@ -34,10 +27,3 @@ elif [ -x /usr/sbin/service ]; then \ echo " "service 3proxy stop ;\ echo to stop proxy ;\ fi -echo " "/usr/local/3proxy/conf/add3proxyuser.sh -echo to add users -echo "" -echo Default config uses Google\'s DNS. -echo It\'s recommended to use provider supplied DNS or install local recursor, e.g. pdns-recursor. -echo Configure preferred DNS in /usr/local/3proxy/conf/3proxy.cfg. -echo run \'/usr/local/3proxy/conf/add3proxyuser.sh admin password\' to configure \'admin\' user diff --git a/debian/rules b/debian/rules index dc57dd0..aacf054 100644 --- a/debian/rules +++ b/debian/rules @@ -3,14 +3,8 @@ %: dh $@ -override_dh_auto_build: - ln -s Makefile.Linux Makefile || true - dh_auto_build - override_dh_auto_clean: find src/ -type f -name "*.o" -delete find src/ -type f -name "Makefile.var" -delete find bin/ -type f -executable -delete - rm -f Makefile -override_dh_usrlocal: diff --git a/doc/changelog/0/7/0 b/doc/changelog/0/7/0 new file mode 100644 index 0000000..cf57c4e --- /dev/null +++ b/doc/changelog/0/7/0 @@ -0,0 +1,26 @@ + +3proxy 0.7 + +This release is partially forced: while no new significant functions are +added, 0.7 is code is much more stable and less buggy than 0.6. Since +there is no new development for a long time, except few minor bugfixes, +I decided to finally release 0.7. You may want it if you: + + Use HTTP proxy + Use 3proxy under *BSD/Mac OS X/iPhone OS + Use plugins, specially traffic related ones, like PCRE. + +I have no time for active developement. There are interesting features +in nearly ready state, e.g. SSL support / SSL decryption via +certificates spoofing, NAT support and SSL auto-detection. You can step +into development, if you are interested. + +There are some configuration changes: + + auth iponly is now default (because most misconfigurations were + because of default auth none) + maxconn is now 500 by default (because WebKit browsers ignore + standards and create a lot of connections even if proxy is configured) + NTLM is disabled by default (-n options, -n1 to enable) because + NTLMv1 is disabled by default in Windows since Vista and there is no + NTLMv2 library with compatible license. Report me, if any. diff --git a/doc/changelog/0/7/1 b/doc/changelog/0/7/1 new file mode 100644 index 0000000..1d2dd07 --- /dev/null +++ b/doc/changelog/0/7/1 @@ -0,0 +1,35 @@ +3proxy-0.7.1.4 + +!! Fix transparent flag not reset after keep-alive connection, can lead to + + +3proxy-0.7.1.3 + +! traffic displayed incorrectly +! archiver doesn't add suffix if logname contains macro +! fix potential race condition on configuration reload +! fix FTP over HTTP authentication + + +3proxy-0.7.1.2 + +! Request / header size limitation relaxed for HTTP proxy + + +3proxy 0.7.1.1 + +! Linux compilation issues resolved + + +3proxy 0.7.1 + +Minor improvements and bugfixes: + ++ Windows icons added ++ Warnings added for most common misconfigurations ++ ftppr NLSD command supported +! Ignore NTLM handshake if NTLM is not enabled +!! memcpy replaced with memmove for overlapped region +! better EINTR handling on *nix +! FTP proxy debugging output removed (introduced in 0.7), binding for data connection corrected +! memory leak fixed in ldapauth plugin \ No newline at end of file diff --git a/doc/changelog/0/8/0 b/doc/changelog/0/8/0 new file mode 100644 index 0000000..4b0b716 --- /dev/null +++ b/doc/changelog/0/8/0 @@ -0,0 +1,9 @@ ++ IPv6 support ++ back connect support ++ name resolution over TCP, parent proxy support for dnspr ++ SSLPlugin for TLS/SSL traffic decryption +! multiple race conditions fixed +! reduced memory usage +! Generate Forwarded: header instead of X-Forwarded-For: +! Default name resolution is non-blocking in *nix +! multiple race conditions fixed on configuration reload diff --git a/doc/changelog/0/8/1 b/doc/changelog/0/8/1 new file mode 100644 index 0000000..9b801b7 --- /dev/null +++ b/doc/changelog/0/8/1 @@ -0,0 +1 @@ +!!Fix: destination IP may be not checked against ACL \ No newline at end of file diff --git a/doc/changelog/0/8/10 b/doc/changelog/0/8/10 new file mode 100644 index 0000000..ee3bacf --- /dev/null +++ b/doc/changelog/0/8/10 @@ -0,0 +1,2 @@ +! Fix: parent proxy can be used in some cases where it shouldn't +! Fix: bandlimiters may not work for older connections on configuration reload \ No newline at end of file diff --git a/doc/changelog/0/8/11 b/doc/changelog/0/8/11 new file mode 100644 index 0000000..6cbbd90 --- /dev/null +++ b/doc/changelog/0/8/11 @@ -0,0 +1,9 @@ +Minor bugfixes / improvements: +! Fixed: deadlock on insufficient resources +! Fixed: race condition in ssl_plugin +! Fixed: minor memory leak on configuration reload +! Fixed: recursion detection was not working +! Fixed: %n for IPv6 in logging terminates log record +! Fixed: reverse PTR validation (required for dnsauth) +! Fixed: error on external 0.0.0.0 for NOIPV6 (light version) ++ Better support for IPv6 in ftppr \ No newline at end of file diff --git a/doc/changelog/0/8/12 b/doc/changelog/0/8/12 new file mode 100644 index 0000000..177cdb6 --- /dev/null +++ b/doc/changelog/0/8/12 @@ -0,0 +1,5 @@ +Bugfixes: +! Fixed hostname support in SOCKSv5 UDP portmapping +! -fno-strict-aliasing added to gcc options (compiling without this option can lead to unpredictable issues under Debian with gcc 6 and potentially others) +! Fixed LDAP plugin compilation issues (LDAP plugin is still listed as unsupported though) +and some minor fixes and improvements. \ No newline at end of file diff --git a/doc/changelog/0/8/13 b/doc/changelog/0/8/13 new file mode 100644 index 0000000..a1fd0bf --- /dev/null +++ b/doc/changelog/0/8/13 @@ -0,0 +1,3 @@ +Bugfixes: +!! Fixed out-of-bound write and few minor bugs on configuration saving in admin +! fixed: $ is not correctly handled in the beginning of quoted line on configuration parsing \ No newline at end of file diff --git a/doc/changelog/0/8/2 b/doc/changelog/0/8/2 new file mode 100644 index 0000000..d3fc09d --- /dev/null +++ b/doc/changelog/0/8/2 @@ -0,0 +1,3 @@ +!! Fix transparent flag not reset after keep-alive connection, can lead to DoS by authenticated user. +! Do not use SO_REUSEADDR by default (leads to random 00013 errors under some glibc versions) +! Use SASIZE() instead of sizeof() in bind() for FreeBSD compatibility diff --git a/doc/changelog/0/8/3 b/doc/changelog/0/8/3 new file mode 100644 index 0000000..25e2ccc --- /dev/null +++ b/doc/changelog/0/8/3 @@ -0,0 +1 @@ +! fixed: use SASIZE() instead of sizeof() in connect() for FreeBSD compatibility \ No newline at end of file diff --git a/doc/changelog/0/8/4 b/doc/changelog/0/8/4 new file mode 100644 index 0000000..5704690 --- /dev/null +++ b/doc/changelog/0/8/4 @@ -0,0 +1,5 @@ ++ Build PamPlugin on *nix ++ stacksize and -S options, stacksize defaults changed for FreeBSD ++ extip redirection type added +! SSL plugin fix to correct handling of certificates path +! fixed random errors on IPv6 connect diff --git a/doc/changelog/0/8/5 b/doc/changelog/0/8/5 new file mode 100644 index 0000000..ba0960c --- /dev/null +++ b/doc/changelog/0/8/5 @@ -0,0 +1 @@ +!Fix: mutex was used prior to initialization on 'log' command processing \ No newline at end of file diff --git a/doc/changelog/0/8/6 b/doc/changelog/0/8/6 new file mode 100644 index 0000000..14bb3be --- /dev/null +++ b/doc/changelog/0/8/6 @@ -0,0 +1 @@ +! Fix: random 00012 errors in some configurations \ No newline at end of file diff --git a/doc/changelog/0/8/7 b/doc/changelog/0/8/7 new file mode 100644 index 0000000..f804d18 --- /dev/null +++ b/doc/changelog/0/8/7 @@ -0,0 +1,15 @@ +! Fix 'daemon' command for Linux +! Fix 'extip' redirections 00009 errors +! Fix counters for older Win platforms +! Resolve logging race conditions +! attempt to fix pam_auth race conditions +! FTP proxy workaround for broken gethostname() on some libc limplementations +! authcache IP matching corrected +! fix SOCKSv5 BIND/UDP ASSOC +! use setreuid/setregid instead of setuid / setgid + ++ OpenWatcom makefiles for Windows ++ -u2 support for proxy ++ support %i in logformat ++ force/noforce configuration commands to disconnect / do not disconnect clients if nolonger match ACL after configuration change ++ support longer external passwords diff --git a/doc/changelog/0/8/8 b/doc/changelog/0/8/8 new file mode 100644 index 0000000..6fdd82b --- /dev/null +++ b/doc/changelog/0/8/8 @@ -0,0 +1,3 @@ +!! Fix resolver for non-compressed reply parsing (on mixed-case sensitive resolvers) +! Fix plugins export on OpenWatcom compiler (light version) +! Fix SOCKSv5 \ No newline at end of file diff --git a/doc/changelog/0/8/9 b/doc/changelog/0/8/9 new file mode 100644 index 0000000..f0b226b --- /dev/null +++ b/doc/changelog/0/8/9 @@ -0,0 +1 @@ +! Fix: tcppm may fail if used with parent proxy \ No newline at end of file diff --git a/doc/changelog/0/9/0 b/doc/changelog/0/9/0 new file mode 100644 index 0000000..c9ef990 --- /dev/null +++ b/doc/changelog/0/9/0 @@ -0,0 +1,6 @@ ++ Socket options, interface binding ++ Connection limiting / connection rate limiting ++ RADIUS support (beta) ++ Zero copy (splice) support for Linux ++ Possibility to limit user to single IP (via authentication cache) +! bugfixes, improvements \ No newline at end of file diff --git a/doc/changelog/0/9/1 b/doc/changelog/0/9/1 new file mode 100644 index 0000000..c12cdd5 --- /dev/null +++ b/doc/changelog/0/9/1 @@ -0,0 +1,8 @@ +Bugfixes: +! Fixed: socket may be closed before all data received/sent +! Fixed: bandlimin non-working +! Fixed: countall/nocountall +! Fixed: few race conditions + +Improvements: ++ deb/rpm build, systemd support (experimental) \ No newline at end of file diff --git a/doc/changelog/0/9/2 b/doc/changelog/0/9/2 new file mode 100644 index 0000000..d60694a --- /dev/null +++ b/doc/changelog/0/9/2 @@ -0,0 +1,9 @@ +Bugfixes: +! Fixed: bandwidth limiters (once again) +! Fixed: data filtering plugins (PCREPlugin, SSLPlugin). SSLPlugin use on Linux requires to disable splice (-s0) +! FIxed: standalone proxies do not react on HUP (Ctrl+C) in Linux/Unix +! Fixed: few minor bugs + +Improvements: ++ deb for arm platforms (experimental) ++ Openssl 1.1 support for SSLPlugin \ No newline at end of file diff --git a/doc/changelog/0/9/3 b/doc/changelog/0/9/3 new file mode 100644 index 0000000..0d8fffc --- /dev/null +++ b/doc/changelog/0/9/3 @@ -0,0 +1,11 @@ +Bugfixes: +! Fixed: systemd description file (proxy may fail to start after reboot or via systemctl) +! Fixed: group/account creation in installation scripts +! Fixed: countall/nocounall do not work in some configurations +! Fixed: counters do not work if counter file is not specified +! Fixed: counters without rotation (type N) are incorrectly shown in web admin interface +! Fixed: %n may be incomplete or missed in long log records +! Fixed: connect back functionality does not work + +Improvements: ++ Docker builds \ No newline at end of file diff --git a/doc/changelog/0/9/4 b/doc/changelog/0/9/4 new file mode 100644 index 0000000..bdaf728 --- /dev/null +++ b/doc/changelog/0/9/4 @@ -0,0 +1,4 @@ +! Fix: invalid handling of '-' character in ACL hostname +! Fix: minor bugfixes and improvements ++ parentretry command added (defaults to 2) to retry connections to parent proxies +- icqpr related code (OSCAR proxy) removed, due to drop of OSCAR support by messengers \ No newline at end of file diff --git a/doc/changelog/0/9/5 b/doc/changelog/0/9/5 new file mode 100644 index 0000000..77f0970 --- /dev/null +++ b/doc/changelog/0/9/5 @@ -0,0 +1,7 @@ +!! Security fix: proxy can potentially crash on on some platforms due to overlapping regions in strcpy() (thanks to @lenix123 for reporting) ++ new proxy service type: `tlspr` - SNI proxy, may also be used as parent `tls` type, sniffs hostname from TLS handhake, read more in https://github.com/3proxy/3proxy/wiki/tlspr https://github.com/3proxy/3proxy/wiki/How-To-(incomplete)#TLSPR ++ new proxy service type: `auto` - autodetect proxy type between `proxy` and `socks` ++ SSLPlugin is rewritten, production-ready, supports TLS (SSL) server (may be used to create https:// type proxy), certificates checks and cypher options, see https://github.com/3proxy/3proxy/wiki/SSLPlugin ++ -g option is added for grace delay to reduce CPU load, see https://github.com/3proxy/3proxy/wiki/High-Load +! Multiple minor bugfixes +! More supported sockets options \ No newline at end of file diff --git a/doc/changelog/0/9/6 b/doc/changelog/0/9/6 new file mode 100644 index 0000000..d394d87 --- /dev/null +++ b/doc/changelog/0/9/6 @@ -0,0 +1,9 @@ ++ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios. ++ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header. ++ tlspr is supported in auto ++ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI ++ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems ++ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5 ++ cmake environment added +! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy +! Multiple minor bugfixes diff --git a/doc/html/faqe.html b/doc/html/faqe.html index a460002..fe178e1 100644 --- a/doc/html/faqe.html +++ b/doc/html/faqe.html @@ -1,2 +1,2 @@ -

See HowTo:

\ No newline at end of file +

See HowTo:

\ No newline at end of file diff --git a/doc/html/faqr.html b/doc/html/faqr.html index e9546af..023d097 100644 --- a/doc/html/faqr.html +++ b/doc/html/faqr.html @@ -1,2 +1,2 @@ -

См. HowTo

\ No newline at end of file +

См. HowTo

\ No newline at end of file diff --git a/doc/html/highload.html b/doc/html/highload.html index a3693cf..a91f829 100644 --- a/doc/html/highload.html +++ b/doc/html/highload.html @@ -1,12 +1,12 @@ -

Optimizing 3proxy for high load

-

Precaution 1: 3proxy was not initially developed for high load and is positioned as a SOHO product, the main reason is "one connection - one thread" model 3proxy uses. 3proxy is known to work with above 200,000 connections under proper configuration, but use it in production environment under high loads at your own risk and do not expect too much. -

Precaution 2: This documentation is incomplete and is not sufficient. High loads may require very specific system tuning including, but not limited to specific or cusomized kernels, builds, settings, sysctls, options, etc. All this is not covered by this documentation. +

Optimizing 3proxy for High Load

+

Precaution 1: 3proxy was not initially developed for high load and is positioned as a SOHO product. The main reason is the "one connection - one thread" model 3proxy uses. 3proxy is known to work with over 200,000 connections under proper configuration, but use it in a production environment under high loads at your own risk and do not expect too much. +

Precaution 2: This documentation is incomplete and insufficient. High loads may require very specific system tuning including, but not limited to, specific or customized kernels, builds, settings, sysctls, options, etc. All of this is not covered by this documentation.

Configuring 'maxconn'

-A number of simulatineous connections per service is limited by 'maxconn' option. -Default maxconn value since 3proxy 0.8 is 500. You may want to set 'maxconn' -to higher value. Under this configuration: +The number of simultaneous connections per service is limited by the 'maxconn' option. +The default maxconn value since 3proxy 0.8 is 500. You may want to set 'maxconn' +to a higher value. Under this configuration: 
 maxconn 1000
 proxy -p3129
@@ -14,53 +14,53 @@ proxy -p3128
 socks
maxconn for every service is 1000, and there are 3 services running -(2 proxy and 1 socks), so, for all services there can be up to 3000 -simulatineous connections to 3proxy. -

Avoid setting 'maxconn' to arbitrary high value, it should be carefully -choosen to protect system and proxy from resources exhaution. Setting maxconn -above resources available can lead to denial of service conditions. -

Understanding resources requirements

-Each running service require: +(2 proxy and 1 socks), so for all services there can be up to 3000 +simultaneous connections to 3proxy. +

Avoid setting 'maxconn' to an arbitrarily high value; it should be carefully +chosen to protect the system and proxy from resource exhaustion. Setting maxconn +above available resources can lead to denial of service conditions. +

Understanding Resource Requirements

+Each running service requires:
    -
  • 1*thread (process) -
  • 1*socket (file descriptor) +
  • 1 thread (process) +
  • 1 socket (file descriptor)
  • 1 stack memory segment + some heap memory, ~64K-128K depending on the system
-Each connected client require: +Each connected client requires:
    -
  • 1*thread (process) -
  • 2*socket (file descriptor). For FTP 4 sockets are required. -
    Under linux since 0.9 splice() is used. It's much more effective, but requires -
    2*socket (file descriptor) + 2*pipe (file descriptors) = 4 file descriptors. -
    For FTP 4 sockets and 2 pipes are required with splice(). -
    Up to 128K (up to 256K in the case of splice()) of kernel buffers memory. This is theoretical maximum, actual numbers depend on connection quality and traffic amount. +
  • 1 thread (process) +
  • 2 sockets (file descriptors). For FTP, 4 sockets are required. +
    Under Linux since 0.9, splice() is used. It's much more efficient but requires +
    2 sockets (file descriptors) + 2 pipes (file descriptors) = 4 file descriptors. +
    For FTP with splice(), 4 sockets and 2 pipes are required. +
    Up to 128K (up to 256K in the case of splice()) of kernel buffer memory. This is the theoretical maximum; actual numbers depend on connection quality and traffic amount.
    1 additional socket (file descriptor) during name resolution for non-cached names
    1 additional socket during authentication or logging for RADIUS authentication or logging. -
  • 1*ephemeral port (3*ephemeral ports for FTP connection). -
  • 1 stack memory segment of ~32K-128K depending on the system + at least 16K and up to few MB (for 'proxy' and 'ftppr') of heap memory. If you are short of memory, prefer 'socks' to 'proxy' and 'ftppr'. -
  • a lot of system buffers, specially in the case of slow network connections. +
  • 1 ephemeral port (3 ephemeral ports for FTP connections). +
  • 1 stack memory segment of ~32K-128K depending on the system + at least 16K and up to a few MB (for 'proxy' and 'ftppr') of heap memory. If you are short on memory, prefer 'socks' over 'proxy' and 'ftppr'. +
  • Many system buffers, especially in the case of slow network connections.
Also, additional resources like system buffers are required for network activity.

Setting ulimits

Hard and soft ulimits must be set above calculated requirements. Under Linux, you can -check limits of running process with +check the limits of a running process with 
 cat /proc/PID/limits
-where PID is a pid of the process. -Validate ulimits match your expectation, especially if you run 3proxy under dedicated account -by adding e.g. +where PID is the process ID. +Validate that ulimits match your expectations, especially if you run 3proxy under a dedicated account +by adding, e.g.: 
 system "ulimit -Ha >>/tmp/3proxy.ulim.hard"
 system "ulimit -Sa >>/tmp/3proxy.ulim.soft"
-in the beginning (before first service started) and the end of config file. -Make both hard restart (that is kill and start 3proxy process) and soft restart -by sending SIGUSR1 to 3proxy process, check ulimits recorded to files match your -expecation. In systemd based distros (e.g. latest Debian / Ubuntu) changing limits.conf -is not enough, limits must be ajusted in systemd configuration, e.g. by setting +at the beginning (before the first service is started) and at the end of the config file. +Perform both a hard restart (i.e., kill and start the 3proxy process) and a soft restart +by sending SIGUSR1 to the 3proxy process; check that the ulimits recorded to files match your +expectations. In systemd-based distros (e.g., latest Debian/Ubuntu), changing limits.conf +is not enough; limits must be adjusted in the systemd configuration, e.g., by setting: 
 DefaultLimitDATA=infinity
 DefaultLimitSTACK=infinity
@@ -73,51 +73,51 @@ DefaultLimitMEMLOCK=infinity
in user.conf / system.conf -

Extending system limitation

+

Extending System Limitations

-Check manuals / documentation for your system limitations e.g. system-wide limit for number of open files +Check the manuals/documentation for your system's limitations, e.g., the system-wide limit for the number of open files (fs.file-max in Linux). You may need to change sysctls or even rebuild the kernel from source.

-To help with socket-based system-dependant settings, since 0.9-devel 3proxy supports different -socket options which can be set via -ol option for listening socket, -oc for proxy-to-client -socket and -os for proxy-to-server socket. Example: +To help with socket-based system-dependent settings, since 0.9-devel, 3proxy supports different +socket options which can be set via the -ol option for the listening socket, -oc for the proxy-to-client +socket, and -os for the proxy-to-server socket. Example: 

 proxy -olSO_REUSEADDR,SO_REUSEPORT -ocTCP_TIMESTAMPS,TCP_NODELAY -osTCP_NODELAY
-available options are system dependant. +Available options are system-dependent. -

Using 3proxy in virtual environment

+

Using 3proxy in a Virtual Environment

-If 3proxy is used in VPS environment, there can be additional limitations. -For example, kernel resources / system CPU usage / IOCTLs can be limited in a different way, and this can become a bottleneck. -Since 0.9 devel, 3proxy uses splice() by default on Linux, splice() prevents network traffic from being copied from -kernel space to 3proxy process and generally increases throughput, epecially in the case of high volume traffic. It especially -true for virtual environment (it can improve thoughput up to 10 times) unless there are additional kernel limitations. -Since some work is moved to kernel, it requires up to 2 times more kernel resources in terms of CPU, memory and IOCTLs. -If your hosting additionally limits kernel resources (you can see it as nearly 100% CPU usage without any real CPU activity for -any application which performs IOCTLS), use -s0 option to disable splice() usage for given service e.g. -
 
+If 3proxy is used in a VPS environment, there can be additional limitations.
+For example, kernel resources, system CPU usage, and IOCTLs can be limited differently, and this can become a bottleneck.
+Since 0.9-devel, 3proxy uses splice() by default on Linux. splice() prevents network traffic from being copied from
+kernel space to the 3proxy process and generally increases throughput, especially in the case of high-volume traffic. This is especially
+true for virtual environments (it can improve throughput up to 10 times) unless there are additional kernel limitations.
+Since some work is moved to the kernel, it requires up to 2 times more kernel resources in terms of CPU, memory, and IOCTLs.
+If your hosting additionally limits kernel resources (you can see this as nearly 100% CPU usage without any real CPU activity for
+any application performing IOCTLs), use the -s0 option to disable splice() usage for a given service, e.g.:
+
 socks -s0
 

 
-
Extending ephemeral port range

+
Extending the Ephemeral Port Range

 
-Check ephemeral port range for your system and extend it to the number of the
+Check the ephemeral port range for your system and extend it to the number of
 ports required.
-Ephimeral range is always limited to maximum number of ports (64K). To extend the
-number of outgoing connections above this limit, extending ephemeral port range
-is not enough, you need additional actions:
+The ephemeral range is always limited to the maximum number of ports (64K). To extend the
+number of outgoing connections above this limit, extending the ephemeral port range
+is not enough; you need additional actions:
 
    
 
  1.  Configure multiple outgoing IPs
-
  2.  Make sure 3proxy is configured to use different outgoing IP by either setting
-external IP via RADIUS
+
  3.  Make sure 3proxy is configured to use a different outgoing IP by either setting
+the external IP via RADIUS:
 
     radius secret 1.2.3.4
 auth radius
 proxy
 
    
 or by using multiple services with different external
-interfaces, example:
+interfaces, for example:
 
     allow user1,user11,user111
 proxy -p1111 -e1.1.1.1
@@ -133,7 +133,7 @@ proxy -p4444 -e4.4.4.4
 flush
 
    
 or via "parent extip" rotation,
-e.g.
+e.g.:
 
     allow user1,user11,user111
 parent 1000 extip 1.1.1.1 0
@@ -156,8 +156,8 @@ socks
 
    
 
     
    
-Under latest Linux version you can also start multiple services with different
-external addresses on the single port with SO_REUSEPORT on listening socket to
+Under the latest Linux versions, you can also start multiple services with different
+external addresses on a single port with SO_REUSEPORT on the listening socket to
 evenly distribute incoming connections between outgoing interfaces:
 
     socks -olSO_REUSEPORT -p3128 -e 1.1.1.1
@@ -165,123 +165,136 @@ socks -olSO_REUSEPORT -p3128 -e 2.2.2.2
 socks -olSO_REUSEPORT -p3128 -e 3.3.3.3
 socks -olSO_REUSEPORT -p3128 -e 4.4.4.4
 
    
-for Web browsing last two examples are not recommended, because same client can get
-different external address for different requests, you should choose external
+For web browsing, the last two examples are not recommended because the same client can get
+a different external address for different requests; you should choose the external
 interface with user-based rules instead.
-
  4.  You may need additional system dependant actions to use same port on different IPs,
-usually by adding SO_REUSEADDR (SO_PORT_SCALABILITY for Windows) socket option to
-external socket. This option can be set (since 0.9 devel) with -os option:
+
  5.  You may need additional system-dependent actions to use the same port on different IPs,
+usually by adding the SO_REUSEADDR (SO_PORT_SCALABILITY for Windows) socket option to
+the external socket. This option can be set (since 0.9-devel) with the -os option:
 
     proxy -p3128 -e1.2.3.4 -osSO_REUSEADDR
 
    
-Behavior for SO_REUSEADDR and SO_REUSEPORT is different between different system,
-even between different kernel versions and can lead to unexpected results.
-Specifics is described here.
-Use this options only if actually required and if you fully understand possible
-consiquences. E.g. SO_REUSEPORT can help to establish more connections than the
-number of the client port available, but it can also lead to situation connections
-are randomely fail due to ip+port pairs collision if remote or local system 
+The behavior for SO_REUSEADDR and SO_REUSEPORT is different between different systems,
+even between different kernel versions, and can lead to unexpected results.
+The specifics are described here.
+Use these options only if actually required and if you fully understand the possible
+consequences. For example, SO_REUSEPORT can help establish more connections than the
+number of client ports available, but it can also lead to situations where connections
+randomly fail due to IP+port pair collisions if the remote or local system
 doesn't support this trick.
 

 
-
Setting stacksize

+
Setting Stack Size

 
 'stacksize' is a size added to all stack allocations and can be both positive and
-negative. Stack is required in functions call. 3proxy itself doesn't require large
+negative. Stack is required for function calls. 3proxy itself doesn't require a large
 stack, but it can be required if some
-purely-written libc, 3rd party libraries or system functions called. There is known\
+poorly written libc, 3rd party libraries, or system functions are called. There is known
 dirty code in Unix ODBC
-implementations, build-in DNS resolvers, especially in the case of IPv6 and large
-number of interfaces. Under most 64-bit system extending stacksize will lead
-to additional memory space usage, but do not require actual commited memory,
-so you can inrease stacksize to relatively large value (e.g. 1024000) without
-the need to add additional phisical memory,
-but it's system/libc dependant and requires additional testing under your
-installation. Don't forget about memory related ulimts.
-
For 32-bit systems address space can be a bottlneck you should consider. If
-you're short of address space you can try to use negative stack size.
+implementations and built-in DNS resolvers, especially in the case of IPv6 and a large
+number of interfaces. Under most 64-bit systems, extending stacksize will lead
+to additional memory space usage but does not require actual committed memory,
+so you can increase stacksize to a relatively large value (e.g., 1024000) without
+the need to add additional physical memory,
+but it's system/libc dependent and requires additional testing under your
+installation. Don't forget about memory-related ulimits.
+
For 32-bit systems, address space can be a bottleneck you should consider. If
+you're short on address space, you can try using a negative stack size.
 
-
Known system issues

+
Known System Issues

 
-There are known race condition issues in Linux / glibc resolver. The probability
-of race condition arises under configuration with IPv6, large number of interfaces
-or IP addresses or resolvers configured. In this case, install local recursor and
-use 3proxy built-in resolver (nserver / nscache / nscache6).
-
Do not use public resolvers

-Public resolvers like ones from Google have ratelimits. For large number of
-requests install local caching recursor (ISC bind named, PowerDNS recursor, etc).
+There are known race condition issues in the Linux/glibc resolver. The probability
+of a race condition arises under configuration with IPv6, a large number of interfaces
+or IP addresses, or with resolvers configured. In this case, install a local recursor and
+use 3proxy's built-in resolver (nserver / nscache / nscache6).
+
Do Not Use Public Resolvers

+Public resolvers like those from Google have rate limits. For a large number of
+requests, install a local caching recursor (ISC bind named, PowerDNS recursor, etc).
 
-
Avoid large lists

+
Avoid Large Lists

 
 Currently, 3proxy is not optimized to use large ACLs, user lists, etc. All lists
-are processed lineary. In devel version you can use RADIUS authentication to avoid
-user lists and ACLs in 3proxy itself. Also, RADIUS allows to easily set outgoing IP
-on per-user basis or more sophisicated logics.
-RADIUS is a new beta feature, test it before using in production.
+are processed linearly. In the devel version, you can use RADIUS authentication to avoid
+user lists and ACLs in 3proxy itself. Also, RADIUS allows you to easily set an outgoing IP
+on a per-user basis or implement more sophisticated logic.
+RADIUS is a new beta feature; test it before using it in production.
 
-
Avoid changing configuration too often

+
Avoid Changing Configuration Too Often

 
-Every configuration reload requires additional resources. Do not do frequent
-changes, like users addition/deletaion via connfiguration, use alternative
+Every configuration reload requires additional resources. Do not make frequent
+changes, such as user addition/deletion via configuration; use alternative
 authentication methods instead, like RADIUS.
 
-
Consider using 'noforce'

+
Consider Using 'noforce'

 
-'force' behaviour (default) re-authenticates all connections after
-configuration reload, it may be resource consuming on large number of
-connections. Consider adding 'noforce' command before services started
-to prevent connections reauthentication.
+The 'force' behavior (default) re-authenticates all connections after
+configuration reload; it may be resource-consuming with a large number of
+connections. Consider adding the 'noforce' command before services are started
+to prevent connection re-authentication.
 
-
Do not monitor configuration files directly

+
Do Not Monitor Configuration Files Directly

 
-Using configuration file directly in 'monitor' can lead to race condition where
-configuration is reloaded while file is being written.
+Using a configuration file directly in 'monitor' can lead to a race condition where
+the configuration is reloaded while the file is being written.
 To avoid race conditions:
 
    
 
  1.  Update config files only if there is no lock file
-
  2.  Create lock file then 3proxy configuration is updated, e.g. with
+
  3.  Create a lock file when the 3proxy configuration is updated, e.g., with
 "touch /some/path/3proxy/3proxy.lck". If you generate config files
-asynchronously, e.g. by user's request via web, you should consider
-implementing existance checking and file creation as atomic operation.
-
  4. add
+asynchronously, e.g., by a user's request via web, you should consider
+implementing existence checking and file creation as an atomic operation.
+
  5.  Add
 
     system "rm /some/path/3proxy/3proxy.lck"
 
    
-at the end of config file to remove it after configuration is successfully loaded
-
  6.  Use a dedicated version file to monitor, e.g.
+at the end of the config file to remove it after the configuration is successfully loaded
+
  7.  Use a dedicated version file to monitor, e.g.:
 
     monitor "/some/path/3proxy/3proxy.ver"
 
    
-
  8.  After config is updated, change version file for 3proxy to reload configuration,
-e.g. with "touch /some/path/3proxy/3proxy.ver".
+
  9.  After the config is updated, change the version file for 3proxy to reload the configuration,
+e.g., with "touch /some/path/3proxy/3proxy.ver".
 

 
-
Use TCP_NODELAY to speed-up connections with small amount of data

+
Use TCP_NODELAY to Speed Up Connections with Small Amounts of Data

 
-If most requests require exchange with a small amount of data in a both ways
-without the need for bandwidth, e.g. messengers or small web request,
-you can eliminate Nagle's algorithm delay with TCP_NODELAY flag. Usage example:
+If most requests require an exchange with a small amount of data in both directions
+without the need for bandwidth, e.g., messengers or small web requests,
+you can eliminate Nagle's algorithm delay with the TCP_NODELAY flag. Usage example:
 
 proxy -osTCP_NODELAY -ocTCP_NODELAY
 

 sets TCP_NODELAY for client (oc) and server (os) connections.
-
Do not use TCP_NODELAY on slow connections with high delays and then
+
Do not use TCP_NODELAY on slow connections with high delays when
 connection bandwidth is a bottleneck.
 
-
Use splice to speedup large data amount transfers

+
Use Splice to Speed Up Large Data Amount Transfers

 
-splice() allows to copy data between connections without copying to process
-addres space. It can speedup proxy on high bandwidth connections, if most
+splice() allows copying data between connections without copying to the process
+address space. It can speed up the proxy on high-bandwidth connections if most
 connections require large data transfers. Splice is enabled by default on Linux
-since 0.9, "-s0" disables splice usage. Example:
+since 0.9; "-s0" disables splice usage. Example:
 
 proxy -s0
 

-Splice is only available on Linux. Splice requires more system buffers and file descriptors,
+Splice is only available on Linux. Splice requires more system buffers and file descriptors
 and produces more IOCTLs but reduces process memory and overall CPU usage.
-Disable splice if there is a lot of short-living connections with no bandwidth
+Disable splice if there are a lot of short-lived connections with no bandwidth
 requirements.
-
Use splice only on high-speed connections (e.g. 10GBE), if processor, memory speed or
+
Use splice only on high-speed connections (e.g., 10GbE) when the processor, memory speed, or
 system bus are bottlenecks.
-
TCP_NODELAY and splice are not contrary to each over and should be combined on
+
TCP_NODELAY and splice are not contrary to each other and should be combined on
 high-speed connections.
+
+
Add Grace Delay to Reduce System Calls

+
+
proxy -g8000,3,10

+The first parameter is the average read size we want to keep, the second parameter is
+the minimal number of packets in the same direction to apply the algorithm,
+and the last value is the delay added after polling and prior to reading data.
+The example above adds a 10-millisecond delay before reading data if the average
+polling size is below 8000 bytes and 3 read operations have been made in the same
+direction. It's especially useful with splice. 
logdump 1 1
 is useful
+to see how grace delays work; choose a delay value to avoid filling the read
+pipe/buffer (typically 64K) but keep the request sizes close to the chosen average
+on large file uploads/downloads.
diff --git a/doc/html/howtoe.html b/doc/html/howtoe.html
index 0fffb14..dc7f585 100644
--- a/doc/html/howtoe.html
+++ b/doc/html/howtoe.html
@@ -1,43 +1,47 @@
 
    
- 
  • 3APA3A 3proxy tiny proxy server HowTo
+ 
  • 3APA3A 3proxy Tiny Proxy Server HowTo
  
    Under construction, very incomplete
  
 
    
  
      
@@ -64,36 +70,53 @@
 	
        
 		
      • How to compile 3proxy with Visual C++
 
        
-Extract source code files from 3proxy.tgz (with WinZip or another utility).
-Use nmake /f Makefile.msvc command
+Extract source code files from 3proxy.tgz (with WinZip or another utility) or use git.
+
+
        +nmake /f Makefile.msvc
+
        
+Binaries will be placed in the bin/ directory.
 
        
-		
      • How to compile 3proxy with Intel C Compiler under Windows
+		
      • How to compile 3proxy with CMake
 
        
-See How to compile 3proxy with Visual C++
-Use Makefile.intl instead of Makefile.msvc
-
        
-		
      • How to compile 3proxy with GCC under Windows
        • 
-
        
-Extract source files from 3proxy.tgz (for example with tar -xzf 3proxy.tgz command if you have tar installed)
-Use make -f Makefile.win command. 
-If you want to use POSIX emulation Cygwin library (normally you shouldn't) - use make -f Makefile.unix instead.
-Windows specific things (like installing as service) will not be available if compiled with Cygwin emulation.
+CMake provides a cross-platform build system. It works on Windows (MSVC, MinGW), Linux, macOS, and BSD.
+
        Basic build steps:
+
        +mkdir build
+cd build
+cmake ..
+cmake --build .
+
        
+On Windows with Visual Studio, you can also generate a solution file:
+
        +cmake -G "Visual Studio 17 2022" -A x64 ..
+cmake --build . --config Release
+
        
+Optional features can be controlled with cmake options:
+
        +cmake -D3PROXY_USE_OPENSSL=ON -D3PROXY_USE_PCRE2=ON ..
+
        
+Available options: 3PROXY_USE_OPENSSL, 3PROXY_USE_PCRE2, 3PROXY_USE_PAM, 3PROXY_USE_ODBC.
+
        Binaries will be placed in the build/bin/ directory.
 
        
 		
      • How to compile 3proxy with GCC under Unix/Linux
        • 
 
        
-Use
+For Linux, use:
 
        -make -f Makefile.Linux
+ln -sf Makefile.Linux Makefile
+make
 
        
-for Linux or Cygwin, Makefile.Solaris* (depending on compiler version) for Solaris
-and Makefile.unix for different Unix-like OS. On BSD derivered systems make
-sure to use GNU make, sometimes it's called gmake instead of make.
-
        Compilation is tested under FreeBSD/i386, NetBSD/i386, OpenBSD/i386, 
-RH Linux/Alpha, Debian/i386, Gentoo/i386, Gentoo/PPC, Solaris/x86 but you
-shouldn't have problems under different Solaris, BSD or linux compatible systems.
-For different systems you may be required to patch Makefile or even source codes.
-If you want to use ODBC support, make sure to install ODBC for unix, remove -DNOODBC
-option from makefile compiler options and add ODBC library to linker variable.
+For FreeBSD, use:
+
        +ln -sf Makefile.FreeBSD Makefile
+make
+
        
+For other Unix-like systems, use Makefile.unix. On BSD-derived systems, make
+sure to use GNU make; sometimes it's called gmake instead of make.
+
        Compilation is tested under FreeBSD, NetBSD, OpenBSD, Linux, Solaris, and macOS.
+
        For ODBC support, install Unix ODBC libraries, remove -DNOODBC from the makefile,
+and add the ODBC library to the linker variable.
+
        Binaries will be placed in the bin/ directory.
 
        
 	
      
 
      
@@ -103,65 +126,140 @@ option from makefile compiler options and add ODBC library to linker variable.
 		
    • How to install/remove 3proxy under Windows NT/2000/XP
 
      
 Unpack 3proxy.zip to any directory, for example
-c:\Program Files\3proxy. If needed, create directory for storing log files,
-ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration).
-If you use 3proxy before 0.6 Add
-
      -service
-
      
-string into 3proxy.cfg. Now, start command prompt (cmd.exe).
-Change directory to 3proxy installation and run 3proxy.exe --install:
+c:\Program Files\3proxy. If needed, create a directory for storing log files,
+ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (see Server configuration).
+Now, start a command prompt (cmd.exe).
+Change to the 3proxy installation directory and run 3proxy.exe --install:
 
       D:\>C:
 C:\>cd C:\Program Files\3proxy
 C:\Program Files\3proxy>3proxy.exe --install
 
      
-Now, you should have 3proxy service installed and running. If service is not
-started, remove "service" string from 3proxy.cfg, run 3proxy.exe manually
-and correct all errors.
+Now, you should have the 3proxy service installed and running. If the service is not
+started, run 3proxy.exe manually and correct all errors.
 
      
-To remove 3proxy run 3proxy --remove:
+To remove 3proxy, run 3proxy --remove:
 
       D:\>C:
 C:\>cd C:\Program Files\3proxy
 C:\Program Files\3proxy>net stop 3proxy
 C:\Program Files\3proxy>3proxy.exe --remove
 
      
-Now you can simply remove 3proxy installation directory.
-
      
-		
    • How to install/remove 3proxy under Windows 95/98/ME
-
      
-Unpack 3proxy.zip to any directory, for example
-c:\Program Files\3proxy. If needed, create directory for storing log files,
-ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration).
-Remove string
-
      -service
-
      
-from 3proxy.cfg and add
-
      -daemon
-
      
-if you want 3proxy to run in background.
-Create shortcut for 3proxy.exe and place it in autostart or add
-to registry with regedit.exe:
-
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      
-Type: String
-
      3proxy = "c:\Program Files\3proxy.exe" "C:\Program Files\3proxy.cfg"
      
-You must use quotes if path contains space. If neccessary, restart Windows.
-If service is not started, check log. Remove "daemon" command from 3proxy.cfg,
-start 3proxy.exe manually and correct all errors.
+Now you can simply remove the 3proxy installation directory.
 
      
 		
    • How to install/remove 3proxy under Unix/Linux
 
      
-Complie 3proxy (see Compilation). Copy
-executables to any appropriate location (for example /usr/local/3proxy/sbin
-for servers and /usr/local/3proxy/bin for utilities).
-Create /usr/local/etc/3proxy.cfg. 
-(see Server configuration).
-You can change default configuration file location by specifing configuration file
-in 3proxy command line.
-Add 3proxy to system startup scripts.
+Using Makefile:
+
      Compile 3proxy (see Compilation) then run:
+
      +sudo make install
+
      
+This installs binaries to /usr/local/3proxy/sbin/, configuration to /etc/3proxy/,
+and sets up chroot directories. Default configuration file is /etc/3proxy/3proxy.cfg.
+
      
+
      
+Using CMake:
+
      +mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+
      
+
      
+
      
+Using pre-built packages from GitHub:
+
      Download .deb or .rpm packages from GitHub Releases.
+
      For Debian/Ubuntu:
+
      +sudo dpkg -i 3proxy_*.deb
+
      
+For RHEL/CentOS/Fedora:
+
      +sudo rpm -i 3proxy-*.rpm
+
      
+
      
+
      
+Add 3proxy to the system startup scripts or use systemd:
+
      +sudo systemctl enable 3proxy
+sudo systemctl start 3proxy
+
      
+
      
+		
    • How to install/remove 3proxy under macOS
+
      
+Using CMake (recommended):
+
      +mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+
      
+This installs:
+
        
+
      • Binaries to /usr/local/bin/
        • 
+
      • Configuration to /etc/3proxy/
        • 
+
      • Plugins to /usr/local/lib/3proxy/
        • 
+
      • Launchd plist to /Library/LaunchDaemons/org.3proxy.3proxy.plist
        • 
+
      
+
      
+
      
+Using Makefile:
+
      +ln -sf Makefile.FreeBSD Makefile
+make
+sudo make install
+
      
+This installs binaries to /usr/local/3proxy/bin/ and configuration to /usr/local/etc/3proxy/.
+
      
+
      
+Service management with launchd:
+
      After installation via cmake, the service can be managed with launchctl:
+
      +# Load and start the service
+sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+# Stop the service
+sudo launchctl stop org.3proxy.3proxy
+
+# Start the service
+sudo launchctl start org.3proxy.3proxy
+
+# Unload and disable the service
+sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
      
+The service runs as user proxy (created during installation).
+Configuration file: /etc/3proxy/3proxy.cfg
+
      
+		
    • How to use 3proxy with Docker
+
      
+Using pre-built images from GitHub Container Registry:
+
      +docker pull ghcr.io/3proxy/3proxy:latest
+
      
+
      
+
      
+Building Docker images:
+
      Two Dockerfiles are provided:
+
        
+
      • Dockerfile.minimal - minimal static build, no plugins, configuration from stdin:
+
        +docker build -f Dockerfile.minimal -t 3proxy.minimal .
+docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal
+
        
+Then enter configuration followed by "end" command.
+
        • 
+
      • Dockerfile.full - full build with plugins (SSL, PCRE, Transparent):
+
        +docker build -f Dockerfile.full -t 3proxy.full .
+docker run -p 3129:3129 -v /path/to/config:/usr/local/3proxy/conf 3proxy.full
+
        
+The configuration file must be placed at /path/to/config/3proxy.cfg.
+
        • 
+
      
+
      
+
      
+By default, 3proxy runs in chroot environment with uid/gid 65535. Use nserver in config for DNS resolution in chroot.
+For non-chroot execution, mount config to /etc/3proxy.
 
      
 	
    
 
    
@@ -169,36 +267,36 @@ Add 3proxy to system startup scripts.
 
    
 	
      
   
    • How to make 3proxy start
-
      Valid configuration file is required.
+
      A valid configuration file is required.
 
-    
    • How to make limitation (access, bandwidth, traffic, connections) work
-
       Most probable reasons for non-working limitations: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.
+    
    • How to make limitations (access, bandwidth, traffic, connections) work
+
       The most probable reasons for non-working limitations: 'auth none' or no auth is used. For any ACL-based feature, one of 'iponly', 'nbname', or 'strong' auth is required. The sequence of commands may be invalid. Commands are executed one-by-one, and 'proxy', 'tcppm', 'socks', or another service commands must follow a valid configuration. An invalid sequence of ACLs. The first matching ACL is used (except for internal redirections, see below). If an ACL contains at least one record, the last record is assumed to be 'deny *'.
 
-    
    • How to make 3proxy to run as a service
-
      Possible reasons for 3proxy starts manually but fails to start as a service:
+    
    • How to make 3proxy run as a service
+
      Possible reasons for 3proxy starting manually but failing to start as a service:
 
        
-
      • there are relative paths in configuration file for included files,
-log files, etc. Always use absolute paths. For example
-$"c:\3proxy\networks.local" instead of  $networks.local. For debugging remove
-'service' and 'daemon', log to stdout an try to execute 3proxy from command
-line from some different directory (for example from disk root).
-
      • SYSTEM account doesn't have access to executable file, configuration files,
+
      • there are relative paths in the configuration file for included files,
+log files, etc. Always use absolute paths. For example,
+$"c:\3proxy\networks.local" instead of $networks.local. For debugging, remove
+'service' and 'daemon', log to stdout, and try to execute 3proxy from the command
+line from a different directory (for example, from the disk root).
+
      • the SYSTEM account doesn't have access to the executable file, configuration files,
 log files, etc.
-
      • configuration files is not located in default path (3proxy.cfg in same
-location with 3proxy.exe). For alternative configuration file location use
+
      • the configuration file is not located in the default path (3proxy.cfg in the same
+location as 3proxy.exe). For an alternative configuration file location, use
 
         3proxy --install full_path_to_configuration_file
 
        
-
      • user has no rights to install or start service
-
      • service is already installed and/or started
+
      • the user has no rights to install or start the service
+
      • the service is already installed and/or started
 
 
      
 
-
      How to understant internal and external
+
      How to understand internal and external
 
      
 Both internal and external IPs are IPs of the host running 3proxy itself.
-This configuration option is usefull in situation 3proxy is running on the
-border host with 2 (or more) connections: e.g. LAN and WAN with different IPs
+This configuration option is useful in situations where 3proxy is running on a
+border host with 2 (or more) connections: e.g., LAN and WAN with different IPs
 
            LAN connection +-------------+ Internet connection
 LAN <-------------->| 3proxy host |<-------------------> INTERNET
@@ -206,60 +304,60 @@ LAN <-------------->| 3proxy host |<-------------------> INTERNET
 	           |               |
               Internal IP       External IP
 
      
-If 3proxy is used on the host with single connection, both internal and
-external are usually same IP.
-
      Internal should exist and be UP on the moment 3proxy is started and
+If 3proxy is used on a host with a single connection, both internal and
+external are usually the same IP.
+
      The internal interface should exist and be UP at the moment 3proxy is started and
 should never be disconnected/DOWN. If this interface is periodically
-disconnected (e.g. direct link between 2 hosts), do not specify internal
+disconnected (e.g., a direct link between 2 hosts), do not specify an internal
 address or use 0.0.0.0 instead. In this case, if you have 2 or more
-interfaces you must use firewall (preferably) or 3proxy ACLs to avoid open
-proxy situation. 
+interfaces, you must use a firewall (preferably) or 3proxy ACLs to avoid an open
+proxy situation.
 
      
-External IP (if specified) must exist in the momet 3proxy
-serves client request. If external interface is no specified (or 0.0.0.0),
-system select external IP. It may be possible to access resources of internal
-network, to prevent this use ACLs. In addition, SOCKSv5 will not support BIND
-operation, required for incoming connections (this operation is quite rarely
-implemented in SOCKSv5 clients and usually is not required). In case of
-dynamic address, do not specify external or use external 0.0.0.0 or, if
-external address is required, create a script to determine current external
-IP and save it to file, and use external "$path_to_file" with "monitor" command
-to automatically reload configuration on address change.
+The external IP (if specified) must exist at the moment 3proxy
+serves a client request. If the external interface is not specified (or 0.0.0.0),
+the system selects the external IP. It may be possible to access resources of the internal
+network; to prevent this, use ACLs. In addition, SOCKSv5 will not support the BIND
+operation, which is required for incoming connections (this operation is quite rarely
+implemented in SOCKSv5 clients and is usually not required). In case of
+a dynamic address, do not specify external or use external 0.0.0.0, or, if
+an external address is required, create a script to determine the current external
+IP and save it to a file, and use external "$path_to_file" with the "monitor" command
+to automatically reload the configuration on address change.
 
     
    • How to make ODBC logging work?
 
      
-Check you use system DSN. 
-Check SQL request is valid. 
-The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually.
-Under Unix, you may also want to adjust 'stacksize' parameter.
+Check that you are using a system DSN.
+Check that the SQL request is valid.
+The best way to check is to use file or stdout logging, get the SQL request from the log file or console, and execute this request manually.
+Under Unix, you may also want to adjust the 'stacksize' parameter.
 
     
    • How to make IPv6 work
-
       Proxy can not access destination directly over IPv6 if client requests IPv4 address.
-To access IPv6 destination, either IPv6 address or hostname  must be used in request.
-Best solution is to enable option to resolve hostnames via proxy on client side.
+
       The proxy cannot access a destination directly over IPv6 if the client requests an IPv4 address.
+To access an IPv6 destination, either an IPv6 address or a hostname must be used in the request.
+The best solution is to enable the option to resolve hostnames via the proxy on the client side.
 
     
    • How to fix 3proxy crashes
-
       default stacksize may be insufficient, if some non-default plugins
-  are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with
-  invalid system defined values (few versionds of FreeBSD on amd64).
-  Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.
+
       The default stacksize may be insufficient if some non-default plugins
+  are used (e.g., PAM and ODBC on Linux) or if compiled on some platforms with
+  invalid system-defined values (a few versions of FreeBSD on amd64).
+  The problem can be resolved with the 'stacksize' command or '-S' option starting with 3proxy 0.8.4.
 
 
-		
    • Where to find configuration example
+		
    • Where to find a configuration example
 
      
-Server configuration example 3proxy.cfg.sample is in any 3proxy distribution.
+A server configuration example, 3proxy.cfg.sample, is included in every 3proxy distribution.
 
      
 		
    • How to set up logging
 
      
-3proxy can log to stdout, file, ODBC datasource and
-syslog (Unix/Linux/Cygwin only). For using ODBC under Unix/Linux you must
-compile 3proxy with Unix ODBC libraries, see Compilation.
-You can control logging from 3proxy.cfg for all services or you can control
-logging of individual service, for example 
-/usr/local/sbin/socks -l/var/log/socks.log starts SOCKS proxy with logging to file.
-For universal proxy (3proxy) log file rotation and archiving is supported.
-Log type is defined with "log" configuration file command or with
--l switch on individual service invokation. log or -l is stdout logging.
+3proxy can log to stdout, a file, an ODBC datasource, or
+syslog (Unix/Linux/Cygwin only). To use ODBC under Unix/Linux, you must
+compile 3proxy with Unix ODBC libraries; see Compilation.
+You can control logging from 3proxy.cfg for all services, or you can control
+logging for an individual service. For example,
+/usr/local/sbin/socks -l/var/log/socks.log starts a SOCKS proxy with logging to a file.
+For the universal proxy (3proxy), log file rotation and archiving are supported.
+The log type is defined with the "log" configuration file command or with the
+-l switch on individual service invocation. log or -l with no argument is stdout logging.
 
       	log filename
 
      
@@ -267,7 +365,7 @@ and
 
       	-lfilename
 
      
-specify filename for logging
+specify a filename for logging.
 
       	log @ident
 
      
@@ -275,28 +373,28 @@ and
 
       	-l@ident
 
      
-specify ident for syslog logging. If filename within "log" command contains
-'%' characters, it's processes as format specificator (see "logformat"). E.g.
-log c:\3proxy\logs\%y%m%d.log D creates file like c:\3proxy\logs\060729.log,
-date is generated based on local time.
+specify an ident for syslog logging. If the filename within the "log" command contains
+'%' characters, it is processed as a format specifier (see "logformat"). E.g.,
+log c:\3proxy\logs\%y%m%d.log D creates a file like c:\3proxy\logs\060729.log;
+the date is generated based on local time.
 
       	log &connstring
 
      
 
-specifies ODBC connection string, connstring is in format
-datasource,username,password (2 last are optional of
-datasource does not require or already has authentication information). 
-Also, you must specify logformat to build SQL query, to insert recod into
-log, see How to setup logging format
+specifies an ODBC connection string; connstring is in the format
+datasource,username,password (the last two are optional if the
+datasource does not require or already has authentication information).
+Also, you must specify logformat to build the SQL query to insert a record into
+the log; see How to set up logging format
 
      
 
      
-Rotation and archiving may be set up with log, rotate  archiver commands
+Rotation and archiving may be set up with log, rotate, and archiver commands.
 
       	log filename LOGTYPE
 
      
-sets rotation type. LOGTYPE may be:
+sets the rotation type. LOGTYPE may be:
 
        
-	
      • M, monthely
+	
      • M, monthly
 	
      • W, weekly
 	
      • D, daily
 	
      • H, hourly
@@ -305,55 +403,55 @@ sets rotation type. LOGTYPE may be:
 
         	rotate NUMBER
 
        
-	specifies number of files in rotation (that is how many files to keep).
+	specifies the number of files in rotation (i.e., how many files to keep).
 
         	archiver EXT COMMAND PARAMETERS
 
        
-	Sets external archiver. EXT is extention of archived files
-	(for example zip, gz, Z, rar etc) COMMAND and PARAMETERS are command
-	to execute and command line PARAMETERS. Originale file is not deleted by
-	3proxy, this work is left for archiver.
-	You can pass original filename to archiver with %F macro and archive filename with %A.
+	Sets an external archiver. EXT is the extension of archived files
+	(for example, zip, gz, Z, rar, etc.). COMMAND and PARAMETERS are the command
+	to execute and its command-line parameters. The original file is not deleted by
+	3proxy; this work is left for the archiver.
+	You can pass the original filename to the archiver with the %F macro and the archive filename with %A.
 	Examples are located in
 	3proxy.cfg.sample
 
        
-		
      • How to setup logging format
+		
      • How to set up logging format
 
        
-	Since 0.3 version log format may be set with "logformat" command.
-	First symbol of log format specifies format of date and time and
-	should be L (LOCAL) or G (GMT - Grinwitch Meridian Time). Format
-	string may contains some macro substitutions:
+	Since version 0.3, the log format may be set with the "logformat" command.
+	The first symbol of the log format specifies the format of the date and time and
+	should be L (LOCAL) or G (GMT - Greenwich Meridian Time). The format
+	string may contain some macro substitutions:
 	
          
 
        • 	 %y - Year (2 digits)
 
        • 	 %Y - Year (4 digits)
 
        • 	 %m - Month (2 digits)
-
        • 	 %o - mOnth (3 letter abbriviation)
+
        • 	 %o - Month (3-letter abbreviation)
 
        • 	 %d - Day (2 digits)
 
        • 	 %H - Hour (2 digits)
 
        • 	 %M - Minute (2 digits)
 
        • 	 %S - Second (2 digits)
-
        • 	 %t - Timestamp (seconds since January, 1 1970 00:00:00 GMT)
+
        • 	 %t - Timestamp (seconds since January 1, 1970 00:00:00 GMT)
 
        • 	 %. - Milliseconds
-
        • 	 %z - Timezone in mail format (from GMT, '+' east, '-' west HHMM), For example Moscow winter time is +0300.
+
        • 	 %z - Timezone in mail format (from GMT, '+' east, '-' west HHMM). For example, Moscow winter time is +0300.
 
        • 	 %U - Username ('-' if unknown).
-
        • 	 %N - Service name (PROXY, SOCKS, POP3P, etc)
+
        • 	 %N - Service name (PROXY, SOCKS, POP3P, etc.)
 
        • 	 %p - Service port
-
        • 	 %E - Error code (see. Log error codes reference)
+
        • 	 %E - Error code (see Log error codes reference)
 
        • 	 %C - client IP
 
        • 	 %c - client port
 
        • 	 %R - target IP
 
        • 	 %r - target port
-
        • 	 %e - external IP address used to establish connection
+
        • 	 %e - external IP address used to establish the connection
 
        • 	 %Q - requested IP
 
        • 	 %q - requested port
-
        • 	 %I - bytes received from target
-
        • 	 %O - bytes sent to target
-
        • 	 %n - host name from request
-
        • 	 %h - hops  before target (if redirection or chaning is used).
+
        • 	 %I - bytes received from the target
+
        • 	 %O - bytes sent to the target
+
        • 	 %n - hostname from the request
+
        • 	 %h - hops before the target (if redirection or chaining is used);
 	 see How to use chains and parent proxies)
-
        • 	 %T - service specific text (for example URL requested). %X-YT
+
        • 	 %T - service-specific text (for example, the requested URL). %X-YT,
 	 where X and Y are positive numbers, only displays fields
- 	 (space delimited) X to Y of the text. An example is %1-2T.
+	 (space-delimited) X to Y of the text. An example is %1-2T.
 	
        
 	Example:
 
        @@ -366,23 +464,23 @@ logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
 
        (no line breaks)
 
        
 
        
-	If ODBC used, logformat should specify SQL command,
-	to insert record into log, for example
+	If ODBC is used, logformat should specify the SQL command
+	to insert a record into the log, for example:
 
         logformat "-\'+_GINSERT INTO proxystat  VALUES (%t, '%c', '%U', %I)"
        
 
        (no line breaks)
 
        -\'+_ instructs to replace characters \ and ' with _
 
        
-		
      • How to use log analizers with 3proxy
+		
      • How to use log analyzers with 3proxy
 
        
-Just make format of 3proxy logs compatible with format supported by your
-favourite log analizer. Examples of compatible logformats are:
+Just make the format of 3proxy logs compatible with a format supported by your
+favorite log analyzer. Examples of compatible logformats are:
 
        
 For Squid access.log:
 
        
 "- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"
 
        
-or, more compatible format without %D
+or, a more compatible format without %D:
 
         "- +_G%t.%.      1 %C TCP_MISS/200 %I %1-1T %2-2T %U
  DIRECT/%R application/unknown"
@@ -403,7 +501,7 @@ ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
 
        
 ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
 
        -"-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
+"-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
 	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
 	%D	%O	%I	%r	TCP	Connect	-	-
 	-	%E	-	-	-	-	-"
@@ -412,30 +510,30 @@ HTTPD standard log (Apache and others):
 
        
 "-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" %E %I"
 
        
-or more compatible without error code
+or a more compatible format without the error code:
 
        
 "-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" 200 %I"
 
        
-		
      • How to start any of proxy services (HTTP, SOCKS etc)
+		
      • How to start any of the proxy services (HTTP, SOCKS, etc.)
 
        
 3proxy is distributed in 2 variants: as a set of standalone modules (proxy,
-socks, pop3p, tcppm, udppm) and as universal proxy server. These services are
-absolutely independant, and if you use 3proxy you needn't any of standalone
+socks, pop3p, tcppm, udppm) and as a universal proxy server. These services are
+absolutely independent, and if you use 3proxy, you don't need any of the standalone
 modules.
-
        Standalone modules are only configurable via command line interface while
-3proxy uses configuration file. Many functions, such as ODBC logging, log
-rotation, access control, etc are only available in 3proxy, not in standalone
+
        Standalone modules are only configurable via the command line interface, while
+3proxy uses a configuration file. Many functions, such as ODBC logging, log
+rotation, access control, etc., are only available in 3proxy, not in standalone
 proxies.
-Standalone module may be started from command line, for example:
+A standalone module may be started from the command line, for example:
 
         $/sbin/socks -l/var/log/socks.log -i127.0.0.1
 
        
-Starts SOCKS server binded to localhost ip, port 1080 with logging to
+Starts a SOCKS server bound to localhost IP, port 1080, with logging to
 /var/log/socks.log.
-You can get help for any standalone service with -? command line option.
+You can get help for any standalone service with the -? command line option.
 
        
-If 3proxy is used you should start all services in 3proxy.cfg file. 3proxy.cfg
-is executed by 3proxy as a batch file. Example of 3proxy.cfg and command syntaxys
+If 3proxy is used, you should start all services in the 3proxy.cfg file. 3proxy.cfg
+is executed by 3proxy as a batch file. An example of 3proxy.cfg and command syntax
 can be found in
 3proxy.cfg.sample.
 
        @@ -445,19 +543,19 @@ internal 127.0.0.1
 external 192.168.1.1
 proxy
 socks -p3129
-pop3p 
+pop3p
 
        
-Starts 3 services: HTTP PROXY, SOCKS and POP3 PROXY. Each listens localhost
-interface with default port (3128 for HTTP, 1080 for SOCKS and 110 for POP3P)
-except socks started with port 3129.
-All logs are in file /var/log/3proxy.log (with daily date modification and
-rotation). 30 last files are stored.
+Starts 3 services: HTTP PROXY, SOCKS, and POP3 PROXY. Each listens on the localhost
+interface with the default port (3128 for HTTP, 1080 for SOCKS, and 110 for POP3P)
+except socks, which is started with port 3129.
+All logs are in the file /var/log/3proxy.log (with daily date modification and
+rotation). The 30 most recent files are stored.
 
        
-		
      • How to bind service to specific interface and port?
+		
      • How to bind a service to a specific interface and port?
 
        
--i options specifies internal interface, -p - listening port. No space are
-allowed. To bind 'proxy' service to port 8080 on interfaces 192.168.1.1
-and 192.168.2.1 use
+The -i option specifies the internal interface; -p specifies the listening port. No spaces are
+allowed. To bind the 'proxy' service to port 8080 on interfaces 192.168.1.1
+and 192.168.2.1, use:
 
         proxy -p8080 -i192.168.1.1
 proxy -p8080 -i192.168.2.1
@@ -465,52 +563,382 @@ proxy -p8080 -i192.168.2.1
 
        
   
      • How to resolve names through a parent proxy
        • 
   
        
-  A: Use one of proxy, connect+, socks4+ or socks5+ as a parent type. 3proxy
-  itself still performs a name resolution, it's required e.g. to ACLs matching.
-  So, if no name resolution must be performed by 3proxy itself add a command
+  A: Use one of proxy, connect+, socks4+, or socks5+ as the parent type. 3proxy
+  itself still performs name resolution; it's required, e.g., for ACL matching.
+  So, if no name resolution must be performed by 3proxy itself, add the command
   
           fakeresolve
        
-  this command resolves any name to 127.0.0.2 address.
+  This command resolves any name to the 127.0.0.2 address.
   
        
-  
      • How to setup FTP proxy
        • 
+  
      • How to set up an FTP proxy
        • 
   
        
-  There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP ப
-  (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start additional
-  proxy service, 'proxy' supports FTP over HTTP, configure 'proxy' port as an FTP proxy. For ftp clients and file
-  managers use ftppr. FTP proxy supports both active and passive mode with client, but always use passive mode with FTP servers.
+  There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP
+  (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start an additional
+  proxy service; 'proxy' supports FTP over HTTP. Configure the 'proxy' port as an FTP proxy. For FTP clients and file
+  managers, use ftppr. The FTP proxy supports both active and passive mode with the client but always uses passive mode with FTP servers.
   
        
+  
      • How to set up an SNI proxy (tlspr)
        • 
+  
        
+    An SNI proxy can be used to transparently redirect any TLS traffic with an external router or via local redirection rules. It can also be used
+    to extract hostnames from TLS to use in ACLs in combination with SOCKS or HTTP(s) proxy and/or the Transparent plugin. It can also be used to require TLS or mTLS between services. The TLS handshake contains no
+    port information; if tlspr is used as a standalone service, the destination port may be either detected with the Transparent plugin or configured with the -P option (default 443).
+  
        
+    Options:
+
        +-P <port>  - destination port (default: 443)
+-c <level> - TLS check level:
+  0 (default) - allow non-TLS traffic
+  1 - require TLS, only check client HELLO packet
+  2 - require TLS, check both client and server HELLO
+  3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3)
+  4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3)
+
        
+
        
+SNI Break (DPI Bypass):
+
        tlspr can be used as a parent with the "tls" type to implement SNI splitting for DPI bypass (similar to NoDPI/GoodByeDPI).
+The client sends the first part of the TLS ClientHello, tlspr splits it at the SNI extension and sends it in two TCP packets,
+which can bypass some DPI systems that look for blocked hostnames in TLS handshakes.
+
        To enable SNI break, use parent ... tls 0.0.0.0 0 and the -s option on the listening service with TCP_NODELAY:
+
        +auth iponly
+allow *
+parent 1000 tls 0.0.0.0 0
+allow *
+proxy -s -i127.0.0.1 -ocTCP_NODELAY -osTCP_NODELAY -p1443
+
        
+
        
+TCP_NODELAY is required to prevent the kernel from merging the split packets.
+
        
+
        
+Configuration examples:
+
        
+
        
+1. Standalone SNI proxy on port 1443 redirecting to destination port 443:
+
        +tlspr -p1443 -P443 -c1
+
        
+
        
+2. Using tlspr as parent in SOCKS to detect destination hostname from TLS (even when client connects by IP):
+
        +allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * * CONNECT
+parent 1000 tls 0.0.0.0 0
+deny * * some.not.allowed.host
+allow *
+socks
+
        
+
        
+3. Using tlspr with HTTP proxy for TLS hostname-based ACL:
+
        +allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * 443
+parent 1000 tls 0.0.0.0 0
+deny * * blocked.example.com
+allow *
+proxy
+
        
+  
        
+		
      • How to set up TLS/SSL (https proxy, mTLS)
+
        
+Since version 0.9.7, SSL/TLS support is built into 3proxy when compiled with OpenSSL
+(WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated
+into the main binary. The plugin line is no longer required.
+SSL/TLS support can be used to:
+
          
+
        • Create an https:// proxy (TLS-encrypted connection between client and proxy)
          • 
+
        • Implement MITM for TLS traffic inspection
          • 
+
        • Connect to upstream servers via TLS with client certificate authentication
          • 
+
        • Require client certificate authentication (mTLS)
          • 
+
        
+
        
+
        
+Creating an https:// proxy:
+
        To create an https:// proxy, you need a server certificate and key. The certificate must not be self-signed
+and should contain Subject Alternative Names (SAN) for the proxy hostname/IP.
+
        +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_serv
+proxy -p3129
+ssl_noserv
+proxy -p3128
+
        
+
        
+This creates an https:// proxy on port 3129 and an http:// proxy on port 3128.
+Configure clients to use https://proxy-host:3129/ as the proxy URL.
+
        
+
        
+Client certificate authentication (mTLS):
+
        To require clients to authenticate with a certificate, use ssl_server_verify and provide the CA certificate:
+
        +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3129
+
        
+
        
+Only clients with a valid certificate signed by the CA can connect.
+
        
+
        
+MITM for TLS traffic inspection:
+
        To intercept and decrypt TLS traffic, you need a CA certificate to generate spoofed server certificates:
+
        +ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_ca_key /etc/3proxy/certs/ca.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_mitm
+proxy -p3128
+ssl_nomitm
+proxy -p3129
+
        
+
        
+The CA certificate must be trusted by clients. ssl_client_verify ensures the real server certificates are validated.
+Without ssl_client_verify, the proxy is vulnerable to MITM attacks.
+
        
+
        
+TLS client (connect to upstream via TLS):
+
        To connect to upstream servers via TLS with client certificate authentication:
+
        +ssl_client_cert /etc/3proxy/certs/client.crt
+ssl_client_key /etc/3proxy/certs/client.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_cli
+proxy -p3128
+
        
+
        
+Conditional TLS for parent proxy (ssl_client_mode 3):
+
        With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
+
        +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+
        
+
        
+This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
+
        
+		
      • How to create CA and certificates for SSL
+
        
+Creating a Certificate Authority (CA):
+
        For MITM or mTLS, you need a CA. Generate a CA private key and certificate:
+
        +# Generate CA private key
+openssl genrsa -out ca.key 4096
+
+# Generate CA certificate (valid for 10 years)
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=My CA" \
+    -out ca.crt
+
        
+
        
+For MITM, import ca.crt into client browsers/OS as a trusted root CA.
+
        
+
        
+Creating a server certificate for https:// proxy:
+
        The server certificate must have proper Subject Alternative Names (SAN):
+
        +# Generate server private key
+openssl genrsa -out server.key 2048
+
+# Create a certificate signing request (CSR)
+openssl req -new -key server.key \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=proxy.example.com" \
+    -out server.csr
+
+# Create extensions file for SAN
+cat > server.ext << 'EOF'
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = proxy.example.com
+DNS.2 = proxy
+IP.1 = 192.168.1.100
+EOF
+
+# Sign the certificate with CA
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 \
+    -extfile server.ext
+
        
+
        
+For a public https:// proxy, use a CA like Let's Encrypt instead of self-signed.
+
        
+
        
+Creating a client certificate for mTLS:
+
        +# Generate client private key
+openssl genrsa -out client1.key 2048
+
+# Create CSR
+openssl req -new -key client1.key \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=client1" \
+    -out client1.csr
+
+# Create extensions file
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+
+# Sign with CA
+openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client1.crt -days 365 -sha256 \
+    -extfile client.ext
+
+# Create PKCS#12 bundle for browser import
+openssl pkcs12 -export -out client1.p12 \
+    -inkey client1.key -in client1.crt -certfile ca.crt
+
        
+
        
+Import client1.p12 into the client browser or OS certificate store.
+
        
+
        
+Quick setup script for development/testing:
+
        +#!/bin/sh
+# Creates CA, server, and client certificates for SSLPlugin testing
+
+# CA
+openssl genrsa -out ca.key 4096
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/CN=3proxy CA" -out ca.crt
+
+# Server
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
+cat > server.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
+EOF
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
+
+# Client
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/CN=client" -out client.csr
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+extendedKeyUsage = clientAuth
+EOF
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
+openssl pkcs12 -export -out client.p12 -passout pass: \
+    -inkey client.key -in client.crt -certfile ca.crt
+
        
+		
      • How to use PCRE filtering (regular expressions)
+
        
+Since version 0.9.7, PCRE (Perl Compatible Regular Expressions) filtering is built into
+3proxy when compiled with PCRE2 support (WITH_PCRE). Previously available as PCREPlugin,
+the functionality is now integrated into the main binary. The plugin line is no longer required.
+
        
+
        
+PCRE filtering can be used to create matching and replacement rules with regular expressions
+for client requests, client and server headers, and client and server data.
+
        
+
        
+Commands:
+
        +pcre TYPE FILTER_ACTION REGEXP [ACE]
+pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
+pcre_extend FILTER_ACTION [ACE]
+pcre_options OPTION1 [...]
+
        
+
        
+
          
+
        • TYPE - type of filtered data (comma-delimited list):
+ 
            
+ 
          • request - content of the client's request (e.g., HTTP GET request string)
+ 
          • cliheader - content of the client request headers
+ 
          • srvheader - content of the server's reply headers
+ 
          • clidata - data received from the client (e.g., HTTP POST data)
+ 
          • srvdata - data received from the server (e.g., HTML page)
+ 
          
+
        • FILTER_ACTION - action on match:
+ 
            
+ 
          • allow - allow this request without checking the rest of the rules
+ 
          • deny - deny this request without checking the rest of the rules
+ 
          • dunno - continue with the rest of the rules (useful with pcre_rewrite)
+ 
          
+
        • REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching is required.
+
        • REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings
+$1, $2, etc. $0 means the whole matched string. \r and \n may be used to insert new lines.
+
        • ACE - access control entry (user names, source IPs, destination IPs, ports, etc.),
+identical to allow/deny/bandlimin commands. The regular expression is only matched if the ACL
+matches the connection data.
+
        
+
        
+
        
+Examples:
+
        +# Block requests containing specific keywords for certain users
+pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
+
+# Block responses with specific content type
+pcre srvheader deny "Content-type: application"
+
+# Replace content in both directions (censorship)
+pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
+pcre_extend deny * 192.168.0.1/16
+
        
+
        
+Note: Regular expressions don't require authentication and cannot replace
+authentication and/or allow/deny ACLs.
+
        
 		
      • How to limit service access
 
        
-First, always specify internal interface to accept incoming connection with
+First, always specify the internal interface to accept incoming connections with the
 'internal' configuration command or '-i' service command. (See
-How to start any of proxy services (HTTP, SOCKS etc)). If
-no internal interface is specified your proxy will act as open one.
-
        It's also important to specify external interface to prevent access to
+How to start any of the proxy services (HTTP, SOCKS, etc.)). If
+no internal interface is specified, your proxy will act as an open proxy.
+
        It's also important to specify the external interface to prevent access to the
 internal network with 'external' or -e.
-
        3proxy with configuration files allows to use authentication and
-authorization for user's access. Authentication is possible by
-username/password or user's NetBIOS name. Authentication type is specified by
-'auth' command.  
+
        3proxy with configuration files allows you to use authentication and
+authorization for user access. Authentication is possible by
+username/password or the user's NetBIOS name. The authentication type is specified by the
+'auth' command.
 
         auth none
 
        
-Disables both authentication and authorization. You can not use ACLs.
+Disables both authentication and authorization. You cannot use ACLs.
 
         auth iponly
 
        
-Specifies no authentication, ACLs authorization is used.
+Specifies no authentication; ACL-based authorization is used.
 
         auth nbname
 
        
-Authentication by NetBIOS name + ACLs. NetBIOS name of 'messenger' service
-is obrained before ACL validation. If no name is obtained it's assumed to be
-empty. Messenger is started by default in Windows NT/2000/XP. For Win9x
-WinPopUP need to be launched. This type of authentication may be spoofed
-by privileged local user.
+Authentication by NetBIOS name + ACLs. The NetBIOS name of the 'messenger' service
+is obtained before ACL validation. If no name is obtained, it's assumed to be
+empty. Messenger is started by default in Windows NT/2000/XP. For Win9x,
+WinPopUP needs to be launched. This type of authentication may be spoofed
+by a privileged local user.
 
         auth strong
 
        
-Authentication by username/password. If user is not registered his
+Authentication by username/password. If the user is not registered, their
 access is denied regardless of ACLs.
 
        
 Different services can have different authentication levels.
@@ -524,30 +952,30 @@ socks
 
        • 
 
 It's possible to authorize access by client IP address, IP address or requested resource,
-target port, time, etc after authentication.
+target port, time, etc., after authentication.
 (See How to limit resource access).
-
        Since 0.6 version double authentication is possible, e.g.
+
        Since version 0.6, double authentication is possible, e.g.:
 
         auth iponly strong
 allow * * 192.168.0.0/16
 allow user1,user2
 proxy
 
        
-strong authentication will only be used if ACL requires username to deside if
-access must be granted. That is, in example, strong username authentication
-is not required to access 192.168.0.0/16
-
        0.6 version introduces authentication (username) caching to increase
-productivity. It's recommended to use authentication caching with resource
-or time consuming authentication types, such as nbname or external plugins
+Strong authentication will only be used if the ACL requires a username to decide if
+access must be granted. That is, in the example, strong username authentication
+is not required to access 192.168.0.0/16.
+
        Version 0.6 introduces authentication (username) caching to increase
+performance. It's recommended to use authentication caching with resource-
+or time-consuming authentication types, such as nbname or external plugins
 (WindowsAuthentication).
-Caching can be set with 'authcache' command with 2 parameters: caching type
-and caching time (in seconds). Caching type defines the type of cached access:
-'ip' - after successful authentication all connections during caching time
-from same IP are assigned to the same user, username is not requested.
-"ip,user" - username is requested and all connections from the same IP are
+Caching can be set with the 'authcache' command with 2 parameters: caching type
+and caching time (in seconds). The caching type defines the type of cached access:
+'ip' - after successful authentication, all connections during the caching time
+from the same IP are assigned to the same user; the username is not requested.
+"ip,user" - the username is requested, and all connections from the same IP are
 assigned to the same user without actual authentication. "user" - same as above,
 but IP is not checked. "user,password" - username and password are checked
-against cached ones. For authentication special authentication type 'cache'
+against cached ones. For authentication, the special authentication type 'cache'
 must be used.
  Example:
 
        @@ -556,42 +984,42 @@ auth cache strong windows
 proxy -n
 
        
 
        
-Please note, that caching affects security. Never use caching for access to
+Please note that caching affects security. Never use caching for access to
 critical resources, such as web administration.
-  
        authcache can be used to bind user's sessions to ip with 'limit' option, with
+  
        authcache can be used to bind a user's sessions to an IP with the 'limit' option. With
   
        -  autchcache ip,user,pass,limit 120
+  authcache ip,user,pass,limit 120
   auth cache strong
        
-  user will not be able to use more than a single IP during cache time (120 sec).
+  the user will not be able to use more than a single IP during the cache time (120 sec).
   
        
-		
      • How to create user list
+		
      • How to create a user list
 
        
-Userslist is created with 'users' command.
+The user list is created with the 'users' command.
 
         users USERDESC ...
 
        
-With a single command it's possible to define few users, or you
-can use few 'users' commands. USERDESC is user description. Description
-consists of three semicolon delimited parts - login, password type and
+With a single command, it's possible to define a few users, or you
+can use multiple 'users' commands. USERDESC is a user description. The description
+consists of three semicolon-delimited parts - login, password type, and
 
         users admin:CL:bigsecret test:CL:password test1:CL:password1
 users "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
 users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
 
        
-Please note the usage of quotation sign: it's required to comment out $ sign
-overwise used as a file inclusion macro.
-Next password types are available:
+Please note the usage of quotation marks: they're required to escape the $ sign,
+which is otherwise used as a file inclusion macro.
+The following password types are available:
 
          
 	
        • No password type: use system authentication.
 	
        • CL - cleartext password
-	
        • CR - crypt password, only MD5 crypt passwords are supported
+	
        • CR - crypt password; only MD5 crypt passwords are supported
 	
        • NT - NT-hashed (MD4) passwords in hex, as used in pwdump or SAMBA
 
        
 NT and crypt passwords can be used to import accounts from Windows/SAMBA or
-Unix. For Windows you can use pwdump family of utilities.
-It's convenient to store accounts apart and include account file with $ macro.
-Because for included files newlines are treated as a space, it's possible to
-use atandard passwd file format:
+Unix. For Windows, you can use the pwdump family of utilities.
+It's convenient to store accounts separately and include an account file with the $ macro.
+Because for included files, newlines are treated as spaces, it's possible to
+use a standard passwd file format:
 
         users $/etc/.3proxypasswd
 
        
@@ -599,48 +1027,48 @@ or
 
         users $"c:\Program Files\3proxy\passwords"
 
        
-It's possible to create NT and crypt passwords with mycrypt utility included
-in distribution.
-
        Userlist is system-wide. To manage user access to specific service use ACLs.
+It's possible to create NT and crypt passwords with the 3proxy_crypt utility included
+in the distribution.
+
        The user list is system-wide. To manage user access to a specific service, use ACLs.
 
        
 		
      • How to limit user access to resources
 
        
-Commands allow, deny and flush are used to manage ACLs:
+The commands allow, deny, and flush are used to manage ACLs:
 
        
 allow <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist> <weekdaylist> <timeperiodlist>
-
        deny <userlist> <sourcelist> <targetlist>  <weekdaylist> <timeperiodlist>
+
        deny <userlist> <sourcelist> <targetlist> <weekdaylist> <timeperiodlist>
 
        flush
         
 
        
-'flush' command is used to finish with existing ACL and to start new one.
+The 'flush' command is used to finish with the existing ACL and start a new one.
 It's required to have different ACLs for different services.
-'allow' is used to allow connection and 'deny' to deny connection. 'allow'
-command can be extended by 'parent' command to manage redirections (see How to manage redirections)). If ACL
-is empty it allow everything. If ACL is not empty, first matching ACL entry
-is searched for user request and ACL action (allow or deny) performed. If
-no matching record found, connection is denied and user will be asked to
-re-authenticate (requested for username/password). To prevent this request
-add 'deny *' to the end of list.
+'allow' is used to allow a connection, and 'deny' to deny a connection. The 'allow'
+command can be extended by the 'parent' command to manage redirections (see How to manage redirections). If the ACL
+is empty, it allows everything. If the ACL is not empty, the first matching ACL entry
+is searched for the user request, and the ACL action (allow or deny) is performed. If
+no matching record is found, the connection is denied, and the user will be asked to
+re-authenticate (prompted for username/password). To prevent this prompt,
+add 'deny *' to the end of the list.
 
          
-	
        • <userlist> - comma delimited list of users
-	
        • <sourcelist> - comma delimited list of source (client) networks. 
-		Networks can be defined as single IP address or in CIDR form
-		xxx.yyy.zzz.mmm/l, where l - is the length of network mask
+	
        • <userlist> - comma-delimited list of users
+	
        • <sourcelist> - comma-delimited list of source (client) networks.
+		Networks can be defined as a single IP address or in CIDR form
+		xxx.yyy.zzz.mmm/l, where l is the length of the network mask
 		(a number of non-zero bits). 192.168.1.0/24
-		means network with 255.255.255.0 mask.
-	
        • <targetlist> - comma delimited list of target (server) networks.
-		In 3proxy 0.6 and above it's allowed to use hostnames with wildmasks
-		in targetlist. Wildmask may only present in the begginning or at the
-		end of the hostname, e.g. 
+		means a network with a 255.255.255.0 mask.
+	
        • <targetlist> - comma-delimited list of target (server) networks.
+		In 3proxy 0.6 and above, it's allowed to use hostnames with wildmasks
+		in the targetlist. A wildmask may only appear at the beginning or at the
+		end of the hostname, e.g.,
 		192.168.0.0/16,www.example.com,*wrongsite.com,*wrongcontent*.
-	
        • <targetportlist> - comma delimited list of ports. I
-		It's possible to define port ranges with -, e.g. 80,1024-65535
+	
        • <targetportlist> - comma-delimited list of ports.
+		It's possible to define port ranges with -, e.g., 80,1024-65535
 		means port 80 and all unprivileged ports.
-	
        • <commandlist> - the list of allowed actions
-
          		CONNECT	- establish outgoing TCP connection. e.g. POP3 or SOCKSv5
-
          		BIND - allow incoming TCP connection (SOCKSv5)
-
          		UDPASSOC - create UDP association (SOCKSv5)
-
          		ICMPASSOC - create ICMP association (not implemented)
+	
        • <commandlist> - the list of allowed actions:
+
          		CONNECT	- establish an outgoing TCP connection, e.g., POP3 or SOCKSv5
+
          		BIND - allow an incoming TCP connection (SOCKSv5)
+
          		UDPASSOC - create a UDP association (SOCKSv5)
+
          		ICMPASSOC - create an ICMP association (not implemented)
 
          		HTTP_GET - HTTP GET request (HTTP proxy)
 
          		HTTP_PUT - HTTP PUT request (HTTP proxy)
 
          		HTTP_POST - HTTP POST request (HTTP proxy)
@@ -648,45 +1076,45 @@ add 'deny *' to the end of list.
 
          		HTTP_CONNECT - HTTP CONNECT, aka HTTPS request (HTTP proxy)
 
          		HTTP_OTHER - another HTTP request (HTTP proxy)
 
          		HTTP - any HTTP request except HTTP_CONNECT (HTTP proxy)
-
          		HTTPS - alias to HTTP_CONNECT (HTTP proxy)
+
          		HTTPS - alias for HTTP_CONNECT (HTTP proxy)
 
          		FTP_GET - FTP get request (http, ftp proxy)
 
          		FTP_PUT - FTP put request (ftp proxy)
 
          		FTP_LIST - FTP list request (http, ftp proxy)
 
          		FTP - any FTP request
 
          		ADMIN - administration interface access
 
          
-	
        • <weeksdays> - week days numbers or periods (0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday).
-	
        • <timeperiodlists> - a list of time periods in HH:MM:SS-HH:MM:SS format. For example,
+	
        • <weekdays> - weekday numbers or periods (0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday).
+	
        • <timeperiodlist> - a list of time periods in HH:MM:SS-HH:MM:SS format. For example,
 		00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
-		
+
 
        
-* in ACL means "any".
-Usage examples could be found in 3proxy.cfg.sample.
+* in an ACL means "any".
+Usage examples can be found in 3proxy.cfg.sample.
 
        
 		
      • How to manage redirections
 
        
-Redirections are usefull to e.g. forward requests from specific clients
-to different servers or proxy server. Additionally, redirections are usefull
-to convert proxy interface from ont format to another, e.g. requests from
-SOCKS proxy can be redirected to parent HTTP proxy, or SOCKSv5 client can be
-redirected to SOCKSv4 proxy.
-
        Because 3proxy understand "transparent" web request, it can be used as an
-intermediate software between HTTP proxy and NAT server for transparent HTTP
-forwarding, because it can convert "Web server" request issued by client to
-"proxy request" required by proxy server. A simplest redirection is:
+Redirections are useful to, e.g., forward requests from specific clients
+to different servers or proxy servers. Additionally, redirections are useful
+to convert the proxy interface from one format to another, e.g., requests from
+a SOCKS proxy can be redirected to a parent HTTP proxy, or a SOCKSv5 client can be
+redirected to a SOCKSv4 proxy.
+
        Because 3proxy understands "transparent" web requests, it can be used as an
+intermediate software between an HTTP proxy and a NAT server for transparent HTTP
+forwarding, because it can convert a "Web server" request issued by a client to a
+"proxy request" required by a proxy server. A simple redirection is:
 
         auth iponly
 allow *
 parent 1000 http 192.168.1.1 3128
 proxy
 
        
-All trafiic of HTTP proxy is redirected to parent proxy 192.168.1.1 port 3128.
-
        If port number is '0', IP address from 'parent' is used as external address
+All traffic of the HTTP proxy is redirected to the parent proxy 192.168.1.1 port 3128.
+
        If the port number is '0', the IP address from 'parent' is used as the external address
 for this connection (that is like -eIP, but only for connections matching
 'allow').
-
        Special case of redirection are local redirections. In this case both IP is
-0.0.0.0 and port is 0. It's only usseful with SOCKS service. In this case no
-new connection is established, but request is parsed by corresponding local
+
        A special case of redirection is local redirections. In this case, both the IP is
+0.0.0.0 and the port is 0. It's only useful with the SOCKS service. In this case, no
+new connection is established, but the request is parsed by the corresponding local
 service. E.g.:
 
         auth iponly
@@ -698,25 +1126,25 @@ allow * * * 110
 parent 1000 pop3 0.0.0.0 0
 socks
 
        
-In this case all SOCKS traffic with destination port 80 is forwarded to local
-'proxy' service, destination port 21 to 'ftppr' and 110 to 'pop3pr'. There is
-no need to run these services expicitly. Local redirections are usefull if
-you want to see and control via ACLs protocol specific parameters, e.g.
-filenames requests thorugh FTP while clients are using SOCKS.
+In this case, all SOCKS traffic with destination port 80 is forwarded to the local
+'proxy' service, destination port 21 to 'ftppr', and 110 to 'pop3pr'. There is
+no need to run these services explicitly. Local redirections are useful if
+you want to see and control via ACLs protocol-specific parameters, e.g.,
+filenames requested through FTP while clients are using SOCKS.
 
        
-    
      •  ࠢ 묨 ७ࠢﬨ
+    
      • How to manage local redirections
 
        
 
        Q: What is it for?
        
-A: To have control based on request and to have URLs and another protocol specific parameters to be logged.
+A: To have control based on the request and to have URLs and other protocol-specific parameters logged.
 
-
        Q: What are restrictions?
        
-A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.
+
        Q: What are the restrictions?
        
+A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends the username, but not the password); for SOCKSv5, only cleartext password authentication is supported.
 
-
        Q: What are advantages?
        
-A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.
+
        Q: What are the advantages?
        
+A: You only need to set up a SOCKS proxy in browser settings. You can use a socksifier, e.g., FreeCAP or SocksCAP, with an application that is not proxy-aware.
 
-
        Q: How to setup?
        
-A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:
+
        Q: How to set it up?
        
+A: You should specify a parent proxy with an IP of 0.0.0.0 and port 0. Examples:
 
         auth iponly
 allow * * * 80,8080-8088
@@ -729,19 +1157,19 @@ allow * * * 80,8080-8088
 allow * * * 21,2121
 parent 1000 ftp 0.0.0.0 0
 allow * * * 21,2121
-#redirect ports 21 and 2121 to local 
+#redirect ports 21 and 2121 to local
 #ftp proxy
 
 
 allow *
-#allow rest of connections directly
+#allow the rest of connections directly
 
 socks
-#now let socks server to start
+#now let the socks server start
 
        
 
-
        Q: How it affects different ACL rules
        
-A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
+
        Q: How does it affect different ACL rules?
        
+A: After local redirections, rules are applied again to the protocol-level request. The redirection rule itself is skipped. This makes it possible to redirect the request again to an external proxy depending on the request itself.
 
         allow * * * 80,8080-8088
 parent 1000 http 0.0.0.0 0
@@ -751,33 +1179,32 @@ allow * * $c:\3proxy\local.nets 80,8080-8088
 #allow direct access to local.nets networks
 allow * * * 80,8080-8088
 parent 1000 http proxy.3proxy.org 3128
-#use parent caching proxy for rest of the networks
+#use parent caching proxy for the rest of the networks
 
 allow *
-#allow direct connections for rest of socks
+#allow direct connections for the rest of socks
 #requests
 
        
 
-		
      • How to balance traffic between few external channgels?
+		
      • How to balance traffic between multiple external channels?
 
        
-Proxy itself doesn't manage network level routing. The only way to control
-outgoing channel is to select external interface. It's possible to make
-external interface (what is usually selected with 'external' command or
-'-e' option) random by using local redirection with external port 0.
+The proxy itself doesn't manage network-level routing. The only way to control
+the outgoing channel is to select the external interface. It's possible to make
+the external interface (what is usually selected with the 'external' command or
+'-e' option) random by using local redirection with an external port of 0.
 
         auth iponly
 allow *
 parent 500 http 10.1.1.101 0
 parent 500 http 10.2.1.102 0
 
        
-Now external interface is randomly selected with 0.5 probability between
+Now the external interface is randomly selected with 0.5 probability between
 10.1.1.101 and 10.2.1.102. To work as expected, different default routes
-must between 2 interfaces.
-used
+must be used between the 2 interfaces.
 
        
-If both interface addresses are in same network, e.g. 10.1.1.101 and 10.1.1.102
-and you want to select random gateway between 10.1.1.1 and 10.1.1.2, you must
-control it by using routing table, in case there is no default gateway route
+If both interface addresses are in the same network, e.g., 10.1.1.101 and 10.1.1.102,
+and you want to select a random gateway between 10.1.1.1 and 10.1.1.2, you must
+control it by using the routing table, in case there is no default gateway route
 for Windows:
 
          route add -p 10.1.1.1 10.1.1.101
@@ -785,33 +1212,33 @@ for Windows:
  route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
  route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.2
 
        
-If you have no second address yet, just add it. Under Linux/Unix it's better
+If you don't have a second address yet, just add it. Under Linux/Unix, it's better
 to use source routing.
 
        
 		
      • How to manage proxy chains
 
        
-parent command may also be used to build a proxy chains. In this case
-few 'parent' commands are used for single 'allow' rule with different
-weights (first argument of parent command). Chain may contain any number
-of proxy servers, but it should be noted that every hope significantly
-reduces productivity. It's possible to mix different types of proxy within
-single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. Weight different from
-1000 is used to build random chains. if weight W is below 1000, this proxy
-will be used as a next chain hop with probability of W/1000. That is, if
-the weight is 250 probability this proxy will be used for the next hope is
-25%. 'parent' records with common weight of 1000 establish a group, one of
-these record will be used for the hop with probability according to weight.
-Warning: each group must have a weight even of 1000. As follows, common
-weight of all 'parent' records must also be even of 1000. If common weight
-of 'parent' records in te chain is 3000, chain has 3 hops and must be formed
+The parent command may also be used to build proxy chains. In this case,
+multiple 'parent' commands are used for a single 'allow' rule with different
+weights (the first argument of the parent command). A chain may contain any number
+of proxy servers, but it should be noted that every hop significantly
+reduces performance. It's possible to mix different types of proxies within a
+single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. A weight different from
+1000 is used to build random chains. If weight W is below 1000, this proxy
+will be used as the next chain hop with a probability of W/1000. That is, if
+the weight is 250, the probability that this proxy will be used for the next hop is
+25%. 'parent' records with a combined weight of 1000 establish a group; one of
+these records will be used for the hop with a probability according to the weight.
+Warning: each group must have a weight that is a multiple of 1000. As follows, the combined
+weight of all 'parent' records must also be a multiple of 1000. If the combined weight
+of 'parent' records in the chain is 3000, the chain has 3 hops and must be formed
 of 3 groups. Example:
 
         allow *
 parent 500 socks5 192.168.1.1 1080
 parent 500 connect 192.168.10.1 3128
 
        
-In this case we have 1 parent proxy (1 hop) which is randomely choosen between
-2 hosts: 192.168.1.1 and 192.168.10.1. 2 records form a single group.
+In this case, we have 1 parent proxy (1 hop) which is randomly chosen between
+2 hosts: 192.168.1.1 and 192.168.10.1. The 2 records form a single group.
 
         allow * * * 80
 parent 1000 socks5 192.168.10.1 1080
@@ -819,33 +1246,33 @@ parent 1000 connect 192.168.20.1 3128
 parent 300 socks4 192.168.30.1 1080
 parent 700 socks5 192.168.40.1 1080
 
        
-In this case we have 3 groups (3 hops in the chain). First hop is 192.168.10.1,
-second hop is 192.168.20.1 and 3rd one is either 192.168.30.1 with probability
-of 30% or 192.168.40.1 with probability of 70%.
+In this case, we have 3 groups (3 hops in the chain). The first hop is 192.168.10.1,
+the second hop is 192.168.20.1, and the 3rd one is either 192.168.30.1 with a probability
+of 30% or 192.168.40.1 with a probability of 70%.
 
        
 
 		
      • How to limit bandwidth
 
        
-3proxy supports bandwidth filters. To manage filters bandlimin/bandlimout and
-nobandlimin/nobandlimout. 'in' means incoming and 'out' - outgoing traffic.
+3proxy supports bandwidth filters. Use the bandlimin/bandlimout and
+nobandlimin/nobandlimout commands to manage filters. 'in' means incoming and 'out' means outgoing traffic.
 
        
 bandlimin <bitrate> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
 
        nobandlimin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
         
 
        
 Commands are applied to all services. Imagine bandwidth filters as a series of
-pipes.  Bitrate is a pipe's width and ACLs controls the flow thorugh this pipe.
+pipes. Bitrate is a pipe's width, and ACLs control the flow through this pipe.
 
           bandlimin 57600 * 192.168.10.16
   bandlimin 57600 * 192.168.10.17
   bandlimin 57600 * 192.168.10.18
   bandlimin 57600 * 192.168.10.19
 
        
-Create 4 separete pipes for 4 client with emulation of modem connection.
+Create 4 separate pipes for 4 clients with emulation of a modem connection.
 
           bandlimin 57600 * 192.168.10.16/30
 
        
-Create single pipe for all 4 clients. That is 4 clients share modem connection.
+Create a single pipe for all 4 clients. That is, 4 clients share a modem connection.
 In this example:
 
           nobandlimin * * * 110
@@ -857,7 +1284,7 @@ limitation.
 		
      • How to limit traffic amount
 
        
 
        
-counter <filename> <type> <reportpath>  
+counter <filename> <type> <reportpath>
 
        countin <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
 
        nocountin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
 
        countout <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
@@ -865,20 +1292,20 @@ counter <filename> <type> <reportpath>
         
 
        
 
        
-You can set traffic limit per day (D), week (W), month (M), year (Y) or
-absolute ('N'), as specified by 'type' argument of counterin command.
-Traffic information is stored in binary file specified by 'filename' argument.
-countersutil utility can be used to manage this file.
-reportpath specifies location of text reports, type parameter of 'counter'
-command controls how often text reports are created. amount is amount of
-allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.
+You can set a traffic limit per day (D), week (W), month (M), year (Y), or
+absolute ('N'), as specified by the 'type' argument of the counterin command.
+Traffic information is stored in a binary file specified by the 'filename' argument.
+The countersutil utility can be used to manage this file.
+The reportpath specifies the location of text reports; the type parameter of the 'counter'
+command controls how often text reports are created. The amount is the amount of
+allowed traffic in megabytes (MB). nocountin allows you to set exclusions.
 
        
   
      • How to fix incorrect traffic accounting
 
-  
        3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
+  
        3proxy accounts for protocol-level traffic. Providers count channel- or IP-level traffic with network and transport headers. In addition, 3proxy does not count DNS resolutions, pings, floods, scans, etc. This accounts for approximately a 10% difference. That is why you should have a 15% reserve if you use 3proxy to limit your traffic. If the difference with your provider is significantly above 10%, you should look for traffic bypassing the proxy server, for example connections through NAT, traffic originating from the host with the proxy installed, traffic from server applications, etc.
   
      • How to configure name resolution and DNS caching
   
        
-  For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord.
+  For name resolution and caching, use the commands nserver, nscache / nscache6, and nsrecord.
   
           nserver 192.168.1.2
   nserver 192.168.1.3:5353/tcp
        
@@ -888,79 +1315,126 @@ allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.
   
           nscache 65535
   nscache6 65535
        
-  sets name cache size for IPv4 and IPv6. Name cache must be large enouth, if presents.
-  name cache is only used if nserver is configured.
+  sets name cache size for IPv4 and IPv6. The name cache must be large enough, if present.
+  The name cache is only used if nserver is configured.
   
           nsrecord server.mycompany.example.com 192.168.1.1
   nsrecord www.porno.com 127.0.0.2
   ...
   deny * * 127.0.0.2
        
-  adds static nsrecords. Also, static nsrecords are used for dnspr, unless -s option is specified.
-  Since 0.8 version, parent proxy may be configured for dnspr.
+  adds static nsrecords. Also, static nsrecords are used for dnspr, unless the -s option is specified.
+  Since version 0.8, a parent proxy may be configured for dnspr.
 
        
   
      • How to use IPv6
   
        
-  IPv6 is supported since 0.8. Please note, some proxy protolos, e.g. SOCKSv4,
-  do not  support IPv6. SOCKSv5 supports IPv6 with special request type (must be
-  implemented by client).
+  IPv6 is supported since version 0.8. Please note that some proxy protocols, e.g., SOCKSv4,
+  do not support IPv6. SOCKSv5 supports IPv6 with a special request type (which must be
+  implemented by the client).
   
        
   3proxy supports proxying from IPv4 and IPv6 networks to IPv4,
-  IPv6 and mixed networks. IPv6 address may be used in
-  internal, external, parent commands, ACLs, -i and -e options,etc.
-  external command and -e options may be given twice for each service - once with IPv4
-  and once with IPv6 address. internal can be given only once, to bind to all IPv4 and
-  IPv6 addresses use [0:0:0:0:0:0:0:0] or [::]. 
+  IPv6, and mixed networks. An IPv6 address may be used in
+  internal, external, and parent commands, ACLs, -i and -e options, etc.
+  The external command and -e options may be given twice for each service—once with an IPv4
+  and once with an IPv6 address. internal can be given only once; to bind to all IPv4 and
+  IPv6 addresses, use [0:0:0:0:0:0:0:0] or [::].
   
        
-  Any service may be configured with -4, -46, -64, -6 options to specify decied
-  priority for name to IPv4/IPv6 address resolution (IPv4 only, IPv4 priority,
+  Any service may be configured with -4, -46, -64, or -6 options to specify the desired
+  priority for name-to-IPv4/IPv6 address resolution (IPv4 only, IPv4 priority,
   IPv6 priority, IPv6 only).
   
        	
   
      • How to use connect back
   
        
-  In example, users needs access from external network to proxy server located
-  on the host 192.168.1.2. This host can not be accessed from external network,
-  but it has access to external network with with external address 1.1.1.1.
-  Also, user has access to the host 2.2.2.2 (IP address may be dynamic) with
-  hostname host.dyndns.example.org via external network. User needs 2 instances
-  of 3proxy, first one on the host 192.168.1.2 with config
+  For example, a user needs access from an external network to a proxy server located
+  on the host 192.168.1.2. This host cannot be accessed from the external network,
+  but it has access to the external network with an external address 1.1.1.1.
+  Also, the user has access to the host 2.2.2.2 (IP address may be dynamic) with
+  hostname host.dyndns.example.org via the external network. The user needs 2 instances
+  of 3proxy, the first one on the host 192.168.1.2 with the config
   
           users user:CL:password
   auth strong
   allow user
   proxy -rhost.dyndns.example.org:1234
        
-  second one on the host.dyndns.example.org (2.2.2.2) with config
+  and the second one on host.dyndns.example.org (2.2.2.2) with the config
   
           auth iponly
   allow * * 1.1.1.1
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128
        
-  For browser settings proxy is host.dyndns.example.org:3128.
-  
        	
+  For browser settings, the proxy is host.dyndns.example.org:3128.
+  
        
+  
      • How to use HAProxy PROXY protocol
+  
        
+  3proxy supports HAProxy PROXY protocol v1 for both receiving and sending client
+  IP information. This is useful when 3proxy is behind a load balancer or when
+  passing client information to a parent proxy.
+  
        
+  
        
+  Receiving PROXY protocol header:
+  
        Use the -H option to make 3proxy expect a PROXY protocol v1 header
+  on incoming connections. This allows 3proxy to receive the real client IP address
+  from HAProxy or another load balancer:
+  
        +proxy -H -p3128
+socks -H -p1080
+
        
+  
        
+  The PROXY protocol header must be sent before any protocol-specific data.
+  
        
+  
        
+  Sending PROXY protocol header to parent proxy:
+  
        Use the ha parent type to send a PROXY protocol v1 header to
+  the parent proxy. This must be the last parent in the chain:
+  
        +allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+
        
+  
        
+  This configuration sends the client IP information to the SOCKS5 parent proxy
+  via the PROXY protocol.
+  
        
+  
      • How to set TCP maximum segment size (MSS)
+  
        
+  Use the maxseg command to set the TCP maximum segment size (MSS)
+  for outgoing connections. This can be useful to work around path MTU discovery
+  issues or to optimize traffic for specific network conditions:
+  
        +maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+
        
+  
        
+  The value is specified in bytes. This setting uses the TCP_MAXSEG socket option
+  and may not be supported on all platforms. A typical use case is to reduce MSS
+  to avoid fragmentation in VPN tunnels or to work around MTU issues with certain
+  network paths.
+  
        
 	
      
 
 
      
 	
    • Client configuration
 
      
 
      
-	
    • Administering and information analisys
+	
    • Administering and information analysis
 
      
 	
        
 		
      • How to obtain latest 3proxy version
 
        
-Latest version of 3proxy may be obtained
-here.
-New version may have changes and incompatibilities with previous one in files
-format or commands. Please, read CHANGELOG file and another documentation
-before installing new version.
+The latest version of 3proxy may be obtained
+here.
+A new version may have changes and incompatibilities with the previous one in file
+formats or commands. Please read the CHANGELOG file and other documentation
+before installing a new version.
 
        
 		
      • How to control 3proxy service under Windows NT/2000/XP
 
        
-If installed as system service, 3proxy understands Windows service commands
-for START, STOP, PAUSE and RESUME. If service is PAUSEd, no new connections
-are accepted while older connections are processed. Currently there is no
-support for dynamic configuration change, so, you have to restart service
+If installed as a system service, 3proxy understands Windows service commands
+for START, STOP, PAUSE, and RESUME. If the service is PAUSEd, no new connections
+are accepted while older connections are processed. Currently, there is no
+support for dynamic configuration changes, so you have to restart the service
 completely if you have changed any configuration.
 
-You can control 3proxy service via "Services" administration ot via "net" command:
+You can control the 3proxy service via "Services" administration or via the "net" command:
 
         	net start 3proxy
 	net stop 3proxy
@@ -971,8 +1445,8 @@ You can control 3proxy service via "Services" administration ot via "net" comman
 		
      • Log error codes reference
 
        
 	
          
-		
        • 0 - Operation successfully complited (connection
-			was closed by one of peers)
+		
        • 0 - Operation successfully completed (connection
+			was closed by one of the peers)
 		
        • 1-9 - AUTHENTICATION ERRORS
 		
        • 1 - Access denied by ACL (deny)
 		
        • 2 - Redirection (should not appear)
@@ -1031,10 +1505,10 @@ You can control 3proxy service via "Services" administration ot via "net" comman
 
          
 	
        
 
        
-	
      • How To ask quiestion not in How To?
+	
      • How to ask a question not in How To?
 
        
 	Ask it in Github.
-	Don't try to ask something before reading this document.
+	Please read this document before asking a question.
  
      
 
 
    
diff --git a/doc/html/howtor.html b/doc/html/howtor.html
index 708f3bd..c2df08d 100644
--- a/doc/html/howtor.html
+++ b/doc/html/howtor.html
@@ -5,16 +5,15 @@
   
  • Компиляция
   
   
  • Установка и удаление 3proxy
   
   
  • Конфигурация сервера
   
   
  • Конфигурация и настройка клиентов
   
      
@@ -71,64 +76,67 @@
   
        
     
      • Как скомпилировать 3proxy Visual C++
     
        
-    Извлеките файлы из архива 3proxy.tgz (например, с помощью WinZip).
-    Используйте команду nmake /f Makefile.msvc.
+    Извлеките файлы из архива 3proxy.tgz (например, с помощью WinZip) или используйте git.
+    
        +    nmake /f Makefile.msvc
+    
        
+    Исполняемые файлы будут помещены в каталог bin/.
     
        
-    
      • Как скомпилировать 3proxy Intel C Compiler под Windows
+    
      • Как скомпилировать 3proxy с помощью CMake
     
        
-    См. Как скомпилировать 3proxy Visual C++. 
-    Используйте Makefile.intl вместо Makefile.msvc
-    
        
-    
      • Как скомпилировать 3proxy GCC под Windows
        • 
-    
        
-    Извлеките файлы из архива 3proxy.tgz (например, с помощью WinZip или, при наличии
-    Cygwin, tar -xzf 3proxy.tgz).
-    Используйте команду make -f Makefile.win. Если по каким-то причинам вы хотите использовать
-    библиотеку POSIX-эмуляции CygWin - используйте make -f Makefile.unix.
-    При использовании CygWin, функции, специфичные для Windows (такие, как запуск в
-    качестве службы) будут недоступны.
+    CMake предоставляет кроссплатформенную систему сборки. Работает на Windows (MSVC, MinGW), Linux, macOS и BSD.
+    
        Базовые шаги сборки:
+    
        +    mkdir build
+    cd build
+    cmake ..
+    cmake --build .
        
+    На Windows с Visual Studio можно также сгенерировать файл решения:
+    
        +    cmake -G "Visual Studio 17 2022" -A x64 ..
+    cmake --build . --config Release
        
+    Опциональные функции можно включить через параметры cmake:
+    
        +    cmake -D3PROXY_USE_OPENSSL=ON -D3PROXY_USE_PCRE2=ON ..
        
+    Доступные опции: 3PROXY_USE_OPENSSL, 3PROXY_USE_PCRE2, 3PROXY_USE_PAM, 3PROXY_USE_ODBC.
+    
        Исполняемые файлы будут помещены в каталог build/bin/.
     
        
     
      • Как скомпилировать 3proxy GCC под Unix/Linux
        • 
     
        
-    Используйте make -f Makefile.unix. Должен использоваться GNU make, на
-    некоторых системах необходимо использовать gmake вместо make. Под Linux
-    необходимо использовать Makefile.Linux, под Solaris - Makefile.Solaris-* (в
-    зависимости от используемого компилятора). Компиляция проверена в FreeBSD/i386,
-    OpenBSD/i386, NetBSD/i386, RH Linux/Alpha, Debian/i386, Gentoo/i386, Gentoo/PPC,
-    Solaris 10, но должно собираться в любых версиях *BSD/Linux/Solaris.
-    В других системах может потребоваться модификация make-файла и/или исходных текстов.
-    Для компиляции с поддержкой ODBC необходимо убрать -DNOODBC из флагов
-    компиляции и добавить -lodbc (или другую ODBC-библиотеку) к флагам линковщика.
-    
        
-	
      • Как скомпилировать 3proxy Compaq C Compiler под Unix/Linux
        • 
-	
        
-	Используйте make -f Makefile.ccc. Компиляция проверена в RH Linux 7.1/Alpha.
-    В других системах может потребоваться модификация файла и/или исходных текстов.
+    Для Linux используйте:
+    
        +    ln -sf Makefile.Linux Makefile
+    make
        
+    Для FreeBSD используйте:
+    
        +    ln -sf Makefile.FreeBSD Makefile
+    make
        
+    Для других Unix-подобных систем используйте Makefile.unix. На BSD-производных системах
+    убедитесь, что используете GNU make; иногда он называется gmake вместо make.
+    
        Компиляция проверена на FreeBSD, NetBSD, OpenBSD, Linux, Solaris и macOS.
+    
        Для поддержки ODBC необходимо установить Unix ODBC, убрать -DNOODBC из флагов
+    компиляции и добавить ODBC-библиотеку к флагам линковщика.
+    
        Исполняемые файлы будут помещены в каталог bin/.
     
        
   
      
 
      
 
    • Установка и удаление 3proxy
 
      
 
        
-  
      • Как установить/удалить 3proxy под Windows 95/98/ME/NT/2000/XP/2003 как службу
+  
      • Как установить/удалить 3proxy под Windows NT/2000/XP/2003 как службу
   
        
-  Извлеките файлы из архива 3proxy.zip в любой каталог 
+  Извлеките файлы из архива 3proxy.zip в любой каталог
   (например, c:\Program Files\3proxy). Если необходимо, создайте каталог для
   хранения файлов журналов. Создайте файл конфигурации 3proxy.cfg в
   каталоге 3proxy (см. раздел Конфигурация сервера).
-  Если используется версия более ранняя, чем 0.6, добавьте строку
-  
        -  service
        
-  в файл 3proxy.cfg. Откройте командную строку (cmd.exe).
+  Откройте командную строку (cmd.exe).
   Перейдите в каталог с 3proxy и дайте команду 3proxy.exe --install:
   
           D:\>C:
   C:\>cd C:\Program Files\3proxy
   C:\Program Files\3proxy>3proxy.exe --install
        
   Сервис должен быть установлен и запущен. Если сервис не запускается,
-  проверьте содержимое файла журнала,
-  попробуйте удалить строку service из 3proxy.cfg, запустить 3proxy.exe вручную
-  и проанализировать сообщения об ошибках.
+  попробуйте запустить 3proxy.exe вручную и проанализировать сообщения об ошибках.
   
        
   Для удаления 3proxy необходимо остановить сервис и дать
   команду 3proxy.exe --remove:
@@ -138,43 +146,110 @@
   C:\Program Files\3proxy>net stop 3proxy
   C:\Program Files\3proxy>3proxy.exe --remove
после чего каталог 3proxy можно удалить. -

- Установка в качестве системной службы под Windows 9x поддерживается с версии 0.5 -

-
  • Как установить/удалить 3proxy под Windows 95/98/ME -

    - Извлеките файлы из архива 3proxy.zip в любой каталог - (например, c:\Program Files\3proxy). Если необходимо, создайте каталог для - хранения файлов журналов. Создайте файл конфигурации 3proxy.cfg в - каталоге 3proxy (См. раздел Конфигурация сервера). - В файле конфигурации удалите строку - 

    -  service
    - и добавьте строку - 
    -  daemon
    - Создайте ярлык для 3proxy.exe и поместите его в автозагрузку либо с помощью - редактора реестра regedit.exe добавьте в разделе -
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    - строковый параметр -
    3proxy = "c:\Program Files\3proxy.exe" "C:\Program Files\3proxy.cfg"
    - Использование кавычек при наличии в пути пробела обязательно. - Перезагрузитесь. - Если сервер не запускается, - проверьте содержимое файла журнала, - попробуйте удалить строку daemon из 3proxy.cfg, запустить 3proxy.exe вручную - и проанализировать сообщения об ошибках.

  • Как установить/удалить 3proxy под Unix/Linux

    - Скомпилируйте 3proxy (см. раздел Компиляция). Скопируйте - исполняемые файлы в подходящий каталог (например, /usr/local/3proxy/sbin для - серверных приложений или /usr/local/3proxy/bin для клиентских утилит). - Создайте файл /usr/local/etc/3proxy.cfg. - (См. раздел Конфигурация сервера). - Изменить расположение файла конфигурации можно, задав параметр при вызове - 3proxy или изменив путь в файле 3proxy.c до компиляции. - Добавьте вызов 3proxy в скрипты начальной инициализации. + С помощью Makefile: +
    Скомпилируйте 3proxy (см. раздел Компиляция), затем выполните: + 

    +  sudo make install
    + Это установит исполняемые файлы в /usr/local/3proxy/sbin/, + конфигурацию в /etc/3proxy/ и настроит chroot-каталоги. + Файл конфигурации по умолчанию: /etc/3proxy/3proxy.cfg. +

    +

    + С помощью CMake: + 

    +  mkdir build && cd build
+  cmake ..
+  cmake --build .
+  sudo cmake --install .
    +

    +

    + С помощью готовых пакетов из GitHub: +
    Скачайте .deb или .rpm пакеты со страницы GitHub Releases. +
    Для Debian/Ubuntu: + 

    +  sudo dpkg -i 3proxy_*.deb
    + Для RHEL/CentOS/Fedora: + 
    +  sudo rpm -i 3proxy-*.rpm
    +

    +

    + Добавьте 3proxy в скрипты автозапуска или используйте systemd: + 

    +  sudo systemctl enable 3proxy
+  sudo systemctl start 3proxy
    +

    +
  • Как установить/удалить 3proxy под macOS +

    + С помощью CMake (рекомендуется): + 

    +  mkdir build && cd build
+  cmake ..
+  cmake --build .
+  sudo cmake --install .
    + Это установит: +
      +
    • Исполняемые файлы в /usr/local/bin/
      • +
    • Конфигурацию в /etc/3proxy/
      • +
    • Плагины в /usr/local/lib/3proxy/
      • +
    • Launchd plist в /Library/LaunchDaemons/org.3proxy.3proxy.plist
      • +
    +

    +

    + С помощью Makefile: + 

    +  ln -sf Makefile.FreeBSD Makefile
+  make
+  sudo make install
    + Это установит исполняемые файлы в /usr/local/3proxy/bin/ и конфигурацию в /usr/local/etc/3proxy/. +

    +

    + Управление службой через launchd: +
    После установки через cmake службой можно управлять с помощью launchctl: + 

    +  # Загрузить и запустить службу
+  sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+  # Остановить службу
+  sudo launchctl stop org.3proxy.3proxy
+
+  # Запустить службу
+  sudo launchctl start org.3proxy.3proxy
+
+  # Выгрузить и отключить службу
+  sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
    + Служба запускается от имени пользователя proxy (создаётся при установке). + Файл конфигурации: /etc/3proxy/3proxy.cfg +

    +
  • Как использовать 3proxy с Docker +

    + Использование готовых образов из GitHub Container Registry: + 

    +  docker pull ghcr.io/3proxy/3proxy:latest
    +

    +

    + Сборка Docker-образов: +
    Предоставляются два Dockerfile: +

      +
    • Dockerfile.minimal - минимальная статическая сборка без плагинов, конфигурация из stdin: + 
      +  docker build -f Dockerfile.minimal -t 3proxy.minimal .
+  docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal
      + Затем введите конфигурацию, завершив командой "end". +
      • +
    • Dockerfile.full - полная сборка с плагинами (SSL, PCRE, Transparent): + 
      +  docker build -f Dockerfile.full -t 3proxy.full .
+  docker run -p 3129:3129 -v /path/to/config:/usr/local/3proxy/conf 3proxy.full
      + Файл конфигурации должен находиться по пути /path/to/config/3proxy.cfg. +
      • +
    +

    +

    + По умолчанию 3proxy работает в chroot-окружении с uid/gid 65535. Используйте nserver в конфигурации для DNS-разрешения в chroot. + Для запуска без chroot монтируйте конфигурацию в /etc/3proxy.

    @@ -218,7 +293,7 @@
  • Служба уже установлена или запущена

    -
  • Как разобраться с internal и external
    • +
  • Как разобраться с internal и external

    • Убедитесь, что выправильно понимаете что такое internal и external адреса. Оба адреса - это адреса, принадлежищие хосту, на котором установлен 3proxy. @@ -439,7 +514,7 @@ - Internal External 0x0 Allowed" Формат ISA 2000/2004 firewall FWSEXTD.log (поля разделены табуляцией): 

    -  "-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
+  "-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
   %H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
   %D	%O	%I	%r	TCP	Connect	-	-
   -	%E	-	-	-	-	-"
    @@ -508,6 +583,341 @@ через http прокси, дополнительного прокси поднимать не надо. Для FTP-клиентов необходимо поднять ftppr. FTP прокси всегда работает с FTP сервером в пассивном режиме.

    +
  • Как настроить SNI proxy (tlspr)
    • +

    + SNI proxy может быть использован для транспарентного перенаправления любого TLS трафика (например HTTPS) на внешнем маршрутизаторе + или локальными правилами. Так же можно использовать его для извлечения имени хоста из TLS хендшейка с целью логгирования или использования в ACL. + Еще одна задача которую может решать модуль - требование наличия TLS или mTLS (mutual TLS). + Если tlspr используется как отдельный сервис без использования плагина Transparent, то необходимо задать порт назначения через опцию -P (по умолчанию 443), + т.к. TLS хендшейк не содержит информации о порте назначения. +

    + Опции: +

    +-P <порт>  - порт назначения (по умолчанию: 443)
+-c <уровень> - уровень проверки TLS:
+  0 (по умолчанию) - пропустить трафик без TLS
+  1 - требовать TLS, проверять наличие client HELLO
+  2 - требовать TLS, проверять наличие client и server HELLO
+  3 - требовать TLS, проверять наличие серверного сертификата (не совместим с TLS 1.3+)
+  4 - требовать взаимный (mutual) TLS, проверять что сервер запрашивает сертификат и клиент его отправляет (не совместим с TLS 1.3+)
+
    +

    +SNI Break (обход DPI): +
    tlspr может использоваться как родительский прокси типа "tls" для реализации SNI-фрагментации (аналог NoDPI/GoodByeDPI). +Клиент отправляет первую часть TLS ClientHello, tlspr разбивает его на расширении SNI и отправляет двумя TCP-пакетами, +что позволяет обойти некоторые DPI-системы, ищущие заблокированные имена хостов в TLS-рукопожатиях. +
    Для включения SNI break используйте parent ... tls 0.0.0.0 0 и опцию -s на слушающем сервисе с TCP_NODELAY: +

    +auth iponly
+allow *
+parent 1000 tls 0.0.0.0 0
+allow *
+proxy -s -i127.0.0.1 -ocTCP_NODELAY -osTCP_NODELAY -p1443
+
    +

    +TCP_NODELAY необходим, чтобы ядро не объединяло разделенные пакеты. +

    +

    +Примеры конфигурации: +

    +

    +1. Отдельный SNI proxy на порту 1443 с перенаправлением на порт назначения 443: +

    +tlspr -p1443 -P443 -c1
+
    +

    +2. Использование tlspr как родительского прокси в SOCKS для обнаружения hostname из TLS (даже если клиент подключается по IP): +

    +allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * * CONNECT
+parent 1000 tls 0.0.0.0 0
+deny * * some.not.allowed.host
+allow *
+socks
+
    +

    +3. Использование tlspr с HTTP proxy для ACL по имени хоста TLS: +

    +allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * 443
+parent 1000 tls 0.0.0.0 0
+deny * * blocked.example.com
+allow *
+proxy
+
    +

    + +
  • Как настроить TLS/SSL (https прокси, mTLS) +

    +Начиная с версии 0.9.7 поддержка TLS/SSL встроена в 3proxy при компиляции с OpenSSL +(WITH_SSL). Ранее доступная как SSLPlugin, функциональность теперь интегрирована +в основной бинарный файл. Строка plugin больше не нужна. +TLS/SSL может использоваться для: +

      +
    • Создания https:// прокси (TLS-шифрованное соединение между клиентом и прокси)
      • +
    • Реализации MITM для инспекции TLS-трафика
      • +
    • Соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату
      • +
    • Требования аутентификации по клиентскому сертификату (mTLS)
      • +
    +

    +

    +Создание https:// прокси: +
    Для создания https:// прокси требуется сертификат и ключ сервера. Сертификат не должен быть самоподписанным +и должен содержать альтернативные имена (SAN) для имени хоста/IP прокси. +

    +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_serv
+proxy -p3129
+ssl_noserv
+proxy -p3128
+
    +

    +Создаётся https:// прокси на порту 3129 и http:// прокси на порту 3128. +Настройте клиенты на использование https://proxy-host:3129/ в качестве URL прокси. +

    +

    +Аутентификация по клиентскому сертификату (mTLS): +
    Чтобы требовать от клиентов аутентификацию по сертификату, используйте ssl_server_verify и укажите CA-сертификат: +

    +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3129
+
    +

    +Только клиенты с действительным сертификатом, подписанным CA, смогут подключиться. +

    +

    +MITM для инспекции TLS-трафика: +
    Для перехвата и расшифровки TLS-трафика требуется CA-сертификат для генерации подделанных серверных сертификатов: +

    +ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_ca_key /etc/3proxy/certs/ca.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_mitm
+proxy -p3128
+ssl_nomitm
+proxy -p3129
+
    +

    +CA-сертификат должен быть доверенным для клиентов. ssl_client_verify обеспечивает проверку реальных серверных сертификатов. +Без ssl_client_verify прокси уязвим для MITM-атак. +

    +

    +TLS-клиент (соединение с вышестоящим сервером через TLS): +
    Для соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату: +

    +ssl_client_cert /etc/3proxy/certs/client.crt
+ssl_client_key /etc/3proxy/certs/client.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_cli
+proxy -p3128
+
    +

    +Условное TLS для parent прокси (ssl_client_mode 3): +
    При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации: +

    +ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+
    +

    +Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps. +

    +
  • Как создать CA и сертификаты для SSL +

    +Создание удостоверяющего центра (CA): +
    Для MITM или mTLS требуется CA. Сгенерируйте закрытый ключ CA и сертификат: +

    +# Генерация закрытого ключа CA
+openssl genrsa -out ca.key 4096
+
+# Генерация сертификата CA (действителен 10 лет)
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=My CA" \
+    -out ca.crt
+
    +

    +Для MITM импортируйте ca.crt в браузеры/ОС клиентов как доверенный корневой CA. +

    +

    +Создание серверного сертификата для https:// прокси: +
    Серверный сертификат должен иметь правильные альтернативные имена (SAN): +

    +# Генерация закрытого ключа сервера
+openssl genrsa -out server.key 2048
+
+# Создание запроса на подпись сертификата (CSR)
+openssl req -new -key server.key \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=proxy.example.com" \
+    -out server.csr
+
+# Создание файла расширений для SAN
+cat > server.ext << 'EOF'
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = proxy.example.com
+DNS.2 = proxy
+IP.1 = 192.168.1.100
+EOF
+
+# Подписание сертификата CA
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 \
+    -extfile server.ext
+
    +

    +Для публичного https:// прокси используйте CA вроде Let's Encrypt вместо самоподписанного. +

    +

    +Создание клиентского сертификата для mTLS: +

    +# Генерация закрытого ключа клиента
+openssl genrsa -out client1.key 2048
+
+# Создание CSR
+openssl req -new -key client1.key \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=client1" \
+    -out client1.csr
+
+# Создание файла расширений
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+
+# Подписание CA
+openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client1.crt -days 365 -sha256 \
+    -extfile client.ext
+
+# Создание PKCS#12 для импорта в браузер
+openssl pkcs12 -export -out client1.p12 \
+    -inkey client1.key -in client1.crt -certfile ca.crt
+
    +

    +Импортируйте client1.p12 в хранилище сертификатов браузера или ОС клиента. +

    +

    +Скрипт быстрой настройки для разработки/тестирования: +

    +#!/bin/sh
+# Создаёт CA, серверный и клиентский сертификаты для тестирования SSLPlugin
+
+# CA
+openssl genrsa -out ca.key 4096
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/CN=3proxy CA" -out ca.crt
+
+# Сервер
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
+cat > server.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
+EOF
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
+
+# Клиент
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/CN=client" -out client.csr
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+extendedKeyUsage = clientAuth
+EOF
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
+openssl pkcs12 -export -out client.p12 -passout pass: \
+    -inkey client.key -in client.crt -certfile ca.crt
+
    + +
  • Как использовать PCRE-фильтрацию (регулярные выражения) +

    +Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy при компиляции с поддержкой +PCRE2 (WITH_PCRE). Ранее доступная как PCREPlugin, функциональность теперь интегрирована +в основной бинарный файл. Строка plugin больше не нужна. +

    +

    +PCRE-фильтрация может использоваться для создания правил поиска и замены с регулярными +выражениями для запросов клиентов, заголовков клиента и сервера, а также данных. +

    +

    +Команды: +

    +pcre TYPE FILTER_ACTION REGEXP [ACE]
+pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
+pcre_extend FILTER_ACTION [ACE]
+pcre_options OPTION1 [...]
+
    +

    +

      +
    • TYPE - тип фильтруемых данных (список через запятую): +
        +
      • request - содержимое запроса клиента (например, строка HTTP GET-запроса) +
      • cliheader - содержимое заголовков запроса клиента +
      • srvheader - содержимое заголовков ответа сервера +
      • clidata - данные полученные от клиента (например, данные POST-запроса) +
      • srvdata - данные полученные от сервера (например, HTML-страница) +
      +
    • FILTER_ACTION - действие при совпадении: +
        +
      • allow - разрешить запрос без проверки остальных правил +
      • deny - запретить запрос без проверки остальных правил +
      • dunno - продолжить проверку правил (полезно для pcre_rewrite) +
      +
    • REGEXP - регулярное выражение PCRE (Perl). Используйте * если проверка не требуется. +
    • REWRITE_EXPRESSION - строка замены. Может содержать Perl-подстановки +$1, $2 и т.д. $0 - вся найденная подстрока. \r и \n для вставки новых строк. +
    • ACE - элемент списка контроля доступа (имена пользователей, IP источника, +IP назначения, порты и т.д.), аналогичный командам allow/deny/bandlimin. +Регулярное выражение проверяется только при совпадении ACL с данными соединения. +
    +

    +

    +Примеры: +

    +# Блокировать запросы с определёнными ключевыми словами для некоторых пользователей
+pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
+
+# Блокировать ответы с определённым content-type
+pcre srvheader deny "Content-type: application"
+
+# Замена содержимого в обоих направлениях (цензура)
+pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
+pcre_extend deny * 192.168.0.1/16
+
    +

    +Примечание: Регулярные выражения не требуют авторизации и не могут заменить +авторизацию и/или ACL allow/deny. +

    +
  • Как ограничить доступ к службе

    Во-первых, для ограничения доступа необходимо указать внутренний интерфейс, @@ -632,7 +1042,7 @@ или 

       users $"c:\Program Files\3proxy\passwords"
    - Шифрованные NT и crypt пароли можно создавать с помощью утилиты mycrypt. + Шифрованные NT и crypt пароли можно создавать с помощью утилиты 3proxy_crypt.
    Список пользователей един для всех служб. Разграничение доступа по службам необходимо производить с помощью списков доступа.

    @@ -1009,7 +1419,55 @@ allow * * 1.1.1.1 tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128 В настройках браузера указывается host.dyndns.example.org:3128. -

    +

    +
  • Как использовать протокол HAProxy PROXY +

    + 3proxy поддерживает протокол HAProxy PROXY v1 как для приёма, так и для + отправки информации об IP-адресе клиента. Это полезно, когда 3proxy находится + за балансировщиком нагрузки или при передаче информации о клиенте родительскому прокси. +

    +

    + Приём заголовка PROXY протокола: +
    Используйте опцию -H, чтобы 3proxy ожидал заголовок PROXY протокола v1 + на входящих соединениях. Это позволяет 3proxy получать реальный IP-адрес клиента + от HAProxy или другого балансировщика нагрузки: + 

    +proxy -H -p3128
+socks -H -p1080
+
    +

    + Заголовок PROXY протокола должен быть отправлен до любых протокольных данных. +

    +

    + Отправка заголовка PROXY протокола родительскому прокси: +
    Используйте тип родительского прокси ha для отправки заголовка + PROXY протокола v1 родительскому прокси. Это должен быть последний родитель в цепочке: + 

    +allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+
    +

    + Эта конфигурация отправляет информацию об IP-адресе клиента SOCKS5 родительскому + прокси через PROXY протокол. +

    +
  • Как установить максимальный размер сегмента TCP (MSS) +

    + Используйте команду maxseg для установки максимального размера + сегмента TCP (MSS) для исходящих соединений. Это может быть полезно для обхода + проблем с Path MTU Discovery или для оптимизации трафика в специфических + сетевых условиях: + 

    +maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+
    +

    + Значение указывается в байтах. Эта настройка использует опцию сокета TCP_MAXSEG + и может не поддерживаться на всех платформах. Типичный случай использования - + уменьшение MSS для избежания фрагментации в VPN туннелях или для обхода проблем + с MTU на определённых сетевых путях. +

  • Конфигурация клиентов @@ -1066,9 +1524,9 @@ прокси-серверы для доступа к разным ресурсам. Эта возможность разбирается в статьях
    Microsoft: Q296591 A Description of the Automatic Discovery Feature -
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;296591 +
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;296591
    Netscape: Navigator Proxy Auto-Config File Format -
    http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html +
    http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
  • Как настраивать FTP клиент

    Настройка FTP клиента для работы через SOCKS прокси не отличается от настройки @@ -1124,20 +1582,14 @@

  • Как использовать 3proxy с программой, не поддерживающей работу с прокси-сервером

    - Можно использовать любую программу-редиректор, например, - SocksCAP или - FreeCAP. 3proxy поддерживает исходящие + Можно использовать любую программу-редиректор. 3proxy поддерживает исходящие и обратные TCP и UDP соединения, но редиректоры могут иметь свои ограничения, кроме того, некоторые плохо написаные приложения не поддаются "соксификации". Если программе требуется обращаться к небольшому набору серверов (например, игровых), то проблему можно решить с помощью портмаппинга.

  • Как использовать 3proxy с играми

    - Оптимальный варинт - использовать соксификатор (Как использовать - 3proxy с программой, не поддерживающей работу с прокси-сервером). - FreeCap 3.13 проверен с играми на движке - Unreal (включая Unreal Tournament), Half-Life (включая Counter-Strike) и - другими. Если по каким-то причинам соксификатор не работает или недоступен, + Если по каким-то причинам соксификатор не работает или недоступен, то необходимо использовать отображения портов (обычно игры, кроме mood-подобных, работают по протоколу UDP, надо использовать udppm). Нужно иметь ввиду, что для udppm требуется отдельный маппинг для каждого @@ -1162,7 +1614,7 @@

  • Где взять свежую версию

    Свежую версию всегда можно взять - здесь. Обратите внимание, + здесь. Обратите внимание, что в новой версии может измениться порядок лицензирования или команды конфигурации, поэтому прежде чем устанавливать новую версии программы обязательно ознакомьтесь с документацией. diff --git a/doc/html/index.html b/doc/html/index.html index e370c9f..7802dc5 100644 --- a/doc/html/index.html +++ b/doc/html/index.html @@ -1,16 +1,18 @@ -3proxy documentation

    3proxy documentation

    -Security recommendations
    -Optimizing 3proxy for high loads
    -How To (English, very incomplete)
    -How To (Russian)
    -

    Man pages: -
    3proxy.8 -
    ftppr.8 -
    pop3p.8 -
    proxy.8 -
    smtpp.8 -
    socks.8 -
    tcppm.8 -
    udppm.8 -
    3proxy.cfg.3 - +3proxy documentation

    3proxy documentation

    +Security recommendations
    +Optimizing 3proxy for high loads
    +How To (English, very incomplete)
    +How To (Russian)
    +

    Man pages:

    +
    3proxy_crypt.8 +
    3proxy.8 +
    ftppr.8 +
    pop3p.8 +
    proxy.8 +
    smtpp.8 +
    socks.8 +
    tcppm.8 +
    tlspr.8 +
    udppm.8 +
    3proxy.cfg.5 + diff --git a/doc/html/man5/3proxy.cfg.5.html b/doc/html/man5/3proxy.cfg.5.html new file mode 100644 index 0000000..b9f3393 --- /dev/null +++ b/doc/html/man5/3proxy.cfg.5.html @@ -0,0 +1,1294 @@ + + + + + + + +

    3proxy.cfg

    + +NAME
    +DESCRIPTION
    +PLUGINS
    +SSL/TLS SUPPORT
    +MITM Commands
    +Server TLS Commands
    +Client TLS Commands
    +SSL Parameters
    +PCRE FILTERING
    +PCRE Commands
    +PCRE Parameters
    +BUGS
    +SEE ALSO
    +TRIVIA
    +AUTHORS
    + +
    + + +

    NAME + +

    + + + +

    3proxy.cfg +3proxy configuration file

    + +

    DESCRIPTION + +

    + + +

    Common +structure:
    +Configuration file is a text file 3proxy reads configuration +from. Each line of the file is a command executed +immediately, as if it were given from the console. The +sequence of commands is important. The configuration file is +actually a script for the 3proxy executable. Each line of +the file is treated as a blank (space or tab) separated +command line. Additional space characters are ignored. Think +about 3proxy as "application level router" with +console interface.

    + +

    Comments:
    +Any line beginning with a space character or ´#´ +character is a comment. It´s ignored. <LF>s are +ignored. <CR> is the end of a command.

    + +

    Quotation:
    +The quotation character is " (double quote). Quotation +must be used to quote spaces or other special characters. To +use a quotation character inside a quoted string, the +character must be doubled (BASIC convention). For example, +to use HELLO "WORLD" as an argument, you should +write it as "HELLO ""WORLD""". +Good practice is to quote any argument you use.

    + +

    File inclusion: +
    +You can include file by using $FILENAME macro (replace +FILENAME with a path to file, for example +$/usr/local/etc/3proxy/conf.incl or
    +$"c:\\Program Files\3proxy\include.cfg" Quotation +is required in last example because path contains space +character. For included file <CR> (end of line +characters) is treated as space character (arguments +delimiter instead of end of command delimiter). Thus, +include files are only useful to store long single-line +commands (like userlist, network lists, etc). To use dollar +sign somewhere in argument it must be quoted. Recursion is +not allowed.

    + +

    Next commands +start gateway services:

    + +

    proxy +[options]
    +socks     [options]
    +pop3p     [options]
    +smtpp     [options]
    +ftppr     [options]
    +admin     [options]
    +dnspr     [options]
    +tcppm     [options] <SRCPORT> <DSTADDR> +<DSTPORT>
    +udppm     [options] <SRCPORT> <DSTADDR> +<DSTPORT>
    +Descriptions:
    +proxy     HTTP/HTTPS proxy (default port 3128)
    +socks     SOCKS 4/4.5/5 proxy (default port 1080)
    +tlspr     SNI proxy (destination address is taken from TLS +handshake), may be used to redirect any TLS-based traffic +
    +auto     Proxy with protocol autoselection between proxy / +socks / tlspr
    +pop3p     POP3 proxy (default port 110)
    +smtpp     SMTP proxy (default port 25)
    +ftppr     FTP proxy (default port 21)
    +admin     Web interface (default port 80)
    +dnspr     caching DNS proxy (default port 53)
    +tcppm     TCP portmapper. Destination address (DSTADDR) can +be a Unix domain socket using the syntax +unix:/path/to/socket (e.g., tcppm 8080 +unix:/var/run/app.sock 0). On Linux, abstract sockets use +unix:@socketname syntax. When using Unix socket +destination, the port number is ignored but must be +specified for syntax compatibility.
    +udppm     UDP portmapper

    + +

    Options:
    +-p    NUMBER change default server port to NUMBER +
    +-6     Only resolve IPv6 addresses. IPv4 addresses are +packed in IPv6 in IPV6_V6ONLY compatible way.
    +-4     Only resolve IPv4 addresses
    +-46     Prefer IPv4. Resolve IPv6 addresses if IPv4 address +is not resolvable
    +-64     Prefer IPv6. Resolve IPv4 addresses if IPv6 address +is not resolvable
    +-e     External address. IP address of the interface the +proxy should initiate connections from. External IP must be +specified if you need incoming connections. By default the +system will decide which address to use in accordance with +the routing table.
    +-i     Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. Unix domain sockets can be specified with +-iunix:/path/to/socket syntax. On Linux, abstract +sockets use -iunix:@socketname syntax.
    +-Di    INTERFACE, -DeINTERFACE bind +internal (-Di) / external (-De) interface to +given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is +supported by the system. You may need to run as root or have +CAP_NET_RAW capability in order to bind to an +interface, depending on the system, so this option may +require root privileges and can be incompatible with some +configuration commands like chroot and setuid +(and daemon if setcap is used).
    +-ni    PATH, -nePATH (Linux only) +Switch to the network namespace identified by the filesystem +path PATH (e.g. /var/run/netns/myns or +/proc/PID/ns/net) for the listening socket +(-ni) or for outgoing connections (-ne). With +-ni the current namespace is saved before opening the +listening socket and restored immediately after binding, so +that the rest of the process (outgoing connections, child +threads) runs in the original namespace unless -ne is +also given. With -ne the process switches to the +specified namespace after the listening socket is bound (and +after restoring from -ni if applicable). Requires +CAP_SYS_ADMIN (or CAP_NET_ADMIN on recent +kernels) and is incompatible with +chroot/setuid/daemon if privileges are +dropped before the switch takes effect.
    +-Ne     (for socks) External NAT address (between 3proxy and +destination server) to report to client for CONNECT and +BIND. By default external address is reported. It’s +only useful in the case of IP-IP NAT (will not work for +PAT).
    +-Ni     (for socks) Internal NAT address (between client and +3proxy) to report to client for UDPASSOC. By default +internal address is reported. It’s only useful in the +case of IP-IP NAT (will not work for PAT).
    +-R    HOST:port listen on given local +HOST:port for incoming connections instead of making remote +outgoing connection. Can be used with another 3proxy service +running -r option for connect back functionality. Most +commonly used with tcppm. HOST can be given as IP or +hostname, useful in case of dynamic DNS.
    +-r    HOST:port connect to given remote +HOST:port instead of listening local connection on -p or +default port. Can be used with another 3proxy service +running -R option for connect back functionality. Most +commonly used with proxy or socks. HOST can be given as IP +or hostname, useful in case of dynamic DNS.
    +-oc    OPTIONS, -osOPTIONS, +-olOPTIONS, -orOPTIONS, +-oROPTIONS options for proxy-to-client +(-oc), proxy-to-server (-os), proxy listening +(-ol), connect back client (-or), connect back +listening (-oR) sockets. Options like TCP_CORK, +TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, +USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, +SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, +SO_DONTROUTE may be supported depending on OS.
    +-H     (for all services) Expect HAProxy PROXY protocol v1 +header on incoming connection. This allows the proxy to +receive real client IP address from HAProxy or other load +balancer that supports the PROXY protocol. The header must +be sent before any protocol-specific data.
    + +-g(    GRACE_TRAFF,GRACE_NUM,GRACE_DELAY) +delay GRACE_DELAY milliseconds before polling if average +polling size is below GRACE_TRAFF bytes and GRACE_NUM read +operations in a single direction are detected within 1 +second. Useful to minimize polling -s
    +(for admin) secure, allow only secure operations, currently +only traffic counters view without ability to reset.
    +(for dnspr) simple, do not use resolver and 3proxy cache, +always use external DNS server.
    +(for udppm) singlepacket, expect only one packet from both +client and server
    +-u     Never ask for username/password
    +-u2     (for socks) require username/password in +authentication methods
    +-a     (for proxy) anonymous proxy (no information about +client reported)
    +-a1     (for proxy) anonymous proxy (random client +information reported)
    +-a2     (for proxy) generate Via: and X-Forwarded-For: +instead of Forwarded:
    +Also, all options mentioned for proxy(8) +socks(8) pop3p(8) tcppm(8) +udppm(8) ftppr(8)
    +are also supported.
    +Portmapping services listen at SRCPORT and connect to +DSTADDR:DSTPORT HTTP and SOCKS proxies are standard.
    +POP3 proxy must be configured as POP3 server and requires +username in the form of: pop3username@pop3server. If POP3 +proxy access must be authenticated, you can specify username +as proxy_username:proxy_password:POP3_username@pop3server +
    +DNS proxy resolves any types of records but only hostnames +are cached. It requires nserver/nscache to be +configured. If nserver is configured as TCP, +redirections are applied on connection, so parent proxy may +be used to resolve names to IP.
    +FTP proxy can be used as FTP server in any FTP client or +configured as FTP proxy on a client with FTP proxy support. +Username format is one of
    +FTPuser@FTPServer
    +FTPuser:FTPpassword@FTPserver
    +proxyuser:proxypassword:FTPuser:FTPpassword@FTPserver
    +Please note, if you use FTP client interface for FTP proxy +do not add FTPpassword and FTPServer to username, because +FTP client does it for you. That is, if you use 3proxy with +authentication use proxyuser:proxypassword:FTPuser as FTP +username, otherwise do not change original FTP user name

    + +

    include +<path>
    +Include config file

    + +

    config +<path>
    +Path to configuration file to use on 3proxy restart or to +save configuration.

    + +

    writable +
    +ReOpens configuration file for write access via Web +interface, and rereads it. Usually should be first command +on config file but in combination with config it can be used +anywhere to open alternate config file. Think twice before +using it.

    + +

    end
    +End of configuration

    + +

    log +[[@|&]logfile] [<LOGTYPE>]
    +sets logfile for all gateways
    +@ (for Unix) use syslog, filename is used as ident name
    +& use ODBC, filename consists of comma-delimited +datasource,username,password (username and password are +optional)
    +radius - use RADIUS for logging
    +LOGTYPE is one of:
    +c     Minutely
    +H     Hourly
    +D     Daily
    +W     Weekly (starting from Sunday)
    +M     Monthly
    +Y     Annually
    +if logfile is not specified logging goes to stdout. You can +specify individual logging options for gateway by using -l +option in gateway configuration.
    +log command supports same format specifications for filename +template as "logformat" (if filename contains +´%´ sign it´s believed to be template). As +with "logformat" filename must begin with +´L´ or ´G´ to specify Local or +Grinwitch time zone for all time-based format +specificators.

    + +

    rotate +<n>
    +how many archived log files to keep

    + + +

    logformat +<format>
    +Format for log record. First symbol in format must be L +(local time) or G (absolute Grinwitch time). It can be +preceeded with -XXX+Y where XXX is list of characters to be +filtered in user input (any non-printable characters are +filtered too in this case) and Y is replacement character. +For example, "-,%+ L" in the beginning of +logformat means comma and percent are replaced with space +and all time based elemnts are in local time zone.
    +You can use:

    + +

    %y Year in 2 +digit format
    +%Y Year in 4 digit format
    +%m Month number
    +%o Month abbreviation
    +%d Day
    +%H Hour
    +%M Minute
    +%S Second
    +%t Timestamp (in seconds since 01-Jan-1970)
    +%. milliseconds
    +%z time zone (from Greenwich)
    +%D request duration (in milliseconds)
    +%b average send rate per request (in bytes per second); this +speed is typically below the connection speed shown by the +download manager.
    +%B average receive rate per request (in bytes per second); +this speed is typically below the connection speed shown by +the download manager.
    +%U Username
    +%N service Name
    +%p service Port
    +%E Error code
    +%C Client IP
    +%c Client port
    +%R Remote IP
    +%r Remote port
    +%i Internal IP used to accept client connection
    +%e External IP used to establish connection
    +%Q Requested IP
    +%q Requested port
    +%n requested hostname
    +%I bytes In
    +%O bytes Out
    +%h Hops (redirections) count
    +%T service specific Text
    +%N1-N2T (N1 and N2 are positive numbers) log only fields +from N1 through N2 of service-specific text
    +In the case of ODBC logging, logformat specifies an SQL +statement, for example:
    +logformat "-´+_Linsert into log (l_date, l_user, +l_service, l_in, l_out, l_descr) values (´%d-%m-%Y +%H:%M:%S´, ´%U´, ´%N´, %I, %O, +´%T´)"

    + +

    logdump +<in_traffic_limit> <out_traffic_limit> +
    +Immediately creates additional log records if given amount +of incoming/outgoing traffic is achieved for connection, +without waiting for connection to finish. It may be useful +to prevent information about long-lasting downloads on +server shutdown.

    + + +

    delimchar +<char>
    +Sets the delimiter character used to separate username from +hostname in proxy authentication strings (e.g. for FTP, POP3 +proxies). Default is ´@´. For example, to use +´#´ instead: delimchar #. This allows usernames +to contain the ´@´ character.

    + +

    archiver +<ext> <commandline>
    +Archiver to use for log files. <ext> is file extension +produced by archiver. Filename will be last argument to +archiver, optionally you can use %A as produced archive name +and %F as filename.

    + +

    timeouts +<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> +<STRING_LONG> <CONNECTION_SHORT> +<CONNECTION_LONG> <DNS> <CHAIN> +<CONNECT> <CONNECTBACK>
    +Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, +60, 15, 5.
    +BYTE_SHORT     short timeout for single byte, is usually +used for receiving single byte from stream.
    +BYTE_LONG     long timeout for single byte, is usually used +for receiving first byte in frame (for example first byte in +socks request).
    +STRING_SHORT     short timeout, for character string within +stream (for example to wait between 2 HTTP headers)
    +STRING_LONG     long timeout, for first string in stream +(for example to wait for HTTP request).
    +CONNECTION_SHORT     inactivity timeout for short +connections (HTTP, POP3, etc).
    +CONNECTION_LONG     inactivity timeout for long connection +(SOCKS, portmappers, etc).
    +DNS     timeout for DNS request before requesting next +server
    +CHAIN     timeout for reading data from chained connection +
    +default timeouts 1 5 30 60 180 1800 15 60 15 5

    + +

    maxseg +<value>
    +Sets TCP maximum segment size (MSS) for outgoing +connections. This can be used to work around path MTU +discovery issues or to optimize traffic for specific network +conditions.

    + +

    radius +<NAS_SECRET> +<radius_server_1[:port][/local_address_1] +<radius_server_2[:port][/local_address_2] +
    +Configures RADIUS servers to be used for logging and +authentication (log and auth types must be set to radius). +port and local address to use with given server may be +specified.
    +Attributes within request: User-Name, Password: (username +and password if presented by client), Service Type: +Authenticate-Only, NAS-Port-Type: NAS-Port-Virtual, +NAS-Port-ID: (proxy service port, e.g. 1080), +NAS-IPv6-Address / NAS-IP-Address: (proxy interface accessed +by client), NAS-Identifier: (text identifing proxy, e.g. +PROXY or SOCKSv5), Framed-IPv6-Address / Framed-IP-Address: +(IP address of the client), Called-Station-ID: (requested +Hostname, if presents), Login-Service: (type of request, +e.g. 1001 - SOCKS CONNECT, 1010 - HTTP GET, 1013 - HTTP +CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host +/ Login-IP-Host: (requested IP).
    +Supported reply attributes for authentication: +Framed-IP-Address / Framed-IPv6-Address (IP to assign to +user), Reply-Message. Use authcache to speedup +authentication. RADIUS feature is currently +experimental.

    + +

    nserver +<ipaddr>[:port][/tcp]
    +Nameserver to use for name resolutions. If none specified +system routines for name resolution is used. Optional port +number may be specified. If optional /tcp is added to IP +address, name resolution is performed over TCP.

    + + +

    authnserver +<ipaddr>[:port][/tcp]
    +Nameserver to use for DNS-based authentication (e.g. dnsname +auth type). If not specified, nserver is used. The syntax is +the same as for nserver.

    + +

    nscache +<cachesize> nscache6 +<cachesize>
    +Cache <cachesize> records for name resolution +(nscache for IPv4, nscache6 for IPv6). The +cache size should usually be large enough (for example, +65536).

    + +

    nsrecord +<hostname> <hostaddr>
    +Adds static record to nscache. nscache must be +enabled. If 0.0.0.0 is used as a hostaddr host will never +resolve, it can be used to blacklist something or together +with dialer command to set up UDL for dialing.

    + + +

    fakeresolve +
    +All names are resolved to the 127.0.0.2 address. Useful if +all requests are redirected to a parent proxy with +http, socks4+, connect+ or +socks5+.

    + +

    dialer +<progname>
    +Execute progname if external name can´t be resolved. +Hint: if you use nscache, dialer may not work, because names +will be resolved through cache. In this case you can use +something like http://dial.right.now/ from browser to set up +connection.

    + +

    internal +<ipaddr>
    +sets ip address of internal interface. This IP address will +be used to bind gateways. Alternatively you can use -i +option for individual gateways. Since 0.8 version, IPv6 +address may be used.
    +Unix domain sockets are supported with the syntax +unix:/path/to/socket (e.g., internal +unix:/var/run/3proxy.sock). On Linux, abstract (fileless) +Unix sockets are supported with the syntax +unix:@socketname (e.g., internal unix:@3proxy). When +using Unix sockets, the socket file is automatically created +and removed on service start/stop.

    + +

    external +<ipaddr>
    +sets ip address of external interface. This IP address will +be source address for all connections made by proxy. +Alternatively you can use -e option to specify individual +address for gateway. Since 0.8 version External or -e +can be given twice: once with IPv4 and once with IPv6 +address.

    + +

    maxconn +<number>
    +sets the maximum number of simultaneous connections to each +service started after this command at the network level. +Default is 100.
    +To limit clients, use connlim instead. maxconn +will silently ignore new connections, while connlim +will report back to the client that the connection limit has +been reached.

    + +

    backlog +
    +sets the listening socket backlog of new connections. +Default is 1 + maxconn/8. Maximum value is capped by +kernel tunable somaxconn.

    + +

    service +
    +(deprecated). Indicates that 3proxy should behave as a +Windows 95/98/NT/2000/XP service; has no effect under Unix. +Not required for 3proxy 0.6 and above. If you upgraded from +a previous version of 3proxy, use --remove and --install to +reinstall the service.

    + +

    daemon +
    +Should be specified to close the console. Do not use +´daemon´ with ´service´. At least +under FreeBSD, daemon should precede any proxy +service and log commands to avoid socket problems. Always +place it in the beginning of the configuration file.

    + +

    auth +<authtype> [...]
    +Type of user authorization. Currently supported:
    +none     - no authentication or authorization required.
    +Note: if auth is none, any IP-based limitation, redirection, +etc. will not work. This is the default authentication type +
    +iponly     - authentication by access control list with +username ignored.
    +Appropriate for most cases
    +useronly     - authentication by username without checking +for any password with authorization by ACLs. Useful for e.g. +SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as +a username)
    +dnsname     - authentication by DNS hostname with +authorization by ACLs. The DNS hostname is resolved via a +PTR (reverse) record and validated (the resolved name must +resolve to the same IP address). It´s recommended to +use authcache by IP for this authentication. NB: there is no +password check; the name may be spoofed.
    +strong     - username/password authentication required. It +will work with SOCKSv5, FTP, POP3 and HTTP proxy.
    +cache     - cached authentication, may be used with +´authcache´.
    +radius     - authentication with RADIUS.
    +Plugins may add additional authentication types.

    + +

    It´s +possible to use multiple authentication types in the same +command. E.g.
    +auth iponly strong
    +In this case, ´strong´ authentication will be +used only if resource access cannot be performed with +´iponly´ authentication, that is, a username is +required in the ACL. It´s useful to protect access to +some resources with a password while allowing passwordless +access to other resources, or to use IP-based authentication +for dedicated laptops and request a username/password for +shared ones.

    + + +

    authcache +<cachtype> <cachtime> <cachesize> +
    +Cache authentication information for a given amount of time +(cachetime) in seconds. cachesize limits number of cache +entries. Cachetype is one of:
    +ip     - after successful authentication all connections +during caching time from same IP are assigned to the same +user, username is not requested.
    +ip,user     username is requested and all connections from +the same IP are assigned to the same user without actual +authentication.
    +user     - same as above, but IP is not checked.
    +user,password     - both username and password are checked +against cached ones.
    +limit     - limit user to use only one ip, ´ip´ +and ´user´ are required
    +ack     - only use cached auth if user access service with +same ACL
    +ext     - cache external IP
    +Use auth type cache for cached authentication

    + +

    allow +<userlist> <sourcelist> <targetlist> +<targetportlist> <operationlist> +<weekdayslist> <timeperiodslist>
    +deny     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +redirect     <ip> <port> <userlist> +<sourcelist> <targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +Access control entries. All lists are comma-separated, no +spaces are allowed. Usernames are case sensitive (if used +with authtype nbname username must be in uppercase). Source +and target lists may contain IP addresses (W.X.Y.Z), ranges +A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs (W.X.Y.Z/L). Since +0.6, the targetlist may also contain host names, instead of +addresses. It´s possible to use a wildmask in the +beginning and at the end of the hostname, e.g. *badsite.com +or *badcontent*. The hostname is only checked if a hostname +is present in the request. Targetportlist may contain ports +(X) or port ranges lists (X-Y). For any field * sign means +ANY. If access list is empty it´s assumed to be
    +allow *
    +If access list is not empty last item in access list is +assumed to be
    +deny *
    +You may want explicitly add deny * to the end of access list +to prevent HTTP proxy from requesting user´s password. +Access lists are checked after user have requested any +resource. If you want 3proxy to reject connections from +specific addresses immediately without any conditions you +should either bind proxy to appropriate interface only or to +use ip filters.

    + +

    Operation is one +of:
    +CONNECT     establish outgoing TCP connection
    +BIND     bind TCP port for listening
    +UDPASSOC     make UDP association
    +ICMPASSOC     make ICMP association (for future use)
    +HTTP_GET     HTTP GET request
    +HTTP_PUT     HTTP PUT request
    +HTTP_POST     HTTP POST request
    +HTTP_HEAD     HTTP HEAD request
    +HTTP_CONNECT     HTTP CONNECT request
    +HTTP_OTHER     over HTTP request
    +HTTP     matches any HTTP request except HTTP_CONNECT +
    +HTTPS     same as HTTP_CONNECT
    +FTP_GET     FTP get request
    +FTP_PUT     FTP put request
    +FTP_LIST     FTP list request
    +FTP_DATA     FTP data connection. Note: FTP_DATA requires +access to dynamic non-privileged (1024-65535) ports on the +remote side.
    +FTP     matches any FTP/FTP Data request
    +ADMIN     access to administration interface

    + +

    Weekdays are +week day numbers or periods, 0 or 7 means Sunday, 1 is +Monday, 1-5 means Monday through Friday.
    +Timeperiodlists is a list of time periods in +HH:MM:SS-HH:MM:SS format. For example, +00:00:00-08:00:00,17:00:00-24:00:00 lists non-working +hours.

    + +

    parent +<weight> <type> <ip> <port> +<username> <password>
    +this command must follow "allow" rule. It extends +last allow rule to build proxy chain. Proxies may be +grouped. Proxy inside the group is selected randomly. If few +groups are specified one proxy is randomly picked from each +group and chain of proxies is created (that is second proxy +connected through first one and so on). Weight is used to +group proxies. Weight is a number between 1 and 1000. +Weights are summed and proxies are grouped together until +the weight of the group is 1000. That is:
    +allow *
    +parent 500 socks5 192.168.10.1 1080
    +parent 500 connect 192.168.10.1 3128
    +makes 3proxy to randomly choose between 2 proxies for all +outgoing connections. These 2 proxies form 1 group +(summarized weight is 1000).
    +allow * * * 80
    +parent 1000 socks5 192.168.10.1 1080
    +parent 1000 connect 192.168.20.1 3128
    +parent 300 socks4 192.168.30.1 1080
    +parent 700 socks5 192.168.40.1 1080
    +creates chain of 3 proxies: 192.168.10.1, 192.168.20.1 and +third is (192.168.30.1 with probability of 0.3 or +192.168.40.1 with probability of 0.7) for outgoing web +connections. Chains are only applied to new connections, +pipelined (keep-alive) requests in the same connection use +the same chain.

    + +

    type is one of: +
    +extip     does not actually redirect the request; it sets +the external address for this request to <ip>. +It can be chained with another parent type. It’s +useful to set the external IP based on ACL or make it +random.
    +tcp     simply redirect connection. TCP is always last in +chain. This type of proxy is a simple TCP redirection, it +does not support parent authentication.
    +http     redirect to HTTP proxy. HTTP is always the last +chain. It should only be used with http (proxy) service, if +used with different service, it works as tcp redirection. +
    +pop3     redirect to POP3 proxy (only local redirection is +supported, can only be used as a first hop in chaining) +
    +ftp     redirect to FTP proxy (only local redirection is +supported, can only be used as a first hop in chaining) +
    +connect     parent is HTTP CONNECT method proxy
    +connect+     parent is HTTP CONNECT proxy with name +resolution (hostname is used instead of IP if available) +
    +socks4     parent is SOCKSv4 proxy
    +socks4+     parent is SOCKSv4 proxy with name resolution +(SOCKSv4a)
    +socks5     parent is SOCKSv5 proxy
    +socks5+     parent is SOCKSv5 proxy with name resolution +
    +socks4b     parent is SOCKS4b (broken SOCKSv4 implementation +with shortened server reply; I never saw this kind of +server, but they say there are some). Normally you should +not use this option. Do not confuse this option with +SOCKSv4a (socks4+).
    +socks5b     parent is SOCKS5b (broken SOCKSv5 implementation +with shortened server reply. I think you will never find it +useful). Never use this option unless you know exactly you +need it.
    +admin     redirect request to local ´admin´ +service (with -s parameter).
    +ha     send HAProxy PROXY protocol v1 header to parent +proxy. Must be the last in the proxy chain. Useful for +passing client IP information to the parent proxy. Example: +parent 1000 ha
    +Use "+" proxy only with fakeresolve +option

    + +

    IP and port are +ip addres and port of parent proxy server. If IP is zero, ip +is taken from original request, only port is changed. If +port is zero, it´s taken from original request, only +IP is changed. If both IP and port are zero - it´s a +special case of local redirection, it works only with +socks proxy. In case of local redirection request is +redirected to different service, ftp locally +redirects to ftppr pop3 locally redirects to pop3p +http locally redirects to proxy admin locally +redirects to the admin -s service.
    +Unix domain sockets can be used instead of IP address with +the syntax unix:/path/to/socket (e.g., parent 1000 +socks5 unix:/var/run/parent.sock 1080). On Linux, abstract +(fileless) Unix sockets are supported with +unix:@socketname syntax (e.g., parent 1000 http +unix:@parent.proxy 3128). When using Unix sockets, the port +number is ignored but must be specified for syntax +compatibility.

    + +

    Main purpose of +local redirections is to have the requested resource (URL or +POP3 username) logged and protocol-specific filters applied. +In case of local redirection, ACLs are reviewed twice: +first, by the SOCKS proxy up to the ´parent´ +command and then by the gateway service the connection is +redirected to (HTTP, FTP or POP3) after the +´parent´ command. It means an additional +´allow´ command is required for redirected +requests, for example:
    +allow * * * 80
    +parent 1000 http 0.0.0.0 0
    +allow * * * 80 HTTP_GET,HTTP_POST
    +socks
    +redirects all SOCKS requests with target port 80 to local +HTTP proxy, local HTTP proxy parses requests and allows only +GET and POST requests.
    +parent 1000 http 1.2.3.4 0
    +Changes the external address for a given connection to +1.2.3.4 (equivalent to -e1.2.3.4)
    +Optional username and password are used to authenticate on +parent proxy. Username of ´*´ means username +must be supplied by user.

    + + +

    parentretries +<number>
    +Number of retries to connect to parent proxy. Default is +1.

    + +

    nolog +<n>
    +extends last allow or deny command to prevent logging, e.g. +
    +allow * * 192.168.1.1
    +nolog

    + +

    weight +<n>
    +extends last allow or deny command to set weight for this +request
    +allow * * 192.168.1.1
    +weight 100
    +Weight may be used for different purposes.

    + +

    force
    +noforce
    +If force is specified for service, configuration reload will +require all current sessions of this service to be +re-authenticated. If ACL is changed or user account is +removed, old connections which do not match current are +closed. noforce allows to keep previously authenticated +connections.

    + + +

    bandlimin +<rate> <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +nobandlimin     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +bandlimout     <rate> <userlist> +<sourcelist> <targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +nobandlimout     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +bandlim sets a bandwidth limitation filter to +<rate> bps (bits per second). If you want to +specify bytes per second, multiply your value by 8. bandlim +rules act in the same manner as allow/deny rules, except for +one thing: bandwidth limiting is applied to all services, +not to some specific service. bandlimin and +nobandlimin apply to incoming traffic
    +bandlimout     and nobandlimout apply to outgoing +traffic
    +If you want to ratelimit your clients with IPs +192.168.10.16/30 (4 addresses) to 57600 bps, you have to +specify 4 rules like
    +bandlimin 57600 * 192.168.10.16
    +bandlimin 57600 * 192.168.10.17
    +bandlimin 57600 * 192.168.10.18
    +bandlimin 57600 * 192.168.10.19
    +and each of your clients will have a 56K channel. If you +specify
    +bandlimin 57600 * 192.168.10.16/30
    +you will have a 56K channel shared between all clients. If +you want, for example, to limit all speed except access to +POP3, you can use
    +nobandlimin * * * 110
    +before the rest of bandlim rules.

    + +

    connlim +<rate> <period> <userlist> +<sourcelist> <targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +noconnlim     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +connlim sets connections rate limit per time period for +traffic pattern controlled by ACL. Period is in seconds. If +period is 0, connlim limits a number of parallel +connections.
    +connlim 100 60 * 127.0.0.1
    +allows 100 connections per minute for 127.0.0.1.
    +connlim 20 0 * 127.0.0.1
    +allows 20 simultaneous connections for 127.0.0.1.
    +Like with bandlimin, if an individual limit is +required per client, a separate rule must be added for every +client. Like with nobandlimin, noconnlim adds an +exception.

    + +

    counter +<filename> <reporttype> +<reportname>
    +countin     <number> <type> <limit> +<userlist> <sourcelist> <targetlist> +<targetportlist> <operationlist> +<weekdayslist> <timeperiodslist>
    +nocountin     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +countout     <number> <type> <limit> +<userlist> <sourcelist> <targetlist> +<targetportlist> <operationlist> +<weekdayslist> <timeperiodslist>
    +nocountout     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>
    +countall     <number> <type> <limit> +<userlist> <sourcelist> <targetlist> +<targetportlist> <operationlist> +<weekdayslist> <timeperiodslist>
    +nocountall     <userlist> <sourcelist> +<targetlist> <targetportlist> +<operationlist> <weekdayslist> +<timeperiodslist>

    + +

    counter, +countin, nocountin, countout, nocountout, countall, +nocountall commands are used to set a traffic limit in MB +for a period of time (day, week or month). Filename is a +path to a special file where traffic information is +permanently stored. The number is the sequential number of +the record in this file. If the number is 0, this counter is +not preserved in the counter file (that is, if the proxy is +restarted, all counters with 0 are flushed); otherwise, it +should be a unique sequential number which points to the +position of the counter within the file. Type specifies a +type of counter. Type is one of:
    +H     - counter is reset hourly
    +D     - counter is reset daily
    +W     - counter is reset weekly
    +M     - counter is reset monthly
    +reporttype/reportname may be used to generate traffic +reports. Reporttype is one of D, W, M, H (hourly) and +reportname specifies the filename template for reports. The +report is a text file with counter values in the format: +
    +<COUNTERNUMBER> <TRAF>
    +The rest of parameters is identical to +bandlim/nobandlim.

    + +

    users +username[:pwtype:password] ...
    +pwtype is one of:
    +none (empty) - use system authentication
    +CL     - password is cleartext
    +CR     - password is crypt-style password
    +NT     - password is NT password (in hex)
    +example:
    +users test1:CL:password1 +"test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
    +users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
    +Note: double quotes are required because the password +contains a $ sign.

    + +

    flush +
    +empty the active access list. The access list must be +flushed every time you create a new access list for a new +service. For example:
    +allow *
    +pop3p
    +flush
    +allow * 192.168.1.0/24
    +socks
    +sets different ACLs for pop3p and socks

    + +

    system +<command>
    +execute system command

    + +

    pidfile +<filename>
    +write pid of current process to file. It can be used to +manipulate 3proxy with signals under Unix. Currently next +signals are available:

    + +

    monitor +<filename>
    +If file monitored changes in modification time or size, +3proxy reloads configuration within one minute. Any number +of files may be monitored.

    + +

    setuid +<uid>
    +calls setuid(uid), uid can be numeric or since 0.9 username. +Unix only. Warning: under some Linux kernels setuid() works +for current thread only. It makes it impossible to suid for +all threads.

    + +

    setgid +<gid>
    +calls setgid(gid), gid can be numeric or since 0.9 +groupname. Unix only.

    + +

    chroot +<path> [<uid>] +[<gid>]
    +calls chroot(path) and sets gid/uid. Unix only. uid/gid +supported since 0.9, can be numeric or +username/groupname

    + + +

    stacksize +<value_to_add_to_default_stack_size>
    +Change the default size for thread stacks. May be required +in some situations, e.g. with non-default plugins, or on +some platforms (some FreeBSD versions may require adjusting +the stack size due to an incorrectly defined value in system +header files; this value is also often required to be +changed for ODBC and PAM support on Linux). If you +experience 3proxy crash on request processing, try to set +some positive value. You may start with stacksize 65536 and +then find the minimal value for the service to work. If you +experience memory shortage, you can try to experiment with +negative values.

    + +

    PLUGINS + +

    + + +

    plugin +<path_to_shared_library> +<function_to_call> [<arg1> ...]
    +Loads specified library and calls given export function with +given arguments, as
    +int functions_to_call(struct pluginlink * pl, int argc, char +* argv[]);
    +function_to_call must return 0 in case of success, value +> 0 to indicate error.

    + + +

    filtermaxsize +<max_size_of_data_to_filter>
    +If Content-length (or another data length) is greater than +the given value, no data filtering will be performed through +filtering plugins to avoid data corruption and/or +Content-Length changing. Default is 1MB (1048576).

    + +

    SSL/TLS SUPPORT + +

    + + +

    SSL/TLS support +is built into 3proxy (since 0.9.7) when compiled with +OpenSSL (WITH_SSL). Previously available as SSLPlugin, the +functionality is now integrated into the main binary. The +plugin line is no longer required.

    + +

    SSL/TLS can be +used for: - transparent MITM (Man-in-the-Middle) for TLS +traffic inspection - https:// proxy (TLS-encrypted +connection between client and proxy) - TLS client +connections to upstream servers with certificate +authentication - mTLS (mutual TLS) requiring client +certificates

    + +

    MITM Commands + +

    + + +

    ssl_mitm +- spoof certificates for services started below. Usage +without ssl_client_verify is insecure.
    +ssl_nomitm     - do not spoof certificates for services +started below

    + +

    Server TLS Commands + +

    + + +

    ssl_serv +(or ssl_server) - require TLS connection from clients for +services below
    +ssl_noserv     (or ssl_noserver) - do not require TLS +connection from clients for services below

    + +

    Client TLS Commands + +

    + + +

    ssl_cli +(or ssl_client) - establish TLS connection to upstream +server for services below
    +ssl_nocli     (or ssl_noclient) - do not establish TLS +connection to upstream server for services below

    + +

    SSL Parameters + +

    + + + +

    ssl_server_cert +/path/to/cert - Server certificate (should not be +self-signed, must contain SAN) for ssl_serv
    +ssl_server_key     /path/to/key - Server certificate +key for ssl_server_cert or generated MITM certificate +
    +ssl_client_cert     /path/to/cert - Client +certificate for authentication on upstream server (used with +ssl_cli)
    +ssl_client_key     /path/to/key - Client certificate +key for ssl_client_cert
    +ssl_client_ciphersuites     ciphersuites_list - TLS +client ciphers for TLS 1.3
    +ssl_server_ciphersuites     ciphersuites_list - TLS +server ciphers for TLS 1.3
    +ssl_client_cipher_list     ciphers_list - TLS client +ciphers for TLS 1.2 and below
    +ssl_server_cipher_list     ciphers_list - TLS server +ciphers for TLS 1.2 and below
    +ssl_client_min_proto_version     tls_version - TLS +client minimum TLS version (e.g., TLSv1.2)
    +ssl_server_min_proto_version     tls_version - TLS +server minimum TLS version
    +ssl_client_max_proto_version     tls_version - TLS +client maximum TLS version
    +ssl_server_max_proto_version     tls_version - TLS +server maximum TLS version
    +ssl_client_verify     - verify the certificate for the +upstream server (used with ssl_mitm or ssl_cli)
    +ssl_client_no_verify     - do not verify the certificate for +the upstream server (default)
    +ssl_server_verify     - require client certificate +authentication (mTLS) for ssl_serv
    +ssl_server_no_verify     - do not require client certificate +(default)
    +ssl_server_ca_file     /path/to/cafile - CA +certificate file for MITM
    +ssl_server_ca_key     /path/to/cakey - key for +ssl_server_ca_file MITM CA
    +ssl_server_ca_dir     /path/to/cadir - CA directory +for ssl_server_verify
    +ssl_server_ca_store     /path/to/castore - CA store +for ssl_server_verify (OpenSSL 3.0+)
    +ssl_client_ca_file     /path/to/cafile - CA file for +ssl_client_verify
    +ssl_client_ca_dir     /path/to/cadir - CA directory +for ssl_client_verify
    +ssl_client_ca_store     /path/to/castore - CA store +for ssl_client_verify (OpenSSL 3.0+)
    +ssl_client_sni     hostname - SNI hostname to send to +upstream server
    +ssl_client_alpn     protocol1 protocol2 ... - ALPN +protocols to negotiate with upstream server
    +ssl_client_mode     mode - when to establish TLS +connection: 0 - on connect (default), 1 - after +authentication, 2 - before data, 3 - only for secure parent +types (ending with ’s’)
    +ssl_certcache     /path/to/cache/ - location for the +generated MITM certificates cache

    + +

    PCRE FILTERING + +

    + + +

    PCRE (Perl +Compatible Regular Expressions) filtering is built into +3proxy (since 0.9.7) when compiled with PCRE2 support +(WITH_PCRE). Previously available as PCREPlugin, the +functionality is now integrated into the main binary. The +plugin line is no longer required.

    + +

    PCRE filtering +allows creating matching and replacement rules with regular +expressions for client requests, headers, and data.

    + +

    PCRE Commands + +

    + + +

    pcre +TYPE FILTER_ACTION REGEXP [ACE]
    +Apply a rule for matching regular expression.
    +pcre_rewrite     TYPE FILTER_ACTION REGEXP +REWRITE_EXPRESSION [ACE]
    +Match and replace with rewrite expression.
    +pcre_extend     FILTER_ACTION [ACE]
    +Extend the ACL of the last pcre or pcre_rewrite command by +adding an additional ACE.
    +pcre_options     OPTION1 [OPTION2 ...]
    +Set matching options. Both PCRE2 native options and PCRE +compatibility options are supported. PCRE options are mapped +to their PCRE2 equivalents for backward compatibility.
    +PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE, +PCRE2_DOTALL, PCRE2_EXTENDED, PCRE2_DOLLAR_ENDONLY, +PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE, +PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF, +PCRE2_ALT_BSUX, PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES, +PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE, PCRE2_LITERAL, +PCRE2_MATCH_INVALID_UTF.
    +PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE, +PCRE_DOTALL, PCRE_EXTENDED, PCRE_ANCHORED, +PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL, +PCRE_UNGREEDY, PCRE_NOTEMPTY, PCRE_UTF8, +PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT, +PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART, +PCRE_FIRSTLINE, PCRE_DUPNAMES, PCRE_NEWLINE_CR, +PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY, +PCRE_NEWLINE_ANYCRLF, PCRE_BSR_ANYCRLF, +PCRE_BSR_UNICODE.

    + +

    PCRE Parameters + +

    + + +

    TYPE - type of +filtered data (comma-delimited list):
    +request - content of the client’s request (e.g., HTTP +GET request string)
    +cliheader - content of the client request headers
    +srvheader - content of the server’s reply headers
    +clidata - data received from the client (e.g., HTTP POST +data)
    +srvdata - data received from the server (e.g., HTML +page)

    + +

    FILTER_ACTION - +action on match:
    +allow - allow this request without checking the rest of the +rules
    +deny - deny this request without checking the rest of the +rules
    +dunno - continue with the rest of the rules (useful with +pcre_rewrite)

    + +

    REGEXP - PCRE +(Perl) regular expression. Use * if no regexp matching is +required.

    + + +

    REWRITE_EXPRESSION +- substitution string. May contain Perl-style substrings $1, +$2, etc. $0 means the whole matched string. \r and \n may be +used to insert new lines; the string may be empty +("").

    + +

    ACE - access +control entry (user names, source IPs, destination IPs, +ports, etc.), identical to allow/deny/bandlimin commands. +The regular expression is only matched if the ACL matches +the connection data. Warning: Regular expressions +don’t require authentication and cannot replace +authentication and/or allow/deny ACLs.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    TRIVIA + +

    + + +

    3APA3A is +pronounced as ``zaraza´´.

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/3proxy.8.html b/doc/html/man8/3proxy.8.html new file mode 100644 index 0000000..fe6a017 --- /dev/null +++ b/doc/html/man8/3proxy.8.html @@ -0,0 +1,221 @@ + + + + + + + +

    3proxy

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +SIGNALS
    +FILES
    +BUGS
    +SEE ALSO
    +TRIVIA
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    3proxy - +3[APA3A] tiny proxy server, or trivial proxy server, or free +proxy server

    + +

    SYNOPSIS + +

    + + +

    3proxy +[config_file]
    +3proxy     [--install]
    +3proxy     [--remove]

    + +

    DESCRIPTION + +

    + + +

    3proxy is +a universal proxy server. It can be used to provide internal +users with fully controllable access to external resources +or to provide external users with access to internal +resources. 3proxy is not developed to replace +squid(8), but it can extend the functionality of an +existing caching proxy. It can be used to route requests +between different types of clients and proxy servers. Think +about it as application level gateway with configuration +like hardware router has for network layer. It can establish +multiple gateways with HTTP and HTTPS proxy with FTP over +HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP +portmappers. Each gateway is started from the configuration +file like an independent service proxy(8) +socks(8) pop3p(8) tcppm(8) +udppm(8) ftppr(8) dnspr but +3proxy is not a kind of wrapper or superserver for +these daemons. It just has the same code compiled in, but +provides much more functionality. SOCKSv5 implementation +allows you to use 3proxy with any UDP or TCP based client +applications designed without proxy support (with +SocksCAP, FreeCAP or another client-side +redirector under Windows or with a socksification library +under Unix). So you can play your favourite games, listen to +music, exchange files and messages and even accept incoming +connections behind a proxy server.

    + +

    dnspr +does not exist as an independent service. It’s a DNS +caching proxy (it requires nscache and nserver +to be set in the configuration. Only A-records are cached. +Please note that this caching is mostly a ’hack’ +and has nothing to do with a real DNS server, but it works +perfectly for SOHO networks.

    + +

    3proxy supports +access control lists (ACL) like network router. Source and +destination networks and destination port can be specified. +In addition, usernames and gateway action (for example GET +or POST) can be used in ACLs. In order to filter request on +username basis user must be authenticated somehow. There are +few authentication types including password authentication +and authentication by NetBIOS name for Windows clients +(it´s very like ident authentication). Depending on +ACL action request can be allowed, denied or redirected to +another host or to another proxy server or even to a chain +of proxy servers.

    + +

    It supports +different types of logging: to logfiles, syslog(3) +(only under Unix) or to an ODBC database. Logging format is +tunable to provide compatibility with existing log file +parsers. It makes it possible to use 3proxy with IIS, ISA, +Apache or Squid log parsers.

    + +

    OPTIONS + +

    + + + +

    config_file

    + +

    Name of config file. See +3proxy.cfg(3) for configuration file format. Under +Windows, if config_file is not specified, 3proxy +looks for a file named 3proxy.cfg in the default +location (in the same directory as the executable file and +in the current directory). Under Unix, if no config file is +specified, 3proxy reads configuration from stdin. It makes +it possible to use the 3proxy.cfg file as an executable +script just by setting +x mode and adding
    +#!/usr/local/3proxy/3proxy
    +as a first line in 3proxy.cfg

    + +

    --install

    + +

    (Windows NT family only) +install 3proxy as a system service

    + +

    --remove

    + +

    (Windows NT family only) remove +3proxy from system services

    + +

    SIGNALS + +

    + + +

    Under Unix there +are a few signals 3proxy catches. See kill(1). +
    +SIGTERM

    + +

    clean up connections and +exit

    + +

    SIGPAUSE

    + +

    stop accepting new connections, +on second signal - start and re-read configuration

    + +

    SIGCONT

    + +

    start to accept new +connections

    + +

    SIGUSR1

    + +

    reload configuration

    + +

    Under Windows, +if 3proxy is installed as a service you can use +standard service management to start, stop, pause and +continue the 3proxy service, for example:
    +net start 3proxy
    +net stop 3proxy
    +net pause 3proxy
    +net continue 3proxy

    + +

    Web admin +service can also be used to reload configuration. Use wget +to automate this task.

    + +

    FILES + +

    + + + +

    /usr/local/3proxy/3proxy.cfg +(3proxy.cfg)

    + +

    3proxy configuration +file

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy.cfg(5), +proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), +kill(1), syslogd(8),
    +https://3proxy.org/

    + +

    TRIVIA + +

    + + +

    3APA3A is +pronounced as ``zaraza´´.

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/3proxy_crypt.8.html b/doc/html/man8/3proxy_crypt.8.html new file mode 100644 index 0000000..cd4b338 --- /dev/null +++ b/doc/html/man8/3proxy_crypt.8.html @@ -0,0 +1,168 @@ + + + + + + + +

    3proxy_crypt

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +EXAMPLE
    +NOTES
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + + +

    3proxy_crypt +- utility to generate encrypted passwords for 3proxy

    + +

    SYNOPSIS + +

    + + + +

    3proxy_crypt +password
    +3proxy_crypt     salt password

    + +

    DESCRIPTION + +

    + + + +

    3proxy_crypt +is a utility to generate encrypted password hashes for use +with 3proxy configuration. Encrypted passwords allow the +system to avoid storing passwords in cleartext in +configuration files.

    + +

    When invoked +with a single argument, it produces an NT password hash +(MD4-based, suitable for NTLM authentication). The output is +prefixed with NT:.

    + +

    When invoked +with two arguments (salt and password), it produces a +BLAKE2b password hash. The salt length is limited to 64 +characters. The output is prefixed with CR:.

    + +

    The resulting +hash can be used in the 3proxy configuration file with the +users directive instead of a cleartext password.

    + +

    OPTIONS + +

    + + + +

    password

    + +

    Cleartext password to +encrypt.

    + + + + + + + + +
    + + +

    salt

    		 + + +

    Salt string for BLAKE2b hashing (max 64 characters).

    		 +
    + +

    EXAMPLE + +

    + + +

    Generate NT +password hash:

    + +

    3proxy_crypt +MySecretPassword

    + +

    Result:

    + + +

    NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7

    + +

    Generate BLAKE2b password hash +with salt:

    + +

    3proxy_crypt MySalt +MySecretPassword

    + +

    Result:

    + +

    CR:$3$MySalt$...

    + +

    Using in 3proxy.cfg:

    + +

    users +user1:CR:$3$MySalt$...

    + +

    NOTES + +

    + + +

    The NT hash uses +the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash uses +the BLAKE2 cryptographic hash function.

    + +

    When a password +hash is prefixed with NT: or CR:, 3proxy uses +the corresponding algorithm to verify passwords instead of +comparing cleartext strings.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +3proxy.cfg(5),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/ftppr.8.html b/doc/html/man8/ftppr.8.html new file mode 100644 index 0000000..2782867 --- /dev/null +++ b/doc/html/man8/ftppr.8.html @@ -0,0 +1,258 @@ + + + + + + + +

    ftppr

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    ftppr - +FTP proxy gateway service

    + +

    SYNOPSIS + +

    + + +

    ftppr +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]

    + +

    DESCRIPTION + +

    + + +

    ftppr is +FTP gateway service to allow internal users to access +external FTP servers.

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never look for username +authentication.

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -h

    		 + + +

    Default destination. It’s +used if the target address is not specified by the user.

    + + +

    -p

    		 + + +

    Port. Port proxy listens for +incoming connections. Default is 21.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You can use any +FTP client, regardless of FTP proxy support. For a client +with FTP proxy support, configure internal_ip and +port in the FTP proxy parameters. For clients without +FTP proxy support, use internal_ip and port as +the FTP server. The address of the real FTP server must be +configured as a part of the FTP username. The format for the +username is username@server, where +server is the address of the FTP server and +username is the user´s login on this FTP +server. The login itself may contain an ´@´ +sign. Only cleartext authentication is currently +supported.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +proxy(8), pop3p(8), socks(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/pop3p.8.html b/doc/html/man8/pop3p.8.html new file mode 100644 index 0000000..4da4516 --- /dev/null +++ b/doc/html/man8/pop3p.8.html @@ -0,0 +1,258 @@ + + + + + + + +

    pop3p

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    pop3p - +POP3 proxy gateway service

    + +

    SYNOPSIS + +

    + + +

    pop3p +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]

    + +

    DESCRIPTION + +

    + + +

    pop3p is +POP3 gateway service to allow internal users to access +external POP3 servers.

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never look for username +authentication.

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -p

    		 + + +

    Port. Port proxy listens for +incoming connections. Default is 110.

    + + +

    -h

    		 + + +

    Default destination. It’s +used if the target address is not specified by the user.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You can use any +MUA (Mail User Agent) with POP3 support. Set the client to +use internal_ip and port as a POP3 server. The +address of the real POP3 server must be configured as a part +of the POP3 username. The format for the username is +username@server, where server is the +address of the POP3 server and username is the +user´s login on this POP3 server. The login itself may +contain an ´@´ sign. Only cleartext +authentication is supported, because challenge-response +authentication (APOP, CRAM-MD5, etc.) requires a challenge +from the server before we know which server to connect +to.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/proxy.8.html b/doc/html/man8/proxy.8.html new file mode 100644 index 0000000..c0ccb7a --- /dev/null +++ b/doc/html/man8/proxy.8.html @@ -0,0 +1,263 @@ + + + + + + + +

    proxy

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    proxy - +HTTP proxy gateway service

    + +

    SYNOPSIS + +

    + + +

    proxy +[-d][-a] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip]

    + +

    DESCRIPTION + +

    + + +

    proxy is +HTTP gateway service with HTTPS and FTP over HTTPS +support.

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never ask for username +authentication

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/proxy.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -a

    		 + + +

    Anonymous. Hide information +about client.

    + + +

    -a1

    		 + + +

    Anonymous. Show fake information +about client.

    + + +

    -p

    		 + + +

    Port. Port proxy listens for +incoming connections. Default is 3128.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ preceeds +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You should use a +client with HTTP proxy support or configure a router to +redirect HTTP traffic to the proxy (transparent proxy). +Configure the client to connect to internal_ip and +port. HTTPS support allows you to use almost any +TCP-based protocol. If you need to limit clients, use +3proxy(8) instead.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/smtpp.8.html b/doc/html/man8/smtpp.8.html new file mode 100644 index 0000000..c6084b6 --- /dev/null +++ b/doc/html/man8/smtpp.8.html @@ -0,0 +1,258 @@ + + + + + + + +

    smtpp

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    smtpp - +SMTP proxy gateway service

    + +

    SYNOPSIS + +

    + + +

    smtpp +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]

    + +

    DESCRIPTION + +

    + + +

    smtpp is +SMTP gateway service to allow internal users to access +external SMTP servers.

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never look for username +authentication.

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -p

    		 + + +

    Port. Port proxy listens for +incoming connections. Default is 25.

    + + +

    -h

    		 + + +

    Default destination. It’s +used if the target address is not specified by the user.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You can use any +MUA (Mail User Agent) with SMTP authentication support. Set +the client to use internal_ip and port as an +SMTP server. The address of the real SMTP server must be +configured as a part of the SMTP username. The format for +the username is username@server, where +server is the address of the SMTP server and +username is the user´s login on this SMTP +server. The login itself may contain an ´@´ +sign. Only cleartext authentication is supported, because +challenge-response authentication (CRAM-MD5, SPA, etc.) +requires a challenge from the server before we know which +server to connect to.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/socks.8.html b/doc/html/man8/socks.8.html new file mode 100644 index 0000000..40e0fba --- /dev/null +++ b/doc/html/man8/socks.8.html @@ -0,0 +1,276 @@ + + + + + + + +

    socks

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    socks - +SOCKS 4/4.5/5 gateway service

    + +

    SYNOPSIS + +

    + + +

    socks +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip]

    + +

    DESCRIPTION + +

    + + +

    socks is +SOCKS server. It supports SOCKSv4, SOCKSv4.5 (extension to +v4 for server side name resolution) and SOCKSv5. SOCKSv5 +specification allows both outgoing and reverse TCP +connections and UDP portmapping.

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never ask for username +authentication

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. +External IP must be specified if you need incoming +connections. By default, the system will decide which +address to use in accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -Ne

    		 + + +

    External NAT address 3proxy reports to client for +CONNECT/BIND. This is external address of NAT between 3proxy +and destination server. By default, the external address is +reported. It’s only useful in the case of IP-IP NAT +and does not work with port translation.

    + + +

    -Ni

    		 + + +

    Internal NAT address 3proxy +reports to client for UDPASSOC. This is external address of +the NAT between 3proxy and the client, client uses to +connect to 3proxy. By default, the internal address is +reported. It’s only useful in the case of IP-IP NAT +and does not work with port translation.

    + + +

    -i

    		 + + +

    Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. Unix +domain sockets can be specified with +-iunix:/path/to/socket syntax (e.g., +-iunix:/var/run/socks.sock). On Linux, abstract sockets use +-iunix:@socketname syntax.

    + + +

    -p

    		 + + +

    Port. Port proxy listens for +incoming connections. Default is 1080.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ preceeds +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You should use a +client with SOCKS support or use some socksification support +(for example SocksCAP or FreeCAP). Configure +client to use internal_ip and port. SOCKS +allows you to use almost any application protocol without +limitation. This implementation also allows you to open +privileged ports on the server (if socks has sufficient +privileges). If you need to control access, use +3proxy(8) instead.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +proxy(8), ftppr(8), pop3p(8), tcppm(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/tcppm.8.html b/doc/html/man8/tcppm.8.html new file mode 100644 index 0000000..df8c3e8 --- /dev/null +++ b/doc/html/man8/tcppm.8.html @@ -0,0 +1,241 @@ + + + + + + + +

    tcppm

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +ARGUMENTS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    tcppm - +TCP port mapper

    + +

    SYNOPSIS + +

    + + +

    tcppm +[-d] [-l[[@]logfile]] +[-iinternal_ip] [-eexternal_ip] +local_port remote_host remote_port

    + +

    DESCRIPTION + +

    + + + +

    tcppm +forwards connections from local to remote TCP port

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    ARGUMENTS + +

    + + + +

    local_port

    + +

    - port tcppm accepts +connections on

    + +

    remote_host

    + +

    - IP address of the host the +connection is forwarded to. Unix domain sockets can be +specified with the syntax unix:/path/to/socket (e.g., +unix:/var/run/app.sock). On Linux, abstract (fileless) Unix +sockets use the syntax unix:@socketname (e.g., +unix:@app.socket).

    + +

    remote_port

    + +

    - remote port the connection is +forwarded to. Ignored when using Unix socket destination, +but must be specified (use any positive value) for syntax +compatibility.

    + +

    CLIENTS + +

    + + +

    Any TCP-based +application can be used as a client. Use internal_ip +and local_port as the destination in the client +application. The connection is forwarded to +remote_host:remote_port

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/tlspr.8.html b/doc/html/man8/tlspr.8.html new file mode 100644 index 0000000..cd82638 --- /dev/null +++ b/doc/html/man8/tlspr.8.html @@ -0,0 +1,298 @@ + + + + + + + +

    tlspr

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    tlspr - +SNI proxy gateway service

    + +

    SYNOPSIS + +

    + + +

    tlspr +[-d][-a] [-l[[@]logfile]] +[-plistening_port] +[-Pdestination_port] +[-ctls_check_level] +[-iinternal_ip] +[-eexternal_ip]

    + +

    DESCRIPTION + +

    + + +

    tlspr is +an SNI gateway service (destination host is taken from TLS +handshake). The destination port must be specified via the +-P option (or it may be detected with the Transparent +plugin).

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -u

    		 + + +

    Never ask for username +authentication

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts +connections to. By default, connections to any interface are +accepted. It´s usually unsafe. Unix domain sockets can +be specified with -iunix:/path/to/socket syntax +(e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract +sockets use -iunix:@socketname syntax.

    + + +

    -a

    		 + + +

    Anonymous. Hide information +about client.

    + + +

    -a1

    		 + + +

    Anonymous. Show fake information +about client.

    + + +

    -p

    		 + + +

    listening_port. Port proxy +listens for incoming connections. Default is 1443.

    + + +

    -P

    		 + + +

    destination_port. Port to +establish outgoing connections. Required unless the +Transparent plugin is used, because the TLS handshake does +not contain port information. Default is 443.

    + + +

    -c

    		 + + +

    TLS_CHECK_LEVEL. 0 (default) - +allow non-TLS traffic to pass, 1 - require TLS, only check +client HELLO packet, 2 - require TLS, check both client and +server HELLO, 3 - require TLS, check that the server sends a +certificate (not compatible with TLS 1.3), 4 - require +mutual TLS, check that the server sends a certificate +request and the client sends a certificate (not compatible +with TLS 1.3)

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    CLIENTS + +

    + + +

    You should use a +client with TLS support or configure a router to redirect +TLS traffic to the proxy (transparent proxy). Configure the +client to connect to internal_ip and port. If +you need to limit clients, use 3proxy(8) instead.

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +ftppr(8), proxy(8), socks(8), pop3p(8), smtpp(8), tcppm(8), +udppm(8), syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/man8/udppm.8.html b/doc/html/man8/udppm.8.html new file mode 100644 index 0000000..09c79c1 --- /dev/null +++ b/doc/html/man8/udppm.8.html @@ -0,0 +1,248 @@ + + + + + + + +

    udppm

    + +NAME
    +SYNOPSIS
    +DESCRIPTION
    +OPTIONS
    +ARGUMENTS
    +CLIENTS
    +BUGS
    +SEE ALSO
    +AUTHORS
    + +
    + + +

    NAME + +

    + + +

    udppm - +UDP port mapper

    + +

    SYNOPSIS + +

    + + +

    udppm +[-ds] [-l[[@]logfile]] +[-iinternal_ip] [-eexternal_ip] +local_port remote_host remote_port

    + +

    DESCRIPTION + +

    + + + +

    udppm +forwards datagrams from local to remote UDP port

    + +

    OPTIONS + +

    + + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -I

    		 + + +

    Inetd mode. Standalone service +only.

    + + +

    -d

    		 + + +

    Daemonize. Detach service from +console and run in the background.

    + + +

    -t

    		 + + +

    Be silenT. Do not log +start/stop/accept error records.

    + + +

    -e

    		 + + +

    External address. IP address of +the interface the proxy should initiate datagrams from. By +default, the system will decide which address to use in +accordance with the routing table.

    + +

    -niPATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH before opening +the listening socket. The current namespace is saved and +restored immediately after binding, so outgoing connections +run in the original namespace unless -ne is also +given.

    + +

    -nePATH

    + +

    (Linux only) Switch to the +network namespace identified by PATH after the +listening socket has been bound (and after restoring from +-ni if applicable). Both options accept any namespace +file path (e.g. /var/run/netns/myns or +/proc/PID/ns/net) and require +CAP_SYS_ADMIN.

    + + + + + + + + + + + + + + + + + + + + + + +
    + + +

    -i

    		 + + +

    Internal address. IP address the proxy accepts datagrams +to. By default, connections to any interface are accepted. +It´s usually unsafe.

    + + +

    -l

    		 + + +

    Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging.

    + + +

    -s

    		 + + +

    Single packet. By default, only +one client can use the udppm service, but if -s is +specified, only one packet will be forwarded between client +and server. This allows the service to be shared between +multiple clients for single-packet services (for example, +name lookups).

    + + +

    -S

    		 + + +

    Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes.

    + +

    ARGUMENTS + +

    + + + +

    local_port

    + +

    - port udppm accepts datagrams +on

    + +

    remote_host

    + +

    - IP address of the host +datagrams are forwarded to

    + +

    remote_port

    + +

    - remote port datagrams are +forwarded to

    + +

    CLIENTS + +

    + + +

    Any UDP-based +application can be used as a client. Use internal_ip +and local_port as the destination in the client +application. All datagrams are forwarded to +remote_host:remote_port

    + +

    BUGS + +

    + + +

    Report all bugs +to 3proxy@3proxy.org

    + +

    SEE ALSO + +

    + + +

    3proxy(8), +proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), +syslogd(8),
    +https://3proxy.org/

    + +

    AUTHORS + +

    + + +

    3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)

    +
    + + diff --git a/doc/html/plugins/PCREPlugin.html b/doc/html/plugins/PCREPlugin.html index fb0892a..64297c6 100644 --- a/doc/html/plugins/PCREPlugin.html +++ b/doc/html/plugins/PCREPlugin.html @@ -1,10 +1,13 @@ +

    3proxy PCRE (Perl Compatible Regular Expressions) Filtering

    -

    3proxy Perl Compatible Regular Expressions (PCRE) plugin

    +

    Note: Since version 0.9.7, PCRE filtering is built into 3proxy and does not require +a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with +PCRE2 support (WITH_PCRE). The plugin line is no longer needed.

    -This filtering plugin can be used to create matching and replace -rules with regular expressions for client's request, client and -servers header and client and server data. It adds 3 additional -configuration commands: +

    This filtering functionality can be used to create matching and replacement +rules with regular expressions for client requests, client and +server headers, and client and server data. It adds 3 additional +configuration commands:

     pcre TYPE FILTER_ACTION REGEXP [ACE]
@@ -12,11 +15,11 @@ pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
 pcre_extend FILTER_ACTION [ACE]
 pcre_options OPTION1 [...]
    -pcre - allows to apply some rule for matching -
    pcre_rewrite - in addition to 'pcre' allows to substitute substrings -
    pcre_extend - extends ACL of the last pcre or pcre_rewrite comand by -adding additional ACE (like with allow/deny configuration commands). -
    pcre_options - allows to set matching options. Awailable options are: +pcre - allows applying a rule for matching +
    pcre_rewrite - in addition to 'pcre', allows substituting substrings +
    pcre_extend - extends the ACL of the last pcre or pcre_rewrite command by +adding an additional ACE (like with allow/deny configuration commands). +
    pcre_options - allows setting matching options. Available options are: PCRE_CASELESS, PCRE_MULTILINE, PCRE_DOTALL, @@ -32,7 +35,7 @@ PCRE_UTF8, PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT, -PCRE_PARTIAL, +PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART, PCRE_FIRSTLINE, @@ -47,48 +50,41 @@ PCRE_BSR_UNICODE
    • TYPE - type of filtered data. May contain one or more -(comma delimited list) values: +(comma-delimited list) values:
        -
      • request - content of client's request e.g. HTTP GET request string. -(known problem: changing request string doesn't change IP of the host to connect) -
      • cliheader - content of client request headers, e.g. HTTP request header. -
      • srvheader - content of server's reply headers, e.g. HTTP status and headers. -
      • clidata - data received from client, e.g. HTTP POST request data -
      • srvdata - data received from server, e.g. HTML page +
      • request - content of the client's request, e.g., the HTTP GET request string. +(known problem: changing the request string doesn't change the IP of the host to connect to) +
      • cliheader - content of the client request headers, e.g., HTTP request headers. +
      • srvheader - content of the server's reply headers, e.g., HTTP status and headers. +
      • clidata - data received from the client, e.g., HTTP POST request data +
      • srvdata - data received from the server, e.g., an HTML page
    • FILTER_ACTION - action on match -
        allow - allow this request without checking rest of the given type -of the rules -
      • deny - deny this request without checking rest of the rules -
      • dunno - continue with the rest of rules (useful with pcre_rewrite) +
        • allow - allow this request without checking the rest of the rules for the given type +
        • deny - deny this request without checking the rest of the rules +
        • dunno - continue with the rest of the rules (useful with pcre_rewrite)
        -
      • REGEXP - PCRE (perl) regular expression. Use * if no regexp matching -required. -
      • REWRITE_EXPRESSION - substitution string. May contain perl-style +
      • REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching +is required. +
      • REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings -(not tested) $1, $2. $0 - means whole matched string. \r and \n may be used -to insert new strings, string may be empty (""). +(not tested) $1, $2. $0 means the whole matched string. \r and \n may be used +to insert new strings; the string may be empty ("").
      • ACE - access control entry (user names, source IPs, destination IPs, -ports, etc), absolutely identical to allow/deny/bandlimin commands. -Regular expression is only matched if ACL matches connection data. +ports, etc.), absolutely identical to allow/deny/bandlimin commands. +The regular expression is only matched if the ACL matches the connection data. Warning: -reqular expression doesn't require authentication and can not replace +Regular expressions don't require authentication and cannot replace authentication and/or allow/deny ACLs.

      Example:

      -plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
      -

      Download:

      -
        -
      • Plugin is included into 3proxy 0.6 binary and source distribution -
      • Example configuration (by Dennis Garber): NoPornLitest.cfg -
      - +© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/PCREPlugin.ru.html b/doc/html/plugins/PCREPlugin.ru.html index 047079c..cff579e 100644 --- a/doc/html/plugins/PCREPlugin.ru.html +++ b/doc/html/plugins/PCREPlugin.ru.html @@ -1,8 +1,12 @@ -

      Плагин регулярных выражений совместимых с Perl (PCRE) для 3proxy

      +

      Фильтрация PCRE (Perl Compatible Regular Expressions) в 3proxy

      -Фильтрующий плагин используется для создания правил поиска и замены +

      Примечание: Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует +отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой +PCRE2 (WITH_PCRE). Строка plugin больше не нужна.

      + +

      Фильтрующий плагин используется для создания правил поиска и замены регулярных выражений в запросе, заголовков запроса и ответа и данных. -Добавляет поддержку 3х новых команд в файле конфигурации: +Добавляет поддержку 3х новых команд в файле конфигурации:

       pcre TYPE FILTER_ACTION REGEXP [ACE]
@@ -30,7 +34,7 @@ PCRE_UTF8,
 PCRE_NO_AUTO_CAPTURE,
 PCRE_NO_UTF8_CHECK,
 PCRE_AUTO_CALLOUT,
-PCRE_PARTIAL,     
+PCRE_PARTIAL,
 PCRE_DFA_SHORTEST,
 PCRE_DFA_RESTART,
 PCRE_FIRSTLINE,
@@ -56,9 +60,9 @@ PCRE_BSR_UNICODE
  
    • srvdata - данные полученные от сервера, например содержимое HTML-страницы
  • FILTER_ACTION - действие при совпадении. Может принимать значение -
      allow - разрешить данный запрос без просмотра дальнейших правил +
      • allow - разрешить данный запрос без просмотра дальнейших правил
      • deny - запретить данный запрос без просмотра дальнейших правил -
      • dunno - продолжить анализ правил (полезно для pcre_rewrite) +
      • dunno - продолжить анализ правил (полезно для pcre_rewrite)
    • REGEXP - регулярное выражение в формате PCRE (perl). Используйте * если не требуется проерка регулярного выражения. @@ -76,15 +80,10 @@ PCRE_BSR_UNICODE

      Пример:

      -plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
      -

      Загрузить:

      -
        -
      • Плагин включен в дистрибутив 3proxy 0.6 -
      • Пример конфигурации (by Dennis Garber): NoPornLitest.cfg -
      +© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/SSLPlugin.html b/doc/html/plugins/SSLPlugin.html index 008baa7..b33c070 100644 --- a/doc/html/plugins/SSLPlugin.html +++ b/doc/html/plugins/SSLPlugin.html @@ -1,34 +1,124 @@ -

      3proxy SSL/TLS plugin

      +

      3proxy SSL/TLS Support

      -Plugin can be used to transparently decypher SSL/TLS data. Plugin should never be used in production environment due to -potential securiy reasons. +

      Note: Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require +a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with +OpenSSL support (WITH_SSL). The plugin line is no longer needed.

      -
      -ssl_certcache PATH_TO_CACHE
-ssl_mitm
-ssl_nomitm
-
      -ssl_certcache - path to certificates cache. For transparent spoofing cache must contain 3 files: 3proxy.pem - public -self-signed certificates, 3proxy.key - key for public certificates, server.key - this key will be used to generates -spoofed certificates. -Generated certificates will be placed to the same path. -
      ssl_mitm - spoof certificates for services started below +

      SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption +for proxy traffic, and authenticate using client certificates.

      + +

      For transparent certificate spoofing (MITM):

      + +
      ssl_mitm - spoof certificates for services started below. Usage without ssl_client_verify is insecure.
      ssl_nomitm - do not spoof certificates for services started below +

      To protect traffic to the server (https:// proxy):

      -

      Example:

      +ssl_serv (or ssl_server) - require TLS connection from clients for services below +
      ssl_noserv (or ssl_noserver) - do not require TLS connection from clients for services below + +

      To use TLS for upstream connections:

      + +ssl_cli (or ssl_client) - establish TLS connection to upstream server for services below +
      ssl_nocli (or ssl_noclient) - do not establish TLS connection to upstream server for services below + +

      Parameters:

      + +
      ssl_server_cert /path/to/cert - Server certificate (should not be self-signed and must contain an Alternative Name) for ssl_serv +
      ssl_server_key /path/to/key - Server certificate key for ssl_server_cert or generated MITM certificate +
      ssl_client_cert /path/to/cert - Client certificate for authentication on upstream server (used with ssl_cli) +
      ssl_client_key /path/to/key - Client certificate key for ssl_client_cert +
      ssl_client_ciphersuites ciphersuites_list - TLS client ciphers for TLS 1.3, e.g., ssl_client_ciphersuites TLS_AES_128_GCM_SHA256 +
      ssl_server_ciphersuites ciphersuites_list - TLS server ciphers for TLS 1.3 +
      ssl_client_cipher_list ciphers_list - TLS client ciphers for TLS 1.2 and below, e.g., ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 +
      ssl_server_cipher_list ciphers_list - TLS server ciphers for TLS 1.2 and below +
      ssl_client_min_proto_version tls_version - TLS client minimum TLS version (e.g., TLSv1.2) +
      ssl_server_min_proto_version tls_version - TLS server minimum TLS version (e.g., TLSv1.2) +
      ssl_client_max_proto_version tls_version - TLS client maximum TLS version (e.g., TLSv1.2) +
      ssl_server_max_proto_version tls_version - TLS server maximum TLS version (e.g., TLSv1.2) +
      ssl_client_verify - verify the certificate for the upstream server in TLS client functionality (used with ssl_mitm or ssl_cli) +
      ssl_client_no_verify - do not verify the certificate for the upstream server in TLS client functionality (default) +
      ssl_server_verify - require client certificate authentication (mTLS) for ssl_serv +
      ssl_server_no_verify - do not require client certificate (default) +
      ssl_server_ca_file /path/to/cafile - CA certificate file for MITM +
      ssl_server_ca_key /path/to/cakey - key for ssl_server_ca_file MITM CA +
      ssl_server_ca_dir /path/to/cadir - CA directory for ssl_server_verify +
      ssl_server_ca_store /path/to/castore - CA store for ssl_server_verify (OpenSSL 3.0+) +
      ssl_client_ca_file /path/to/cafile - CA file for ssl_client_verify +
      ssl_client_ca_dir /path/to/cadir - CA directory for ssl_client_verify +
      ssl_client_ca_store /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+) +
      ssl_client_sni hostname - SNI hostname to send to upstream server (overrides the requested hostname) +
      ssl_client_alpn protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1) +
      ssl_client_mode mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's') +
      ssl_certcache /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured. +The cache may contain 3 files: 3proxy.pem - public +self-signed certificates (used if ssl_server_ca_file is not configured), +3proxy.key - key for public certificates, used if ssl_server_ca_key is not configured, server.key - this key is used if ssl_server_key is not configured to generate +spoofed certificates. If server.key is absent, 3proxy.key is used to generate certificates. +Generated certificates are placed in the same path. + + +

      MITM example:

      -plugin /path/to/SslPlugin.dll ssl_plugin
-ssl_certcache /path/to/cache/
+ssl_server_ca_file /path/to/cafile
+ssl_server_ca_key /path/to/cakey
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
      +MITM's traffic with a spoofed certificate for the port 3128 proxy. -

      Download:

      -
        -
      • Plugin included into 3proxy 0.8 -
      +

      https:// proxy example:

      +
      +ssl_server_cert path_to_cert
+ssl_server_key path_to_key
+ssl_serv
+proxy -p33128
+ssl_noserv
+proxy -p3128
+
      +Creates an https:// proxy on port 33128 and an http:// proxy on port 3128 + +

      TLS client example (connect to upstream via TLS):

      +
      +ssl_client_cert /path/to/client.crt
+ssl_client_key /path/to/client.key
+ssl_client_verify
+ssl_client_ca_file /path/to/ca.crt
+ssl_cli
+proxy -p3128
+
      +Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication. + +

      Conditional TLS for parent proxy (ssl_client_mode 3):

      +
      +ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+
      +Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps. + +

      mTLS example (require client certificate):

      +
      +ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/server.key
+ssl_server_ca_file /path/to/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3128
+
      +Creates an https:// proxy that requires client certificate authentication. © Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/SSLPlugin.ru.html b/doc/html/plugins/SSLPlugin.ru.html index 51b9399..dc9238b 100644 --- a/doc/html/plugins/SSLPlugin.ru.html +++ b/doc/html/plugins/SSLPlugin.ru.html @@ -1,32 +1,120 @@ -

      Плагин SSL/TLS для 3proxy

      +

      3proxy SSL/TLS поддержка

      -Плагин используется для транспарентной дешифровки SSL-трафика с подменой сертификата. -Плагин не должен использоваться в рабочем окружении, т.к. его использование дает возможность обхода проверок SSL. +

      Примечание: Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует +отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой +OpenSSL (WITH_SSL). Строка plugin больше не нужна.

      +

      Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.

      +

      Для прозрачного перехвата трафика (MITM):

      + +
      ssl_mitm - подменять сертификаты для сервисов, запущенных ниже. Использование без ssl_client_verify небезопасно. +
      ssl_nomitm - не подменять сертификаты для сервисов, запущенных ниже. + +

      Для защиты трафика прокси-сервера (https:// proxy):

      + +ssl_serv (или ssl_server) - требовать TLS-соединение от клиентов для сервисов, запущенных ниже +
      ssl_noserv (или ssl_noserver) - не требовать TLS-соединение от клиентов для сервисов, запущенных ниже + +

      Для использования TLS при соединении к вышестоящему серверу:

      + +ssl_cli (или ssl_client) - устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже +
      ssl_nocli (или ssl_noclient) - не устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже + +

      Параметры:

      + +
      ssl_server_cert /path/to/cert - сертификат сервера (не должен быть самоподписанным, должен содержать альтернативные имена) для ssl_serv +
      ssl_server_key /path/to/key - ключ сертификата сервера для ssl_server_cert или сгенерированного MITM-сертификата +
      ssl_client_cert /path/to/cert - клиентский сертификат для аутентификации на вышестоящем сервере (используется с ssl_cli) +
      ssl_client_key /path/to/key - ключ клиентского сертификата для ssl_client_cert +
      ssl_client_ciphersuites ciphersuites_list - наборы шифров TLS для TLS 1.3 (клиент), пример: ssl_client_ciphersuites TLS_AES_128_GCM_SHA256 +
      ssl_server_ciphersuites ciphersuites_list - наборы шифров TLS для TLS 1.3 (сервер) +
      ssl_client_cipher_list ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (клиент), пример: ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 +
      ssl_server_cipher_list ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (сервер) +
      ssl_client_min_proto_version tls_version - минимальная версия TLS клиента (например, ssl_client_min_proto_version TLSv1.2) +
      ssl_server_min_proto_version tls_version - минимальная версия TLS сервера +
      ssl_client_max_proto_version tls_version - максимальная версия TLS клиента +
      ssl_server_max_proto_version tls_version - максимальная версия TLS сервера +
      ssl_client_verify - проверять сертификат вышестоящего сервера (используется с ssl_mitm или ssl_cli) +
      ssl_client_no_verify - не проверять сертификат вышестоящего сервера (по умолчанию) +
      ssl_server_verify - требовать клиентский сертификат (mTLS) для ssl_serv +
      ssl_server_no_verify - не требовать клиентский сертификат (по умолчанию) +
      ssl_server_ca_file /path/to/cafile - файл CA-сертификата для MITM +
      ssl_server_ca_key /path/to/cakey - ключ CA-сертификата ssl_server_ca_file для MITM +
      ssl_server_ca_dir /path/to/cadir - директория CA-сертификатов для ssl_server_verify +
      ssl_server_ca_store /path/to/castore - хранилище CA-сертификатов для ssl_server_verify (OpenSSL 3.0+) +
      ssl_client_ca_file /path/to/cafile - файл CA-сертификатов для ssl_client_verify +
      ssl_client_ca_dir /path/to/cadir - директория CA-сертификатов для ssl_client_verify +
      ssl_client_ca_store /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+) +
      ssl_client_sni hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста) +
      ssl_client_alpn протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1) +
      ssl_client_mode режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's') +
      ssl_certcache /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать +файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file, +ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан, +3proxy.key используется для генерации серверного сертификата. + +

      Пример MITM:

      -ssl_certcache PATH_TO_CACHE
-ssl_mitm
-ssl_nomitm
-
      -ssl_certcache - путь к кэшу сертификатов. Для транспорентной подмены сертификатов в кэше должно находиться 3 файла: 3proxy.pem - публичный -самоподписанный сертификат, 3proxy.key - ключ от этого сертификата, server.key - ключ с которым будут генерироваться подменные сертификаты. -Сгенерированные сертификаты будут помещаться в этот же каталог. -
      ssl_mitm - подменять сертитфикаты для запущенных ниже сервисов -
      ssl_nomitm - не подменять сертитфикаты для запущенных ниже сервисов - - -

      Пример:

      -
      -plugin /path/to/SslPlugin.dll ssl_plugin
-ssl_certcache /path/to/cache/
+ssl_server_ca_file /path/to/cafile
+ssl_server_ca_key /path/to/cakey
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
      +Перехватывается трафик в прокси на порту 3128. -

      Загрузить:

      -
        -
      • Плагин включен в дистрибутив 3proxy 0.8 -
      +

      Пример конфигурации https:// прокси:

      +
      +ssl_server_cert path_to_cert
+ssl_server_key path_to_key
+ssl_serv
+proxy -p33128
+ssl_noserv
+proxy -p3128
+
      +На порту 33128 создается https:// прокси, на порту 3128 - http:// прокси. + +

      Пример TLS-клиента (соединение к вышестоящему серверу через TLS):

      +
      +ssl_client_cert /path/to/client.crt
+ssl_client_key /path/to/client.key
+ssl_client_verify
+ssl_client_ca_file /path/to/ca.crt
+ssl_cli
+proxy -p3128
+
      +Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату. + +

      Условное TLS для parent прокси (ssl_client_mode 3):

      +
      +ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+
      +Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps. + +

      Пример mTLS (требование клиентского сертификата):

      +
      +ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/server.key
+ssl_server_ca_file /path/to/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3128
+
      +Создается https:// прокси, требующий аутентификацию по клиентскому сертификату. + +© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/StringsPlugin.html b/doc/html/plugins/StringsPlugin.html index f0f76cc..815ae17 100644 --- a/doc/html/plugins/StringsPlugin.html +++ b/doc/html/plugins/StringsPlugin.html @@ -1,16 +1,16 @@ -

      3proxy strings substitution plugin

      -May be used to make interface more pretty or to translate proxy server -messages to different language. All messages are taken from proxy.c and -moved to external text file (e.g. rus.3ps). On the moment of -writing there are 15 sections. Sections are delimited with "[end]". +

      3proxy Strings Substitution Plugin

      +This may be used to make the interface more attractive or to translate proxy server +messages to a different language. All messages are taken from proxy.c and +moved to an external text file (e.g., rus.3ps). At the time of +writing, there are 15 sections. Sections are delimited with "[end]".

      Example:

      plugin "StringsPlugin.dll" start c:\3proxy\bin\rus.3ps

      Download:

        -
      • Plugin is included into 3proxy 0.6 binary and source distribution +
      • Plugin is included in the 3proxy 0.6 binary and source distribution
      -©Kirill Lopuchov \ No newline at end of file +© Kirill Lopuchov diff --git a/doc/html/plugins/StringsPlugin.ru.html b/doc/html/plugins/StringsPlugin.ru.html index 8f03e40..a749812 100644 --- a/doc/html/plugins/StringsPlugin.ru.html +++ b/doc/html/plugins/StringsPlugin.ru.html @@ -1,4 +1,4 @@ -

      Плагин подмены строк 3proxy

      +

      Плагин подмены строк 3proxy

      Используется, в частности, для руссификации сообщений выдаваемых 3proxy. Для корректной работы требуется 0.6 версия 3proxy. @@ -15,4 +15,4 @@ plugin "StringsPlugin.dll" start c:\3proxy\bin\rus-win1251.3ps

      Загрузить:

      • Плагин включен в дистрибутив 3proxy 0.6 -
      +
    diff --git a/doc/html/plugins/TrafficPlugin.html b/doc/html/plugins/TrafficPlugin.html index dc4cb4b..3ad6324 100644 --- a/doc/html/plugins/TrafficPlugin.html +++ b/doc/html/plugins/TrafficPlugin.html @@ -1,15 +1,15 @@ -

    3proxy traffic correction plugin

    -3proxy logs and counts traffic on application level, while provider usually does -it on network or link level. It's significant if you use 3proxy for billing, -especially in case where network packets are small, e.g. network games. +

    3proxy Traffic Correction Plugin

    +3proxy logs and counts traffic at the application level, while providers usually do +so at the network or link level. This is significant if you use 3proxy for billing, +especially in cases where network packets are small, e.g., online games.

    -This plugin attempts to correct 3proxy computations to approximate network or -link level traffic by using either fixed coefficients by port number or -attempting to predict number and sizes of network packets. +This plugin attempts to correct 3proxy's computations to approximate network or +link-level traffic by using either fixed coefficients by port number or +by attempting to predict the number and sizes of network packets.

    Usage:

      -
    1. Extract TrafficPlugin.dll to the same folder with 3proxy executable. -
    2. Start plugin in 3proxy.cfg with +
    3. Extract TrafficPlugin.dll to the same folder as the 3proxy executable. +
    4. Start the plugin in 3proxy.cfg with: 
      plugin TrafficPlugin.dll start
    5. Add correction rules: @@ -17,36 +17,36 @@ attempting to predict number and sizes of network packets. FOR FIXED COEFFICIENTS MODE: 
      trafcorrect m <service> <target port> <coefficient>
      -where <service> - one of proxy, socks4, socks45, socks5, tcppm, udppm, pop3p, * matches "any". -
      <target port> - target port, * matches any +where <service> - one of proxy, socks4, socks45, socks5, tcppm, udppm, pop3p; * matches "any". +
      <target port> - target port; * matches any
      <coefficient> - coefficient to multiply traffic for this port.
      -FOR PACKET HEADER PREDICTION MODE +FOR PACKET HEADER PREDICTION MODE: 
      trafcorrect p <service> <tcp/udp> <target port> [empty packet size]
      -tcp ot udp - transport level protocol to apply rule +tcp or udp - transport-level protocol to apply the rule to
      -empty packet size - average size of "empty" packet, that is sum of average network/transport headers. -You can use network sniffer, such is Ethereal to discover it. Usually packet size -is 42 for UDP and +empty packet size - average size of an "empty" packet, i.e., the sum of average network/transport headers. +You can use a network sniffer such as Ethereal to discover it. Usually, the packet size +is 42 for UDP and
      Modes can be mixed. -
      Plugin creates a list of rules, first matching rule will be applied. +
      The plugin creates a list of rules; the first matching rule will be applied.
    -For any mode plugin approximates traffic, logged or counted amount is not exact. +For any mode, the plugin approximates traffic; the logged or counted amount is not exact.

    Example:

    plugin "TrafficPlugin.dll" start
 trafcorrect m socks5 6112 4.5
 trafcorrect m socks5 * 1.1
    -wrong usage: +Wrong usage: 
    trafcorrect m socks5 * 1.1
 trafcorrect m socks5 6112 4.5
    -second rule will never be applied. +The second rule will never be applied.

    Download:

      -
    • Plugin is included into 3proxy 0.6 binary and source distribution +
    • Plugin is included in the 3proxy 0.6 binary and source distribution
    -©Maslov Michael aka Flexx(rus) +© Maslov Michael aka Flexx(rus) \ No newline at end of file diff --git a/doc/html/plugins/TrafficPlugin.ru.html b/doc/html/plugins/TrafficPlugin.ru.html index 00469c2..3d69e74 100644 --- a/doc/html/plugins/TrafficPlugin.ru.html +++ b/doc/html/plugins/TrafficPlugin.ru.html @@ -1,4 +1,4 @@ -

    Плагин коррекции траффика 3proxy

    +

    Плагин коррекции траффика 3proxy

    Как известно, 3proxy считает траффик не сетевой, а прикладной. Обычно прикладной траффик немного меньше (примерно на 10%) чем сетевой, однако в некоторых случаях, например когда пользователи сети играют в @@ -46,7 +46,7 @@ trafcorrect p <сервис> <tcp/udp> <исходящий пор Когда происходит окончание соединения выполняется первое подходящее правило. Подсчет трафика в любом режиме не является точным, это некоторая аппроксимация -позволяющаяподсчитать трафик с точностью до нескольких процентов. +позволяющая подсчитать трафик с точностью до нескольких процентов.

    Пример:

    @@ -66,4 +66,4 @@ trafcorrect m socks5 6112 4.5
 
    Загрузить:
    
 
      
  
    • Плагин включен в дистрибутив 3proxy 0.6
-
    
+
    • diff --git a/doc/html/plugins/TransparentPlugin.html b/doc/html/plugins/TransparentPlugin.html index 0072318..93e993c 100644 --- a/doc/html/plugins/TransparentPlugin.html +++ b/doc/html/plugins/TransparentPlugin.html @@ -1,9 +1,9 @@ -

    3proxy TransparentPlugin plugin (Linux/BSD only)

    +

    3proxy TransparentPlugin (Linux/BSD only)

    -Plugin can turn 3proxy into transparent proxy for virtually any TCP-based protocol +This plugin can turn 3proxy into a transparent proxy for virtually any TCP-based protocol and use all 3proxy features - redirections, parent proxies, ACLs, traffic limitations, -etc. TransparentPlugin plugin takes destination IP:port from Linux and uses this -information as a target IP in proxy. An example of usage: +etc. The TransparentPlugin takes the destination IP:port from Linux and uses this +information as the target IP in the proxy. An example usage: 
     plugin /path/to/TransparentPlugin.ld.so transparent_plugin
@@ -19,13 +19,13 @@ notransparent
 proxy
    Now, any TCP traffic transparently redirected to port 12345 will be routed via -parent SOCKSv5 proxy and logged, all URLs for web requests are visible in logs. -Paremeters '127.0.0.1 11111' in this case are not used and are overwritten by -destination IP:port for each transparent connection. +the parent SOCKSv5 proxy and logged; all URLs for web requests are visible in logs. +The parameters '127.0.0.1 11111' in this case are not used and are overwritten by +the destination IP:port for each transparent connection.

    Download:

      -
    • Plugin included into 3proxy 0.8 -
    +
  • Plugin is included in 3proxy 0.8 +
    • © Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/TransparentPlugin.ru.html b/doc/html/plugins/TransparentPlugin.ru.html index 6347a0f..229cf13 100644 --- a/doc/html/plugins/TransparentPlugin.ru.html +++ b/doc/html/plugins/TransparentPlugin.ru.html @@ -28,6 +28,6 @@ HTTP-запросов по порту TCP/80 будут видны параме

    Загрузить:

    • Плагин включен в дистрибутив 3proxy 0.8 -
    + © Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/WindowsAuthentication.html b/doc/html/plugins/WindowsAuthentication.html index d22d8e2..b9acaf9 100644 --- a/doc/html/plugins/WindowsAuthentication.html +++ b/doc/html/plugins/WindowsAuthentication.html @@ -1,33 +1,33 @@ -

    3proxy Windows Authentication plugin

    -Support for cleartext authentication against Windows domain or local Windows account. +

    3proxy Windows Authentication Plugin

    +Support for cleartext authentication against a Windows domain or local Windows account.

    Usage:

      -
    1. Extract WindowsAuthentication.dll to the same folder with 3proxy executable. -
    2. Create 3ProxyAllowedGroup - Windows system group allowed to use proxy. - You can choose different group name. Group can be either local or +
    3. Extract WindowsAuthentication.dll to the same folder as the 3proxy executable. +
    4. Create 3ProxyAllowedGroup - a Windows system group allowed to use the proxy. + You can choose a different group name. The group can be either local or Active Directory. Every account allowed to use 3proxy must be included in this group either directly or through group nesting. -
    5. Configure plugin with 'plugin' command in 3proxy.cfg, e.g.: +
    6. Configure the plugin with the 'plugin' command in 3proxy.cfg, e.g.: 
      
 plugin "WindowsAuthentication.dll" WindowsAuthentication "3ProxyAllowedGroup"
      -
      WindowsAuthentication.dll - location of DLL, if DLL is located in different folder -from 3proxy.exe you must specify complete path to DLL here. 3ProxyAllowedGroup - Windows +
      WindowsAuthentication.dll - location of the DLL; if the DLL is located in a different folder +from 3proxy.exe, you must specify the complete path to the DLL here. 3ProxyAllowedGroup - the Windows system group allowed to use 3proxy. -After plugin is loaded, 'windows' authentication type is supported. +After the plugin is loaded, the 'windows' authentication type is supported.
    7. Configure 'auth windows' for services that require Windows authentication. -
    8. It's recommended you also configure authentication caching (see 'authcache'), - to prevent excessive workload for domain controller. Example: +
    9. It is recommended that you also configure authentication caching (see 'authcache') + to prevent excessive workload on the domain controller. Example: 
        authcache user,pass 900
  auth cache windows
      -
    10. NTLM authentication is not currently supported for plugins, you should use proxy -n key to disable it. +
    11. NTLM authentication is not currently supported for plugins; you should use the proxy -n switch to disable it.

    Download:

      -
    • Plugin is included into 3proxy 0.6 binary and source distribution -
    \ No newline at end of file +
  • Plugin is included in the 3proxy 0.6 binary and source distribution +
    • \ No newline at end of file diff --git a/doc/html/plugins/WindowsAuthentication.ru.html b/doc/html/plugins/WindowsAuthentication.ru.html index 7c857c7..b8f4bfe 100644 --- a/doc/html/plugins/WindowsAuthentication.ru.html +++ b/doc/html/plugins/WindowsAuthentication.ru.html @@ -1,4 +1,4 @@ -

    Плагин аутентификации Windows для 3proxy

    +

    Плагин аутентификации Windows для 3proxy

    Поддерживается только аутентификация открытым текстом в домене или на локальной машине Windows.

    Использование

      @@ -31,5 +31,5 @@ auth windows

      Загрузить:

      • Плагин включен в дистрибутив 3proxy 0.6 -
      + diff --git a/doc/html/securityen.html b/doc/html/securityen.html index 1be0d0c..81ff3e3 100644 --- a/doc/html/securityen.html +++ b/doc/html/securityen.html @@ -1,35 +1,33 @@ -

      3proxy security considirations

      - +

      3proxy Security Considerations

        -
      • Never install 3proxy suid. If you need it to run suid write some -wrapper with fixed configuration file. -
      • Make configuration file only available to account 3proxy starts with. -
      • Under Windows if 3proxy is used as service create new -unprivileged local account without "logon locally" right. Assign this account -to 3proxy service. -
      • Under unix use chroot to jail 3proxy (make sure files included in -configuration file after 'chroot' command, if any, are available from jail) -
      • Under Unix, either start 3proxy with unprivileged account or, if you need +
      • Never install 3proxy suid. If you need it to run suid, write a +wrapper with a fixed configuration file. +
      • Make the configuration file accessible only to the account 3proxy starts with. +
      • Under Windows, if 3proxy is used as a service, create a new +unprivileged local account without "logon locally" rights. Assign this account +to the 3proxy service. +
      • Under Unix, use chroot to jail 3proxy (make sure files included in +the configuration file after the 'chroot' command, if any, are available from within the jail). +
      • Under Unix, either start 3proxy with an unprivileged account or, if you need some privileged ports to be used by 3proxy, use setgid/setuid commands inside -3proxy.cfg immediately after last occurance of service binded to -privileged port in configuration file (setgid must preceed setuid). -
      • Allways use full paths in configuration file +3proxy.cfg immediately after the last occurrence of a service bound to a +privileged port in the configuration file (setgid must precede setuid). +
      • Always use full paths in the configuration file.
      • Try to avoid 'strong' authentication, because only cleartext -authentication method is currently available. +authentication is currently available.
      • Always specify internal and external interfaces. -
      • Always limit connections to internal network and localhost (to 127.0.0.1 and -all interfaces) with ACLs. Be carefull, because BIND command in SOCKS requies -BIND method with external interface IP address to be allowed. -
      • Before 3proxy 0.8 always use nserver and nscache under Unix, overwise DoS attack is possible -with unreachable DNS server (because gethostbyname will block over threads). -
      • Keep logs in secure location, because some confidential information from -user's request can be logged. +
      • Always limit connections to the internal network and localhost (to 127.0.0.1 and +all interfaces) with ACLs. Be careful, because the BIND command in SOCKS requires the +BIND method with the external interface IP address to be allowed. +
      • Before 3proxy 0.8, always use nserver and nscache under Unix; otherwise, a DoS attack is possible +with an unreachable DNS server (because gethostbyname will block other threads). +
      • Keep logs in a secure location, because some confidential information from +user requests can be logged.
      • Use -xyz+A character filtering sequences for 'logformat', especially with -ODBC logging to prevent SQL and log record injections. -
      • Immediately report all service crashes to developers +ODBC logging, to prevent SQL and log record injections. +
      • Immediately report all service crashes to the developers.
      • Participate in code audit :) -
    - +

    diff --git a/doc/ru/example1.txt b/doc/ru/example1.txt index 7c426a8..5b34c4e 100644 --- a/doc/ru/example1.txt +++ b/doc/ru/example1.txt @@ -3,26 +3,26 @@ KOI8-R Kirill Lopuchov, lopuchov at mail ru <3proxy> - Internet- ( , Internet-). , Internet- proxy-, NAT ( ) IP . +Довольно часто перед системным администратором встает задача предоставить доступ к Internet-ресурсам группе пользователей (небольшой офис, Internet-кафе). Данную задачу можно решить, настроив на Internet-шлюзе proxy-сервер, службу NAT (трансляция сетевых адресов) или раздать каждому пользователю реальный IP адрес. - - proxy-. proxy Squid, :), squid SOCKS4/5-, TCP/UP -. PROXY-, "3proxy" (http://3proxy.ru/), . . . , Win9x/2000/XP Linux FreeBSD. +Давайте рассмотрим самый простой способ подключения - установку proxy-сервера. Традиционно для этих целей применяется популярный proxy Squid, но не всегда бывает необходимость в столь тяжеловатой программе :), да и в squid отсутствуют такие иногда необходимые вещи как SOCKS4/5-сервер, TCP/UP порт-маппинг. Поэтому вторым номером хочется представить вашему вниманию PROXY-сервер, под названием "3proxy" (http://3proxy.ru/), разработанный нашим программистом из г. Нижний Новгород. Одним из главных его достоинств является компактность и высокая переносимость. Код сервера написан так, что легко компилируется как для Win9x/2000/XP так и для Linux и FreeBSD. - : +Сервер поддерживает следующие возможности: HTTP(S) proxy; FTP over HTTP proxy; SOCKS4/5 proxy; POP3 proxy; -TCP & UDP ; - ; - ( , :) ); - , ; - proxy- ip ; - ODBC (-, proxy) syslog . . +TCP & UDP маппинг портов; +листы доступа к различным службам и адресам; +ограничение пропускной способности канала каждого пользователя (чтобы пользователь не съел весь канал, качая кучу файлов в несколько потоков :) ); +ограничение трафика пользователя на день, неделю и месяц; +авторизацию пользователей ко всем proxy-службам по имени и паролю или по ip адресам; +ведение журналов через ODBC (по-моему, такого нет ни в одном proxy) и syslog и т. д. - :-|. Inernet- ( ) - 25% . , , 2- wwwoffle , 3proxy :) +К недостаткам можно отнести отсутствие кэширования информации :-|. Но в последнее время Inernet-контент становится все более динамичным (то есть не поддающийся кэшированию) и может быть для кого-то экономия в 25% трафика за счет его кэширования не будет столь критична. Для тех пользователей, кому она может оказаться критичной, автор предлагает использовать цепочку из 2-х серверов и в качестве кэша такие сервера как wwwoffle или им подобные, либо ждать появления поддержки кеша в 3proxy :) - +Установка # wget http://3proxy.ru/current/3proxy.tgz # tar -xvzf 3proxy.tgz @@ -35,64 +35,64 @@ TCP & UDP # touch /usr/local/3proxy/3proxy.cfg # chown -R nobody:nogroup /usr/local/3proxy - 3proxy.cfg -, - 3proxy.cfg.sample +Далее приведу небольшой пример конфигурационного файла 3proxy.cfg с +комментариями, более подробную информацию по конфигурированию можно +найти файле 3proxy.cfg.sample или в HowTo http://3proxy.ru/howtor.asp - FAQ http://3proxy.ru/faqr.asp +и FAQ http://3proxy.ru/faqr.asp -------------3proxy.cfg------------- -# !! -# !! +# ВНИМАНИЕ !! не должны быть пробелов +# перед любыми опциями конфигурации !! -# ip- DNS- +# ip-адрес DNS-сервера провайдера или локального nserver 127.0.0.1 timeouts 1 5 30 60 180 1800 15 60 -# vasia, petia vova -# 24555, 14656 45455 +# Создаем двух пользователей vasia, petia и vova +# и назначаем им пароли 24555, 14656 и 45455 соответственно users vasia:CL:24555 users petia:CL:14656 users vova:CL:45455 -# - -# +# Лог-файл со списком запросов пользователей +# будет создаваться каждый день новый log /usr/local/3proxy/logs/3proxy.log D logformat "%d-%m-%Y %H:%M:%S %U %C:%c %R:%r %O %I %T" -# , -# +# Внешний интерфейс, +# через который будут уходить запросы от сервера external 10.1.1.1 -# ip- , -# +# ip-адрес интерфейса, на котором будут приниматься +# запросы от клиентов internal 192.168.1.1 -# +# Устанавливаем тип авторизации по имени и паролю auth strong -# 80,8080-8088 +# Разрешаем доступ к портам 80,8080-8088 allow * * * 80,8080-8088 -# parent, -# ip, , +# Расскоментировать секцию parent, если у вас есть прокси верхнего +# уровня и заменить ip, порт, имя пользователя и пароль на свои значения # parent 1000 http 192.168.0.1 8080 username passwd # allow * -# HTTP-proxy (3128) -# (-n) c NTLM-) +# Запускаем службу HTTP-proxy на порту (3128) и +# (-n) c отключенной NTLM-авторизацией) proxy -p3128 -n -# -# vasia petia 20000 bps, -# vova 10000 bps +# Ограничиваем толшину канала для пользователей +# vasia и petia в 20000 bps, +# а для vova 10000 bps bandlimin 20000 vasia,petia bandlimin 10000 vova -# nobody -# ( uid gid nobody -# . id nobody) +# Запускаем сервер от пользователя nobody +# (возможно в вашей ОС uid и gid пользователя nobody +# будут другими. Для их определения воспользуйтесь коммандой id nobody) setgid 65534 setuid 65534 ------------------------------------ - , 3proxy : +После того как мы создали конфигурационный файл сервера, запускаем 3proxy командой: /usr/local/3proxy/3proxy /usr/local/3proxy/3proxy.cfg diff --git a/doc/ru/iodbc.txt b/doc/ru/iodbc.txt index 627bb3e..4b39521 100644 --- a/doc/ru/iodbc.txt +++ b/doc/ru/iodbc.txt @@ -2,9 +2,9 @@ KOI8-R Kirill Lopuchov, lopuchov at mail ru - SQL- . 3proxy ODBC- , ODBC-. - Windows, , , Unix. FreeBSD SQLite. , ( mysql postgresql odbc-) +Ведение логов сервера в SQL-базе имеет свои приемущества перед обычными текстовыми файлами. 3proxy поддерживает ведение логов через ODBC-менеджер в любой базе данных, имеющих ODBC-драйвер. Этот менеджер стал стандартом де-факто в среде Windows, чего, к сожалению, не скажешь про Unix. Поэтому далее рассмотрим на примере FreeBSD настройку ведения логов в базе SQLite. Эта база данных выбрана в качестве примера потому, что она проста в установке и настроке (в принципе настройка ведения логов в любой другой базе mysql или postgresql отличается только настройкой его odbc-драйвера) - SQLite + Устанавливаем SQLite wget http://www.sqlite.org/sqlite-2.8.14.tar.gz tar -xvzf sqlite-2.8.14.tar.gz cd sqlite @@ -12,7 +12,7 @@ cd sqlite gmake gmake install - iODBC + Устанавливаем iODBC менеджер wget http://www.iodbc.org/libiodbc-3.51.2.tar.gz tar -xvzf libiodbc-3.51.2.tar.gz cd libiodbc-3.51.2 @@ -20,24 +20,24 @@ cd libiodbc-3.51.2 make make install - odbc SQLite + Устанавливаем odbc драйвер SQLite wget http://www.ch-werner.de/sqliteodbc/sqliteodbc-0.62.tar.gz tar -xvzf sqliteodbc-0.62.tar.gz cd sqliteodbc-0.62 ./configure - configure : + Если у вас скрипт configure выдал ошибку : (configure: error: SQLite library too old) - , (SQLITE_COMPILE=1 - . 5092 if endif) configure + то ее можно попробовать обойти, вставив (SQLITE_COMPILE=1 + в стр. 5092 после условия if endif) в файле configure make make install - iODBC - /etc/odbcinst.ini /etc/odbc.ini + Далее настраиваем записи для iODBC менеджера в +файлах /etc/odbcinst.ini и /etc/odbc.ini - odbc +Настраиваем odbc драйвер --------------/etc/odbcinst.ini------------- [ODBC Drivers] SQLite=Installed @@ -46,8 +46,8 @@ SQLite=Installed Driver=/usr/local/lib/libsqliteodbc.so --------------------------------------- - DSN c "sqlite", - : /usr/local/3proxy/logs.db +Создаем DSN для базы c именем "sqlite", которая будет +располагаться в каталоге: /usr/local/3proxy/logs.db --------------/etc/odbc.ini---------------- [ODBC Data Sources] @@ -61,8 +61,8 @@ Database=/usr/local/3proxy/logs.db Timeout=2000 --------------------------------------- - (logformat -. 3proxy.cfg.sample ) +Создаем базу для логов и таблицу в формате (logformat +см. описание в 3proxy.cfg.sample ) sqlite /usr/local/3proxy/logs.db @@ -79,7 +79,7 @@ sqlite>create table log ( ...>); - 3proxy.cfg +Добавляем следующие записи в конфигурационный файл 3proxy.cfg ---------------3proxy.cfg----------------- log &sqlite @@ -88,12 +88,12 @@ l_descr) values ('%d-%m-%Y', '%H:%M:%S', '%U', '%N', %I, %O, '%T')" ------------------------------------------ -C 3proxy c iODBC, Makefile.unix +Cобрать 3proxy c поддрежкой iODBC, для этого в Makefile.unix поменять CFLAGS = -Wall -O2 -c -pthread -D_THREAD_SAFE -D_REENTRANT -DWITH_STD_MALLOC -I/usr/local/include LIBS = -L /usr/local/lib -lodbc - +и дать команды make clean make -f Makefile.unix diff --git a/doc/ru/odbc.txt b/doc/ru/odbc.txt index d0ca46a..31027d4 100644 --- a/doc/ru/odbc.txt +++ b/doc/ru/odbc.txt @@ -1,6 +1,6 @@ Eugene: Re: 3proxy 0.6 + iODBC + PostgreSQL 22.11.2007 19:04:23 - - . -1. unixODBC. + Наконец-то я разобрался и запустил. +1. Я использовал пакет unixODBC. 2. /etc/unixODBC/odbc.ini [proxy] Description = PostgreSQL ODBC driver @@ -12,7 +12,7 @@ ServerName = localhost Description = PostgreSQL ODBC driver Driver = /usr/local/lib/psqlodbcw.so Setup = /usr/lib/libodbcpsqlS.so -4. psqlodbc-08.02.0500, postgresql.org ( psqlodbcw.so). +4. Собирал вручную psqlodbc-08.02.0500, слитый с postgresql.org (получился psqlodbcw.so). 5. 3proxy.conf log &proxy,logger,123 logformat "LINSERT INTO logger (ldatetime,username,userip,trafin,trafout,service,host,port, @@ -20,9 +20,9 @@ url) VALUES ('%Y-%m-%d %H:%M:%S','%U','%C', '%I','%O','%N', '%n','%r','%T');" - odbc.ini - ODBC. - libiodbc - libiodbc.so. +То есть пароли и логины в odbc.ini прописывать не надо - система падает на драйвере ODBC. +Использовать libiodbc тоже не надо - система падает на libiodbc.so. - unixODBC + psqlodbc postgresql.org, -DSAFESQL, . - myodbc + unixODBC . -, ;) \ No newline at end of file +Все вышесказанное справедливо для unixODBC + psqlodbc производства postgresql.org, как с -DSAFESQL, так и без оного. +С myodbc + unixODBC проблем не наблюдалось никаких. +Шаманство, в общем ;) \ No newline at end of file diff --git a/man/3proxy.8 b/man/3proxy.8 index 0a26479..09987a2 100644 --- a/man/3proxy.8 +++ b/man/3proxy.8 @@ -1,4 +1,4 @@ -.TH 3proxy "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH 3proxy "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B 3proxy \- 3[APA3A] tiny proxy server, or trivial proxy server, or free proxy @@ -14,18 +14,18 @@ server .RI [ \-\-remove ] .SH DESCRIPTION .B 3proxy -is universal proxy server. It can be used to provide internal users wuth +is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources or to provide external users with access to internal resources. 3proxy is not developed to replace .BR squid (8), -but it can extend functionality of existing cashing proxy. +but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as application level gateway with configuration like hardware router has for network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started -from configuration file like independant service +from the configuration file like an independent service .BR proxy (8) .BR socks (8) .BR pop3p (8) @@ -35,24 +35,24 @@ from configuration file like independant service .BR dnspr but .BR 3proxy -is not a kind of wrapper or superserver for this daemons. It just has same +is not a kind of wrapper or superserver for these daemons. It just has the same code compiled in, but provides much more functionality. SOCKSv5 -implementatation allows to use 3proxy with any UDP or TCP based client +implementation allows you to use 3proxy with any UDP or TCP based client applications designed without proxy support (with .IR SocksCAP , .I FreeCAP -or another client-side redirector under Windows of with socksification library -under Unix). So you can play your favourite games, listen music, exchange -files and messages and even accept incoming connections behind proxy server. +or another client-side redirector under Windows or with a socksification library +under Unix). So you can play your favourite games, listen to music, exchange +files and messages and even accept incoming connections behind a proxy server. .PP .I dnspr -does not exist as independant service. It\' DNS caching proxy (it requires +does not exist as an independent service. It's a DNS caching proxy (it requires .I nscache and .I nserver -to be set in configuration. Only A-records are cached. Please note, the -this caching is mostly a 'hack' and has nothing to do with real +to be set in the configuration. Only A-records are cached. Please note that +this caching is mostly a 'hack' and has nothing to do with a real DNS server, but it works perfectly for SOHO networks. .PP @@ -65,9 +65,9 @@ NetBIOS name for Windows clients (it\'s very like ident authentication). Depending on ACL action request can be allowed, denied or redirected to another host or to another proxy server or even to a chain of proxy servers. .PP -It supports different types of logging: to logfiles, +It supports different types of logging: to logfiles, .BR syslog (3) -(only under Unix) or to ODBC database. Logging format is turnable to provide +(only under Unix) or to an ODBC database. Logging format is tunable to provide compatibility with existing log file parsers. It makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers. .SH OPTIONS @@ -77,12 +77,12 @@ Name of config file. See .BR 3proxy.cfg (3) for configuration file format. Under Windows, if config_file is not specified, .BR 3proxy -looks for file named +looks for a file named .I 3proxy.cfg -in the default location (in same directory with executable file and in current +in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads -configuration from stdin. It makes it possible to use 3proxy.cfg file as -executable script just by setting +x mode and adding +configuration from stdin. It makes it possible to use the 3proxy.cfg file as +an executable script just by setting +x mode and adding .br #!/usr/local/3proxy/3proxy .br @@ -98,28 +98,28 @@ as a system service .BR 3proxy from system services .SH SIGNALS -Under Unix there are few signals +Under Unix there are a few signals .BR 3proxy catches. See .BR kill (1). .TP .B SIGTERM -cleanup connections and exit +clean up connections and exit .TP .B SIGPAUSE -stop to accept new connections, on second signal - start and re-read +stop accepting new connections, on second signal - start and re-read configuration .TP .B SIGCONT -start to accept new conenctions +start to accept new connections .TP .B SIGUSR1 reload configuration .PP Under Windows, if .BR 3proxy -is installed as service you can standard service management to start, stop, -pause and continue 3proxy service, for example: +is installed as a service you can use standard service management to start, stop, +pause and continue the 3proxy service, for example: .br .BR "net start 3proxy" .br @@ -138,14 +138,11 @@ wget to automate this task. configuration file .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO -3proxy.cfg(3), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), +3proxy.cfg(5), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), kill(1), syslogd(8), .br https://3proxy.org/ -.SH TRIVIA -3APA3A is pronounced as \`\`zaraza\'\'. .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/3proxy.cfg.3 b/man/3proxy.cfg.3 deleted file mode 100644 index 047ad27..0000000 --- a/man/3proxy.cfg.3 +++ /dev/null @@ -1,1067 +0,0 @@ -.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server" -.SH NAME -.B 3proxy.cfg -3proxy configuration file -.SH DESCRIPTION - Common structure: -.br - Configuration file is a text file 3proxy reads configuration from. Each line -of the file is a command executed immediately, as it was given from -console. Sequence of commands is important. Configuration file as actually a -script for 3proxy executable. -Each line of the file is treated as a blank (space or tab) separated -command line. Additional space characters are ignored. -Think about 3proxy as "application level router" with console interface. - -.br - Comments: -.br - Any string beginning with space character or \'#\' character is comment. It\'s -ignored. s are ignored. is end of command. - -.br - Quotation: -.br - Quotation character is " (double quote). Quotation must be used to quote -spaces or another special characters. To use quotation character inside -quotation character must be dubbed (BASIC convention). For example to use -HELLO "WORLD" as an argument you should use it as "HELLO ""WORLD""". -Good practice is to quote any argument you use. - -.br - File inclusion: -.br - You can include file by using $FILENAME macro (replace FILENAME with a path -to file, for example $/usr/local/etc/3proxy/conf.incl or - $"c:\\\\Program Files\\3proxy\\include.cfg" Quotation is -required in last example because path contains space character. -For included file (end of line characters) is treated as space character -(arguments delimiter instead of end of command delimiter). -Thus, include files are only useful to store long signle-line commands -(like userlist, network lists, etc). -To use dollar sign somewhere in argument it must be quoted. -Recursion is not allowed. - -.br - Next commands start gateway services: - -.br -.B proxy -[options] -.br -.B socks -[options] -.br -.B pop3p -[options] -.br -.B ftppr -[options] -.br -.B admin -[options] -.br -.B dnspr -[options] -.br -.B tcppm -[options] - -.br -.B udppm -[options] - -.br - Descriptions: -.br -.B proxy -HTTP/HTTPS proxy (default port 3128) -.br -.B socks -SOCKS 4/4.5/5 proxy (default port 1080) -.br -.B pop3p -POP3 proxy (default port 110) -.br -.B ftppr -FTP proxy (default port 21) -.br -.B admin -Web interface (default port 80) -.br -.B dnspr -caching DNS proxy (default port 53) -.br -.B tcppm -TCP portmapper -.br -.B udppm -UDP portmapper - -.br - Options: -.br -.B -pNUMBER -change default server port to NUMBER -.br -.B -n -disable NTLM authentication (required if passwords are stored in Unix crypt format). -.br -.B -n1 -enable NTLMv1 authentication. -.br -.B -s - (for admin) secure, allow only secure operations, currently only traffic counters -view without ability to reset. -.br - (for dnspr) simple, do not use resolver and 3proxy cache, always use external DNS server. -.br - (for udppm) singlepacket, expect only one packet from both client and server -.br -.B -u -Never ask for username/password -.br -.B -u2 -(for socks) require username/password in authentication methods -.br -.B -a -(for proxy) anonymous proxy (no information about client reported) -.br -.B -a1 -(for proxy) anonymous proxy (random client information reported) -.br -.B -a2 -(for proxy) generate Via: and X-Forwared-For: instead of Forwarded: -.br -.B -6 -Only resolve IPv6 addresses. IPv4 addresses are packed in IPv6 in IPV6_V6ONLY compatible way. -.br -.B -4 -Only resolve IPv4 addresses -.br -.B -46 -Resolve IPv6 addresses if IPv4 address is not resolvable -.br -.B -64 -Resolve IPv4 addresses if IPv6 address is not resolvable -.br -.B -RHOST:port -listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS. -.br -.B -rHOST:port -connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS. -.br -.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS -options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets. -Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS. -.br -.B -DiINTERFACE, -DeINTERFACE -bind internal interface / external inteface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE supported by system. You may need to run as root or to have CAP_NET_RAW capability in order to bind to interface, depending on system, so this option may require root privileges and can be incompatible with some configuraton commands like chroot and setuid (and daemon if setcap is used). -.br -.B -e -External address. IP address of interface proxy should initiate connections -from. External IP must be specified if you need incoming connections. -By default system will deside which address to use in accordance -with routing table. -.br -.B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. -.br -.B -N -(for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC -By default external address is reported. It's only useful in the case -of IP-IP NAT (will not work for PAT) -.br - Also, all options mentioned for -.BR proxy (8) -.BR socks (8) -.BR pop3p (8) -.BR tcppm (8) -.BR udppm (8) -.BR ftppr (8) - are also supported. -.br - Portmapping services listen at SRCPORT and connect to DSTADDR:DSTPORT -HTTP and SOCKS proxies are standard. -.br - POP3 proxy must be configured as POP3 server and requires username in the form of: -pop3username@pop3server. If POP3 proxy access must be authenticated, you can -specify username as proxy_username:proxy_password:POP3_username@pop3server -.br - DNS proxy resolves any types of records but only hostnames are cached. It -requires nserver/nscache to be configured. If nserver is configured as TCP, -redirections are applied on connection, so parent proxy may be used to resolve -names to IP. -.br - FTP proxy can be used as FTP server in any FTP client or configured as FTP -proxy on a client with FTP proxy support. Username format is one of -.br - FTPuser@FTPServer -.br - FTPuser:FTPpassword@FTPserver -.br - proxyuser:proxypassword:FTPuser:FTPpassword@FTPserver -.br - Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name - -.br -.B include - -.br - Include config file - -.br -.B config - -.br - Path to configuration file to use on 3proxy restart or to save configuration. - -.br -.B writable -.br - ReOpens configuration file for write access via Web interface, -and rereads it. Usually should be first command on config file -but in combination with config -it can be used anywhere to open -alternate config file. Think twice before using it. - -.br -.B end -.br - End of configuration - -.br -.B log -[[@|&]logfile] [] -.br - sets logfile for all gateways -.br - @ (for Unix) use syslog, filename is used as ident name -.br - & use ODBC, filename consists of comma-delimited datasource,username,password (username and password are optional) -.br - radius - use RADIUS for logging -.br - LOGTYPE is one of: -.br - M Monthly -.br - W Weekly (starting from Sunday) -.br - D Daily -.br - H Hourly -.br - if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l -option in gateway configuration. -.br - log command supports same format specifications for filename template -as "logformat" (if filename contains \'%\' sign it\'s believed to be template). -As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or -Grinwitch time zone for all time-based format specificators. - -.br -.B rotate - - how many archived log files to keep - -.br -.B logformat - -.br - Format for log record. First symbol in format must be L (local time) -or G (absolute Grinwitch time). -It can be preceeded with -XXX+Y where XXX is list of characters to be -filtered in user input (any non-printable characters are filtered too -in this case) and Y is replacement character. For example, "-,%+ L" in -the beginning of logformat means comma and percent are replaced -with space and all time based elemnts are in local time zone. -.br - You can use: - -.br - %y Year in 2 digit format -.br - %Y Year in 4 digit format -.br - %m Month number -.br - %o Month abbriviature -.br - %d Day -.br - %H Hour -.br - %M Minute -.br - %S Second -.br - %t Timstamp (in seconds since 01-Jan-1970) -.br - %. milliseconds -.br - %z timeZone (from Grinvitch) -.br - %D request duration (in milliseconds) -.br - %b average send rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager. -.br - %B average receive rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager. -.br - %U Username -.br - %N service Name -.br - %p service Port -.br - %E Error code -.br - %C Client IP -.br - %c Client port -.br - %R Remote IP -.br - %r Remote port -.br - %i Internal IP used to accept client connection -.br - %e External IP used to establish connection -.br - %Q Requested IP -.br - %q Requested port -.br - %n requested hostname -.br - %I bytes In -.br - %O bytes Out -.br - %h Hops (redirections) count -.br - %T service specific Text -.br - %N1-N2T (N1 and N2 are positive numbers) log only fields from N1 thorugh N2 of service specific text -.br - in the case of ODBC logging logformat specifies SQL statement, for exmample: -.br - logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')" - -.br -.B logdump - -.br - Immediately creates additional log records if given amount of incoming/outgoing -traffic is achieved for connection, without waiting for connection to finish. -It may be useful to prevent information about long-lasting downloads on server -shutdown. - -.br -.B archiver - -.br - Archiver to use for log files. is file extension produced by -archiver. Filename will be last argument to archiver, optionally you -can use %A as produced archive name and %F as filename. - -.br -.B timeouts - -.br - Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5. -.br - BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream. -.br - BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request). -.br - STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers) -.br - STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request). -.br - CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc). -.br - CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc). -.br - DNS timeout for DNS request before requesting next server -.br - CHAIN timeout for reading data from chained connection -.br - default timeouts 1 5 30 60 180 1800 15 60 15 5 - -.br -.B radius - -.br - Configures RADIUS servers to be used for logging and authentication (log and auth types -must be set to radius). port and local address to use with given server may be specified. -.br - Attributes within request: User-Name, Password: (username and password if presented by client), -Service Type: Authenticate-Only, -NAS-Port-Type: NAS-Port-Virtual, -NAS-Port-ID: (proxy service port, e.g. 1080), -NAS-IPv6-Address / NAS-IP-Address: (proxy interface accessed by client), -NAS-Identifier: (text identifing proxy, e.g. PROXY or SOCKSv5), -Framed-IPv6-Address / Framed-IP-Address: (IP address of the client), -Called-Station-ID: (requested Hostname, if presents), -Login-Service: (type of request, e.g. 1001 - SOCKS CONNECT, 1010 - HTTP GET, 1013 - HTTP CONNECT), -Login-TCP-Port: (requested port), -Login-IPv6-Host / Login-IP-Host: (requested IP). -.br - Supported reply attributes for authentication: -Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message. -Use authcache to speedup authentication. RADIUS feature is currently experimental. - -.br -.B nserver -[:port][/tcp] -.br - Nameserver to use for name resolutions. If none specified -system routines for name resolution is -used. Optional port number may be specified. -If optional /tcp is added to IP address, name resolution is -performed over TCP. - -.br -.B nscache - -.B nscache6 - -.br - Cache records for name resolution (nscache for IPv4, -nscache6 for IPv6). Cachesize usually should be large enougth -(for example 65536). - -.br -.B nsrecord - -.br - Adds static record to nscache. nscache must be enabled. If 0.0.0.0 -is used as a hostaddr host will never resolve, it can be used to -blacklist something or together with -.B dialer -command to set up UDL for dialing. - -.br -.B fakeresolve -.br - All names are resolved to 127.0.0.2 address. Usefull if all requests are -redirected to parent proxy with http, socks4+, connect+ or socks5+. - -.br -.B dialer - -.br - Execute progname if external name can\'t be resolved. -Hint: if you use nscache, dialer may not work, because names will -be resolved through cache. In this case you can use something like -http://dial.right.now/ from browser to set up connection. - - -.br -.B internal - -.br - sets ip address of internal interface. This IP address will be used -to bind gateways. Alternatively you can use -i option for individual -gateways. Since 0.8 version, IPv6 address may be used. - -.br -.B external - -.br - sets ip address of external interface. This IP address will be source -address for all connections made by proxy. Alternatively you can use -e -option to specify individual address for gateway. Since 0.8 version -External or -e can be given twice: once with IPv4 and once with IPv6 address. - -.br -.B maxconn - -.br - sets maximum number of simulationeous connections to each services -started after this command. Default is 100. - -.br -.B service -.br - (depricated). Indicates 3proxy to behave as Windows 95/98/NT/2000/XP -service, no effect for Unix. Not required for 3proxy 0.6 and above. If -you upgraded from previous version of 3proxy use --remove and --install -to reinstall service. - -.br -.B daemon -.br - Should be specified to close console. Do not use \'daemon\' with \'service\'. -At least under FreeBSD \'daemon\' should preceed any proxy service -and log commands to avoid sockets problem. Always place it in the beginning -of the configuration file. - -.br -.B auth - [...] -.br - Type of user authorization. Currently supported: -.br - none - no authentication or authorization required. -.br - Note: is auth is none any ip based limitation, redirection, etc will not work. -This is default authentication type -.br - iponly - authentication by access control list with username ignored. - Appropriate for most cases -.br - useronly - authentication by username without checking for any password with -authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN / -AOL screen name as a username) -.br - dnsname - authentication by DNS hostnname with authorization by ACLs. -DNS hostname is resolved via PTR (reverse) record and validated (resolved -name must resolve to same IP address). It\'s recommended to use authcache by -ip for this authentication. -NB: there is no any password check, name may be spoofed. -.br - strong - username/password authentication required. It will work with -SOCKSv5, FTP, POP3 and HTTP proxy. -.br - cache - cached authentication, may be used with \'authcache\'. -.br - radius - authentication with RADIUS. -.br - Plugins may add additional authentication types. - -.br - It\'s possible to use few authentication types in the same commands. E.g. -.br - auth iponly strong -.br - In this case \'strong\' authentication will be used only in case resource -access can not be performed with \'iponly\' authentication, that is username is -required in ACL. It\'s usefull to protect access to some resources with -password allowing passwordless access to another resources, or to use -IP-based authentication for dedicated laptops and request username/password for -shared ones. - -.br -.B authcache - -.br - Cache authentication information to given amount of time (cachetime) in seconds. -Cahtype is one of: -.br - ip - after successful authentication all connections during caching time -from same IP are assigned to the same user, username is not requested. -.br - ip,user username is requested and all connections from the same IP are -assigned to the same user without actual authentication. -.br - user - same as above, but IP is not checked. -.br - user,password - both username and password are checked against cached ones. -.br - limit - limit user to use only one ip, \'ip\' and \'user\' are required -.br - acl - only use cached auth if user access service with same ACL -.br - ext - cache external IP -.br -Use auth type \'cache\' for cached authentication - -.br -.B allow - - -.br -.B deny - - -.br - Access control entries. All lists are comma-separated, no spaces are -allowed. Usernames are case sensitive (if used with authtype nbname -username must be in uppercase). Source and target lists may contain -IP addresses (W.X.Y.Z), ranges A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs (W.X.Y.Z/L). -Since 0.6, targetlist may also contain host names, -instead of addresses. It\'s possible to use wildmask in -the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. -Hostname is only checked if hostname presents in request. -Targetportlist may contain ports (X) or port ranges lists (X-Y). For any field * -sign means ANY. If access list is empty it\'s assumed to be -.br - allow * -.br - If access list is not empty last item in access list is assumed to be -.br - deny * -.br - You may want explicitly add deny * to the end of access list to prevent -HTTP proxy from requesting user\'s password. -Access lists are checked after user have requested any resource. -If you want 3proxy to reject connections from specific addresses -immediately without any conditions you should either bind proxy -to appropriate interface only or to use ip filters. - -.br - Operation is one of: -.br - CONNECT establish outgoing TCP connection -.br - BIND bind TCP port for listening -.br - UDPASSOC make UDP association -.br - ICMPASSOC make ICMP association (for future use) -.br - HTTP_GET HTTP GET request -.br - HTTP_PUT HTTP PUT request -.br - HTTP_POST HTTP POST request -.br - HTTP_HEAD HTTP HEAD request -.br - HTTP_CONNECT HTTP CONNECT request -.br - HTTP_OTHER over HTTP request -.br - HTTP matches any HTTP request except HTTP_CONNECT -.br - HTTPS same as HTTP_CONNECT -.br - FTP_GET FTP get request -.br - FTP_PUT FTP put request -.br - FTP_LIST FTP list request -.br - FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic -non-ptivileged (1024-65535) ports on remote side. -.br - FTP matches any FTP/FTP Data request -.br - ADMIN access to administration interface - -.br - Weeksdays are week days numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday. -.br - Timeperiodlists is a list of time -periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours. - -.br -.B parent - -.br - this command must follow "allow" rule. It extends last allow rule to -build proxy chain. Proxies may be grouped. Proxy inside the -group is selected randomly. If few groups are specified one proxy -is randomly picked from each group and chain of proxies is created -(that is second proxy connected through first one and so on). -Weight is used to group proxies. Weigt is a number between 1 and 1000. -Weights are summed and proxies are grouped together untill weight of -group is 1000. That is: -.br - allow * -.br - parent 500 socks5 192.168.10.1 1080 -.br - parent 500 connect 192.168.10.1 3128 -.br - makes 3proxy to randomly choose between 2 proxies for all outgoing -connections. These 2 proxies form 1 group (summarized weight is 1000). -.br - allow * * * 80 -.br - parent 1000 socks5 192.168.10.1 1080 -.br - parent 1000 connect 192.168.20.1 3128 -.br - parent 300 socks4 192.168.30.1 1080 -.br - parent 700 socks5 192.168.40.1 1080 -.br - creates chain of 3 proxies: 192.168.10.1, 192.168.20.1 and third -is (192.168.30.1 with probability of 0.3 or 192.168.40.1 -with probability of 0.7) for outgoing web connections. Chains are only applied to new connections, pipelined (keep-alive) requests in the same connection use the same chain. - -.br - type is one of: -.br - extip does not actully redirect request, it sets external address for this request to . It can be chained with another parent types. It's usefaul to set external IP based on ACL or make it random. -.br - tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication. -.br - http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service, -if used with different service, it works as tcp redirection. -.br - pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining) -.br - ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining) -.br - connect parent is HTTP CONNECT method proxy -.br - connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available) -.br - socks4 parent is SOCKSv4 proxy -.br - socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a) -.br - socks5 parent is SOCKSv5 proxy -.br - socks5+ parent is SOCKSv5 proxy with name resolution -.br - socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened -server reply. I never saw this kind ofservers byt they say there are). -Normally you should not use this option. Do not mess this option with -SOCKSv4a (socks4+). -.br - socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened -server reply. I think you will never find it useful). Never use this option -unless you know exactly you need it. -.br - admin redirect request to local \'admin\' service (with -s parameter). -.br - Use "+" proxy only with "fakeresolve" option -.br - - IP and port are ip addres and port of parent proxy server. -If IP is zero, ip is taken from original request, only port is changed. -If port is zero, it\'s taken from original request, only IP is changed. -If both IP and port are zero - it\'s a special case of local redirection, -it works only with -.B socks -proxy. In case of local redirection request is redirected to different service, -.B ftp -locally redirects to -.B ftppr -.B pop3 -locally redirects to -.B pop3p -.B http -locally redurects to -.B proxy -.B admin -locally redirects to admin -s service. - -.br - Main purpose of local redirections is to have requested resource -(URL or POP3 username) logged and protocol-specific filters to be applied. -In case of local redirection ACLs are revied twice: first, by SOCKS proxy up to \'parent\' -command and then with gateway service connection is -redirected (HTTP, FTP or POP3) after \'parent\' command. It means, -additional \'allow\' command is required for redirected requests, for -example: -.br - allow * * * 80 -.br - parent 1000 http 0.0.0.0 0 -.br - allow * * * 80 HTTP_GET,HTTP_POST -.br - socks -.br - redirects all SOCKS requests with target port 80 to local HTTP proxy, -local HTTP proxy parses requests and allows only GET and POST requests. -.br - parent 1000 http 1.2.3.4 0 -.br - Changes external address for given connection to 1.2.3.4 (an equivalent to -e1.2.3.4) -.br - Optional username and password are used to authenticate on parent -proxy. Username of \'*\' means username must be supplied by user. - - -.br -.B nolog - -.br - extends last allow or deny command to prevent logging, e.g. -.br -allow * * 192.168.1.1 -.br -nolog - - -.br -.B weight - -.br - extends last allow or deny command to set weight for this request -.br - allow * * 192.168.1.1 -.br - weight 100 -.br - Weight may be used for different purposes. - - -.br -.B force -.br -.B noforce -.br - If force is specified for service, configuration reload will require all current -sessions of this service to be re-authenticated. If ACL is changed or user account -is removed, old connections which do not match current are closed. -noforce allows to keep previously authenticated connections. - -.br -.B bandlimin - - -.br -.B nobandlimin - - -.br -.B bandlimout - - -.br -.B nobandlimout - - -.br - bandlim sets bandwith limitation filter to bps (bits per second) -If you want to specife bytes per second - multiply your value to 8. -bandlim rules act in a same manner as allow/deny rules except -one thing: bandwidth limiting is applied to all services, not to some -specific service. -bandlimin and nobandlimin applies to incoming traffic -bandlimout and nobandlimout applies to outgoing traffic -If tou want to ratelimit your clients with IPs 192.168.10.16/30 (4 -addresses) to 57600 bps you have to specify 4 rules like -.br - bandlimin 57600 * 192.168.10.16 -.br - bandlimin 57600 * 192.168.10.17 -.br - bandlimin 57600 * 192.168.10.18 -.br - bandlimin 57600 * 192.168.10.19 -.br - and every of you clients will have 56K channel. If you specify -.br - bandlimin 57600 * 192.168.10.16/30 -.br - you will have 56K channel shared between all clients. -if you want, for example, to limit all speed ecept access to POP3 you can use -.br - nobandlimin * * * 110 -.br - before the rest of bandlim rules. - -.br -.B connlim - - -.br -.B noconnlim - - -.br - connlim sets connections rate limit per time period for traffic -pattern controlled by ACL. Period is in seconds. If period is 0, -connlim limits a number of parallel connections. -.br - connlim 100 60 * 127.0.0.1 -.br - allows 100 connections per minute for 127.0.0.1. -.br - connlim 20 0 * 127.0.0.1 -.br - allows 20 simulationeous connections for 127.0.0.1. -.br - Like with bandlimin, if individual limit is required per client, separate -rule mustbe added for every client. Like with nobanlimin, noconnlim adds an -exception. - - - -.br -.B counter - -.br -.B countin - - -.br -.B nocountin - - -.br -.B countout - - -.br -.B nocountout - - -.br -.B countall - - -.br -.B nocountall - - -.br - - counter, countin, nocountin, countout, noucountout, countall, -nocountall commands are used to set traffic limit -in MB for period of time (day, week or month). Filename is a path -to a special file where traffic information is permanently stored. -number is sequential number of record in this file. If number is 0 -this counter is not preserved in counter file (that is -if proxy restarted all counters with 0 are flushed) overwise it -should be unique sequential number which points to position of -the couter within the file. -Type specifies a type of counter. Type is one of: -.br - H - counter is resetted hourly -.br - D - counter is resetted daily -.br - W - counter is resetted weekly -.br - M - counter is resetted monthely -.br - reporttype/repotname may be used to generate traffic reports. -Reporttype is one of D,W,M,H(hourly) and repotname specifies filename -template for reports. Report is text file with counter values in -format: -.br - -.br - The rest of parameters is identical to bandlim/nobandlim. - -.br -.B users -username[:pwtype:password] ... -.br - pwtype is one of: -.br - none (empty) - use system authentication -.br - CL - password is cleartext -.br - CR - password is crypt-style password -.br - NT - password is NT password (in hex) -.br - example: -.br - users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." -.br - users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 -.br - Note: double quotes are requiered because password contains $ sign. - -.br -.B flush -.br - empty active access list. Access list must be flushed avery time you creating -new access list for new service. For example: -.br - allow * -.br - pop3p -.br - flush -.br - allow * 192.168.1.0/24 -.br - socks -.br - sets different ACLs for -.B pop3p -and -.B socks - -.br -.B system - -.br - execute system command - -.br -.B pidfile - -.br - write pid of current process to file. It can be used to manipulate -3proxy with signals under Unix. Currently next signals are available: - -.br -.B monitor - -.br - If file monitored changes in modification time or size, 3proxy reloads -configuration within one minute. Any number of files may be monitored. - -.br -.B setuid - -.br - calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux -kernels setuid() works for current thread only. It makes it impossible to suid -for all threads. - -.br -.B setgid - -.br - calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only. - -.br -.B chroot - [] [] -.br - calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname - -.br -.B stacksize - -.br - Change default size for threads stack. May be required in some situation, -e.g. with non-default plugins, on on some platforms (some FreeBSD version -may require adjusting stack size due to invalid defined value in system -header files, this value is also oftent reqruied to be changed for ODBC and -PAM support on Linux. If you experience 3proxy -crash on request processing, try to set some positive value. You may start with -stacksize 65536 -and then find the minimal value for service to work. If you experience -memory shortage, you can try to experiment with negative values. - -.SH PLUGINS - -.br -.B plugin - [ ...] -.br - Loads specified library and calls given export function with given arguments, -as -.br - int functions_to_call(struct pluginlink * pl, int argc, char * argv[]); -.br - function_to_call must return 0 in case of success, value > 0 to indicate error. - -.br -.B filtermaxsize - -.br - If Content-length (or another data length) is greater than given value, no -data filtering will be performed thorugh filtering plugins to avoid data -corruption and/or Content-Length chaging. Default is 1MB (1048576). - -.SH BUGS -Report all bugs to -.BR 3proxy@3proxy.ru -.SH SEE ALSO -3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), -.br - https://3proxy.org/ -.SH TRIVIA -3APA3A is pronounced as \`\`zaraza\'\'. -.SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) diff --git a/man/3proxy.cfg.5 b/man/3proxy.cfg.5 new file mode 100644 index 0000000..f536b41 --- /dev/null +++ b/man/3proxy.cfg.5 @@ -0,0 +1,1363 @@ +.TH 3proxy.cfg "5" "May 2026" "3proxy 0.9" "Universal proxy server" +.SH NAME +.B 3proxy.cfg +3proxy configuration file +.SH DESCRIPTION + Common structure: +.br + Configuration file is a text file 3proxy reads configuration from. Each line +of the file is a command executed immediately, as if it were given from the +console. The sequence of commands is important. The configuration file is actually a +script for the 3proxy executable. +Each line of the file is treated as a blank (space or tab) separated +command line. Additional space characters are ignored. +Think about 3proxy as "application level router" with console interface. + +.br + Comments: +.br + Any line beginning with a space character or \'#\' character is a comment. It\'s +ignored. s are ignored. is the end of a command. + +.br + Quotation: +.br + The quotation character is " (double quote). Quotation must be used to quote +spaces or other special characters. To use a quotation character inside +a quoted string, the character must be doubled (BASIC convention). For example, to use +HELLO "WORLD" as an argument, you should write it as "HELLO ""WORLD""". +Good practice is to quote any argument you use. + +.br + File inclusion: +.br + You can include file by using $FILENAME macro (replace FILENAME with a path +to file, for example $/usr/local/etc/3proxy/conf.incl or + $"c:\\\\Program Files\\3proxy\\include.cfg" Quotation is +required in last example because path contains space character. +For included file (end of line characters) is treated as space character +(arguments delimiter instead of end of command delimiter). +Thus, include files are only useful to store long single-line commands +(like userlist, network lists, etc). +To use dollar sign somewhere in argument it must be quoted. +Recursion is not allowed. + +.br + Next commands start gateway services: + +.br +.B proxy +[options] +.br +.B socks +[options] +.br +.B pop3p +[options] +.br +.B smtpp +[options] +.br +.B ftppr +[options] +.br +.B admin +[options] +.br +.B dnspr +[options] +.br +.B tcppm +[options] +\fI\fR \fI\fR \fI\fR +.br +.B udppm +[options] +\fI\fR \fI\fR \fI\fR +.br + Descriptions: +.br +.B proxy +HTTP/HTTPS proxy (default port 3128) +.br +.B socks +SOCKS 4/4.5/5 proxy (default port 1080) +.br +.B tlspr +SNI proxy (destination address is taken from TLS handshake), may be used to redirect any TLS-based traffic +.br +.B auto +Proxy with protocol autoselection between proxy / socks / tlspr +.br +.B pop3p +POP3 proxy (default port 110) +.br +.B smtpp +SMTP proxy (default port 25) +.br +.B ftppr +FTP proxy (default port 21) +.br +.B admin +Web interface (default port 80) +.br +.B dnspr +caching DNS proxy (default port 53) +.br +.B tcppm +TCP portmapper. Destination address (DSTADDR) can be a Unix domain socket +using the syntax +.I unix:/path/to/socket +(e.g., tcppm 8080 unix:/var/run/app.sock 0). On Linux, abstract sockets use +.I unix:@socketname +syntax. When using Unix socket destination, the port number is ignored +but must be specified for syntax compatibility. +.br +.B udppm +UDP portmapper + +.br + Options: +.br +.B -p\fINUMBER\fR +change default server port to NUMBER +.br +.B -6 +Only resolve IPv6 addresses. IPv4 addresses are packed in IPv6 in IPV6_V6ONLY compatible way. +.br +.B -4 +Only resolve IPv4 addresses +.br +.B -46 +Prefer IPv4. Resolve IPv6 addresses if IPv4 address is not resolvable +.br +.B -64 +Prefer IPv6. Resolve IPv4 addresses if IPv6 address is not resolvable +.br +.B -e +External address. IP address of the interface the proxy should initiate connections +from. External IP must be specified if you need incoming connections. +By default the system will decide which address to use in accordance +with the routing table. +.br +.B -i +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax. On Linux, abstract sockets use +.I -iunix:@socketname +syntax. +.br +.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR +bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used). +.br +.B -ni\fIPATH\fB, -ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by the filesystem path \fIPATH\fR (e.g. \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) for the listening socket (\fB-ni\fR) or for outgoing connections (\fB-ne\fR). +With \fB-ni\fR the current namespace is saved before opening the listening socket and restored immediately after binding, so that the rest of the process (outgoing connections, child threads) runs in the original namespace unless \fB-ne\fR is also given. +With \fB-ne\fR the process switches to the specified namespace after the listening socket is bound (and after restoring from \fB-ni\fR if applicable). +Requires \fBCAP_SYS_ADMIN\fR (or \fBCAP_NET_ADMIN\fR on recent kernels) and is incompatible with \fBchroot\fR/\fBsetuid\fR/\fBdaemon\fR if privileges are dropped before the switch takes effect. +.br +.B -Ne +(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT). +.br +.B -Ni +(for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT). +.br +.B -R\fIHOST\fB:\fIport\fR +listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS. +.br +.B -r\fIHOST\fB:\fIport\fR +connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS. +.br +.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR +options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets. +Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS. +.br +.B -H +(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection. +This allows the proxy to receive real client IP address from HAProxy or other +load balancer that supports the PROXY protocol. The header must be sent before +any protocol-specific data. +.br +.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR) +delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling +.B -s + (for admin) secure, allow only secure operations, currently only traffic counters +view without ability to reset. +.br + (for dnspr) simple, do not use resolver and 3proxy cache, always use external DNS server. +.br + (for udppm) singlepacket, expect only one packet from both client and server +.br +.B -u +Never ask for username/password +.br +.B -u2 +(for socks) require username/password in authentication methods +.br +.B -a +(for proxy) anonymous proxy (no information about client reported) +.br +.B -a1 +(for proxy) anonymous proxy (random client information reported) +.br +.B -a2 +(for proxy) generate Via: and X-Forwarded-For: instead of Forwarded: +.br + Also, all options mentioned for +.BR proxy (8) +.BR socks (8) +.BR pop3p (8) +.BR tcppm (8) +.BR udppm (8) +.BR ftppr (8) + are also supported. +.br + Portmapping services listen at SRCPORT and connect to DSTADDR:DSTPORT +HTTP and SOCKS proxies are standard. +.br + POP3 proxy must be configured as POP3 server and requires username in the form of: +pop3username@pop3server. If POP3 proxy access must be authenticated, you can +specify username as proxy_username:proxy_password:POP3_username@pop3server +.br + DNS proxy resolves any types of records but only hostnames are cached. It +requires \fBnserver\fR/\fBnscache\fR to be configured. If \fBnserver\fR is configured as TCP, +redirections are applied on connection, so parent proxy may be used to resolve +names to IP. +.br + FTP proxy can be used as FTP server in any FTP client or configured as FTP +proxy on a client with FTP proxy support. Username format is one of +.br + FTPuser@FTPServer +.br + FTPuser:FTPpassword@FTPserver +.br + proxyuser:proxypassword:FTPuser:FTPpassword@FTPserver +.br + Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name + +.br +.BR include +\fI\fR +.br + Include config file + +.br +.BR config +\fI\fR +.br + Path to configuration file to use on 3proxy restart or to save configuration. + +.br +.B writable +.br + ReOpens configuration file for write access via Web interface, +and rereads it. Usually should be first command on config file +but in combination with config +it can be used anywhere to open +alternate config file. Think twice before using it. + +.br +.B end +.br + End of configuration + +.br +.BR log +[[@|&]\fIlogfile\fR] [\fI\fR] +.br + sets logfile for all gateways +.br + @ (for Unix) use syslog, filename is used as ident name +.br + & use ODBC, filename consists of comma-delimited datasource,username,password (username and password are optional) +.br + radius - use RADIUS for logging +.br + LOGTYPE is one of: +.br + \fBc\fR Minutely +.br + \fBH\fR Hourly +.br + \fBD\fR Daily +.br + \fBW\fR Weekly (starting from Sunday) +.br + \fBM\fR Monthly +.br + \fBY\fR Annually +.br + if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l +option in gateway configuration. +.br + log command supports same format specifications for filename template +as "logformat" (if filename contains \'%\' sign it\'s believed to be template). +As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or +Grinwitch time zone for all time-based format specificators. + +.br +.BR rotate +\fI\fR + how many archived log files to keep + +.br +.BR logformat +\fI\fR +.br + Format for log record. First symbol in format must be L (local time) +or G (absolute Grinwitch time). +It can be preceeded with -XXX+Y where XXX is list of characters to be +filtered in user input (any non-printable characters are filtered too +in this case) and Y is replacement character. For example, "-,%+ L" in +the beginning of logformat means comma and percent are replaced +with space and all time based elemnts are in local time zone. +.br + You can use: + +.br + %y Year in 2 digit format +.br + %Y Year in 4 digit format +.br + %m Month number +.br + %o Month abbreviation +.br + %d Day +.br + %H Hour +.br + %M Minute +.br + %S Second +.br + %t Timestamp (in seconds since 01-Jan-1970) +.br + %. milliseconds +.br + %z time zone (from Greenwich) +.br + %D request duration (in milliseconds) +.br + %b average send rate per request (in bytes per second); this speed is typically below the connection speed shown by the download manager. +.br + %B average receive rate per request (in bytes per second); this speed is typically below the connection speed shown by the download manager. +.br + %U Username +.br + %N service Name +.br + %p service Port +.br + %E Error code +.br + %C Client IP +.br + %c Client port +.br + %R Remote IP +.br + %r Remote port +.br + %i Internal IP used to accept client connection +.br + %e External IP used to establish connection +.br + %Q Requested IP +.br + %q Requested port +.br + %n requested hostname +.br + %I bytes In +.br + %O bytes Out +.br + %h Hops (redirections) count +.br + %T service specific Text +.br + %N1-N2T (N1 and N2 are positive numbers) log only fields from N1 through N2 of service-specific text +.br + In the case of ODBC logging, logformat specifies an SQL statement, for example: +.br + logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')" + +.br +.BR logdump +\fI\fR \fI\fR +.br + Immediately creates additional log records if given amount of incoming/outgoing +traffic is achieved for connection, without waiting for connection to finish. +It may be useful to prevent information about long-lasting downloads on server +shutdown. + +.br +.BR delimchar +\fI\fR +.br + Sets the delimiter character used to separate username from hostname in proxy +authentication strings (e.g. for FTP, POP3 proxies). Default is \'@\'. For example, +to use \'#\' instead: delimchar #. This allows usernames to contain the \'@\' character. + +.br +.BR archiver +\fI\fR \fI\fR +.br + Archiver to use for log files. is file extension produced by +archiver. Filename will be last argument to archiver, optionally you +can use %A as produced archive name and %F as filename. + +.br +.BR timeouts +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +.br + Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5. +.br + \fBBYTE_SHORT\fR short timeout for single byte, is usually used for receiving single byte from stream. +.br + \fBBYTE_LONG\fR long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request). +.br + \fBSTRING_SHORT\fR short timeout, for character string within stream (for example to wait between 2 HTTP headers) +.br + \fBSTRING_LONG\fR long timeout, for first string in stream (for example to wait for HTTP request). +.br + \fBCONNECTION_SHORT\fR inactivity timeout for short connections (HTTP, POP3, etc). +.br + \fBCONNECTION_LONG\fR inactivity timeout for long connection (SOCKS, portmappers, etc). +.br + \fBDNS\fR timeout for DNS request before requesting next server +.br + \fBCHAIN\fR timeout for reading data from chained connection +.br + default timeouts 1 5 30 60 180 1800 15 60 15 5 + +.br +.BR maxseg +\fI\fR +.br + Sets TCP maximum segment size (MSS) for outgoing connections. This can be used +to work around path MTU discovery issues or to optimize traffic for specific +network conditions. + +.br +.BR radius +\fI\fR \fI\fR[:\fIport\fR][/\fItcp\fR] +.br + Nameserver to use for name resolutions. If none specified +system routines for name resolution is +used. Optional port number may be specified. +If optional /tcp is added to IP address, name resolution is +performed over TCP. + +.br +.BR authnserver +\fI\fR[:\fIport\fR][/\fItcp\fR] +.br + Nameserver to use for DNS-based authentication (e.g. dnsname auth type). +If not specified, nserver is used. The syntax is the same as for nserver. + +.br +.BR nscache +\fI\fR +.BR nscache6 +\fI\fR +.br + Cache \fI\fR records for name resolution (\fBnscache\fR for IPv4, +\fBnscache6\fR for IPv6). The cache size should usually be large enough +(for example, 65536). + +.br +.BR nsrecord +\fI\fR \fI\fR +.br + Adds static record to nscache. \fBnscache\fR must be enabled. If 0.0.0.0 +is used as a hostaddr host will never resolve, it can be used to +blacklist something or together with +.B dialer +command to set up UDL for dialing. + +.br +.B fakeresolve +.br + All names are resolved to the 127.0.0.2 address. Useful if all requests are +redirected to a parent proxy with \fBhttp\fR, \fBsocks4+\fR, \fBconnect+\fR or \fBsocks5+\fR. + +.br +.BR dialer +\fI\fR +.br + Execute progname if external name can\'t be resolved. +Hint: if you use nscache, dialer may not work, because names will +be resolved through cache. In this case you can use something like +http://dial.right.now/ from browser to set up connection. + + +.br +.BR internal +\fI\fR +.br + sets ip address of internal interface. This IP address will be used +to bind gateways. Alternatively you can use -i option for individual +gateways. Since 0.8 version, IPv6 address may be used. +.br +Unix domain sockets are supported with the syntax +.I unix:/path/to/socket +(e.g., internal unix:/var/run/3proxy.sock). On Linux, abstract (fileless) +Unix sockets are supported with the syntax +.I unix:@socketname +(e.g., internal unix:@3proxy). When using Unix sockets, the socket file +is automatically created and removed on service start/stop. + +.br +.BR external +\fI\fR +.br + sets ip address of external interface. This IP address will be source +address for all connections made by proxy. Alternatively you can use -e +option to specify individual address for gateway. Since 0.8 version +External or \fB-e\fR can be given twice: once with IPv4 and once with IPv6 address. + +.br +.BR maxconn +\fI\fR +.br + sets the maximum number of simultaneous connections to each service +started after this command at the network level. Default is 100. +.br + To limit clients, use \fBconnlim\fR instead. \fBmaxconn\fR will silently ignore +new connections, while \fBconnlim\fR will report back to the client that +the connection limit has been reached. + +.br +.B backlog +.br + sets the listening socket backlog of new connections. Default is +1 + \fBmaxconn\fR/8. Maximum value is capped by kernel tunable somaxconn. + +.br +.B service +.br + (deprecated). Indicates that 3proxy should behave as a Windows 95/98/NT/2000/XP +service; has no effect under Unix. Not required for 3proxy 0.6 and above. If +you upgraded from a previous version of 3proxy, use --remove and --install +to reinstall the service. + +.br +.B daemon +.br + Should be specified to close the console. Do not use \'daemon\' with \'service\'. +At least under FreeBSD, \fBdaemon\fR should precede any proxy service +and log commands to avoid socket problems. Always place it in the beginning +of the configuration file. + +.br +.BR auth +\fI\fR [...] +.br + Type of user authorization. Currently supported: +.br + \fBnone\fR - no authentication or authorization required. +.br + Note: if auth is none, any IP-based limitation, redirection, etc. will not work. +This is the default authentication type +.br + \fBiponly\fR - authentication by access control list with username ignored. + Appropriate for most cases +.br + \fBuseronly\fR - authentication by username without checking for any password with +authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN / +AOL screen name as a username) +.br + \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs. +The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved +name must resolve to the same IP address). It\'s recommended to use authcache by +IP for this authentication. +NB: there is no password check; the name may be spoofed. +.br + \fBstrong\fR - username/password authentication required. It will work with +SOCKSv5, FTP, POP3 and HTTP proxy. +.br + \fBcache\fR - cached authentication, may be used with \'authcache\'. +.br + \fBradius\fR - authentication with RADIUS. +.br + Plugins may add additional authentication types. + +.br + It\'s possible to use multiple authentication types in the same command. E.g. +.br + auth iponly strong +.br + In this case, \'strong\' authentication will be used only if resource +access cannot be performed with \'iponly\' authentication, that is, a username is +required in the ACL. It\'s useful to protect access to some resources with +a password while allowing passwordless access to other resources, or to use +IP-based authentication for dedicated laptops and request a username/password for +shared ones. + +.br +.BR authcache +\fI\fR \fI\fR \fI\fR +.br + Cache authentication information for a given amount of time (cachetime) in seconds. +cachesize limits number of cache entries. +Cachetype is one of: +.br + \fBip\fR - after successful authentication all connections during caching time +from same IP are assigned to the same user, username is not requested. +.br + \fBip,user\fR username is requested and all connections from the same IP are +assigned to the same user without actual authentication. +.br + \fBuser\fR - same as above, but IP is not checked. +.br + \fBuser,password\fR - both username and password are checked against cached ones. +.br + \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required +.br + \fBack\fR - only use cached auth if user access service with same ACL +.br + \fBext\fR - cache external IP +.br +Use auth type \fBcache\fR for cached authentication + +.br +.BR allow +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR deny +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR redirect +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br + Access control entries. All lists are comma-separated, no spaces are +allowed. Usernames are case sensitive (if used with authtype nbname +username must be in uppercase). Source and target lists may contain +IP addresses (W.X.Y.Z), ranges A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs (W.X.Y.Z/L). +Since 0.6, the targetlist may also contain host names, +instead of addresses. It\'s possible to use a wildmask in +the beginning and at the end of the hostname, e.g. *badsite.com or *badcontent*. +The hostname is only checked if a hostname is present in the request. +Targetportlist may contain ports (X) or port ranges lists (X-Y). For any field * +sign means ANY. If access list is empty it\'s assumed to be +.br + allow * +.br + If access list is not empty last item in access list is assumed to be +.br + deny * +.br + You may want explicitly add deny * to the end of access list to prevent +HTTP proxy from requesting user\'s password. +Access lists are checked after user have requested any resource. +If you want 3proxy to reject connections from specific addresses +immediately without any conditions you should either bind proxy +to appropriate interface only or to use ip filters. + +.br + Operation is one of: +.br + \fBCONNECT\fR establish outgoing TCP connection +.br + \fBBIND\fR bind TCP port for listening +.br + \fBUDPASSOC\fR make UDP association +.br + \fBICMPASSOC\fR make ICMP association (for future use) +.br + \fBHTTP_GET\fR HTTP GET request +.br + \fBHTTP_PUT\fR HTTP PUT request +.br + \fBHTTP_POST\fR HTTP POST request +.br + \fBHTTP_HEAD\fR HTTP HEAD request +.br + \fBHTTP_CONNECT\fR HTTP CONNECT request +.br + \fBHTTP_OTHER\fR over HTTP request +.br + \fBHTTP\fR matches any HTTP request except HTTP_CONNECT +.br + \fBHTTPS\fR same as HTTP_CONNECT +.br + \fBFTP_GET\fR FTP get request +.br + \fBFTP_PUT\fR FTP put request +.br + \fBFTP_LIST\fR FTP list request +.br + \fBFTP_DATA\fR FTP data connection. Note: FTP_DATA requires access to dynamic +non-privileged (1024-65535) ports on the remote side. +.br + \fBFTP\fR matches any FTP/FTP Data request +.br + \fBADMIN\fR access to administration interface + +.br + Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday. +.br + Timeperiodlists is a list of time +periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours. + +.br +.BR parent +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +.br + this command must follow "allow" rule. It extends last allow rule to +build proxy chain. Proxies may be grouped. Proxy inside the +group is selected randomly. If few groups are specified one proxy +is randomly picked from each group and chain of proxies is created +(that is second proxy connected through first one and so on). +Weight is used to group proxies. Weight is a number between 1 and 1000. +Weights are summed and proxies are grouped together until the weight of +the group is 1000. That is: +.br + allow * +.br + parent 500 socks5 192.168.10.1 1080 +.br + parent 500 connect 192.168.10.1 3128 +.br + makes 3proxy to randomly choose between 2 proxies for all outgoing +connections. These 2 proxies form 1 group (summarized weight is 1000). +.br + allow * * * 80 +.br + parent 1000 socks5 192.168.10.1 1080 +.br + parent 1000 connect 192.168.20.1 3128 +.br + parent 300 socks4 192.168.30.1 1080 +.br + parent 700 socks5 192.168.40.1 1080 +.br + creates chain of 3 proxies: 192.168.10.1, 192.168.20.1 and third +is (192.168.30.1 with probability of 0.3 or 192.168.40.1 +with probability of 0.7) for outgoing web connections. Chains are only applied to new connections, pipelined (keep-alive) requests in the same connection use the same chain. + +.br + type is one of: +.br + \fBextip\fR does not actually redirect the request; it sets the external address for this request to \fI\fR. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random. +.br + \fBtcp\fR simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication. +.br + \fBhttp\fR redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service, +if used with different service, it works as tcp redirection. +.br + \fBpop3\fR redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining) +.br + \fBftp\fR redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining) +.br + \fBconnect\fR parent is HTTP CONNECT method proxy +.br + \fBconnect+\fR parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available) +.br + \fBsocks4\fR parent is SOCKSv4 proxy +.br + \fBsocks4+\fR parent is SOCKSv4 proxy with name resolution (SOCKSv4a) +.br + \fBsocks5\fR parent is SOCKSv5 proxy +.br + \fBsocks5+\fR parent is SOCKSv5 proxy with name resolution +.br + \fBsocks4b\fR parent is SOCKS4b (broken SOCKSv4 implementation with shortened +server reply; I never saw this kind of server, but they say there are some). +Normally you should not use this option. Do not confuse this option with +SOCKSv4a (\fBsocks4+\fR). +.br + \fBsocks5b\fR parent is SOCKS5b (broken SOCKSv5 implementation with shortened +server reply. I think you will never find it useful). Never use this option +unless you know exactly you need it. +.br + \fBadmin\fR redirect request to local \'admin\' service (with -s parameter). +.br +\fBha\fR send HAProxy PROXY protocol v1 header to parent proxy. Must be the last +in the proxy chain. Useful for passing client IP information to the parent proxy. +Example: parent 1000 ha +.br +Use "+" proxy only with \fBfakeresolve\fR option +.br + + IP and port are ip addres and port of parent proxy server. +If IP is zero, ip is taken from original request, only port is changed. +If port is zero, it\'s taken from original request, only IP is changed. +If both IP and port are zero - it\'s a special case of local redirection, +it works only with +.B socks +proxy. In case of local redirection request is redirected to different service, +.B ftp +locally redirects to +.B ftppr +.B pop3 +locally redirects to +.B pop3p +.B http +locally redirects to +.B proxy +.B admin +locally redirects to the admin -s service. +.br +Unix domain sockets can be used instead of IP address with the syntax +.I unix:/path/to/socket +(e.g., parent 1000 socks5 unix:/var/run/parent.sock 1080). On Linux, +abstract (fileless) Unix sockets are supported with +.I unix:@socketname +syntax (e.g., parent 1000 http unix:@parent.proxy 3128). When using Unix +sockets, the port number is ignored but must be specified for syntax compatibility. + +.br + Main purpose of local redirections is to have the requested resource +(URL or POP3 username) logged and protocol-specific filters applied. +In case of local redirection, ACLs are reviewed twice: first, by the SOCKS proxy up to the \'parent\' +command and then by the gateway service the connection is +redirected to (HTTP, FTP or POP3) after the \'parent\' command. It means +an additional \'allow\' command is required for redirected requests, for +example: +.br + allow * * * 80 +.br + parent 1000 http 0.0.0.0 0 +.br + allow * * * 80 HTTP_GET,HTTP_POST +.br + socks +.br + redirects all SOCKS requests with target port 80 to local HTTP proxy, +local HTTP proxy parses requests and allows only GET and POST requests. +.br + parent 1000 http 1.2.3.4 0 +.br + Changes the external address for a given connection to 1.2.3.4 (equivalent to \fB-e1.2.3.4\fR) +.br + Optional username and password are used to authenticate on parent +proxy. Username of \'*\' means username must be supplied by user. + +.br +.BR parentretries +\fI\fR +.br + Number of retries to connect to parent proxy. Default is 1. + + +.br +.BR nolog +\fI\fR +.br + extends last allow or deny command to prevent logging, e.g. +.br +allow * * 192.168.1.1 +.br +nolog + + +.br +.BR weight +\fI\fR +.br + extends last allow or deny command to set weight for this request +.br + allow * * 192.168.1.1 +.br + weight 100 +.br + Weight may be used for different purposes. + + +.br +.B force +.br +.B noforce +.br + If force is specified for service, configuration reload will require all current +sessions of this service to be re-authenticated. If ACL is changed or user account +is removed, old connections which do not match current are closed. +noforce allows to keep previously authenticated connections. + +.br +.BR bandlimin +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR nobandlimin +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR bandlimout +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR nobandlimout +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br + bandlim sets a bandwidth limitation filter to \fI\fR bps (bits per second). +If you want to specify bytes per second, multiply your value by 8. +bandlim rules act in the same manner as allow/deny rules, except for +one thing: bandwidth limiting is applied to all services, not to some +specific service. +\fBbandlimin\fR and \fBnobandlimin\fR apply to incoming traffic +.br +\fBbandlimout\fR and \fBnobandlimout\fR apply to outgoing traffic +.br +If you want to ratelimit your clients with IPs 192.168.10.16/30 (4 +addresses) to 57600 bps, you have to specify 4 rules like +.br + bandlimin 57600 * 192.168.10.16 +.br + bandlimin 57600 * 192.168.10.17 +.br + bandlimin 57600 * 192.168.10.18 +.br + bandlimin 57600 * 192.168.10.19 +.br + and each of your clients will have a 56K channel. If you specify +.br + bandlimin 57600 * 192.168.10.16/30 +.br + you will have a 56K channel shared between all clients. +If you want, for example, to limit all speed except access to POP3, you can use +.br + nobandlimin * * * 110 +.br + before the rest of bandlim rules. + +.br +.BR connlim +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR noconnlim +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br + connlim sets connections rate limit per time period for traffic +pattern controlled by ACL. Period is in seconds. If period is 0, +\fBconnlim\fR limits a number of parallel connections. +.br + connlim 100 60 * 127.0.0.1 +.br + allows 100 connections per minute for 127.0.0.1. +.br + connlim 20 0 * 127.0.0.1 +.br + allows 20 simultaneous connections for 127.0.0.1. +.br + Like with \fBbandlimin\fR, if an individual limit is required per client, a separate +rule must be added for every client. Like with nobandlimin, noconnlim adds an +exception. + + + +.br +.BR counter +\fI\fR \fI\fR \fI\fR +.br +.BR countin +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR nocountin +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR countout +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR nocountout +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR countall +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br +.BR nocountall +\fI\fR \fI\fR \fI\fR \fI\fR \fI\fR +\fI\fR \fI\fR +.br + + counter, countin, nocountin, countout, nocountout, countall, +nocountall commands are used to set a traffic limit +in MB for a period of time (day, week or month). Filename is a path +to a special file where traffic information is permanently stored. +The number is the sequential number of the record in this file. If the number is 0, +this counter is not preserved in the counter file (that is, +if the proxy is restarted, all counters with 0 are flushed); otherwise, it +should be a unique sequential number which points to the position of +the counter within the file. +Type specifies a type of counter. Type is one of: +.br + \fBH\fR - counter is reset hourly +.br + \fBD\fR - counter is reset daily +.br + \fBW\fR - counter is reset weekly +.br + \fBM\fR - counter is reset monthly +.br + reporttype/reportname may be used to generate traffic reports. +Reporttype is one of D, W, M, H (hourly) and reportname specifies the filename +template for reports. The report is a text file with counter values in +the format: +.br + \fI\fR \fI\fR +.br + The rest of parameters is identical to \fBbandlim\fR/\fBnobandlim\fR. + +.br +.BR users +\fIusername\fR[:\fIpwtype\fR:\fIpassword\fR] ... +.br + pwtype is one of: +.br + none (empty) - use system authentication +.br + \fBCL\fR - password is cleartext +.br + \fBCR\fR - password is crypt-style password +.br + \fBNT\fR - password is NT password (in hex) +.br + example: +.br + users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." +.br + users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 +.br + Note: double quotes are required because the password contains a $ sign. + +.br +.B flush +.br + empty the active access list. The access list must be flushed every time you create a +new access list for a new service. For example: +.br + allow * +.br + pop3p +.br + flush +.br + allow * 192.168.1.0/24 +.br + socks +.br + sets different ACLs for +.B pop3p +and +.B socks + +.br +.BR system +\fI\fR +.br + execute system command + +.br +.BR pidfile +\fI\fR +.br + write pid of current process to file. It can be used to manipulate +3proxy with signals under Unix. Currently next signals are available: + +.br +.BR monitor +\fI\fR +.br + If file monitored changes in modification time or size, 3proxy reloads +configuration within one minute. Any number of files may be monitored. + +.br +.BR setuid +\fI\fR +.br + calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux +kernels setuid() works for current thread only. It makes it impossible to suid +for all threads. + +.br +.BR setgid +\fI\fR +.br + calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only. + +.br +.BR chroot +\fI\fR [\fI\fR] [\fI\fR] +.br + calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname + +.br +.BR stacksize +\fI\fR +.br + Change the default size for thread stacks. May be required in some situations, +e.g. with non-default plugins, or on some platforms (some FreeBSD versions +may require adjusting the stack size due to an incorrectly defined value in system +header files; this value is also often required to be changed for ODBC and +PAM support on Linux). If you experience 3proxy +crash on request processing, try to set some positive value. You may start with +stacksize 65536 +and then find the minimal value for the service to work. If you experience +memory shortage, you can try to experiment with negative values. + +.SH PLUGINS + +.br +.BR plugin +\fI\fR \fI\fR [\fI\fR ...] +.br + Loads specified library and calls given export function with given arguments, +as +.br + int functions_to_call(struct pluginlink * pl, int argc, char * argv[]); +.br + function_to_call must return 0 in case of success, value > 0 to indicate error. + +.br +.BR filtermaxsize +\fI\fR +.br + If Content-length (or another data length) is greater than the given value, no +data filtering will be performed through filtering plugins to avoid data +corruption and/or Content-Length changing. Default is 1MB (1048576). + +.SH SSL/TLS SUPPORT +SSL/TLS support is built into 3proxy (since 0.9.7) when compiled with OpenSSL +(WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated +into the main binary. The plugin line is no longer required. + +SSL/TLS can be used for: +- transparent MITM (Man-in-the-Middle) for TLS traffic inspection +- https:// proxy (TLS-encrypted connection between client and proxy) +- TLS client connections to upstream servers with certificate authentication +- mTLS (mutual TLS) requiring client certificates + +.SS MITM Commands +.br +.BR ssl_mitm +- spoof certificates for services started below. Usage without ssl_client_verify is insecure. +.br +.BR ssl_nomitm +- do not spoof certificates for services started below + +.SS Server TLS Commands +.br +.BR ssl_serv +(or ssl_server) - require TLS connection from clients for services below +.br +.BR ssl_noserv +(or ssl_noserver) - do not require TLS connection from clients for services below + +.SS Client TLS Commands +.br +.BR ssl_cli +(or ssl_client) - establish TLS connection to upstream server for services below +.br +.BR ssl_nocli +(or ssl_noclient) - do not establish TLS connection to upstream server for services below + +.SS SSL Parameters +.br +.BR ssl_server_cert +\fI/path/to/cert\fR - Server certificate (should not be self-signed, must contain SAN) for ssl_serv +.br +.BR ssl_server_key +\fI/path/to/key\fR - Server certificate key for ssl_server_cert or generated MITM certificate +.br +.BR ssl_client_cert +\fI/path/to/cert\fR - Client certificate for authentication on upstream server (used with ssl_cli) +.br +.BR ssl_client_key +\fI/path/to/key\fR - Client certificate key for ssl_client_cert +.br +.BR ssl_client_ciphersuites +\fIciphersuites_list\fR - TLS client ciphers for TLS 1.3 +.br +.BR ssl_server_ciphersuites +\fIciphersuites_list\fR - TLS server ciphers for TLS 1.3 +.br +.BR ssl_client_cipher_list +\fIciphers_list\fR - TLS client ciphers for TLS 1.2 and below +.br +.BR ssl_server_cipher_list +\fIciphers_list\fR - TLS server ciphers for TLS 1.2 and below +.br +.BR ssl_client_min_proto_version +\fItls_version\fR - TLS client minimum TLS version (e.g., TLSv1.2) +.br +.BR ssl_server_min_proto_version +\fItls_version\fR - TLS server minimum TLS version +.br +.BR ssl_client_max_proto_version +\fItls_version\fR - TLS client maximum TLS version +.br +.BR ssl_server_max_proto_version +\fItls_version\fR - TLS server maximum TLS version +.br +.BR ssl_client_verify +- verify the certificate for the upstream server (used with ssl_mitm or ssl_cli) +.br +.BR ssl_client_no_verify +- do not verify the certificate for the upstream server (default) +.br +.BR ssl_server_verify +- require client certificate authentication (mTLS) for ssl_serv +.br +.BR ssl_server_no_verify +- do not require client certificate (default) +.br +.BR ssl_server_ca_file +\fI/path/to/cafile\fR - CA certificate file for MITM +.br +.BR ssl_server_ca_key +\fI/path/to/cakey\fR - key for ssl_server_ca_file MITM CA +.br +.BR ssl_server_ca_dir +\fI/path/to/cadir\fR - CA directory for ssl_server_verify +.br +.BR ssl_server_ca_store +\fI/path/to/castore\fR - CA store for ssl_server_verify (OpenSSL 3.0+) +.br +.BR ssl_client_ca_file +\fI/path/to/cafile\fR - CA file for ssl_client_verify +.br +.BR ssl_client_ca_dir +\fI/path/to/cadir\fR - CA directory for ssl_client_verify +.br +.BR ssl_client_ca_store +\fI/path/to/castore\fR - CA store for ssl_client_verify (OpenSSL 3.0+) +.br +.BR ssl_client_sni +\fIhostname\fR - SNI hostname to send to upstream server +.br +.BR ssl_client_alpn +\fIprotocol1 protocol2 ...\fR - ALPN protocols to negotiate with upstream server +.br +.BR ssl_client_mode +\fImode\fR - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's') +.br +.BR ssl_certcache +\fI/path/to/cache/\fR - location for the generated MITM certificates cache + +.SH PCRE FILTERING +PCRE (Perl Compatible Regular Expressions) filtering is built into 3proxy +(since 0.9.7) when compiled with PCRE2 support (WITH_PCRE). Previously +available as PCREPlugin, the functionality is now integrated into the main +binary. The plugin line is no longer required. + +PCRE filtering allows creating matching and replacement rules with regular +expressions for client requests, headers, and data. + +.SS PCRE Commands +.br +.BR pcre +\fITYPE FILTER_ACTION REGEXP [ACE]\fR +.br +Apply a rule for matching regular expression. +.br +.BR pcre_rewrite +\fITYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]\fR +.br +Match and replace with rewrite expression. +.br +.BR pcre_extend +\fIFILTER_ACTION [ACE]\fR +.br +Extend the ACL of the last pcre or pcre_rewrite command by adding an additional ACE. +.br +.BR pcre_options +\fIOPTION1 [OPTION2 ...]\fR +.br +Set matching options. Both PCRE2 native options and PCRE compatibility options +are supported. PCRE options are mapped to their PCRE2 equivalents for backward +compatibility. +.br +PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE, PCRE2_DOTALL, PCRE2_EXTENDED, +PCRE2_DOLLAR_ENDONLY, PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE, +PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF, PCRE2_ALT_BSUX, +PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES, PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE, +PCRE2_LITERAL, PCRE2_MATCH_INVALID_UTF. +.br +PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE, PCRE_DOTALL, PCRE_EXTENDED, +PCRE_ANCHORED, PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL, PCRE_UNGREEDY, +PCRE_NOTEMPTY, PCRE_UTF8, PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT, +PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART, PCRE_FIRSTLINE, PCRE_DUPNAMES, +PCRE_NEWLINE_CR, PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY, PCRE_NEWLINE_ANYCRLF, +PCRE_BSR_ANYCRLF, PCRE_BSR_UNICODE. + +.SS PCRE Parameters +TYPE - type of filtered data (comma-delimited list): +.br + request - content of the client's request (e.g., HTTP GET request string) +.br + cliheader - content of the client request headers +.br + srvheader - content of the server's reply headers +.br + clidata - data received from the client (e.g., HTTP POST data) +.br + srvdata - data received from the server (e.g., HTML page) + +FILTER_ACTION - action on match: +.br + allow - allow this request without checking the rest of the rules +.br + deny - deny this request without checking the rest of the rules +.br + dunno - continue with the rest of the rules (useful with pcre_rewrite) + +REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching is required. + +REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings +$1, $2, etc. $0 means the whole matched string. \er and \en may be used +to insert new lines; the string may be empty (""). + +ACE - access control entry (user names, source IPs, destination IPs, ports, etc.), +identical to allow/deny/bandlimin commands. The regular expression is only +matched if the ACL matches the connection data. +Warning: Regular expressions don't require authentication and cannot replace +authentication and/or allow/deny ACLs. + +.SH BUGS +Report all bugs to +.BR 3proxy@3proxy.org +.SH SEE ALSO +3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), +.br + https://3proxy.org/ +.SH AUTHORS +3proxy is designed by Vladimir Dubrovin diff --git a/man/3proxy_crypt.8 b/man/3proxy_crypt.8 new file mode 100644 index 0000000..625155c --- /dev/null +++ b/man/3proxy_crypt.8 @@ -0,0 +1,80 @@ +.TH 3proxy_crypt "8" "May 2026" "3proxy 0.9" "Universal proxy server" +.SH NAME +.B 3proxy_crypt +\- utility to generate encrypted passwords for 3proxy +.SH SYNOPSIS +.B 3proxy_crypt +.I password +.br +.B 3proxy_crypt +.I salt password +.SH DESCRIPTION +.B 3proxy_crypt +is a utility to generate encrypted password hashes for use with 3proxy +configuration. Encrypted passwords allow the system to avoid storing +passwords in cleartext in configuration files. +.PP +When invoked with a single argument, it produces an NT password hash +(MD4-based, suitable for NTLM authentication). The output is prefixed with +.BR NT: . +.PP +When invoked with two arguments (salt and password), it produces a BLAKE2b +password hash. The salt length is limited to 64 characters. The output is +prefixed with +.BR CR: . +.PP +The resulting hash can be used in the 3proxy configuration file with the +.B users +directive instead of a cleartext password. +.SH OPTIONS +.TP +.I password +Cleartext password to encrypt. +.TP +.I salt +Salt string for BLAKE2b hashing (max 64 characters). +.SH EXAMPLE +.TP +Generate NT password hash: +.RS +3proxy_crypt MySecretPassword +.RE +.TP +Result: +.RS +NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7 +.RE +.TP +Generate BLAKE2b password hash with salt: +.RS +3proxy_crypt MySalt MySecretPassword +.RE +.TP +Result: +.RS +CR:$3$MySalt$... +.RE +.TP +Using in 3proxy.cfg: +.RS +users user1:CR:$3$MySalt$... +.RE +.SH NOTES +The NT hash uses the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash +uses the BLAKE2 cryptographic hash function. +.PP +When a password hash is prefixed with +.B NT: +or +.BR CR: , +3proxy uses the corresponding algorithm to verify passwords instead of +comparing cleartext strings. +.SH BUGS +Report all bugs to +.BR 3proxy@3proxy.org +.SH SEE ALSO +3proxy(8), 3proxy.cfg(5), +.br +https://3proxy.org/ +.SH AUTHORS +3proxy is designed by Vladimir Dubrovin diff --git a/man/ftppr.8 b/man/ftppr.8 index 3f477aa..93665d4 100644 --- a/man/ftppr.8 +++ b/man/ftppr.8 @@ -1,4 +1,4 @@ -.TH ftppr "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH ftppr "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B ftppr \- FTP proxy gateway service @@ -19,7 +19,7 @@ servers. Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. @@ -28,17 +28,40 @@ Be silenT. Do not log start/stop/accept error records. Never look for username authentication. .TP .B -e -External address. IP address of interface proxy should initiate connections -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -h -Default destination. It's used if targed address is not specified by user. +Default destination. It's used if the target address is not specified by the user. .TP .B -p Port. Port proxy listens for incoming connections. Default is 21. @@ -48,7 +71,7 @@ Log. By default logging is to stdout. If .I logfile is specified logging is to file. Under Unix, if .RI \' @ \' -preceeds +precedes .IR logfile , syslog is used for logging. .TP @@ -56,32 +79,31 @@ syslog is used for logging. Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy crashes. .SH CLIENTS -You can use any FTP client, regardless of FTP proxy support. For client with -FTP proxy support configure +You can use any FTP client, regardless of FTP proxy support. For a client with +FTP proxy support, configure .I internal_ip and .IR port -in FTP proxy parameters. -For clients without FTP proxy support use +in the FTP proxy parameters. +For clients without FTP proxy support, use .I internal_ip and .IR port -as FTP server. Address of real FTP server must be configured as a part of -FTP username. Format for username is -.IR username \fB@ server , +as the FTP server. The address of the real FTP server must be configured as a part of +the FTP username. The format for the username is +.IR username @ server , where .I server -is address of FTP server and +is the address of the FTP server and .I username -is user\'s login on this FTP server. Login itself may contain \'@\' sign. +is the user\'s login on this FTP server. The login itself may contain an \'@\' sign. Only cleartext authentication is currently supported. .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), proxy(8), pop3p(8), socks(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/pop3p.8 b/man/pop3p.8 index 338337b..d8d0345 100644 --- a/man/pop3p.8 +++ b/man/pop3p.8 @@ -1,4 +1,4 @@ -.TH pop3p "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH pop3p "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B pop3p \- POP3 proxy gateway service @@ -19,7 +19,7 @@ servers. Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. @@ -28,27 +28,50 @@ Be silenT. Do not log start/stop/accept error records. Never look for username authentication. .TP .B -e -External address. IP address of interface proxy should initiate connections -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -p Port. Port proxy listens for incoming connections. Default is 110. .TP .B -h -Default destination. It's used if targed address is not specified by user. +Default destination. It's used if the target address is not specified by the user. .TP .B -l Log. By default logging is to stdout. If .I logfile is specified logging is to file. Under Unix, if .RI \' @ \' -preceeds +precedes .IR logfile , syslog is used for logging. .TP @@ -56,28 +79,27 @@ syslog is used for logging. Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy crashes. .SH CLIENTS -You can use any MUA (Mail User Agent) with POP3 support. Set client to use +You can use any MUA (Mail User Agent) with POP3 support. Set the client to use .I internal_ip and .IR port -as a POP3 server. Address of real POP3 server must be configured as a part of -POP3 username. Format for username is -.IR username \fB@ server , +as a POP3 server. The address of the real POP3 server must be configured as a part of +the POP3 username. The format for the username is +.IR username @ server , where .I server -is address of POP3 server and +is the address of the POP3 server and .I username -is user\'s login on this POP3 server. Login itself may contain \'@\' sign. +is the user\'s login on this POP3 server. The login itself may contain an \'@\' sign. Only cleartext authentication is supported, because challenge-response -authentication (APOP, CRAM-MD5, etc) requires challenge from server before -we know which server to connect. +authentication (APOP, CRAM-MD5, etc.) requires a challenge from the server before +we know which server to connect to. .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/proxy.8 b/man/proxy.8 index 4ddbf17..d3c4385 100644 --- a/man/proxy.8 +++ b/man/proxy.8 @@ -1,4 +1,4 @@ -.TH proxy "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH proxy "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B proxy \- HTTP proxy gateway service @@ -17,7 +17,7 @@ is HTTP gateway service with HTTPS and FTP over HTTPS support. Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. @@ -26,14 +26,37 @@ Be silenT. Do not log start/stop/accept error records. Never ask for username authentication .TP .B -e -External address. IP address of interface proxy should initiate connections -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/proxy.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -a Anonymous. Hide information about client. @@ -57,22 +80,21 @@ syslog is used for logging. Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy crashes. .SH CLIENTS -You should use client with HTTP proxy support or configure router to redirect -HTTP traffic to proxy (transparent proxy). Configure client to connect to +You should use a client with HTTP proxy support or configure a router to redirect +HTTP traffic to the proxy (transparent proxy). Configure the client to connect to .I internal_ip and .IR port . -HTTPS support allows to use almost any TCP based protocol. If you need to +HTTPS support allows you to use almost any TCP-based protocol. If you need to limit clients, use .BR 3proxy (8) instead. .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/smtpp.8 b/man/smtpp.8 index 6669509..767dce7 100644 --- a/man/smtpp.8 +++ b/man/smtpp.8 @@ -1,4 +1,4 @@ -.TH smtpp "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH smtpp "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B smtpp \- SMTP proxy gateway service @@ -19,7 +19,7 @@ servers. Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. @@ -28,27 +28,50 @@ Be silenT. Do not log start/stop/accept error records. Never look for username authentication. .TP .B -e -External address. IP address of interface proxy should initiate connections -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -p Port. Port proxy listens for incoming connections. Default is 25. .TP .B -h -Default destination. It's used if targed address is not specified by user. +Default destination. It's used if the target address is not specified by the user. .TP .B -l Log. By default logging is to stdout. If .I logfile is specified logging is to file. Under Unix, if .RI \' @ \' -preceeds +precedes .IR logfile , syslog is used for logging. .TP @@ -57,28 +80,27 @@ Increase or decrease stack size. You may want to try something like -S8192 if yo crashes. .SH CLIENTS You can use any MUA (Mail User Agent) with SMTP authentication support. -Set client to use +Set the client to use .I internal_ip and .IR port -as a SMTP server. Address of real SMTP server must be configured as a part of -SMTP username. Format for username is -.IR username \fB@ server , +as an SMTP server. The address of the real SMTP server must be configured as a part of +the SMTP username. The format for the username is +.IR username @ server , where .I server -is address of SMTP server and +is the address of the SMTP server and .I username -is user\'s login on this SMTP server. Login itself may contain \'@\' sign. +is the user\'s login on this SMTP server. The login itself may contain an \'@\' sign. Only cleartext authentication is supported, because challenge-response -authentication (CRAM-MD5, SPA, etc) requires challenge from server before -we know which server to connect. +authentication (CRAM-MD5, SPA, etc.) requires a challenge from the server before +we know which server to connect to. .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/socks.8 b/man/socks.8 index 8a7960c..ec49d53 100644 --- a/man/socks.8 +++ b/man/socks.8 @@ -1,4 +1,4 @@ -.TH socks "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH socks "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B socks \- SOCKS 4/4.5/5 gateway service @@ -19,7 +19,7 @@ outgoing and reverse TCP connections and UDP portmapping. Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. @@ -28,19 +28,50 @@ Be silenT. Do not log start/stop/accept error records. Never ask for username authentication .TP .B -e -External address. IP address of interface proxy should initiate connections +External address. IP address of the interface the proxy should initiate connections from. External IP must be specified if you need incoming connections. -By default system will deside which address to use in accordance -with routing table. +By default, the system will decide which address to use in accordance +with the routing table. .TP -.B -N -External NAT address 3proxy reports to client for BIND and UDPASSOC -By default external address is reported. It's only useful in the case -of IP-IP NAT (will not work for PAT) +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. +.TP +.B -Ne +External NAT address 3proxy reports to client for CONNECT/BIND. +This is external address of NAT between 3proxy and destination server. +By default, the external address is reported. It's only useful in the case +of IP-IP NAT and does not work with port translation. +.TP +.B -Ni +Internal NAT address 3proxy reports to client for UDPASSOC. +This is external address of the NAT between 3proxy and the client, client +uses to connect to 3proxy. +By default, the internal address is reported. It's only useful in the case +of IP-IP NAT and does not work with port translation. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/socks.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -p Port. Port proxy listens for incoming connections. Default is 1080. @@ -58,7 +89,7 @@ syslog is used for logging. Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy crashes. .SH CLIENTS -You should use client with SOCKS support or use some socksification support +You should use a client with SOCKS support or use some socksification support (for example .I SocksCAP or @@ -67,18 +98,17 @@ Configure client to use .I internal_ip and .IR port . -SOCKS allows to use almost any application protocol without limitation. This -implementation also allows to open priviledged port on server (if socks has -sufficient privileges). If you need to control access use +SOCKS allows you to use almost any application protocol without limitation. This +implementation also allows you to open privileged ports on the server (if socks has +sufficient privileges). If you need to control access, use .BR 3proxy (8) instead. .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), proxy(8), ftppr(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/tcppm.8 b/man/tcppm.8 index de65ec5..0145977 100644 --- a/man/tcppm.8 +++ b/man/tcppm.8 @@ -1,4 +1,4 @@ -.TH tcppm "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH tcppm "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B tcppm \- TCP port mapper @@ -17,27 +17,50 @@ forwards connections from local to remote TCP port Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. .TP .B -e -External address. IP address of interface proxy should initiate connections -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts connections to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. .TP .B -l Log. By default logging is to stdout. If .I logfile is specified logging is to file. Under Unix, if .RI \' @ \' -preceeds +precedes .IR logfile , syslog is used for logging. .TP @@ -47,27 +70,34 @@ crashes. .SH ARGUMENTS .TP .I local_port -- port tcppm accepts connection +- port tcppm accepts connections on .TP .I remote_host -- IP address of the host connection is forwarded to +- IP address of the host the connection is forwarded to. Unix domain sockets +can be specified with the syntax +.I unix:/path/to/socket +(e.g., unix:/var/run/app.sock). On Linux, abstract (fileless) Unix sockets +use the syntax +.I unix:@socketname +(e.g., unix:@app.socket). .TP .I remote_port -- remote port connection is forwarded to +- remote port the connection is forwarded to. Ignored when using Unix socket +destination, but must be specified (use any positive value) for syntax +compatibility. .SH CLIENTS -Any TCP based application can be used as a client. Use +Any TCP-based application can be used as a client. Use .I internal_ip and .I local_port -as a destination in client application. Connection is forwarded to +as the destination in the client application. The connection is forwarded to .IR remote_host : remote_port .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/man/tlspr.8 b/man/tlspr.8 new file mode 100644 index 0000000..d9a30c9 --- /dev/null +++ b/man/tlspr.8 @@ -0,0 +1,107 @@ +.TH tlspr "8" "May 2026" "3proxy 0.9" "Universal proxy server" +.SH NAME +.B tlspr +\- SNI proxy gateway service +.SH SYNOPSIS +.BR "tlspr " [ -d ][ -a ] +.IB \fR[ -l \fR[ \fR[ @ \fR] logfile \fR]] +.IB \fR[ -p listening_port\fR] +.IB \fR[ -P destination_port\fR] +.IB \fR[ -c tls_check_level\fR] +.IB \fR[ -i internal_ip\fR] +.IB \fR[ -e external_ip\fR] +.SH DESCRIPTION +.B tlspr +is an SNI gateway service (destination host is taken from TLS handshake). The destination port must be specified via the -P option (or it may be detected with the Transparent plugin). +.SH OPTIONS +.TP +.B -I +Inetd mode. Standalone service only. +.TP +.B -d +Daemonize. Detach service from console and run in the background. +.TP +.B -t +Be silenT. Do not log start/stop/accept error records. +.TP +.B -u +Never ask for username authentication +.TP +.B -e +External address. IP address of the interface the proxy should initiate connections +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. +.TP +.B -i +Internal address. IP address the proxy accepts connections to. +By default, connections to any interface are accepted. It\'s usually unsafe. +Unix domain sockets can be specified with +.I -iunix:/path/to/socket +syntax (e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract sockets use +.I -iunix:@socketname +syntax. +.TP +.B -a +Anonymous. Hide information about client. +.TP +.B -a1 +Anonymous. Show fake information about client. +.TP +.B -p +listening_port. Port proxy listens for incoming connections. Default is 1443. +.TP +.B -P +destination_port. Port to establish outgoing connections. Required unless the Transparent plugin is used, because the TLS handshake does not contain port information. Default is 443. +.TP +.B -c +TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3) +.TP +.B -l +Log. By default logging is to stdout. If +.I logfile +is specified logging is to file. Under Unix, if +.RI \' @ \' +precedes +.IR logfile , +syslog is used for logging. +.TP +.B -S +Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy +crashes. +.SH CLIENTS +You should use a client with TLS support or configure a router to redirect +TLS traffic to the proxy (transparent proxy). Configure the client to connect to +.I internal_ip +and +.IR port . +If you need to limit clients, use +.BR 3proxy (8) +instead. +.SH BUGS +Report all bugs to +.BR 3proxy@3proxy.org +.SH SEE ALSO +3proxy(8), ftppr(8), proxy(8), socks(8), pop3p(8), smtpp(8), tcppm(8), udppm(8), syslogd(8), +.br +https://3proxy.org/ +.SH AUTHORS +3proxy is designed by Vladimir Dubrovin diff --git a/man/udppm.8 b/man/udppm.8 index 9f704c8..03cbed3 100644 --- a/man/udppm.8 +++ b/man/udppm.8 @@ -1,9 +1,9 @@ -.TH udppm "8" "January 2019" "3proxy 0.9" "Universal proxy server" +.TH udppm "8" "May 2026" "3proxy 0.9" "Universal proxy server" .SH NAME .B udppm \- UDP port mapper .SH SYNOPSIS -.BR "pop3p " [ -ds ] +.BR "udppm " [ -ds ] .IB \fR[ -l \fR[ \fR[ @ \fR] logfile \fR]] .IB \fR[ -i internal_ip\fR] .IB \fR[ -e external_ip\fR] @@ -17,35 +17,53 @@ forwards datagrams from local to remote UDP port Inetd mode. Standalone service only. .TP .B -d -Daemonise. Detach service from console and run in the background. +Daemonize. Detach service from console and run in the background. .TP .B -t Be silenT. Do not log start/stop/accept error records. .TP .B -e -External address. IP address of interface proxy should initiate datagrams -from. -By default system will deside which address to use in accordance -with routing table. +External address. IP address of the interface the proxy should initiate datagrams +from. +By default, the system will decide which address to use in accordance +with the routing table. +.TP +.B \-ni\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +before opening the listening socket. The current namespace is saved and restored +immediately after binding, so outgoing connections run in the original namespace +unless +.B \-ne +is also given. +.TP +.B \-ne\fIPATH\fR +(Linux only) Switch to the network namespace identified by +.I PATH +after the listening socket has been bound (and after restoring from +.B \-ni +if applicable). Both options accept any namespace file path +(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) +and require \fBCAP_SYS_ADMIN\fR. .TP .B -i -Internal address. IP address proxy accepts datagrams to. -By default connection to any interface is accepted. It\'s usually unsafe. +Internal address. IP address the proxy accepts datagrams to. +By default, connections to any interface are accepted. It\'s usually unsafe. .TP .B -l Log. By default logging is to stdout. If .I logfile is specified logging is to file. Under Unix, if .RI \' @ \' -preceeds +precedes .IR logfile , syslog is used for logging. .TP .B -s -Single packet. By default only one client can use udppm service, but -if -s is specified only one packet will be forwarded between client and server. -It allows to share service between multiple clients for single packet services -(for example name lookups). +Single packet. By default, only one client can use the udppm service, but +if -s is specified, only one packet will be forwarded between client and server. +This allows the service to be shared between multiple clients for single-packet services +(for example, name lookups). .TP .B -S Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy @@ -53,7 +71,7 @@ crashes. .SH ARGUMENTS .TP .I local_port -- port udppm accepts datagrams +- port udppm accepts datagrams on .TP .I remote_host - IP address of the host datagrams are forwarded to @@ -61,19 +79,18 @@ crashes. .I remote_port - remote port datagrams are forwarded to .SH CLIENTS -Any UDP based application can be used as a client. Use +Any UDP-based application can be used as a client. Use .I internal_ip and .I local_port -as a destination in client application. All datagrams are forwarded to +as the destination in the client application. All datagrams are forwarded to .IR remote_host : remote_port .SH BUGS Report all bugs to -.BR 3proxy@3proxy.ru +.BR 3proxy@3proxy.org .SH SEE ALSO 3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS -3proxy is designed by Vladimir 3APA3A Dubrovin -.RI ( 3proxy@3proxy.ru ) +3proxy is designed by Vladimir Dubrovin diff --git a/rus.3ps b/rus.3ps index c55d3cd..9c91621 100644 --- a/rus.3ps +++ b/rus.3ps @@ -95,7 +95,7 @@ value {\n [end]










    \n 

    
-(c)3APA3A, Владимир Дубровин и 3proxy.ru\n
+(c)3APA3A, Владимир Дубровин и 3proxy.ru\n
 \n
 
 [end]
diff --git a/scripts/3proxy-linux-install.sh b/scripts/3proxy-linux-install.sh
deleted file mode 100644
index d352852..0000000
--- a/scripts/3proxy-linux-install.sh
+++ /dev/null
@@ -1,985 +0,0 @@
-#!/bin/bash
-# 3proxy build and install script for Debian Linux 
-# Release 2.0 at 29.12.2016
-# (с) Evgeniy Solovyev 
-# mail-to: eugen-soloviov@yandex.ru
-
-ScriptPath=""
-Src3proxyDirPath=""
-ScriptName=""
-ScriptFullName=""
-SourceRoot=""
-
-ResourcesData=""
-
-
-ProxyVersion=""
-LasestProxyVersion=""
-LasestProxyVersionLink=""
-UseSudo=0
-PacketFiles=""
-NeedSourceUpdate=0
-
-
-main()
-{
-	local msgNewVersion
-	local msgInsertYorN
-	
-	VarsInit
-	LoadResources
-	CheckRunConditions
-	
-	if [ $UseSudo == 1 ]
-	then
-		sudo bash "${0}"
-		exit $?
-	fi
-	
-	CheckLocation
-	GetLasestVersionInfo
-	
-	SourceDownloadOrUpdate
-	
-	cd "${SourceRoot}"
-	
-	Build3Proxy
-	BinInstall
-	ManInstall
-	CreateLogDir
-	CopyConfig
-	SetInit
-	Pack3proxyFiles
-}
-
-VarsInit()
-{
-	cd `dirname $0`
-	ScriptPath="${PWD}"
-	ScriptName=`basename $0`
-	ScriptFullName="${ScriptPath}/${ScriptName}"
-}
-
-CheckLocation()
-{
-	Src3proxyDirPath="${ScriptPath}"
-	
-	if echo ${ScriptPath} | grep -e "/scripts$"
-	then
-		if [ -e "../src/version.h" ]
-		then
-			ProxyVersion=`cat "../src/version.h" | awk '/VERSION/ { gsub("\"", "\n"); print; exit }' | grep "3proxy"`
-			cd ../
-			SourceRoot="${PWD}"
-			cd ../
-			Src3proxyDirPath="${PWD}"
-			cd "${ScriptPath}"
-		fi
-	fi
-}
-
-GetLasestVersionInfo()
-{
-	local Githublink
-	local msg
-	
-	Githublink=`wget https://github.com/z3APA3A/3proxy/releases/latest -O /dev/stdout |
-	awk '/ "${ConfigDir}/3proxy.cfg"
-
-	PacketFiles=`echo -e "${PacketFiles}\n${ConfigDir}/3proxy.cfg"`
-}
-
-
-SetInit()
-{
-	LoadGlobalResource "InitScript" > "/etc/init.d/3proxy"
-	chown root:root "/etc/init.d/3proxy"
-	chmod 755 "/etc/init.d/3proxy"
-	
-	PacketFiles=`echo -e "${PacketFiles}\n/etc/init.d/3proxy"`
-	update-rc.d 3proxy defaults
-}
-
-Pack3proxyFiles()
-{
-	local CPU_Arc
-	CPU_Arc=`uname -m`
-	cd ../
-	tar -czPpvf "${ProxyVersion}-${CPU_Arc}.tar.gz" $PacketFiles
-}
-
-LoadResources()
-{
-	local StartRow
-	local EndRow
-	local LngLabel
-	local msgResourceErr="\aError! Script could not find resources!"
-	
-	if env | grep -q 'LANG=ru_RU.UTF-8' 
-	then
-		LngLabel="RU"
-#LngLabel="EN"
-	else
-		LngLabel="EN"
-	fi
-	
-	StartRow=`cat "${ScriptFullName}" | awk "/^#Resources_${LngLabel}/ { print NR; exit}"`
-	
-	if [ -z "${StartRow}" ]
-	then
-		echo -e "${msgResourceErr}"
-		exit 255
-	fi
-	
-	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#Resources_${LngLabel}_end/ { print NR; exit}"`
-	
-	if [ -z "${EndRow}" ]
-	then
-		echo -e "${msgResourceErr}"
-		exit 255
-	fi
-	
-	ResourcesData=`cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'`
-}
-
-
-# $1 - Name of Resource
-GetResource()
-{
-	local StartRow
-	local EndRow
-	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
-	
-	StartRow=`echo "${ResourcesData}" | awk "/^#Resource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${StartRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	EndRow=`echo "${ResourcesData}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${EndRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	echo "${ResourcesData}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
-}
-
-
-# $1 - Name of Resource
-LoadGlobalResource()
-{
-	local StartRow
-	local EndRow
-	local LngLabel
-	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
-	
-	
-	StartRow=`cat "${ScriptFullName}" | awk "/^#Resource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${StartRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${EndRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
-}
-
-
-CheckPacketInstall()
-{
-	if [ `dpkg -l ${1} 2>&1 | wc -l` -le 1 ]  
-	then
-		echo 0
-		return
-	fi
-	if [ `dpkg -l ${1} | grep -e ^un | wc -l` == 1 ]
-	then
-		echo 0
-		return
-	fi
-	
-	echo 1
-}
-
-main
-exit 0
-
-#Resources_EN
-
-#Resource=msgSudoNotInstalled
-\aThe script is running under the account a non-privileged user.
-"Sudo" package is not installed in the system.
-The script can not continue, as the execution of operations,
-requiring rights "root" - is not possible!
-Please run the script under the account "root",
-or install and configure "sudo" package!
-#endResource=msgSudoNotInstalled
-
-#Resource=msgUserNotMemberOfSudoGroup
-\aThe script is running under account a non-privileged user.
-The account of the current user is not included in the "sudo" group!
-The script can not continue, as the execution of operations,
-requiring rights "root" - is not possible!
-Please run the script under the account "root",
-or configure "sudo" package!
-#endResource=msgUserNotMemberOfSudoGroup
-
-#Resource=msgSystemUseProxy
-\aAttention! The operating system uses proxy-server.
-For correctly work of package manager "apt" 
-in the file "/etc/sudoers" should be present line:
-Defaults env_keep = "http_proxy https_proxy"
-#endResource=msgSystemUseProxy
-
-#Resource=msgDoYouWishContinue
-Do you wish to the script continued executing? (y/n):
-#endResource=msgDoYouWishContinue
-
-#Resource=msgPleaseInsertYorN
-\a\nPlease insert "y" or "n"!
-#endResource=msgPleaseInsertYorN
-
-#Resource=msgInternetConnectionError
-\aError downloading "https://github.com/z3APA3A/3proxy/releases/latest"!
-Please check the settings of the Internet connection.
-#endResource=msgInternetConnectionError
-
-#Resource=msgNewVersion
-The new version of "3proxy" detected, do you want download it?
-#endResource=msgNewVersion
-
-#Resource=msgBuildEssentialNotInstalled
-\aPackage "build-essential" was not installed.
-The installation can not be continued!
-#endResource=msgBuildEssentialNotInstalled
-
-#Resources_EN_end
-
-#Resources_RU
-
-#Resource=msgSudoNotInstalled
-\aСкрипт запущен под учётной записью обычного пользователя.
-В системе не установлен пакет "sudo".
-Скрипт не может продолжить работу, так как выполнение операций,
-требующих прав "root" - не представляется возможным!
-Пожалуйста, запустите скрипт под учётной записью "root", 
-либо установите и настройте пакет "sudo"!
-#endResource=msgSudoNotInstalled
-
-#Resource=msgUserNotMemberOfSudoGroup
-\aСкрипт запущен под учётной записью обычного пользователя.
-Учётная запись текущего пользователя не включена в группу "sudo"!
-Скрипт не может продолжить работу, так как выполнение операций,
-требующих прав "root" - не представляется возможным!
-Пожалуйста, запустите скрипт под учётной записью "root", 
-либо настройте пакет "sudo"!
-#endResource=msgUserNotMemberOfSudoGroup
-
-#Resource=msgSystemUseProxy
-\aВнимание! В системе используется прокси-сервер.
-Чтобы менеджер пакетов "apt" работал корректно,
-в файле "/etc/sudoers" должна присутствовать строка:
-Defaults env_keep = "http_proxy https_proxy"
-#endResource=msgSystemUseProxy
-
-#Resource=msgDoYouWishContinue
-Хотите чтобы скрипт дальше продолжил работу? (y/n):
-#endResource=msgDoYouWishContinue
-
-#Resource=msgPleaseInsertYorN
-\a\nПожалуйста введите "y" или "n"!
-#endResource=msgPleaseInsertYorN
-
-#Resource=msgInternetConnectionError
-\aОшибка закачки "https://github.com/z3APA3A/3proxy/releases/latest"!
-Пожалуйста, проверьте настройки интернет соединения.
-#endResource=msgInternetConnectionError
-
-#Resource=msgNewVersion
-Обнаружена новая версия "3proxy", скачать её (y/n)?
-#endResource=msgNewVersion
-
-#Resource=msgBuildEssentialNotInstalled
-\aПакет "build-essential" не был установлен.
-Дальнейшая установка не может быть продолжена!
-#endResource=msgBuildEssentialNotInstalled
-
-#Resources_RU_end
-
-
-#Resource=ConfigFile
-noconfig
-# If in this file have line "noconfig", then 3proxy not to be runned!
-# For usung this configuration file 3proxy you must to delete 
-# or comment out the line with "noconfig".
-
-daemon
-# Parameter "daemon" - means run 3proxy as daemon
-
-
-pidfile /tmp/3proxy.pid
-# PID file location 
-# This parameter must have the same value as 
-# the variable "PidFile" in  the script "/etc/init.d/3proxy"
-
-
-# Configuration file location
-config /etc/3proxy/3proxy.cfg
-
-
-internal 127.0.0.1
-# Internal is address of interface proxy will listen for incoming requests
-# 127.0.0.1 means only localhost will be able to use this proxy. This is
-# address you should specify for clients as proxy IP.
-# You MAY use 0.0.0.0 but you shouldn't, because it's a chance for you to
-# have open proxy in your network in this case.
-
-external 192.168.0.1
-# External is address 3proxy uses for outgoing connections. 0.0.0.0 means any
-# interface. Using 0.0.0.0 is not good because it allows to connect to 127.0.0.1
-
-
-# DNS IP addresses
-nserver 8.8.8.8
-nserver 8.8.4.4
-
-
-# DNS cache size
-nscache 65536
-
-# Timeouts settings
-timeouts 1 5 30 60 180 1800 15 60
-
-
-# log file location
-log /var/log/3proxy/3proxy.log D
-
-# log file format
-logformat "L%C - %U [%d-%o-%Y %H:%M:%S %z] ""%T"" %E %I %O %N/%R:%r"
-
-archiver gz /usr/bin/gzip %F
-# If archiver specified log file will be compressed after closing.
-# you should specify extension, path to archiver and command line, %A will be
-# substituted with archive file name, %f - with original file name.
-# Original file will not be removed, so archiver should care about it.
-
-rotate 30
-# We will keep last 30 log files
-
-proxy -p3128
-# Run http/https proxy on port 3128
-
-auth none
-# No authentication is requires
-
-setgid 65534
-setuid 65534
-# Run 3proxy under account "nobody" with group "nobody"
-#endResource=ConfigFile
-
-
-#Resource=InitScript
-#!/bin/sh
-#
-# 3proxy daemon control script
-#
-### BEGIN INIT INFO
-# Provides:          3proxy
-# Required-Start:    $network $remote_fs $syslog
-# Required-Stop:     $network $remote_fs $syslog
-# Should-Start:      $named
-# Should-Stop:       $named
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: 3proxy HTTP Proxy
-### END INIT INFO
-
-
-ScriptName="3proxy"
-ScriptFullName="/etc/init.d/3proxy"
-
-ConfigFile="/etc/3proxy/3proxy.cfg"
-LogDir="/var/log/3proxy"
-PidFile="/tmp/3proxy.pid"
-
-ResourcesData=""
-
-main()
-{
-	LoadResources
-	
-	if [ ! -d "${LogDir}" ]
-	then
-		mkdir -p "${LogDir}";
-	fi
-	
-	case "$1" in
-		start)		Start ;;
-		stop)		Stop ;;
-		restart)	Stop; Start ;;
-		status)		Status ;;
-		*)			ShowHelp;;
-	esac
-}
-
-Start()
-{
-	local msg
-	local ProxyPID
-	
-	if [ ! -f "${ConfigFile}" ]
-	then
-		msg=`GetResource "msgConfigFileNotFound"`
-		printf "${msg}" "${ConfigFile}"
-		return
-	fi
-	
-	if cat "${ConfigFile}" | grep -qe "^noconfig"
-	then
-		msg=`GetResource "msgNoconfigDetected"`
-		printf "${msg}" "${ConfigFile}"
-		return
-	fi
-	
-	ProxyPID=`Get3proxyPID`
-	
-	if [ ! -z "${ProxyPID}" ]
-	then
-		msg=`GetResource "msg3proxyAlreadyRunning"`
-		printf "${msg}" "${ProxyPID}"
-		return
-	fi
-	
-	3proxy "${ConfigFile}"
-	sleep 1
-	
-	ProxyPID=`Get3proxyPID`
-	
-	if [ ! -f "${PidFile}" ] 
-	then
-		msg=`GetResource "msg3proxyStartProblems"`
-		printf "${msg}"
-		return
-	fi
-	
-	if [ `cat "${PidFile}"` != "${ProxyPID}" ]
-	then
-		msg=`GetResource "msg3proxyStartProblems"`
-		printf "${msg}"
-		return
-	fi
-	
-	msg=`GetResource "msg3proxyStartedSuccessfully"`
-	printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S` "${ProxyPID}"
-
-}
-
-Stop()
-{
-	local msg
-	local ProxyPID
-	
-	ProxyPID=`Get3proxyPID`
-	
-	if [ -f "${PidFile}" ] 
-	then
-		if [ `cat "${PidFile}"` = "${ProxyPID}" ]
-		then
-			kill -9 "${ProxyPID}"
-			rm -f "${PidFile}"
-			
-			msg=`GetResource "msg3proxyStoppedSuccessfully"`
-			printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S`
-			
-			return
-		fi
-	fi
-	
-	if [ -z "${ProxyPID}" ]
-	then
-		msg=`GetResource "msg3proxyProxyNotDetected"`
-		printf "${msg}"
-		
-		return
-	fi
-	
-	pkill -o 3proxy
-	
-	msg=`GetResource "msg3proxyStoppedByKillall"`
-	printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S` "${PidFile}"
-	
-}
-
-Status()
-{
-	local msg
-	local ProxyPID
-	
-	if [ -f "${PidFile}" ] 
-	then
-		msg=`GetResource "msgPidFileExists"`
-		printf "${msg}" "${PidFile}" `cat "${PidFile}"`
-	else
-		msg=`GetResource "msgPidFileNotExists"`
-		printf "${msg}" "${PidFile}"
-	fi
-	
-	ProxyPID=`Get3proxyPID`
-	
-	if [ ! -z  "${ProxyPID}" ]
-	then
-		msg=`GetResource "msg3proxyProcessDetected"`
-		printf "${msg}"
-		ps -ef | awk '$8 ~ /^3proxy/ { print "User: " $1 "\tPID: " $2 }'
-	else
-		msg=`GetResource "msg3proxyProcessNotDetected"`
-		printf "${msg}"
-	fi
-}
-
-ShowHelp()
-{
-	local msg
-	
-	msg=`GetResource "msg3proxyHelp"`
-	printf "${msg}" "${ScriptFullName}" "${ScriptName}"
-}
-
-Get3proxyPID()
-{
-	ps -ef | awk '$8 ~ /^3proxy/ { print $2; exit }'
-}
-
-LoadResources()
-{
-	local StartRow
-	local EndRow
-	local LngLabel
-	local msgResourceErr="\aError! Script could not find resources!"
-	
-	if env | grep -q 'LANG=ru_RU.UTF-8' 
-	then
-		LngLabel="RU"
-	else
-		LngLabel="EN"
-	fi
-	
-	StartRow=`cat "${ScriptFullName}" | awk "/^#Resources_${LngLabel}/ { print NR; exit}"`
-	
-	if [ -z "${StartRow}" ]
-	then
-		echo -e "${msgResourceErr}"
-		exit 255
-	fi
-	
-	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#Resources_${LngLabel}_end/ { print NR; exit}"`
-	
-	if [ -z "${EndRow}" ]
-	then
-		echo -e "${msgResourceErr}"
-		exit 255
-	fi
-	
-	ResourcesData=`cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'`
-}
-
-# $1 - Name of Resource
-GetResource()
-{
-	local StartRow
-	local EndRow
-	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
-	
-	StartRow=`echo "${ResourcesData}" | awk "/^#Resource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${StartRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	EndRow=`echo "${ResourcesData}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
-	
-	if [ -z "${EndRow}" ]
-	then
-		echo -e "${msgResourceErr}" > /dev/stderr
-		exit 255
-	fi
-	
-	echo "${ResourcesData}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
-}
-
-
-main $@
-exit 0;
-
-#Resources_EN
-
-#Resource=msg3proxyHelp
-Usage:
-\t%s {start|stop|restart}
-or
-\tservice %s {start|stop|restart|status}\\n
-#endResource=msg3proxyHelp
-
-#Resource=msgConfigFileNotFound
-\a3proxy configuration file - "%s" is not found!\\n
-#endResource=msgConfigFileNotFound
-
-#Resource=msgNoconfigDetected
-Parameter "noconfig" found in 3proxy configuration file -
-"% s" !
-To run 3proxy this parameter should be disabled.\\n
-#endResource=msgNoconfigDetected
-
-#Resource=msg3proxyAlreadyRunning
-\a3proxy already running PID: %s\\n
-#endResource=msg3proxyAlreadyRunning
-
-#Resource=msg3proxyStartProblems
-With the start of 3proxy, something is wrong! 
-Use: service 3proxy status\\n
-#endResource=msg3proxyStartProblems
-
-#Resource=msg3proxyStartedSuccessfully
-[ %s %s ] 3proxy started successfully! PID: %s\\n
-#endResource=msg3proxyStartedSuccessfully
-
-#Resource=msg3proxyStoppedSuccessfully
-[ %s %s ] 3proxy stopped successfully!\\n
-#endResource=msg3proxyStoppedSuccessfully
-
-#Resource=msg3proxyProxyNotDetected
-Process "3proxy" is not detected!\\n
-#endResource=msg3proxyProxyNotDetected
-
-#Resource=msg3proxyStoppedByKillall
-[ %s %s ] Command "pkill -o 3proxy" was executed,
-because process number was not stored in "%s",
-but in fact 3proxy was runned!\\n
-#endResource=msg3proxyStoppedByKillall
-
-#Resource=msgPidFileExists
-File "%s" exists. It contains the PID: %s\\n
-#endResource=msgPidFileExists
-
-#Resource=msgPidFileNotExists
-File "%s" not found, that is, PID 3proxy was not stored!\\n
-#endResource=msgPidFileNotExists
-
-#Resource=msg3proxyProcessDetected
-Process 3proxy detected:\\n
-#endResource=msg3proxyProcessDetected
-
-#Resource=msg3proxyProcessNotDetected
-Processes of 3proxy is not found!\\n
-#endResource=msg3proxyProcessNotDetected
-
-#Resources_EN_end
-
-
-#Resources_RU
-
-#Resource=msg3proxyHelp
-Используйте:
-\t%s {start|stop|restart}
-или
-\tservice %s {start|stop|restart|status}\\n
-#endResource=msg3proxyHelp
-
-#Resource=msgConfigFileNotFound
-\aФайл конфигурации 3proxy - "%s", не найден!\\n
-#endResource=msgConfigFileNotFound
-
-#Resource=msgNoconfigDetected
-\aОбнаружен параметр "noconfig" в файле конфигурации 3proxy -
-"%s" !
-Для запуска 3proxy этот параметр нужно отключить.\\n
-#endResource=msgNoconfigDetected
-
-#Resource=msg3proxyAlreadyRunning
-\a3proxy уже запущен PID: %s\\n
-#endResource=msg3proxyAlreadyRunning
-
-#Resource=msg3proxyStartProblems
-\aСо стартом 3proxy, что-то не так!
-Используйте: service 3proxy status\\n
-#endResource=msg3proxyStartProblems
-
-#Resource=msg3proxyStartedSuccessfully
-[ %s %s ] 3proxy успешно стартовал! PID: %s\\n
-#endResource=msg3proxyStartedSuccessfully
-
-#Resource=msg3proxyStoppedSuccessfully
-[ %s %s ] 3proxy успешно остановлен!\\n
-#endResource=msg3proxyStoppedSuccessfully
-
-#Resource=msg3proxyProxyNotDetected
-Процесс "3proxy" не обнаружен!\\n
-#endResource=msg3proxyProxyNotDetected
-
-#Resource=msg3proxyStoppedByKillall
-[ %s %s ] Выполнена команда "pkill -o 3proxy",
-т.к. номер процесса не записан в "%s",
-но по факту 3proxy рабатал!\\n
-#endResource=msg3proxyStoppedByKillall
-
-#Resource=msgPidFileExists
-Файл "%s" есть. Он содержит PID: %s\\n
-#endResource=msgPidFileExists
-
-#Resource=msgPidFileNotExists
-Файл "%s" не найден, т.е. PID 3proxy не был сохранён!\\n
-#endResource=msgPidFileNotExists
-
-#Resource=msg3proxyProcessDetected
-Обнаружен процесс 3proxy:\\n
-#endResource=msg3proxyProcessDetected
-
-#Resource=msg3proxyProcessNotDetected
-Процессов 3proxy не обнаружено!\\n
-#endResource=msg3proxyProcessNotDetected
-
-#Resources_RU_end
-#endResource=InitScript
diff --git a/scripts/3proxy.cfg b/scripts/3proxy.cfg
index 30b4024..660467b 100644
--- a/scripts/3proxy.cfg
+++ b/scripts/3proxy.cfg
@@ -1,25 +1,4 @@
-nscache 65536
-nserver 8.8.8.8
-nserver 8.8.4.4
+#!/usr/local/bin/3proxy
 
-config /conf/3proxy.cfg
-monitor /conf/3proxy.cfg
-
-log /logs/3proxy-%y%m%d.log D
-rotate 60
-counter /count/3proxy.3cf
-
-users $/conf/passwd
-
-include /conf/counters
-include /conf/bandlimiters
-
-auth strong
-deny * * 127.0.0.1
-allow *
-proxy -n
-socks
-flush
-allow admin
-
-admin -p8080
+#use standard syslog logging
+log @3proxy
diff --git a/scripts/3proxy.cfg.chroot b/scripts/3proxy.cfg.chroot
index ea50682..805a7ba 100644
--- a/scripts/3proxy.cfg.chroot
+++ b/scripts/3proxy.cfg.chroot
@@ -1,5 +1,4 @@
 #!/bin/3proxy
 #daemon
-pidfile /var/run/3proxy/3proxy.pid
 chroot /usr/local/3proxy proxy proxy
 include /conf/3proxy.cfg
diff --git a/scripts/3proxy.cfg.inchroot b/scripts/3proxy.cfg.inchroot
new file mode 100644
index 0000000..30b4024
--- /dev/null
+++ b/scripts/3proxy.cfg.inchroot
@@ -0,0 +1,25 @@
+nscache 65536
+nserver 8.8.8.8
+nserver 8.8.4.4
+
+config /conf/3proxy.cfg
+monitor /conf/3proxy.cfg
+
+log /logs/3proxy-%y%m%d.log D
+rotate 60
+counter /count/3proxy.3cf
+
+users $/conf/passwd
+
+include /conf/counters
+include /conf/bandlimiters
+
+auth strong
+deny * * 127.0.0.1
+allow *
+proxy -n
+socks
+flush
+allow admin
+
+admin -p8080
diff --git a/scripts/3proxy.service b/scripts/3proxy.service
index a31d0fd..cdb3af2 100644
--- a/scripts/3proxy.service
+++ b/scripts/3proxy.service
@@ -12,6 +12,7 @@ Restart=on-failure
 RestartSec=60s
 LimitNOFILE=65536
 LimitNPROC=32768
+RuntimeDirectory=3proxy
 
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/3proxy.service.in b/scripts/3proxy.service.in
new file mode 100644
index 0000000..917e088
--- /dev/null
+++ b/scripts/3proxy.service.in
@@ -0,0 +1,23 @@
+[Unit]
+Description=3proxy tiny proxy server
+Documentation=man:3proxy(1)
+After=network.target
+
+[Service]
+Type=simple
+User=proxy
+Group=proxy
+Environment=CONFIGFILE=/etc/3proxy/3proxy.cfg
+ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/3proxy ${CONFIGFILE}
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=60s
+LimitNOFILE=65536
+LimitNPROC=32768
+RuntimeDirectory=3proxy
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=3proxy.service
diff --git a/scripts/3proxy.tmpfiles.in b/scripts/3proxy.tmpfiles.in
new file mode 100644
index 0000000..a021fc3
--- /dev/null
+++ b/scripts/3proxy.tmpfiles.in
@@ -0,0 +1,3 @@
+# tmpfiles.d configuration for 3proxy
+# This creates the runtime directory for 3proxy
+d /run/3proxy 0755 proxy proxy -
diff --git a/scripts/add3proxyuser.sh b/scripts/add3proxyuser.sh
index 8f6b5d5..131873f 100644
--- a/scripts/add3proxyuser.sh
+++ b/scripts/add3proxyuser.sh
@@ -6,10 +6,10 @@ if [ $3 ]; then
 	echo countin \"`wc -l /etc/3proxy/conf/counters|awk '{print $1}'`/$1\" D $3 $1 >> /etc/3proxy/conf/counters
 fi
 if [ $2 ]; then  
-	echo $1:`/bin/mycrypt $$ $2` >> /etc/3proxy/conf/passwd
+	echo $1:`/bin/3proxy_crypt $$ $2` >> /etc/3proxy/conf/passwd
 else
 	echo usage: $0 username password [day_limit] [bandwidth]
 	echo "	"day_limit - traffic limit in MB per day
-	echo "	"bandwidth - bandwith in bits per second 1048576 = 1Mbps
+	echo "	"bandwidth - bandwidth in bits per second 1048576 = 1Mbps
 fi
 
diff --git a/scripts/debian/3proxy.manpages b/scripts/debian/3proxy.manpages
deleted file mode 100644
index 13e77e1..0000000
--- a/scripts/debian/3proxy.manpages
+++ /dev/null
@@ -1,9 +0,0 @@
-man/3proxy.8
-man/3proxy.cfg.3
-man/ftppr.8
-man/pop3p.8
-man/proxy.8
-man/smtpp.8
-man/socks.8
-man/tcppm.8
-man/udppm.8
\ No newline at end of file
diff --git a/scripts/debian/changelog b/scripts/debian/changelog
deleted file mode 100644
index a17b770..0000000
--- a/scripts/debian/changelog
+++ /dev/null
@@ -1,12 +0,0 @@
-3proxy (0.9.3-1) buster; urgency=medium
-
-  *3proxy 0.9.3 initial build
-
- -- z3APA3A <3apa3a@3proxy.org>  Thu, 03 Dec 2020 21:13:58 +0300
-
-3proxy (0.9.2-1) buster; urgency=medium
-
-  *3proxy 0.9.2 initial build
-
- -- z3APA3A <3apa3a@3proxy.org>  Thu, 19 Nov 2020 19:19:19 +0300
-
diff --git a/scripts/debian/compat b/scripts/debian/compat
deleted file mode 100644
index f11c82a..0000000
--- a/scripts/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
\ No newline at end of file
diff --git a/scripts/debian/conffiles b/scripts/debian/conffiles
deleted file mode 100644
index 5511217..0000000
--- a/scripts/debian/conffiles
+++ /dev/null
@@ -1,4 +0,0 @@
-/usr/local/3proxy/conf/3proxy.cfg
-/usr/local/3proxy/conf/add3proxyuser.sh
-/usr/local/3proxy/conf/bandlimiters
-/usr/local/3proxy/conf/counters
diff --git a/scripts/debian/control b/scripts/debian/control
deleted file mode 100644
index 30ec490..0000000
--- a/scripts/debian/control
+++ /dev/null
@@ -1,18 +0,0 @@
-Source: 3proxy
-Maintainer: z3APA3A <3apa3a@3proxy.org>
-Section: net
-Priority: optional
-Standards-Version: 4.0.0
-Build-Depends: debhelper (>=10)
-Homepage: https://3proxy.org/
-Vcs-Git: https://github.com/z3APA3A/3proxy
-Vcs-Browser: https://github.com/z3APA3A/3proxy
-
-Package: 3proxy
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: tiny free proxy server
- 3Proxy tiny free proxy server is really tiny freeware proxy servers set. 
- It includes HTTP proxy with HTTPS and FTP support, SOCKSv4/SOCKSv4.5/SOCKSv5 proxy (socks/socks.exe), POP3 proxy, SMTP proxy, FTP proxy, caching DNS proxy, TCP and UDP portmappers.
- You can use every proxy as a standalone program (socks, proxy, tcppm, udppm, pop3p) or use combined program (3proxy). Combined proxy additionally supports features like access control, bandwidth limiting, limiting daily/weekly/monthly traffic amount, proxy chaining, log rotation, syslog and ODBC logging, etc.
- It's created to be small, simple and yet very functional. 
\ No newline at end of file
diff --git a/scripts/debian/copyright b/scripts/debian/copyright
deleted file mode 100644
index f6f657a..0000000
--- a/scripts/debian/copyright
+++ /dev/null
@@ -1,20 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: 3proxy
-Upstream-Contact: 3proxy@3proxy.org
-Source: https://3proxy.org/
-
-Files: *
-Copyright: 2000-2020 3APA3A, Vladimir Dubrovin, 3proxy.org
-License: BSD-3-clause or Apache or GPL-2+ or LGPL-2+
-
-Files: src/libs/md*.*
-Copyright: 1990,1991,1992  RSA Data Security, Inc
-License: public-domain
-
-Files: src/libs/regex.*
-Copyright: Henry Spencer
-License: public-domain
-
-Files: src/libs/smbdes.c
-Copyright: Andrew Tridgell 1998
-License: GPL-2+
diff --git a/scripts/debian/postinst b/scripts/debian/postinst
deleted file mode 100644
index dbdbe4b..0000000
--- a/scripts/debian/postinst
+++ /dev/null
@@ -1,43 +0,0 @@
-if [ ! -f /usr/local/3proxy/conf/passwd ]; then \
- touch /usr/local/3proxy/conf/passwd;\
-fi
-chown -R proxy:proxy /usr/local/3proxy
-chmod 550  /usr/local/3proxy/
-chmod 550  /usr/local/3proxy/conf/
-chmod 440  /usr/local/3proxy/conf/*
-if /bin/systemctl >/dev/null 2>&1; then \
- /usr/sbin/update-rc.d 3proxy disable || true; \
- /usr/sbin/chkconfig 3proxy off || true; \
- /bin/systemctl enable 3proxy.service; \
-elif [ -x /usr/sbin/update-rc.d ]; then \
- /usr/sbin/update-rc.d 3proxy defaults; \
- /usr/sbin/update-rc.d 3proxy enable; \
-elif [ -x /usr/sbin/chkconfig ]; then \
- /usr/sbin/chkconfig 3proxy on; \
-fi
-
-echo ""
-echo 3proxy installed.
-if /bin/systemctl >/dev/null 2>&1; then \
- /bin/systemctl stop 3proxy.service \
- /bin/systemctl start 3proxy.service \
- echo use ;\
- echo "  "systemctl start 3proxy.service ;\
- echo to start proxy ;\
- echo "  "systemctl stop 3proxy.service ;\
- echo to stop proxy ;\
-elif [ -x /usr/sbin/service ]; then \
- /usr/sbin/service 3proxy stop  || true;\
- /usr/sbin/service 3proxy start  || true;\
- echo "  "service 3proxy start ;\
- echo to start proxy ;\
- echo "  "service 3proxy stop ;\
- echo to stop proxy ;\
-fi
-echo "  "/usr/local/3proxy/conf/add3proxyuser.sh
-echo to add users
-echo ""
-echo Default config uses Google\'s DNS.
-echo It\'s recommended to use provider supplied DNS or install local recursor, e.g. pdns-recursor.
-echo Configure preferred DNS in /usr/local/3proxy/conf/3proxy.cfg.
-echo run \'/usr/local/3proxy/conf/add3proxyuser.sh admin password\' to configure \'admin\' user
diff --git a/scripts/debian/preinst b/scripts/debian/preinst
deleted file mode 100644
index f000a2e..0000000
--- a/scripts/debian/preinst
+++ /dev/null
@@ -1,4 +0,0 @@
-if [ -x /usr/sbin/useradd ]; then \
- /usr/bin/getent group proxy >/dev/null || (/usr/sbin/groupadd -f -r proxy || true); \
- /usr/bin/getent passwd proxy >/dev/null || (/usr/sbin/useradd -Mr -s /bin/false -g proxy -c 3proxy proxy || true); \
-fi
diff --git a/scripts/debian/rules b/scripts/debian/rules
deleted file mode 100644
index dc57dd0..0000000
--- a/scripts/debian/rules
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/make -f
-
-%:
-	dh $@
-
-override_dh_auto_build:
-	ln -s Makefile.Linux Makefile || true
-	dh_auto_build
-
-override_dh_auto_clean:
-	find src/ -type f -name "*.o" -delete
-	find src/ -type f -name "Makefile.var" -delete
-	find bin/ -type f -executable -delete
-	rm -f Makefile
-
-override_dh_usrlocal:
diff --git a/scripts/debian/source/format b/scripts/debian/source/format
deleted file mode 100644
index 163aaf8..0000000
--- a/scripts/debian/source/format
+++ /dev/null
@@ -1 +0,0 @@
-3.0 (quilt)
diff --git a/scripts/init.d/3proxy.in b/scripts/init.d/3proxy.in
new file mode 100644
index 0000000..494ec08
--- /dev/null
+++ b/scripts/init.d/3proxy.in
@@ -0,0 +1,109 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          3proxy
+# Required-Start:    $network $local_fs
+# Required-Stop:     $network $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop 3proxy
+# Description:       Start/stop 3proxy, tiny proxy server
+### END INIT INFO
+# chkconfig: 2345 20 80
+# description: 3proxy tiny proxy server
+
+DAEMON=@CMAKE_INSTALL_FULL_BINDIR@/3proxy
+CONFIGFILE=/etc/3proxy/3proxy.cfg
+PIDFILE=/var/run/3proxy/3proxy.pid
+USER=proxy
+GROUP=proxy
+
+# Source function library if available
+if [ -f /etc/init.d/functions ]; then
+    . /etc/init.d/functions
+fi
+
+case "$1" in
+   start)
+       echo -n "Starting 3Proxy: "
+
+       if [ ! -d /var/run/3proxy ]; then
+           mkdir -p /var/run/3proxy
+           chown $USER:$GROUP /var/run/3proxy 2>/dev/null || true
+       fi
+
+       if command -v start-stop-daemon >/dev/null 2>&1; then
+           # Debian/Ubuntu style
+           start-stop-daemon --start --quiet --pidfile $PIDFILE \
+               --chuid $USER:$GROUP --exec $DAEMON -- $CONFIGFILE
+       elif [ -f /etc/init.d/functions ]; then
+           # RedHat/CentOS style
+           daemon --user=$USER $DAEMON $CONFIGFILE
+       else
+           # Fallback
+           su -s /bin/sh $USER -c "$DAEMON $CONFIGFILE"
+       fi
+
+       RETVAL=$?
+       echo
+       [ $RETVAL = 0 ] && touch /var/lock/subsys/3proxy
+       ;;
+
+   stop)
+       echo -n "Stopping 3Proxy: "
+
+       if command -v start-stop-daemon >/dev/null 2>&1; then
+           # Debian/Ubuntu style
+           start-stop-daemon --stop --quiet --pidfile $PIDFILE
+       elif [ -f /etc/init.d/functions ]; then
+           # RedHat/CentOS style
+           killproc -p $PIDFILE $DAEMON
+       else
+           # Fallback
+           if [ -f $PIDFILE ]; then
+               kill `cat $PIDFILE` 2>/dev/null
+           else
+               killall 3proxy 2>/dev/null
+           fi
+       fi
+
+       RETVAL=$?
+       echo
+       [ $RETVAL = 0 ] && rm -f /var/lock/subsys/3proxy
+       ;;
+
+   restart|reload)
+       echo -n "Reloading 3Proxy: "
+       if [ -f $PIDFILE ]; then
+           kill -s USR1 `cat $PIDFILE` 2>/dev/null
+           RETVAL=$?
+       else
+           echo "PID file not found, cannot reload"
+           RETVAL=1
+       fi
+       echo
+       ;;
+
+   status)
+       if command -v status >/dev/null 2>&1; then
+           status -p $PIDFILE $DAEMON
+       elif [ -f $PIDFILE ]; then
+           if kill -0 `cat $PIDFILE` 2>/dev/null; then
+               echo "3proxy is running (pid `cat $PIDFILE`)"
+               RETVAL=0
+           else
+               echo "3proxy is dead but pid file exists"
+               RETVAL=1
+           fi
+       else
+           echo "3proxy is not running"
+           RETVAL=3
+       fi
+       ;;
+
+   *)
+       echo "Usage: $0 {start|stop|restart|reload|status}"
+       exit 1
+esac
+exit ${RETVAL:-0}
diff --git a/scripts/install-unix.sh b/scripts/install-unix.sh
deleted file mode 100644
index a54c91e..0000000
--- a/scripts/install-unix.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-cd ..
-cp Makefile.unix Makefile
-make
-if [ ! -d /usr/local/etc/3proxy/bin ]; then mkdir -p /usr/local/etc/3proxy/bin/; fi
-install bin/3proxy /usr/local/bin/3proxy
-install bin/mycrypt /usr/local/bin/mycrypt
-install scripts/rc.d/proxy.sh /usr/local/etc/rc.d/proxy.sh
-install scripts/add3proxyuser.sh /usr/local/etc/3proxy/bin/
-if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then
- echo /usr/local/etc/3proxy/3proxy.cfg already exists
-else
- install scripts/3proxy.cfg /usr/local/etc/3proxy/
- if [ ! -d /var/log/3proxy/ ]; then
-  mkdir /var/log/3proxy/
- fi
- touch /usr/local/etc/3proxy/passwd
- touch /usr/local/etc/3proxy/counters
- touch /usr/local/etc/3proxy/bandlimiters
- echo Run /usr/local/etc/3proxy/bin/add3proxyuser.sh to add \'admin\' user
-fi
-
diff --git a/scripts/org.3proxy.3proxy.plist.in b/scripts/org.3proxy.3proxy.plist.in
new file mode 100644
index 0000000..1e53129
--- /dev/null
+++ b/scripts/org.3proxy.3proxy.plist.in
@@ -0,0 +1,35 @@
+
+
+
+
+    Label
+    org.3proxy.3proxy
+    ProgramArguments
+    
+        @CMAKE_INSTALL_FULL_BINDIR@/3proxy
+        /etc/3proxy/3proxy.cfg
+    
+    UserName
+    proxy
+    GroupName
+    proxy
+    RunAtLoad
+    
+    KeepAlive
+    
+    StandardOutPath
+    /var/log/3proxy.log
+    StandardErrorPath
+    /var/log/3proxy.log
+    SoftResourceLimits
+    
+        NumberOfFiles
+        65536
+    
+    HardResourceLimits
+    
+        NumberOfFiles
+        65536
+    
+
+
diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh
new file mode 100644
index 0000000..3fbd223
--- /dev/null
+++ b/scripts/postinstall.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Post-install script for 3proxy
+# Creates proxy user and group if they don't exist
+
+set -e
+
+# Check if user already exists
+if id proxy >/dev/null 2>&1; then
+    echo "User 'proxy' already exists"
+    exit 0
+fi
+
+echo "Creating proxy user and group..."
+
+# Determine which commands are available
+if command -v groupadd >/dev/null 2>&1; then
+    # Linux (shadow-utils)
+    groupadd -r proxy 2>/dev/null || true
+    useradd -r -g proxy -d /var/run/3proxy -s /usr/sbin/nologin proxy 2>/dev/null || true
+elif command -v addgroup >/dev/null 2>&1; then
+    # Alpine Linux / BusyBox
+    addgroup -S proxy 2>/dev/null || true
+    adduser -S -D -H -G proxy -s /sbin/nologin proxy 2>/dev/null || true
+elif command -v pw >/dev/null 2>&1; then
+    # FreeBSD
+    pw groupadd proxy 2>/dev/null || true
+    pw useradd proxy -g proxy -d /var/run/3proxy -s /usr/sbin/nologin 2>/dev/null || true
+elif command -v dscl >/dev/null 2>&1; then
+    # macOS
+    dscl . create /Groups/proxy 2>/dev/null || true
+    dscl . create /Users/proxy 2>/dev/null || true
+    dscl . create /Users/proxy UserShell /usr/bin/false 2>/dev/null || true
+    dscl . create /Users/proxy NFSHomeDirectory /var/run/3proxy 2>/dev/null || true
+else
+    echo "Warning: Could not create proxy user - no suitable user management tool found"
+    exit 0
+fi
+
+if id proxy >/dev/null 2>&1; then
+    echo "User 'proxy' created successfully"
+else
+    echo "Warning: Failed to create user 'proxy'"
+fi
+
+exit 0
diff --git a/scripts/rc.d/3proxy b/scripts/rc.d/3proxy
new file mode 100644
index 0000000..f293671
--- /dev/null
+++ b/scripts/rc.d/3proxy
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# PROVIDE: 3proxy
+# REQUIRE: LOGIN DAEMON
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="3proxy"
+rcvar="3proxy_enable"
+
+command="/usr/local/3proxy/bin/3proxy"
+pidfile="/var/run/3proxy/${name}.pid"
+command_args="${3proxy_config:-/usr/local/etc/3proxy/3proxy.cfg}"
+required_files="${3proxy_config:-/usr/local/etc/3proxy/3proxy.cfg}"
+
+start_precmd="3proxy_precmd"
+
+3proxy_precmd()
+{
+    if [ ! -d /var/run/3proxy ]; then
+        mkdir -p /var/run/3proxy
+    fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/scripts/rc.d/3proxy.in b/scripts/rc.d/3proxy.in
new file mode 100644
index 0000000..7d77e0f
--- /dev/null
+++ b/scripts/rc.d/3proxy.in
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# PROVIDE: 3proxy
+# REQUIRE: LOGIN DAEMON
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="3proxy"
+rcvar="3proxy_enable"
+
+command="@CMAKE_INSTALL_FULL_BINDIR@/3proxy"
+pidfile="/var/run/3proxy/${name}.pid"
+command_args="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
+required_files="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
+command_user="proxy:proxy"
+
+start_precmd="3proxy_precmd"
+
+3proxy_precmd()
+{
+    if [ ! -d /var/run/3proxy ]; then
+        mkdir -p /var/run/3proxy
+        chown proxy:proxy /var/run/3proxy
+    fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/scripts/rh/3proxy.spec b/scripts/rh/3proxy.spec
index 8380e3b..aacca79 100644
--- a/scripts/rh/3proxy.spec
+++ b/scripts/rh/3proxy.spec
@@ -1,6 +1,6 @@
 Name:           3proxy
-Version:        0.9.3
-Release:        1
+Version:        0.9.6
+Release:        1%{?dist}
 Summary:        3proxy tiny proxy server
 License:        GPL/LGPL/Apache/BSD
 URL:            https://3proxy.org/
@@ -13,11 +13,15 @@ Source:		https://github.com/%{packager}/%{name}/archive/%{version}.tar.gz
 3proxy is lightweight yet powerful proxy server
 
 %prep
-%setup -q -n %{name}-%{version}
+%setup -q
 ln -s Makefile.Linux Makefile
 
 %build
-make
+%if "%{?PAMLIB}" != ""
+    make PAMLIB=%{?PAMLIB}
+%else
+    make
+%endif
 
 %install
 make DESTDIR=%buildroot install
@@ -28,13 +32,15 @@ make clean
 
 %files
 /bin/3proxy
-/bin/ftppr
-/bin/mycrypt
-/bin/pop3p
-/bin/proxy
-/bin/socks
-/bin/tcppm
-/bin/udppm
+/bin/3proxy_crypt
+/bin/3proxy_ftppr
+/bin/3proxy_pop3p
+/bin/3proxy_proxy
+/bin/3proxy_smtpp
+/bin/3proxy_socks
+/bin/3proxy_tcppm
+/bin/3proxy_tlspr
+/bin/3proxy_udppm
 %config(noreplace) /etc/3proxy/3proxy.cfg
 /etc/3proxy/conf
 /etc/init.d/3proxy
@@ -43,31 +49,9 @@ make clean
 %config(noreplace) /usr/local/3proxy/conf/add3proxyuser.sh
 %config(noreplace) /usr/local/3proxy/conf/bandlimiters
 %config(noreplace) /usr/local/3proxy/conf/counters
-/usr/local/3proxy/libexec/PCREPlugin.ld.so
-/usr/local/3proxy/libexec/StringsPlugin.ld.so
-/usr/local/3proxy/libexec/TrafficPlugin.ld.so
-/usr/local/3proxy/libexec/TransparentPlugin.ld.so
-%if "%{_arch}" == "arm"
-/usr/share/man/man3/3proxy.cfg.3
-/usr/share/man/man8/3proxy.8
-/usr/share/man/man8/ftppr.8
-/usr/share/man/man8/pop3p.8
-/usr/share/man/man8/proxy.8
-/usr/share/man/man8/smtpp.8
-/usr/share/man/man8/socks.8
-/usr/share/man/man8/tcppm.8
-/usr/share/man/man8/udppm.8
-%else
-/usr/share/man/man3/3proxy.cfg.3.gz
-/usr/share/man/man8/3proxy.8.gz
-/usr/share/man/man8/ftppr.8.gz
-/usr/share/man/man8/pop3p.8.gz
-/usr/share/man/man8/proxy.8.gz
-/usr/share/man/man8/smtpp.8.gz
-/usr/share/man/man8/socks.8.gz
-/usr/share/man/man8/tcppm.8.gz
-/usr/share/man/man8/udppm.8.gz
-%endif
+/usr/local/3proxy/libexec/*.ld.so
+/usr/share/man/man5/3proxy.cfg.5
+/usr/share/man/man8/*
 /var/log/3proxy
 
 %doc doc/*
diff --git a/src/3proxy.c b/src/3proxy.c
index cce4e78..1e4544f 100644
--- a/src/3proxy.c
+++ b/src/3proxy.c
@@ -1,21 +1,24 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
 #include "proxy.h"
+#ifdef WITH_SSL
+void ssl_install(void);
+#endif
+#ifdef WITH_PCRE
+void pcre_install(void);
+#endif
 #ifndef _WIN32
 #include 
 #ifndef NOPLUGINS
 #include 
 #endif
 #else
-#ifdef WITH_SSL
-#include 
-#endif
 
 #endif
 
@@ -68,10 +71,10 @@ void __stdcall CommandHandler( DWORD dwCommand )
 	conf.paused++;
 	Sleep(2000);
         SetStatus( SERVICE_STOPPED, 0, 0 );
-#ifndef NOODBC
-	pthread_mutex_lock(&log_mutex);
+#ifdef WITH_ODBC
+	_3proxy_mutex_lock(&log_mutex);
 	close_sql();
-	pthread_mutex_unlock(&log_mutex);
+	_3proxy_mutex_unlock(&log_mutex);
 #endif
         break;
     case SERVICE_CONTROL_PAUSE:
@@ -121,13 +124,6 @@ void mysigpause (int sig){
 
 void mysigterm (int sig){
 	conf.paused++;
-	usleep(999*SLEEPTIME);
-	usleep(999*SLEEPTIME);
-#ifndef NOODBC
-	pthread_mutex_lock(&log_mutex);
-	close_sql();
-	pthread_mutex_unlock(&log_mutex);
-#endif
 	conf.timetoexit = 1;
 }
 
@@ -144,8 +140,10 @@ int timechanged (time_t oldtime, time_t newtime, ROTATION lt){
 	struct tm tmold;
 	struct tm *tm;
 	tm = localtime(&oldtime);
+	if(!tm) return 0;
 	tmold = *tm;
 	tm = localtime(&newtime);
+	if(!tm) return 0;
 	switch(lt){
 		case MINUTELY:
 			if(tm->tm_min != tmold.tm_min)return 1;
@@ -209,7 +207,7 @@ void dumpcounters(struct trafcount *tlin, int counterd){
 		if(cfp){
 			for(tl = tlin; cfp && tl; tl = tl->next){
 				if(tl->type >= conf.countertype)
-					fprintf(cfp, "%05d %020"PRINTF_INT64_MODIFIER"u%s%s\n", tl->number, tl->traf64, tl->comment?" #" : "", tl->comment? tl->comment : "");
+					fprintf(cfp, "%05d %020"PRIu64"%s%s\n", tl->number, tl->traf64, tl->comment?" #" : "", tl->comment? tl->comment : "");
 			}
 			fclose(cfp);
 		}
@@ -217,17 +215,17 @@ void dumpcounters(struct trafcount *tlin, int counterd){
 
 
 	cheader.updated = conf.time;
-	lseek(counterd, 0, SEEK_SET);
-	write(counterd, &cheader, sizeof(struct counter_header));			
+	if(lseek(counterd, 0, SEEK_SET) >= 0 && write(counterd, &cheader, sizeof(struct counter_header))){}
 	for(tl=tlin; tl; tl = tl->next){
 		if(tl->number){
-			lseek(counterd, 
+			if(lseek(counterd, 
 				sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
-				SEEK_SET);
-			crecord.traf64 = tl->traf64;
-			crecord.cleared = tl->cleared;
-			crecord.updated = tl->updated;
-			write(counterd, &crecord, sizeof(struct counter_record));
+				SEEK_SET) >= 0){
+			    crecord.traf64 = tl->traf64;
+			    crecord.cleared = tl->cleared;
+			    crecord.updated = tl->updated;
+			    if(write(counterd, &crecord, sizeof(struct counter_record))){}
+			}
 		}
 		if(tl->type!=NEVER && timechanged(tl->cleared, conf.time, tl->type)){
 			tl->cleared = conf.time;
@@ -270,9 +268,11 @@ void cyclestep(void){
 	}
 	if(timechanged(basetime, conf.time, DAILY)) {
 		tm = localtime(&conf.time);
-		wday = (1 << tm->tm_wday);
-		tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
-		basetime = mktime(tm);
+		if(tm){
+			wday = (1 << tm->tm_wday);
+			tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
+			basetime = mktime(tm);
+		}
 	}
 	if(conf.logname) {
 		if(timechanged(conf.logtime, conf.time, conf.logtype)) {
@@ -318,7 +318,7 @@ void cyclestep(void){
 						else
 							strcat((char *)tmpbuf, (char *)conf.archiver[i]);
 					}
-					system((char *)tmpbuf+1);
+					if(system((char *)tmpbuf+1)){}
 				}
 			}
 		}
@@ -489,7 +489,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
   }
 #endif
 #endif
-  conf.conffile = mystrdup((argc==2)?argv[1]:(char*)DEFAULTCONFIG);
+  conf.conffile = strdup((argc==2)?argv[1]:(char*)DEFAULTCONFIG);
   if(conf.conffile && *conf.conffile != '-') {
 	fp = confopen();
 #ifndef _WIN32
@@ -511,15 +511,29 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 	return 1;
   }
 
-  pthread_mutex_init(&config_mutex, NULL);
-  pthread_mutex_init(&bandlim_mutex, NULL);
-  pthread_mutex_init(&connlim_mutex, NULL);
-  pthread_mutex_init(&hash_mutex, NULL);
-  pthread_mutex_init(&tc_mutex, NULL);
-  pthread_mutex_init(&pwl_mutex, NULL);
-  pthread_mutex_init(&log_mutex, NULL);
+  _3proxy_mutex_init(&config_mutex);
+  _3proxy_mutex_init(&bandlim_mutex);
+  _3proxy_mutex_init(&connlim_mutex);
+  _3proxy_mutex_init(&tc_mutex);
+  _3proxy_mutex_init(&log_mutex);
 #ifndef NORADIUS
-  pthread_mutex_init(&rad_mutex, NULL);
+  _3proxy_mutex_init(&rad_mutex);
+#endif
+#ifdef _WIN32
+  conf.threadinit = CreateSemaphore(NULL, 1, 1, NULL);
+  if(!conf.threadinit){
+    fprintf(stderr, "semaphore init failed\n");
+    return 1;
+  }
+#else
+  _3proxy_mutex_init(&conf.threadinit);
+#endif
+
+#ifdef WITH_SSL
+  ssl_install();
+#endif
+#ifdef WITH_PCRE
+  pcre_install();
 #endif
 
   freeconf(&conf);
@@ -527,7 +541,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
   conf.version++;
 
   if(res) RETURN(res);
-  if(!writable)fclose(fp);
+  if(!writable){fclose(fp); fp = NULL;}
 
 #ifdef _WIN32
   
@@ -558,6 +572,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 
 CLEARRETURN:
 
+ if(fp && fp != stdin) {fclose(fp); fp = NULL;}
  return 0;
 
 }
diff --git a/src/3proxy.rc b/src/3proxy.rc
index 041646d..e65242c 100644
--- a/src/3proxy.rc
+++ b/src/3proxy.rc
@@ -10,7 +10,7 @@ BEGIN
     BEGIN
         BLOCK "040904E4"
         BEGIN
-            VALUE "Comments", "3proxy - tiny proxy server, http://3proxy.org/\0"
+            VALUE "Comments", "3proxy - tiny proxy server, https://3proxy.org/\0"
             VALUE "CompanyName", "Vladimir Dubrovin\0"
             VALUE "FileDescription", "3proxy - tiny proxy server\0"
             VALUE "FileVersion", RELEASE3PROXY
diff --git a/src/3proxy_crypt.c b/src/3proxy_crypt.c
new file mode 100644
index 0000000..b936ee7
--- /dev/null
+++ b/src/3proxy_crypt.c
@@ -0,0 +1,294 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+#include "libs/blake2.h"
+#ifdef WITH_SSL
+#include 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include 
+#include 
+#endif
+#endif
+#include 
+
+#define MD5_SIZE 16
+
+#ifdef _WIN32
+#pragma warning (disable : 4996)
+#endif
+
+
+void tohex(unsigned char *in, unsigned char *out, int len);
+
+static unsigned char itoa64[] =
+        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+
+#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+EVP_MD *md4_hash = NULL;
+EVP_MD *md5_hash = NULL;
+#endif
+
+void
+_crypt_to64(unsigned char *s, unsigned long v, int n)
+{
+        while (--n >= 0) {
+                *s++ = itoa64[v&0x3f];
+                v >>= 6;
+        }
+}
+
+
+#ifdef WITH_SSL
+unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPassword, int ctohex)
+{
+	unsigned char szUnicodePass[513];
+	unsigned int nPasswordLen;
+	EVP_MD_CTX *ctx;
+	unsigned int len=sizeof(szUnicodePass);
+	unsigned int i;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	const EVP_MD *md4 = md4_hash;
+#else
+	const EVP_MD *md4 = EVP_md4();
+#endif
+	if(md4 == NULL) return NULL;
+
+	/*
+	 *	NT passwords are unicode.  Convert plain text password
+	 *	to unicode by inserting a zero every other byte
+	 */
+	nPasswordLen = (int)strlen((char *)szPassword);
+	if(nPasswordLen > 255)nPasswordLen = 255;
+	for (i = 0; i < nPasswordLen; i++) {
+		szUnicodePass[i << 1] = szPassword[i];
+		szUnicodePass[(i << 1) + 1] = 0;
+	}
+
+	/* Encrypt Unicode password to a 16-byte MD4 hash */
+	ctx = EVP_MD_CTX_new();
+	if(!ctx) return NULL;
+	if(!EVP_DigestInit_ex(ctx, md4, NULL)){
+	    EVP_MD_CTX_free(ctx);
+	    return NULL;
+	}
+	EVP_DigestUpdate(ctx, szUnicodePass, (nPasswordLen<<1));
+	EVP_DigestFinal_ex(ctx, szUnicodePass, &len);
+	EVP_MD_CTX_free(ctx);
+	if (ctohex){
+		tohex(szUnicodePass, szHash, 16);
+	}
+	else memcpy(szHash, szUnicodePass, 16);
+	memset(szUnicodePass, 0, sizeof szUnicodePass);
+	return szHash;
+}
+#endif
+
+
+unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){
+
+ const unsigned char *ep;
+ unsigned char	*magic;
+ unsigned char  *p;
+ const unsigned char *sp;
+ unsigned char	final[MD5_SIZE] = {0};
+ int sl;
+ unsigned long l;
+
+#if defined(WITH_SSL)
+#ifndef WITHMAIN
+ if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
+	EVP_MD_CTX	*ctx, *ctx1;
+	unsigned int len;
+	int pl, i;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	const EVP_MD *md5 = md5_hash;
+#else
+	const EVP_MD *md5 = EVP_md5();
+#endif
+	if(md5 == NULL) {
+	    *passwd = 0;
+	    return NULL;
+	}
+
+	sp = salt +3;
+	sl = (int)(ep - sp);
+	magic = (unsigned char *)"$1$";
+
+	ctx = EVP_MD_CTX_new();
+	if(!ctx) {
+	    *passwd = 0;
+	    return NULL;
+	}
+	EVP_DigestInit_ex(ctx, md5, NULL);
+
+	/* The password first, since that is what is most unknown */
+	EVP_DigestUpdate(ctx,pw,strlen((char *)pw));
+
+	/* Then our magic string */
+	EVP_DigestUpdate(ctx,magic,strlen((char *)magic));
+
+	/* Then the raw salt */
+	EVP_DigestUpdate(ctx,sp,sl);
+
+	/* Then just as many unsigned characters of the MD5(pw,salt,pw) */
+	ctx1 = EVP_MD_CTX_new();
+	if(!ctx1) {
+	    EVP_MD_CTX_free(ctx);
+	    *passwd = 0;
+	    return NULL;
+	}
+	EVP_DigestInit_ex(ctx1, md5, NULL);
+	EVP_DigestUpdate(ctx1,pw,strlen((char *)pw));
+	EVP_DigestUpdate(ctx1,sp,sl);
+	EVP_DigestUpdate(ctx1,pw,strlen((char *)pw));
+	EVP_DigestFinal_ex(ctx1,final,&len);
+	for(pl = (int)strlen((char *)pw); pl > 0; pl -= MD5_SIZE)
+		EVP_DigestUpdate(ctx,final,pl>MD5_SIZE ? MD5_SIZE : pl);
+
+	/* Don't leave anything around in vm they could use. */
+	memset(final,0,sizeof final);
+
+	/* Then something really weird... */
+	for (i = (int)strlen((char *)pw); i ; i >>= 1)
+		if(i&1)
+		    EVP_DigestUpdate(ctx, final, 1);
+		else
+		    EVP_DigestUpdate(ctx, pw, 1);
+
+
+	EVP_DigestFinal_ex(ctx,final,&len);
+	EVP_MD_CTX_free(ctx);
+
+	/*
+	 * and now, just to make sure things don't run too fast
+	 * On a 60 Mhz Pentium this takes 34 msec, so you would
+	 * need 30 seconds to build a 1000 entry dictionary...
+	 */
+	for(i=0;i<1000;i++) {
+		EVP_MD_CTX_reset(ctx1);
+		EVP_DigestInit_ex(ctx1, md5, NULL);
+		if(i & 1)
+			EVP_DigestUpdate(ctx1,pw,strlen((char *)pw));
+		else
+			EVP_DigestUpdate(ctx1,final,MD5_SIZE);
+
+		if(i % 3)
+			EVP_DigestUpdate(ctx1,sp,sl);
+
+		if(i % 7)
+			EVP_DigestUpdate(ctx1,pw,strlen((char *)pw));
+
+		if(i & 1)
+			EVP_DigestUpdate(ctx1,final,MD5_SIZE);
+		else
+			EVP_DigestUpdate(ctx1,pw,strlen((char *)pw));
+		EVP_DigestFinal_ex(ctx1,final,&len);
+	}
+	EVP_MD_CTX_free(ctx1);
+ }
+ else
+#endif
+#endif
+  if(salt[0] == '$' && salt[1] == '3' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
+    sp = salt +3;
+    sl = (int)(ep - sp);
+    magic = (unsigned char *)"$3$";
+    {
+        blake2b_state S;
+        if(blake2b_init(&S, MD5_SIZE) != 0 ||
+           blake2b_update(&S, pw, strlen((char *)pw) + 1) != 0 ||
+           blake2b_update(&S, sp, sl) != 0 ||
+           blake2b_final(&S, final, MD5_SIZE) != 0) {
+            *passwd = 0;
+            return NULL;
+        }
+    }
+ }
+ else {
+	*passwd = 0;
+	return passwd;
+ }
+
+ strcpy((char *)passwd,(char *)magic);
+ strncat((char *)passwd,(char *)sp,sl);
+ strcat((char *)passwd,"$");
+ p = passwd + strlen((char *)passwd);
+
+ l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
+ _crypt_to64(p,l,4); p += 4;
+ l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
+ _crypt_to64(p,l,4); p += 4;
+ l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
+ _crypt_to64(p,l,4); p += 4;
+ l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
+ _crypt_to64(p,l,4); p += 4;
+ l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
+ _crypt_to64(p,l,4); p += 4;
+ l =                    final[11]                ;
+ _crypt_to64(p,l,2); p += 2;
+ *p = '\0';
+ return passwd;
+}
+
+#ifdef WITHMAIN
+#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include 
+#endif
+#include 
+int main(int argc, char* argv[]){
+	unsigned char buf1[128];
+	unsigned char buf2[128];
+	unsigned i;
+	if(argc < 2 || argc > 3) {
+		fprintf(stderr, "usage: \n"
+#ifdef WITH_SSL
+			"\t%s \n"
+#endif
+			"\t%s  \n"
+#ifdef WITH_SSL
+			"Performs NT crypt if no salt specified, BLAKE2 crypt with salt\n"
+#else
+			"Performs BLAKE2 crypt with salt\n"
+#endif
+			,
+#ifdef WITH_SSL
+			argv[0],
+#endif
+			argv[0]);
+			return 1;
+	}
+#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+        OSSL_PROVIDER_load(NULL, "legacy");
+        OSSL_PROVIDER_load(NULL, "default");
+        md4_hash = EVP_MD_fetch(NULL, "MD4", NULL);
+        if (md4_hash == NULL) {
+	    fprintf(stderr, "Error fetching MD4\n");
+        }
+#endif
+	if(argc == 2) {
+#ifdef WITH_SSL
+		{ unsigned char *nt = ntpwdhash(buf1, (unsigned char *)argv[1], 1);
+		  if(nt) printf("NT:%s\n", nt); }
+#else
+		fprintf(stderr, "NT crypt not available (compiled without OpenSSL)\n");
+#endif
+	}
+	else {
+		unsigned char *cr;
+		i = (int)strlen((char *)argv[1]);
+		if (i > 64) argv[1][64] = 0;
+		sprintf((char *)buf1, "$3$%.64s$", argv[1]);
+		cr = mycrypt((unsigned char *)argv[2], buf1, buf2);
+		if(cr) printf("CR:%s\n", cr);
+	}
+	return 0;
+}
+
+#endif
diff --git a/src/Makefile.inc b/src/Makefile.inc
index a0b1e52..f949826 100644
--- a/src/Makefile.inc
+++ b/src/Makefile.inc
@@ -2,12 +2,14 @@
 # 3 proxy common Makefile
 #
 
-all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
-
+all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) allplugins
 
 sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockmap.c
 
+udpsockmap$(OBJSUFFICS): udpsockmap.c proxy.h structures.h
+	$(CC) $(COUT)udpsockmap$(OBJSUFFICS) $(CFLAGS) udpsockmap.c
+
 common$(OBJSUFFICS): common.c proxy.h structures.h
 	$(CC) $(CFLAGS) common.c
 
@@ -20,62 +22,64 @@ base64$(OBJSUFFICS): base64.c
 ftp$(OBJSUFFICS): ftp.c proxy.h structures.h
 	$(CC) $(CFLAGS) ftp.c
 
-#$(COMPATLIBS): 
-#	$(CC) $(CFLAGS) strncasecmp.c
-
 sockgetchar$(OBJSUFFICS): sockgetchar.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockgetchar.c
 
 proxy$(OBJSUFFICS): proxy.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS proxy.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS $(DEFINEOPTION)NOUDPMAIN proxy.c
 
 pop3p$(OBJSUFFICS): pop3p.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP pop3p.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN pop3p.c
 
 smtpp$(OBJSUFFICS): smtpp.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP smtpp.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN smtpp.c
 
 ftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP ftppr.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN ftppr.c
 
 tcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tcppm.c
-
-socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tcppm.c
 
 udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP udppm.c
 
+tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tlspr.c
+
+
+socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN socks.c
+
 3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
 	$(CC) $(CFLAGS) 3proxy.c
 
-$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) hash$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) hash$(OBJSUFFICS) $(LIBS)
+
+$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
 mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
 	$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
 
-
-
 srvproxy$(OBJSUFFICS): proxy.c proxy.h structures.h
 	$(CC) $(COUT)srvproxy$(OBJSUFFICS) $(CFLAGS) proxy.c
 
@@ -91,6 +95,12 @@ srvftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h
 srvtcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h
 	$(CC) $(COUT)srvtcppm$(OBJSUFFICS) $(CFLAGS) tcppm.c
 
+srvtlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h
+	$(CC) $(COUT)srvtlspr$(OBJSUFFICS) $(CFLAGS) tlspr.c
+
+srvauto$(OBJSUFFICS): auto.c proxy.h structures.h
+	$(CC) $(COUT)srvauto$(OBJSUFFICS) $(CFLAGS) auto.c
+
 srvsocks$(OBJSUFFICS): socks.c proxy.h structures.h
 	$(CC) $(COUT)srvsocks$(OBJSUFFICS) $(CFLAGS) socks.c
 
@@ -106,6 +116,24 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
 auth$(OBJSUFFICS): auth.c proxy.h structures.h
 	$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
 
+acl$(OBJSUFFICS): acl.c proxy.h structures.h
+	$(CC) $(COUT)acl$(OBJSUFFICS) $(CFLAGS) acl.c
+
+limiter$(OBJSUFFICS): limiter.c proxy.h structures.h
+	$(CC) $(COUT)limiter$(OBJSUFFICS) $(CFLAGS) limiter.c
+
+redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
+	$(CC) $(COUT)redirect$(OBJSUFFICS) $(CFLAGS) redirect.c
+
+hash$(OBJSUFFICS): hash.c proxy.h structures.h
+	$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
+
+hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h libs/blake2.h
+	$(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c
+
+resolve$(OBJSUFFICS): resolve.c proxy.h structures.h
+	$(CC) $(COUT)resolve$(OBJSUFFICS) $(CFLAGS) resolve.c
+
 authradius$(OBJSUFFICS): authradius.c proxy.h structures.h
 	$(CC) $(COUT)authradius$(OBJSUFFICS) $(CFLAGS) authradius.c
 
@@ -118,31 +146,30 @@ log$(OBJSUFFICS): log.c proxy.h structures.h
 datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
 	$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
 
-mycrypt$(OBJSUFFICS): mycrypt.c
-	$(CC) $(COUT)mycrypt$(OBJSUFFICS) $(CFLAGS) mycrypt.c
+3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c libs/blake2.h
+	$(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c
 
-mycryptmain$(OBJSUFFICS): mycrypt.c
-	$(CC) $(COUT)mycryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN mycrypt.c
+3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c libs/blake2.h
+	$(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c
 
-$(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)mycrypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) base64$(OBJSUFFICS) mycryptmain$(OBJSUFFICS)
+blake2$(OBJSUFFICS):  libs/blake2b-ref.c
+	$(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c
 
-
-md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
-	$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
-
-smbdes$(OBJSUFFICS):  libs/smbdes.c
-	$(CC) $(COUT)smbdes$(OBJSUFFICS) $(CFLAGS) libs/smbdes.c
-
-md5$(OBJSUFFICS):  libs/md5.h libs/md5.c
-	$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
-
-ntlm$(OBJSUFFICS):  ntlm.c
-	$(CC) $(COUT)ntlm$(OBJSUFFICS) $(CFLAGS) ntlm.c
+$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) $(LIBS)
 
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
 
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+ssllib$(OBJSUFFICS): ssllib.c structures.h proxy.h ssl.h
+	$(CC) $(COUT)ssllib$(OBJSUFFICS) $(CFLAGS) ssllib.c
+
+ssl$(OBJSUFFICS): ssl.c structures.h proxy.h ssl.h
+	$(CC) $(COUT)ssl$(OBJSUFFICS) $(CFLAGS) ssl.c
+
+pcre$(OBJSUFFICS): pcre.c structures.h
+	$(CC) $(COUT)pcre$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITH_PCRE pcre.c
+
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(SSL_OBJS) $(PCRE_OBJS) $(COMPATLIBS) $(VERSIONDEP)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(SSL_OBJS) $(PCRE_OBJS) $(COMPATLIBS) $(LIBS) $(PCRE_LIBS)
 
diff --git a/src/acl.c b/src/acl.c
new file mode 100644
index 0000000..53a51ae
--- /dev/null
+++ b/src/acl.c
@@ -0,0 +1,169 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
+	int addrlen;
+	unsigned char *ip, *ipf, *ipt;
+
+
+	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
+
+	ip = (unsigned char *)SAADDR(sa);
+	ipf = (unsigned char *)&ipentry->ip_from;
+	ipt = (unsigned char *)&ipentry->ip_to;
+
+
+	addrlen = SAADDRLEN(sa);
+
+	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
+	return 1;
+
+}
+
+int ACLmatches(struct ace* acentry, struct clientparam * param){
+	struct userlist * userentry;
+	struct iplist *ipentry;
+	struct portlist *portentry;
+	struct period *periodentry;
+	unsigned char * username;
+	struct hostname * hstentry=NULL;
+	int i;
+	int match = 0;
+
+	username = param->username?param->username:(unsigned char *)"-";
+	if(acentry->src) {
+	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)¶m->sincr, ipentry)) {
+			break;
+		}
+	 if(!ipentry) return 0;
+	}
+	if((acentry->dst && (!SAISNULL(¶m->req) || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
+	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)¶m->req, ipentry)) {
+			break;
+		}
+	 if(!ipentry) {
+		 if(acentry->dstnames && param->hostname){
+			for(i=0; param->hostname[i]; i++){
+				param->hostname[i] = tolower(param->hostname[i]);
+			}
+			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
+			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
+				int lname, lhost;
+				switch(hstentry->matchtype){
+					case 0:
+#ifndef _WIN32
+					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#else
+					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#endif
+					break;
+
+					case 1:
+					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
+						match = 1;
+					break;
+
+					case 2:
+					lname = strlen((char *)hstentry->name);
+					lhost = strlen((char *)param->hostname);
+					if(lhost > lname){
+						if(!strncasecmp((char *)param->hostname + (lhost - lname),
+							(char *)hstentry->name,
+							lname))
+								match = 1;
+					}
+					break;
+
+					default:
+					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
+					break;
+        			}
+				if(match) break;
+			}
+		 }
+	 }
+	 if(!ipentry && !hstentry) return 0;
+	}
+	if(acentry->ports && (*SAPORT(¶m->req) || param->operation == BIND)) {
+	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
+		if(ntohs(*SAPORT(¶m->req)) >= portentry->startport &&
+			   ntohs(*SAPORT(¶m->req)) <= portentry->endport) {
+			break;
+		}
+		if(!portentry) return 0;
+	}
+	if(acentry->wdays){
+		if(!(acentry -> wdays & wday)) return 0;
+	}
+	if(acentry->periods){
+	 int start_time = (int)(param->time_start - basetime);
+	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
+		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
+			break;
+		}
+		if(!periodentry) return 0;
+	}
+	if(acentry->users){
+	 for(userentry = acentry->users; userentry; userentry = userentry->next)
+		if(!strcmp((char *)username, (char *)userentry->user)){
+			break;
+		}
+	 if(!userentry) return 0;
+	}
+	if(acentry->operation) {
+		if((acentry->operation & param->operation) != param->operation){
+				 return 0;
+		}
+	}
+	if(acentry->weight && (acentry->weight < param->weight)) return 0;
+	return 1;
+}
+
+
+int checkACL(struct clientparam * param){
+	struct ace* acentry;
+
+	if(!param->srv->acl) {
+		return 0;
+	}
+	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
+		if(ACLmatches(acentry, param)) {
+			param->nolog = acentry->nolog;
+			param->weight = acentry->weight;
+			if(acentry->action == 2) {
+				struct ace dup;
+				int res=60,i=0;
+
+
+				if(param->operation < 256 && !(param->operation & (CONNECT|UDPASSOC))){
+					continue;
+				}
+				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
+					continue;
+				}
+				if(param->remsock != INVALID_SOCKET && (param->operation != UDPASSOC || param->ctrlsocksrv != INVALID_SOCKET)) {
+					return 0;
+				}
+				for(; i < conf.parentretries; i++){
+					dup = *acentry;
+					res = handleredirect(param, &dup);
+					if(!res) break;
+					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
+					param->remsock = INVALID_SOCKET;
+				}
+				return res;
+			}
+			return acentry->action;
+		}
+	}
+	return 3;
+}
diff --git a/src/auth.c b/src/auth.c
index 634b092..68b9bdc 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -1,656 +1,15 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
 #include "proxy.h"
+#include "libs/blake2.h"
 
-
-int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
-	unsigned char *buf;
-	unsigned char *username;
-	int res;
-	int len=0;
-	unsigned char * user, *pass;
-
-
-	user = redir->extuser;
-	pass = redir->extpass;
-	if (!param->srvbufsize){
-		param->srvbufsize = SRVBUFSIZE;
-		param->srvbuf = myalloc(param->srvbufsize);
-	}
-	buf = param->srvbuf;
-	username = buf + 2048;
-	if(user) {
-		if (*user == '*') {
-			if(!param->username) return 4;
-			user = param->username;
-			pass = param->password;
-		}
-	}
-	switch(redir->type){
-		case R_TCP:
-		case R_HTTP:
-			return 0;
-		case R_CONNECT:
-		case R_CONNECTP:
-		{
-			len = sprintf((char *)buf, "CONNECT ");
-			if(redir->type == R_CONNECTP && hostname) {
-				char * needreplace;
-				needreplace = strchr((char *)hostname, ':');
-				if(needreplace) buf[len++] = '[';
-				len += sprintf((char *)buf + len, "%.256s", (char *)hostname);
-				if(needreplace) buf[len++] = ']';
-			}
-			else {
-				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = '[';
-				len += myinet_ntop(*SAFAMILY(addr), SAADDR(addr), (char *)buf+len, 256);
-				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = ']';
-			}
-			len += sprintf((char *)buf + len,
-				":%hu HTTP/1.0\r\nConnection: keep-alive\r\n", ntohs(*SAPORT(addr)));
-			if(user){
-				len += sprintf((char *)buf + len, "Proxy-Authorization: Basic ");
-				sprintf((char *)username, "%.128s:%.128s", user, pass?pass:(unsigned char *)"");
-				en64(username, buf+len, (int)strlen((char *)username));
-				len = (int)strlen((char *)buf);
-				len += sprintf((char *)buf + len, "\r\n");
-			}
-			len += sprintf((char *)buf + len, "\r\n");
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
-				return 31;
-			param->statssrv64+=len;
-			param->nwrites++;
-			if((res = sockgetlinebuf(param, SERVER,buf,13,'\n',conf.timeouts[CHAIN_TO])) < 13)
-				return 32;
-			if(buf[9] != '2') return 33;
-			while((res = sockgetlinebuf(param, SERVER,buf,1023,'\n', conf.timeouts[CHAIN_TO])) > 2);
-			if(res <= 0) return 34;
-			return 0;
-		}
-		case R_SOCKS4:
-		case R_SOCKS4P:
-		case R_SOCKS4B:
-		{
-
-			if(*SAFAMILY(addr) != AF_INET) return 44;
-			buf[0] = 4;
-			buf[1] = 1;
-			memcpy(buf+2, SAPORT(addr), 2);
-			if(redir->type == R_SOCKS4P && hostname) {
-				buf[4] = buf[5] = buf[6] = 0;
-				buf[7] = 3;
-			}
-			else memcpy(buf+4, SAADDR(addr), 4);
-			if(!user)user = (unsigned char *)"anonymous";
-			len = (int)strlen((char *)user) + 1;
-			memcpy(buf+8, user, len);
-			len += 8;
-			if(redir->type == R_SOCKS4P && hostname) {
-				int hostnamelen;
-
-				hostnamelen = (int)strlen((char *)hostname) + 1;
-				if(hostnamelen > 255) hostnamelen = 255;
-				memcpy(buf+len, hostname, hostnamelen);
-				len += hostnamelen;
-			}
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
-				return 41;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if((len = sockgetlinebuf(param, SERVER, buf, (redir->type == R_SOCKS4B)? 3:8, EOF, conf.timeouts[CHAIN_TO])) != ((redir->type == R_SOCKS4B)? 3:8)){
-				return 42;
-			}
-			if(buf[1] != 90) {
-				return 43;
-			}
-
-		}
-		return 0;
-
-		case R_SOCKS5:
-		case R_SOCKS5P:
-		case R_SOCKS5B:
-		{
-		 int inbuf = 0;
-			buf[0] = 5;
-			buf[1] = 1;
-			buf[2] = user? 2 : 0;
-			if(socksend(param->remsock, buf, 3, conf.timeouts[CHAIN_TO]) != 3){
-				return 51;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if(sockgetlinebuf(param, SERVER, buf, 2, EOF, conf.timeouts[CHAIN_TO]) != 2){
-				return 52;
-			}
-			if(buf[0] != 5) {
-				return 53;
-			}
-			if(buf[1] != 0 && !(buf[1] == 2 && user)){
-				return 54;
-			}
-			if(buf[1] == 2){
-				buf[inbuf++] = 1;
-				buf[inbuf] = (unsigned char)strlen((char *)user);
-				memcpy(buf+inbuf+1, user, buf[inbuf]);
-				inbuf += buf[inbuf] + 1;
-				buf[inbuf] = pass?(unsigned char)strlen((char *)pass):0;
-				if(pass)memcpy(buf+inbuf+1, pass, buf[inbuf]);
-				inbuf += buf[inbuf] + 1;
-				if(socksend(param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
-					return 51;
-				}
-				param->statssrv64+=inbuf;
-				param->nwrites++;
-				if(sockgetlinebuf(param, SERVER, buf, 2, EOF, 60) != 2){
-					return 55;
-				}
-				if(buf[0] != 1 || buf[1] != 0) {
-					return 56;
-				}
-			}
-			buf[0] = 5;
-			buf[1] = 1;
-			buf[2] = 0;
-			if(redir->type == R_SOCKS5P && hostname) {
-				buf[3] = 3;
-				len = (int)strlen((char *)hostname);
-				if(len > 255) len = 255;
-				buf[4] = len;
-				memcpy(buf + 5, hostname, len);
-				len += 5;
-			}
-			else {
-				len = 3;
-				buf[len++] = (*SAFAMILY(addr) == AF_INET)? 1 : 4;
-				memcpy(buf+len, SAADDR(addr), SAADDRLEN(addr));
-				len += SAADDRLEN(addr);
-			}
-			memcpy(buf+len, SAPORT(addr), 2);
-			len += 2;
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
-				return 51;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if(sockgetlinebuf(param, SERVER, buf, 4, EOF, conf.timeouts[CHAIN_TO]) != 4){
-				return 57;
-			}
-			if(buf[0] != 5) {
-				return 53;
-			}
-			if(buf[1] != 0) {
-				return 60 + (buf[1] % 10);
-			}
-			switch (buf[3]) {
-			case 1:
-			    if (redir->type == R_SOCKS5B ||  sockgetlinebuf(param, SERVER, buf, 6, EOF, conf.timeouts[CHAIN_TO]) == 6)
-				    break;
-			    return 59;
-			case 3:
-			    if (sockgetlinebuf(param, SERVER, buf, 256, 0, conf.timeouts[CHAIN_TO]) > 1)
-				    break;
-			    return 59;
-			case 4:
-			    if (sockgetlinebuf(param, SERVER, buf, 18, EOF, conf.timeouts[CHAIN_TO]) == 18)
-				    break;
-			    return 59;
-			default:
-			    return 58;
-			}
-			return 0;
-		}
-
-		default:
-
-			return 30;
-	}
-}
-
-
-int handleredirect(struct clientparam * param, struct ace * acentry){
-	int connected = 0;
-	int weight = 1000;
-	int res;
-	int done = 0;
-	struct chain * cur;
-	struct chain * redir = NULL;
-	int r2;
-
-	if(param->remsock != INVALID_SOCKET) {
-		return 0;
-	}
-	if(SAISNULL(¶m->req) || !*SAPORT(¶m->req)) {
-		return 100;
-	}
-
-	r2 = (myrand(param, sizeof(struct clientparam))%1000);
-
-	for(cur = acentry->chains; cur; cur=cur->next){
-		if(((weight = weight - cur->weight) > r2)|| done) {
-			if(weight <= 0) {
-				weight += 1000;
-				done = 0;
-				r2 = (myrand(param, sizeof(struct clientparam))%1000);
-			}
-			continue;
-		}
-		param->redirected++;
-		done = 1;
-		if(weight <= 0) {
-			weight += 1000;
-			done = 0;
-			r2 = (myrand(param, sizeof(struct clientparam))%1000);
-		}
-		if(!connected){
-			if(cur->type == R_EXTIP){
-				param->sinsl = cur->addr;
-				if(SAISNULL(¶m->sinsl))param->sinsl = param->sincr;
-#ifndef NOIPV6
-				else if(cur->cidr && *SAFAMILY(¶m->sinsl) == AF_INET6){
-					uint16_t c;
-					int i;
-
-					for(i = 0; i < 8; i++){
-						if(i==4)myrand(¶m->sincr, sizeof(param->sincr));
-						else if(i==6) myrand(¶m->req, sizeof(param->req));
-
-						if(i*16 >= cur->cidr) ((uint16_t *)SAADDR(¶m->sinsl))[i] |= rand();
-						else if ((i+1)*16 >  cur->cidr){
-							c = rand();
-							c >>= (cur->cidr - (i*16));
-							c |= ntohs(((uint16_t *)SAADDR(¶m->sinsl))[i]);
-							((uint16_t *)SAADDR(¶m->sinsl))[i] = htons(c);
-						}
-					}
-				}
-#endif
-				if(cur->next)continue;
-				return 0;
-			}
-			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
-				if(cur->extuser){
-					if(param->extusername)
-						myfree(param->extusername);
-					param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
-					if(cur->extpass){
-						if(param->extpassword)
-							myfree(param->extpassword);
-						param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
-					}
-					if(*cur->extuser == '*' && !param->username) return 4;
-				}
-				switch(cur->type){
-					case R_POP3:
-						param->redirectfunc = pop3pchild;
-						break;
-					case R_FTP:
-						param->redirectfunc = ftpprchild;
-						break;
-					case R_ADMIN:
-						param->redirectfunc = adminchild;
-						break;
-					case R_SMTP:
-						param->redirectfunc = smtppchild;
-						break;
-					default:
-						param->redirectfunc = proxychild;
-				}
-				if(cur->next)continue;
-				return 0;
-			}
-			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
-				unsigned short port = *SAPORT(¶m->sinsr);
-				param->sinsr = cur->addr;
-				*SAPORT(¶m->sinsr) = port;
-			}
-			else if(SAISNULL(&cur->addr) && *SAPORT(&cur->addr)) *SAPORT(¶m->sinsr) = *SAPORT(&cur->addr);
-			else {
-				param->sinsr = cur->addr;
-			}
-
-			if((res = alwaysauth(param))){
-				return (res >= 10)? res : 60+res;
-			}
-		}
-		else {
-			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
-			if(res) return res;
-		}
-		redir = cur;
-		param->redirtype = redir->type;
-		if(redir->type == R_TCP || redir->type ==R_HTTP) {
-			if(cur->extuser){
-				if(*cur -> extuser == '*' && !param->username) return 4;
-				if(param->extusername)
-					myfree(param->extusername);
-				param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
-				if(cur->extpass){
-					if(param->extpassword)
-						myfree(param->extpassword);
-					param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
-				}
-			}
-			return 0;
-		}
-		connected = 1;
-	}
-
-	if(!connected || !redir) return 0;
-	return clientnegotiate(redir, param, (struct sockaddr *)¶m->req, param->hostname);
-}
-
-int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
-	int addrlen;
-	unsigned char *ip, *ipf, *ipt;
-
-
-	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
-
-	ip = (unsigned char *)SAADDR(sa);
-	ipf = (unsigned char *)&ipentry->ip_from;
-	ipt = (unsigned char *)&ipentry->ip_to;
-
-
-	addrlen = SAADDRLEN(sa);
-	
-	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
-	return 1;
-	
-}
-
-int ACLmatches(struct ace* acentry, struct clientparam * param){
-	struct userlist * userentry;
-	struct iplist *ipentry;
-	struct portlist *portentry;
-	struct period *periodentry;
-	unsigned char * username;
-	struct hostname * hstentry=NULL;
-	int i;
-	int match = 0;
-	
-	username = param->username?param->username:(unsigned char *)"-";
-	if(acentry->src) {
-	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
-		if(IPInentry((struct sockaddr *)¶m->sincr, ipentry)) {
-			break;
-		}
-	 if(!ipentry) return 0;
-	}
-	if((acentry->dst && !SAISNULL(¶m->req)) || (acentry->dstnames && param->hostname)) {
-	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
-		if(IPInentry((struct sockaddr *)¶m->req, ipentry)) {
-			break;
-		}
-	 if(!ipentry) {
-		 if(acentry->dstnames && param->hostname){
-			for(i=0; param->hostname[i]; i++){
-				param->hostname[i] = tolower(param->hostname[i]);
-			}
-			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
-			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
-				int lname, lhost;
-				switch(hstentry->matchtype){
-					case 0:
-#ifndef _WIN32
-					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
-#else
-					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
-#endif
-					break;
-
-					case 1:
-					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
-						match = 1;
-					break;
-
-					case 2:
-					lname = strlen((char *)hstentry->name);
-					lhost = strlen((char *)param->hostname);
-					if(lhost > lname){
-						if(!strncasecmp((char *)param->hostname + (lhost - lname),
-							(char *)hstentry->name,
-							lname))
-								match = 1;
-					}
-					break;
-
-					default:
-					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
-					break;
-        			}
-				if(match) break;
-			}
-		 }
-	 }
-	 if(!ipentry && !hstentry) return 0;
-	}
-	if(acentry->ports && *SAPORT(¶m->req)) {
-	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
-		if(ntohs(*SAPORT(¶m->req)) >= portentry->startport &&
-			   ntohs(*SAPORT(¶m->req)) <= portentry->endport) {
-			break;
-		}
-		if(!portentry) return 0;
-	}
-	if(acentry->wdays){
-		if(!(acentry -> wdays & wday)) return 0;
-	}
-	if(acentry->periods){
-	 int start_time = (int)(param->time_start - basetime);
-	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
-		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
-			break;
-		}
-		if(!periodentry) return 0;
-	}
-	if(acentry->users){
-	 for(userentry = acentry->users; userentry; userentry = userentry->next)
-		if(!strcmp((char *)username, (char *)userentry->user)){
-			break;
-		}
-	 if(!userentry) return 0;
-	}
-	if(acentry->operation) {
-		if((acentry->operation & param->operation) != param->operation){
-				 return 0;
-		}
-	}
-	if(acentry->weight && (acentry->weight < param->weight)) return 0;
-	return 1;
-}
-
-
-int startconnlims (struct clientparam *param){
-	struct connlim * ce;
-	time_t delta;
-	uint64_t rating;
-	int ret = 0;
-
-	pthread_mutex_lock(&connlim_mutex);
-	for(ce = conf.connlimiter; ce; ce = ce->next) {
-		if(ACLmatches(ce->ace, param)){
-			if(ce->ace->action == NOCONNLIM)break;
-			if(!ce->period){
-				if(ce->rate <= ce->rating) {
-					ret = 1;
-					break;
-				}
-				ce->rating++;
-				continue;
-			}
-			delta = conf.time - ce->basetime;
-			if(ce->period <= delta || ce->basetime > conf.time){
-				ce->basetime = conf.time;
-				ce->rating = 0x100000;
-				continue;
-			}
-			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
-			if (rating > (ce->rate<<20)) {
-				ret = 2;
-				break;
-			}
-			ce->rating = rating;
-			ce->basetime = conf.time;
-		}
-	}
-	pthread_mutex_unlock(&connlim_mutex);
-	return ret;
-}
-
-void stopconnlims (struct clientparam *param){
-	struct connlim * ce;
-
-	pthread_mutex_lock(&connlim_mutex);
-	for(ce = conf.connlimiter; ce; ce = ce->next) {
-		if(ACLmatches(ce->ace, param)){
-			if(ce->ace->action == NOCONNLIM)break;
-			if(!ce->period && ce->rating){
-				ce->rating--;
-				continue;
-			}
-		}
-	}
-	pthread_mutex_unlock(&connlim_mutex);
-}
-
-static void initbandlims (struct clientparam *param){
-	struct bandlim * be;
-	int i;
-
-	param->bandlimfunc = NULL;
-	param->bandlims[0] = NULL;
-	param->bandlimsout[0] = NULL;
-	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
-	for(i=0, be = conf.bandlimiter; be && inext) {
-		if(ACLmatches(be->ace, param)){
-			if(be->ace->action == NOBANDLIM) {
-				break;
-			}
-			param->bandlims[i++] = be;
-			param->bandlimfunc = conf.bandlimfunc;
-		}
-	}
-	if(ibandlims[i] = NULL;
-	for(i=0, be = conf.bandlimiterout; be && inext) {
-		if(ACLmatches(be->ace, param)){
-			if(be->ace->action == NOBANDLIM) {
-				break;
-			}
-			param->bandlimsout[i++] = be;
-			param->bandlimfunc = conf.bandlimfunc;
-		}
-	}
-	if(ibandlimsout[i] = NULL;
-	param->bandlimver = conf.bandlimver;
-}
-
-unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
-	unsigned sleeptime = 0, nsleeptime;
-	time_t sec;
-	unsigned msec;
-	unsigned now;
-	int i;
-
-#ifdef _WIN32
-	struct timeb tb;
-
-	ftime(&tb);
-	sec = (unsigned)tb.time;
-	msec = (unsigned)tb.millitm*1000;
-#else
-	struct timeval tv;
-	gettimeofday(&tv, NULL);
-
-	sec = tv.tv_sec;
-	msec = tv.tv_usec;
-#endif
-	
-	if(!nbytesin && !nbytesout) return 0;
-	pthread_mutex_lock(&bandlim_mutex);
-	if(param->bandlimver != conf.bandlimver){
-		initbandlims(param);
-		param->bandlimver = conf.bandlimver;
-	}
-	for(i=0; nbytesin&& ibandlims[i]; i++){
-		if( !param->bandlims[i]->basetime || 
-			param->bandlims[i]->basetime > sec ||
-			param->bandlims[i]->basetime < (sec - 120)
-		  )
-		{
-			param->bandlims[i]->basetime = sec;
-			param->bandlims[i]->nexttime = 0;
-			continue;
-		}
-		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
-		nsleeptime = (param->bandlims[i]->nexttime > now)?
-			param->bandlims[i]->nexttime - now : 0;
-		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
-		param->bandlims[i]->basetime = sec;
-		param->bandlims[i]->nexttime = msec + nsleeptime + ((nbytesin > 512)? ((nbytesin+32)/64)*(((64*8*1000000)/param->bandlims[i]->rate)) : ((nbytesin+1) * (8*1000000))/param->bandlims[i]->rate);
-	}
-	for(i=0; nbytesout && ibandlimsout[i]; i++){
-		if( !param->bandlimsout[i]->basetime || 
-			param->bandlimsout[i]->basetime > sec ||
-			param->bandlimsout[i]->basetime < (sec - 120)
-		  )
-		{
-			param->bandlimsout[i]->basetime = sec;
-			param->bandlimsout[i]->nexttime = 0;
-			continue;
-		}
-		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
-		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
-			param->bandlimsout[i]->nexttime - now : 0;
-		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
-		param->bandlimsout[i]->basetime = sec;
-		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
-	}
-	pthread_mutex_unlock(&bandlim_mutex);
-	return sleeptime/1000;
-}
-
-void trafcountfunc(struct clientparam *param){
-	struct trafcount * tc;
-	int countout = 0;
-
-	pthread_mutex_lock(&tc_mutex);
-	for(tc = conf.trafcounter; tc; tc = tc->next) {
-		if(ACLmatches(tc->ace, param)){
-
-			if(tc->ace->action == NOCOUNTIN) {
-				countout = 1;
-				break;
-			}
-			if(tc->ace->action == NOCOUNTALL) break;
-			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
-				countout = 1;
-				continue;
-			}
-			tc->traf64 += param->statssrv64;
-			tc->updated = conf.time;
-		}
-	}
-	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
-		if(ACLmatches(tc->ace, param)){
-			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
-			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
-				continue;
-			}
-			tc->traf64 += param->statscli64;
-			tc->updated = conf.time;
-		}
-	}
-
-	pthread_mutex_unlock(&tc_mutex);
-}
+void initbandlims(struct clientparam *param);
 
 int alwaysauth(struct clientparam * param){
 	int res;
@@ -658,17 +17,17 @@ int alwaysauth(struct clientparam * param){
 	int countout = 0;
 
 
-	if(conf.connlimiter && param->remsock == INVALID_SOCKET && startconnlims(param)) return 95;
+	if(conf.connlimiter && !param->connlim  && startconnlims(param)) return 10;
 	res = doconnect(param);
 	if(!res){
 		if(conf.bandlimfunc && (conf.bandlimiter||conf.bandlimiterout)){
-			pthread_mutex_lock(&bandlim_mutex);
+			_3proxy_mutex_lock(&bandlim_mutex);
 			initbandlims(param);
-			pthread_mutex_unlock(&bandlim_mutex);
+			_3proxy_mutex_unlock(&bandlim_mutex);
 		}
 
 		if(conf.trafcountfunc && conf.trafcounter) {
-			pthread_mutex_lock(&tc_mutex);
+			_3proxy_mutex_lock(&tc_mutex);
 			for(tc = conf.trafcounter; tc; tc = tc->next) {
 				if(tc->disabled) continue;
 				if(ACLmatches(tc->ace, param)){
@@ -681,9 +40,12 @@ int alwaysauth(struct clientparam * param){
 						countout = 1;
 						if(tc->ace->action != COUNTALL) continue;
 					}
-					if(tc->traflim64 <= tc->traf64) return 10;
+					if(tc->traflim64 <= tc->traf64) {
+					    _3proxy_mutex_unlock(&tc_mutex);
+					    return 10;
+					}
 					param->trafcountfunc = conf.trafcountfunc;
-					param->maxtrafin64 = tc->traflim64 - tc->traf64; 
+					param->maxtrafin64 = tc->traflim64 - tc->traf64;
 				}
 			}
 			if(countout)for(tc = conf.trafcounter; tc; tc = tc->next) {
@@ -693,126 +55,58 @@ int alwaysauth(struct clientparam * param){
 					if(tc->ace->action != COUNTOUT && tc->ace->action !=  COUNTALL) {
 						continue;
 					}
-					if(tc->traflim64 <= tc->traf64) return 10;
+					if(tc->traflim64 <= tc->traf64) {
+					    _3proxy_mutex_unlock(&tc_mutex);
+					    return 10;
+					}
 					param->trafcountfunc = conf.trafcountfunc;
-					param->maxtrafout64 = tc->traflim64 - tc->traf64; 
+					param->maxtrafout64 = tc->traflim64 - tc->traf64;
 				}
 			}
-			pthread_mutex_unlock(&tc_mutex);
+			_3proxy_mutex_unlock(&tc_mutex);
 		}
 	}
 	return res;
 }
 
-int checkACL(struct clientparam * param){
-	struct ace* acentry;
-
-	if(!param->srv->acl) {
-		return 0;
-	}
-	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
-		if(ACLmatches(acentry, param)) {
-			param->nolog = acentry->nolog;
-			param->weight = acentry->weight;
-			if(acentry->action == 2) {
-				struct ace dup;
-				int res=60,i=0;
-
-				if(param->operation < 256 && !(param->operation & CONNECT)){
-					continue;
-				}
-				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
-					continue;
-				}
-				if(param->remsock != INVALID_SOCKET) {
-					return 0;
-				}
-				for(; i < conf.parentretries; i++){
-					dup = *acentry;
-					res = handleredirect(param, &dup);
-					if(!res) break;
-					if(param->remsock != INVALID_SOCKET) so._closesocket(param->remsock);
-					param->remsock = INVALID_SOCKET;
-				}
-				return res;
-			}
-			return acentry->action;
-		}
-	}
-	return 3;
-}
-
-struct authcache {
-	char * username;
-	char * password;
-	time_t expires;
-#ifndef NOIPV6
-	struct sockaddr_in6 sa, sinsl;
-#else
-	struct sockaddr_in sa, sinsl;
-#endif
-	struct ace *acl;
-	struct authcache *next;
-} *authc = NULL;
-
 int cacheauth(struct clientparam * param){
-	struct authcache *ac, *last=NULL;
+	struct authcache ac;
+	uint32_t ttl;
 
-	pthread_mutex_lock(&hash_mutex);
-	for(ac = authc; ac; ){
-		if(ac->expires <= conf.time){
-			if(ac->username)myfree(ac->username);
-			if(ac->password)myfree(ac->password);
-			if(!last){
-				authc = ac->next;
-				myfree(ac);
-				ac = authc;
-			}
-			else {
-				last->next = ac->next;
-				myfree(ac);
-				ac = last->next;
-			}
-			continue;
-			
-		}
-		if(
-		 (!(conf.authcachetype&2) || (param->username && ac->username && !strcmp(ac->username, (char *)param->username))) &&
-		 (!(conf.authcachetype&4) || (ac->password && param->password && !strcmp(ac->password, (char *)param->password))) &&
-		 (!(conf.authcachetype&16) || (ac->acl == param->srv->acl))
-		) {
 
-			if(!(conf.authcachetype&1)
-				|| ((*SAFAMILY(&ac->sa) ==  *SAFAMILY(¶m->sincr) 
-				   && !memcmp(SAADDR(&ac->sa), SAADDR(¶m->sincr), SAADDRLEN(&ac->sa))))){
-
-				if(conf.authcachetype&32) {
-					param->sinsl = ac->sinsl;
-				}
-				if(param->username){
-					myfree(param->username);
-				}
-				param->username = (unsigned char *)mystrdup(ac->username);
-				pthread_mutex_unlock(&hash_mutex);
-				return 0;
-			}
-			else if ((conf.authcachetype&1) && (conf.authcachetype&8)) {
-				pthread_mutex_unlock(&hash_mutex);
-				return 10;
-			}
-		}
-		last = ac;
-		ac = ac->next;
+	if(
+	((conf.authcachetype & 2) && !param->username) ||
+	((conf.authcachetype & 4) && !param->password) ||
+	(
+	 (conf.authcachetype & 1) && *SAFAMILY(¶m->sincr) != AF_INET
+#ifndef NOIPv6
+	    && *SAFAMILY(¶m->sincr) != AF_INET6
+#endif
+	) || (!hashresolv(&auth_table, param, &ac, &ttl))) {
+	    return 4;
+	}
+	if((conf.authcachetype & 1) &&(conf.authcachetype & 8) &&
+	 (ac.sincr_family != *SAFAMILY(¶m->sincr) ||
+	 memcmp(ac.sincr_addr, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr))
+	)) {
+	    return 10;
 	}
 
-	pthread_mutex_unlock(&hash_mutex);
-	return 4;
+	if(!(conf.authcachetype&2) && *ac.username){
+	    if(param->username) free(param->username);
+	    param->username = (unsigned char *)strdup((char *)ac.username);
+	}
+	if((conf.authcachetype & 32)){
+	    memset(¶m->sinsl, 0, sizeof(param->sinsl));
+	    *(SAFAMILY(¶m->sinsl)) = ac.sinsl_family;
+	    memcpy(SAADDR(¶m->sinsl), ac.sinsl_addr, SAADDRLEN(¶m->sinsl));
+	}
+	return 0;
 }
 
 int doauth(struct clientparam * param){
 	int res = 0;
 	struct auth *authfuncs;
-	struct authcache *ac;
 	char * tmp;
 	int ret = 0;
 
@@ -823,51 +117,30 @@ int doauth(struct clientparam * param){
 				(res = (*authfuncs->authorize)(param)))
 					return res;
 			if(conf.authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(conf.authcachetype&4) || (!param->pwtype && param->password))){
-				pthread_mutex_lock(&hash_mutex);
-				for(ac = authc; ac; ac = ac->next){
-					if(
-					   (!(conf.authcachetype&2) || !strcmp(ac->username, (char *)param->username)) &&
-					   (!(conf.authcachetype&1) || (*SAFAMILY(&ac->sa) ==  *SAFAMILY(¶m->sincr) && !memcmp(SAADDR(&ac->sa), SAADDR(¶m->sincr), SAADDRLEN(&ac->sa))))  &&
-					   (!(conf.authcachetype&4) || (ac->password && !strcmp(ac->password, (char *)param->password))) &&
-					   (!(conf.authcachetype&16) || (ac->acl == param->srv->acl))
-					) {
-						ac->expires = conf.time + conf.authcachetime;
-						if(strcmp(ac->username, (char *)param->username)){
-							tmp = ac->username;
-							ac->username = mystrdup((char *)param->username);
-							myfree(tmp);
-						}
-						if((conf.authcachetype&4)){
-							tmp = ac->password;
-							ac->password = mystrdup((char *)param->password);
-							myfree(tmp);
-						}
-						ac->sa = param->sincr;
-						if(conf.authcachetype&32) {
-							ac->sinsl = param-> sinsl;
-							*SAPORT(&ac->sinsl) = 0;
-						}
+			    struct authcache ac={.username=""};
 
-						break;
-					}
-				}
-				if(!ac){
-					ac = myalloc(sizeof(struct authcache));
-					if(ac){
-						ac->expires = conf.time + conf.authcachetime;
-						ac->username = param->username?mystrdup((char *)param->username):NULL;
-						ac->sa = param->sincr;
-						ac->password = NULL;
-						if((conf.authcachetype&4) && param->password) ac->password = mystrdup((char *)param->password);
-						if(conf.authcachetype&32) {
-							ac->sinsl = param->sinsl;
-							*SAPORT(&ac->sinsl) = 0;
-						}
-					}
-					ac->next = authc;
-					authc = ac;
-				}
-				pthread_mutex_unlock(&hash_mutex);
+			    if(param->username) {
+				strncpy((char *)ac.username, (char *)param->username, 64);
+				ac.username[63] = 0;
+			    }
+			    if(*SAFAMILY(¶m->sincr) == AF_INET
+#ifndef NOIPv6
+				 || *SAFAMILY(¶m->sincr) == AF_INET6
+#endif
+			    ) {
+				ac.sincr_family = *SAFAMILY(¶m->sincr);
+				memcpy(ac.sincr_addr, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr));
+			    }
+
+			    if(*SAFAMILY(¶m->sinsl) == AF_INET
+#ifndef NOIPv6
+				 || *SAFAMILY(¶m->sinsl) == AF_INET6
+#endif
+			    ) {
+				ac.sinsl_family = *SAFAMILY(¶m->sinsl);
+				memcpy(ac.sinsl_addr, SAADDR(¶m->sinsl), SAADDRLEN(¶m->sinsl));
+			    }
+			    hashadd(&auth_table, param, &ac, conf.time + param->srv->authcachetime);
 			}
 			break;
 		}
@@ -875,9 +148,16 @@ int doauth(struct clientparam * param){
 		if(ret > 9) return ret;
 	}
 	if(!res){
-		return alwaysauth(param);
+		ret = alwaysauth(param);
+		if (param->afterauthfilters){
+		    FILTER_ACTION action;
+
+		    action = handleafterauthflt(param);
+		    if(action != PASS) return 19;
+		}
 	}
 
+
 	return ret;
 }
 
@@ -916,14 +196,14 @@ int dnsauth(struct clientparam * param){
 		sprintf(s, "ip6.arpa");
 	}
 	else {
-		u = ntohl(*(unsigned long *)SAADDR(¶m->sincr));
+		u = ntohl(*(uint32_t *)SAADDR(¶m->sincr));
 
-		sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", 
+		sprintf(buf, "%u.%u.%u.%u.in-addr.arpa",
 			((u&0x000000FF)),
 			((u&0x0000FF00)>>8),
 			((u&0x00FF0000)>>16),
 			((u&0xFF000000)>>24));
-	
+
 	}
 	if(!udpresolve(*SAFAMILY(¶m->sincr), (unsigned char *)buf, (unsigned char *)addr, NULL, param, 1)) {
 		return 3;
@@ -936,62 +216,46 @@ int dnsauth(struct clientparam * param){
 }
 
 int strongauth(struct clientparam * param){
-	struct passwords * pwl;
+	static char dummy;
 	unsigned char buf[256];
+	char pass[256] = {0};
 
-
-	if(!param->username) return 4;
-	pthread_mutex_lock(&pwl_mutex);
-	for(pwl = conf.pwl; pwl; pwl=pwl->next){
-		if(!strcmp((char *)pwl->user, (char *)param->username)) switch(pwl->pwtype) {
-			case CL:
-				if(!pwl->password || !*pwl->password){
-					break;
-				}
-				else if (!param->pwtype && param->password && !strcmp((char *)param->password, (char *)pwl->password)){
-					break;
-				}
-#ifndef NOCRYPT
-				else if (param->pwtype == 2 && param->password) {
-					ntpwdhash(buf, pwl->password, 0);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf+16, param->password+8, 24)) {
-						break;
-					}
-				}
+	if (!param->username) return 4;
+	if (!param->pwtype && param->password) {
+		if (pwl_table.ihashtable && hashresolv(&pwl_table, param->username, pass, NULL)) {
+			switch(pass[0]){
+			    case CL: {
+			    int pwlen = strlen((char *)param->password);
+			    if(pwlen > 255) pwlen = 255;
+			    if((unsigned)pwlen < pwl_table.recsize) {
+				if(!strncmp(pass + 1, (char *)param->password, pwl_table.recsize - 1)) return 0;
+			    } else {
+				blake2b_state S;
+				unsigned hashsz;
+				hashsz = pwl_table.recsize - 1 < 64 ? pwl_table.recsize - 1 : 64;
+				memset(buf, 0, pwl_table.recsize - 1);
+				blake2b_init(&S, hashsz);
+				blake2b_update(&S, param->password, pwlen + 1);
+				blake2b_final(&S, buf, hashsz);
+				if(!memcmp(pass + 1, buf, pwl_table.recsize - 1)) return 0;
+			    }
+			    return 6;
+			    }
+			    case CR:
+			    if (mycrypt(param->password, (unsigned char *)pass + 1, buf) &&
+			        !strcmp(pass + 1, (char *)buf))
+				return 0;
+			    else return 7;
+#ifdef WITH_SSL
+			    case NT:
+			    if(ntpwdhash(buf, param->password, 1) && !strcmp(pass + 1, (char *)buf)) return 0;
+			    else return 8;
 #endif
-				pthread_mutex_unlock(&pwl_mutex);
-				return 6;
-#ifndef NOCRYPT
-			case CR:
-				if(param->password && !param->pwtype && !strcmp((char *)pwl->password, (char *)mycrypt(param->password, pwl->password,buf))) {
-					break;
-				}
-				pthread_mutex_unlock(&pwl_mutex);
-				return 7;
-			case NT:
-				if(param->password && !param->pwtype && !memcmp(pwl->password, ntpwdhash(buf,param->password, 1), 32)) {
-					break;
-				}
-				else if (param->pwtype == 2){
-					fromhex(pwl->password, buf, 16);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf + 16, param->password+8, 24)) {
-						break;
-					}
-				}
-				pthread_mutex_unlock(&pwl_mutex);
-				return 8;
-#endif				
-			default:
-				pthread_mutex_unlock(&pwl_mutex);
-				return 999;
+			    default:
+			    break;
+			}
 		}
-		else continue;
-		pthread_mutex_unlock(&pwl_mutex);
-		return 0;
 	}
-	pthread_mutex_unlock(&pwl_mutex);
 	return 5;
 }
 
@@ -1004,530 +268,14 @@ struct auth authfuncs[] = {
 	{authfuncs+4, dnsauth, checkACL, "dnsname"},
 	{authfuncs+5, strongauth, checkACL, "strong"},
 	{authfuncs+6, cacheauth, checkACL, "cache"},
+	{authfuncs+7, cacheauth, NULL, "cacheacl"},
 #ifndef NORADIUS
 #define AUTHOFFSET 1
-	{authfuncs+7, radauth, checkACL, "radius"},
+	{authfuncs+8, radauth, checkACL, "radius"},
 #else
 #define AUTHOFFSET 0
 #endif
-	{authfuncs+7+AUTHOFFSET, NULL, NULL, "none"},
+	{authfuncs+8+AUTHOFFSET, NULL, NULL, "none"},
 	{NULL, NULL, NULL, ""}
 };
 
-
-
-struct hashtable dns_table = {0, 4, {0,0,0,0}, NULL, NULL, NULL};
-struct hashtable dns6_table = {0, 16, {0,0,0,0}, NULL, NULL, NULL};
-
-
-void nametohash(const unsigned char * name, unsigned char *hash, unsigned char *rnd){
-	unsigned i, j, k;
-	memcpy(hash, rnd, sizeof(unsigned)*4);
-	for(i=0, j=0, k=0; name[j]; j++){
-		hash[i] += (toupper(name[j]) - 32)+rnd[((toupper(name[j]))*29277+rnd[(k+j+i)%16]+k+j+i)%16];
-		if(++i == sizeof(unsigned)*4) {
-			i = 0;
-			k++;
-		}
-	}
-}
-
-unsigned hashindex(struct hashtable *ht, const unsigned char* hash){
-	unsigned t1, t2, t3, t4;
-	t1 = *(unsigned *)hash;
-	t2 = *(unsigned *)(hash + sizeof(unsigned));
-	t3 = *(unsigned *)(hash + (2*sizeof(unsigned)));
-	t4 = *(unsigned *)(hash + (3*sizeof(unsigned)));
-	return (t1 + (t2 * 7) + (t3 * 17) + (t4 * 29) ) % (ht->hashsize >> 2);
-}
-
-
-void destroyhashtable(struct hashtable *ht){
-	pthread_mutex_lock(&hash_mutex);
-	if(ht->hashtable){
-		myfree(ht->hashtable);
-		ht->hashtable = NULL;
-	}
-	if(ht->hashvalues){
-		myfree(ht->hashvalues);
-		ht->hashvalues = NULL;
-	}
-	ht->hashsize = 0;
-	pthread_mutex_unlock(&hash_mutex);
-}
-
-#define hvalue(I) ((struct hashentry *)((char *)ht->hashvalues + (I)*(sizeof(struct hashentry) + ht->recsize - 4)))
-int inithashtable(struct hashtable *ht, unsigned nhashsize){
-	unsigned i;
-	clock_t c;
-
-
-#ifdef _WIN32
-	struct timeb tb;
-
-	ftime(&tb);
-
-#else
-	struct timeval tb;
-	struct timezone tz;
-	gettimeofday(&tb, &tz);
-#endif
-	c = clock();
-
-	if(nhashsize<4) return 1;
-	pthread_mutex_lock(&hash_mutex);
-	if(ht->hashtable){
-		myfree(ht->hashtable);
-		ht->hashtable = NULL;
-	}
-	if(ht->hashvalues){
-		myfree(ht->hashvalues);
-		ht->hashvalues = NULL;
-	}
-	ht->hashsize = 0;
-	if(!(ht->hashtable = myalloc((nhashsize>>2) *  sizeof(struct hashentry *)))){
-		pthread_mutex_unlock(&hash_mutex);
-		return 2;
-	}
-	if(!(ht->hashvalues = myalloc(nhashsize * (sizeof(struct hashentry) + (ht->recsize-4))))){
-		myfree(ht->hashtable);
-		ht->hashtable = NULL;
-		pthread_mutex_unlock(&hash_mutex);
-		return 3;
-	}
-	ht->hashsize = nhashsize;
-	ht->rnd[0] = myrand(&tb, sizeof(tb));
-	ht->rnd[1] = myrand(ht->hashtable, sizeof(ht->hashtable));
-	ht->rnd[2] = myrand(&c, sizeof(c));
-	ht->rnd[3] = myrand(ht->hashvalues,sizeof(ht->hashvalues));
-	memset(ht->hashtable, 0, (ht->hashsize>>2) * sizeof(struct hashentry *));
-	memset(ht->hashvalues, 0, ht->hashsize * (sizeof(struct hashentry) + ht->recsize -4));
-
-	for(i = 0; i< (ht->hashsize - 1); i++) {
-		hvalue(i)->next = hvalue(i+1);
-	}
-	ht->hashempty = ht->hashvalues;
-	pthread_mutex_unlock(&hash_mutex);
-	return 0;
-}
-
-void hashadd(struct hashtable *ht, const unsigned char* name, unsigned char* value, time_t expires){
-        struct hashentry * hen, *he;
-        struct hashentry ** hep;
-
-	unsigned index;
-	
-	pthread_mutex_lock(&hash_mutex);
-	if(!ht||!value||!name||!ht->hashtable||!ht->hashempty) {
-		pthread_mutex_unlock(&hash_mutex);
-		return;
-	}
-	hen = ht->hashempty;
-	ht->hashempty = ht->hashempty->next;
-	nametohash(name, hen->hash, (unsigned char *)ht->rnd);
-	memcpy(hen->value, value, ht->recsize);
-	hen->expires = expires;
-	hen->next = NULL;
-	index = hashindex(ht, hen->hash);
-
-	for(hep = ht->hashtable + index; (he = *hep)!=NULL; ){
-		if(he->expires < conf.time || !memcmp(hen->hash, he->hash, sizeof(he->hash))) {
-			(*hep) = he->next;
-			he->expires = 0;
-			he->next = ht->hashempty;
-			ht->hashempty = he;
-		}
-		else hep=&(he->next);
-	}
-	hen->next = ht->hashtable[index];
-	ht->hashtable[index] = hen;
-	pthread_mutex_unlock(&hash_mutex);
-}
-
-unsigned long hashresolv(struct hashtable *ht, const unsigned char* name, unsigned char* value, unsigned *ttl){
-	unsigned char hash[sizeof(unsigned)*4];
-        struct hashentry ** hep;
-	struct hashentry *he;
-	unsigned index;
-
-	pthread_mutex_lock(&hash_mutex);
-	if(!ht || !ht->hashtable || !name) {
-		pthread_mutex_unlock(&hash_mutex);
-		return 0;
-	}
-	nametohash(name, hash, (unsigned char *)ht->rnd);
-	index = hashindex(ht, hash);
-	for(hep = ht->hashtable + index; (he = *hep)!=NULL; ){
-		if(he->expires < conf.time) {
-			(*hep) = he->next;
-			he->expires = 0;
-			he->next = ht->hashempty;
-			ht->hashempty = he;
-		}
-		else if(!memcmp(hash, he->hash, sizeof(unsigned)*4)){
-			if(ttl) *ttl = (unsigned)(he->expires - conf.time);
-			memcpy(value, he->value, ht->recsize);
-			pthread_mutex_unlock(&hash_mutex);
-			return 1;
-		}
-		else hep=&(he->next);
-	}
-	pthread_mutex_unlock(&hash_mutex);
-	return 0;
-}
-
-struct nserver nservers[MAXNSERVERS] = {{{0},0}, {{0},0}, {{0},0}, {{0},0}, {{0},0}};
-struct nserver authnserver;
-
-
-unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, unsigned *retttl, struct clientparam* param, int makeauth){
-
-	int i,n;
-	unsigned long retval;
-
-	if((af == AF_INET) && (retval = hashresolv(&dns_table, name, value, retttl))) {
-		return retval;
-	}
-	if((af == AF_INET6) && (retval = hashresolv(&dns6_table, name, value, retttl))) {
-		return retval;
-	}
-	n = (makeauth && !SAISNULL(&authnserver.addr))? 1 : numservers;
-	for(i=0; isinsl : &addr;
-		sinsr = (param && !makeauth)? ¶m->sinsr : &addr;
-		memset(sinsl, 0, sizeof(addr));
-		memset(sinsr, 0, sizeof(addr));
-		
-
-		if(makeauth && !SAISNULL(&authnserver.addr)){
-			usetcp = authnserver.usetcp;
-			*SAFAMILY(sinsl) = *SAFAMILY(&authnserver.addr);
-		}
-		else {
-			usetcp = nservers[i].usetcp;
-			*SAFAMILY(sinsl) = *SAFAMILY(&nservers[i].addr);
-		}
-		if((sock=so._socket(SASOCK(sinsl), usetcp?SOCK_STREAM:SOCK_DGRAM, usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) break;
-		if(so._bind(sock,(struct sockaddr *)sinsl,SASIZE(sinsl))){
-			so._shutdown(sock, SHUT_RDWR);
-			so._closesocket(sock);
-			break;
-		}
-		if(makeauth && !SAISNULL(&authnserver.addr)){
-			*sinsr = authnserver.addr;
-		}
-		else {
-			*sinsr = nservers[i].addr;
-		}
-		if(usetcp){
-			if(connectwithpoll(sock,(struct sockaddr *)sinsr,SASIZE(sinsr),CONNECT_TO)) {
-				so._shutdown(sock, SHUT_RDWR);
-				so._closesocket(sock);
-				break;
-			}
-#ifdef TCP_NODELAY
-			{
-				int opt = 1;
-				setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&opt, sizeof(opt));
-			}
-#endif
-		}
-		len = (int)strlen((char *)name);
-		
-		serial = myrand(name,len);
-		*(unsigned short*)buf = serial; /* query id */
-		buf[2] = 1; 			/* recursive */
-		buf[3] = 0;
-		buf[4] = 0;
-		buf[5] = 1;			/* 1 request */
-		buf[6] = buf[7] = 0;		/* no replies */
-		buf[8] = buf[9] = 0;		/* no ns count */
-		buf[10] = buf[11] = 0;		/* no additional */
-		if(len > 255) {
-			len = 255;
-		}
-		memcpy(buf + 13, name, len);
-		len += 13;
-		buf[len] = 0;
-		for(s2 = buf + 12; (s1 = (unsigned char *)strchr((char *)s2 + 1, '.')); s2 = s1)*s2 = (unsigned char)((s1 - s2) - 1);
-		*s2 = (len - (int)(s2 - buf)) - 1;
-		len++;
-		buf[len++] = 0;
-		buf[len++] = (makeauth == 1)? 0x0c : (af==AF_INET6? 0x1c:0x01);	/* PTR:host address */
-		buf[len++] = 0;
-		buf[len++] = 1;			/* INET */
-		if(usetcp){
-			buf-=2;
-			*(unsigned short*)buf = htons(len);
-			len+=2;
-		}
-
-		if(socksendto(sock, (struct sockaddr *)sinsr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
-			so._shutdown(sock, SHUT_RDWR);
-			so._closesocket(sock);
-			continue;
-		}
-		if(param) param->statscli64 += len;
-		len = sockrecvfrom(sock, (struct sockaddr *)sinsr, buf, 4096, conf.timeouts[DNS_TO]*1000);
-		so._shutdown(sock, SHUT_RDWR);
-		so._closesocket(sock);
-		if(len <= 13) {
-			continue;
-		}
-		if(param) param->statssrv64 += len;
-		if(usetcp){
-			unsigned short us;
-			us = ntohs(*(unsigned short*)buf);
-			len-=2;
-			buf+=2;
-			if(us > 4096 || us < len || (us > len && sockrecvfrom(sock, (struct sockaddr *)sinsr, buf+len, us-len, conf.timeouts[DNS_TO]*1000) != us-len)) {
-				continue;
-			}
-		}
-		if(*(unsigned short *)buf != serial)continue;
-		if((na = buf[7] + (((unsigned short)buf[6])<<8)) < 1) {
-			return 0;
-		}
-		nq = buf[5] + (((unsigned short)buf[4])<<8);
-		if (nq != 1) {
-			continue;			/* we did only 1 request */
-		}
-		for(k = 13; k= len) {
-			continue;
-		}
-		k += 4;
-		if(na > 255) na = 255;			/* somebody is very evil */
-		for (j = 0; j < na; j++) {		/* now there should be answers */
-			while(buf[k] < 192 && buf[k] !=0 && (k+buf[k]+14) < len) k+= (buf[k] + 1);
-			if(!buf[k]) k--;
-			if((k+(af == AF_INET6?28:16)) > len) {
-				break;
-			}
-			flen = buf[k+11] + (((unsigned short)buf[k+10])<<8);
-			if((k+12+flen) > len) {
-				break;
-			}
-			if(makeauth != 1){
-				if(buf[k+2] != 0 || buf[k+3] != (af == AF_INET6?0x1c:0x1) || flen != (af == AF_INET6?16:4)) {
-					k+= (12 + flen);
-					continue; 		/* we need A IPv4 */
-				}
-				ttl = ntohl(*(unsigned long *)(buf + k + 6));
-				memcpy(value, buf + k + 12, af == AF_INET6? 16:4);
-				if(ttl < 60 || ttl > (3600*12)) ttl = 300;
-				hashadd(af == AF_INET6?&dns6_table:&dns_table, name, value, conf.time+ttl);
-				if(retttl) *retttl = ttl;
-				return 1;
-			}
-			else {
-				
-				if(buf[k+2] != 0 || buf[k+3] != 0x0c) {
-					k+= (12 + flen);
-					continue; 		/* we need A PTR */
-				}
-				for (s2 = buf + k + 12; s2 < (buf + k + 12 + len) && *s2; ){
-					s1 = s2 + ((unsigned)*s2) + 1;
-					*s2 = '.';
-					s2 = s1;
-				}
-				*s2 = 0;
-				if(param->username)myfree(param->username);
-				param->username = (unsigned char *)mystrdup ((char *)buf + k + 13);
-				
-				return udpresolve(af,param->username, value, NULL, NULL, 2);
-			}
-		}
-	}
-	return 0;
-}
-
-unsigned long myresolver(int af, unsigned char * name, unsigned char * value){
- return udpresolve(af, name, value, NULL, NULL, 0);
-}
-
-unsigned long fakeresolver (int af, unsigned char *name, unsigned char * value){
- memset(value, 0, af == AF_INET6? 16 : 4);
- if(af == AF_INET6){
-	memset(value, 0, 16);
-	value[15] = 2;
- }
- else {
-	value[0] = 127;
-	value[1] = 0;
-	value[2] = 0;
-	value[3] = 2;
- }
- return 1;
-}
-
-#ifndef NOODBC
-
-SQLHENV  henv = NULL;
-SQLHSTMT hstmt = NULL;
-SQLHDBC hdbc = NULL;
-char * sqlstring = NULL;
-
-
-void close_sql(){
-	if(hstmt) {
-		SQLFreeHandle(SQL_HANDLE_STMT, hstmt);
-		hstmt = NULL;
-	}
-	if(hdbc){
-		SQLDisconnect(hdbc);
-		SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
-		hdbc = NULL;
-	}
-	if(henv) {
-		SQLFreeHandle(SQL_HANDLE_ENV, henv);
-		henv = NULL;
-	}
-}
-
-int attempt = 0;
-time_t attempt_time = 0;
-
-int init_sql(char * s){
-	SQLRETURN  retcode;
-	char * datasource;
-	char * username;
-	char * password;
-	char * string;
-
-	if(!s) return 0;
-	if(!sqlstring || strcmp(sqlstring, s)){
-		string = sqlstring;
-		sqlstring=mystrdup(s);
-		if(string)myfree(string);
-	}
-
-	if(hstmt || hdbc || henv) close_sql();
-	attempt++;
-	attempt_time = time(0);
-	if(!henv){
-		retcode = SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &henv);
-		if (!henv || (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO)){
-			henv = NULL;
-			return 0;
-		}
-		retcode = SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (void*)SQL_OV_ODBC3, 0); 
-
-		if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO) {
-			return 0;
-		}
-	}
-	if(!hdbc){
-		retcode = SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc); 
-		if (!hdbc || (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO)) {
-			hdbc = NULL;
-			SQLFreeHandle(SQL_HANDLE_ENV, henv);
-			henv = NULL;
-			return 0;
-		}
-	       	SQLSetConnectAttr(hdbc, SQL_LOGIN_TIMEOUT, (void*)15, 0);
-	}
-	string = mystrdup(sqlstring);
-	if(!string) return 0;
-	datasource = strtok(string, ",");
-	username = strtok(NULL, ",");
-	password = strtok(NULL, ",");
-	
-
-         /* Connect to data source */
-        retcode = SQLConnect(hdbc, (SQLCHAR*) datasource, (SQLSMALLINT)strlen(datasource),
-                (SQLCHAR*) username, (SQLSMALLINT)((username)?strlen(username):0),
-                (SQLCHAR*) password, (SQLSMALLINT)((password)?strlen(password):0));
-
-	myfree(string);
-	if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO){
-		SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
-		hdbc = NULL;
-		SQLFreeHandle(SQL_HANDLE_ENV, henv);
-		henv = NULL;
-		return 0;
-	}
-        retcode = SQLAllocHandle(SQL_HANDLE_STMT, hdbc, &hstmt); 
-        if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO){
-		close_sql();
-		return 0;
-	}
-	return 1;
-}
-
-void sqlerr (char *buf){
-	if(conf.stdlog){
-		fprintf(conf.stdlog, "%s\n", buf);
-		fflush(conf.stdlog);
-	}
-	pthread_mutex_unlock(&log_mutex);
-}
-
-unsigned char statbuf[8192];
-
-void logsql(struct clientparam * param, const unsigned char *s) {
-	SQLRETURN ret;
-	int len;
-
-
-	if(param->nolog) return;
-	pthread_mutex_lock(&log_mutex);
-	len = dobuf(param, statbuf, s, (unsigned char *)"\'");
-
-	if(attempt > 5){
-		time_t t;
-
-		t = time(0);
-		if (t - attempt_time < 180){
-			sqlerr((char *)statbuf);
-			return;
-		}
-	}
-	if(!hstmt){
-		if(!init_sql(sqlstring)) {
-			sqlerr((char *)statbuf);
-			return;
-		}
-	}
-	if(hstmt){
-		ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
-		if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
-			close_sql();
-			if(!init_sql(sqlstring)){
-				sqlerr((char *)statbuf);
-				return;
-			}
-			if(hstmt) {
-				ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
-				if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
-					sqlerr((char *)statbuf);
-					return;
-				}
-				attempt = 0;
-			}
-		}
-		attempt = 0;
-	}
-	pthread_mutex_unlock(&log_mutex);
-}
-
-#endif
diff --git a/src/authradius.c b/src/authradius.c
index 862e02d..bc41fe5 100644
--- a/src/authradius.c
+++ b/src/authradius.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2000-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2000-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -8,7 +8,7 @@
 
 #ifndef NORADIUS
 #include "proxy.h"
-#include "libs/md5.h"
+#include 
 
 #define AUTH_VECTOR_LEN         16
 #define MAX_STRING_LEN          254
@@ -72,6 +72,8 @@
 #define PW_ACCT_INPUT_PACKETS		47
 #define PW_ACCT_OUTPUT_PACKETS		48
 #define PW_ACCT_TERMINATE_CAUSE		49
+#define PW_ACCT_INPUT_GIGAWORDS		52
+#define PW_ACCT_OUTPUT_GIGAWORDS	53
 
 #define PW_EVENT_TIMESTAMP		55
 
@@ -166,7 +168,7 @@ static int ntry = 0;
 int nradservers = 0;
 char radiussecret[64]="";
 
-pthread_mutex_t rad_mutex;
+_3proxy_mutex_t rad_mutex;
 
 void md5_calc(unsigned char *output, unsigned char *input,
 		     unsigned int inputlen);
@@ -183,14 +185,25 @@ char *strNcpy(char *dest, const char *src, int n)
 	return dest;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+extern EVP_MD *md4_hash;
+extern EVP_MD *md5_hash;
+#endif
+
+
 void md5_calc(unsigned char *output, unsigned char *input,
 		     unsigned int inlen)
 {
-	MD5_CTX	context;
-
-	MD5Init(&context);
-	MD5Update(&context, input, inlen);
-	MD5Final(output, &context);
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+	unsigned int len = 0;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_DigestInit_ex(ctx, md5_hash, NULL);
+#else
+	EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+#endif
+	EVP_DigestUpdate(ctx, input, inlen);
+	EVP_DigestFinal_ex(ctx, output, &len);
+	EVP_MD_CTX_free(ctx);
 }
 
 
@@ -306,11 +319,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 	int total_length;
 	int len;
 	int op;
-#ifdef NOIPV6
-	struct  sockaddr_in     saremote;
-#else
-	struct  sockaddr_in6     saremote;
-#endif
+	PROXYSOCKADDRTYPE     saremote;
 	struct pollfd fds[1];
 	char vector[AUTH_VECTOR_LEN];
 	radius_packet_t packet, rpacket;
@@ -324,18 +333,18 @@ int radsend(struct clientparam * param, int auth, int stop){
 	char buf[64];
 
 
-	if(!radiussecret || !nradservers) {
+	if(!nradservers) {
 		return 4;
 	}
 
 	memset(&packet, 0, sizeof(packet));
 
 
-	pthread_mutex_lock(&rad_mutex);
+	_3proxy_mutex_lock(&rad_mutex);
 	if(auth)random_vector(packet.vector, param);
 
 	id = ((ntry++) & 0xff);
-	pthread_mutex_unlock(&rad_mutex);
+	_3proxy_mutex_unlock(&rad_mutex);
 
 	packet.code = auth?PW_AUTHENTICATION_REQUEST:PW_ACCOUNTING_REQUEST;
 	packet.id=id;
@@ -368,7 +377,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 	/* NAS-Port */
 	*ptr++ =  PW_NAS_PORT_ID;
 	*ptr++ = 6;
-	(*(uint32_t *)ptr)=htonl((uint32_t)ntohs((*SAPORT(¶m->srv->intsa))));
+	(*(uint32_t *)ptr)=htonl(param->srv?(uint32_t)ntohs((*SAPORT(¶m->srv->intsa))):0);
 	ptr+=4;
 	total_length+=6;
 
@@ -391,7 +400,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 	/* NAS-Identifier */
 	if(conf.stringtable){
 		*ptr++ = PW_NAS_IDENTIFIER;
-		len = strlen(conf.stringtable[SERVICES+param->service]);
+		len = strlen((char *)conf.stringtable[SERVICES+param->service]);
 		*ptr++ = (2 + len);
 		memcpy(ptr, conf.stringtable[SERVICES+param->service], len);
 		ptr += len;
@@ -416,7 +425,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 	/* Called-Station-ID */
 	if(param->hostname){
 		*ptr++ = PW_CALLED_STATION_ID;
-		len = strlen(param->hostname);
+		len = strlen((char *)param->hostname);
 		*ptr++ = (2 + len);
 		memcpy(ptr, param->hostname, len);
 		ptr += len;
@@ -424,20 +433,18 @@ int radsend(struct clientparam * param, int auth, int stop){
 	}
 
 	/* Login-Service */
-	op = param->operation;
-	for(len=0; op; len++)op>>=1;
 	*ptr++ =  PW_LOGIN_SERVICE;
-	*ptr++ = 4;
-	(*(uint16_t *)ptr)=htons((uint16_t)(len + 1000));
-	ptr+=2;
-	total_length+=4;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl(param->operation<<8);
+	ptr+=4;
+	total_length+=6;
 
 	/* Login-TCP-Port */
 	*ptr++ =  PW_LOGIN_TCP_PORT;
-	*ptr++ = 4;
-	(*(uint16_t *)ptr)=*SAPORT(¶m->req);
-	ptr+=2;
-	total_length+=4;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl((uint32_t)ntohs((*SAPORT(¶m->req))));
+	ptr+=4;
+	total_length+=6;
 
 
 	if(*SAFAMILY(¶m->req) == AF_INET6){
@@ -458,7 +465,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 
 	/* Username */
 	if(param->username){
-	    len = strlen(param->username);
+	    len = strlen((char *)param->username);
 	    if(len>128)len=128;
 	    *ptr++ = PW_USER_NAME;
 	    *ptr++ = len + 2;
@@ -474,12 +481,28 @@ int radsend(struct clientparam * param, int auth, int stop){
 		(*(uint32_t *)ptr)=htonl((uint32_t)param->statssrv64);
 		ptr+=4;
 		total_length+=6;
+		/* Acct-Input-Gigawords */
+		if(param->statssrv64 > 0xFFFFFFFFULL){
+			*ptr++ = PW_ACCT_INPUT_GIGAWORDS;
+			*ptr++ = 6;
+			(*(uint32_t *)ptr)=htonl((uint32_t)(param->statssrv64 >> 32));
+			ptr+=4;
+			total_length+=6;
+		}
 		/* Acct-Output-Octets */
 		*ptr++ =  PW_ACCT_OUTPUT_OCTETS;
 		*ptr++ = 6;
 		(*(uint32_t *)ptr)=htonl((uint32_t)param->statscli64);
 		ptr+=4;
 		total_length+=6;
+		/* Acct-Output-Gigawords */
+		if(param->statscli64 > 0xFFFFFFFFULL){
+			*ptr++ = PW_ACCT_OUTPUT_GIGAWORDS;
+			*ptr++ = 6;
+			(*(uint32_t *)ptr)=htonl((uint32_t)(param->statscli64 >> 32));
+			ptr+=4;
+			total_length+=6;
+		}
 		/* Acct-Input-Packets */
 		*ptr++ =  PW_ACCT_INPUT_PACKETS;
 		*ptr++ = 6;
@@ -501,12 +524,12 @@ int radsend(struct clientparam * param, int auth, int stop){
 	}
 	
 	if(auth && param->password){
-    	    len = strlen(param->password);
+    	    len = strlen((char *)param->password);
 	    if(len > 128) len = 128;
 	    *ptr++ = PW_PASSWORD;
 	    ptr++;
 	    memcpy(ptr, param->password, len);
-	    rad_pwencode(ptr,
+	    rad_pwencode((char *)ptr,
 		     &len,
 		     radiussecret, 
 		     (char *)packet.vector);
@@ -543,8 +566,8 @@ int radsend(struct clientparam * param, int auth, int stop){
 /*
 		if(auth) {
 */
-			if(sockfd >= 0) so._closesocket(sockfd);
-			if ((sockfd = so._socket(SASOCK(&saremote), SOCK_DGRAM, 0)) < 0) {
+			if(sockfd >= 0) so._closesocket(so.state, sockfd);
+			if ((sockfd = so._socket(so.state, SASOCK(&saremote), SOCK_DGRAM, 0)) < 0) {
 			    return 4;
 			}
 			remsock = sockfd;
@@ -552,8 +575,8 @@ int radsend(struct clientparam * param, int auth, int stop){
 		}
 		else remsock = radiuslist[loop].logsock;
 */
-		so._bind(param->remsock,(struct sockaddr *)&radiuslist[loop].localaddr,SASIZE(&radiuslist[loop].localaddr));
-		len = so._sendto(remsock, (char *)&packet, total_length, 0,
+		so._bind(so.state, remsock,(struct sockaddr *)&radiuslist[loop].localaddr,SASIZE(&radiuslist[loop].localaddr));
+		len = so._sendto(so.state, remsock, (char *)&packet, total_length, 0,
 		      (struct sockaddr *)&saremote, sizeof(saremote));
 		if(len != ntohs(packet.length)){
 			continue;
@@ -562,13 +585,13 @@ int radsend(struct clientparam * param, int auth, int stop){
 	        memset(fds, 0, sizeof(fds));
 	        fds[0].fd = remsock;
 	        fds[0].events = POLLIN;
-		if(so._poll(fds, 1, conf.timeouts[SINGLEBYTE_L]*1000) <= 0) {
+		if(so._poll(so.state, fds, 1, conf.timeouts[SINGLEBYTE_L]*1000) <= 0) {
 			continue;
 		}
 
 		salen = sizeof(saremote);
 				
-		data_len = so._recvfrom(remsock, (char *)&rpacket, sizeof(packet)-16,
+		data_len = so._recvfrom(so.state, remsock, (char *)&rpacket, sizeof(packet)-16,
 			0, (struct sockaddr *)&saremote, &salen);
 
 
@@ -584,7 +607,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 			continue;
 		}
 
-		if (calc_replydigest((char *)&rpacket, packet.vector, radiussecret,
+		if (calc_replydigest((char *)&rpacket, (char *)packet.vector, radiussecret,
 			data_len) ){
 			continue;
 		}
@@ -612,7 +635,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 			if(!vendor && attr[0] == PW_VENDOR_SPECIFIC) {
 				if (attr[1] < 6 || count < 6) RETURN(4);
 				vendorlen = attr[1]-6;
-				vendor = htonl(*((int*)(attr +2)));
+				vendor = htonl(*((uint32_t *)(attr +2)));
 				count -= 6;
 				attr += 6;
 				continue;
@@ -650,13 +673,16 @@ int radsend(struct clientparam * param, int auth, int stop){
 		res = 4;
 	}
 CLEANRET:
-	if(sockfd >= 0) so._closesocket(sockfd);
+	if(sockfd >= 0) so._closesocket(so.state, sockfd);
 	return res;
 }
 
 int radauth(struct clientparam * param){
+	int res;
 	/*radsend(param, 0, 0);*/
-	return radsend(param, 1, 0);
+	res = radsend(param, 1, 0);
+	if(!res && param->srv->logfunc == logradius)radsend(param, 0, 0);
+	return res;
 }
 
 void logradius(struct clientparam * param, const unsigned char *s) {
diff --git a/src/auto.c b/src/auto.c
new file mode 100644
index 0000000..91025c2
--- /dev/null
+++ b/src/auto.c
@@ -0,0 +1,36 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+
+void * autochild(struct clientparam* param) {
+    int len;
+
+    if(!param->clibuf){
+	if(!(param->clibuf = malloc(SRVBUFSIZE))) return 0;
+	param->clibufsize = SRVBUFSIZE;
+	param->clioffset = param->cliinbuf = 0;
+    }
+    len = sockfillbuffcli(param, 1, CONNECTION_S);
+    if (len != 1){
+	param->res = 801;
+	dolog(param, (unsigned char *)"");
+    }
+    if(*param->clibuf == 4 || *param->clibuf == 5) {
+	param->service = S_SOCKS;
+	return sockschild(param);
+    }
+    if(*param->clibuf == 22) {
+	param->service = S_TLSPR;
+	return tlsprchild(param);
+    }
+    param->service = S_PROXY;
+    return proxychild(param);
+}
+
diff --git a/src/base64.c b/src/base64.c
index e6d0295..e1cfd4f 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -1,5 +1,5 @@
 /*
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
diff --git a/src/common.c b/src/common.c
index 001a4a7..38159d7 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -22,10 +22,15 @@ int randomizer = 1;
 
 
  void daemonize(void){
-	if(fork() > 0) {
+	pid_t pid = fork();
+	if(pid > 0) {
 		usleep(SLEEPTIME);
 		_exit(0); 
 	}
+	if(pid < 0) {
+		perror("fork()");
+		return;
+	}
 	setsid();
  }
 
@@ -33,42 +38,44 @@ int randomizer = 1;
 
 unsigned char **stringtable = NULL;
 
-#ifdef WITH_LINUX_FUTEX
-int sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
-{
-	return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
-}
-int mutex_lock(int *val)
-{
-	int c;
-	if ((c = __sync_val_compare_and_swap(val, 0, 1)) != 0)
-		do {
-			if(c == 2 || __sync_val_compare_and_swap(val, 1, 2) != 0)
-				sys_futex(val, FUTEX_WAIT_PRIVATE, 2, NULL, NULL, 0);
-		} while ((c = __sync_val_compare_and_swap(val, 0, 2)) != 0);
-	
-	return 0;
-}
-
-int mutex_unlock(int *val)
-{
-	if(__sync_fetch_and_sub (val, 1) != 1){
-		*val = 0;
-		sys_futex(val, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
-	}
-	
-	
-	return 0;
+#ifdef WITH_UN
+void make_un(const unsigned char *path, struct sockaddr_un * sun){
+        memset(sun, 0, sizeof(*sun));
+        sun->sun_family = AF_UNIX;
+        strncpy(sun->sun_path, (char *)path, sizeof(sun->sun_path) - 1);
+        if(*path == '@')*sun->sun_path = 0;
 }
 #endif
 
+
 int myinet_ntop(int af, void *src, char *dst, socklen_t size){
+#ifdef WITH_UN
+ if(af == AF_UNIX){
+	struct sockaddr_un *sun = (struct sockaddr_un *)src;
+	int ephemeral = 0;
+	char *path = sun->sun_path;
+	char *basename;
+	if(!path[0] && path[1]){
+	    ephemeral = 1;
+	    *dst++ = '@';
+	    path++;
+	}
+	basename  = strrchr(path, '/');
+	if(basename) basename++;
+	else basename = path;
+	if(size > 0){
+		strncpy(dst, basename, (size > 40) ? 40 : size - (ephemeral + 1));
+		dst[((size > 40) ? 40 : size - (ephemeral + 1))] = 0;
+	}
+	return (int)strlen(dst);
+ }
+#endif
 #ifndef NOIPV6
  if(af != AF_INET6){
-#endif 
+#endif
 	unsigned u = ntohl(((struct in_addr *)src)->s_addr);
- 	return sprintf(dst, "%u.%u.%u.%u", 
-		((u&0xFF000000)>>24), 
+ 	return sprintf(dst, "%u.%u.%u.%u",
+		((u&0xFF000000)>>24),
 		((u&0x00FF0000)>>16),
 		((u&0x0000FF00)>>8),
 		((u&0x000000FF)));
@@ -77,7 +84,7 @@ int myinet_ntop(int af, void *src, char *dst, socklen_t size){
  *dst = 0;
  inet_ntop(af, src, dst, size);
  return (int)strlen(dst);
-#endif 
+#endif
 }
 
 char *rotations[] = {
@@ -92,43 +99,89 @@ char *rotations[] = {
 };
 
 
-struct extparam conf = {
-	{1, 5, 30, 60, 180, 1800, 15, 60, 15, 5, 0, 0},
-	NULL,
-	NULL,
-	NULL, NULL,
-	NULL,
-	NULL,
-	NULL,
+int timeouts[12] = {
+	1,    /* SINGLEBYTE_S */
+	5,    /* SINGLEBYTE_L */
+	30,   /* STRING_S */
+	60,   /* STRING_L */
+	180,  /* CONNECTION_S */
+	1800, /* CONNECTION_L */
+	15,   /* DNS_TO */
+	60,   /* CHAIN_TO */
+	15,   /* CONNECT_TO */
+	5,    /* CONNBACK_TO */
 	0,
-	0, -1, 0, 0, 0, 0, 
-	0, 500, 0, 0, 0, 0, 0, 2,
-	6, 600,
-	1048576,
-	NULL, NULL,
-	NONE, NONE,
-	NULL,
-#ifndef NOIPV6
-	{AF_INET},{AF_INET6},{AF_INET}, 
+	0
+};
+
+struct extparam conf = {
+#ifdef _WIN32
+	.threadinit = NULL,
 #else
-	{AF_INET},{AF_INET}, 
+	.threadinit = 0,
 #endif
-	NULL,
-	NULL,
-	doconnect,
-	lognone,
-	NULL,
-	NULL,
-	NULL, NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	(time_t)0, (time_t)0,
-	0,0,
-	'@',
+	.timeouts = timeouts,
+	.acl = NULL,
+	.conffile = NULL,
+	.bandlimiter = NULL,
+	.bandlimiterout = NULL,
+	.connlimiter = NULL,
+	.trafcounter = NULL,
+	.services = NULL,
+	.stacksize = 0,
+	.counterd = -1,
+	.haveerror = 0,
+	.rotate = 0,
+	.paused = 0,
+	.archiverc = 0,
+	.demon = 0,
+	.maxchild = 500,
+	.backlog = 0,
+	.needreload = 0,
+	.timetoexit = 0,
+	.version = 0,
+	.noforce = 0,
+	.bandlimver = 0,
+	.parentretries = 2,
+	.authcachetype = 6,
+	.authcachetime = 600,
+	.filtermaxsize = 1048576,
+	.gracetraf = 0,
+	.gracenum = 0,
+	.gracedelay = 0,
+	.maxseg = 0,
+	.logname = NULL,
+	.archiver = NULL,
+	.logtype = NONE,
+	.countertype = NONE,
+	.counterfile = NULL,
+#ifndef NOIPV6
+	.intsa = {AF_INET},
+	.extsa6 = {AF_INET6},
+	.extsa = {AF_INET},
+#else
+	.intsa = {AF_INET},
+	.extsa = {AF_INET},
+#endif
+	.pwl = NULL,
+	.authenticate = NULL,
+	.authfunc = doconnect,
+	.logfunc = lognone,
+	.bandlimfunc = NULL,
+	.trafcountfunc = NULL,
+	.logtarget = NULL,
+	.logformat = NULL,
+	.fmon = NULL,
+	.filters = NULL,
+	.authfuncs = NULL,
+	.stdlog = NULL,
+	.demanddialprog = NULL,
+	.stringtable = NULL,
+	.logtime = (time_t)0,
+	.time = (time_t)0,
+	.logdumpsrv = 0,
+	.logdumpcli = 0,
+	.delimchar = '@',
 };
 
 int numservers=0;
@@ -171,6 +224,7 @@ int
 	FD_ZERO(&writefd);
 	FD_ZERO(&oobfd);
 	for(i=0; i= FD_SETSIZE) continue;
 		if((fds[i].events&POLLIN))FD_SET(fds[i].fd, &readfd);
 		if((fds[i].events&POLLOUT))FD_SET(fds[i].fd, &writefd);
 		if((fds[i].events&POLLPRI))FD_SET(fds[i].fd, &oobfd);
@@ -179,6 +233,7 @@ int
 	}
 	if((num = select(((int)(maxfd))+1, &readfd, &writefd, &oobfd, &tv)) < 1) return num;
 	for(i=0; i= FD_SETSIZE) continue;
 		if(FD_ISSET(fds[i].fd, &readfd)) fds[i].revents |= POLLIN;
 		if(FD_ISSET(fds[i].fd, &writefd)) fds[i].revents |= POLLOUT;
 		if(FD_ISSET(fds[i].fd, &oobfd)) fds[i].revents |= POLLPRI;
@@ -188,35 +243,142 @@ int
 #endif
 #endif
 
-struct sockfuncs so = {
-	socket,
-	accept,
-	bind,
-	listen,
-	connect,
-	getpeername,
-	getsockname,
-	getsockopt,
-	setsockopt,
+
+#ifdef _WIN32
+    SOCKET WINAPI def_socket(void* state, int domain, int type, int protocol){
+        return socket(domain, type, protocol);
+    }
+    SOCKET WINAPI def_accept(void* state, SOCKET s, struct sockaddr * addr, int * addrlen){
+	return accept(s, addr, addrlen);
+    }
+    int WINAPI def_bind(void* state, SOCKET s, const struct sockaddr *addr, int addrlen){
+	return bind(s, addr, addrlen);
+    }
+    int WINAPI def_listen(void* state, SOCKET s, int backlog){
+	return listen(s, backlog);
+    }
+    int WINAPI def_connect(void* state, SOCKET s, const struct sockaddr *name, int namelen){
+	return connect(s, name, namelen);
+    }
+    int WINAPI def_getpeername(void* state, SOCKET s, struct sockaddr * name, int * namelen){
+	return getpeername(s, name, namelen);
+    }
+    int WINAPI def_getsockname(void* state, SOCKET s, struct sockaddr * name, int * namelen){
+	return 	getsockname(s, name, namelen);
+    }
+    int WINAPI def_getsockopt(void* state, SOCKET s, int level, int optname, char * optval, int * optlen){
+	return getsockopt(s, level, optname, optval, optlen);
+    }
+    int WINAPI def_setsockopt(void* state, SOCKET s, int level, int optname, const char *optval, int optlen){
+	return setsockopt(s, level, optname, optval, optlen);
+    }
+    int WINAPI def_poll(void* state, struct pollfd *fds, unsigned int nfds, int timeout){
 #ifndef WITH_POLL
 #ifndef WITH_WSAPOLL
-	mypoll,
+	return mypoll(fds, nfds, timeout);
 #else
-	WSAPoll,
+	return WSAPoll(fds, nfds, timeout);
 #endif
 #else
-	poll,
+	return poll(fds, nfds, timeout);
 #endif
-	(void *)send,
-	(void *)sendto,
-	(void *)recv,
-	(void *)recvfrom,
-	shutdown,
-#ifdef _WIN32
-	closesocket
+    }
+    int WINAPI def_send(void* state, SOCKET s, const char *msg, int len, int flags){
+	return send(s, msg, len, flags);
+    }
+    int WINAPI def_sendto(void* state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen){
+        return sendto(s, msg, len, flags, to, tolen);
+    }
+        
+    int WINAPI def_recv(void* state, SOCKET s, char *buf, int len, int flags){
+	return recv(s, buf, len, flags);
+    }
+    int WINAPI def_recvfrom(void* state, SOCKET s, char * buf, int len, int flags, struct sockaddr * from, int * fromlen){
+	return recvfrom(s, buf, len, flags, from, fromlen);
+    }
+    int WINAPI def_shutdown(void* state, SOCKET s, int how){
+	return shutdown(s, how);
+    }
+    int WINAPI def_closesocket(void* state, SOCKET s){
+	usleep(SLEEPTIME);
+	return closesocket(s);
+    }
 #else
-	close
+    SOCKET def_socket(void* state, int domain, int type, int protocol){
+        return socket(domain, type, protocol);
+    }
+    SOCKET def_accept(void* state, SOCKET s, struct sockaddr * addr, socklen_t* addrlen){
+	return accept(s, addr, addrlen);
+    }
+    int def_bind(void* state, SOCKET s, const struct sockaddr *addr, socklen_t addrlen){
+	return bind(s, addr, addrlen);
+    }
+    int def_getpeername(void* state, SOCKET s, struct sockaddr * name, socklen_t* namelen){
+	return getpeername(s, name, namelen);
+    }
+    int def_getsockname(void* state, SOCKET s, struct sockaddr * name, socklen_t* namelen){
+	return 	getsockname(s, name, namelen);
+    }
+    int def_listen(void* state, SOCKET s, int backlog){
+	return listen(s, backlog);
+    }
+    int def_connect(void* state, SOCKET s, const struct sockaddr *name, socklen_t namelen){
+	return connect(s, name, namelen);
+    }
+    int def_getsockopt(void* state, SOCKET s, int level, int optname, void * optval, socklen_t * optlen){
+	return getsockopt(s, level, optname, optval, optlen);
+    }
+    int def_setsockopt(void* state, int s, int level, int optname, const void *optval, socklen_t optlen){
+	return setsockopt(s, level, optname, optval, optlen);
+    }
+
+    int def_poll(void* state, struct pollfd *fds, nfds_t nfds, int timeout){
+#ifndef WITH_POLL
+	return mypoll(fds, nfds, timeout);
+#else
+	return poll(fds, nfds, timeout);
 #endif
+    }
+
+    ssize_t def_send(void* state, SOCKET s, const void *msg, size_t len, int flags){
+	return send(s, msg, len, flags);
+    }
+    ssize_t def_sendto(void* state, SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, socklen_t tolen){
+	return sendto(s, msg, len, flags, to, tolen);
+    }
+    ssize_t def_recv(void* state, SOCKET s, void *buf, size_t len, int flags){
+	return recv(s, buf, len, flags);
+    }
+    ssize_t def_recvfrom(void* state, SOCKET s, void * buf, size_t len, int flags, struct sockaddr * from, socklen_t* fromlen){
+	return recvfrom(s, buf, len, flags, from, fromlen);
+    }
+    int def_shutdown(void* state, SOCKET s, int how){
+	return shutdown(s, how);
+    }
+    int def_closesocket(void* state, SOCKET s){
+	return close(s);
+    }
+#endif
+
+struct sockfuncs so = {
+	NULL,
+	NULL,
+	def_socket,
+	def_accept,
+	def_bind,
+	def_listen,
+	def_connect,
+	def_getpeername,
+	def_getsockname,
+	def_getsockopt,
+	def_setsockopt,
+	def_poll,
+	def_send,
+	def_sendto,
+	def_recv,
+	def_recvfrom,
+	def_shutdown,
+	def_closesocket
 };
 
 #ifdef _WINCE
@@ -268,7 +430,7 @@ int ceparseargs(const char *str){
 
 int parsehost(int family, unsigned char *host, struct sockaddr *sa){
 	char *sp=NULL,*se=NULL;
-	unsigned short port=0;
+	uint16_t port=0;
 	int ret = 0;
 
 	if(!host) return 2;
@@ -287,7 +449,7 @@ int parsehost(int family, unsigned char *host, struct sockaddr *sa){
 	return ret;
 }
 
-int parsehostname(char *hostname, struct clientparam *param, unsigned short port){
+int parsehostname(char *hostname, struct clientparam *param, uint16_t port){
 	char *sp=NULL,*se=NULL;
 	int ret = 0;
 
@@ -301,8 +463,8 @@ int parsehostname(char *hostname, struct clientparam *param, unsigned short port
 		*se = 0;
 	}
 	if(hostname != (char *)param->hostname){
-		if(param->hostname) myfree(param->hostname);
-		param->hostname = (unsigned char *)mystrdup(hostname + (se!=0));
+		if(param->hostname) free(param->hostname);
+		param->hostname = (unsigned char *)strdup(hostname + (se!=0));
 	}
 	if(sp){
 		port = atoi(sp+1);
@@ -324,12 +486,12 @@ int parseusername(char *username, struct clientparam *param, int extpasswd){
 		*se = 0;
 		if(sp) *sp = 0;
 		if(*(sb+1)) {
-			if(param->password) myfree(param->password);
-			param->password = (unsigned char *)mystrdup(sb+1);
+			if(param->password) free(param->password);
+			param->password = (unsigned char *)strdup(sb+1);
 		}
 		if(*username) {
-			if(param->username) myfree(param->username);
-			param->username = (unsigned char *)mystrdup(username);
+			if(param->username) free(param->username);
+			param->username = (unsigned char *)strdup(username);
 		}
 		username = se+1;
 	 }
@@ -337,19 +499,19 @@ int parseusername(char *username, struct clientparam *param, int extpasswd){
 		if(!sp) sp = strchr(username, ':');
 		if(sp){
 			*sp = 0;
-			if(param->extpassword) myfree(param->extpassword);
-			param->extpassword = (unsigned char *) mystrdup(sp+1);
+			if(param->extpassword) free(param->extpassword);
+			param->extpassword = (unsigned char *) strdup(sp+1);
 		}
 	}
-	if(param->extusername) myfree(param->extusername);
-	param->extusername = (unsigned char *)mystrdup(username);
+	if(param->extusername) free(param->extusername);
+	param->extusername = (unsigned char *)strdup(username);
 	if(sb) *sb = ':';
 	if(se) *se = ':';
 	if(sp) *sp = ':';
 	return 0;
 }
 
-int parseconnusername(char *username, struct clientparam *param, int extpasswd, unsigned short port){
+int parseconnusername(char *username, struct clientparam *param, int extpasswd, uint16_t port){
 	char *sb, *se;
 	if(!username || !*username) return 1;
         if ((sb=strchr(username, conf.delimchar)) == NULL){
@@ -366,7 +528,7 @@ int parseconnusername(char *username, struct clientparam *param, int extpasswd,
 }
 
 
-int connectwithpoll(SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to){
+int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to){
 		struct pollfd fds[1];
 #ifdef _WIN32
 		unsigned long ul = 1;
@@ -374,14 +536,15 @@ int connectwithpoll(SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to){
 #else
 		fcntl(sock,F_SETFL, O_NONBLOCK | fcntl(sock,F_GETFL));
 #endif
-		if(so._connect(sock,sa,size)) {
-			if(errno != EAGAIN && errno != EINPROGRESS) return (13);
+		if(param?param->srv->so._connect(param->sostate, sock,sa,size) : so._connect(so.state, sock,sa,size)) {
+			if(errno != EAGAIN && errno != EINPROGRESS) return 13;
 		}
+		if(!errno) return 0;
 	        memset(fds, 0, sizeof(fds));
 	        fds[0].fd = sock;
 	        fds[0].events = POLLOUT;
-		if(so._poll(fds, 1, to*1000) <= 0) {
-			return (13);
+		if((param?param->srv->so._poll(param->sostate, fds, 1, to*1000):so._poll(so.state, fds, 1, to*1000)) <= 0 || !(fds[0].revents & POLLOUT) || (fds[0].revents & (POLLERR|POLLHUP))) {
+			return 13;
 		}
 		return 0;
 }
@@ -394,11 +557,12 @@ int doconnect(struct clientparam * param){
  if (*SAFAMILY(¶m->sincl) == *SAFAMILY(¶m->req) && !memcmp(SAADDR(¶m->sincl), SAADDR(¶m->req), SAADDRLEN(¶m->req)) &&
 	*SAPORT(¶m->sincl) == *SAPORT(¶m->req)) return 519;
 
- if (param->operation == ADMIN || param->operation == DNSRESOLVE || param->operation == BIND || param->operation == UDPASSOC)
+ if (param->operation == ADMIN || (( param->operation == DNSRESOLVE || param->operation == BIND || param->operation == UDPASSOC) && !param->redirected))
 	return 0;
  if (param->remsock != INVALID_SOCKET){
+	if(param->operation == UDPASSOC) return 0;
 	size = sizeof(param->sinsr);
-	if(so._getpeername(param->remsock, (struct sockaddr *)¶m->sinsr, &size)==-1) {return (14);}
+	if(param->srv->so._getpeername(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsr, &size)==-1) {return (14);}
  }
  else {
 	struct linger lg = {1,conf.timeouts[SINGLEBYTE_S]};
@@ -411,31 +575,17 @@ int doconnect(struct clientparam * param){
 		memcpy(SAADDR(¶m->sinsr), SAADDR(¶m->req), SAADDRLEN(¶m->req)); 
 	}
 	if(!*SAPORT(¶m->sinsr))*SAPORT(¶m->sinsr) = *SAPORT(¶m->req);
-	if ((param->remsock=so._socket(SASOCK(¶m->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
-	setopts(param->remsock, param->srv->srvsockopts);
-
-	so._setsockopt(param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
-#ifdef REUSE
-	{
-		int opt;
-
-#ifdef SO_REUSEADDR
-		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
-#endif
-#ifdef SO_REUSEPORT
-		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
-#endif
-	}
-#endif
-#ifdef SO_BINDTODEVICE
-	if(param->srv->obindtodevice) {
-		if(so._setsockopt(param->remsock, SOL_SOCKET, SO_BINDTODEVICE, param->srv->obindtodevice, strlen(param->srv->obindtodevice) + 1))
-			return 12;
-	}
+	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(¶m->sinsr), SOCK_STREAM, 
+#ifdef WITH_UN
+	    *SAFAMILY(¶m->sinsr) == AF_UNIX? 0 :
 #endif
+	    IPPROTO_TCP
+	)) == INVALID_SOCKET) {return (11);}
 	if(SAISNULL(¶m->sinsl)){
+#ifdef WITH_UN
+	    if(*SAFAMILY(¶m->sinsr) == AF_UNIX) param->sinsl = param->sinsr;
+	    else 
+#endif
 #ifndef NOIPV6
 		if(*SAFAMILY(¶m->sinsr) == AF_INET6) param->sinsl = param->srv->extsa6;
 		else
@@ -443,22 +593,64 @@ int doconnect(struct clientparam * param){
 			param->sinsl = param->srv->extsa;
 	}
 	*SAPORT(¶m->sinsl) = 0;
-	if(so._bind(param->remsock, (struct sockaddr*)¶m->sinsl, SASIZE(¶m->sinsl))==-1) {
+	setopts(param->remsock, param->srv->srvsockopts);
+
+	param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+#ifdef REUSE
+	{
+		int opt;
+
+#ifdef SO_REUSEADDR
+		opt = 1;
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
+#endif
+#ifdef SO_REUSEPORT
+		opt = 1;
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
+#endif
+	}
+#endif
+#if defined SO_BINDTODEVICE
+	if(param->srv->obindtodevice) {
+		if(param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_BINDTODEVICE, param->srv->obindtodevice, strlen(param->srv->obindtodevice) + 1))
+			return 12;
+	}
+#elif defined IP_BOUND_IF
+	if(param->srv->obindtodevice) {
+	    int idx;
+	    idx = if_nametoindex(param->srv->obindtodevice);
+	    if(!idx || (*SAFAMILY(¶m->sinsl) == AF_INET && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IP, IP_BOUND_IF, &idx, sizeof(idx))))
+			return 12;
+#ifndef NOIPV6
+	    if(*SAFAMILY(¶m->sinsl) == AF_INET6 && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof(idx))) return 12;
+#endif
+	}
+#endif
+#ifdef WITH_UN
+	if(*SAFAMILY(¶m->sinsl) != AF_UNIX)
+#endif
+	if(param->srv->so._bind(param->sostate, param->remsock, (struct sockaddr*)¶m->sinsl, SASIZE(¶m->sinsl))==-1) {
 		return 12;
 	}
 	
-	if(param->operation >= 256 || (param->operation & CONNECT)){
-		if(connectwithpoll(param->remsock,(struct sockaddr *)¶m->sinsr,SASIZE(¶m->sinsr),CONNECT_TO)) {
+	if(param->operation >= 256 || (param->operation & CONNECT) || param->redirected){
+		if(connectwithpoll(param, param->remsock,(struct sockaddr *)¶m->sinsr,SASIZE(¶m->sinsr),conf.timeouts[CONNECT_TO])) {
 			return 13;
 		}
 	}
 	size = sizeof(param->sinsl);
-	if(so._getsockname(param->remsock, (struct sockaddr *)¶m->sinsl, &size)==-1) {return (15);}
+	if(param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsl, &size)==-1) {return (15);}
+ }
+ if (param->nconnectfilters){
+    FILTER_ACTION action;
+    
+    action = handleconnectflt(param);
+    if(action != PASS) return 19;
  }
  return 0;
 }
 
-int scanaddr(const unsigned char *s, unsigned long * ip, unsigned long * mask) {
+int scanaddr(const unsigned char *s, uint32_t * ip, uint32_t * mask) {
 	unsigned d1, d2, d3, d4, m;
 	int res;
 	if ((res = sscanf((char *)s, "%u.%u.%u.%u/%u", &d1, &d2, &d3, &d4, &m)) < 4) return 0;
@@ -470,11 +662,11 @@ int scanaddr(const unsigned char *s, unsigned long * ip, unsigned long * mask) {
 
 RESOLVFUNC resolvfunc = NULL;
 #ifndef _WIN32
-pthread_mutex_t gethostbyname_mutex;
+_3proxy_mutex_t gethostbyname_mutex;
 int ghbn_init = 0;
 #endif
 
-
+#ifndef NOSTDRESOLVE
 #ifdef GETHOSTBYNAME_R
 struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 	struct hostent *result;
@@ -489,10 +681,11 @@ struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 #endif
 }
 #endif
+#endif
 
 #ifdef NOIPV6
-unsigned long getip(unsigned char *name){
-	unsigned long retval;
+uint32_t getip(unsigned char *name){
+	uint32_t retval;
 	int i;
 	int ndots = 0;
 	struct hostent *hp=NULL;
@@ -522,24 +715,28 @@ unsigned long getip(unsigned char *name){
 		if(conf.demanddialprog) system(conf.demanddialprog);
 		return (*tmpresolv)(AF_INET, name, (unsigned char *)&retval)?retval:0;
 	}
+#ifndef NOSTDRESOLVE
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
 	if(!ghbn_init){
-		pthread_mutex_init(&gethostbyname_mutex, NULL);
+		_3proxy_mutex_init(&gethostbyname_mutex);
 		ghbn_init++;
 	}
-	pthread_mutex_lock(&gethostbyname_mutex);
+	_3proxy_mutex_lock(&gethostbyname_mutex);
 #endif
 	hp=gethostbyname((char *)name);
 	if (!hp && conf.demanddialprog) {
 		system(conf.demanddialprog);
 		hp=gethostbyname((char *)name);
 	}
-	retval = hp?*(unsigned long *)hp->h_addr:0;
+	retval = hp?*(uint32_t *)hp->h_addr:0;
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
-	pthread_mutex_unlock(&gethostbyname_mutex);
+	_3proxy_mutex_unlock(&gethostbyname_mutex);
 #endif
 #ifdef GETHOSTBYNAME_R
 #undef gethostbyname
+#endif
+#else
+	retval=0;
 #endif
 	return retval;
 }
@@ -577,7 +774,7 @@ int afdetect(unsigned char *name){
 
 }
 
-unsigned long getip46(int family, unsigned char *name,  struct sockaddr *sa){
+uint32_t getip46(int family, unsigned char *name,  struct sockaddr *sa){
 #ifndef NOIPV6
 	int detect;
 	struct addrinfo *ai, hint;
@@ -597,7 +794,7 @@ unsigned long getip46(int family, unsigned char *name,  struct sockaddr *sa){
 	if(detect != -1){
 		if(family == 4 && detect != AF_INET) return 0;
 		*SAFAMILY(sa) = (family == 6)? AF_INET6 : detect;
-		return inet_pton(*SAFAMILY(sa), (char *)name, SAADDR(sa))? *SAFAMILY(sa) : 0; 
+		return inet_pton(*SAFAMILY(sa), (char *)name, SAADDR(sa))>0? *SAFAMILY(sa) : 0; 
 	}
 
 
diff --git a/src/conf.c b/src/conf.c
index fcdecdc..1427419 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1,12 +1,19 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
 #include "proxy.h"
+#include "libs/blake2.h"
+#ifdef WITH_SSL
+void ssl_install(void);
+#endif
+#ifdef WITH_PCRE
+void pcre_install(void);
+#endif
 #ifndef _WIN32
 #include 
 #include 
@@ -20,12 +27,10 @@
 #define DEFAULTCONFIG conf.stringtable[25]
 #endif
 
-pthread_mutex_t bandlim_mutex;
-pthread_mutex_t connlim_mutex;
-pthread_mutex_t tc_mutex;
-pthread_mutex_t pwl_mutex;
-pthread_mutex_t hash_mutex;
-pthread_mutex_t config_mutex;
+_3proxy_mutex_t bandlim_mutex;
+_3proxy_mutex_t connlim_mutex;
+_3proxy_mutex_t tc_mutex;
+_3proxy_mutex_t config_mutex;
 
 int haveerror = 0;
 int linenum = 0;
@@ -105,11 +110,12 @@ unsigned char * dologname (unsigned char *buf, unsigned char *name, const unsign
 	struct tm *ts;
 
 	ts = localtime(&t);
+	if(strlen((char *)name) >= 4096){
+	    *buf = 0;
+	    return buf;
+	}
 	if(strchr((char *)name, '%')){
-		struct clientparam fakecli;
-
-		memset(&fakecli, 0, sizeof(fakecli));
-		dobuf2(&fakecli, buf, NULL, NULL, ts, (char *)name);
+		dobuf2(NULL, buf, NULL, NULL, ts, (char *)name);
 	}
 	else switch(lt){
 		case NONE:
@@ -151,7 +157,7 @@ int start_proxy_thread(struct child * chp){
   HANDLE h;
 #endif
 
-	conf.threadinit = 1;
+	_3proxy_sem_lock(conf.threadinit);
 #ifdef _WIN32
 #ifndef _WINCE
 	h = (HANDLE)_beginthreadex((LPSECURITY_ATTRIBUTES )NULL, 16384+conf.stacksize, (void *)startsrv, (void *) chp, (DWORD)0, &thread);
@@ -166,7 +172,8 @@ int start_proxy_thread(struct child * chp){
 	pthread_create(&thread, &pa, startsrv, (void *)chp);
 	pthread_attr_destroy(&pa);
 #endif
-	while(conf.threadinit)usleep(SLEEPTIME);
+	_3proxy_sem_lock(conf.threadinit);
+	_3proxy_sem_unlock(conf.threadinit);
 	if(haveerror)  {
 		fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
 		return(40);
@@ -184,9 +191,8 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.port = 3128;
 		childdef.isudp = 0;
 		childdef.service = S_PROXY;
-		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, proxy may run very slow\n", linenum);
 		}
 #endif
@@ -217,13 +223,19 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.port = 1080;
 		childdef.isudp = 0;
 		childdef.service = S_SOCKS;
-		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, socks may run very slow\n", linenum);
 		}
 #endif
 	}
+	else if(!strcmp((char *)argv[0], "auto")) {
+		childdef.pf = autochild;
+		childdef.port = 8080;
+		childdef.isudp = 0;
+		childdef.service = S_AUTO;
+		childdef.helpmessage = "";
+	}
 	else if(!strcmp((char *)argv[0], "tcppm")) {
 		childdef.pf = tcppmchild;
 		childdef.port = 0;
@@ -231,6 +243,13 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_TCPPM;
 		childdef.helpmessage = "";
 	}
+	else if(!strcmp((char *)argv[0], "tlspr")) {
+		childdef.pf = tlsprchild;
+		childdef.port = 1443;
+		childdef.isudp = 0;
+		childdef.service = S_TLSPR;
+		childdef.helpmessage = "";
+	}
 	else if(!strcmp((char *)argv[0], "udppm")) {
 		childdef.pf = udppmchild;
 		childdef.port = 0;
@@ -251,7 +270,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_DNSPR;
 		childdef.helpmessage = " -s - simple DNS forwarding - do not use 3proxy resolver / name cache\n";
 #ifndef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize) || resolvfunc == fakeresolver){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize) || resolvfunc == fakeresolver){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, dnspr will not work as expected\n", linenum);
 		}
 #endif
@@ -260,17 +279,23 @@ static int h_proxy(int argc, unsigned char ** argv){
 }
 
 static int h_internal(int argc, unsigned char ** argv){
-	getip46(46, argv[1], (struct sockaddr *)&conf.intsa);
+#ifdef WITH_UN
+	if(!strncmp((char *)argv[1], "unix:", 5)){
+		make_un(argv[1] +5, (struct sockaddr_un *)&conf.intsa);
+	}
+	else
+#endif
+		getip46(46, argv[1], (struct sockaddr *)&conf.intsa);
 	return 0;
 }
 
 static int h_external(int argc, unsigned char ** argv){
 	int res;
 #ifndef NOIPV6
-	struct sockaddr_in6 sa6;
+	PROXYSOCKADDRTYPE sa6;
 	memset(&sa6, 0, sizeof(sa6));
 	res = getip46(46, argv[1], (struct sockaddr *)&sa6);
-	if(!res) return 1; 
+	if(!res) return 1;
 	if (*SAFAMILY(&sa6)==AF_INET) conf.extsa = sa6;
 	else conf.extsa6 = sa6;
 #else
@@ -290,7 +315,7 @@ static int h_log(int argc, unsigned char ** argv){
 		notchanged = 1;
 	}
 	if(!notchanged && conf.logtarget){
-		myfree(conf.logtarget);
+		free(conf.logtarget);
 		conf.logtarget = NULL;
 	}
 	if(argc > 1) {
@@ -298,7 +323,7 @@ static int h_log(int argc, unsigned char ** argv){
 			conf.logfunc = lognone;
 			return 0;
 		}
-		if(!notchanged) conf.logtarget = (unsigned char *)mystrdup((char *)argv[1]);
+		if(!notchanged) conf.logtarget = (unsigned char *)strdup((char *)argv[1]);
 		if(*argv[1]=='@'){
 #ifndef _WIN32
 			conf.logfunc = logsyslog;
@@ -306,18 +331,18 @@ static int h_log(int argc, unsigned char ** argv){
 			openlog((char *)conf.logtarget+1, LOG_PID, LOG_DAEMON);
 #endif
 		}
-#ifndef NOODBC
+#ifdef WITH_ODBC
 		else if(*argv[1]=='&'){
-			if(notchanged) return 0;
 			conf.logfunc = logsql;
-			pthread_mutex_lock(&log_mutex);
+			if(notchanged) return 0;
+			_3proxy_mutex_lock(&log_mutex);
 			close_sql();
 			init_sql((char *)argv[1]+1);
-			pthread_mutex_unlock(&log_mutex);
+			_3proxy_mutex_unlock(&log_mutex);
 		}
 #endif
 #ifndef NORADIUS
-		else if(!strcmp(argv[1],"radius")){
+		else if(!strcmp((char *)argv[1],"radius")){
 			conf.logfunc = logradius;
 		}
 #endif
@@ -328,8 +353,8 @@ static int h_log(int argc, unsigned char ** argv){
 			conf.logfunc = logstdout;
 			if(notchanged) return 0;
 			conf.logtime = time(0);
-			if(conf.logname)myfree(conf.logname);
-			conf.logname = (unsigned char *)mystrdup((char *)argv[1]);
+			if(conf.logname)free(conf.logname);
+			conf.logname = (unsigned char *)strdup((char *)argv[1]);
 			if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.logtime), "a", conf.stdlog);
 			else conf.stdlog = fopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.logtime), "a");
 			if(!conf.stdlog){
@@ -370,8 +395,8 @@ static int h_daemon(int argc, unsigned char **argv){
 }
 
 static int h_config(int argc, unsigned char **argv){
-	if(conf.conffile)myfree(conf.conffile);
-	conf.conffile = mystrdup((char *)argv[1]);
+	if(conf.conffile)free(conf.conffile);
+	conf.conffile = strdup((char *)argv[1]);
 	if(!conf.conffile) return 21;
 	return 0;
 }
@@ -393,10 +418,10 @@ static int h_include(int argc, unsigned char **argv){
 static int h_archiver(int argc, unsigned char **argv){
 	int j;
 
-	conf.archiver = myalloc(argc * sizeof(char *));
+	conf.archiver = malloc(argc * sizeof(char *));
 	if(conf.archiver) {
 		conf.archiverc = argc;
-		for(j = 0; j < conf.archiverc; j++) conf.archiver[j] = (unsigned char *)mystrdup((char *)argv[j]);
+		for(j = 0; j < conf.archiverc; j++) conf.archiver[j] = (unsigned char *)strdup((char *)argv[j]);
 	}
 	return 0;
 }
@@ -414,18 +439,6 @@ static int h_counter(int argc, unsigned char **argv){
 			fprintf(stderr, "Not a counter file %s, line %d\n", argv[1], linenum);
 			return 2;
 		}
-#ifdef _TIME64_T_DEFINED
-#ifdef _MAX__TIME64_T
-#define MAX_COUNTER_TIME (_MAX__TIME64_T)
-#elif defined (MAX__TIME64_T)
-#define MAX_COUNTER_TIME (MAX__TIME64_T)
-#else
-#define MAX_COUNTER_TIME (0x793406fff)
-#endif 
-#else
-#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
-#endif
-
 		if(ch1.updated < 0 || ch1.updated >= MAX_COUNTER_TIME){
 			fprintf(stderr, "Invalid or corrupted counter file %s. Use countersutil utility to convert from older version\n", argv[1]);
 			return 3;
@@ -434,8 +447,8 @@ static int h_counter(int argc, unsigned char **argv){
 	}
 	if(argc >=4) {
 		conf.countertype = getrotate(*argv[2]);
-		if(conf.counterfile) myfree(conf.counterfile);
-		conf.counterfile = mystrdup((char *)argv[3]);
+		if(conf.counterfile) free(conf.counterfile);
+		conf.counterfile = strdup((char *)argv[3]);
 	}
 	return 0;
 }
@@ -445,10 +458,15 @@ static int h_rotate(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_maxseg(int argc, unsigned char **argv){
+	conf.maxseg = atoi((char *)argv[1]);
+	return 0;
+}
+
 static int h_logformat(int argc, unsigned char **argv){
 	unsigned char * old = conf.logformat;
-	conf.logformat = (unsigned char *)mystrdup((char *)argv[1]);
-	if(old) myfree(old);
+	conf.logformat = (unsigned char *)strdup((char *)argv[1]);
+	if(old) free(old);
 	return 0;
 }
 
@@ -477,7 +495,7 @@ static int h_auth(int argc, unsigned char **argv){
 	for(argc--; argc; argc--){
 	  for(au = authfuncs; au; au=au->next){
 		if(!strcmp((char *)argv[argc], au->desc)){
-			newau = myalloc(sizeof(struct auth));
+			newau = malloc(sizeof(struct auth));
 			if(!newau) {
 				return 21;
 			}
@@ -496,46 +514,59 @@ static int h_auth(int argc, unsigned char **argv){
 }
 
 static int h_users(int argc, unsigned char **argv){
-  int j;
-  unsigned char *arg;
-  struct passwords *pwl = NULL;
-
-	for (j = 1; juser = (unsigned char *)mystrdup((char *)argv[j]);
-			pwl->pwtype = SYS;
-		}
-		else {
-			*arg = 0;
-			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
-
-			if((arg[1] == 'C' && arg[2] == 'L' && (pwl->pwtype = CL)) ||
-				(arg[1] == 'C' && arg[2] == 'R' && (pwl->pwtype = CR)) ||
-				(arg[1] == 'N' && arg[2] == 'T' && (pwl->pwtype = NT)) ||
-				(arg[1] == 'L' && arg[2] == 'M' && (pwl->pwtype = LM))){
-				pwl->password = (unsigned char *)mystrdup((char *)arg+4);
-			}
-			else {
-				pwl->password = (unsigned char *) mystrdup((char *)arg + 1);
-				pwl->pwtype = UN;
-			}
-			if(!pwl->password) return 3;
-		}
-		if(!pwl->user) return 21;
-		pthread_mutex_lock(&pwl_mutex);
-		pwl->next = conf.pwl;
-		conf.pwl = pwl;
-		pthread_mutex_unlock(&pwl_mutex);
+    static char dummy;
+    int j;
+    unsigned char *arg;
+    char *pw[2];
+    char pass[256];
+    int l;
 
+    for (j = 1; j < argc; j++) {
+        arg = (unsigned char *)strchr((char *)argv[j], ':');
+        if (!arg) continue;
+        *arg = 0;
+        pw[0] = (char *)argv[j];
 
+        if (!pwl_table.ihashtable && inithashtable(&pwl_table, 16, 32, 1048576))
+                    return 3;
+	memset(pass, 0, sizeof(pass));
+        if (arg[1] && arg[2] && arg[3] == ':') {
+            pw[1] = (char *)(arg + 4);
+            if (arg[1] == 'N' && arg[2] == 'T') {
+#ifdef WITH_SSL
+		*pass = NT;
+#else
+                continue;
+#endif
+            }
+            else if (arg[1] == 'C' && arg[2] == 'R') {
+		*pass = CR;
+            }
+            else if (arg[1] == 'C' && arg[2] == 'L') {
+		*pass = CL;
+            } else {
+                continue;
+            }
+        } else {
+    	    *pass = CL;
+            pw[1] = (char *)(arg + 1);
+        }
+	l = strlen(pw[1]);
+	if(l > 255) l = 255;
+	if((unsigned)l >= pwl_table.recsize) {
+	    if(*pass != CL) continue;
+	    blake2b_state S;
+	    unsigned hashsz;
+	    hashsz = pwl_table.recsize - 1 < 64 ? pwl_table.recsize - 1 : 64;
+	    blake2b_init(&S, hashsz);
+	    blake2b_update(&S, pw[1], l + 1);
+	    blake2b_final(&S, pass+1, hashsz);
+	} else {
+	    memcpy(pass + 1, pw[1], l);
 	}
-	return 0;
+        hashadd(&pwl_table, pw[0], pass, MAX_COUNTER_TIME);
+    }
+    return 0;
 }
 
 static int h_maxconn(int argc, unsigned char **argv){
@@ -558,6 +589,14 @@ static int h_maxconn(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_backlog(int argc, unsigned char **argv){
+	conf.backlog = atoi((char *)argv[1]);
+	if(conf.backlog < 0) {
+		return(1);
+	}
+	return 0;
+}
+
 static int h_flush(int argc, unsigned char **argv){
 	freeacl(conf.acl);
 	conf.acl = NULL;
@@ -611,14 +650,14 @@ static int h_fakeresolve(int argc, unsigned char **argv){
 }
 
 static int h_nscache(int argc, unsigned char **argv){
-  int res;
+  unsigned res;
 
-	res = atoi((char *)argv[1]);
+	res = (unsigned)atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(inithashtable(&dns_table, (unsigned)res)){
+	if(dns_table.growlimit != res && inithashtable(&dns_table, (res >> 2), (res >> 2), res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@@ -634,14 +673,14 @@ static int h_parentretries(int argc, unsigned char **argv){
 }
 
 static int h_nscache6(int argc, unsigned char **argv){
-  int res;
+  unsigned res;
 
-	res = atoi((char *)argv[1]);
+	res = (unsigned)atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(inithashtable(&dns6_table, (unsigned)res)){
+	if(dns6_table.growlimit != res &&inithashtable(&dns6_table, (res>>2), (res>>2), res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@@ -649,11 +688,7 @@ static int h_nscache6(int argc, unsigned char **argv){
 }
 
 static int h_nsrecord(int argc, unsigned char **argv){
-#ifndef NOIPV6
-	struct sockaddr_in6 sa;
-#else
-	struct sockaddr_in sa;
-#endif
+	PROXYSOCKADDRTYPE sa;
 	memset(&sa, 0, sizeof(sa));
 	if(!getip46(46, argv[2], (struct sockaddr *)&sa)) return 1;
 
@@ -662,8 +697,8 @@ static int h_nsrecord(int argc, unsigned char **argv){
 }
 
 static int h_dialer(int argc, unsigned char **argv){
-	if(conf.demanddialprog) myfree(conf.demanddialprog);
-	conf.demanddialprog = mystrdup((char *)argv[1]);
+	if(conf.demanddialprog) free(conf.demanddialprog);
+	conf.demanddialprog = strdup((char *)argv[1]);
 	return 0;
 }
 
@@ -692,14 +727,14 @@ static int h_pidfile(int argc, unsigned char **argv){
 static int h_monitor(int argc, unsigned char **argv){
   struct filemon * fm;
 
-	fm = myalloc(sizeof (struct filemon));
+	fm = malloc(sizeof (struct filemon));
 	if(!fm) return 21;
 	if(stat((char *)argv[1], &fm->sb)){
-		myfree(fm);
+		free(fm);
 		fprintf(stderr, "Warning: file %s doesn't exist on line %d\n", argv[1], linenum);
 	}
 	else {
-		fm->path = mystrdup((char *)argv[1]);
+		fm->path = strdup((char *)argv[1]);
 		if(!fm->path) return 21;
 		fm->next = conf.fmon;
 		conf.fmon = fm;
@@ -707,10 +742,34 @@ static int h_monitor(int argc, unsigned char **argv){
 	return 0;
 }
 
+
+struct redirdesc redirs[] = {
+    {R_TCP, "tcp", tcppmchild},
+    {R_CONNECT, "connect", proxychild},
+    {R_SOCKS4, "socks4", sockschild},
+    {R_SOCKS5, "socks5", sockschild},
+    {R_HTTP, "http", proxychild},
+    {R_POP3, "pop3", pop3pchild},
+    {R_SMTP, "smtp", smtppchild},
+    {R_FTP, "ftp", ftpprchild},
+    {R_CONNECTP, "connect+", proxychild},
+    {R_SOCKS4P, "socks4+", sockschild},
+    {R_SOCKS5P, "socks5+", sockschild},
+    {R_SOCKS4B, "socks4b", sockschild},
+    {R_SOCKS5B, "socks5b", sockschild},
+    {R_ADMIN, "admin", adminchild},
+    {R_EXTIP, "extip", NULL},
+    {R_TLS, "tls", tlsprchild},
+    {R_HA, "ha", NULL},
+    {R_DNS, "dns", dnsprchild},
+    {0, NULL, NULL}
+};
+
 static int h_parent(int argc, unsigned char **argv){
   struct ace *acl = NULL;
   struct chain *chains;
-  char * cidr;
+  char * cidr = NULL;
+  int i;
 
 	acl = conf.acl;
 	while(acl && acl->next) acl = acl->next;
@@ -720,7 +779,7 @@ static int h_parent(int argc, unsigned char **argv){
 	}
 	acl->action = 2;
 
-	chains = myalloc(sizeof(struct chain));
+	chains = malloc(sizeof(struct chain));
 	if(!chains){
 		return(21);
 	}
@@ -728,39 +787,52 @@ static int h_parent(int argc, unsigned char **argv){
 	chains->weight = (unsigned)atoi((char *)argv[1]);
 	if(chains->weight == 0 || chains->weight >1000) {
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
+		free(chains);
 		return(3);
 	}
-	if(!strcmp((char *)argv[2], "tcp"))chains->type = R_TCP;
-	else if(!strcmp((char *)argv[2], "http"))chains->type = R_HTTP;
-	else if(!strcmp((char *)argv[2], "connect"))chains->type = R_CONNECT;
-	else if(!strcmp((char *)argv[2], "socks4"))chains->type = R_SOCKS4;
-	else if(!strcmp((char *)argv[2], "socks5"))chains->type = R_SOCKS5;
-	else if(!strcmp((char *)argv[2], "connect+"))chains->type = R_CONNECTP;
-	else if(!strcmp((char *)argv[2], "socks4+"))chains->type = R_SOCKS4P;
-	else if(!strcmp((char *)argv[2], "socks5+"))chains->type = R_SOCKS5P;
-	else if(!strcmp((char *)argv[2], "socks4b"))chains->type = R_SOCKS4B;
-	else if(!strcmp((char *)argv[2], "socks5b"))chains->type = R_SOCKS5B;
-	else if(!strcmp((char *)argv[2], "pop3"))chains->type = R_POP3;
-	else if(!strcmp((char *)argv[2], "ftp"))chains->type = R_FTP;
-	else if(!strcmp((char *)argv[2], "admin"))chains->type = R_ADMIN;
-	else if(!strcmp((char *)argv[2], "extip"))chains->type = R_EXTIP;
-	else if(!strcmp((char *)argv[2], "smtp"))chains->type = R_SMTP;
-	else {
+	for(i = 0; redirs[i].name ; i++){
+	    int len;
+	    len = strlen(redirs[i].name);
+	    if(!strncmp((char *)argv[2], redirs[i].name, len)
+		&& (argv[2][len] == 0 || (argv[2][len] == 's' && argv[2][len+1] == 0))
+	    ) {
+		chains->type = redirs[i].redir;
+		if(argv[2][len] == 's') chains->secure = 1;
+		break;
+	    }
+	}
+	if(!redirs[i].name) {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
+		free(chains);
 		return(4);
 	}
-	cidr = strchr(argv[3], '/');
+#ifdef WITH_UN
+	if(!strncmp((char *)argv[3], "unix:", 5)){
+	    make_un(argv[3] + 5, (struct sockaddr_un*)&chains->addr);
+	}
+	else {
+#endif
+	cidr = strchr((char *)argv[3], '/');
 	if(cidr) *cidr = 0;
-	getip46(46, argv[3], (struct sockaddr *)&chains->addr);
-	chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
-	if(!chains->exthost) return 21;
+	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) {
+		free(chains);
+		return (5);
+	}
+#ifdef WITH_UN
+	}
+#endif
+	chains->exthost = (unsigned char *)strdup((char *)argv[3]);
+	if(!chains->exthost) {
+		free(chains);
+		return 21;
+	}
 	if(cidr){
 		*cidr = '/';
 		chains->cidr = atoi(cidr + 1);
 	}
-	*SAPORT(&chains->addr) = htons((unsigned short)atoi((char *)argv[4]));
-	if(argc > 5) chains->extuser = (unsigned char *)mystrdup((char *)argv[5]);
-	if(argc > 6) chains->extpass = (unsigned char *)mystrdup((char *)argv[6]);
+	*SAPORT(&chains->addr) = htons((uint16_t)atoi((char *)argv[4]));
+	if(argc > 5) chains->extuser = (unsigned char *)strdup((char *)argv[5]);
+	if(argc > 6) chains->extpass = (unsigned char *)strdup((char *)argv[6]);
 	if(!acl->chains) {
 		acl->chains = chains;
 	}
@@ -789,11 +861,7 @@ static int h_nolog(int argc, unsigned char **argv){
 }
 
 int scanipl(unsigned char *arg, struct iplist *dst){
-#ifndef NOIPV6
-	struct sockaddr_in6 sa;
-#else
-	struct sockaddr_in sa;
-#endif
+	PROXYSOCKADDRTYPE sa;
         char * slash, *dash;
 	int masklen, addrlen;
 	int res;
@@ -812,7 +880,7 @@ int scanipl(unsigned char *arg, struct iplist *dst){
 	memcpy(&dst->ip_from, SAADDR(&sa), SAADDRLEN(&sa));
 	dst->family = *SAFAMILY(&sa);
 	if(dash){
-		if(afdetect(dash+1) == -1) return 1;
+		if(afdetect((unsigned char *)dash+1) == -1) return 1;
 		if(!getip46(46, (unsigned char *)dash+1, (struct sockaddr *)&sa)) return 2;
 		memcpy(&dst->ip_to, SAADDR(&sa), SAADDRLEN(&sa));
 		if(*SAFAMILY(&sa) != dst->family || memcmp(&dst->ip_to, &dst->ip_from, SAADDRLEN(&sa)) < 0) return 3;
@@ -850,18 +918,18 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 	struct hostname *hostnamel=NULL;
 	int res;
 
-	acl = myalloc(sizeof(struct ace));
+	acl = malloc(sizeof(struct ace));
 	if(!acl) return acl;
 	memset(acl, 0, sizeof(struct ace));
 		if(argc > 0 && strcmp("*", (char *)argv[0])) {
 			arg = argv[0];
 			arg = (unsigned char *)strtok((char *)arg, ",");
-			do {
+			if(arg) do {
 				if(!acl->users) {
-					acl->users = userl = myalloc(sizeof(struct userlist));
+					acl->users = userl = malloc(sizeof(struct userlist));
 				}
 				else {
-					userl->next = myalloc(sizeof(struct userlist));
+					userl->next = malloc(sizeof(struct userlist));
 					userl = userl -> next;
 				}
 				if(!userl) {
@@ -869,18 +937,18 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 					return(NULL);
 				}
 				memset(userl, 0, sizeof(struct userlist));
-				userl->user=(unsigned char*)mystrdup((char *)arg);
+				userl->user=(unsigned char*)strdup((char *)arg);
 				if(!userl->user) return NULL;
 			} while((arg = (unsigned char *)strtok((char *)NULL, ",")));
 		}
 		if(argc > 1  && strcmp("*", (char *)argv[1])) {
 			arg = (unsigned char *)strtok((char *)argv[1], ",");
-			do {
+			if(arg) do {
 				if(!acl->src) {
-					acl->src = ipl = myalloc(sizeof(struct iplist));
+					acl->src = ipl = malloc(sizeof(struct iplist));
 				}
 				else {
-					ipl->next = myalloc(sizeof(struct iplist));
+					ipl->next = malloc(sizeof(struct iplist));
 					ipl = ipl -> next;
 				}
 				if(!ipl) {
@@ -896,7 +964,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 		}
 		if(argc > 2 && strcmp("*", (char *)argv[2])) {
 			arg = (unsigned char *)strtok((char *)argv[2], ",");
-			do {
+			if(arg) do {
 			 int arglen;
 			 unsigned char *pattern;
 			 struct iplist tmpip={NULL};
@@ -905,10 +973,10 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 			 if(scanipl(arg, &tmpip)){
 				if(!arglen) continue;
 				if(!acl->dstnames) {
-					acl->dstnames = hostnamel = myalloc(sizeof(struct hostname));
+					acl->dstnames = hostnamel = malloc(sizeof(struct hostname));
 				}
 				else {
-					hostnamel->next = myalloc(sizeof(struct hostname));
+					hostnamel->next = malloc(sizeof(struct hostname));
 					hostnamel = hostnamel -> next;
 				}
 				if(!hostnamel){
@@ -928,7 +996,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 					arglen--;
 					hostnamel->matchtype ^= MATCHBEGIN;
 				}
-				hostnamel->name = (unsigned char *) mystrdup( (char *)pattern);
+				hostnamel->name = (unsigned char *) strdup( (char *)pattern);
 				if(!hostnamel->name) {
 					fprintf(stderr, "No memory for ACL entry, line %d\n", linenum);
 					return(NULL);
@@ -937,10 +1005,10 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 			 else {
 				
 				if(!acl->dst) {
-					acl->dst = ipl = myalloc(sizeof(struct iplist));
+					acl->dst = ipl = malloc(sizeof(struct iplist));
 				}
 				else {
-					ipl->next = myalloc(sizeof(struct iplist));
+					ipl->next = malloc(sizeof(struct iplist));
 					ipl = ipl -> next;
 				}
 				if(!ipl) {
@@ -953,12 +1021,12 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 		}
 		if(argc > 3 && strcmp("*", (char *)argv[3])) {
 			arg = (unsigned char *)strtok((char *)argv[3], ",");
-			do {
+			if(arg) do {
 				if(!acl->ports) {
-					acl->ports = portl = myalloc(sizeof(struct portlist));
+					acl->ports = portl = malloc(sizeof(struct portlist));
 				}
 				else {
-					portl->next = myalloc(sizeof(struct portlist));
+					portl->next = malloc(sizeof(struct portlist));
 					portl = portl -> next;
 				}
 				if(!portl) {
@@ -976,7 +1044,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 		}
 		if(argc > 4 && strcmp("*", (char *)argv[4])) {
 			arg = (unsigned char *)strtok((char *)argv[4], ",");	
-			do {
+			if(arg) do {
 				if(!strcmp((char *)arg, "CONNECT")){
 					acl->operation |= CONNECT;
 				}
@@ -1084,7 +1152,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 				t2 = (t2 * 60) + (arg[12] - '0') * 10 + (arg[13] - '0');
 				t2 = (t2 * 60) + (arg[15] - '0') * 10 + (arg[16] - '0');
 				if(t2 < t1) break;
-				sp = myalloc(sizeof(struct period));
+				sp = malloc(sizeof(struct period));
 				if(sp){
 					sp->fromtime = t1;
 					sp->totime = t2;
@@ -1163,15 +1231,18 @@ static int h_ace(int argc, unsigned char **argv){
 	acl->action = res;
 	switch(acl->action){
 	case REDIRECT:
-		acl->chains = myalloc(sizeof(struct chain));
+		acl->chains = malloc(sizeof(struct chain));
 		if(!acl->chains) {
 			freeacl(acl);
 			return(21);
 		}
-		memset(acl->chains, 0, sizeof(struct chain)); 
+		memset(acl->chains, 0, sizeof(struct chain));
 		acl->chains->type = R_HTTP;
-		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
-		*SAPORT(&acl->chains->addr) = htons((unsigned short)atoi((char *)argv[2]));
+		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) {
+			freeacl(acl);
+			return 5;
+		}
+		*SAPORT(&acl->chains->addr) = htons((uint16_t)atoi((char *)argv[2]));
 		acl->chains->weight = 1000;
 	case ALLOW:
 	case DENY:
@@ -1187,7 +1258,7 @@ static int h_ace(int argc, unsigned char **argv){
 		break;
 	case CONNLIM:
 	case NOCONNLIM:
-		ncl = myalloc(sizeof(struct connlim));
+		ncl = malloc(sizeof(struct connlim));
 		if(!ncl) {
 			freeacl(acl);
 			return(21);
@@ -1198,7 +1269,7 @@ static int h_ace(int argc, unsigned char **argv){
 			sscanf((char *)argv[1], "%u", &ncl->rate);
 			sscanf((char *)argv[2], "%u", &ncl->period);
 		}
-		pthread_mutex_lock(&connlim_mutex);
+		_3proxy_mutex_lock(&connlim_mutex);
 		if(!conf.connlimiter){
 			conf.connlimiter = ncl;
 		}
@@ -1208,13 +1279,13 @@ static int h_ace(int argc, unsigned char **argv){
 			for(cli = conf.connlimiter; cli->next; cli = cli->next);
 			cli->next = ncl;
 		}
-		pthread_mutex_unlock(&connlim_mutex);			
+		_3proxy_mutex_unlock(&connlim_mutex);			
 		break;
 
 	case BANDLIM:
 	case NOBANDLIM:
 
-		nbl = myalloc(sizeof(struct bandlim));
+		nbl = malloc(sizeof(struct bandlim));
 		if(!nbl) {
 			freeacl(acl);
 			return(21);
@@ -1224,13 +1295,13 @@ static int h_ace(int argc, unsigned char **argv){
 		if(acl->action == BANDLIM) {
 			sscanf((char *)argv[1], "%u", &nbl->rate);
 			if(nbl->rate < 300) {
-				myfree(nbl);
+				free(nbl);
 				freeacl(acl);
 				fprintf(stderr, "Wrong bandwidth specified, line %d\n", linenum);
 				return(4);
 			}
 		}
-		pthread_mutex_lock(&bandlim_mutex);
+		_3proxy_mutex_lock(&bandlim_mutex);
 		if(!strcmp((char *)argv[0], "bandlimin") || !strcmp((char *)argv[0], "nobandlimin")){
 			if(!conf.bandlimiter){
 				conf.bandlimiter = nbl;
@@ -1254,7 +1325,7 @@ static int h_ace(int argc, unsigned char **argv){
 			}
 		}
 		conf.bandlimver++;
-		pthread_mutex_unlock(&bandlim_mutex);			
+		_3proxy_mutex_unlock(&bandlim_mutex);			
 		break;
 
 	case COUNTIN:
@@ -1264,7 +1335,7 @@ static int h_ace(int argc, unsigned char **argv){
 	case COUNTALL:
 	case NOCOUNTALL:
 		if(!conf.trafcountfunc) conf.trafcountfunc = trafcountfunc;
-		tl = myalloc(sizeof(struct trafcount));
+		tl = malloc(sizeof(struct trafcount));
 		if(!tl) {
 			freeacl(acl);
 			return(21);
@@ -1278,14 +1349,14 @@ static int h_ace(int argc, unsigned char **argv){
 			tl->comment = ( char *)argv[1];
 			while(isdigit(*tl->comment))tl->comment++;
 			if(*tl->comment== '/')tl->comment++;
-			tl->comment = mystrdup(tl->comment);
+			tl->comment = strdup(tl->comment);
 
 			sscanf((char *)argv[1], "%u", &tl->number);
 			sscanf((char *)argv[3], "%lu", &lim);
 			tl->type = getrotate(*argv[2]);
 			tl->traflim64 =  ((uint64_t)lim)*(1024*1024);
 			if(!tl->traflim64) {
-				myfree(tl);
+				free(tl);
 				freeacl(acl);
 				fprintf(stderr, "Wrong traffic limit specified, line %d\n", linenum);
 				return(6);
@@ -1295,17 +1366,18 @@ static int h_ace(int argc, unsigned char **argv){
 					sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
 					SEEK_SET);
 				memset(&crecord, 0, sizeof(struct counter_record));
-				read(conf.counterd, &crecord, sizeof(struct counter_record));
-				tl->traf64 = crecord.traf64;
-				tl->cleared = crecord.cleared;
-				tl->updated = crecord.updated;
-				if(tl->cleared < 0 || tl->cleared >=  MAX_COUNTER_TIME || tl->updated < 0 || tl->updated >=  MAX_COUNTER_TIME){
-					fprintf(stderr, "Invalid, incompatible or corrupted counter file.\n");
-					return(6);
+				if(read(conf.counterd, &crecord, sizeof(struct counter_record)) == sizeof(struct counter_record)){
+				    tl->traf64 = crecord.traf64;
+				    tl->cleared = crecord.cleared;
+				    tl->updated = crecord.updated;
+				    if(tl->cleared < 0 || tl->cleared >=  MAX_COUNTER_TIME || tl->updated < 0 || tl->updated >=  MAX_COUNTER_TIME){
+					    fprintf(stderr, "Invalid, incompatible or corrupted counter file.\n");
+					    return(6);
+				    }
 				}
 			}
 		}
-		pthread_mutex_lock(&tc_mutex);
+		_3proxy_mutex_lock(&tc_mutex);
 		if(!conf.trafcounter){
 			conf.trafcounter = tl;
 		}
@@ -1315,7 +1387,7 @@ static int h_ace(int argc, unsigned char **argv){
 			for(ntl = conf.trafcounter; ntl->next; ntl = ntl->next);
 			ntl->next = tl;
 		}
-		pthread_mutex_unlock(&tc_mutex);
+		_3proxy_mutex_unlock(&tc_mutex);
 			
 	}
 	return 0;
@@ -1341,48 +1413,30 @@ static int h_delimchar(int argc, unsigned char **argv){
 
 #ifndef NORADIUS
 static int h_radius(int argc, unsigned char **argv){
-	unsigned short port;
+	uint16_t port;
 
-/*
-	int oldrad;
-#ifdef NOIPV6
-	struct  sockaddr_in bindaddr;
-#else
-	struct  sockaddr_in6 bindaddr;
-#endif
-
-	oldrad = nradservers;
-	nradservers = 0;
-	for(; oldrad; oldrad--){
-		if(radiuslist[oldrad].logsock >= 0) so._closesocket(radiuslist[oldrad].logsock);
-		radiuslist[oldrad].logsock = -1;
-	}
-*/
 	memset(radiuslist, 0, sizeof(radiuslist));
-	if(strlen(argv[1]) > 63) argv[1][63] = 0;
-	strcpy(radiussecret, argv[1]);
+	if(strlen((char *)argv[1]) > 63) argv[1][63] = 0;
+	strcpy(radiussecret, (char *)argv[1]);
 	for( nradservers=0; nradservers < MAXRADIUS && nradservers < argc -2; nradservers++){
 		char *s = 0;
-		if((s=strchr(argv[nradservers + 2], '/'))){
+		if((s=strchr((char *)argv[nradservers + 2], '/'))){
 			*s = 0;
 			s++;
 		}
 		if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
-		if( s && !getip46(46, s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
+		if( s && !getip46(46, (unsigned char *)s, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
 		if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
 		port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
 		radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
  	        *SAPORT(&radiuslist[nradservers].logaddr) = htons(port+1);
-/*
-		bindaddr = radiuslist[nradservers].localaddr;
-		if ((radiuslist[nradservers].logsock = so._socket(SASOCK(&radiuslist[nradservers].logaddr), SOCK_DGRAM, 0)) < 0) return 2;
-		if (so._bind(radiuslist[nradservers].logsock, (struct sockaddr *)&bindaddr, SASIZE(&bindaddr))) return 3;
-*/
 	}
 	return 0;
 }
 #endif
 static int h_authcache(int argc, unsigned char **argv){
+	int authcachesize = 0;
+
 	conf.authcachetype = 0;
 	if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
 	if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
@@ -1390,13 +1444,35 @@ static int h_authcache(int argc, unsigned char **argv){
 	if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
 	if(strstr((char *) *(argv + 1), "acl")) conf.authcachetype |= 16;
 	if(strstr((char *) *(argv + 1), "ext")) conf.authcachetype |= 32;
+	if(strstr((char *) *(argv + 1), "dstaddr")) conf.authcachetype |= 64;
+	if(strstr((char *) *(argv + 1), "dstport")) conf.authcachetype |= 128;
+	if(strstr((char *) *(argv + 1), "dsthost")) conf.authcachetype |= 256;
+	if(strstr((char *) *(argv + 1), "dstoper")) conf.authcachetype |= 512;
+	if(strstr((char *) *(argv + 1), "srvaddr")) conf.authcachetype |= 1024;
+	if(strstr((char *) *(argv + 1), "srvport")) conf.authcachetype |= 2048;
 	if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
+	if(argc > 3) authcachesize  = (unsigned) atoi((char *) *(argv + 3));
 	if(!conf.authcachetype) conf.authcachetype = 6;
 	if(!conf.authcachetime) conf.authcachetime = 600;
+	if(!authcachesize) authcachesize = 65536*4;
+	if(auth_table.growlimit != authcachesize && inithashtable(&auth_table, authcachesize < 1024? authcachesize:1024, authcachesize < 1024? authcachesize:1024, authcachesize)){
+		fprintf(stderr, "Failed to initialize auth cache\n");
+		return 2;
+	}
 	return 0;
 }
 
 static int h_plugin(int argc, unsigned char **argv){
+#ifdef WITH_SSL
+	if(argc >= 3 && !strcmp((char *)argv[2], "ssl_plugin")){
+		return 0;
+	}
+#endif
+#ifdef WITH_PCRE
+	if(argc >= 3 && !strcmp((char *)argv[2], "pcre_plugin")){
+		return 0;
+	}
+#endif
 #ifdef NOPLUGINS
 	return 999;
 #else
@@ -1426,9 +1502,15 @@ static int h_plugin(int argc, unsigned char **argv){
 #else	
 	void *hi, *fp;
 	hi = dlopen((char *)argv[1], RTLD_LAZY);
-	if(!hi) return 1;
+	if(!hi) {
+	    fprintf(stderr, "%s", dlerror());
+	    return 1;
+	}
 	fp = dlsym(hi, (char *)argv[2]);
-	if(!fp) return 2;
+	if(!fp) {
+	    fprintf(stderr, "%s", dlerror());
+	    return 2;
+	}
 	return (*(PLUGINFUNC)fp)(&pluginlink, argc - 2, (char **)argv + 2);
 #endif
 #endif
@@ -1511,7 +1593,7 @@ static int h_chroot(int argc, unsigned char **argv){
 			p--;
 			*p = 0;
 		}
-		chrootp = mystrdup((char *)argv[1]);
+		chrootp = strdup((char *)argv[1]);
 		if(!chrootp) return 21;
 	}
 	if (gid && setregid(gid,gid)) {
@@ -1522,7 +1604,7 @@ static int h_chroot(int argc, unsigned char **argv){
 		fprintf(stderr, "Unable to set uid %d", (int)uid);
 		return(5);
 	}
-	chdir("/");
+	if(chdir("/")){}
 	return 0;
 }
 #endif
@@ -1593,7 +1675,7 @@ struct commands commandhandlers[]={
 	{commandhandlers+53, "filtermaxsize", h_filtermaxsize, 2, 2},
 	{commandhandlers+54, "nolog", h_nolog, 1, 1},
 	{commandhandlers+55, "weight", h_nolog, 2, 2},
-	{commandhandlers+56, "authcache", h_authcache, 2, 3},
+	{commandhandlers+56, "authcache", h_authcache, 2, 4},
 	{commandhandlers+57, "smtpp", h_proxy, 1, 0},
 	{commandhandlers+58, "delimchar",h_delimchar, 2, 2},
 	{commandhandlers+59, "authnserver", h_authnserver, 2, 2},
@@ -1601,8 +1683,12 @@ struct commands commandhandlers[]={
 	{commandhandlers+61, "force", h_force, 1, 1},
 	{commandhandlers+62, "noforce", h_noforce, 1, 1},
 	{commandhandlers+63, "parentretries", h_parentretries, 2, 2},
+	{commandhandlers+64, "auto", h_proxy, 1, 0},
+	{commandhandlers+65, "backlog", h_backlog, 2, 2},
+	{commandhandlers+66, "tlspr", h_proxy, 1, 0},
+	{commandhandlers+67, "maxseg", h_maxseg, 2, 2},
 #ifndef NORADIUS
-	{commandhandlers+64, "radius", h_radius, 3, 0},
+	{commandhandlers+68, "radius", h_radius, 3, 0},
 #endif
 	{specificcommands, 	 "", h_noop, 1, 0}
 };
@@ -1629,7 +1715,7 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 	 }
          switch(*str){
 		case '\0': 
-			if(comment) return -1;
+			if(comment || incbegin) return -1;
 			argm[argc] = 0;
 			return argc;
 		case '$':
@@ -1653,28 +1739,28 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 				*str = 0;
 				space = 1;
 				if(incbegin){
-					argc--;
-					if((fd = open((char *)incbegin+1, O_RDONLY)) <= 0){
+					if(argc) argc--;
+					if((fd = open((char *)incbegin+1, O_RDONLY)) < 0){
 						fprintf(stderr, "Failed to open %s\n", incbegin+1);
-						break;
+						return -1;
 					}
 					if((*bufsize - *inbuf)  0 && argm[argc]!=(incbegin+1)) {
 						len = (int)strlen((char *)argm[argc]);
 						memmove(buf+*inbuf, argm[argc], len);
 					}
 					if((res = read(fd, buf+*inbuf+len, STRINGBUF-(1+len))) <= 0) {
 						perror((char *)incbegin+1);
 						close(fd);
-						break;
+						return -1;
 					}
 					close(fd);
 					buf[*inbuf+res+len] = 0;
@@ -1713,7 +1799,7 @@ int readconfig(FILE * fp){
   struct commands * cm;
   int res = 0;
 
-  if( !(buf = myalloc(bufsize)) || ! (argv = myalloc((NPARAMS + 1) * sizeof(unsigned char *))) ) {
+  if( !(buf = malloc(bufsize)) || ! (argv = malloc((NPARAMS + 1) * sizeof(unsigned char *))) ) {
 		fprintf(stderr, "No memory for configuration");
 		return(10);
   }
@@ -1743,21 +1829,25 @@ int readconfig(FILE * fp){
 
 	res = 1;
 	for(cm = commandhandlers; cm; cm = cm->next){
-		if(!strcmp((char *)argv[0], (char *)cm->command) && argc >= cm->minargs && (!cm->maxargs || argc <= cm->maxargs)){
-			res = (*cm->handler)(argc, argv);
-			if(res > 0){
-				fprintf(stderr, "Command: '%s' failed with code %d, line %d\n", argv[0], res, linenum);
-				return(linenum);
-			}
-			if(!res) break;
+		if(!strcmp((char *)argv[0], (char *)cm->command)){
+		    if(argc < cm->minargs || (cm->maxargs && argc > cm->maxargs)){
+			fprintf(stderr, "Command: '%s' wrong number of arguments , line %d\n", argv[0], linenum);
+			return(linenum);
+		    }
+		    res = (*cm->handler)(argc, argv);
+		    if(res > 0){
+			fprintf(stderr, "Command: '%s' failed with code %d, line %d\n", argv[0], res, linenum);
+			return(linenum);
+		    }
+		    if(!res) break;
 		}
 	}
 	if(res != 1)continue;
 	fprintf(stderr, "Unknown command: '%s' line %d\n", argv[0], linenum);
 	return(linenum);
   }
-  myfree(buf);
-  myfree(argv);
+  free(buf);
+  free(argv);
   return 0;
 
 }
@@ -1766,8 +1856,8 @@ int readconfig(FILE * fp){
 
 void freepwl(struct passwords *pwl){
 	for(; pwl; pwl = (struct passwords *)itfree(pwl, pwl->next)){
-		if(pwl->user)myfree(pwl->user);
-		if(pwl->password)myfree(pwl->password);
+		if(pwl->user)free(pwl->user);
+		if(pwl->password)free(pwl->password);
 	}
 }
 
@@ -1777,11 +1867,9 @@ void freeconf(struct extparam *confp){
  struct bandlim * blout;
  struct connlim * cl;
  struct trafcount * tc;
- struct passwords *pw;
  struct ace *acl;
  struct filemon *fm;
  int counterd, archiverc;
- unsigned char *logname, *logtarget;
  unsigned char **archiver;
  unsigned char * logformat;
 
@@ -1790,40 +1878,30 @@ void freeconf(struct extparam *confp){
 
 
 
- pthread_mutex_lock(&tc_mutex);
+ _3proxy_mutex_lock(&tc_mutex);
  confp->trafcountfunc = NULL;
  tc = confp->trafcounter;
  confp->trafcounter = NULL;
  counterd = confp->counterd;
  confp->counterd = -1;
  confp->countertype = NONE;
- pthread_mutex_unlock(&tc_mutex);
+ _3proxy_mutex_unlock(&tc_mutex);
 
- pthread_mutex_lock(&bandlim_mutex);
+ _3proxy_mutex_lock(&bandlim_mutex);
  bl = confp->bandlimiter;
  blout = confp->bandlimiterout;
  confp->bandlimiter = NULL;
  confp->bandlimiterout = NULL;
  confp->bandlimfunc = NULL;
  confp->bandlimver++;
- pthread_mutex_unlock(&bandlim_mutex);
- pthread_mutex_lock(&connlim_mutex);
+ _3proxy_mutex_unlock(&bandlim_mutex);
+ _3proxy_mutex_lock(&connlim_mutex);
  cl = confp->connlimiter;
  confp->connlimiter = NULL;
- pthread_mutex_unlock(&connlim_mutex);
+ _3proxy_mutex_unlock(&connlim_mutex);
 
- pthread_mutex_lock(&pwl_mutex);
- pw = confp->pwl;
- confp->pwl = NULL;
- pthread_mutex_unlock(&pwl_mutex);
+ destroyhashtable(&pwl_table);
 
-
-/*
- logtarget = confp->logtarget;
- confp->logtarget = NULL;
- logname = confp->logname;
- confp->logname = NULL;
-*/
  confp->logfunc = lognone;
  logformat = confp->logformat;
  confp->logformat = NULL;
@@ -1847,6 +1925,7 @@ void freeconf(struct extparam *confp){
  *SAFAMILY(&confp->intsa) = AF_INET;
  *SAFAMILY(&confp->extsa) = AF_INET;
  confp->maxchild = 100;
+ confp->backlog = 0;
  resolvfunc = NULL;
  numservers = 0;
  acl = confp->acl;
@@ -1860,13 +1939,12 @@ void freeconf(struct extparam *confp){
  }
  if(tc)dumpcounters(tc,counterd);
  for(; tc; tc = (struct trafcount *) itfree(tc, tc->next)){
-	if(tc->comment)myfree(tc->comment);
+	if(tc->comment)free(tc->comment);
 	freeacl(tc->ace);
  }
 
  
  freeacl(acl);
- freepwl(pw);
  for(; bl; bl = (struct bandlim *) itfree(bl, bl->next)) freeacl(bl->ace);
  for(; blout; blout = (struct bandlim *) itfree(blout, blout->next))freeacl(blout->ace);
  for(; cl; cl = (struct connlim *) itfree(cl, cl->next)) freeacl(cl->ace);
@@ -1875,22 +1953,14 @@ void freeconf(struct extparam *confp){
 	close(counterd);
  }
  for(; fm; fm = (struct filemon *)itfree(fm, fm->next)){
-	if(fm->path) myfree(fm->path);
+	if(fm->path) free(fm->path);
  }
-/*
- if(logtarget) {
-	myfree(logtarget);
- }
- if(logname) {
-	myfree(logname);
- }
-*/
  if(logformat) {
-	myfree(logformat);
+	free(logformat);
  }
  if(archiver) {
-	for(i = 0; i < archiverc; i++) myfree(archiver[i]);
-	myfree(archiver);
+	for(i = 0; i < archiverc; i++) free(archiver[i]);
+	free(archiver);
  }
  havelog = 0;
 }
@@ -1899,6 +1969,13 @@ int reload (void){
 	FILE *fp;
 	int error = -2;
 
+	_3proxy_mutex_lock(&config_mutex);
+#ifdef WITH_SSL
+	ssl_install();
+#endif
+#ifdef WITH_PCRE
+	pcre_install();
+#endif
 	conf.paused++;
 	freeconf(&conf);
 	conf.paused++;
@@ -1912,5 +1989,6 @@ int reload (void){
 		}
 		if(!writable)fclose(fp);
 	}
+	_3proxy_mutex_unlock(&config_mutex);
 	return error;
 }
diff --git a/src/datatypes.c b/src/datatypes.c
index fb304ed..467723d 100644
--- a/src/datatypes.c
+++ b/src/datatypes.c
@@ -1,5 +1,5 @@
 /*
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -9,7 +9,7 @@
 
 static void pr_unsigned64(struct node *node, CBFUNC cbf, void*cb){
 	char buf[32];
-	if(node->value)(*cbf)(cb, buf, sprintf(buf, "%"PRINTF_INT64_MODIFIER"u", *(uint64_t *)node->value));
+	if(node->value)(*cbf)(cb, buf, sprintf(buf, "%"PRIu64"", *(uint64_t *)node->value));
 }
 
 static void pr_integer(struct node *node, CBFUNC cbf, void*cb){
@@ -44,7 +44,7 @@ static void pr_traffic(struct node *node, CBFUNC cbf, void*cb){
 
 static void pr_port(struct node *node, CBFUNC cbf, void*cb){
 	char buf[8];
-	if(node->value)(*cbf)(cb, buf, sprintf(buf, "%hu", ntohs(*(unsigned short*)node->value)));
+	if(node->value)(*cbf)(cb, buf, sprintf(buf, "%hu", (unsigned short)ntohs(*(uint16_t*)node->value)));
 }
 
 static void pr_datetime(struct node *node, CBFUNC cbf, void*cb){
@@ -96,7 +96,7 @@ static void pr_wdays(struct node *node, CBFUNC cbf, void*cb){
 static void pr_time(struct node *node, CBFUNC cbf, void*cb){
 	char buf[16];
 	int t = *(int *)node;
-	
+
 	(*cbf)(cb, buf, sprintf(buf, "%02d:%02d:%02d", (t/3600)%24, (t/60)%60, t%60));
 }
 
@@ -132,6 +132,12 @@ static void pr_string(struct node *node, CBFUNC cbf, void*cb){
 	else (*cbf)(cb, "(NULL)", 6);
 }
 
+static void pr_password(struct node *node, CBFUNC cbf, void*cb){
+	if(node->value && *(unsigned char *)node->value){
+		(*cbf)(cb, "********", 8);
+	}
+}
+
 static void pr_rotation(struct node *node, CBFUNC cbf, void*cb){
 	char * lstrings[] = {
 		"N", "C", "H", "D", "W", "M", "Y", "N"
@@ -156,7 +162,7 @@ static void pr_operations(struct node *node, CBFUNC cbf, void*cb){
 	if(operation & HTTP){
 		if((operation & HTTP) == HTTP)
 		 (*cbf)(cb, buf, sprintf(buf, "HTTP"));
-		else 
+		else
 		 (*cbf)(cb, buf, sprintf(buf, "%s%s%s%s%s%s%s%s%s",
 			(operation & HTTP_GET)? "HTTP_GET" : "",
 			((operation & HTTP_GET) && (operation & (HTTP_PUT|HTTP_POST|HTTP_HEAD|HTTP_OTHER)))? "," : "",
@@ -239,6 +245,18 @@ static void pr_userlist(struct node *node, CBFUNC cbf, void*cb){
 	}
 }
 
+static void pr_hostname(struct node *node, CBFUNC cbf, void*cb){
+	struct hostname *hl = (struct hostname *)node->value;
+	if(!hl) {
+		(*cbf)(cb, "*", 1);
+		return;
+	}
+	for(; hl; hl = hl->next){
+	 (*cbf)(cb, (char *)hl->name, (int)strlen((char *)hl->name));
+	 if(hl->next)(*cbf)(cb, ",", 1);
+	}
+}
+
 int printiple(char *buf, struct iplist* ipl){
 	 int addrlen = (ipl->family == AF_INET6)?16:4, i;
 	 i = myinet_ntop(ipl->family, &ipl->ip_from, buf, addrlen);
@@ -315,34 +333,36 @@ static void * ef_pwlist_type(struct node * node){
 			return "NT";
 		case LM:
 			return "LM";
+		case UN:
+			return "UN";
 		default:
 			return "UNKNOWN";
 	}
 }
 
+static void * ef_hostname_next(struct node * node){
+	return ((struct hostname *)node->value) -> next;
+}
+
+static void * ef_hostname_name(struct node * node){
+	return ((struct hostname *)node->value) -> name;
+}
+
+static void * ef_hostname_matchtype(struct node * node){
+	return &((struct hostname *)node->value) -> matchtype;
+}
+
 static void * ef_chain_next(struct node * node){
 	return ((struct chain *)node->value) -> next;
 }
 
 static void * ef_chain_type(struct node * node){
-	switch (((struct chain *)node->value) -> type) {
-		case R_TCP:
-			return "tcp";
-		case R_CONNECT:
-			return "connect";
-		case R_SOCKS4:
-			return "socks4";
-		case R_SOCKS5:
-			return "socks5";
-		case R_HTTP:
-			return "http";
-		case R_FTP:
-			return "ftp";
-		case R_POP3:
-			return "pop3";
-		default:
-			return "";
+	int i;
+
+	for(i=0; redirs[i].name; i++){
+	    if(((struct chain *)node->value) -> type == redirs[i].redir) return redirs[i].name;
 	}
+	return "";
 }
 
 static void * ef_chain_addr(struct node * node){
@@ -361,6 +381,18 @@ static void * ef_chain_password(struct node * node){
 	return ((struct chain *)node->value) -> extpass;
 }
 
+static void * ef_chain_secure(struct node * node){
+	return &((struct chain *)node->value) -> secure;
+}
+
+static void * ef_chain_exthost(struct node * node){
+	return ((struct chain *)node->value) -> exthost;
+}
+
+static void * ef_chain_cidr(struct node * node){
+	return &((struct chain *)node->value) -> cidr;
+}
+
 static void * ef_ace_next(struct node * node){
 	return ((struct ace *)node->value) -> next;
 }
@@ -391,6 +423,9 @@ static void * ef_ace_dst(struct node * node){
 	return ((struct ace *)node->value) -> dst;
 }
 
+static void * ef_ace_dstnames(struct node * node){
+	return ((struct ace *)node->value) -> dstnames;
+}
 
 static void * ef_ace_ports(struct node * node){
 	return ((struct ace *)node->value) -> ports;
@@ -408,6 +443,13 @@ static void * ef_ace_period(struct node * node){
 	return ((struct ace *)node->value) -> periods;
 }
 
+static void * ef_ace_weight(struct node * node){
+	return &((struct ace *)node->value) -> weight;
+}
+
+static void * ef_ace_nolog(struct node * node){
+	return &((struct ace *)node->value) -> nolog;
+}
 
 static void * ef_bandlimit_next(struct node * node){
 	return ((struct bandlim *)node->value) -> next;
@@ -501,6 +543,14 @@ static void * ef_server_childcount(struct node * node){
 	return &((struct srvparam *)node->value) -> childcount;
 }
 
+static void * ef_server_maxchild(struct node * node){
+	return &((struct srvparam *)node->value) -> maxchild;
+}
+
+static void * ef_server_backlog(struct node * node){
+	return &((struct srvparam *)node->value) -> backlog;
+}
+
 static void * ef_server_log(struct node * node){
 	if(((struct srvparam *)node->value) -> logfunc == lognone)	return "none";
 #ifndef NORADIUS
@@ -511,7 +561,7 @@ static void * ef_server_log(struct node * node){
 #ifndef _WIN32
 	else if(((struct srvparam *)node->value) -> logfunc == logsyslog)	return "syslog";
 #endif
-#ifndef NOODBC
+#ifdef WITH_ODBC
 	else if(((struct srvparam *)node->value) -> logfunc == logsql)	return "odbc";
 #endif
 	return NULL;
@@ -557,16 +607,68 @@ static void * ef_server_extsa6(struct node * node){
 }
 #endif
 
+static void * ef_server_intNat(struct node * node){
+	return &((struct srvparam *)node->value) -> intNat;
+}
+
+static void * ef_server_extNat(struct node * node){
+	return &((struct srvparam *)node->value) -> extNat;
+}
+
 static void * ef_server_acl(struct node * node){
 	return ((struct srvparam *)node->value) -> acl;
 }
 
 static void * ef_server_singlepacket(struct node * node){
-	return &((struct srvparam *)node->value) -> singlepacket;
+	return &((struct srvparam *)node->value) -> s_option;
 }
 
-static void * ef_server_usentlm(struct node * node){
-	return &((struct srvparam *)node->value) -> usentlm;
+static void * ef_server_needuser(struct node * node){
+	return &((struct srvparam *)node->value) -> needuser;
+}
+
+static void * ef_server_transparent(struct node * node){
+	return &((struct srvparam *)node->value) -> transparent;
+}
+
+static void * ef_server_anonymous(struct node * node){
+	return &((struct srvparam *)node->value) -> anonymous;
+}
+
+static void * ef_server_requirecert(struct node * node){
+	return &((struct srvparam *)node->value) -> requirecert;
+}
+
+static void * ef_server_haproxy(struct node * node){
+	return &((struct srvparam *)node->value) -> haproxy;
+}
+
+static void * ef_server_authcachetype(struct node * node){
+	return &((struct srvparam *)node->value) -> authcachetype;
+}
+
+static void * ef_server_authcachetime(struct node * node){
+	return &((struct srvparam *)node->value) -> authcachetime;
+}
+
+static void * ef_server_gracetraf(struct node * node){
+	return &((struct srvparam *)node->value) -> gracetraf;
+}
+
+static void * ef_server_gracenum(struct node * node){
+	return &((struct srvparam *)node->value) -> gracenum;
+}
+
+static void * ef_server_gracedelay(struct node * node){
+	return &((struct srvparam *)node->value) -> gracedelay;
+}
+
+static void * ef_server_logdumpsrv(struct node * node){
+	return &((struct srvparam *)node->value) -> logdumpsrv;
+}
+
+static void * ef_server_logdumpcli(struct node * node){
+	return &((struct srvparam *)node->value) -> logdumpcli;
 }
 
 static void * ef_server_starttime(struct node * node){
@@ -586,12 +688,12 @@ static void * ef_client_type(struct node * node){
 static void * ef_client_operation(struct node * node){
 	if(!((struct clientparam *)node->value) -> operation) return NULL;
 	return &((struct clientparam *)node->value) -> operation;
-	
+
 }
 
 static void * ef_client_redirected(struct node * node){
 	return &((struct clientparam *)node->value) -> redirected;
-	
+
 }
 
 static void * ef_client_hostname(struct node * node){
@@ -630,6 +732,26 @@ static void * ef_client_pwtype(struct node * node){
 	return &((struct clientparam *)node->value) -> pwtype;
 }
 
+static void * ef_client_redirtype(struct node * node){
+	int i;
+	for(i=0; redirs[i].name; i++){
+	    if(((struct clientparam *)node->value) -> redirtype == redirs[i].redir) return redirs[i].name;
+	}
+	return "";
+}
+
+static void * ef_client_weight(struct node * node){
+	return &((struct clientparam *)node->value) -> weight;
+}
+
+static void * ef_client_nolog(struct node * node){
+	return &((struct clientparam *)node->value) -> nolog;
+}
+
+static void * ef_client_transparent(struct node * node){
+	return &((struct clientparam *)node->value) -> transparent;
+}
+
 static void * ef_client_threadid(struct node * node){
 	return &((struct clientparam *)node->value) -> threadid;
 }
@@ -663,155 +785,179 @@ static void * ef_period_next(struct node * node){
 }
 
 static struct property prop_portlist[] = {
-	{prop_portlist + 1, "start", ef_portlist_start, TYPE_PORT, "port range start"},
-	{prop_portlist + 2, "end", ef_portlist_end, TYPE_PORT, "port range end"},
-	{NULL, "next", ef_portlist_next, TYPE_PORTLIST, "next"}
+	{"start", ef_portlist_start, TYPE_PORT, "port range start"},
+	{"end", ef_portlist_end, TYPE_PORT, "port range end"},
+	{"next", ef_portlist_next, TYPE_PORTLIST, "next"}
 };
 
 static struct property prop_userlist[] = {
-	{prop_userlist+1, "user", ef_userlist_user, TYPE_STRING, "user name"},
-	{NULL, "next", ef_userlist_next, TYPE_USERLIST, "next"}
+	{"user", ef_userlist_user, TYPE_STRING, "user name"},
+	{"next", ef_userlist_next, TYPE_USERLIST, "next"}
+};
+
+static struct property prop_hostname[] = {
+	{"name", ef_hostname_name, TYPE_STRING, "hostname pattern"},
+	{"matchtype", ef_hostname_matchtype, TYPE_INTEGER, "match type"},
+	{"next", ef_hostname_next, TYPE_HOSTNAME, "next"}
 };
 
 static struct property prop_pwlist[] = {
-	{prop_pwlist + 1, "user", ef_pwlist_user, TYPE_STRING, "user name"},
-	{prop_pwlist + 2, "password", ef_pwlist_password, TYPE_STRING, "password string"},
-	{prop_pwlist + 3, "type", ef_pwlist_type, TYPE_STRING, "password type"},
-	{NULL, "next", ef_pwlist_next, TYPE_PWLIST, "next"}
+	{"user", ef_pwlist_user, TYPE_STRING, "user name"},
+	{"password", ef_pwlist_password, TYPE_PASSWORD, "password string"},
+	{"type", ef_pwlist_type, TYPE_STRING, "password type"},
+	{"next", ef_pwlist_next, TYPE_PWLIST, "next"}
 };
 
 static struct property prop_chain[] = {
-	{prop_chain + 1, "addr", ef_chain_addr, TYPE_SA, "parent address"},
-	{prop_chain + 2, "type", ef_chain_type, TYPE_STRING, "parent type"},
-	{prop_chain + 3, "weight", ef_chain_weight, TYPE_SHORT, "parent weight 0-1000"},
-	{prop_chain + 4, "user", ef_chain_user, TYPE_STRING, "parent login"},
-	{prop_chain + 5, "password", ef_chain_password, TYPE_STRING, "parent password"},
-	{NULL, "next", ef_chain_next, TYPE_CHAIN, "next"}
+	{"addr", ef_chain_addr, TYPE_SA, "parent address"},
+	{"type", ef_chain_type, TYPE_STRING, "parent type"},
+	{"weight", ef_chain_weight, TYPE_SHORT, "parent weight 0-1000"},
+	{"user", ef_chain_user, TYPE_STRING, "parent login"},
+	{"password", ef_chain_password, TYPE_PASSWORD, "parent password"},
+	{"secure", ef_chain_secure, TYPE_INTEGER, "secure mode"},
+	{"exthost", ef_chain_exthost, TYPE_STRING, "external hostname"},
+	{"cidr", ef_chain_cidr, TYPE_SHORT, "CIDR"},
+	{"next", ef_chain_next, TYPE_CHAIN, "next"}
 };
 
 static struct property prop_period[] = {
-	{prop_period + 1, "fromtime", ef_period_fromtime, TYPE_TIME, "from time" },
-	{prop_period + 2, "totime", ef_period_totime, TYPE_TIME, "to time" },
-	{NULL, "next", ef_period_next, TYPE_PERIOD, "next"}
+	{"fromtime", ef_period_fromtime, TYPE_TIME, "from time" },
+	{"totime", ef_period_totime, TYPE_TIME, "to time" },
+	{"next", ef_period_next, TYPE_PERIOD, "next"}
 };
 
 static struct property prop_ace[] = {
-	{prop_ace + 1, "type", ef_ace_type, TYPE_STRING, "ace action"},
-	{prop_ace + 2, "operations", ef_ace_operations, TYPE_OPERATIONS, "request type"},
-	{prop_ace + 3, "users", ef_ace_users, TYPE_USERLIST, "list of users"},
-	{prop_ace + 4, "src", ef_ace_src, TYPE_IPLIST, "list of source ips"},
-	{prop_ace + 5, "dst", ef_ace_dst, TYPE_IPLIST, "list of destination ips"},
-	{prop_ace + 6, "ports", ef_ace_ports, TYPE_PORTLIST, "list of destination ports"},
-	{prop_ace + 7, "chain", ef_ace_chain, TYPE_CHAIN, "redirect to parent(s)"},
-	{prop_ace + 8, "wdays", ef_ace_weekdays, TYPE_WEEKDAYS, "days of week"},
-	{prop_ace + 9, "periods", ef_ace_period, TYPE_PERIOD, "time of the day"},
-	{NULL, "next", ef_ace_next, TYPE_ACE, "next"}
+	{"type", ef_ace_type, TYPE_STRING, "ace action"},
+	{"operations", ef_ace_operations, TYPE_OPERATIONS, "request type"},
+	{"users", ef_ace_users, TYPE_USERLIST, "list of users"},
+	{"src", ef_ace_src, TYPE_IPLIST, "list of source ips"},
+	{"dst", ef_ace_dst, TYPE_IPLIST, "list of destination ips"},
+	{"dstnames", ef_ace_dstnames, TYPE_HOSTNAME, "list of destination hostnames"},
+	{"ports", ef_ace_ports, TYPE_PORTLIST, "list of destination ports"},
+	{"chain", ef_ace_chain, TYPE_CHAIN, "redirect to parent(s)"},
+	{"wdays", ef_ace_weekdays, TYPE_WEEKDAYS, "days of week"},
+	{"periods", ef_ace_period, TYPE_PERIOD, "time of the day"},
+	{"weight", ef_ace_weight, TYPE_INTEGER, "ace weight"},
+	{"nolog", ef_ace_nolog, TYPE_INTEGER, "do not log"},
+	{"next", ef_ace_next, TYPE_ACE, "next"}
 };
 
 static struct property prop_bandlimit[] = {
-	{prop_bandlimit + 1, "ace", ef_bandlimit_ace, TYPE_ACE, "acl to apply"},
-	{prop_bandlimit + 2, "rate", ef_bandlimit_rate, TYPE_UNSIGNED, "max allowed bandwidth"},
-	{NULL, "next", ef_bandlimit_next, TYPE_BANDLIMIT, "next"}
+	{"ace", ef_bandlimit_ace, TYPE_ACE, "acl to apply"},
+	{"rate", ef_bandlimit_rate, TYPE_UNSIGNED, "max allowed bandwidth"},
+	{"next", ef_bandlimit_next, TYPE_BANDLIMIT, "next"}
 };
 
 static struct property prop_trafcounter[] = {
-	{prop_trafcounter + 1, "disabled", ef_trafcounter_disabled, TYPE_INTEGER, "counter status"},
-	{prop_trafcounter + 2, "ace", ef_trafcounter_ace, TYPE_ACE, "traffic to count"},
-	{prop_trafcounter + 3, "number", ef_trafcounter_number, TYPE_UNSIGNED, "counter number"},
-	{prop_trafcounter + 4, "type", ef_trafcounter_type, TYPE_ROTATION, "rotation type"},
-
-
-	{prop_trafcounter + 5, "traffic", ef_trafcounter_traffic64, TYPE_UNSIGNED64, "counter value"},
-	{prop_trafcounter + 6, "limit", ef_trafcounter_limit64, TYPE_UNSIGNED64, "counter limit"},
-	{prop_trafcounter + 7, "cleared", ef_trafcounter_cleared, TYPE_DATETIME, "last rotated"},
-	{prop_trafcounter + 8, "updated", ef_trafcounter_updated, TYPE_DATETIME, "last updated"},
-	{prop_trafcounter + 9, "comment", ef_trafcounter_comment, TYPE_STRING, "counter comment"},
-	{NULL, "next", ef_trafcounter_next, TYPE_TRAFCOUNTER}
+	{"disabled", ef_trafcounter_disabled, TYPE_INTEGER, "counter status"},
+	{"ace", ef_trafcounter_ace, TYPE_ACE, "traffic to count"},
+	{"number", ef_trafcounter_number, TYPE_UNSIGNED, "counter number"},
+	{"type", ef_trafcounter_type, TYPE_ROTATION, "rotation type"},
+	{"traffic", ef_trafcounter_traffic64, TYPE_UNSIGNED64, "counter value"},
+	{"limit", ef_trafcounter_limit64, TYPE_UNSIGNED64, "counter limit"},
+	{"cleared", ef_trafcounter_cleared, TYPE_DATETIME, "last rotated"},
+	{"updated", ef_trafcounter_updated, TYPE_DATETIME, "last updated"},
+	{"comment", ef_trafcounter_comment, TYPE_STRING, "counter comment"},
+	{"next", ef_trafcounter_next, TYPE_TRAFCOUNTER, "next"}
 };
 
-/*
-*/
-
 static struct property prop_server[] = {
-	{prop_server + 1, "servicetype", ef_server_type, TYPE_STRING, "type of the service/client"},
-	{prop_server + 2, "target", ef_server_target, TYPE_STRING, "portmapper target ip"},
-	{prop_server + 3, "targetport", ef_server_targetport, TYPE_PORT, "portmapper target port"},
-	{prop_server + 4, "starttime", ef_server_starttime, TYPE_DATETIME, "service started seconds"},
-	{prop_server + 5, "auth", ef_server_auth, TYPE_STRING, "service authentication type"},
-	{prop_server + 6, "acl", ef_server_acl, TYPE_ACE, "access control list"},
-	{prop_server + 7, "singlepacket", ef_server_singlepacket, TYPE_INTEGER, "is single packet redirection"},
-	{prop_server + 8, "usentlm", ef_server_usentlm, TYPE_INTEGER, "allow NTLM authentication"},
-	{prop_server + 9, "log", ef_server_log, TYPE_STRING, "type of logging"},
-	{prop_server + 10, "logtarget", ef_server_logtarget, TYPE_STRING, "log target options"},
-	{prop_server + 11, "logformat", ef_server_logformat, TYPE_STRING, "logging format string"},
-	{prop_server + 12, "nonprintable", ef_server_nonprintable, TYPE_STRING, "non printable characters"},
-	{prop_server + 13, "replacement", ef_server_replacement, TYPE_CHAR, "replacement character"},
-	{prop_server + 14, "childcount", ef_server_childcount, TYPE_INTEGER, "number of servers connected"},
-	{prop_server + 15, "intsa", ef_server_intsa, TYPE_SA, "ip address of internal interface"},
-	{prop_server + 16, "extsa", ef_server_extsa, TYPE_SA, "ip address of external interface"},
+	{"servicetype", ef_server_type, TYPE_STRING, "type of the service/client"},
+	{"target", ef_server_target, TYPE_STRING, "portmapper target ip"},
+	{"targetport", ef_server_targetport, TYPE_PORT, "portmapper target port"},
+	{"starttime", ef_server_starttime, TYPE_DATETIME, "service started seconds"},
+	{"auth", ef_server_auth, TYPE_STRING, "service authentication type"},
+	{"acl", ef_server_acl, TYPE_ACE, "access control list"},
+	{"singlepacket", ef_server_singlepacket, TYPE_INTEGER, "is single packet redirection"},
+	{"log", ef_server_log, TYPE_STRING, "type of logging"},
+	{"logtarget", ef_server_logtarget, TYPE_STRING, "log target options"},
+	{"logformat", ef_server_logformat, TYPE_STRING, "logging format string"},
+	{"nonprintable", ef_server_nonprintable, TYPE_STRING, "non printable characters"},
+	{"replacement", ef_server_replacement, TYPE_CHAR, "replacement character"},
+	{"childcount", ef_server_childcount, TYPE_INTEGER, "number of servers connected"},
+	{"maxchild", ef_server_maxchild, TYPE_INTEGER, "max concurrent connections"},
+	{"backlog", ef_server_backlog, TYPE_INTEGER, "listen backlog"},
+	{"needuser", ef_server_needuser, TYPE_INTEGER, "require user authentication"},
+	{"transparent", ef_server_transparent, TYPE_INTEGER, "transparent proxy"},
+	{"anonymous", ef_server_anonymous, TYPE_INTEGER, "anonymous mode"},
+	{"requirecert", ef_server_requirecert, TYPE_INTEGER, "require client certificate"},
+	{"haproxy", ef_server_haproxy, TYPE_INTEGER, "HAProxy protocol"},
+	{"authcachetype", ef_server_authcachetype, TYPE_UNSIGNED, "authentication cache type"},
+	{"authcachetime", ef_server_authcachetime, TYPE_UNSIGNED, "authentication cache time"},
+	{"gracetraf", ef_server_gracetraf, TYPE_INTEGER, "grace traffic"},
+	{"gracenum", ef_server_gracenum, TYPE_INTEGER, "grace number"},
+	{"gracedelay", ef_server_gracedelay, TYPE_INTEGER, "grace delay"},
+	{"logdumpsrv", ef_server_logdumpsrv, TYPE_UNSIGNED, "log dump server traffic"},
+	{"logdumpcli", ef_server_logdumpcli, TYPE_UNSIGNED, "log dump client traffic"},
+	{"intsa", ef_server_intsa, TYPE_SA, "ip address of internal interface"},
+	{"extsa", ef_server_extsa, TYPE_SA, "ip address of external interface"},
+	{"intnat", ef_server_intNat, TYPE_SA, "internal NAT address"},
+	{"extnat", ef_server_extNat, TYPE_SA, "external NAT address"},
 #ifndef NOIPV6
-	{prop_server + 17, "extsa6", ef_server_extsa6, TYPE_SA, "ipv6 address of external interface"},
-	{prop_server + 18, "child", ef_server_child, TYPE_CLIENT, "connected clients"},
-#else
-	{prop_server + 17, "child", ef_server_child, TYPE_CLIENT, "connected clients"},
+	{"extsa6", ef_server_extsa6, TYPE_SA, "ipv6 address of external interface"},
 #endif
-	{NULL, "next", ef_server_next, TYPE_SERVER, "next"}
+	{"child", ef_server_child, TYPE_CLIENT, "connected clients"},
+	{"next", ef_server_next, TYPE_SERVER, "next"}
 };
 
 
 static struct property prop_client[] = {
-	{prop_client + 1, "servicetype", ef_client_type, TYPE_STRING, "type of the client"},
-	{prop_client + 2, "threadid", ef_client_threadid, TYPE_INTEGER, "process thread id"},
-	{prop_client + 3, "starttime", ef_client_starttime, TYPE_DATETIME, "client started seconds"},
-	{prop_client + 4, "starttime_msec", ef_client_starttime_msec, TYPE_UNSIGNED, "client started milliseconds"},
-	{prop_client + 5, "redirected", ef_client_redirected, TYPE_INTEGER, "number of redirections"},
-	{prop_client + 6, "operation", ef_client_operation, TYPE_OPERATIONS, "action requested by client"},
-	{prop_client + 7, "hostname", ef_client_hostname, TYPE_STRING, "name of the requested host"},
-	{prop_client + 8, "extusername", ef_client_extusername, TYPE_STRING, "username for requested host"},
-	{prop_client + 9, "extpassword", ef_client_extpassword, TYPE_STRING, "password for requested host"},
-	{prop_client + 10, "username", ef_client_username, TYPE_STRING, "client username"},
-	{prop_client + 11, "password", ef_client_password, TYPE_STRING, "client password"},
-	{prop_client + 12, "clisa", ef_client_clisa, TYPE_SA, "client sa"},
-	{prop_client + 13, "srvsa", ef_client_srvsa, TYPE_SA, "target server sa"},
-	{prop_client + 14, "reqsa", ef_client_reqsa, TYPE_SA, "requested server sa"},
-	{prop_client + 15, "bytesin", ef_client_bytesin64, TYPE_UNSIGNED64, "bytes from server to client"},
-	{prop_client + 16, "bytesout", ef_client_bytesout64, TYPE_UNSIGNED64, "bytes from client to server"},
-	{prop_client + 17, "maxtrafin", ef_client_maxtrafin64, TYPE_UNSIGNED64, "maximum traffic allowed for download"},
-	{prop_client + 18, "maxtrafout", ef_client_maxtrafout64, TYPE_UNSIGNED64, "maximum traffic allowed for upload"},
-	{prop_client + 19, "pwtype", ef_client_pwtype, TYPE_INTEGER, "type of client password"},
-	{prop_client + 20, "clisock", ef_client_clisock, TYPE_INTEGER, "client socket"},
-	{prop_client + 21, "remsock", ef_client_remsock, TYPE_INTEGER, "remote socket"},
-	{NULL, "next", ef_client_next, TYPE_CLIENT, "next"}
-
-	
+	{"servicetype", ef_client_type, TYPE_STRING, "type of the client"},
+	{"threadid", ef_client_threadid, TYPE_UNSIGNED64, "process thread id"},
+	{"starttime", ef_client_starttime, TYPE_DATETIME, "client started seconds"},
+	{"starttime_msec", ef_client_starttime_msec, TYPE_UNSIGNED, "client started milliseconds"},
+	{"redirected", ef_client_redirected, TYPE_INTEGER, "number of redirections"},
+	{"operation", ef_client_operation, TYPE_OPERATIONS, "action requested by client"},
+	{"hostname", ef_client_hostname, TYPE_STRING, "name of the requested host"},
+	{"extusername", ef_client_extusername, TYPE_STRING, "username for requested host"},
+	{"extpassword", ef_client_extpassword, TYPE_PASSWORD, "password for requested host"},
+	{"username", ef_client_username, TYPE_STRING, "client username"},
+	{"password", ef_client_password, TYPE_PASSWORD, "client password"},
+	{"clisa", ef_client_clisa, TYPE_SA, "client sa"},
+	{"srvsa", ef_client_srvsa, TYPE_SA, "target server sa"},
+	{"reqsa", ef_client_reqsa, TYPE_SA, "requested server sa"},
+	{"bytesin", ef_client_bytesin64, TYPE_UNSIGNED64, "bytes from server to client"},
+	{"bytesout", ef_client_bytesout64, TYPE_UNSIGNED64, "bytes from client to server"},
+	{"maxtrafin", ef_client_maxtrafin64, TYPE_UNSIGNED64, "maximum traffic allowed for download"},
+	{"maxtrafout", ef_client_maxtrafout64, TYPE_UNSIGNED64, "maximum traffic allowed for upload"},
+	{"pwtype", ef_client_pwtype, TYPE_INTEGER, "type of client password"},
+	{"redirtype", ef_client_redirtype, TYPE_STRING, "redirection type"},
+	{"weight", ef_client_weight, TYPE_INTEGER, "weight"},
+	{"nolog", ef_client_nolog, TYPE_INTEGER, "do not log"},
+	{"transparent", ef_client_transparent, TYPE_INTEGER, "transparent proxy"},
+	{"clisock", ef_client_clisock, TYPE_INTEGER, "client socket"},
+	{"remsock", ef_client_remsock, TYPE_INTEGER, "remote socket"},
+	{"next", ef_client_next, TYPE_CLIENT, "next"}
 };
 
 struct datatype datatypes[64] = {
-	{"integer", NULL, pr_integer, NULL},
-	{"short", NULL, pr_short, NULL},
-	{"char", NULL, pr_char, NULL},
-	{"unsigned", NULL, pr_unsigned, NULL},
-	{"unsigned64", NULL, pr_unsigned64, NULL},
-	{"traffic", NULL, pr_traffic, NULL},
-	{"port", NULL, pr_port, NULL},
-	{"ip", NULL, pr_ip, NULL},
-	{"sa", NULL, pr_sa, NULL},
-	{"cidr", NULL, pr_cidr, NULL},
-	{"string", NULL, pr_string, NULL},
-	{"datetime", NULL, pr_datetime, NULL},
-	{"operations", NULL, pr_operations, NULL},
-	{"rotation", NULL, pr_rotation, NULL},
-	{"portlist", ef_portlist_next, pr_portlist, prop_portlist},
-	{"iplist", ef_iplist_next, pr_iplist, NULL},
-	{"userlist", ef_userlist_next, pr_userlist, prop_userlist},
-	{"pwlist", ef_pwlist_next, NULL, prop_pwlist},
-	{"chain", ef_chain_next, NULL, prop_chain},
-	{"ace", ef_ace_next, NULL, prop_ace},
-	{"bandlimit", ef_bandlimit_next, NULL, prop_bandlimit},
-	{"trafcounter", ef_trafcounter_next, NULL, prop_trafcounter},
-	{"client", ef_client_next, NULL, prop_client},
-	{"weekdays", NULL, pr_wdays, NULL},
-	{"time", NULL, pr_time, NULL},
-	{"period", ef_period_next, NULL, prop_period},
-	{"server", ef_server_next, NULL, prop_server}
+	{"integer", NULL, pr_integer, NULL, 0},
+	{"short", NULL, pr_short, NULL, 0},
+	{"char", NULL, pr_char, NULL, 0},
+	{"unsigned", NULL, pr_unsigned, NULL, 0},
+	{"unsigned64", NULL, pr_unsigned64, NULL, 0},
+	{"traffic", NULL, pr_traffic, NULL, 0},
+	{"port", NULL, pr_port, NULL, 0},
+	{"ip", NULL, pr_ip, NULL, 0},
+	{"sa", NULL, pr_sa, NULL, 0},
+	{"cidr", NULL, pr_cidr, NULL, 0},
+	{"string", NULL, pr_string, NULL, 0},
+	{"datetime", NULL, pr_datetime, NULL, 0},
+	{"operations", NULL, pr_operations, NULL, 0},
+	{"rotation", NULL, pr_rotation, NULL, 0},
+	{"portlist", ef_portlist_next, pr_portlist, prop_portlist, sizeof(prop_portlist)/sizeof(struct property)},
+	{"iplist", ef_iplist_next, pr_iplist, NULL, 0},
+	{"userlist", ef_userlist_next, pr_userlist, prop_userlist, sizeof(prop_userlist)/sizeof(struct property)},
+	{"pwlist", ef_pwlist_next, NULL, prop_pwlist, sizeof(prop_pwlist)/sizeof(struct property)},
+	{"chain", ef_chain_next, NULL, prop_chain, sizeof(prop_chain)/sizeof(struct property)},
+	{"ace", ef_ace_next, NULL, prop_ace, sizeof(prop_ace)/sizeof(struct property)},
+	{"bandlimit", ef_bandlimit_next, NULL, prop_bandlimit, sizeof(prop_bandlimit)/sizeof(struct property)},
+	{"trafcounter", ef_trafcounter_next, NULL, prop_trafcounter, sizeof(prop_trafcounter)/sizeof(struct property)},
+	{"client", ef_client_next, NULL, prop_client, sizeof(prop_client)/sizeof(struct property)},
+	{"weekdays", NULL, pr_wdays, NULL, 0},
+	{"time", NULL, pr_time, NULL, 0},
+	{"period", ef_period_next, NULL, prop_period, sizeof(prop_period)/sizeof(struct property)},
+	{"server", ef_server_next, NULL, prop_server, sizeof(prop_server)/sizeof(struct property)},
+	{"password", NULL, pr_password, NULL, 0},
+	{"hostname", ef_hostname_next, pr_hostname, prop_hostname, sizeof(prop_hostname)/sizeof(struct property)}
 };
diff --git a/src/dnspr.c b/src/dnspr.c
index bdf2e61..9a3fb01 100644
--- a/src/dnspr.c
+++ b/src/dnspr.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -17,7 +17,7 @@
 
 
 void * dnsprchild(struct clientparam* param) {
- unsigned long ip = 0;
+ uint32_t ip = 0;
  unsigned char *bbuf;
  unsigned char *buf, *s1, *s2;
  char * host = NULL;
@@ -26,29 +26,29 @@ void * dnsprchild(struct clientparam* param) {
  int res, i;
  int len;
  unsigned type=0;
- unsigned ttl;
+ uint32_t ttl;
  unsigned char addr[16];
 #ifdef _WIN32
 	unsigned long ul = 1;
 #endif
 
 
- if(!(bbuf = myalloc(BUFSIZE+2))){
+ if(!(bbuf = malloc(BUFSIZE+2))){
 	param->srv->fds.events = POLLIN;
 	RETURN (21);
  }
  buf = bbuf+2;
  size = sizeof(param->sincr);
- i = so._recvfrom(param->srv->srvsock, (char *)buf, BUFSIZE, 0, (struct sockaddr *)¶m->sincr, &size); 
+ i = param->srv->so._recvfrom(param->sostate, param->srv->srvsock, (char *)buf, BUFSIZE, 0, (struct sockaddr *)¶m->sincr, &size); 
  size = sizeof(param->sinsl);
  getsockname(param->srv->srvsock, (struct sockaddr *)¶m->sincl, &size);
 #ifdef _WIN32
-	if((param->clisock=so._socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
+	if((param->clisock=param->srv->so._socket(param->sostate, AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
 		RETURN(818);
 	}
 	ioctlsocket(param->clisock, FIONBIO, &ul);
-	if(so._setsockopt(param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
-	if(so._bind(param->clisock,(struct sockaddr *)¶m->sincl,SASIZE(¶m->sincl))) {
+	if(param->srv->so._setsockopt(param->sostate, param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
+	if(param->srv->so._bind(param->sostate, param->clisock,(struct sockaddr *)¶m->sincl,SASIZE(¶m->sincl))) {
 		RETURN(822);
 	}
 
@@ -75,14 +75,14 @@ void * dnsprchild(struct clientparam* param) {
  }
  if(len > (i-4)) {RETURN(817);}
 
- host = mystrdup((char *)buf+13);
+ host = strdup((char *)buf+13);
  if(!host) {RETURN(21);}
 
  for(s2 = buf + 12; (s1 = (unsigned char *)strchr((char *)s2 + 1, '.')); s2 = s1)*s2 = (unsigned char)((s1 - s2) - 1); 
  *s2 = (len - (int)(s2 - buf)) - 1;
 
  type = ((unsigned)buf[len+1])*256 + (unsigned)buf[len+2];
- if((type==0x01 || type==0x1c) && !param->srv->singlepacket){
+ if((type==0x01 || type==0x1c) && !param->srv->s_option){
  	ip = udpresolve((type==0x1c)?AF_INET6:AF_INET, (unsigned char *)host, addr, &ttl, param, 0);
  }
 
@@ -109,7 +109,7 @@ void * dnsprchild(struct clientparam* param) {
 	unsigned a, b, c, d;
 	sscanf(host, "%u.%u.%u.%u", &a, &b, &c, &d);
 	ip = htonl((d<<24) ^ (c<<16) ^ (b<<8) ^ a);
-	if(*SAFAMILY(¶m->sincl) == AF_INET &&  ip == *(unsigned long*)SAADDR(¶m->sincl)){
+	if(*SAFAMILY(¶m->sincl) == AF_INET &&  ip == *(uint32_t *)SAADDR(¶m->sincl)){
 		buf[2] = 0x85;
 		buf[3] = 0x80;
 		buf[6] = 0;
@@ -130,17 +130,17 @@ void * dnsprchild(struct clientparam* param) {
 	else ip = 0;
  }
  if(!ip && numservers){
-	if((param->remsock=so._socket(SASOCK(&nservers[0].addr), nservers[0].usetcp? SOCK_STREAM:SOCK_DGRAM, nservers[0].usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {
+	if((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&nservers[0].addr), nservers[0].usetcp? SOCK_STREAM:SOCK_DGRAM, nservers[0].usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {
 		RETURN(818);
 	}
 	memset(¶m->sinsl, 0, sizeof(param->sinsl));
 	*SAFAMILY(¶m->sinsl) = *SAFAMILY(&nservers[0].addr);
-	if(so._bind(param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {
+	if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {
 		RETURN(819);
 	}
 	param->sinsr = nservers[0].addr;
 	if(nservers[0].usetcp) {
-		if(connectwithpoll(param->remsock,(struct sockaddr *)¶m->sinsr,SASIZE(¶m->sinsr),CONNECT_TO)) RETURN(830);
+		if(connectwithpoll(param, param->remsock,(struct sockaddr *)¶m->sinsr,SASIZE(¶m->sinsr),conf.timeouts[CONNECT_TO])) RETURN(830);
 		buf-=2;
 		*(unsigned short*)buf = htons(i);
 		i+=2;
@@ -153,12 +153,12 @@ void * dnsprchild(struct clientparam* param) {
 #endif
 	}
 
-	if(socksendto(param->remsock, (struct sockaddr *)¶m->sinsr, buf, i, conf.timeouts[SINGLEBYTE_L]*1000) != i){
+	if(socksendto(param, param->remsock, (struct sockaddr *)¶m->sinsr, buf, i, conf.timeouts[SINGLEBYTE_L]*1000) != i){
 		RETURN(820);
 	}
 	param->statscli64 += i;
 	param->nwrites++;
-	len = sockrecvfrom(param->remsock, (struct sockaddr *)¶m->sinsr, buf, BUFSIZE, conf.timeouts[DNS_TO]*1000);
+	len = sockrecvfrom(param, param->remsock, (struct sockaddr *)¶m->sinsr, buf, BUFSIZE, conf.timeouts[DNS_TO]*1000);
 	if(len <= 13) {
 		RETURN(821);
 	}
@@ -174,7 +174,7 @@ void * dnsprchild(struct clientparam* param) {
 		if(len != us) RETURN(832);
 	}
 	if(buf[6] || buf[7]){
-		if(socksendto(param->clisock, (struct sockaddr *)¶m->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
+		if(socksendto(param, param->clisock, (struct sockaddr *)¶m->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
 			RETURN(822);
 		}
 		RETURN(0);
@@ -185,7 +185,7 @@ void * dnsprchild(struct clientparam* param) {
 	buf[2] = 0x85;
 	buf[3] = 0x83;
  }
- res = socksendto(param->clisock, (struct sockaddr *)¶m->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000); 
+ res = socksendto(param, param->clisock, (struct sockaddr *)¶m->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000); 
  if(res != len){RETURN(819);}
  if(!ip) {RETURN(888);}
 
@@ -200,8 +200,8 @@ CLEANRET:
 	}
 	dolog(param, buf);
  }
- if(bbuf)myfree(bbuf);
- if(host)myfree(host);
+ if(bbuf)free(bbuf);
+ if(host)free(host);
 #ifndef _WIN32
  param->clisock = INVALID_SOCKET;
 #endif
diff --git a/src/ftp.c b/src/ftp.c
index 6f6931c..b2bd75b 100644
--- a/src/ftp.c
+++ b/src/ftp.c
@@ -1,5 +1,5 @@
 /*
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -29,7 +29,7 @@ int ftplogin(struct clientparam *param, char *nbuf, int *innbuf) {
 		return 702;
 	}
 	sprintf(buf, "USER %.128s\r\n", param->extusername?param->extusername:(unsigned char *)"anonymous");
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 703;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -46,7 +46,7 @@ int ftplogin(struct clientparam *param, char *nbuf, int *innbuf) {
 					param->extpassword:(unsigned char *)"")
 				:(unsigned char *)"3proxy@");
 		res = (int)strlen(buf);
-		if((int)socksend(param->remsock, (unsigned char *)buf, res, conf.timeouts[STRING_S]) != (int)strlen(buf)){
+		if((int)socksend(param, param->remsock, (unsigned char *)buf, res, conf.timeouts[STRING_S]) != (int)strlen(buf)){
 			return 705;
 		}
 	param->statscli64 += res;
@@ -77,7 +77,7 @@ int ftpcd(struct clientparam *param, unsigned char* path, char *nbuf, int *innbu
 	int inbuf = 0;
 
 	sprintf(buf, "CWD %.512s\r\n", path);
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 711;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -110,7 +110,7 @@ int ftpres(struct clientparam *param, unsigned char * buf, int l){
 int ftpsyst(struct clientparam *param, unsigned char *buf, unsigned len){
 	int i;
 
-	if(socksend(param->remsock, (unsigned char *)"SYST\r\n", 6, conf.timeouts[STRING_S]) != 6){
+	if(socksend(param, param->remsock, (unsigned char *)"SYST\r\n", 6, conf.timeouts[STRING_S]) != 6){
 		return 721;
 	}
 	param->statscli64 += 6;
@@ -121,7 +121,7 @@ int ftpsyst(struct clientparam *param, unsigned char *buf, unsigned len){
 	buf[3] = 0;
 	if(atoi((char *)buf)/100 != 2) return 723;
 	buf[i-2] = 0;
-	strcpy((char *)buf, (char *)buf+4);
+	memmove((char *)buf, (char *)buf+4, strlen((char *)buf+4)+1);
 	return 0;
 }
 
@@ -129,7 +129,7 @@ int ftppwd(struct clientparam *param, unsigned char *buf, unsigned len){
 	int i;
 	char *b, *e;
 
-	if(socksend(param->remsock, (unsigned char *)"PWD\r\n", 5, conf.timeouts[STRING_S]) != 5){
+	if(socksend(param, param->remsock, (unsigned char *)"PWD\r\n", 5, conf.timeouts[STRING_S]) != 5){
 		return 731;
 	}
 	param->statscli64 += 5;
@@ -145,7 +145,7 @@ int ftppwd(struct clientparam *param, unsigned char *buf, unsigned len){
 		b++;
 		*e = 0;
 	}
-	strcpy((char *)buf, b);
+	memmove((char *)buf, b, strlen(b)+1);
 	return 0;
 }
 
@@ -154,7 +154,7 @@ int ftptype(struct clientparam *param, unsigned char* f_type){
 	int i;
 
 	sprintf(buf, "TYPE %.512s\r\n", f_type);
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 741;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -176,7 +176,7 @@ SOCKET ftpdata(struct clientparam *param){
 	unsigned short b5, b6;
 	SASIZETYPE sasize;
 
-	if(socksend(param->remsock, (unsigned char *)"PASV\r\n", 6, conf.timeouts[STRING_S]) != 6){
+	if(socksend(param, param->remsock, (unsigned char *)"PASV\r\n", 6, conf.timeouts[STRING_S]) != 6){
 		return INVALID_SOCKET;
 	}
 	param->statscli64 += 6;
@@ -189,19 +189,19 @@ SOCKET ftpdata(struct clientparam *param){
 	if(!(sb = strchr(buf+4, '(')) || !(se= strchr(sb, ')'))) return INVALID_SOCKET;
 	if(sscanf(sb+1, "%lu,%lu,%lu,%lu,%hu,%hu", &b1, &b2, &b3, &b4, &b5, &b6)!=6) return INVALID_SOCKET;
 	sasize = sizeof(param->sinsl);
-	if(so._getsockname(param->remsock, (struct sockaddr *)¶m->sinsl, &sasize)){return INVALID_SOCKET;}
+	if(param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsl, &sasize)){return INVALID_SOCKET;}
 	sasize = sizeof(param->sinsr);
-	if(so._getpeername(param->remsock, (struct sockaddr *)¶m->sinsr, &sasize)){return INVALID_SOCKET;}
+	if(param->srv->so._getpeername(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsr, &sasize)){return INVALID_SOCKET;}
 	rem = param->remsock;
 	param->remsock = INVALID_SOCKET;
 	param->req = param->sinsr;
-	*SAPORT(¶m->req) = *SAPORT(¶m->sinsr) = htons((unsigned short)((b5<<8)^b6));
+	*SAPORT(¶m->req) = *SAPORT(¶m->sinsr) = htons((uint16_t)((b5<<8)^b6));
 	*SAPORT(¶m->sinsl) = 0;
 	i = param->operation;
 	param->operation = FTP_DATA;
 	if((param->res = (*param->srv->authfunc)(param))) {
 		if(param->remsock != INVALID_SOCKET) {
-			so._closesocket(param->remsock);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 		}
 		memset(¶m->sinsl, 0, sizeof(param->sinsl));
@@ -227,8 +227,8 @@ SOCKET ftpcommand(struct clientparam *param, unsigned char * command, unsigned c
 	sprintf(buf, "%.15s%s%.512s\r\n", command, arg?
 		(unsigned char *)" ":(unsigned char *)"", 
 		arg?arg:(unsigned char *)"");
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
-		so._closesocket(s);
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -236,11 +236,11 @@ SOCKET ftpcommand(struct clientparam *param, unsigned char * command, unsigned c
 	while((i = sockgetlinebuf(param, SERVER, (unsigned char *)buf, sizeof(buf) - 1, '\n', conf.timeouts[STRING_L])) > 0 && (i < 3 || !isnumber(*buf) || buf[3] == '-')){
 	}
 	if(i < 3) {
-		so._closesocket(s);
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	if(buf[0] != '1') {
-		so._closesocket(s);
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	return s;
diff --git a/src/ftppr.c b/src/ftppr.c
index 71eb8cc..30c1739 100644
--- a/src/ftppr.c
+++ b/src/ftppr.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -24,12 +24,12 @@ void * ftpprchild(struct clientparam* param) {
  struct linger lg;
  struct pollfd fds;
 
- if(!(buf = myalloc(BUFSIZE))) RETURN(876);
+ if(!(buf = malloc(BUFSIZE))) RETURN(876);
  param->ctrlsock = param->clisock;
  param->operation = CONNECT;
  lg.l_onoff = 1;
  lg.l_linger = conf.timeouts[STRING_L];;
- if(socksend(param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
+ if(socksend(param, param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
  for(;;){
 	i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 10, '\n', conf.timeouts[CONNECTION_S]);
 	if(!i) {
@@ -38,19 +38,19 @@ void * ftpprchild(struct clientparam* param) {
 	if(i<4) {RETURN(802);}
 	buf[i] = 0;
 	if ((se=(unsigned char *)strchr((char *)buf, '\r'))) *se = 0;
-	if (req) myfree (req);
+	if (req) free (req);
 	req = NULL;
 
 	if (!strncasecmp((char *)buf, "OPEN ", 5)){
 		if(parsehostname((char *)buf+5, param, 21)){RETURN(803);}
 		if(param->remsock != INVALID_SOCKET) {
-			so._shutdown(param->remsock, SHUT_RDWR);
-			so._closesocket(param->remsock);
+			param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 		}
 		if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
 		param->ctrlsocksrv = param->remsock;
-		if(socksend(param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
+		if(socksend(param, param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
 		status = 1;
 	}
 	else if (!strncasecmp((char *)buf, "USER ", 5)){
@@ -59,19 +59,19 @@ void * ftpprchild(struct clientparam* param) {
 			if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
 			param->ctrlsocksrv = param->remsock;
 		}
-		if(socksend(param->ctrlsock, (unsigned char *)"331 ok\r\n", 8, conf.timeouts[STRING_S])!=8) {RETURN (807);}
+		if(socksend(param, param->ctrlsock, (unsigned char *)"331 ok\r\n", 8, conf.timeouts[STRING_S])!=8) {RETURN (807);}
 		status = 2;
 
 	}
 	else if (!strncasecmp((char *)buf, "PASS ", 5)){
-		param->extpassword = (unsigned char *)mystrdup((char *)buf+5);
+		param->extpassword = (unsigned char *)strdup((char *)buf+5);
 		inbuf = BUFSIZE;
 		res = ftplogin(param, (char *)buf, &inbuf);
 		param->res = res;
-		if(inbuf && inbuf != BUFSIZE && socksend(param->ctrlsock, buf, inbuf, conf.timeouts[STRING_S])!=inbuf) {RETURN (807);}
+		if(inbuf && inbuf != BUFSIZE && socksend(param, param->ctrlsock, buf, inbuf, conf.timeouts[STRING_S])!=inbuf) {RETURN (807);}
 		if(!res) status = 3;
 		sprintf((char *)buf, "%.128s@%.128s%c%hu", param->extusername, param->hostname, (ntohs(*SAPORT(¶m->sinsr))==21)?0:':', ntohs(*SAPORT(¶m->sinsr)));
-		req = mystrdup((char *)buf);
+		req = strdup((char *)buf);
 #ifndef WITHMAIN
 		{
 			int action, reqbufsize, reqsize;
@@ -105,27 +105,27 @@ void * ftpprchild(struct clientparam* param) {
 		}
 #endif
 		if(sc != INVALID_SOCKET) {
-			so._shutdown(sc, SHUT_RDWR);
-			so._closesocket(sc);
+			param->srv->so._shutdown(param->sostate, sc, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, sc);
 			sc = INVALID_SOCKET;
 		}
 		if(ss != INVALID_SOCKET) {
-			so._shutdown(ss, SHUT_RDWR);
-			so._closesocket(ss);
+			param->srv->so._shutdown(param->sostate, ss, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, ss);
 			ss = INVALID_SOCKET;
 		}
 		if(clidatasock != INVALID_SOCKET) {
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = INVALID_SOCKET;
 		}
 		if ((clidatasock=socket(SASOCK(¶m->sincl), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {RETURN(821);}
 		*SAPORT(¶m->sincl) = 0;
-		if(so._bind(clidatasock, (struct sockaddr *)¶m->sincl, SASIZE(¶m->sincl))){RETURN(822);}
+		if(param->srv->so._bind(param->sostate, clidatasock, (struct sockaddr *)¶m->sincl, SASIZE(¶m->sincl))){RETURN(822);}
 		if (pasv) {
-			if(so._listen(clidatasock, 1)) {RETURN(823);}
+			if(param->srv->so._listen(param->sostate, clidatasock, 1)) {RETURN(823);}
 			sasize = sizeof(param->sincl);
-			if(so._getsockname(clidatasock, (struct sockaddr *)¶m->sincl, &sasize)){RETURN(824);}
+			if(param->srv->so._getsockname(param->sostate, clidatasock, (struct sockaddr *)¶m->sincl, &sasize)){RETURN(824);}
 			if(pasv == 1){
 				if(*SAFAMILY(¶m->sincl) == AF_INET)
 					sprintf((char *)buf, "227 OK (%u,%u,%u,%u,%u,%u)\r\n",
@@ -152,9 +152,9 @@ void * ftpprchild(struct clientparam* param) {
 			unsigned short b5, b6;
 
 			if(sscanf((char *)buf+5, "%lu,%lu,%lu,%lu,%hu,%hu", &b1, &b2, &b3, &b4, &b5, &b6)!=6) {RETURN(828);}
-			*SAPORT(¶m->sincr) = htons((unsigned short)((b5<<8)^b6));
-			if(connectwithpoll(clidatasock, (struct sockaddr *)¶m->sincr, SASIZE(¶m->sincr),CONNECT_TO)) {
-				so._closesocket(clidatasock);
+			*SAPORT(¶m->sincr) = htons((uint16_t)((b5<<8)^b6));
+			if(connectwithpoll(param, clidatasock, (struct sockaddr *)¶m->sincr, SASIZE(¶m->sincr),conf.timeouts[CONNECT_TO])) {
+				param->srv->so._closesocket(param->sostate, clidatasock);
 				clidatasock = INVALID_SOCKET;
 				RETURN(826);
 			}
@@ -173,7 +173,7 @@ void * ftpprchild(struct clientparam* param) {
 			if(action != PASS) RETURN(879);
 		}
 #endif
-		if(socksend(param->ctrlsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])!=(int)strlen((char *)buf)) {RETURN (825);}
+		if(socksend(param, param->ctrlsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])!=(int)strlen((char *)buf)) {RETURN (825);}
 		status = 4;
 	}
 	else if (status == 4 && (
@@ -208,38 +208,38 @@ void * ftpprchild(struct clientparam* param) {
 			fds.fd = clidatasock;
 			fds.events = POLLIN;
 
-			res = so._poll (&fds, 1, conf.timeouts[STRING_L]*1000);
+			res = param->srv->so._poll (param->sostate, &fds, 1, conf.timeouts[STRING_L]*1000);
 			if(res != 1) {
 				RETURN(857);
 			}
 			sasize = sizeof(param->sincr);
-			ss = so._accept(clidatasock, (struct sockaddr *)¶m->sincr, &sasize);
+			ss = param->srv->so._accept(param->sostate, clidatasock, (struct sockaddr *)¶m->sincr, &sasize);
 			if (ss == INVALID_SOCKET) { RETURN (858);}
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = ss;
 			ss = INVALID_SOCKET;
 		}
 		if(clidatasock == INVALID_SOCKET){RETURN(828);}
-		req = mystrdup((char *)buf);
+		req = strdup((char *)buf);
 		buf[4] = 0;
 		status = 3;
 		ss = ftpcommand(param, buf, arg? buf+5 : NULL);
 		if (ss == INVALID_SOCKET) {
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = INVALID_SOCKET;
 			
-			if(socksend(param->ctrlsock, (unsigned char *)"550 err\r\n", 9, conf.timeouts[STRING_S])!=9) {RETURN (831);}
+			if(socksend(param, param->ctrlsock, (unsigned char *)"550 err\r\n", 9, conf.timeouts[STRING_S])!=9) {RETURN (831);}
 			continue;
 		}
 
-		if(socksend(param->ctrlsock, (unsigned char *)"125 data\r\n", 10, conf.timeouts[STRING_S]) != 10) {
+		if(socksend(param, param->ctrlsock, (unsigned char *)"125 data\r\n", 10, conf.timeouts[STRING_S]) != 10) {
 			param->remsock = INVALID_SOCKET;
 			RETURN (832);
 		}
 		if(param->srvoffset < param->srvinbuf)while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', 0)) > 3){
-			if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
+			if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
 			if(isnumber(*buf) && buf[3] != '-') {
 				ressent = 1;
 				break;
@@ -247,17 +247,17 @@ void * ftpprchild(struct clientparam* param) {
 		}
 		sc = param->remsock;
 		param->remsock = ss;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
-		so._setsockopt(clidatasock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+		param->srv->so._setsockopt(param->sostate, clidatasock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
 		param->clisock = clidatasock;
 		res = mapsocket(param, conf.timeouts[CONNECTION_S]);
 		if(param->remsock != INVALID_SOCKET) {
-			so._shutdown (param->remsock, SHUT_RDWR);
-			so._closesocket(param->remsock);
+			param->srv->so._shutdown (param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 		}
 		if(param->clisock != INVALID_SOCKET) {
-			so._shutdown (param->clisock, SHUT_RDWR);
-			so._closesocket(param->clisock);
+			param->srv->so._shutdown (param->sostate, param->clisock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->clisock);
 		}
 		param->clisock = param->ctrlsock;
 		param->remsock = sc;
@@ -266,7 +266,7 @@ void * ftpprchild(struct clientparam* param) {
 		clidatasock = INVALID_SOCKET;
 		if(!ressent){
 			while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', conf.timeouts[STRING_L])) > 3){
-				if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
+				if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
 				if(isnumber(*buf) && buf[3] != '-') break;
 			}
 			if(i < 3) {RETURN(834);}
@@ -274,26 +274,26 @@ void * ftpprchild(struct clientparam* param) {
 	}
 	else {
 		if(status < 3) {
-			if(socksend(param->remsock, (unsigned char *)"530 login\r\n", 11, conf.timeouts[STRING_S])!=1) {RETURN (810);}
+			if(socksend(param, param->remsock, (unsigned char *)"530 login\r\n", 11, conf.timeouts[STRING_S])!=1) {RETURN (810);}
 			continue;
 		}
 		if(!strncasecmp((char *)buf, "QUIT", 4)) status = 5;
-		if(!strncasecmp((char *)buf, "CWD ", 4)) req = mystrdup((char *)buf);
+		if(!strncasecmp((char *)buf, "CWD ", 4)) req = strdup((char *)buf);
 		i = (int)strlen((char *)buf);
 		buf[i++] = '\r';
 		buf[i++] = '\n';
-		if(socksend(param->remsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (811);}
+		if(socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (811);}
  param->statscli64+=(i);
 		param->nwrites++;
 		while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', conf.timeouts[STRING_L])) > 0){
-			if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (812);}
+			if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (812);}
 			if(i > 4 && isnumber(*buf) && buf[3] != '-') break;
 		}
 		if(status == 5) {RETURN (0);}
 		if(i < 3) {RETURN (813);}
 	}
 	sasize = sizeof(param->sincr);
-	if(so._getpeername(param->ctrlsock, (struct sockaddr *)¶m->sincr, &sasize)){RETURN(819);}
+	if(param->srv->so._getpeername(param->sostate, param->ctrlsock, (struct sockaddr *)¶m->sincr, &sasize)){RETURN(819);}
 	if(req && (param->statscli64 || param->statssrv64)){
 		dolog(param, (unsigned char *)req);
 	}
@@ -302,24 +302,24 @@ void * ftpprchild(struct clientparam* param) {
 CLEANRET:
 
  if(sc != INVALID_SOCKET) {
-	so._shutdown(sc, SHUT_RDWR);
-	so._closesocket(sc);
+	param->srv->so._shutdown(param->sostate, sc, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, sc);
  }
  if(ss != INVALID_SOCKET) {
-	so._shutdown(ss, SHUT_RDWR);
-	so._closesocket(ss);
+	param->srv->so._shutdown(param->sostate, ss, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, ss);
  }
  if(clidatasock != INVALID_SOCKET) {
-	so._shutdown(clidatasock, SHUT_RDWR);
-	so._closesocket(clidatasock);
+	param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, clidatasock);
  }
  sasize = sizeof(param->sincr);
- so._getpeername(param->ctrlsock, (struct sockaddr *)¶m->sincr, &sasize);
+ param->srv->so._getpeername(param->sostate, param->ctrlsock, (struct sockaddr *)¶m->sincr, &sasize);
  if(param->res != 0 || param->statscli64 || param->statssrv64 ){
 	dolog(param, (unsigned char *)((req && (param->res > 802))? req:NULL));
  }
- if(req) myfree(req);
- if(buf) myfree(buf);
+ if(req) free(req);
+ if(buf) free(buf);
  freeparam(param);
  return (NULL);
 }
diff --git a/src/hash.c b/src/hash.c
new file mode 100644
index 0000000..6d3e97d
--- /dev/null
+++ b/src/hash.c
@@ -0,0 +1,315 @@
+#include "proxy.h"
+
+struct hashentry {
+        time_t expires;
+        uint32_t inext;
+        char value[4];
+};
+
+
+
+void destroyhashtable(struct hashtable *ht){
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    if(ht->ihashtable){
+	free(ht->ihashtable);
+	ht->ihashtable = NULL;
+    }
+    if(ht->hashvalues){
+	free(ht->hashvalues);
+	ht->hashvalues = NULL;
+    }
+    if(ht->hashhashvalues){
+	free(ht->hashhashvalues);
+	ht->hashhashvalues = NULL;
+    }
+    ht->poolsize = 0;
+    ht->tablesize = 0;
+    ht->ihashempty = 0;
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    _3proxy_mutex_destroy(&ht->hash_mutex);
+}
+
+#define hashindex(ht, tablesize, hash) (murmurhash3(hash, ht->hash_size, ht->entropy) % tablesize)
+#define hvalue(ht,I) ((struct hashentry *)(ht->hashvalues + (I-1)*(sizeof(struct hashentry) + ht->recsize - 4)))
+#define hhash(ht,I) ((ht->hashhashvalues + (I-1)*(ht->hash_size)))
+
+int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit){
+    unsigned i;
+    clock_t c;
+
+#ifdef _WIN32
+    struct timeb tb;
+
+    ftime(&tb);
+
+#else
+    struct timeval tb;
+    struct timezone tz;
+    gettimeofday(&tb, &tz);
+#endif
+    c = clock();
+
+    if(tablesize < 2 || poolsize < tablesize || growlimit < poolsize) return 1;
+    if(ht->ihashtable){
+        _3proxy_mutex_lock(&ht->hash_mutex);
+	if(ht->ihashtable){
+	    free(ht->ihashtable);
+	    ht->ihashtable = NULL;
+	}
+	if(ht->hashvalues){
+	    free(ht->hashvalues);
+	    ht->hashvalues = NULL;
+	}
+	if(ht->hashhashvalues){
+	    free(ht->hashhashvalues);
+	    ht->hashhashvalues = NULL;
+	}
+	ht->poolsize = 0;
+	ht->tablesize = 0;
+    }
+    else {
+	_3proxy_mutex_init(&ht->hash_mutex);
+        _3proxy_mutex_lock(&ht->hash_mutex);
+    }
+    if(!(ht->ihashtable = malloc(tablesize *  sizeof(uint32_t)))
+    || !(ht->hashvalues = malloc(poolsize * (sizeof(struct hashentry) + ht->recsize - 4)))
+    || !(ht->hashhashvalues = malloc(poolsize * ht->hash_size))
+    ){
+	free(ht->ihashtable);
+	ht->ihashtable = NULL;
+	free(ht->hashvalues);
+	ht->hashvalues = NULL;
+	_3proxy_mutex_unlock(&ht->hash_mutex);
+	return 3;
+    }
+    ht->poolsize = poolsize;
+    ht->tablesize = tablesize;
+    ht->growlimit = growlimit;
+    ht->entropy = myrand(ht, sizeof(struct hashtable));
+    memset(ht->ihashtable, 0, ht->tablesize * sizeof(uint32_t));
+    memset(ht->hashvalues, 0, ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4));
+
+    for(i = 1; i < ht->poolsize; i++) {
+	hvalue(ht,i)->inext = i+1;
+    }
+    ht->ihashempty = 1;
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    return 0;
+}
+
+static void hashcompact(struct hashtable *ht){
+    int i;
+    uint32_t he, *hep;
+    
+    if((conf.time - ht->compacted) < 300 || !ht->tablesize || !ht->poolsize || ht->ihashempty) return;
+    for(i = 0; i < ht->tablesize; i++){
+	for(hep = ht->ihashtable + i; (he = *hep) != 0; ){
+	    if(hvalue(ht,he)->expires < conf.time ) {
+		(*hep) = hvalue(ht,he)->inext;
+		hvalue(ht,he)->expires = 0;
+		hvalue(ht,he)->inext = ht->ihashempty;
+		ht->ihashempty = he;
+	    }
+	    else hep=&(hvalue(ht,he)->inext);
+	}
+    }
+    ht->compacted = conf.time;
+    if(ht->ihashempty) return;
+}
+
+static void hashgrow(struct hashtable *ht){
+    unsigned newsize = (ht->poolsize + (ht->poolsize >> 1));
+    unsigned i;
+    void * newvalues;
+    
+    if(!ht->tablesize || !ht->poolsize) return;
+    if(ht->poolsize / ht->tablesize < 4) hashcompact(ht);
+    if(ht->ihashempty) return;
+    if(ht->poolsize >= ht->growlimit) return;
+    if(newsize > ht->growlimit) newsize = ht->growlimit;
+    newvalues = realloc(ht->hashvalues, newsize * (sizeof(struct hashentry) + ht->recsize - 4));
+    if(!newvalues) return;
+    ht->hashvalues = newvalues;
+    newvalues = realloc(ht->hashhashvalues, newsize * ht->hash_size);
+    if(!newvalues) return;
+    ht->hashhashvalues = newvalues;
+    memset(ht->hashvalues + (ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4)), 0, (newsize - ht->poolsize) * (sizeof(struct hashentry) + ht->recsize - 4));
+    for(i = ht->poolsize + 1; i < newsize; i++) {
+	hvalue(ht,i)->inext = i+1;
+    }
+    hvalue(ht,newsize)->inext = ht->ihashempty;
+    ht->ihashempty = ht->poolsize + 1;
+    ht->poolsize = newsize;
+    if (ht->poolsize / ht->tablesize > 10) {
+        unsigned newtablesize = ht->poolsize / 3;
+        uint32_t *newitable = malloc(newtablesize * sizeof(uint32_t));
+        if (newitable) {
+            unsigned j;
+            memset(newitable, 0, newtablesize * sizeof(uint32_t));
+            for (j = 0; j < ht->tablesize; j++) {
+                uint32_t he = ht->ihashtable[j];
+                while (he) {
+                    uint32_t next = hvalue(ht, he)->inext;
+                    unsigned idx = hashindex(ht, newtablesize, hhash(ht, he));
+                    hvalue(ht, he)->inext = newitable[idx];
+                    newitable[idx] = he;
+                    he = next;
+                }
+            }
+            free(ht->ihashtable);
+            ht->ihashtable = newitable;
+            ht->tablesize = newtablesize;
+        }
+    }
+}
+
+
+
+void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
+    uint32_t hen, he;
+    uint32_t *hep;
+    int overwrite = 0;
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t index;
+    uint32_t last = 0;
+    
+    if(!ht||!value||!name||!ht->ihashtable) {
+	return;
+    }
+
+    ht->index2hash_add(ht, name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht, ht->tablesize, hash);
+
+    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
+	if(hvalue(ht,he)->expires < conf.time || !memcmp(hash, hhash(ht,he), ht->hash_size)) {
+	    (*hep) = hvalue(ht,he)->inext;
+	    hvalue(ht,he)->expires = 0;
+	    hvalue(ht,he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else {
+	    hep=&(hvalue(ht,he)->inext);
+	    last = he;
+	}
+    }
+
+    if(!ht->ihashempty){
+	hashgrow(ht);
+    }
+
+    if(ht->ihashempty){
+	hen = ht->ihashempty;
+	ht->ihashempty = hvalue(ht,ht->ihashempty)->inext;
+	hvalue(ht,hen)->inext = ht->ihashtable[index];
+	ht->ihashtable[index] = hen;
+    }
+    else {
+	hen = last;
+    }
+    if(hen){
+	memcpy(hhash(ht,hen), hash, ht->hash_size);
+	memcpy(hvalue(ht,hen)->value, value, ht->recsize);
+	hvalue(ht,hen)->expires = expires;
+    }
+
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+}
+
+int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t *hep;
+    uint32_t he;
+    uint32_t index;
+
+    if(!ht || !ht->ihashtable || !name) {
+	return 0;
+    }
+    ht->index2hash_search(ht,name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht, ht->tablesize, hash);
+    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
+	if(hvalue(ht, he)->expires < conf.time) {
+	    (*hep) = hvalue(ht,he)->inext;
+	    hvalue(ht,he)->expires = 0;
+	    hvalue(ht,he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else if(!memcmp(hash, hhash(ht,he), ht->hash_size)){
+	    if(ttl) *ttl = (uint32_t)(hvalue(ht,he)->expires - conf.time);
+	    memcpy(value, hvalue(ht,he)->value, ht->recsize);
+	    _3proxy_mutex_unlock(&ht->hash_mutex);
+	    return 1;
+	}
+	else hep=&(hvalue(ht,he)->inext);
+    }
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    return 0;
+}
+
+void hashdelete(struct hashtable *ht, void *name){
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t *hep;
+    uint32_t he;
+    uint32_t index;
+
+    if(!ht || !ht->ihashtable || !name) {
+	return;
+    }
+    ht->index2hash_search(ht, name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht, ht->tablesize, hash);
+    for(hep = ht->ihashtable + index; (he = *hep) != 0; ){
+	if((hvalue(ht, he)->expires && hvalue(ht, he)->expires < conf.time) || !memcmp(hash, hhash(ht, he), ht->hash_size)) {
+	    (*hep) = hvalue(ht, he)->inext;
+	    hvalue(ht, he)->expires = 0;
+	    hvalue(ht, he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else hep = &(hvalue(ht, he)->inext);
+    }
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+}
+
+#define MURMUR_C1 0xcc9e2d51u
+#define MURMUR_C2 0x1b873593u
+
+uint32_t murmurhash3(const void *key, int len, uint32_t seed) {
+    const uint8_t *data = (const uint8_t *)key;
+    const int nblocks = len / 4;
+    uint32_t h = seed;
+    int i;
+    const uint32_t *blocks = (const uint32_t *)(data);
+    const uint8_t *tail = data + nblocks * 4;
+    uint32_t k;
+
+    for (i = 0; i < nblocks; i++) {
+        memcpy(&k, blocks + i, sizeof(k));
+        k *= MURMUR_C1;
+        k = (k << 15) | (k >> 17);
+        k *= MURMUR_C2;
+        h ^= k;
+        h = (h << 13) | (h >> 19);
+        h = h * 5 + 0xe6546b64u;
+    }
+
+    k = 0;
+    switch (len & 3) {
+        case 3: k ^= (uint32_t)tail[2] << 16; /* fall through */
+        case 2: k ^= (uint32_t)tail[1] << 8;  /* fall through */
+        case 1: k ^= (uint32_t)tail[0];
+                k *= MURMUR_C1;
+                k = (k << 15) | (k >> 17);
+                k *= MURMUR_C2;
+                h ^= k;
+    }
+
+    h ^= (uint32_t)len;
+    h ^= h >> 16;
+    h *= 0x85ebca6bu;
+    h ^= h >> 13;
+    h *= 0xc2b2ae35u;
+    h ^= h >> 16;
+
+    return h;
+}
diff --git a/src/hashtables.c b/src/hashtables.c
new file mode 100644
index 0000000..eed8022
--- /dev/null
+++ b/src/hashtables.c
@@ -0,0 +1,87 @@
+#include "proxy.h"
+#include "libs/blake2.h"
+
+
+static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    blake2b_state S;
+    int len;
+
+    len = strlen((const char*)index);
+    memset(hash, 0, ht->hash_size);
+    if(len <= ht->hash_size) memcpy(hash, index, len);
+    else {
+	blake2b_init(&S, ht->hash_size);
+	blake2b_update(&S, index, strlen((const char*)index) + 1);
+	blake2b_final(&S, hash, ht->hash_size);
+    }
+}
+
+static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
+    blake2b_state S;
+    struct clientparam *param = (struct clientparam *)index;
+    unsigned type = param->srv->authcachetype;
+    int len = 0, oplen = 0, acllen = 0, ulen = 0, plen = 0, hlen = 0, a1len = 0, a2len = 0, a3len = 0, p1len=0, p2len = 0;
+
+
+    if((type & 2) && param->username) ulen = strlen((const char *)param->username) + 1;
+    if((type & 4) && param->password) plen = strlen((const char *)param->password) + 1;
+    if((type & 1) && !(type & 8)) a1len = SAADDRLEN(¶m->sincr);
+    if((type & 16)) acllen = sizeof(param->srv->acl);
+    if((type & 64)) a2len = SAADDRLEN(¶m->req);
+    if((type & 128)) p1len = 2 ;
+    if((type & 256) && param->hostname) hlen = strlen((const char *)param->hostname) + 1;
+    if((type & 512)) oplen = sizeof(param->operation);
+    if((type & 1024)) a3len = SAADDRLEN(¶m->srv->intsa);
+    if((type & 2048)) p2len = 2;
+
+    memset(hash, 0, ht->hash_size);
+    if(ulen + plen + a1len + acllen + a2len + p1len + hlen + oplen + a3len + p2len <= ht->hash_size){
+	int offset = 0;
+	if((type & 2) && param->username){ memcpy(hash + offset, param->username, ulen); offset += ulen; }
+	if((type & 4) && param->password){ memcpy(hash + offset, param->password, plen); offset += plen; }
+	if((type & 1) && !(type & 8)){ memcpy(hash + offset, SAADDR(¶m->sincr), a1len); offset += a1len; }
+	if((type & 16)){ memcpy(hash + offset, ¶m->srv->acl, acllen); offset += acllen; }
+	if((type & 64)){ memcpy(hash + offset, SAADDR(¶m->req), a2len); offset += a2len; }
+	if((type & 128)){ memcpy(hash + offset, SAPORT(¶m->req), p1len); offset += 2; }
+	if((type & 256) && param->hostname){ memcpy(hash + offset, param->hostname, hlen); offset += hlen; }
+	if((type & 512)){ memcpy(hash + offset, ¶m->operation, oplen); offset += oplen; }
+	if((type & 1024)){ memcpy(hash + offset, SAADDR(¶m->srv->intsa), a3len); offset += a3len; }
+	if((type & 2048)){ memcpy(hash + offset, SAPORT(¶m->srv->intsa), p2len); offset += 2; }
+    }
+    else {
+	blake2b_init(&S, ht->hash_size);
+	if((type & 2) && param->username)blake2b_update(&S, param->username, ulen);
+        if((type & 4) && param->password)blake2b_update(&S, param->password, plen);
+	if((type & 1) && !(type & 8))blake2b_update(&S, SAADDR(¶m->sincr), a1len);
+	if((type & 16))blake2b_update(&S, ¶m->srv->acl, acllen);
+	if((type & 64))blake2b_update(&S, SAADDR(¶m->req), a2len);
+	if((type & 128))blake2b_update(&S, SAPORT(¶m->req), 2);
+	if((type & 256) && param->hostname)blake2b_update(&S, param->hostname, hlen);
+	if((type & 512))blake2b_update(&S, ¶m->operation, sizeof(param->operation));
+	if((type & 1024))blake2b_update(&S, SAADDR(¶m->srv->intsa), a3len);
+	if((type & 2048))blake2b_update(&S, SAPORT(¶m->srv->intsa), 2);
+	blake2b_final(&S, hash, ht->hash_size);
+    }
+}
+
+void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+
+    memcpy(hash, param->hash, ht->hash_size);
+}
+
+static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    blake2b_state S;
+    blake2b_init(&S, ht->hash_size);
+    blake2b_update(&S, SAADDR(¶m->srv->intsa), SAADDRLEN(¶m->srv->intsa));
+    blake2b_update(&S, SAPORT(¶m->srv->intsa), 2);
+    blake2b_update(&S, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr));
+    blake2b_update(&S, SAPORT(¶m->sincr), 2);
+    blake2b_final(&S, hash, ht->hash_size);
+}
+
+struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 32};
+struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 32};
+struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct authcache), 64};
+struct hashtable pwl_table = {char_index2hash, char_index2hash, 64, 64};
diff --git a/src/libs/blake2-impl.h b/src/libs/blake2-impl.h
new file mode 100644
index 0000000..c1df82e
--- /dev/null
+++ b/src/libs/blake2-impl.h
@@ -0,0 +1,160 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves .  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+#ifndef BLAKE2_IMPL_H
+#define BLAKE2_IMPL_H
+
+#include 
+#include 
+
+#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L)
+  #if   defined(_MSC_VER)
+    #define BLAKE2_INLINE __inline
+  #elif defined(__GNUC__)
+    #define BLAKE2_INLINE __inline__
+  #else
+    #define BLAKE2_INLINE
+  #endif
+#else
+  #define BLAKE2_INLINE inline
+#endif
+
+static BLAKE2_INLINE uint32_t load32( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint32_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint32_t )( p[0] ) <<  0) |
+         (( uint32_t )( p[1] ) <<  8) |
+         (( uint32_t )( p[2] ) << 16) |
+         (( uint32_t )( p[3] ) << 24) ;
+#endif
+}
+
+static BLAKE2_INLINE uint64_t load64( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint64_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint64_t )( p[0] ) <<  0) |
+         (( uint64_t )( p[1] ) <<  8) |
+         (( uint64_t )( p[2] ) << 16) |
+         (( uint64_t )( p[3] ) << 24) |
+         (( uint64_t )( p[4] ) << 32) |
+         (( uint64_t )( p[5] ) << 40) |
+         (( uint64_t )( p[6] ) << 48) |
+         (( uint64_t )( p[7] ) << 56) ;
+#endif
+}
+
+static BLAKE2_INLINE uint16_t load16( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint16_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |
+                      (( uint32_t )( p[1] ) <<  8));
+#endif
+}
+
+static BLAKE2_INLINE void store16( void *dst, uint16_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  *p++ = ( uint8_t )w; w >>= 8;
+  *p++ = ( uint8_t )w;
+#endif
+}
+
+static BLAKE2_INLINE void store32( void *dst, uint32_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+#endif
+}
+
+static BLAKE2_INLINE void store64( void *dst, uint64_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+  p[4] = (uint8_t)(w >> 32);
+  p[5] = (uint8_t)(w >> 40);
+  p[6] = (uint8_t)(w >> 48);
+  p[7] = (uint8_t)(w >> 56);
+#endif
+}
+
+static BLAKE2_INLINE uint64_t load48( const void *src )
+{
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint64_t )( p[0] ) <<  0) |
+         (( uint64_t )( p[1] ) <<  8) |
+         (( uint64_t )( p[2] ) << 16) |
+         (( uint64_t )( p[3] ) << 24) |
+         (( uint64_t )( p[4] ) << 32) |
+         (( uint64_t )( p[5] ) << 40) ;
+}
+
+static BLAKE2_INLINE void store48( void *dst, uint64_t w )
+{
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+  p[4] = (uint8_t)(w >> 32);
+  p[5] = (uint8_t)(w >> 40);
+}
+
+static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c )
+{
+  return ( w >> c ) | ( w << ( 32 - c ) );
+}
+
+static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c )
+{
+  return ( w >> c ) | ( w << ( 64 - c ) );
+}
+
+/* prevents compiler optimizing out memset() */
+static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n)
+{
+  static void *(*const volatile memset_v)(void *, int, size_t) = &memset;
+  memset_v(v, 0, n);
+}
+
+#endif
diff --git a/src/libs/blake2.h b/src/libs/blake2.h
new file mode 100644
index 0000000..a51262c
--- /dev/null
+++ b/src/libs/blake2.h
@@ -0,0 +1,197 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves .  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+#ifndef BLAKE2_H
+#define BLAKE2_H
+
+#include 
+#include 
+
+#if defined(WATCOM)
+#define BLAKE2_PACKED(x) _Packed x
+#elif defined(_MSC_VER)
+#define BLAKE2_PACKED(x) __pragma(pack(push, 1)) x __pragma(pack(pop))
+#else
+#define BLAKE2_PACKED(x) x __attribute__((packed))
+#endif
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+  enum blake2s_constant
+  {
+    BLAKE2S_BLOCKBYTES = 64,
+    BLAKE2S_OUTBYTES   = 32,
+    BLAKE2S_KEYBYTES   = 32,
+    BLAKE2S_SALTBYTES  = 8,
+    BLAKE2S_PERSONALBYTES = 8
+  };
+
+  enum blake2b_constant
+  {
+    BLAKE2B_BLOCKBYTES = 128,
+    BLAKE2B_OUTBYTES   = 64,
+    BLAKE2B_KEYBYTES   = 64,
+    BLAKE2B_SALTBYTES  = 16,
+    BLAKE2B_PERSONALBYTES = 16
+  };
+
+  typedef struct blake2s_state__
+  {
+    uint32_t h[8];
+    uint32_t t[2];
+    uint32_t f[2];
+    uint8_t  buf[BLAKE2S_BLOCKBYTES];
+    size_t   buflen;
+    size_t   outlen;
+    uint8_t  last_node;
+  } blake2s_state;
+
+  typedef struct blake2b_state__
+  {
+    uint64_t h[8];
+    uint64_t t[2];
+    uint64_t f[2];
+    uint8_t  buf[BLAKE2B_BLOCKBYTES];
+    size_t   buflen;
+    size_t   outlen;
+    uint8_t  last_node;
+  } blake2b_state;
+
+  typedef struct blake2sp_state__
+  {
+    blake2s_state S[8][1];
+    blake2s_state R[1];
+    uint8_t       buf[8 * BLAKE2S_BLOCKBYTES];
+    size_t        buflen;
+    size_t        outlen;
+  } blake2sp_state;
+
+  typedef struct blake2bp_state__
+  {
+    blake2b_state S[4][1];
+    blake2b_state R[1];
+    uint8_t       buf[4 * BLAKE2B_BLOCKBYTES];
+    size_t        buflen;
+    size_t        outlen;
+  } blake2bp_state;
+
+
+  BLAKE2_PACKED(struct blake2s_param__
+  {
+    uint8_t  digest_length; /* 1 */
+    uint8_t  key_length;    /* 2 */
+    uint8_t  fanout;        /* 3 */
+    uint8_t  depth;         /* 4 */
+    uint32_t leaf_length;   /* 8 */
+    uint32_t node_offset;  /* 12 */
+    uint16_t xof_length;    /* 14 */
+    uint8_t  node_depth;    /* 15 */
+    uint8_t  inner_length;  /* 16 */
+    /* uint8_t  reserved[0]; */
+    uint8_t  salt[BLAKE2S_SALTBYTES]; /* 24 */
+    uint8_t  personal[BLAKE2S_PERSONALBYTES];  /* 32 */
+  });
+
+  typedef struct blake2s_param__ blake2s_param;
+
+  BLAKE2_PACKED(struct blake2b_param__
+  {
+    uint8_t  digest_length; /* 1 */
+    uint8_t  key_length;    /* 2 */
+    uint8_t  fanout;        /* 3 */
+    uint8_t  depth;         /* 4 */
+    uint32_t leaf_length;   /* 8 */
+    uint32_t node_offset;   /* 12 */
+    uint32_t xof_length;    /* 16 */
+    uint8_t  node_depth;    /* 17 */
+    uint8_t  inner_length;  /* 18 */
+    uint8_t  reserved[14];  /* 32 */
+    uint8_t  salt[BLAKE2B_SALTBYTES]; /* 48 */
+    uint8_t  personal[BLAKE2B_PERSONALBYTES];  /* 64 */
+  });
+
+  typedef struct blake2b_param__ blake2b_param;
+
+  typedef struct blake2xs_state__
+  {
+    blake2s_state S[1];
+    blake2s_param P[1];
+  } blake2xs_state;
+
+  typedef struct blake2xb_state__
+  {
+    blake2b_state S[1];
+    blake2b_param P[1];
+  } blake2xb_state;
+
+  /* Padded structs result in a compile-time error */
+  enum {
+    BLAKE2_DUMMY_1 = 1/(int)(sizeof(blake2s_param) == BLAKE2S_OUTBYTES),
+    BLAKE2_DUMMY_2 = 1/(int)(sizeof(blake2b_param) == BLAKE2B_OUTBYTES)
+  };
+
+  /* Streaming API */
+  int blake2s_init( blake2s_state *S, size_t outlen );
+  int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2s_init_param( blake2s_state *S, const blake2s_param *P );
+  int blake2s_update( blake2s_state *S, const void *in, size_t inlen );
+  int blake2s_final( blake2s_state *S, void *out, size_t outlen );
+
+  int blake2b_init( blake2b_state *S, size_t outlen );
+  int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2b_init_param( blake2b_state *S, const blake2b_param *P );
+  int blake2b_update( blake2b_state *S, const void *in, size_t inlen );
+  int blake2b_final( blake2b_state *S, void *out, size_t outlen );
+
+  int blake2sp_init( blake2sp_state *S, size_t outlen );
+  int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );
+  int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );
+
+  int blake2bp_init( blake2bp_state *S, size_t outlen );
+  int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );
+  int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );
+
+  /* Variable output length API */
+  int blake2xs_init( blake2xs_state *S, const size_t outlen );
+  int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );
+  int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );
+  int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);
+
+  int blake2xb_init( blake2xb_state *S, const size_t outlen );
+  int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );
+  int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );
+  int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);
+
+  /* Simple API */
+  int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  /* This is simply an alias for blake2b */
+  int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff --git a/src/libs/blake2b-ref.c b/src/libs/blake2b-ref.c
new file mode 100644
index 0000000..cd38b1b
--- /dev/null
+++ b/src/libs/blake2b-ref.c
@@ -0,0 +1,379 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves .  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+
+#include 
+#include 
+#include 
+
+#include "blake2.h"
+#include "blake2-impl.h"
+
+static const uint64_t blake2b_IV[8] =
+{
+  0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
+  0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
+  0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
+  0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
+};
+
+static const uint8_t blake2b_sigma[12][16] =
+{
+  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
+  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
+  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
+  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
+  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
+  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
+  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
+  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
+  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
+  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
+  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
+  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
+};
+
+
+static void blake2b_set_lastnode( blake2b_state *S )
+{
+  S->f[1] = (uint64_t)-1;
+}
+
+/* Some helper functions, not necessarily useful */
+static int blake2b_is_lastblock( const blake2b_state *S )
+{
+  return S->f[0] != 0;
+}
+
+static void blake2b_set_lastblock( blake2b_state *S )
+{
+  if( S->last_node ) blake2b_set_lastnode( S );
+
+  S->f[0] = (uint64_t)-1;
+}
+
+static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc )
+{
+  S->t[0] += inc;
+  S->t[1] += ( S->t[0] < inc );
+}
+
+static void blake2b_init0( blake2b_state *S )
+{
+  size_t i;
+  memset( S, 0, sizeof( blake2b_state ) );
+
+  for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
+}
+
+/* init xors IV with input parameter block */
+int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
+{
+  const uint8_t *p = ( const uint8_t * )( P );
+  size_t i;
+
+  blake2b_init0( S );
+
+  /* IV XOR ParamBlock */
+  for( i = 0; i < 8; ++i )
+    S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
+
+  S->outlen = P->digest_length;
+  return 0;
+}
+
+
+
+int blake2b_init( blake2b_state *S, size_t outlen )
+{
+  blake2b_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
+
+  P->digest_length = (uint8_t)outlen;
+  P->key_length    = 0;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store32( &P->node_offset, 0 );
+  store32( &P->xof_length, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  memset( P->reserved, 0, sizeof( P->reserved ) );
+  memset( P->salt,     0, sizeof( P->salt ) );
+  memset( P->personal, 0, sizeof( P->personal ) );
+  return blake2b_init_param( S, P );
+}
+
+
+int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )
+{
+  blake2b_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
+
+  if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
+
+  P->digest_length = (uint8_t)outlen;
+  P->key_length    = (uint8_t)keylen;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store32( &P->node_offset, 0 );
+  store32( &P->xof_length, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  memset( P->reserved, 0, sizeof( P->reserved ) );
+  memset( P->salt,     0, sizeof( P->salt ) );
+  memset( P->personal, 0, sizeof( P->personal ) );
+
+  if( blake2b_init_param( S, P ) < 0 ) return -1;
+
+  {
+    uint8_t block[BLAKE2B_BLOCKBYTES];
+    memset( block, 0, BLAKE2B_BLOCKBYTES );
+    memcpy( block, key, keylen );
+    blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
+    secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
+  }
+  return 0;
+}
+
+#define G(r,i,a,b,c,d)                      \
+  do {                                      \
+    a = a + b + m[blake2b_sigma[r][2*i+0]]; \
+    d = rotr64(d ^ a, 32);                  \
+    c = c + d;                              \
+    b = rotr64(b ^ c, 24);                  \
+    a = a + b + m[blake2b_sigma[r][2*i+1]]; \
+    d = rotr64(d ^ a, 16);                  \
+    c = c + d;                              \
+    b = rotr64(b ^ c, 63);                  \
+  } while(0)
+
+#define ROUND(r)                    \
+  do {                              \
+    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
+    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
+    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
+    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
+    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
+    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
+    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
+    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
+  } while(0)
+
+static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] )
+{
+  uint64_t m[16];
+  uint64_t v[16];
+  size_t i;
+
+  for( i = 0; i < 16; ++i ) {
+    m[i] = load64( block + i * sizeof( m[i] ) );
+  }
+
+  for( i = 0; i < 8; ++i ) {
+    v[i] = S->h[i];
+  }
+
+  v[ 8] = blake2b_IV[0];
+  v[ 9] = blake2b_IV[1];
+  v[10] = blake2b_IV[2];
+  v[11] = blake2b_IV[3];
+  v[12] = blake2b_IV[4] ^ S->t[0];
+  v[13] = blake2b_IV[5] ^ S->t[1];
+  v[14] = blake2b_IV[6] ^ S->f[0];
+  v[15] = blake2b_IV[7] ^ S->f[1];
+
+  ROUND( 0 );
+  ROUND( 1 );
+  ROUND( 2 );
+  ROUND( 3 );
+  ROUND( 4 );
+  ROUND( 5 );
+  ROUND( 6 );
+  ROUND( 7 );
+  ROUND( 8 );
+  ROUND( 9 );
+  ROUND( 10 );
+  ROUND( 11 );
+
+  for( i = 0; i < 8; ++i ) {
+    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+  }
+}
+
+#undef G
+#undef ROUND
+
+int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )
+{
+  const unsigned char * in = (const unsigned char *)pin;
+  if( inlen > 0 )
+  {
+    size_t left = S->buflen;
+    size_t fill = BLAKE2B_BLOCKBYTES - left;
+    if( inlen > fill )
+    {
+      S->buflen = 0;
+      memcpy( S->buf + left, in, fill ); /* Fill buffer */
+      blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
+      blake2b_compress( S, S->buf ); /* Compress */
+      in += fill; inlen -= fill;
+      while(inlen > BLAKE2B_BLOCKBYTES) {
+        blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
+        blake2b_compress( S, in );
+        in += BLAKE2B_BLOCKBYTES;
+        inlen -= BLAKE2B_BLOCKBYTES;
+      }
+    }
+    memcpy( S->buf + S->buflen, in, inlen );
+    S->buflen += inlen;
+  }
+  return 0;
+}
+
+int blake2b_final( blake2b_state *S, void *out, size_t outlen )
+{
+  uint8_t buffer[BLAKE2B_OUTBYTES] = {0};
+  size_t i;
+
+  if( out == NULL || outlen < S->outlen )
+    return -1;
+
+  if( blake2b_is_lastblock( S ) )
+    return -1;
+
+  blake2b_increment_counter( S, S->buflen );
+  blake2b_set_lastblock( S );
+  memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */
+  blake2b_compress( S, S->buf );
+
+  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
+    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
+
+  memcpy( out, buffer, S->outlen );
+  secure_zero_memory(buffer, sizeof(buffer));
+  return 0;
+}
+
+/* inlen, at least, should be uint64_t. Others can be size_t. */
+int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )
+{
+  blake2b_state S[1];
+
+  /* Verify parameters */
+  if ( NULL == in && inlen > 0 ) return -1;
+
+  if ( NULL == out ) return -1;
+
+  if( NULL == key && keylen > 0 ) return -1;
+
+  if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;
+
+  if( keylen > BLAKE2B_KEYBYTES ) return -1;
+
+  if( keylen > 0 )
+  {
+    if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
+  }
+  else
+  {
+    if( blake2b_init( S, outlen ) < 0 ) return -1;
+  }
+
+  blake2b_update( S, ( const uint8_t * )in, inlen );
+  blake2b_final( S, out, outlen );
+  return 0;
+}
+
+int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {
+  return blake2b(out, outlen, in, inlen, key, keylen);
+}
+
+#if defined(SUPERCOP)
+int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
+{
+  return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );
+}
+#endif
+
+#if defined(BLAKE2B_SELFTEST)
+#include 
+#include "blake2-kat.h"
+int main( void )
+{
+  uint8_t key[BLAKE2B_KEYBYTES];
+  uint8_t buf[BLAKE2_KAT_LENGTH];
+  size_t i, step;
+
+  for( i = 0; i < BLAKE2B_KEYBYTES; ++i )
+    key[i] = ( uint8_t )i;
+
+  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
+    buf[i] = ( uint8_t )i;
+
+  /* Test simple API */
+  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
+  {
+    uint8_t hash[BLAKE2B_OUTBYTES];
+    blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );
+
+    if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
+    {
+      goto fail;
+    }
+  }
+
+  /* Test streaming API */
+  for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) {
+    for (i = 0; i < BLAKE2_KAT_LENGTH; ++i) {
+      uint8_t hash[BLAKE2B_OUTBYTES];
+      blake2b_state S;
+      uint8_t * p = buf;
+      size_t mlen = i;
+      int err = 0;
+
+      if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {
+        goto fail;
+      }
+
+      while (mlen >= step) {
+        if ( (err = blake2b_update(&S, p, step)) < 0 ) {
+          goto fail;
+        }
+        mlen -= step;
+        p += step;
+      }
+      if ( (err = blake2b_update(&S, p, mlen)) < 0) {
+        goto fail;
+      }
+      if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {
+        goto fail;
+      }
+
+      if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {
+        goto fail;
+      }
+    }
+  }
+
+  puts( "ok" );
+  return 0;
+fail:
+  puts("error");
+  return -1;
+}
+#endif
diff --git a/src/libs/md4.c b/src/libs/md4.c
deleted file mode 100644
index 2e53711..0000000
--- a/src/libs/md4.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * md4c.c	MD4 message-digest algorithm
- *
- *   License to copy and use this software is granted provided that it
- *   is identified as the "RSA Data Security, Inc. MD4 Message-Digest
- *   Algorithm" in all material mentioning or referencing this software
- *   or this function.
- *
- *   License is also granted to make and use derivative works provided
- *   that such works are identified as "derived from the RSA Data
- *   Security, Inc. MD4 Message-Digest Algorithm" in all material
- *   mentioning or referencing the derived work.
- *
- *   RSA Data Security, Inc. makes no representations concerning either
- *   the merchantability of this software or the suitability of this
- *   software for any particular purpose. It is provided "as is"
- *   without express or implied warranty of any kind.
- *
- *   These notices must be retained in any copies of any part of this
- *   documentation and/or software.
- *
- * Copyright 1990,1991,1992  RSA Data Security, Inc.
- */
-
-
-#include "md4.h"
-
-/* Constants for MD4Transform routine.
- */
-#define S11 3
-#define S12 7
-#define S13 11
-#define S14 19
-#define S21 3
-#define S22 5
-#define S23 9
-#define S24 13
-#define S31 3
-#define S32 9
-#define S33 11
-#define S34 15
-
-static void MD4Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
-static void Encode PROTO_LIST
-  ((unsigned char *, UINT4 *, unsigned int));
-static void Decode PROTO_LIST
-  ((UINT4 *, unsigned char *, unsigned int));
-static void MD4_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
-static void MD4_memset PROTO_LIST ((POINTER, int, unsigned int));
-
-static unsigned char PADDING[64] = {
-  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G and H are basic MD4 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-
-/* ROTATE_LEFT rotates x left n bits.
- */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG and HH are transformations for rounds 1, 2 and 3 */
-/* Rotation is separate from addition to prevent recomputation */
-
-#define FF(a, b, c, d, x, s) { \
-    (a) += F ((b), (c), (d)) + (x); \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-#define GG(a, b, c, d, x, s) { \
-    (a) += G ((b), (c), (d)) + (x) + (UINT4)0x5a827999; \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-#define HH(a, b, c, d, x, s) { \
-    (a) += H ((b), (c), (d)) + (x) + (UINT4)0x6ed9eba1; \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-
-void md4_calc(output, input, inlen)
-unsigned char *output;
-unsigned char *input;                                /* input block */
-unsigned int inlen;                     /* length of input block */
-{
-	MD4_CTX	context;
-
-	MD4Init(&context);
-	MD4Update(&context, input, inlen);
-	MD4Final(output, &context);
-}
-
-/* MD4 initialization. Begins an MD4 operation, writing a new context.
- */
-void MD4Init (context)
-MD4_CTX *context;                                        /* context */
-{
-  context->count[0] = context->count[1] = 0;
-
-  /* Load magic initialization constants.
-   */
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xefcdab89;
-  context->state[2] = 0x98badcfe;
-  context->state[3] = 0x10325476;
-}
-
-/* MD4 block update operation. Continues an MD4 message-digest
-     operation, processing another message block, and updating the
-     context.
- */
-void MD4Update (context, input, inputLen)
-MD4_CTX *context;                                        /* context */
-unsigned char *input;                                /* input block */
-unsigned int inputLen;                     /* length of input block */
-{
-  unsigned int i, index, partLen;
-
-  /* Compute number of bytes mod 64 */
-  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
-  /* Update number of bits */
-  if ((context->count[0] += ((UINT4)inputLen << 3))
-      < ((UINT4)inputLen << 3))
-    context->count[1]++;
-  context->count[1] += ((UINT4)inputLen >> 29);
-
-  partLen = 64 - index;
-
-  /* Transform as many times as possible.
-   */
-  if (inputLen >= partLen) {
-    MD4_memcpy
-      ((POINTER)&context->buffer[index], (POINTER)input, partLen);
-    MD4Transform (context->state, context->buffer);
-
-    for (i = partLen; i + 63 < inputLen; i += 64)
-      MD4Transform (context->state, &input[i]);
-
-    index = 0;
-  }
-  else
-    i = 0;
-
-  /* Buffer remaining input */
-  MD4_memcpy
-    ((POINTER)&context->buffer[index], (POINTER)&input[i],
-     inputLen-i);
-}
-
-/* MD4 finalization. Ends an MD4 message-digest operation, writing the
-     the message digest and zeroizing the context.
- */
-void MD4Final (digest, context)
-unsigned char digest[16];                         /* message digest */
-MD4_CTX *context;                                        /* context */
-{
-  unsigned char bits[8];
-  unsigned int index, padLen;
-
-  /* Save number of bits */
-  Encode (bits, context->count, 8);
-
-  /* Pad out to 56 mod 64.
-   */
-  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
-  padLen = (index < 56) ? (56 - index) : (120 - index);
-  MD4Update (context, PADDING, padLen);
-
-  /* Append length (before padding) */
-  MD4Update (context, bits, 8);
-  /* Store state in digest */
-  Encode (digest, context->state, 16);
-
-  /* Zeroize sensitive information.
-   */
-  MD4_memset ((POINTER)context, 0, sizeof (*context));
-}
-
-/* MD4 basic transformation. Transforms state based on block.
- */
-static void MD4Transform (state, block)
-UINT4 state[4];
-unsigned char block[64];
-{
-  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
-  Decode (x, block, 64);
-
-  /* Round 1 */
-  FF (a, b, c, d, x[ 0], S11); /* 1 */
-  FF (d, a, b, c, x[ 1], S12); /* 2 */
-  FF (c, d, a, b, x[ 2], S13); /* 3 */
-  FF (b, c, d, a, x[ 3], S14); /* 4 */
-  FF (a, b, c, d, x[ 4], S11); /* 5 */
-  FF (d, a, b, c, x[ 5], S12); /* 6 */
-  FF (c, d, a, b, x[ 6], S13); /* 7 */
-  FF (b, c, d, a, x[ 7], S14); /* 8 */
-  FF (a, b, c, d, x[ 8], S11); /* 9 */
-  FF (d, a, b, c, x[ 9], S12); /* 10 */
-  FF (c, d, a, b, x[10], S13); /* 11 */
-  FF (b, c, d, a, x[11], S14); /* 12 */
-  FF (a, b, c, d, x[12], S11); /* 13 */
-  FF (d, a, b, c, x[13], S12); /* 14 */
-  FF (c, d, a, b, x[14], S13); /* 15 */
-  FF (b, c, d, a, x[15], S14); /* 16 */
-
-  /* Round 2 */
-  GG (a, b, c, d, x[ 0], S21); /* 17 */
-  GG (d, a, b, c, x[ 4], S22); /* 18 */
-  GG (c, d, a, b, x[ 8], S23); /* 19 */
-  GG (b, c, d, a, x[12], S24); /* 20 */
-  GG (a, b, c, d, x[ 1], S21); /* 21 */
-  GG (d, a, b, c, x[ 5], S22); /* 22 */
-  GG (c, d, a, b, x[ 9], S23); /* 23 */
-  GG (b, c, d, a, x[13], S24); /* 24 */
-  GG (a, b, c, d, x[ 2], S21); /* 25 */
-  GG (d, a, b, c, x[ 6], S22); /* 26 */
-  GG (c, d, a, b, x[10], S23); /* 27 */
-  GG (b, c, d, a, x[14], S24); /* 28 */
-  GG (a, b, c, d, x[ 3], S21); /* 29 */
-  GG (d, a, b, c, x[ 7], S22); /* 30 */
-  GG (c, d, a, b, x[11], S23); /* 31 */
-  GG (b, c, d, a, x[15], S24); /* 32 */
-
-  /* Round 3 */
-  HH (a, b, c, d, x[ 0], S31); /* 33 */
-  HH (d, a, b, c, x[ 8], S32); /* 34 */
-  HH (c, d, a, b, x[ 4], S33); /* 35 */
-  HH (b, c, d, a, x[12], S34); /* 36 */
-  HH (a, b, c, d, x[ 2], S31); /* 37 */
-  HH (d, a, b, c, x[10], S32); /* 38 */
-  HH (c, d, a, b, x[ 6], S33); /* 39 */
-  HH (b, c, d, a, x[14], S34); /* 40 */
-  HH (a, b, c, d, x[ 1], S31); /* 41 */
-  HH (d, a, b, c, x[ 9], S32); /* 42 */
-  HH (c, d, a, b, x[ 5], S33); /* 43 */
-  HH (b, c, d, a, x[13], S34); /* 44 */
-  HH (a, b, c, d, x[ 3], S31); /* 45 */
-  HH (d, a, b, c, x[11], S32); /* 46 */
-  HH (c, d, a, b, x[ 7], S33); /* 47 */
-  HH (b, c, d, a, x[15], S34); /* 48 */
-
-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
-
-  /* Zeroize sensitive information.
-   */
-  MD4_memset ((POINTER)x, 0, sizeof (x));
-}
-
-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
-     a multiple of 4.
- */
-static void Encode (output, input, len)
-unsigned char *output;
-UINT4 *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4) {
-    output[j] = (unsigned char)(input[i] & 0xff);
-    output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
-    output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
-    output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
-  }
-}
-
-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
-     a multiple of 4.
- */
-static void Decode (output, input, len)
-
-UINT4 *output;
-unsigned char *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4)
-    output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
-      (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
-}
-
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-static void MD4_memcpy (output, input, len)
-POINTER output;
-POINTER input;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
-    output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-static void MD4_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
-    ((char *)output)[i] = (char)value;
-}
diff --git a/src/libs/md4.h b/src/libs/md4.h
deleted file mode 100644
index de07d79..0000000
--- a/src/libs/md4.h
+++ /dev/null
@@ -1,83 +0,0 @@
-#ifndef _LRAD_MD4_H
-#define _LRAD_MD4_H
-
-#ifndef _LRAD_PROTO_H
-#define _LRAD_PROTO_H
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-  function argument prototyping.
-  The following makes PROTOTYPES default to 0 if it has not already
-  been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#  if __STDC__
-#    define PROTOTYPES 1
-#  else
-#    define PROTOTYPES 0
-#  endif
-#endif
-
-/* POINTER defines a generic pointer type */
-typedef unsigned char *POINTER;
-#define _POINTER_T
-
-/* UINT2 defines a two byte word */
-typedef unsigned short int UINT2;
-#define _UINT2_T
-
-/* UINT4 defines a four byte word */
-typedef unsigned int UINT4;
-#define _UINT4_T
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-  returns an empty list.
- */
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else
-#define PROTO_LIST(list) ()
-#endif
-#endif /* _LRAD_PROTO_H */
-
-/* MD4.H - header file for MD4C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-   rights reserved.
-
-   License to copy and use this software is granted provided that it
-   is identified as the "RSA Data Security, Inc. MD4 Message-Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   License is also granted to make and use derivative works provided
-   that such works are identified as "derived from the RSA Data
-   Security, Inc. MD4 Message-Digest Algorithm" in all material
-   mentioning or referencing the derived work.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
- */
-
-/* MD4 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD4_CTX;
-
-void md4_calc (unsigned char *, unsigned char *, unsigned int);
-void MD4Init PROTO_LIST ((MD4_CTX *));
-void MD4Update PROTO_LIST
-  ((MD4_CTX *, unsigned char *, unsigned int));
-void MD4Final PROTO_LIST ((unsigned char [16], MD4_CTX *));
-
-#endif /* _LRAD_MD4_H */
diff --git a/src/libs/md5.c b/src/libs/md5.c
deleted file mode 100644
index f80abcb..0000000
--- a/src/libs/md5.c
+++ /dev/null
@@ -1,345 +0,0 @@
-/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-#include "md5.h"
-
-/* Constants for MD5Transform routine.
- */
-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
-
-void librad_md5_calc(unsigned char *output, unsigned char *input,
-		     unsigned int inputlen);
-static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64]));
-static void Encode PROTO_LIST
-  ((unsigned char *, UINT4 *, unsigned int));
-static void Decode PROTO_LIST
-  ((UINT4 *, const unsigned char *, unsigned int));
-static void MD5_memcpy PROTO_LIST ((POINTER, CONSTPOINTER, unsigned int));
-static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
-
-static const unsigned char PADDING[64] = {
-  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G, H and I are basic MD5 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
-
-/* ROTATE_LEFT rotates x left n bits.
- */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
-Rotation is separate from addition to prevent recomputation.
- */
-#define FF(a, b, c, d, x, s, ac) { \
- (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define GG(a, b, c, d, x, s, ac) { \
- (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define HH(a, b, c, d, x, s, ac) { \
- (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define II(a, b, c, d, x, s, ac) { \
- (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-
-void librad_md5_calc(unsigned char *output, unsigned char *input,
-		     unsigned int inlen)
-{
-	MD5_CTX	context;
-
-	MD5Init(&context);
-	MD5Update(&context, input, inlen);
-	MD5Final(output, &context);
-}
-
-/* MD5 initialization. Begins an MD5 operation, writing a new context.
- */
-void MD5Init (context)
-MD5_CTX *context;                                        /* context */
-{
-  context->count[0] = context->count[1] = 0;
-  /* Load magic initialization constants.
-*/
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xefcdab89;
-  context->state[2] = 0x98badcfe;
-  context->state[3] = 0x10325476;
-}
-
-/* MD5 block update operation. Continues an MD5 message-digest
-  operation, processing another message block, and updating the
-  context.
- */
-void MD5Update (context, input, inputLen)
-MD5_CTX *context;                                        /* context */
-const unsigned char *input;                                /* input block */
-unsigned int inputLen;                     /* length of input block */
-{
-  unsigned int i, index, partLen;
-
-  /* Compute number of bytes mod 64 */
-  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
-
-  /* Update number of bits */
-  if ((context->count[0] += ((UINT4)inputLen << 3))
-   < ((UINT4)inputLen << 3))
- context->count[1]++;
-  context->count[1] += ((UINT4)inputLen >> 29);
-
-  partLen = 64 - index;
-
-  /* Transform as many times as possible.
-*/
-  if (inputLen >= partLen) {
- MD5_memcpy
-   ((POINTER)&context->buffer[index], (CONSTPOINTER)input, partLen);
- MD5Transform (context->state, context->buffer);
-
- for (i = partLen; i + 63 < inputLen; i += 64)
-   MD5Transform (context->state, &input[i]);
-
- index = 0;
-  }
-  else
- i = 0;
-
-  /* Buffer remaining input */
-  MD5_memcpy
- ((POINTER)&context->buffer[index], (CONSTPOINTER)&input[i],
-  inputLen-i);
-}
-
-/* MD5 finalization. Ends an MD5 message-digest operation, writing the
-  the message digest and zeroizing the context.
- */
-void MD5Final (digest, context)
-unsigned char digest[16];                         /* message digest */
-MD5_CTX *context;                                       /* context */
-{
-  unsigned char bits[8];
-  unsigned int index, padLen;
-
-  /* Save number of bits */
-  Encode (bits, context->count, 8);
-
-  /* Pad out to 56 mod 64.
-*/
-  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
-  padLen = (index < 56) ? (56 - index) : (120 - index);
-  MD5Update (context, PADDING, padLen);
-
-  /* Append length (before padding) */
-  MD5Update (context, bits, 8);
-
-  /* Store state in digest */
-  Encode (digest, context->state, 16);
-
-  /* Zeroize sensitive information.
-*/
-  MD5_memset ((POINTER)context, 0, sizeof (*context));
-}
-
-/* MD5 basic transformation. Transforms state based on block.
- */
-static void MD5Transform (state, block)
-UINT4 state[4];
-const unsigned char block[64];
-{
-  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
-  Decode (x, block, 64);
-
-  /* Round 1 */
-  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
-  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
-  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
-  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
-  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
-  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
-  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
-  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
-  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
-  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
-  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
-  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
-  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
-  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
-  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
-  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
-
- /* Round 2 */
-  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
-  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
-  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
-  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
-  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
-  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
-  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
-  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
-  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
-  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
-  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
-  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
-  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
-  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
-  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
-  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
-
-  /* Round 3 */
-  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
-  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
-  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
-  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
-  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
-  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
-  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
-  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
-  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
-  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
-  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
-  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
-  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
-  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
-  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
-  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
-
-  /* Round 4 */
-  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
-  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
-  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
-  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
-  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
-  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
-  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
-  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
-  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
-  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
-  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
-  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
-  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
-  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
-  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
-  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
-
-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
-
-  /* Zeroize sensitive information.
-*/
-  MD5_memset ((POINTER)x, 0, sizeof (x));
-}
-
-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
-  a multiple of 4.
- */
-static void Encode (output, input, len)
-unsigned char *output;
-UINT4 *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4) {
- output[j] = (unsigned char)(input[i] & 0xff);
- output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
- output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
- output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
-  }
-}
-
-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
-  a multiple of 4.
- */
-static void Decode (output, input, len)
-UINT4 *output;
-const unsigned char *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4)
- output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
-   (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
-}
-
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-
-static void MD5_memcpy (output, input, len)
-POINTER output;
-CONSTPOINTER input;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
- output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-static void MD5_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
- ((char *)output)[i] = (char)value;
-}
diff --git a/src/libs/md5.h b/src/libs/md5.h
deleted file mode 100644
index 9209cde..0000000
--- a/src/libs/md5.h
+++ /dev/null
@@ -1,94 +0,0 @@
-#ifndef _LRAD_MD5_H
-#define _LRAD_MD5_H
-
-#ifndef _LRAD_PROTO_H
-#define _LRAD_PROTO_H
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-  function argument prototyping.
-  The following makes PROTOTYPES default to 0 if it has not already
-  been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#  if __STDC__
-#    define PROTOTYPES 1
-#  else
-#    define PROTOTYPES 0
-#  endif
-#endif
-
-/* POINTER defines a generic pointer type */
-#ifndef _POINTER_T
-typedef unsigned char *POINTER;
-#endif
-typedef const unsigned char *CONSTPOINTER;
-
-/* UINT2 defines a two byte word */
-#ifndef _UINT2_T
-typedef unsigned short int UINT2;
-#endif
-
-/* UINT4 defines a four byte word */
-#ifndef _UINT4_T
-typedef unsigned int UINT4;
-#endif
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-  returns an empty list.
- */
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else
-#define PROTO_LIST(list) ()
-#endif
-#endif /* _LRAD_PROTO_H */
-
-/*
- *  FreeRADIUS defines to ensure globally unique MD5 function names,
- *  so that we don't pick up vendor-specific broken MD5 libraries.
- */
-#define MD5_CTX		librad_MD5_CTX
-#define MD5Init		librad_MD5Init
-#define MD5Update	librad_MD5Update
-#define MD5Final       	librad_MD5Final
-
-/* MD5.H - header file for MD5C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((MD5_CTX *));
-void MD5Update PROTO_LIST
-  ((MD5_CTX *, const unsigned char *, unsigned int));
-void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
-#endif /* _LRAD_MD5_H */
diff --git a/src/libs/regex.c b/src/libs/regex.c
deleted file mode 100644
index 82ae70a..0000000
--- a/src/libs/regex.c
+++ /dev/null
@@ -1,3821 +0,0 @@
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "regex.h"
-
-/* utility definitions */
-#ifdef _POSIX2_RE_DUP_MAX
-#define	DUPMAX	_POSIX2_RE_DUP_MAX
-#else
-#define	DUPMAX	255
-#endif
-#define	INFINITY	(DUPMAX + 1)
-#define	NC		(CHAR_MAX - CHAR_MIN + 1)
-typedef unsigned char uch;
-
-/* for old systems with bcopy() but no memmove() */
-#ifdef USEBCOPY
-#define	memmove(d, s, c)	bcopy(s, d, c)
-#endif
-
-#define	MAGIC1	((('r'^0200)<<8) | 'e')
-
-/*
- * The internal representation is a *strip*, a sequence of
- * operators ending with an endmarker.  (Some terminology etc. is a
- * historical relic of earlier versions which used multiple strips.)
- * Certain oddities in the representation are there to permit running
- * the machinery backwards; in particular, any deviation from sequential
- * flow must be marked at both its source and its destination.  Some
- * fine points:
- *
- * - OPLUS_ and O_PLUS are *inside* the loop they create.
- * - OQUEST_ and O_QUEST are *outside* the bypass they create.
- * - OCH_ and O_CH are *outside* the multi-way branch they create, while
- *   OOR1 and OOR2 are respectively the end and the beginning of one of
- *   the branches.  Note that there is an implicit OOR2 following OCH_
- *   and an implicit OOR1 preceding O_CH.
- *
- * In state representations, an operator's bit is on to signify a state
- * immediately *preceding* "execution" of that operator.
- */
-typedef long sop;		/* strip operator */
-typedef long sopno;
-#define	OPRMASK	0x7c000000
-#define	OPDMASK	0x03ffffff
-#define	OPSHIFT	(26)
-#define	OP(n)	((n)&OPRMASK)
-#define	OPND(n)	((n)&OPDMASK)
-#define	SOP(op, opnd)	((op)|(opnd))
-/* operators			   meaning	operand			*/
-/*						(back, fwd are offsets)	*/
-#define	OEND	(1< uch [csetsize] */
-	uch mask;		/* bit within array */
-	uch hash;		/* hash code */
-	size_t smultis;
-	char *multis;		/* -> char[smulti]  ab\0cd\0ef\0\0 */
-} cset;
-/* note that CHadd and CHsub are unsafe, and CHIN doesn't yield 0/1 */
-#define	CHadd(cs, c)	((cs)->ptr[(uch)(c)] |= (cs)->mask, (cs)->hash += (c))
-#define	CHsub(cs, c)	((cs)->ptr[(uch)(c)] &= ~(cs)->mask, (cs)->hash -= (c))
-#define	CHIN(cs, c)	((cs)->ptr[(uch)(c)] & (cs)->mask)
-#define	MCadd(p, cs, cp)	mcadd(p, cs, cp)	/* regcomp() internal fns */
-
-/* stuff for character categories */
-typedef unsigned char cat_t;
-
-/*
- * main compiled-expression structure
- */
-struct re_guts {
-	int magic;
-#		define	MAGIC2	((('R'^0200)<<8)|'E')
-	sop *strip;		/* malloced area for strip */
-	int csetsize;		/* number of bits in a cset vector */
-	int ncsets;		/* number of csets in use */
-	cset *sets;		/* -> cset [ncsets] */
-	uch *setbits;		/* -> uch[csetsize][ncsets/CHAR_BIT] */
-	int cflags;		/* copy of regcomp() cflags argument */
-	sopno nstates;		/* = number of sops */
-	sopno firststate;	/* the initial OEND (normally 0) */
-	sopno laststate;	/* the final OEND */
-	int iflags;		/* internal flags */
-#		define	USEBOL	01	/* used ^ */
-#		define	USEEOL	02	/* used $ */
-#		define	BAD	04	/* something wrong */
-	int nbol;		/* number of ^ used */
-	int neol;		/* number of $ used */
-	int ncategories;	/* how many character categories */
-	cat_t *categories;	/* ->catspace[-CHAR_MIN] */
-	char *must;		/* match must contain this string */
-	int mlen;		/* length of must */
-	size_t nsub;		/* copy of re_nsub */
-	int backrefs;		/* does it use back references? */
-	sopno nplus;		/* how deep does it nest +s? */
-	/* catspace must be last */
-	cat_t catspace[1];	/* actually [NC] */
-};
-
-/* misc utilities */
-#define	OUT	(CHAR_MAX+1)	/* a non-character value */
-#define	ISWORD(c)	(isalnum(c) || (c) == '_')
-
-
-/* character-class table */
-static struct cclass {
-	char *name;
-	char *chars;
-	char *multis;
-} cclasses[] = {
-	{"alnum","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",""},
-	{"alpha",	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",	""},
-	{"blank"," \t",	""},
-	{"cntrl","\007\b\t\n\v\f\r\1\2\3\4\5\6\16\17\20\21\22\23\24\25\26\27\30\31\32\33\34\35\36\37\177",""},
-	{"digit","0123456789",""},
-	{"graph","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",""},
-	{"lower","abcdefghijklmnopqrstuvwxyz",""},
-	{"print","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ",""},
-	{"punct","!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",""},
-	{"space","\t\n\v\f\r ",	""},
-	{"upper","ABCDEFGHIJKLMNOPQRSTUVWXYZ",""},
-	{"xdigit","0123456789ABCDEFabcdef",""},
-	{NULL,NULL,""}
-};
-
-/* character-name table */
-static struct cname {
-	char *name;
-	char code;
-} cnames[] = {
-	{"NUL",	'\0'},
-	{"SOH",	'\001'},
-	{"STX",	'\002'},
-	{"ETX",	'\003'},
-	{"EOT",	'\004'},
-	{"ENQ",	'\005'},
-	{"ACK",	'\006'},
-	{"BEL",	'\007'},
-	{"alert",	'\007'},
-	{"BS",		'\010'},
-	{"backspace",	'\b'},
-	{"HT",		'\011'},
-	{"tab",		'\t'},
-	{"LF",		'\012'},
-	{"newline",	'\n'},
-	{"VT",		'\013'},
-	{"vertical-tab",	'\v'},
-	{"FF",		'\014'},
-	{"form-feed",	'\f'},
-	{"CR",		'\015'},
-	{"carriage-return",	'\r'},
-	{"SO",	'\016'},
-	{"SI",	'\017'},
-	{"DLE",	'\020'},
-	{"DC1",	'\021'},
-	{"DC2",	'\022'},
-	{"DC3",	'\023'},
-	{"DC4",	'\024'},
-	{"NAK",	'\025'},
-	{"SYN",	'\026'},
-	{"ETB",	'\027'},
-	{"CAN",	'\030'},
-	{"EM",	'\031'},
-	{"SUB",	'\032'},
-	{"ESC",	'\033'},
-	{"IS4",	'\034'},
-	{"FS",	'\034'},
-	{"IS3",	'\035'},
-	{"GS",	'\035'},
-	{"IS2",	'\036'},
-	{"RS",	'\036'},
-	{"IS1",	'\037'},
-	{"US",	'\037'},
-	{"space",		' '},
-	{"exclamation-mark",	'!'},
-	{"quotation-mark",	'"'},
-	{"number-sign",		'#'},
-	{"dollar-sign",		'$'},
-	{"percent-sign",		'%'},
-	{"ampersand",		'&'},
-	{"apostrophe",		'\''},
-	{"left-parenthesis",	'('},
-	{"right-parenthesis",	')'},
-	{"asterisk",	'*'},
-	{"plus-sign",	'+'},
-	{"comma",	','},
-	{"hyphen",	'-'},
-	{"hyphen-minus",	'-'},
-	{"period",	'.'},
-	{"full-stop",	'.'},
-	{"slash",	'/'},
-	{"solidus",	'/'},
-	{"zero",		'0'},
-	{"one",		'1'},
-	{"two",		'2'},
-	{"three",	'3'},
-	{"four",		'4'},
-	{"five",		'5'},
-	{"six",		'6'},
-	{"seven",	'7'},
-	{"eight",	'8'},
-	{"nine",		'9'},
-	{"colon",	':'},
-	{"semicolon",	';'},
-	{"less-than-sign",	'<'},
-	{"equals-sign",		'='},
-	{"greater-than-sign",	'>'},
-	{"question-mark",	'?'},
-	{"commercial-at",	'@'},
-	{"left-square-bracket",	'['},
-	{"backslash",		'\\'},
-	{"reverse-solidus",	'\\'},
-	{"right-square-bracket",	']'},
-	{"circumflex",		'^'},
-	{"circumflex-accent",	'^'},
-	{"underscore",		'_'},
-	{"low-line",		'_'},
-	{"grave-accent",		'`'},
-	{"left-brace",		'{'},
-	{"left-curly-bracket",	'{'},
-	{"vertical-line",	'|'},
-	{"right-brace",		'}'},
-	{"right-curly-bracket",	'}'},
-	{"tilde",		'~'},
-	{"DEL",	'\177'},
-	{NULL,	0}
-};
-
-
-/*
- * parse structure, passed up and down to avoid global variables and
- * other clumsinesses
- */
-struct parse {
-	char *next;		/* next character in RE */
-	char *end;		/* end of string (-> NUL normally) */
-	int error;		/* has an error been seen? */
-	sop *strip;		/* malloced strip */
-	sopno ssize;		/* malloced strip size (allocated) */
-	sopno slen;		/* malloced strip length (used) */
-	int ncsalloc;		/* number of csets allocated */
-	struct re_guts *g;
-#	define	NPAREN	10	/* we need to remember () 1-9 for back refs */
-	sopno pbegin[NPAREN];	/* -> ( ([0] unused) */
-	sopno pend[NPAREN];	/* -> ) ([0] unused) */
-};
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-static void p_ere(register struct parse *p, int stop);
-static void p_ere_exp(register struct parse *p);
-static void p_str(register struct parse *p);
-static void p_bre(register struct parse *p, register int end1, register int end2);
-static int p_simp_re(register struct parse *p, int starordinary);
-static int p_count(register struct parse *p);
-static void p_bracket(register struct parse *p);
-static void p_b_term(register struct parse *p, register cset *cs);
-static void p_b_cclass(register struct parse *p, register cset *cs);
-static void p_b_eclass(register struct parse *p, register cset *cs);
-static char p_b_symbol(register struct parse *p);
-static char p_b_coll_elem(register struct parse *p, int endc);
-static char othercase(int ch);
-static void bothcases(register struct parse *p, int ch);
-static void ordinary(register struct parse *p, register int ch);
-static void nonnewline(register struct parse *p);
-static void repeat(register struct parse *p, sopno start, int from, int to);
-static int seterr(register struct parse *p, int e);
-static cset *allocset(register struct parse *p);
-static void freeset(register struct parse *p, register cset *cs);
-static int freezeset(register struct parse *p, register cset *cs);
-static int firstch(register struct parse *p, register cset *cs);
-static int nch(register struct parse *p, register cset *cs);
-static void mcadd(register struct parse *p, register cset *cs, register char *cp);
-static void mcinvert(register struct parse *p, register cset *cs);
-static void mccase(register struct parse *p, register cset *cs);
-static int isinsets(register struct re_guts *g, int c);
-static int samesets(register struct re_guts *g, int c1, int c2);
-static void categorize(struct parse *p, register struct re_guts *g);
-static sopno dupl(register struct parse *p, sopno start, sopno finish);
-static void doemit(register struct parse *p, sop op, size_t opnd);
-static void doinsert(register struct parse *p, sop op, size_t opnd, sopno pos);
-static void dofwd(register struct parse *p, sopno pos, sop value);
-static void enlarge(register struct parse *p, sopno size);
-static void stripsnug(register struct parse *p, register struct re_guts *g);
-static void findmust(register struct parse *p, register struct re_guts *g);
-static sopno pluscount(register struct parse *p, register struct re_guts *g);
-
-#ifdef __cplusplus
-}
-#endif
-
-static char nuls[10];		/* place to point scanner in event of error */
-
-/*
- * macros for use with parse structure
- * BEWARE:  these know that the parse structure is named `p' !!!
- */
-#define	PEEK()	(*p->next)
-#define	PEEK2()	(*(p->next+1))
-#define	MORE()	(p->next < p->end)
-#define	MORE2()	(p->next+1 < p->end)
-#define	SEE(c)	(MORE() && PEEK() == (c))
-#define	SEETWO(a, b)	(MORE() && MORE2() && PEEK() == (a) && PEEK2() == (b))
-#define	EAT(c)	((SEE(c)) ? (NEXT(), 1) : 0)
-#define	EATTWO(a, b)	((SEETWO(a, b)) ? (NEXT2(), 1) : 0)
-#define	NEXT()	(p->next++)
-#define	NEXT2()	(p->next += 2)
-#define	NEXTn(n)	(p->next += (n))
-#define	GETNEXT()	(*p->next++)
-#define	SETERROR(e)	seterr(p, (e))
-#define	REQUIRE(co, e)	((co) || SETERROR(e))
-#define	MUSTSEE(c, e)	(REQUIRE(MORE() && PEEK() == (c), e))
-#define	MUSTEAT(c, e)	(REQUIRE(MORE() && GETNEXT() == (c), e))
-#define	MUSTNOTSEE(c, e)	(REQUIRE(!MORE() || PEEK() != (c), e))
-#define	EMIT(op, sopnd)	doemit(p, (sop)(op), (size_t)(sopnd))
-#define	INSERT(op, pos)	doinsert(p, (sop)(op), HERE()-(pos)+1, pos)
-#define	AHEAD(pos)		dofwd(p, pos, HERE()-(pos))
-#define	ASTERN(sop, pos)	EMIT(sop, HERE()-pos)
-#define	HERE()		(p->slen)
-#define	THERE()		(p->slen - 1)
-#define	THERETHERE()	(p->slen - 2)
-#define	DROP(n)	(p->slen -= (n))
-
-#define	never	0		/* some s have bugs too */
-
-int				/* 0 success, otherwise REG_something */
-regcomp(preg, pattern, cflags)
-regex_t *preg;
-const char *pattern;
-int cflags;
-{
-	struct parse pa;
-	register struct re_guts *g;
-	register struct parse *p = &pa;
-	register int i;
-	register size_t len;
-#define	GOODFLAGS(f)	((f)&~REG_DUMP)
-
-	cflags = GOODFLAGS(cflags);
-	if ((cflags®_EXTENDED) && (cflags®_NOSPEC))
-		return(REG_INVARG);
-
-	if (cflags®_PEND) {
-		if (preg->re_endp < pattern)
-			return(REG_INVARG);
-		len = preg->re_endp - pattern;
-	} else
-		len = strlen((char *)pattern);
-
-	/* do the mallocs early so failure handling is easy */
-	g = (struct re_guts *)malloc(sizeof(struct re_guts) +
-							(NC-1)*sizeof(cat_t));
-	if (g == NULL)
-		return(REG_ESPACE);
-	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
-	p->strip = (sop *)malloc(p->ssize * sizeof(sop));
-	p->slen = 0;
-	if (p->strip == NULL) {
-		free((char *)g);
-		return(REG_ESPACE);
-	}
-
-	/* set things up */
-	p->g = g;
-	p->next = (char *)pattern;	/* convenience; we do not modify it */
-	p->end = p->next + len;
-	p->error = 0;
-	p->ncsalloc = 0;
-	for (i = 0; i < NPAREN; i++) {
-		p->pbegin[i] = 0;
-		p->pend[i] = 0;
-	}
-	g->csetsize = NC;
-	g->sets = NULL;
-	g->setbits = NULL;
-	g->ncsets = 0;
-	g->cflags = cflags;
-	g->iflags = 0;
-	g->nbol = 0;
-	g->neol = 0;
-	g->must = NULL;
-	g->mlen = 0;
-	g->nsub = 0;
-	g->ncategories = 1;	/* category 0 is "everything else" */
-	g->categories = &g->catspace[-(CHAR_MIN)];
-	(void) memset((char *)g->catspace, 0, NC*sizeof(cat_t));
-	g->backrefs = 0;
-
-	/* do it */
-	EMIT(OEND, 0);
-	g->firststate = THERE();
-	if (cflags®_EXTENDED)
-		p_ere(p, OUT);
-	else if (cflags®_NOSPEC)
-		p_str(p);
-	else
-		p_bre(p, OUT, OUT);
-	EMIT(OEND, 0);
-	g->laststate = THERE();
-
-	/* tidy up loose ends and fill things in */
-	categorize(p, g);
-	stripsnug(p, g);
-	findmust(p, g);
-	g->nplus = pluscount(p, g);
-	g->magic = MAGIC2;
-	preg->re_nsub = g->nsub;
-	preg->re_g = g;
-	preg->re_magic = MAGIC1;
-	/* not debugging, so can't rely on the assert() in regexec() */
-	if (g->iflags&BAD)
-		SETERROR(REG_ASSERT);
-
-	/* win or lose, we're done */
-	if (p->error != 0)	/* lose */
-		regfree(preg);
-	return(p->error);
-#undef GOODFLAGS
-}
-
-/*
- - p_ere - ERE parser top level, concatenation and alternation
- == static void p_ere(register struct parse *p, int stop);
- */
-static void
-p_ere(p, stop)
-register struct parse *p;
-int stop;			/* character this ERE should end at */
-{
-	register char c;
-	register sopno prevback;
-	register sopno prevfwd;
-	register sopno conc;
-	register int first = 1;		/* is this the first alternative? */
-
-	for (;;) {
-		/* do a bunch of concatenated expressions */
-		conc = HERE();
-		while (MORE() && (c = PEEK()) != '|' && c != stop)
-			p_ere_exp(p);
-		REQUIRE(HERE() != conc, REG_EMPTY);	/* require nonempty */
-
-		if (!EAT('|'))
-			break;		/* NOTE BREAK OUT */
-
-		if (first) {
-			INSERT(OCH_, conc);	/* offset is wrong */
-			prevfwd = conc;
-			prevback = conc;
-			first = 0;
-		}
-		ASTERN(OOR1, prevback);
-		prevback = THERE();
-		AHEAD(prevfwd);			/* fix previous offset */
-		prevfwd = HERE();
-		EMIT(OOR2, 0);			/* offset is very wrong */
-	}
-
-	if (!first) {		/* tail-end fixups */
-		AHEAD(prevfwd);
-		ASTERN(O_CH, prevback);
-	}
-
-	assert(!MORE() || SEE(stop));
-}
-
-/*
- - p_ere_exp - parse one subERE, an atom possibly followed by a repetition op
- == static void p_ere_exp(register struct parse *p);
- */
-static void
-p_ere_exp(p)
-register struct parse *p;
-{
-	register char c;
-	register sopno pos;
-	register int count;
-	register int count2;
-	register sopno subno;
-	int wascaret = 0;
-
-	assert(MORE());		/* caller should have ensured this */
-	c = GETNEXT();
-
-	pos = HERE();
-	switch (c) {
-	case '(':
-		REQUIRE(MORE(), REG_EPAREN);
-		p->g->nsub++;
-		subno = p->g->nsub;
-		if (subno < NPAREN)
-			p->pbegin[subno] = HERE();
-		EMIT(OLPAREN, subno);
-		if (!SEE(')'))
-			p_ere(p, ')');
-		if (subno < NPAREN) {
-			p->pend[subno] = HERE();
-			assert(p->pend[subno] != 0);
-		}
-		EMIT(ORPAREN, subno);
-		MUSTEAT(')', REG_EPAREN);
-		break;
-	case '^':
-		EMIT(OBOL, 0);
-		p->g->iflags |= USEBOL;
-		p->g->nbol++;
-		wascaret = 1;
-		break;
-	case '$':
-		EMIT(OEOL, 0);
-		p->g->iflags |= USEEOL;
-		p->g->neol++;
-		break;
-	case '|':
-		SETERROR(REG_EMPTY);
-		break;
-	case '*':
-	case '+':
-	case '?':
-		SETERROR(REG_BADRPT);
-		break;
-	case '.':
-		if (p->g->cflags®_NEWLINE)
-			nonnewline(p);
-		else
-			EMIT(OANY, 0);
-		break;
-	case '[':
-		p_bracket(p);
-		break;
-	case '\\':
-		REQUIRE(MORE(), REG_EESCAPE);
-		c = GETNEXT();
-		ordinary(p, c);
-		break;
-	case '{':		/* okay as ordinary except if digit follows */
-		REQUIRE(!MORE() || !isdigit(PEEK()), REG_BADRPT);
-		/* FALLTHROUGH */
-	default:
-		ordinary(p, c);
-		break;
-	}
-
-	if (!MORE())
-		return;
-	c = PEEK();
-	/* we call { a repetition if followed by a digit */
-	if (!( c == '*' || c == '+' || c == '?' ||
-				(c == '{' && MORE2() && isdigit(PEEK2())) ))
-		return;		/* no repetition, we're done */
-	NEXT();
-
-	REQUIRE(!wascaret, REG_BADRPT);
-	switch (c) {
-	case '*':	/* implemented as +? */
-		/* this case does not require the (y|) trick, noKLUDGE */
-		INSERT(OPLUS_, pos);
-		ASTERN(O_PLUS, pos);
-		INSERT(OQUEST_, pos);
-		ASTERN(O_QUEST, pos);
-		break;
-	case '+':
-		INSERT(OPLUS_, pos);
-		ASTERN(O_PLUS, pos);
-		break;
-	case '?':
-		/* KLUDGE: emit y? as (y|) until subtle bug gets fixed */
-		INSERT(OCH_, pos);		/* offset slightly wrong */
-		ASTERN(OOR1, pos);		/* this one's right */
-		AHEAD(pos);			/* fix the OCH_ */
-		EMIT(OOR2, 0);			/* offset very wrong... */
-		AHEAD(THERE());			/* ...so fix it */
-		ASTERN(O_CH, THERETHERE());
-		break;
-	case '{':
-		count = p_count(p);
-		if (EAT(',')) {
-			if (isdigit(PEEK())) {
-				count2 = p_count(p);
-				REQUIRE(count <= count2, REG_BADBR);
-			} else		/* single number with comma */
-				count2 = INFINITY;
-		} else		/* just a single number */
-			count2 = count;
-		repeat(p, pos, count, count2);
-		if (!EAT('}')) {	/* error heuristics */
-			while (MORE() && PEEK() != '}')
-				NEXT();
-			REQUIRE(MORE(), REG_EBRACE);
-			SETERROR(REG_BADBR);
-		}
-		break;
-	}
-
-	if (!MORE())
-		return;
-	c = PEEK();
-	if (!( c == '*' || c == '+' || c == '?' ||
-				(c == '{' && MORE2() && isdigit(PEEK2())) ) )
-		return;
-	SETERROR(REG_BADRPT);
-}
-
-/*
- - p_str - string (no metacharacters) "parser"
- == static void p_str(register struct parse *p);
- */
-static void
-p_str(p)
-register struct parse *p;
-{
-	REQUIRE(MORE(), REG_EMPTY);
-	while (MORE())
-		ordinary(p, GETNEXT());
-}
-
-/*
- - p_bre - BRE parser top level, anchoring and concatenation
- == static void p_bre(register struct parse *p, register int end1, \
- ==	register int end2);
- * Giving end1 as OUT essentially eliminates the end1/end2 check.
- *
- * This implementation is a bit of a kludge, in that a trailing $ is first
- * taken as an ordinary character and then revised to be an anchor.  The
- * only undesirable side effect is that '$' gets included as a character
- * category in such cases.  This is fairly harmless; not worth fixing.
- * The amount of lookahead needed to avoid this kludge is excessive.
- */
-static void
-p_bre(p, end1, end2)
-register struct parse *p;
-register int end1;		/* first terminating character */
-register int end2;		/* second terminating character */
-{
-	register sopno start = HERE();
-	register int first = 1;			/* first subexpression? */
-	register int wasdollar = 0;
-
-	if (EAT('^')) {
-		EMIT(OBOL, 0);
-		p->g->iflags |= USEBOL;
-		p->g->nbol++;
-	}
-	while (MORE() && !SEETWO(end1, end2)) {
-		wasdollar = p_simp_re(p, first);
-		first = 0;
-	}
-	if (wasdollar) {	/* oops, that was a trailing anchor */
-		DROP(1);
-		EMIT(OEOL, 0);
-		p->g->iflags |= USEEOL;
-		p->g->neol++;
-	}
-
-	REQUIRE(HERE() != start, REG_EMPTY);	/* require nonempty */
-}
-
-/*
- - p_simp_re - parse a simple RE, an atom possibly followed by a repetition
- == static int p_simp_re(register struct parse *p, int starordinary);
- */
-static int			/* was the simple RE an unbackslashed $? */
-p_simp_re(p, starordinary)
-register struct parse *p;
-int starordinary;		/* is a leading * an ordinary character? */
-{
-	register int c;
-	register int count;
-	register int count2;
-	register sopno pos;
-	register int i;
-	register sopno subno;
-#	define	BACKSL	(1<g->cflags®_NEWLINE)
-			nonnewline(p);
-		else
-			EMIT(OANY, 0);
-		break;
-	case '[':
-		p_bracket(p);
-		break;
-	case BACKSL|'{':
-		SETERROR(REG_BADRPT);
-		break;
-	case BACKSL|'(':
-		p->g->nsub++;
-		subno = p->g->nsub;
-		if (subno < NPAREN)
-			p->pbegin[subno] = HERE();
-		EMIT(OLPAREN, subno);
-		/* the MORE here is an error heuristic */
-		if (MORE() && !SEETWO('\\', ')'))
-			p_bre(p, '\\', ')');
-		if (subno < NPAREN) {
-			p->pend[subno] = HERE();
-			assert(p->pend[subno] != 0);
-		}
-		EMIT(ORPAREN, subno);
-		REQUIRE(EATTWO('\\', ')'), REG_EPAREN);
-		break;
-	case BACKSL|')':	/* should not get here -- must be user */
-	case BACKSL|'}':
-		SETERROR(REG_EPAREN);
-		break;
-	case BACKSL|'1':
-	case BACKSL|'2':
-	case BACKSL|'3':
-	case BACKSL|'4':
-	case BACKSL|'5':
-	case BACKSL|'6':
-	case BACKSL|'7':
-	case BACKSL|'8':
-	case BACKSL|'9':
-		i = (c&~BACKSL) - '0';
-		assert(i < NPAREN);
-		if (p->pend[i] != 0) {
-			assert(i <= p->g->nsub);
-			EMIT(OBACK_, i);
-			assert(p->pbegin[i] != 0);
-			assert(OP(p->strip[p->pbegin[i]]) == OLPAREN);
-			assert(OP(p->strip[p->pend[i]]) == ORPAREN);
-			(void) dupl(p, p->pbegin[i]+1, p->pend[i]);
-			EMIT(O_BACK, i);
-		} else
-			SETERROR(REG_ESUBREG);
-		p->g->backrefs = 1;
-		break;
-	case '*':
-		REQUIRE(starordinary, REG_BADRPT);
-		/* FALLTHROUGH */
-	default:
-		ordinary(p, (char)c);	/* takes off BACKSL, if any */
-		break;
-	}
-
-	if (EAT('*')) {		/* implemented as +? */
-		/* this case does not require the (y|) trick, noKLUDGE */
-		INSERT(OPLUS_, pos);
-		ASTERN(O_PLUS, pos);
-		INSERT(OQUEST_, pos);
-		ASTERN(O_QUEST, pos);
-	} else if (EATTWO('\\', '{')) {
-		count = p_count(p);
-		if (EAT(',')) {
-			if (MORE() && isdigit(PEEK())) {
-				count2 = p_count(p);
-				REQUIRE(count <= count2, REG_BADBR);
-			} else		/* single number with comma */
-				count2 = INFINITY;
-		} else		/* just a single number */
-			count2 = count;
-		repeat(p, pos, count, count2);
-		if (!EATTWO('\\', '}')) {	/* error heuristics */
-			while (MORE() && !SEETWO('\\', '}'))
-				NEXT();
-			REQUIRE(MORE(), REG_EBRACE);
-			SETERROR(REG_BADBR);
-		}
-	} else if (c == (unsigned char)'$')	/* $ (but not \$) ends it */
-		return(1);
-
-	return(0);
-}
-
-/*
- - p_count - parse a repetition count
- == static int p_count(register struct parse *p);
- */
-static int			/* the value */
-p_count(p)
-register struct parse *p;
-{
-	register int count = 0;
-	register int ndigits = 0;
-
-	while (MORE() && isdigit(PEEK()) && count <= DUPMAX) {
-		count = count*10 + (GETNEXT() - '0');
-		ndigits++;
-	}
-
-	REQUIRE(ndigits > 0 && count <= DUPMAX, REG_BADBR);
-	return(count);
-}
-
-/*
- - p_bracket - parse a bracketed character list
- == static void p_bracket(register struct parse *p);
- *
- * Note a significant property of this code:  if the allocset() did SETERROR,
- * no set operations are done.
- */
-static void
-p_bracket(p)
-register struct parse *p;
-{
-	register cset *cs = allocset(p);
-	register int invert = 0;
-
-	/* Dept of Truly Sickening Special-Case Kludges */
-	if (p->next + 5 < p->end && strncmp(p->next, "[:<:]]", 6) == 0) {
-		EMIT(OBOW, 0);
-		NEXTn(6);
-		return;
-	}
-	if (p->next + 5 < p->end && strncmp(p->next, "[:>:]]", 6) == 0) {
-		EMIT(OEOW, 0);
-		NEXTn(6);
-		return;
-	}
-
-	if (EAT('^'))
-		invert++;	/* make note to invert set at end */
-	if (EAT(']'))
-		CHadd(cs, ']');
-	else if (EAT('-'))
-		CHadd(cs, '-');
-	while (MORE() && PEEK() != ']' && !SEETWO('-', ']'))
-		p_b_term(p, cs);
-	if (EAT('-'))
-		CHadd(cs, '-');
-	MUSTEAT(']', REG_EBRACK);
-
-	if (p->error != 0)	/* don't mess things up further */
-		return;
-
-	if (p->g->cflags®_ICASE) {
-		register int i;
-		register int ci;
-
-		for (i = p->g->csetsize - 1; i >= 0; i--)
-			if (CHIN(cs, i) && isalpha(i)) {
-				ci = othercase(i);
-				if (ci != i)
-					CHadd(cs, ci);
-			}
-		if (cs->multis != NULL)
-			mccase(p, cs);
-	}
-	if (invert) {
-		register int i;
-
-		for (i = p->g->csetsize - 1; i >= 0; i--)
-			if (CHIN(cs, i))
-				CHsub(cs, i);
-			else
-				CHadd(cs, i);
-		if (p->g->cflags®_NEWLINE)
-			CHsub(cs, '\n');
-		if (cs->multis != NULL)
-			mcinvert(p, cs);
-	}
-
-	assert(cs->multis == NULL);		/* xxx */
-
-	if (nch(p, cs) == 1) {		/* optimize singleton sets */
-		ordinary(p, firstch(p, cs));
-		freeset(p, cs);
-	} else
-		EMIT(OANYOF, freezeset(p, cs));
-}
-
-/*
- - p_b_term - parse one term of a bracketed character list
- == static void p_b_term(register struct parse *p, register cset *cs);
- */
-static void
-p_b_term(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register char c;
-	register char start, finish;
-	register int i;
-
-	/* classify what we've got */
-	switch ((MORE()) ? PEEK() : '\0') {
-	case '[':
-		c = (MORE2()) ? PEEK2() : '\0';
-		break;
-	case '-':
-		SETERROR(REG_ERANGE);
-		return;			/* NOTE RETURN */
-		break;
-	default:
-		c = '\0';
-		break;
-	}
-
-	switch (c) {
-	case ':':		/* character class */
-		NEXT2();
-		REQUIRE(MORE(), REG_EBRACK);
-		c = PEEK();
-		REQUIRE(c != '-' && c != ']', REG_ECTYPE);
-		p_b_cclass(p, cs);
-		REQUIRE(MORE(), REG_EBRACK);
-		REQUIRE(EATTWO(':', ']'), REG_ECTYPE);
-		break;
-	case '=':		/* equivalence class */
-		NEXT2();
-		REQUIRE(MORE(), REG_EBRACK);
-		c = PEEK();
-		REQUIRE(c != '-' && c != ']', REG_ECOLLATE);
-		p_b_eclass(p, cs);
-		REQUIRE(MORE(), REG_EBRACK);
-		REQUIRE(EATTWO('=', ']'), REG_ECOLLATE);
-		break;
-	default:		/* symbol, ordinary character, or range */
-/* xxx revision needed for multichar stuff */
-		start = p_b_symbol(p);
-		if (SEE('-') && MORE2() && PEEK2() != ']') {
-			/* range */
-			NEXT();
-			if (EAT('-'))
-				finish = '-';
-			else
-				finish = p_b_symbol(p);
-		} else
-			finish = start;
-/* xxx what about signed chars here... */
-		REQUIRE(start <= finish, REG_ERANGE);
-		for (i = start; i <= finish; i++)
-			CHadd(cs, i);
-		break;
-	}
-}
-
-/*
- - p_b_cclass - parse a character-class name and deal with it
- == static void p_b_cclass(register struct parse *p, register cset *cs);
- */
-static void
-p_b_cclass(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register char *sp = p->next;
-	register struct cclass *cp;
-	register size_t len;
-	register char *u;
-	register char c;
-
-	while (MORE() && isalpha(PEEK()))
-		NEXT();
-	len = p->next - sp;
-	for (cp = cclasses; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
-			break;
-	if (cp->name == NULL) {
-		/* oops, didn't find it */
-		SETERROR(REG_ECTYPE);
-		return;
-	}
-
-	u = cp->chars;
-	while ((c = *u++) != '\0')
-		CHadd(cs, c);
-	for (u = cp->multis; *u != '\0'; u += strlen(u) + 1)
-		MCadd(p, cs, u);
-}
-
-/*
- - p_b_eclass - parse an equivalence-class name and deal with it
- == static void p_b_eclass(register struct parse *p, register cset *cs);
- *
- * This implementation is incomplete. xxx
- */
-static void
-p_b_eclass(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register char c;
-
-	c = p_b_coll_elem(p, '=');
-	CHadd(cs, c);
-}
-
-/*
- - p_b_symbol - parse a character or [..]ed multicharacter collating symbol
- == static char p_b_symbol(register struct parse *p);
- */
-static char			/* value of symbol */
-p_b_symbol(p)
-register struct parse *p;
-{
-	register char value;
-
-	REQUIRE(MORE(), REG_EBRACK);
-	if (!EATTWO('[', '.'))
-		return(GETNEXT());
-
-	/* collating symbol */
-	value = p_b_coll_elem(p, '.');
-	REQUIRE(EATTWO('.', ']'), REG_ECOLLATE);
-	return(value);
-}
-
-/*
- - p_b_coll_elem - parse a collating-element name and look it up
- == static char p_b_coll_elem(register struct parse *p, int endc);
- */
-static char			/* value of collating element */
-p_b_coll_elem(p, endc)
-register struct parse *p;
-int endc;			/* name ended by endc,']' */
-{
-	register char *sp = p->next;
-	register struct cname *cp;
-	register int len;
-
-	while (MORE() && !SEETWO(endc, ']'))
-		NEXT();
-	if (!MORE()) {
-		SETERROR(REG_EBRACK);
-		return(0);
-	}
-	len = p->next - sp;
-	for (cp = cnames; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
-			return(cp->code);	/* known name */
-	if (len == 1)
-		return(*sp);	/* single character */
-	SETERROR(REG_ECOLLATE);			/* neither */
-	return(0);
-}
-
-/*
- - othercase - return the case counterpart of an alphabetic
- == static char othercase(int ch);
- */
-static char			/* if no counterpart, return ch */
-othercase(ch)
-int ch;
-{
-	assert(isalpha(ch));
-	if (isupper(ch))
-		return(tolower(ch));
-	else if (islower(ch))
-		return(toupper(ch));
-	else			/* peculiar, but could happen */
-		return(ch);
-}
-
-/*
- - bothcases - emit a dualcase version of a two-case character
- == static void bothcases(register struct parse *p, int ch);
- *
- * Boy, is this implementation ever a kludge...
- */
-static void
-bothcases(p, ch)
-register struct parse *p;
-int ch;
-{
-	register char *oldnext = p->next;
-	register char *oldend = p->end;
-	char bracket[3];
-
-	assert(othercase(ch) != ch);	/* p_bracket() would recurse */
-	p->next = bracket;
-	p->end = bracket+2;
-	bracket[0] = ch;
-	bracket[1] = ']';
-	bracket[2] = '\0';
-	p_bracket(p);
-	assert(p->next == bracket+2);
-	p->next = oldnext;
-	p->end = oldend;
-}
-
-/*
- - ordinary - emit an ordinary character
- == static void ordinary(register struct parse *p, register int ch);
- */
-static void
-ordinary(p, ch)
-register struct parse *p;
-register int ch;
-{
-	register cat_t *cap = p->g->categories;
-
-	if ((p->g->cflags®_ICASE) && isalpha(ch) && othercase(ch) != ch)
-		bothcases(p, ch);
-	else {
-		EMIT(OCHAR, (unsigned char)ch);
-		if (cap[ch] == 0)
-			cap[ch] = p->g->ncategories++;
-	}
-}
-
-/*
- - nonnewline - emit REG_NEWLINE version of OANY
- == static void nonnewline(register struct parse *p);
- *
- * Boy, is this implementation ever a kludge...
- */
-static void
-nonnewline(p)
-register struct parse *p;
-{
-	register char *oldnext = p->next;
-	register char *oldend = p->end;
-	char bracket[4];
-
-	p->next = bracket;
-	p->end = bracket+3;
-	bracket[0] = '^';
-	bracket[1] = '\n';
-	bracket[2] = ']';
-	bracket[3] = '\0';
-	p_bracket(p);
-	assert(p->next == bracket+3);
-	p->next = oldnext;
-	p->end = oldend;
-}
-
-/*
- - repeat - generate code for a bounded repetition, recursively if needed
- == static void repeat(register struct parse *p, sopno start, int from, int to);
- */
-static void
-repeat(p, start, from, to)
-register struct parse *p;
-sopno start;			/* operand from here to end of strip */
-int from;			/* repeated from this number */
-int to;				/* to this number of times (maybe INFINITY) */
-{
-	register sopno finish = HERE();
-#	define	N	2
-#	define	INF	3
-#	define	REP(f, t)	((f)*8 + (t))
-#	define	MAP(n)	(((n) <= 1) ? (n) : ((n) == INFINITY) ? INF : N)
-	register sopno copy;
-
-	if (p->error != 0)	/* head off possible runaway recursion */
-		return;
-
-	assert(from <= to);
-
-	switch (REP(MAP(from), MAP(to))) {
-	case REP(0, 0):			/* must be user doing this */
-		DROP(finish-start);	/* drop the operand */
-		break;
-	case REP(0, 1):			/* as x{1,1}? */
-	case REP(0, N):			/* as x{1,n}? */
-	case REP(0, INF):		/* as x{1,}? */
-		/* KLUDGE: emit y? as (y|) until subtle bug gets fixed */
-		INSERT(OCH_, start);		/* offset is wrong... */
-		repeat(p, start+1, 1, to);
-		ASTERN(OOR1, start);
-		AHEAD(start);			/* ... fix it */
-		EMIT(OOR2, 0);
-		AHEAD(THERE());
-		ASTERN(O_CH, THERETHERE());
-		break;
-	case REP(1, 1):			/* trivial case */
-		/* done */
-		break;
-	case REP(1, N):			/* as x?x{1,n-1} */
-		/* KLUDGE: emit y? as (y|) until subtle bug gets fixed */
-		INSERT(OCH_, start);
-		ASTERN(OOR1, start);
-		AHEAD(start);
-		EMIT(OOR2, 0);			/* offset very wrong... */
-		AHEAD(THERE());			/* ...so fix it */
-		ASTERN(O_CH, THERETHERE());
-		copy = dupl(p, start+1, finish+1);
-		assert(copy == finish+4);
-		repeat(p, copy, 1, to-1);
-		break;
-	case REP(1, INF):		/* as x+ */
-		INSERT(OPLUS_, start);
-		ASTERN(O_PLUS, start);
-		break;
-	case REP(N, N):			/* as xx{m-1,n-1} */
-		copy = dupl(p, start, finish);
-		repeat(p, copy, from-1, to-1);
-		break;
-	case REP(N, INF):		/* as xx{n-1,INF} */
-		copy = dupl(p, start, finish);
-		repeat(p, copy, from-1, to);
-		break;
-	default:			/* "can't happen" */
-		SETERROR(REG_ASSERT);	/* just in case */
-		break;
-	}
-}
-
-/*
- - seterr - set an error condition
- == static int seterr(register struct parse *p, int e);
- */
-static int			/* useless but makes type checking happy */
-seterr(p, e)
-register struct parse *p;
-int e;
-{
-	if (p->error == 0)	/* keep earliest error condition */
-		p->error = e;
-	p->next = nuls;		/* try to bring things to a halt */
-	p->end = nuls;
-	return(0);		/* make the return value well-defined */
-}
-
-/*
- - allocset - allocate a set of characters for []
- == static cset *allocset(register struct parse *p);
- */
-static cset *
-allocset(p)
-register struct parse *p;
-{
-	register int no = p->g->ncsets++;
-	register size_t nc;
-	register size_t nbytes;
-	register cset *cs;
-	register size_t css = (size_t)p->g->csetsize;
-	register int i;
-
-	if (no >= p->ncsalloc) {	/* need another column of space */
-		p->ncsalloc += CHAR_BIT;
-		nc = p->ncsalloc;
-		assert(nc % CHAR_BIT == 0);
-		nbytes = nc / CHAR_BIT * css;
-		if (p->g->sets == NULL)
-			p->g->sets = (cset *)malloc(nc * sizeof(cset));
-		else
-			p->g->sets = (cset *)realloc((char *)p->g->sets,
-							nc * sizeof(cset));
-		if (p->g->setbits == NULL)
-			p->g->setbits = (uch *)malloc(nbytes);
-		else {
-			p->g->setbits = (uch *)realloc((char *)p->g->setbits,
-								nbytes);
-			/* xxx this isn't right if setbits is now NULL */
-			for (i = 0; i < no; i++)
-				p->g->sets[i].ptr = p->g->setbits + css*(i/CHAR_BIT);
-		}
-		if (p->g->sets != NULL && p->g->setbits != NULL)
-			(void) memset((char *)p->g->setbits + (nbytes - css),
-								0, css);
-		else {
-			no = 0;
-			SETERROR(REG_ESPACE);
-			/* caller's responsibility not to do set ops */
-		}
-	}
-
-	assert(p->g->sets != NULL);	/* xxx */
-	cs = &p->g->sets[no];
-	cs->ptr = p->g->setbits + css*((no)/CHAR_BIT);
-	cs->mask = 1 << ((no) % CHAR_BIT);
-	cs->hash = 0;
-	cs->smultis = 0;
-	cs->multis = NULL;
-
-	return(cs);
-}
-
-/*
- - freeset - free a now-unused set
- == static void freeset(register struct parse *p, register cset *cs);
- */
-static void
-freeset(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register int i;
-	register cset *top = &p->g->sets[p->g->ncsets];
-	register size_t css = (size_t)p->g->csetsize;
-
-	for (i = 0; i < css; i++)
-		CHsub(cs, i);
-	if (cs == top-1)	/* recover only the easy case */
-		p->g->ncsets--;
-}
-
-/*
- - freezeset - final processing on a set of characters
- == static int freezeset(register struct parse *p, register cset *cs);
- *
- * The main task here is merging identical sets.  This is usually a waste
- * of time (although the hash code minimizes the overhead), but can win
- * big if REG_ICASE is being used.  REG_ICASE, by the way, is why the hash
- * is done using addition rather than xor -- all ASCII [aA] sets xor to
- * the same value!
- */
-static int			/* set number */
-freezeset(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register uch h = cs->hash;
-	register int i;
-	register cset *top = &p->g->sets[p->g->ncsets];
-	register cset *cs2;
-	register size_t css = (size_t)p->g->csetsize;
-
-	/* look for an earlier one which is the same */
-	for (cs2 = &p->g->sets[0]; cs2 < top; cs2++)
-		if (cs2->hash == h && cs2 != cs) {
-			/* maybe */
-			for (i = 0; i < css; i++)
-				if (!!CHIN(cs2, i) != !!CHIN(cs, i))
-					break;		/* no */
-			if (i == css)
-				break;			/* yes */
-		}
-
-	if (cs2 < top) {	/* found one */
-		freeset(p, cs);
-		cs = cs2;
-	}
-
-	return((int)(cs - p->g->sets));
-}
-
-/*
- - firstch - return first character in a set (which must have at least one)
- == static int firstch(register struct parse *p, register cset *cs);
- */
-static int			/* character; there is no "none" value */
-firstch(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register int i;
-	register size_t css = (size_t)p->g->csetsize;
-
-	for (i = 0; i < css; i++)
-		if (CHIN(cs, i))
-			return((char)i);
-	assert(never);
-	return(0);		/* arbitrary */
-}
-
-/*
- - nch - number of characters in a set
- == static int nch(register struct parse *p, register cset *cs);
- */
-static int
-nch(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	register int i;
-	register size_t css = (size_t)p->g->csetsize;
-	register int n = 0;
-
-	for (i = 0; i < css; i++)
-		if (CHIN(cs, i))
-			n++;
-	return(n);
-}
-
-/*
- - mcadd - add a collating element to a cset
- == static void mcadd(register struct parse *p, register cset *cs, \
- ==	register char *cp);
- */
-static void
-mcadd(p, cs, cp)
-register struct parse *p;
-register cset *cs;
-register char *cp;
-{
-	register size_t oldend = cs->smultis;
-
-	cs->smultis += strlen(cp) + 1;
-	if (cs->multis == NULL)
-		cs->multis = malloc(cs->smultis);
-	else
-		cs->multis = realloc(cs->multis, cs->smultis);
-	if (cs->multis == NULL) {
-		SETERROR(REG_ESPACE);
-		return;
-	}
-
-	(void) strcpy(cs->multis + oldend - 1, cp);
-	cs->multis[cs->smultis - 1] = '\0';
-}
-
-/*
- - mcinvert - invert the list of collating elements in a cset
- == static void mcinvert(register struct parse *p, register cset *cs);
- *
- * This would have to know the set of possibilities.  Implementation
- * is deferred.
- */
-static void
-mcinvert(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	assert(cs->multis == NULL);	/* xxx */
-}
-
-/*
- - mccase - add case counterparts of the list of collating elements in a cset
- == static void mccase(register struct parse *p, register cset *cs);
- *
- * This would have to know the set of possibilities.  Implementation
- * is deferred.
- */
-static void
-mccase(p, cs)
-register struct parse *p;
-register cset *cs;
-{
-	assert(cs->multis == NULL);	/* xxx */
-}
-
-/*
- - isinsets - is this character in any sets?
- == static int isinsets(register struct re_guts *g, int c);
- */
-static int			/* predicate */
-isinsets(g, c)
-register struct re_guts *g;
-int c;
-{
-	register uch *col;
-	register int i;
-	register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
-	register unsigned uc = (unsigned char)c;
-
-	for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
-		if (col[uc] != 0)
-			return(1);
-	return(0);
-}
-
-/*
- - samesets - are these two characters in exactly the same sets?
- == static int samesets(register struct re_guts *g, int c1, int c2);
- */
-static int			/* predicate */
-samesets(g, c1, c2)
-register struct re_guts *g;
-int c1;
-int c2;
-{
-	register uch *col;
-	register int i;
-	register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
-	register unsigned uc1 = (unsigned char)c1;
-	register unsigned uc2 = (unsigned char)c2;
-
-	for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
-		if (col[uc1] != col[uc2])
-			return(0);
-	return(1);
-}
-
-/*
- - categorize - sort out character categories
- == static void categorize(struct parse *p, register struct re_guts *g);
- */
-static void
-categorize(p, g)
-struct parse *p;
-register struct re_guts *g;
-{
-	register cat_t *cats = g->categories;
-	register int c;
-	register int c2;
-	register cat_t cat;
-
-	/* avoid making error situations worse */
-	if (p->error != 0)
-		return;
-
-	for (c = CHAR_MIN; c <= CHAR_MAX; c++)
-		if (cats[c] == 0 && isinsets(g, c)) {
-			cat = g->ncategories++;
-			cats[c] = cat;
-			for (c2 = c+1; c2 <= CHAR_MAX; c2++)
-				if (cats[c2] == 0 && samesets(g, c, c2))
-					cats[c2] = cat;
-		}
-}
-
-/*
- - dupl - emit a duplicate of a bunch of sops
- == static sopno dupl(register struct parse *p, sopno start, sopno finish);
- */
-static sopno			/* start of duplicate */
-dupl(p, start, finish)
-register struct parse *p;
-sopno start;			/* from here */
-sopno finish;			/* to this less one */
-{
-	register sopno ret = HERE();
-	register sopno len = finish - start;
-
-	assert(finish >= start);
-	if (len == 0)
-		return(ret);
-	enlarge(p, p->ssize + len);	/* this many unexpected additions */
-	assert(p->ssize >= p->slen + len);
-	(void) memcpy((char *)(p->strip + p->slen),
-		(char *)(p->strip + start), (size_t)len*sizeof(sop));
-	p->slen += len;
-	return(ret);
-}
-
-/*
- - doemit - emit a strip operator
- == static void doemit(register struct parse *p, sop op, size_t opnd);
- *
- * It might seem better to implement this as a macro with a function as
- * hard-case backup, but it's just too big and messy unless there are
- * some changes to the data structures.  Maybe later.
- */
-static void
-doemit(p, op, opnd)
-register struct parse *p;
-sop op;
-size_t opnd;
-{
-	/* avoid making error situations worse */
-	if (p->error != 0)
-		return;
-
-	/* deal with oversize operands ("can't happen", more or less) */
-	assert(opnd < 1<slen >= p->ssize)
-		enlarge(p, (p->ssize+1) / 2 * 3);	/* +50% */
-	assert(p->slen < p->ssize);
-
-	/* finally, it's all reduced to the easy case */
-	p->strip[p->slen++] = SOP(op, opnd);
-}
-
-/*
- - doinsert - insert a sop into the strip
- == static void doinsert(register struct parse *p, sop op, size_t opnd, sopno pos);
- */
-static void
-doinsert(p, op, opnd, pos)
-register struct parse *p;
-sop op;
-size_t opnd;
-sopno pos;
-{
-	register sopno sn;
-	register sop s;
-	register int i;
-
-	/* avoid making error situations worse */
-	if (p->error != 0)
-		return;
-
-	sn = HERE();
-	EMIT(op, opnd);		/* do checks, ensure space */
-	assert(HERE() == sn+1);
-	s = p->strip[sn];
-
-	/* adjust paren pointers */
-	assert(pos > 0);
-	for (i = 1; i < NPAREN; i++) {
-		if (p->pbegin[i] >= pos) {
-			p->pbegin[i]++;
-		}
-		if (p->pend[i] >= pos) {
-			p->pend[i]++;
-		}
-	}
-
-	memmove((char *)&p->strip[pos+1], (char *)&p->strip[pos],
-						(HERE()-pos-1)*sizeof(sop));
-	p->strip[pos] = s;
-}
-
-/*
- - dofwd - complete a forward reference
- == static void dofwd(register struct parse *p, sopno pos, sop value);
- */
-static void
-dofwd(p, pos, value)
-register struct parse *p;
-register sopno pos;
-sop value;
-{
-	/* avoid making error situations worse */
-	if (p->error != 0)
-		return;
-
-	assert(value < 1<strip[pos] = OP(p->strip[pos]) | value;
-}
-
-/*
- - enlarge - enlarge the strip
- == static void enlarge(register struct parse *p, sopno size);
- */
-static void
-enlarge(p, size)
-register struct parse *p;
-register sopno size;
-{
-	register sop *sp;
-
-	if (p->ssize >= size)
-		return;
-
-	sp = (sop *)realloc(p->strip, size*sizeof(sop));
-	if (sp == NULL) {
-		SETERROR(REG_ESPACE);
-		return;
-	}
-	p->strip = sp;
-	p->ssize = size;
-}
-
-/*
- - stripsnug - compact the strip
- == static void stripsnug(register struct parse *p, register struct re_guts *g);
- */
-static void
-stripsnug(p, g)
-register struct parse *p;
-register struct re_guts *g;
-{
-	g->nstates = p->slen;
-	g->strip = (sop *)realloc((char *)p->strip, p->slen * sizeof(sop));
-	if (g->strip == NULL) {
-		SETERROR(REG_ESPACE);
-		g->strip = p->strip;
-	}
-}
-
-/*
- - findmust - fill in must and mlen with longest mandatory literal string
- == static void findmust(register struct parse *p, register struct re_guts *g);
- *
- * This algorithm could do fancy things like analyzing the operands of |
- * for common subsequences.  Someday.  This code is simple and finds most
- * of the interesting cases.
- *
- * Note that must and mlen got initialized during setup.
- */
-static void
-findmust(p, g)
-struct parse *p;
-register struct re_guts *g;
-{
-	register sop *scan;
-	sop *start;
-	register sop *newstart;
-	register sopno newlen;
-	register sop s;
-	register char *cp;
-	register sopno i;
-
-	/* avoid making error situations worse */
-	if (p->error != 0)
-		return;
-
-	/* find the longest OCHAR sequence in strip */
-	newlen = 0;
-	scan = g->strip + 1;
-	do {
-		s = *scan++;
-		switch (OP(s)) {
-		case OCHAR:		/* sequence member */
-			if (newlen == 0)		/* new sequence */
-				newstart = scan - 1;
-			newlen++;
-			break;
-		case OPLUS_:		/* things that don't break one */
-		case OLPAREN:
-		case ORPAREN:
-			break;
-		case OQUEST_:		/* things that must be skipped */
-		case OCH_:
-			scan--;
-			do {
-				scan += OPND(s);
-				s = *scan;
-				/* assert() interferes w debug printouts */
-				if (OP(s) != O_QUEST && OP(s) != O_CH &&
-							OP(s) != OOR2) {
-					g->iflags |= BAD;
-					return;
-				}
-			} while (OP(s) != O_QUEST && OP(s) != O_CH);
-			/* fallthrough */
-		default:		/* things that break a sequence */
-			if (newlen > g->mlen) {		/* ends one */
-				start = newstart;
-				g->mlen = newlen;
-			}
-			newlen = 0;
-			break;
-		}
-	} while (OP(s) != OEND);
-
-	if (g->mlen == 0)		/* there isn't one */
-		return;
-
-	/* turn it into a character string */
-	g->must = malloc((size_t)g->mlen + 1);
-	if (g->must == NULL) {		/* argh; just forget it */
-		g->mlen = 0;
-		return;
-	}
-	cp = g->must;
-	scan = start;
-	for (i = g->mlen; i > 0; i--) {
-		while (OP(s = *scan++) != OCHAR)
-			continue;
-		assert(cp < g->must + g->mlen);
-		*cp++ = (char)OPND(s);
-	}
-	assert(cp == g->must + g->mlen);
-	*cp++ = '\0';		/* just on general principles */
-}
-
-/*
- - pluscount - count + nesting
- == static sopno pluscount(register struct parse *p, register struct re_guts *g);
- */
-static sopno			/* nesting depth */
-pluscount(p, g)
-struct parse *p;
-register struct re_guts *g;
-{
-	register sop *scan;
-	register sop s;
-	register sopno plusnest = 0;
-	register sopno maxnest = 0;
-
-	if (p->error != 0)
-		return(0);	/* there may not be an OEND */
-
-	scan = g->strip + 1;
-	do {
-		s = *scan++;
-		switch (OP(s)) {
-		case OPLUS_:
-			plusnest++;
-			break;
-		case O_PLUS:
-			if (plusnest > maxnest)
-				maxnest = plusnest;
-			plusnest--;
-			break;
-		}
-	} while (OP(s) != OEND);
-	if (plusnest != 0)
-		g->iflags |= BAD;
-	return(maxnest);
-}
-
-static int nope = 0;		/* for use in asserts; shuts lint up */
-
-/* macros for manipulating states, small version */
-#define	states	unsigned
-#define	states1	unsigned	/* for later use in regexec() decision */
-#define	CLEAR(v)	((v) = 0)
-#define	SET0(v, n)	((v) &= ~((unsigned)1 << (n)))
-#define	SET1(v, n)	((v) |= (unsigned)1 << (n))
-#define	ISSET(v, n)	((v) & ((unsigned)1 << (n)))
-#define	ASSIGN(d, s)	((d) = (s))
-#define	EQ(a, b)	((a) == (b))
-#define	STATEVARS	int dummy	/* dummy version */
-#define	STATESETUP(m, n)	/* nothing */
-#define	STATETEARDOWN(m)	/* nothing */
-#define	SETUP(v)	((v) = 0)
-#define	onestate	unsigned
-#define	INIT(o, n)	((o) = (unsigned)1 << (n))
-#define	INC(o)	((o) <<= 1)
-#define	ISSTATEIN(v, o)	((v) & (o))
-/* some abbreviations; note that some of these know variable names! */
-/* do "if I'm here, I can also be there" etc without branches */
-#define	FWD(dst, src, n)	((dst) |= ((unsigned)(src)&(here)) << (n))
-#define	BACK(dst, src, n)	((dst) |= ((unsigned)(src)&(here)) >> (n))
-#define	ISSETBACK(v, n)	((v) & ((unsigned)here >> (n)))
-/* function names */
-#define SNAMES			/* engine.c looks after details */
-
-/*
- * The matching engine and friends.  This file is #included by regexec.c
- * after suitable #defines of a variety of macros used herein, so that
- * different state representations can be used without duplicating masses
- * of code.
- */
-
-#ifdef SNAMES
-#define	matcher	smatcher
-#define	fast	sfast
-#define	slow	sslow
-#define	dissect	sdissect
-#define	backref	sbackref
-#define	step	sstep
-#define	print	sprint
-#define	at	sat
-#define	match	smat
-#endif
-#ifdef LNAMES
-#define	matcher	lmatcher
-#define	fast	lfast
-#define	slow	lslow
-#define	dissect	ldissect
-#define	backref	lbackref
-#define	step	lstep
-#define	print	lprint
-#define	at	lat
-#define	match	lmat
-#endif
-
-/* another structure passed up and down to avoid zillions of parameters */
-struct match {
-	struct re_guts *g;
-	int eflags;
-	regmatch_t *pmatch;	/* [nsub+1] (0 element unused) */
-	char *offp;		/* offsets work from here */
-	char *beginp;		/* start of string -- virtual NUL precedes */
-	char *endp;		/* end of string -- virtual NUL here */
-	char *coldp;		/* can be no match starting before here */
-	char **lastpos;		/* [nplus+1] */
-	STATEVARS;
-	states st;		/* current states */
-	states fresh;		/* states for a fresh start */
-	states tmp;		/* temporary */
-	states empty;		/* empty set of states */
-};
-
-static int matcher(register struct re_guts *g, char *string, size_t nmatch, regmatch_t pmatch[], int eflags);
-static char *dissect(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static char *backref(register struct match *m, char *start, char *stop, sopno startst, sopno stopst, sopno lev);
-static char *fast(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static char *slow(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static states step(register struct re_guts *g, sopno start, sopno stop, register states bef, int ch, register states aft);
-#define	BOL	(OUT+1)
-#define	EOL	(BOL+1)
-#define	BOLEOL	(BOL+2)
-#define	NOTHING	(BOL+3)
-#define	BOW	(BOL+4)
-#define	EOW	(BOL+5)
-#define	CODEMAX	(BOL+5)		/* highest code used */
-#define	NONCHAR(c)	((c) > CHAR_MAX)
-#define	NNONCHAR	(CODEMAX-CHAR_MAX)
-#define	SP(t, s, c)	/* nothing */
-#define	AT(t, p1, p2, s1, s2)	/* nothing */
-#define	NOTE(s)	/* nothing */
-
-/*
- - matcher - the actual matching engine
- == static int matcher(register struct re_guts *g, char *string, \
- ==	size_t nmatch, regmatch_t pmatch[], int eflags);
- */
-static int			/* 0 success, REG_NOMATCH failure */
-matcher(g, string, nmatch, pmatch, eflags)
-register struct re_guts *g;
-char *string;
-size_t nmatch;
-regmatch_t pmatch[];
-int eflags;
-{
-	register char *endp;
-	register int i;
-	struct match mv;
-	register struct match *m = &mv;
-	register char *dp;
-	const register sopno gf = g->firststate+1;	/* +1 for OEND */
-	const register sopno gl = g->laststate;
-	char *start;
-	char *stop;
-
-	/* simplify the situation where possible */
-	if (g->cflags®_NOSUB)
-		nmatch = 0;
-	if (eflags®_STARTEND) {
-		start = string + pmatch[0].rm_so;
-		stop = string + pmatch[0].rm_eo;
-	} else {
-		start = string;
-		stop = start + strlen(start);
-	}
-	if (stop < start)
-		return(REG_INVARG);
-
-	/* prescreening; this does wonders for this rather slow code */
-	if (g->must != NULL) {
-		for (dp = start; dp < stop; dp++)
-			if (*dp == g->must[0] && stop - dp >= g->mlen &&
-				memcmp(dp, g->must, (size_t)g->mlen) == 0)
-				break;
-		if (dp == stop)		/* we didn't find g->must */
-			return(REG_NOMATCH);
-	}
-
-	/* match struct setup */
-	m->g = g;
-	m->eflags = eflags;
-	m->pmatch = NULL;
-	m->lastpos = NULL;
-	m->offp = string;
-	m->beginp = start;
-	m->endp = stop;
-	STATESETUP(m, 4);
-	SETUP(m->st);
-	SETUP(m->fresh);
-	SETUP(m->tmp);
-	SETUP(m->empty);
-	CLEAR(m->empty);
-
-	/* this loop does only one repetition except for backrefs */
-	for (;;) {
-		endp = fast(m, start, stop, gf, gl);
-		if (endp == NULL) {		/* a miss */
-			STATETEARDOWN(m);
-			return(REG_NOMATCH);
-		}
-		if (nmatch == 0 && !g->backrefs)
-			break;		/* no further info needed */
-
-		/* where? */
-		assert(m->coldp != NULL);
-		for (;;) {
-			NOTE("finding start");
-			endp = slow(m, m->coldp, stop, gf, gl);
-			if (endp != NULL)
-				break;
-			assert(m->coldp < m->endp);
-			m->coldp++;
-		}
-		if (nmatch == 1 && !g->backrefs)
-			break;		/* no further info needed */
-
-		/* oh my, he wants the subexpressions... */
-		if (m->pmatch == NULL)
-			m->pmatch = (regmatch_t *)malloc((m->g->nsub + 1) *
-							sizeof(regmatch_t));
-		if (m->pmatch == NULL) {
-			STATETEARDOWN(m);
-			return(REG_ESPACE);
-		}
-		for (i = 1; i <= m->g->nsub; i++)
-			m->pmatch[i].rm_so = m->pmatch[i].rm_eo = -1;
-		if (!g->backrefs && !(m->eflags®_BACKR)) {
-			NOTE("dissecting");
-			dp = dissect(m, m->coldp, endp, gf, gl);
-		} else {
-			if (g->nplus > 0 && m->lastpos == NULL)
-				m->lastpos = (char **)malloc((g->nplus+1) *
-							sizeof(char *));
-			if (g->nplus > 0 && m->lastpos == NULL) {
-				free(m->pmatch);
-				STATETEARDOWN(m);
-				return(REG_ESPACE);
-			}
-			NOTE("backref dissect");
-			dp = backref(m, m->coldp, endp, gf, gl, (sopno)0);
-		}
-		if (dp != NULL)
-			break;
-
-		/* uh-oh... we couldn't find a subexpression-level match */
-		assert(g->backrefs);	/* must be back references doing it */
-		assert(g->nplus == 0 || m->lastpos != NULL);
-		for (;;) {
-			if (dp != NULL || endp <= m->coldp)
-				break;		/* defeat */
-			NOTE("backoff");
-			endp = slow(m, m->coldp, endp-1, gf, gl);
-			if (endp == NULL)
-				break;		/* defeat */
-			/* try it on a shorter possibility */
-			NOTE("backoff dissect");
-			dp = backref(m, m->coldp, endp, gf, gl, (sopno)0);
-		}
-		assert(dp == NULL || dp == endp);
-		if (dp != NULL)		/* found a shorter one */
-			break;
-
-		/* despite initial appearances, there is no match here */
-		NOTE("false alarm");
-		start = m->coldp + 1;	/* recycle starting later */
-		assert(start <= stop);
-	}
-
-	/* fill in the details if requested */
-	if (nmatch > 0) {
-		pmatch[0].rm_so = m->coldp - m->offp;
-		pmatch[0].rm_eo = endp - m->offp;
-	}
-	if (nmatch > 1) {
-		assert(m->pmatch != NULL);
-		for (i = 1; i < nmatch; i++)
-			if (i <= m->g->nsub)
-				pmatch[i] = m->pmatch[i];
-			else {
-				pmatch[i].rm_so = -1;
-				pmatch[i].rm_eo = -1;
-			}
-	}
-
-	if (m->pmatch != NULL)
-		free((char *)m->pmatch);
-	if (m->lastpos != NULL)
-		free((char *)m->lastpos);
-	STATETEARDOWN(m);
-	return(0);
-}
-
-/*
- - dissect - figure out what matched what, no back references
- == static char *dissect(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* == stop (success) always */
-dissect(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register int i;
-	register sopno ss;	/* start sop of current subRE */
-	register sopno es;	/* end sop of current subRE */
-	register char *sp;	/* start of string matched by it */
-	register char *stp;	/* string matched by it cannot pass here */
-	register char *rest;	/* start of rest of string */
-	register char *tail;	/* string unmatched by rest of RE */
-	register sopno ssub;	/* start sop of subsubRE */
-	register sopno esub;	/* end sop of subsubRE */
-	register char *ssp;	/* start of string matched by subsubRE */
-	register char *sep;	/* end of string matched by subsubRE */
-	register char *oldssp;	/* previous ssp */
-	register char *dp;
-
-	AT("diss", start, stop, startst, stopst);
-	sp = start;
-	for (ss = startst; ss < stopst; ss = es) {
-		/* identify end of subRE */
-		es = ss;
-		switch (OP(m->g->strip[es])) {
-		case OPLUS_:
-		case OQUEST_:
-			es += OPND(m->g->strip[es]);
-			break;
-		case OCH_:
-			while (OP(m->g->strip[es]) != O_CH)
-				es += OPND(m->g->strip[es]);
-			break;
-		}
-		es++;
-
-		/* figure out what it matched */
-		switch (OP(m->g->strip[ss])) {
-		case OEND:
-			assert(nope);
-			break;
-		case OCHAR:
-			sp++;
-			break;
-		case OBOL:
-		case OEOL:
-		case OBOW:
-		case OEOW:
-			break;
-		case OANY:
-		case OANYOF:
-			sp++;
-			break;
-		case OBACK_:
-		case O_BACK:
-			assert(nope);
-			break;
-		/* cases where length of match is hard to find */
-		case OQUEST_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = es - 1;
-			/* did innards match? */
-			if (slow(m, sp, rest, ssub, esub) != NULL) {
-				dp = dissect(m, sp, rest, ssub, esub);
-				assert(dp == rest);
-			} else		/* no */
-				assert(sp == rest);
-			sp = rest;
-			break;
-		case OPLUS_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = es - 1;
-			ssp = sp;
-			oldssp = ssp;
-			for (;;) {	/* find last match of innards */
-				sep = slow(m, ssp, rest, ssub, esub);
-				if (sep == NULL || sep == ssp)
-					break;	/* failed or matched null */
-				oldssp = ssp;	/* on to next try */
-				ssp = sep;
-			}
-			if (sep == NULL) {
-				/* last successful match */
-				sep = ssp;
-				ssp = oldssp;
-			}
-			assert(sep == rest);	/* must exhaust substring */
-			assert(slow(m, ssp, sep, ssub, esub) == rest);
-			dp = dissect(m, ssp, sep, ssub, esub);
-			assert(dp == sep);
-			sp = rest;
-			break;
-		case OCH_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = ss + OPND(m->g->strip[ss]) - 1;
-			assert(OP(m->g->strip[esub]) == OOR1);
-			for (;;) {	/* find first matching branch */
-				if (slow(m, sp, rest, ssub, esub) == rest)
-					break;	/* it matched all of it */
-				/* that one missed, try next one */
-				assert(OP(m->g->strip[esub]) == OOR1);
-				esub++;
-				assert(OP(m->g->strip[esub]) == OOR2);
-				ssub = esub + 1;
-				esub += OPND(m->g->strip[esub]);
-				if (OP(m->g->strip[esub]) == OOR2)
-					esub--;
-				else
-					assert(OP(m->g->strip[esub]) == O_CH);
-			}
-			dp = dissect(m, sp, rest, ssub, esub);
-			assert(dp == rest);
-			sp = rest;
-			break;
-		case O_PLUS:
-		case O_QUEST:
-		case OOR1:
-		case OOR2:
-		case O_CH:
-			assert(nope);
-			break;
-		case OLPAREN:
-			i = OPND(m->g->strip[ss]);
-			assert(0 < i && i <= m->g->nsub);
-			m->pmatch[i].rm_so = sp - m->offp;
-			break;
-		case ORPAREN:
-			i = OPND(m->g->strip[ss]);
-			assert(0 < i && i <= m->g->nsub);
-			m->pmatch[i].rm_eo = sp - m->offp;
-			break;
-		default:		/* uh oh */
-			assert(nope);
-			break;
-		}
-	}
-
-	assert(sp == stop);
-	return(sp);
-}
-
-/*
- - backref - figure out what matched what, figuring in back references
- == static char *backref(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst, sopno lev);
- */
-static char *			/* == stop (success) or NULL (failure) */
-backref(m, start, stop, startst, stopst, lev)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-sopno lev;			/* PLUS nesting level */
-{
-	register int i;
-	register sopno ss;	/* start sop of current subRE */
-	register char *sp;	/* start of string matched by it */
-	register sopno ssub;	/* start sop of subsubRE */
-	register sopno esub;	/* end sop of subsubRE */
-	register char *ssp;	/* start of string matched by subsubRE */
-	register char *dp;
-	register size_t len;
-	register int hard;
-	register sop s;
-	register regoff_t offsave;
-	register cset *cs;
-
-	AT("back", start, stop, startst, stopst);
-	sp = start;
-
-	/* get as far as we can with easy stuff */
-	hard = 0;
-	for (ss = startst; !hard && ss < stopst; ss++)
-		switch (OP(s = m->g->strip[ss])) {
-		case OCHAR:
-			if (sp == stop || *sp++ != (char)OPND(s))
-				return(NULL);
-			break;
-		case OANY:
-			if (sp == stop)
-				return(NULL);
-			sp++;
-			break;
-		case OANYOF:
-			cs = &m->g->sets[OPND(s)];
-			if (sp == stop || !CHIN(cs, *sp++))
-				return(NULL);
-			break;
-		case OBOL:
-			if ( (sp == m->beginp && !(m->eflags®_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags®_NEWLINE)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OEOL:
-			if ( (sp == m->endp && !(m->eflags®_NOTEOL)) ||
-					(sp < m->endp && *sp == '\n' &&
-						(m->g->cflags®_NEWLINE)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OBOW:
-			if (( (sp == m->beginp && !(m->eflags®_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags®_NEWLINE)) ||
-					(sp > m->beginp &&
-							!ISWORD(*(sp-1))) ) &&
-					(sp < m->endp && ISWORD(*sp)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OEOW:
-			if (( (sp == m->endp && !(m->eflags®_NOTEOL)) ||
-					(sp < m->endp && *sp == '\n' &&
-						(m->g->cflags®_NEWLINE)) ||
-					(sp < m->endp && !ISWORD(*sp)) ) &&
-					(sp > m->beginp && ISWORD(*(sp-1))) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case O_QUEST:
-			break;
-		case OOR1:	/* matches null but needs to skip */
-			ss++;
-			s = m->g->strip[ss];
-			do {
-				assert(OP(s) == OOR2);
-				ss += OPND(s);
-			} while (OP(s = m->g->strip[ss]) != O_CH);
-			/* note that the ss++ gets us past the O_CH */
-			break;
-		default:	/* have to make a choice */
-			hard = 1;
-			break;
-		}
-	if (!hard) {		/* that was it! */
-		if (sp != stop)
-			return(NULL);
-		return(sp);
-	}
-	ss--;			/* adjust for the for's final increment */
-
-	/* the hard stuff */
-	AT("hard", sp, stop, ss, stopst);
-	s = m->g->strip[ss];
-	switch (OP(s)) {
-	case OBACK_:		/* the vilest depths */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		if (m->pmatch[i].rm_eo == -1)
-			return(NULL);
-		assert(m->pmatch[i].rm_so != -1);
-		len = m->pmatch[i].rm_eo - m->pmatch[i].rm_so;
-		assert(stop - m->beginp >= len);
-		if (sp > stop - len)
-			return(NULL);	/* not enough left to match */
-		ssp = m->offp + m->pmatch[i].rm_so;
-		if (memcmp(sp, ssp, len) != 0)
-			return(NULL);
-		while (m->g->strip[ss] != SOP(O_BACK, i))
-			ss++;
-		return(backref(m, sp+len, stop, ss+1, stopst, lev));
-		break;
-	case OQUEST_:		/* to null or not */
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);	/* not */
-		return(backref(m, sp, stop, ss+OPND(s)+1, stopst, lev));
-		break;
-	case OPLUS_:
-		assert(m->lastpos != NULL);
-		assert(lev+1 <= m->g->nplus);
-		m->lastpos[lev+1] = sp;
-		return(backref(m, sp, stop, ss+1, stopst, lev+1));
-		break;
-	case O_PLUS:
-		if (sp == m->lastpos[lev])	/* last pass matched null */
-			return(backref(m, sp, stop, ss+1, stopst, lev-1));
-		/* try another pass */
-		m->lastpos[lev] = sp;
-		dp = backref(m, sp, stop, ss-OPND(s)+1, stopst, lev);
-		if (dp == NULL)
-			return(backref(m, sp, stop, ss+1, stopst, lev-1));
-		else
-			return(dp);
-		break;
-	case OCH_:		/* find the right one, if any */
-		ssub = ss + 1;
-		esub = ss + OPND(s) - 1;
-		assert(OP(m->g->strip[esub]) == OOR1);
-		for (;;) {	/* find first matching branch */
-			dp = backref(m, sp, stop, ssub, esub, lev);
-			if (dp != NULL)
-				return(dp);
-			/* that one missed, try next one */
-			if (OP(m->g->strip[esub]) == O_CH)
-				return(NULL);	/* there is none */
-			esub++;
-			assert(OP(m->g->strip[esub]) == OOR2);
-			ssub = esub + 1;
-			esub += OPND(m->g->strip[esub]);
-			if (OP(m->g->strip[esub]) == OOR2)
-				esub--;
-			else
-				assert(OP(m->g->strip[esub]) == O_CH);
-		}
-		break;
-	case OLPAREN:		/* must undo assignment if rest fails */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		offsave = m->pmatch[i].rm_so;
-		m->pmatch[i].rm_so = sp - m->offp;
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);
-		m->pmatch[i].rm_so = offsave;
-		return(NULL);
-		break;
-	case ORPAREN:		/* must undo assignment if rest fails */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		offsave = m->pmatch[i].rm_eo;
-		m->pmatch[i].rm_eo = sp - m->offp;
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);
-		m->pmatch[i].rm_eo = offsave;
-		return(NULL);
-		break;
-	default:		/* uh oh */
-		assert(nope);
-		break;
-	}
-
-	/* "can't happen" */
-	assert(nope);
-	/* NOTREACHED */
-	return((char *)NULL);	/* dummy */
-}
-
-/*
- - fast - step through the string at top speed
- == static char *fast(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* where tentative match ended, or NULL */
-fast(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register states st = m->st;
-	register states fresh = m->fresh;
-	register states tmp = m->tmp;
-	register char *p = start;
-	register int c = (start == m->beginp) ? OUT : *(start-1);
-	register int lastc;	/* previous c */
-	register int flagch;
-	register int i;
-	register char *coldp;	/* last p after which no match was underway */
-
-	CLEAR(st);
-	SET1(st, startst);
-	st = step(m->g, startst, stopst, st, NOTHING, st);
-	ASSIGN(fresh, st);
-	SP("start", st, *p);
-	coldp = NULL;
-	for (;;) {
-		/* next character */
-		lastc = c;
-		c = (p == m->endp) ? OUT : *p;
-		if (EQ(st, fresh))
-			coldp = p;
-
-		/* is there an EOL and/or BOL between lastc and c? */
-		flagch = '\0';
-		i = 0;
-		if ( (lastc == '\n' && m->g->cflags®_NEWLINE) ||
-				(lastc == OUT && !(m->eflags®_NOTBOL)) ) {
-			flagch = BOL;
-			i = m->g->nbol;
-		}
-		if ( (c == '\n' && m->g->cflags®_NEWLINE) ||
-				(c == OUT && !(m->eflags®_NOTEOL)) ) {
-			flagch = (flagch == BOL) ? BOLEOL : EOL;
-			i += m->g->neol;
-		}
-		if (i != 0) {
-			for (; i > 0; i--)
-				st = step(m->g, startst, stopst, st, flagch, st);
-			SP("boleol", st, c);
-		}
-
-		/* how about a word boundary? */
-		if ( (flagch == BOL || (lastc != OUT && !ISWORD(lastc))) &&
-					(c != OUT && ISWORD(c)) ) {
-			flagch = BOW;
-		}
-		if ( (lastc != OUT && ISWORD(lastc)) &&
-				(flagch == EOL || (c != OUT && !ISWORD(c))) ) {
-			flagch = EOW;
-		}
-		if (flagch == BOW || flagch == EOW) {
-			st = step(m->g, startst, stopst, st, flagch, st);
-			SP("boweow", st, c);
-		}
-
-		/* are we done? */
-		if (ISSET(st, stopst) || p == stop)
-			break;		/* NOTE BREAK OUT */
-
-		/* no, we must deal with this character */
-		ASSIGN(tmp, st);
-		ASSIGN(st, fresh);
-		assert(c != OUT);
-		st = step(m->g, startst, stopst, tmp, c, st);
-		SP("aft", st, c);
-		assert(EQ(step(m->g, startst, stopst, st, NOTHING, st), st));
-		p++;
-	}
-
-	assert(coldp != NULL);
-	m->coldp = coldp;
-	if (ISSET(st, stopst))
-		return(p+1);
-	else
-		return(NULL);
-}
-
-/*
- - slow - step through the string more deliberately
- == static char *slow(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* where it ended */
-slow(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register states st = m->st;
-	register states empty = m->empty;
-	register states tmp = m->tmp;
-	register char *p = start;
-	register int c = (start == m->beginp) ? OUT : *(start-1);
-	register int lastc;	/* previous c */
-	register int flagch;
-	register int i;
-	register char *matchp;	/* last p at which a match ended */
-
-	AT("slow", start, stop, startst, stopst);
-	CLEAR(st);
-	SET1(st, startst);
-	SP("sstart", st, *p);
-	st = step(m->g, startst, stopst, st, NOTHING, st);
-	matchp = NULL;
-	for (;;) {
-		/* next character */
-		lastc = c;
-		c = (p == m->endp) ? OUT : *p;
-
-		/* is there an EOL and/or BOL between lastc and c? */
-		flagch = '\0';
-		i = 0;
-		if ( (lastc == '\n' && m->g->cflags®_NEWLINE) ||
-				(lastc == OUT && !(m->eflags®_NOTBOL)) ) {
-			flagch = BOL;
-			i = m->g->nbol;
-		}
-		if ( (c == '\n' && m->g->cflags®_NEWLINE) ||
-				(c == OUT && !(m->eflags®_NOTEOL)) ) {
-			flagch = (flagch == BOL) ? BOLEOL : EOL;
-			i += m->g->neol;
-		}
-		if (i != 0) {
-			for (; i > 0; i--)
-				st = step(m->g, startst, stopst, st, flagch, st);
-			SP("sboleol", st, c);
-		}
-
-		/* how about a word boundary? */
-		if ( (flagch == BOL || (lastc != OUT && !ISWORD(lastc))) &&
-					(c != OUT && ISWORD(c)) ) {
-			flagch = BOW;
-		}
-		if ( (lastc != OUT && ISWORD(lastc)) &&
-				(flagch == EOL || (c != OUT && !ISWORD(c))) ) {
-			flagch = EOW;
-		}
-		if (flagch == BOW || flagch == EOW) {
-			st = step(m->g, startst, stopst, st, flagch, st);
-			SP("sboweow", st, c);
-		}
-
-		/* are we done? */
-		if (ISSET(st, stopst))
-			matchp = p;
-		if (EQ(st, empty) || p == stop)
-			break;		/* NOTE BREAK OUT */
-
-		/* no, we must deal with this character */
-		ASSIGN(tmp, st);
-		ASSIGN(st, empty);
-		assert(c != OUT);
-		st = step(m->g, startst, stopst, tmp, c, st);
-		SP("saft", st, c);
-		assert(EQ(step(m->g, startst, stopst, st, NOTHING, st), st));
-		p++;
-	}
-
-	return(matchp);
-}
-
-
-/*
- - step - map set of states reachable before char to set reachable after
- == static states step(register struct re_guts *g, sopno start, sopno stop, \
- ==	register states bef, int ch, register states aft);
- == #define	BOL	(OUT+1)
- == #define	EOL	(BOL+1)
- == #define	BOLEOL	(BOL+2)
- == #define	NOTHING	(BOL+3)
- == #define	BOW	(BOL+4)
- == #define	EOW	(BOL+5)
- == #define	CODEMAX	(BOL+5)		// highest code used
- == #define	NONCHAR(c)	((c) > CHAR_MAX)
- == #define	NNONCHAR	(CODEMAX-CHAR_MAX)
- */
-static states
-step(g, start, stop, bef, ch, aft)
-register struct re_guts *g;
-sopno start;			/* start state within strip */
-sopno stop;			/* state after stop state within strip */
-register states bef;		/* states reachable before */
-int ch;				/* character or NONCHAR code */
-register states aft;		/* states already known reachable after */
-{
-	register cset *cs;
-	register sop s;
-	register sopno pc;
-	register onestate here;		/* note, macros know this name */
-	register sopno look;
-	register long i;
-
-	for (pc = start, INIT(here, pc); pc != stop; pc++, INC(here)) {
-		s = g->strip[pc];
-		switch (OP(s)) {
-		case OEND:
-			assert(pc == stop-1);
-			break;
-		case OCHAR:
-			/* only characters can match */
-			assert(!NONCHAR(ch) || ch != (char)OPND(s));
-			if (ch == (char)OPND(s))
-				FWD(aft, bef, 1);
-			break;
-		case OBOL:
-			if (ch == BOL || ch == BOLEOL)
-				FWD(aft, bef, 1);
-			break;
-		case OEOL:
-			if (ch == EOL || ch == BOLEOL)
-				FWD(aft, bef, 1);
-			break;
-		case OBOW:
-			if (ch == BOW)
-				FWD(aft, bef, 1);
-			break;
-		case OEOW:
-			if (ch == EOW)
-				FWD(aft, bef, 1);
-			break;
-		case OANY:
-			if (!NONCHAR(ch))
-				FWD(aft, bef, 1);
-			break;
-		case OANYOF:
-			cs = &g->sets[OPND(s)];
-			if (!NONCHAR(ch) && CHIN(cs, ch))
-				FWD(aft, bef, 1);
-			break;
-		case OBACK_:		/* ignored here */
-		case O_BACK:
-			FWD(aft, aft, 1);
-			break;
-		case OPLUS_:		/* forward, this is just an empty */
-			FWD(aft, aft, 1);
-			break;
-		case O_PLUS:		/* both forward and back */
-			FWD(aft, aft, 1);
-			i = ISSETBACK(aft, OPND(s));
-			BACK(aft, aft, OPND(s));
-			if (!i && ISSETBACK(aft, OPND(s))) {
-				/* oho, must reconsider loop body */
-				pc -= OPND(s) + 1;
-				INIT(here, pc);
-			}
-			break;
-		case OQUEST_:		/* two branches, both forward */
-			FWD(aft, aft, 1);
-			FWD(aft, aft, OPND(s));
-			break;
-		case O_QUEST:		/* just an empty */
-			FWD(aft, aft, 1);
-			break;
-		case OLPAREN:		/* not significant here */
-		case ORPAREN:
-			FWD(aft, aft, 1);
-			break;
-		case OCH_:		/* mark the first two branches */
-			FWD(aft, aft, 1);
-			assert(OP(g->strip[pc+OPND(s)]) == OOR2);
-			FWD(aft, aft, OPND(s));
-			break;
-		case OOR1:		/* done a branch, find the O_CH */
-			if (ISSTATEIN(aft, here)) {
-				for (look = 1;
-						OP(s = g->strip[pc+look]) != O_CH;
-						look += OPND(s))
-					assert(OP(s) == OOR2);
-				FWD(aft, aft, look);
-			}
-			break;
-		case OOR2:		/* propagate OCH_'s marking */
-			FWD(aft, aft, 1);
-			if (OP(g->strip[pc+OPND(s)]) != O_CH) {
-				assert(OP(g->strip[pc+OPND(s)]) == OOR2);
-				FWD(aft, aft, OPND(s));
-			}
-			break;
-		case O_CH:		/* just empty */
-			FWD(aft, aft, 1);
-			break;
-		default:		/* ooooops... */
-			assert(nope);
-			break;
-		}
-	}
-
-	return(aft);
-}
-
-#undef	matcher
-#undef	fast
-#undef	slow
-#undef	dissect
-#undef	backref
-#undef	step
-#undef	print
-#undef	at
-#undef	match
-
-/* now undo things */
-#undef	states
-#undef	CLEAR
-#undef	SET0
-#undef	SET1
-#undef	ISSET
-#undef	ASSIGN
-#undef	EQ
-#undef	STATEVARS
-#undef	STATESETUP
-#undef	STATETEARDOWN
-#undef	SETUP
-#undef	onestate
-#undef	INIT
-#undef	INC
-#undef	ISSTATEIN
-#undef	FWD
-#undef	BACK
-#undef	ISSETBACK
-#undef	SNAMES
-
-/* macros for manipulating states, large version */
-#define	states	char *
-#define	CLEAR(v)	memset(v, 0, m->g->nstates)
-#define	SET0(v, n)	((v)[n] = 0)
-#define	SET1(v, n)	((v)[n] = 1)
-#define	ISSET(v, n)	((v)[n])
-#define	ASSIGN(d, s)	memcpy(d, s, m->g->nstates)
-#define	EQ(a, b)	(memcmp(a, b, m->g->nstates) == 0)
-#define	STATEVARS	int vn; char *space
-#define	STATESETUP(m, nv)	{ (m)->space = malloc((nv)*(m)->g->nstates); \
-				if ((m)->space == NULL) return(REG_ESPACE); \
-				(m)->vn = 0; }
-#define	STATETEARDOWN(m)	{ free((m)->space); }
-#define	SETUP(v)	((v) = &m->space[m->vn++ * m->g->nstates])
-#define	onestate	int
-#define	INIT(o, n)	((o) = (n))
-#define	INC(o)	((o)++)
-#define	ISSTATEIN(v, o)	((v)[o])
-/* some abbreviations; note that some of these know variable names! */
-/* do "if I'm here, I can also be there" etc without branches */
-#define	FWD(dst, src, n)	((dst)[here+(n)] |= (src)[here])
-#define	BACK(dst, src, n)	((dst)[here-(n)] |= (src)[here])
-#define	ISSETBACK(v, n)	((v)[here - (n)])
-/* function names */
-#define	LNAMES			/* flag */
-
-/*
- * The matching engine and friends.  This file is #included by regexec.c
- * after suitable #defines of a variety of macros used herein, so that
- * different state representations can be used without duplicating masses
- * of code.
- */
-
-#ifdef SNAMES
-#define	matcher	smatcher
-#define	fast	sfast
-#define	slow	sslow
-#define	dissect	sdissect
-#define	backref	sbackref
-#define	step	sstep
-#define	print	sprint
-#define	at	sat
-#define	match	smat
-#endif
-#ifdef LNAMES
-#define	matcher	lmatcher
-#define	fast	lfast
-#define	slow	lslow
-#define	dissect	ldissect
-#define	backref	lbackref
-#define	step	lstep
-#define	print	lprint
-#define	at	lat
-#define	match	lmat
-#endif
-
-/* another structure passed up and down to avoid zillions of parameters */
-struct match {
-	struct re_guts *g;
-	int eflags;
-	regmatch_t *pmatch;	/* [nsub+1] (0 element unused) */
-	char *offp;		/* offsets work from here */
-	char *beginp;		/* start of string -- virtual NUL precedes */
-	char *endp;		/* end of string -- virtual NUL here */
-	char *coldp;		/* can be no match starting before here */
-	char **lastpos;		/* [nplus+1] */
-	STATEVARS;
-	states st;		/* current states */
-	states fresh;		/* states for a fresh start */
-	states tmp;		/* temporary */
-	states empty;		/* empty set of states */
-};
-
-static int matcher(register struct re_guts *g, char *string, size_t nmatch, regmatch_t pmatch[], int eflags);
-static char *dissect(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static char *backref(register struct match *m, char *start, char *stop, sopno startst, sopno stopst, sopno lev);
-static char *fast(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static char *slow(register struct match *m, char *start, char *stop, sopno startst, sopno stopst);
-static states step(register struct re_guts *g, sopno start, sopno stop, register states bef, int ch, register states aft);
-#define	BOL	(OUT+1)
-#define	EOL	(BOL+1)
-#define	BOLEOL	(BOL+2)
-#define	NOTHING	(BOL+3)
-#define	BOW	(BOL+4)
-#define	EOW	(BOL+5)
-#define	CODEMAX	(BOL+5)		/* highest code used */
-#define	NONCHAR(c)	((c) > CHAR_MAX)
-#define	NNONCHAR	(CODEMAX-CHAR_MAX)
-#define	SP(t, s, c)	/* nothing */
-#define	AT(t, p1, p2, s1, s2)	/* nothing */
-#define	NOTE(s)	/* nothing */
-
-/*
- - matcher - the actual matching engine
- == static int matcher(register struct re_guts *g, char *string, \
- ==	size_t nmatch, regmatch_t pmatch[], int eflags);
- */
-static int			/* 0 success, REG_NOMATCH failure */
-matcher(g, string, nmatch, pmatch, eflags)
-register struct re_guts *g;
-char *string;
-size_t nmatch;
-regmatch_t pmatch[];
-int eflags;
-{
-	register char *endp;
-	register int i;
-	struct match mv;
-	register struct match *m = &mv;
-	register char *dp;
-	const register sopno gf = g->firststate+1;	/* +1 for OEND */
-	const register sopno gl = g->laststate;
-	char *start;
-	char *stop;
-
-	/* simplify the situation where possible */
-	if (g->cflags®_NOSUB)
-		nmatch = 0;
-	if (eflags®_STARTEND) {
-		start = string + pmatch[0].rm_so;
-		stop = string + pmatch[0].rm_eo;
-	} else {
-		start = string;
-		stop = start + strlen(start);
-	}
-	if (stop < start)
-		return(REG_INVARG);
-
-	/* prescreening; this does wonders for this rather slow code */
-	if (g->must != NULL) {
-		for (dp = start; dp < stop; dp++)
-			if (*dp == g->must[0] && stop - dp >= g->mlen &&
-				memcmp(dp, g->must, (size_t)g->mlen) == 0)
-				break;
-		if (dp == stop)		/* we didn't find g->must */
-			return(REG_NOMATCH);
-	}
-
-	/* match struct setup */
-	m->g = g;
-	m->eflags = eflags;
-	m->pmatch = NULL;
-	m->lastpos = NULL;
-	m->offp = string;
-	m->beginp = start;
-	m->endp = stop;
-	STATESETUP(m, 4);
-	SETUP(m->st);
-	SETUP(m->fresh);
-	SETUP(m->tmp);
-	SETUP(m->empty);
-	CLEAR(m->empty);
-
-	/* this loop does only one repetition except for backrefs */
-	for (;;) {
-		endp = fast(m, start, stop, gf, gl);
-		if (endp == NULL) {		/* a miss */
-			STATETEARDOWN(m);
-			return(REG_NOMATCH);
-		}
-		if (nmatch == 0 && !g->backrefs)
-			break;		/* no further info needed */
-
-		/* where? */
-		assert(m->coldp != NULL);
-		for (;;) {
-			NOTE("finding start");
-			endp = slow(m, m->coldp, stop, gf, gl);
-			if (endp != NULL)
-				break;
-			assert(m->coldp < m->endp);
-			m->coldp++;
-		}
-		if (nmatch == 1 && !g->backrefs)
-			break;		/* no further info needed */
-
-		/* oh my, he wants the subexpressions... */
-		if (m->pmatch == NULL)
-			m->pmatch = (regmatch_t *)malloc((m->g->nsub + 1) *
-							sizeof(regmatch_t));
-		if (m->pmatch == NULL) {
-			STATETEARDOWN(m);
-			return(REG_ESPACE);
-		}
-		for (i = 1; i <= m->g->nsub; i++)
-			m->pmatch[i].rm_so = m->pmatch[i].rm_eo = -1;
-		if (!g->backrefs && !(m->eflags®_BACKR)) {
-			NOTE("dissecting");
-			dp = dissect(m, m->coldp, endp, gf, gl);
-		} else {
-			if (g->nplus > 0 && m->lastpos == NULL)
-				m->lastpos = (char **)malloc((g->nplus+1) *
-							sizeof(char *));
-			if (g->nplus > 0 && m->lastpos == NULL) {
-				free(m->pmatch);
-				STATETEARDOWN(m);
-				return(REG_ESPACE);
-			}
-			NOTE("backref dissect");
-			dp = backref(m, m->coldp, endp, gf, gl, (sopno)0);
-		}
-		if (dp != NULL)
-			break;
-
-		/* uh-oh... we couldn't find a subexpression-level match */
-		assert(g->backrefs);	/* must be back references doing it */
-		assert(g->nplus == 0 || m->lastpos != NULL);
-		for (;;) {
-			if (dp != NULL || endp <= m->coldp)
-				break;		/* defeat */
-			NOTE("backoff");
-			endp = slow(m, m->coldp, endp-1, gf, gl);
-			if (endp == NULL)
-				break;		/* defeat */
-			/* try it on a shorter possibility */
-			NOTE("backoff dissect");
-			dp = backref(m, m->coldp, endp, gf, gl, (sopno)0);
-		}
-		assert(dp == NULL || dp == endp);
-		if (dp != NULL)		/* found a shorter one */
-			break;
-
-		/* despite initial appearances, there is no match here */
-		NOTE("false alarm");
-		start = m->coldp + 1;	/* recycle starting later */
-		assert(start <= stop);
-	}
-
-	/* fill in the details if requested */
-	if (nmatch > 0) {
-		pmatch[0].rm_so = m->coldp - m->offp;
-		pmatch[0].rm_eo = endp - m->offp;
-	}
-	if (nmatch > 1) {
-		assert(m->pmatch != NULL);
-		for (i = 1; i < nmatch; i++)
-			if (i <= m->g->nsub)
-				pmatch[i] = m->pmatch[i];
-			else {
-				pmatch[i].rm_so = -1;
-				pmatch[i].rm_eo = -1;
-			}
-	}
-
-	if (m->pmatch != NULL)
-		free((char *)m->pmatch);
-	if (m->lastpos != NULL)
-		free((char *)m->lastpos);
-	STATETEARDOWN(m);
-	return(0);
-}
-
-/*
- - dissect - figure out what matched what, no back references
- == static char *dissect(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* == stop (success) always */
-dissect(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register int i;
-	register sopno ss;	/* start sop of current subRE */
-	register sopno es;	/* end sop of current subRE */
-	register char *sp;	/* start of string matched by it */
-	register char *stp;	/* string matched by it cannot pass here */
-	register char *rest;	/* start of rest of string */
-	register char *tail;	/* string unmatched by rest of RE */
-	register sopno ssub;	/* start sop of subsubRE */
-	register sopno esub;	/* end sop of subsubRE */
-	register char *ssp;	/* start of string matched by subsubRE */
-	register char *sep;	/* end of string matched by subsubRE */
-	register char *oldssp;	/* previous ssp */
-	register char *dp;
-
-	AT("diss", start, stop, startst, stopst);
-	sp = start;
-	for (ss = startst; ss < stopst; ss = es) {
-		/* identify end of subRE */
-		es = ss;
-		switch (OP(m->g->strip[es])) {
-		case OPLUS_:
-		case OQUEST_:
-			es += OPND(m->g->strip[es]);
-			break;
-		case OCH_:
-			while (OP(m->g->strip[es]) != O_CH)
-				es += OPND(m->g->strip[es]);
-			break;
-		}
-		es++;
-
-		/* figure out what it matched */
-		switch (OP(m->g->strip[ss])) {
-		case OEND:
-			assert(nope);
-			break;
-		case OCHAR:
-			sp++;
-			break;
-		case OBOL:
-		case OEOL:
-		case OBOW:
-		case OEOW:
-			break;
-		case OANY:
-		case OANYOF:
-			sp++;
-			break;
-		case OBACK_:
-		case O_BACK:
-			assert(nope);
-			break;
-		/* cases where length of match is hard to find */
-		case OQUEST_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = es - 1;
-			/* did innards match? */
-			if (slow(m, sp, rest, ssub, esub) != NULL) {
-				dp = dissect(m, sp, rest, ssub, esub);
-				assert(dp == rest);
-			} else		/* no */
-				assert(sp == rest);
-			sp = rest;
-			break;
-		case OPLUS_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = es - 1;
-			ssp = sp;
-			oldssp = ssp;
-			for (;;) {	/* find last match of innards */
-				sep = slow(m, ssp, rest, ssub, esub);
-				if (sep == NULL || sep == ssp)
-					break;	/* failed or matched null */
-				oldssp = ssp;	/* on to next try */
-				ssp = sep;
-			}
-			if (sep == NULL) {
-				/* last successful match */
-				sep = ssp;
-				ssp = oldssp;
-			}
-			assert(sep == rest);	/* must exhaust substring */
-			assert(slow(m, ssp, sep, ssub, esub) == rest);
-			dp = dissect(m, ssp, sep, ssub, esub);
-			assert(dp == sep);
-			sp = rest;
-			break;
-		case OCH_:
-			stp = stop;
-			for (;;) {
-				/* how long could this one be? */
-				rest = slow(m, sp, stp, ss, es);
-				assert(rest != NULL);	/* it did match */
-				/* could the rest match the rest? */
-				tail = slow(m, rest, stop, es, stopst);
-				if (tail == stop)
-					break;		/* yes! */
-				/* no -- try a shorter match for this one */
-				stp = rest - 1;
-				assert(stp >= sp);	/* it did work */
-			}
-			ssub = ss + 1;
-			esub = ss + OPND(m->g->strip[ss]) - 1;
-			assert(OP(m->g->strip[esub]) == OOR1);
-			for (;;) {	/* find first matching branch */
-				if (slow(m, sp, rest, ssub, esub) == rest)
-					break;	/* it matched all of it */
-				/* that one missed, try next one */
-				assert(OP(m->g->strip[esub]) == OOR1);
-				esub++;
-				assert(OP(m->g->strip[esub]) == OOR2);
-				ssub = esub + 1;
-				esub += OPND(m->g->strip[esub]);
-				if (OP(m->g->strip[esub]) == OOR2)
-					esub--;
-				else
-					assert(OP(m->g->strip[esub]) == O_CH);
-			}
-			dp = dissect(m, sp, rest, ssub, esub);
-			assert(dp == rest);
-			sp = rest;
-			break;
-		case O_PLUS:
-		case O_QUEST:
-		case OOR1:
-		case OOR2:
-		case O_CH:
-			assert(nope);
-			break;
-		case OLPAREN:
-			i = OPND(m->g->strip[ss]);
-			assert(0 < i && i <= m->g->nsub);
-			m->pmatch[i].rm_so = sp - m->offp;
-			break;
-		case ORPAREN:
-			i = OPND(m->g->strip[ss]);
-			assert(0 < i && i <= m->g->nsub);
-			m->pmatch[i].rm_eo = sp - m->offp;
-			break;
-		default:		/* uh oh */
-			assert(nope);
-			break;
-		}
-	}
-
-	assert(sp == stop);
-	return(sp);
-}
-
-/*
- - backref - figure out what matched what, figuring in back references
- == static char *backref(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst, sopno lev);
- */
-static char *			/* == stop (success) or NULL (failure) */
-backref(m, start, stop, startst, stopst, lev)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-sopno lev;			/* PLUS nesting level */
-{
-	register int i;
-	register sopno ss;	/* start sop of current subRE */
-	register char *sp;	/* start of string matched by it */
-	register sopno ssub;	/* start sop of subsubRE */
-	register sopno esub;	/* end sop of subsubRE */
-	register char *ssp;	/* start of string matched by subsubRE */
-	register char *dp;
-	register size_t len;
-	register int hard;
-	register sop s;
-	register regoff_t offsave;
-	register cset *cs;
-
-	AT("back", start, stop, startst, stopst);
-	sp = start;
-
-	/* get as far as we can with easy stuff */
-	hard = 0;
-	for (ss = startst; !hard && ss < stopst; ss++)
-		switch (OP(s = m->g->strip[ss])) {
-		case OCHAR:
-			if (sp == stop || *sp++ != (char)OPND(s))
-				return(NULL);
-			break;
-		case OANY:
-			if (sp == stop)
-				return(NULL);
-			sp++;
-			break;
-		case OANYOF:
-			cs = &m->g->sets[OPND(s)];
-			if (sp == stop || !CHIN(cs, *sp++))
-				return(NULL);
-			break;
-		case OBOL:
-			if ( (sp == m->beginp && !(m->eflags®_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags®_NEWLINE)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OEOL:
-			if ( (sp == m->endp && !(m->eflags®_NOTEOL)) ||
-					(sp < m->endp && *sp == '\n' &&
-						(m->g->cflags®_NEWLINE)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OBOW:
-			if (( (sp == m->beginp && !(m->eflags®_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags®_NEWLINE)) ||
-					(sp > m->beginp &&
-							!ISWORD(*(sp-1))) ) &&
-					(sp < m->endp && ISWORD(*sp)) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case OEOW:
-			if (( (sp == m->endp && !(m->eflags®_NOTEOL)) ||
-					(sp < m->endp && *sp == '\n' &&
-						(m->g->cflags®_NEWLINE)) ||
-					(sp < m->endp && !ISWORD(*sp)) ) &&
-					(sp > m->beginp && ISWORD(*(sp-1))) )
-				{ /* yes */ }
-			else
-				return(NULL);
-			break;
-		case O_QUEST:
-			break;
-		case OOR1:	/* matches null but needs to skip */
-			ss++;
-			s = m->g->strip[ss];
-			do {
-				assert(OP(s) == OOR2);
-				ss += OPND(s);
-			} while (OP(s = m->g->strip[ss]) != O_CH);
-			/* note that the ss++ gets us past the O_CH */
-			break;
-		default:	/* have to make a choice */
-			hard = 1;
-			break;
-		}
-	if (!hard) {		/* that was it! */
-		if (sp != stop)
-			return(NULL);
-		return(sp);
-	}
-	ss--;			/* adjust for the for's final increment */
-
-	/* the hard stuff */
-	AT("hard", sp, stop, ss, stopst);
-	s = m->g->strip[ss];
-	switch (OP(s)) {
-	case OBACK_:		/* the vilest depths */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		if (m->pmatch[i].rm_eo == -1)
-			return(NULL);
-		assert(m->pmatch[i].rm_so != -1);
-		len = m->pmatch[i].rm_eo - m->pmatch[i].rm_so;
-		assert(stop - m->beginp >= len);
-		if (sp > stop - len)
-			return(NULL);	/* not enough left to match */
-		ssp = m->offp + m->pmatch[i].rm_so;
-		if (memcmp(sp, ssp, len) != 0)
-			return(NULL);
-		while (m->g->strip[ss] != SOP(O_BACK, i))
-			ss++;
-		return(backref(m, sp+len, stop, ss+1, stopst, lev));
-		break;
-	case OQUEST_:		/* to null or not */
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);	/* not */
-		return(backref(m, sp, stop, ss+OPND(s)+1, stopst, lev));
-		break;
-	case OPLUS_:
-		assert(m->lastpos != NULL);
-		assert(lev+1 <= m->g->nplus);
-		m->lastpos[lev+1] = sp;
-		return(backref(m, sp, stop, ss+1, stopst, lev+1));
-		break;
-	case O_PLUS:
-		if (sp == m->lastpos[lev])	/* last pass matched null */
-			return(backref(m, sp, stop, ss+1, stopst, lev-1));
-		/* try another pass */
-		m->lastpos[lev] = sp;
-		dp = backref(m, sp, stop, ss-OPND(s)+1, stopst, lev);
-		if (dp == NULL)
-			return(backref(m, sp, stop, ss+1, stopst, lev-1));
-		else
-			return(dp);
-		break;
-	case OCH_:		/* find the right one, if any */
-		ssub = ss + 1;
-		esub = ss + OPND(s) - 1;
-		assert(OP(m->g->strip[esub]) == OOR1);
-		for (;;) {	/* find first matching branch */
-			dp = backref(m, sp, stop, ssub, esub, lev);
-			if (dp != NULL)
-				return(dp);
-			/* that one missed, try next one */
-			if (OP(m->g->strip[esub]) == O_CH)
-				return(NULL);	/* there is none */
-			esub++;
-			assert(OP(m->g->strip[esub]) == OOR2);
-			ssub = esub + 1;
-			esub += OPND(m->g->strip[esub]);
-			if (OP(m->g->strip[esub]) == OOR2)
-				esub--;
-			else
-				assert(OP(m->g->strip[esub]) == O_CH);
-		}
-		break;
-	case OLPAREN:		/* must undo assignment if rest fails */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		offsave = m->pmatch[i].rm_so;
-		m->pmatch[i].rm_so = sp - m->offp;
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);
-		m->pmatch[i].rm_so = offsave;
-		return(NULL);
-		break;
-	case ORPAREN:		/* must undo assignment if rest fails */
-		i = OPND(s);
-		assert(0 < i && i <= m->g->nsub);
-		offsave = m->pmatch[i].rm_eo;
-		m->pmatch[i].rm_eo = sp - m->offp;
-		dp = backref(m, sp, stop, ss+1, stopst, lev);
-		if (dp != NULL)
-			return(dp);
-		m->pmatch[i].rm_eo = offsave;
-		return(NULL);
-		break;
-	default:		/* uh oh */
-		assert(nope);
-		break;
-	}
-
-	/* "can't happen" */
-	assert(nope);
-	/* NOTREACHED */
-	return((char *)NULL);	/* dummy */
-}
-
-/*
- - fast - step through the string at top speed
- == static char *fast(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* where tentative match ended, or NULL */
-fast(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register states st = m->st;
-	register states fresh = m->fresh;
-	register states tmp = m->tmp;
-	register char *p = start;
-	register int c = (start == m->beginp) ? OUT : *(start-1);
-	register int lastc;	/* previous c */
-	register int flagch;
-	register int i;
-	register char *coldp;	/* last p after which no match was underway */
-
-	CLEAR(st);
-	SET1(st, startst);
-	st = step(m->g, startst, stopst, st, NOTHING, st);
-	ASSIGN(fresh, st);
-	SP("start", st, *p);
-	coldp = NULL;
-	for (;;) {
-		/* next character */
-		lastc = c;
-		c = (p == m->endp) ? OUT : *p;
-		if (EQ(st, fresh))
-			coldp = p;
-
-		/* is there an EOL and/or BOL between lastc and c? */
-		flagch = '\0';
-		i = 0;
-		if ( (lastc == '\n' && m->g->cflags®_NEWLINE) ||
-				(lastc == OUT && !(m->eflags®_NOTBOL)) ) {
-			flagch = BOL;
-			i = m->g->nbol;
-		}
-		if ( (c == '\n' && m->g->cflags®_NEWLINE) ||
-				(c == OUT && !(m->eflags®_NOTEOL)) ) {
-			flagch = (flagch == BOL) ? BOLEOL : EOL;
-			i += m->g->neol;
-		}
-		if (i != 0) {
-			for (; i > 0; i--)
-				st = step(m->g, startst, stopst, st, flagch, st);
-			SP("boleol", st, c);
-		}
-
-		/* how about a word boundary? */
-		if ( (flagch == BOL || (lastc != OUT && !ISWORD(lastc))) &&
-					(c != OUT && ISWORD(c)) ) {
-			flagch = BOW;
-		}
-		if ( (lastc != OUT && ISWORD(lastc)) &&
-				(flagch == EOL || (c != OUT && !ISWORD(c))) ) {
-			flagch = EOW;
-		}
-		if (flagch == BOW || flagch == EOW) {
-			st = step(m->g, startst, stopst, st, flagch, st);
-			SP("boweow", st, c);
-		}
-
-		/* are we done? */
-		if (ISSET(st, stopst) || p == stop)
-			break;		/* NOTE BREAK OUT */
-
-		/* no, we must deal with this character */
-		ASSIGN(tmp, st);
-		ASSIGN(st, fresh);
-		assert(c != OUT);
-		st = step(m->g, startst, stopst, tmp, c, st);
-		SP("aft", st, c);
-		assert(EQ(step(m->g, startst, stopst, st, NOTHING, st), st));
-		p++;
-	}
-
-	assert(coldp != NULL);
-	m->coldp = coldp;
-	if (ISSET(st, stopst))
-		return(p+1);
-	else
-		return(NULL);
-}
-
-/*
- - slow - step through the string more deliberately
- == static char *slow(register struct match *m, char *start, \
- ==	char *stop, sopno startst, sopno stopst);
- */
-static char *			/* where it ended */
-slow(m, start, stop, startst, stopst)
-register struct match *m;
-char *start;
-char *stop;
-sopno startst;
-sopno stopst;
-{
-	register states st = m->st;
-	register states empty = m->empty;
-	register states tmp = m->tmp;
-	register char *p = start;
-	register int c = (start == m->beginp) ? OUT : *(start-1);
-	register int lastc;	/* previous c */
-	register int flagch;
-	register int i;
-	register char *matchp;	/* last p at which a match ended */
-
-	AT("slow", start, stop, startst, stopst);
-	CLEAR(st);
-	SET1(st, startst);
-	SP("sstart", st, *p);
-	st = step(m->g, startst, stopst, st, NOTHING, st);
-	matchp = NULL;
-	for (;;) {
-		/* next character */
-		lastc = c;
-		c = (p == m->endp) ? OUT : *p;
-
-		/* is there an EOL and/or BOL between lastc and c? */
-		flagch = '\0';
-		i = 0;
-		if ( (lastc == '\n' && m->g->cflags®_NEWLINE) ||
-				(lastc == OUT && !(m->eflags®_NOTBOL)) ) {
-			flagch = BOL;
-			i = m->g->nbol;
-		}
-		if ( (c == '\n' && m->g->cflags®_NEWLINE) ||
-				(c == OUT && !(m->eflags®_NOTEOL)) ) {
-			flagch = (flagch == BOL) ? BOLEOL : EOL;
-			i += m->g->neol;
-		}
-		if (i != 0) {
-			for (; i > 0; i--)
-				st = step(m->g, startst, stopst, st, flagch, st);
-			SP("sboleol", st, c);
-		}
-
-		/* how about a word boundary? */
-		if ( (flagch == BOL || (lastc != OUT && !ISWORD(lastc))) &&
-					(c != OUT && ISWORD(c)) ) {
-			flagch = BOW;
-		}
-		if ( (lastc != OUT && ISWORD(lastc)) &&
-				(flagch == EOL || (c != OUT && !ISWORD(c))) ) {
-			flagch = EOW;
-		}
-		if (flagch == BOW || flagch == EOW) {
-			st = step(m->g, startst, stopst, st, flagch, st);
-			SP("sboweow", st, c);
-		}
-
-		/* are we done? */
-		if (ISSET(st, stopst))
-			matchp = p;
-		if (EQ(st, empty) || p == stop)
-			break;		/* NOTE BREAK OUT */
-
-		/* no, we must deal with this character */
-		ASSIGN(tmp, st);
-		ASSIGN(st, empty);
-		assert(c != OUT);
-		st = step(m->g, startst, stopst, tmp, c, st);
-		SP("saft", st, c);
-		assert(EQ(step(m->g, startst, stopst, st, NOTHING, st), st));
-		p++;
-	}
-
-	return(matchp);
-}
-
-
-static states
-step(g, start, stop, bef, ch, aft)
-register struct re_guts *g;
-sopno start;			/* start state within strip */
-sopno stop;			/* state after stop state within strip */
-register states bef;		/* states reachable before */
-int ch;				/* character or NONCHAR code */
-register states aft;		/* states already known reachable after */
-{
-	register cset *cs;
-	register sop s;
-	register sopno pc;
-	register onestate here;		/* note, macros know this name */
-	register sopno look;
-	register long i;
-
-	for (pc = start, INIT(here, pc); pc != stop; pc++, INC(here)) {
-		s = g->strip[pc];
-		switch (OP(s)) {
-		case OEND:
-			assert(pc == stop-1);
-			break;
-		case OCHAR:
-			/* only characters can match */
-			assert(!NONCHAR(ch) || ch != (char)OPND(s));
-			if (ch == (char)OPND(s))
-				FWD(aft, bef, 1);
-			break;
-		case OBOL:
-			if (ch == BOL || ch == BOLEOL)
-				FWD(aft, bef, 1);
-			break;
-		case OEOL:
-			if (ch == EOL || ch == BOLEOL)
-				FWD(aft, bef, 1);
-			break;
-		case OBOW:
-			if (ch == BOW)
-				FWD(aft, bef, 1);
-			break;
-		case OEOW:
-			if (ch == EOW)
-				FWD(aft, bef, 1);
-			break;
-		case OANY:
-			if (!NONCHAR(ch))
-				FWD(aft, bef, 1);
-			break;
-		case OANYOF:
-			cs = &g->sets[OPND(s)];
-			if (!NONCHAR(ch) && CHIN(cs, ch))
-				FWD(aft, bef, 1);
-			break;
-		case OBACK_:		/* ignored here */
-		case O_BACK:
-			FWD(aft, aft, 1);
-			break;
-		case OPLUS_:		/* forward, this is just an empty */
-			FWD(aft, aft, 1);
-			break;
-		case O_PLUS:		/* both forward and back */
-			FWD(aft, aft, 1);
-			i = ISSETBACK(aft, OPND(s));
-			BACK(aft, aft, OPND(s));
-			if (!i && ISSETBACK(aft, OPND(s))) {
-				/* oho, must reconsider loop body */
-				pc -= OPND(s) + 1;
-				INIT(here, pc);
-			}
-			break;
-		case OQUEST_:		/* two branches, both forward */
-			FWD(aft, aft, 1);
-			FWD(aft, aft, OPND(s));
-			break;
-		case O_QUEST:		/* just an empty */
-			FWD(aft, aft, 1);
-			break;
-		case OLPAREN:		/* not significant here */
-		case ORPAREN:
-			FWD(aft, aft, 1);
-			break;
-		case OCH_:		/* mark the first two branches */
-			FWD(aft, aft, 1);
-			assert(OP(g->strip[pc+OPND(s)]) == OOR2);
-			FWD(aft, aft, OPND(s));
-			break;
-		case OOR1:		/* done a branch, find the O_CH */
-			if (ISSTATEIN(aft, here)) {
-				for (look = 1;
-						OP(s = g->strip[pc+look]) != O_CH;
-						look += OPND(s))
-					assert(OP(s) == OOR2);
-				FWD(aft, aft, look);
-			}
-			break;
-		case OOR2:		/* propagate OCH_'s marking */
-			FWD(aft, aft, 1);
-			if (OP(g->strip[pc+OPND(s)]) != O_CH) {
-				assert(OP(g->strip[pc+OPND(s)]) == OOR2);
-				FWD(aft, aft, OPND(s));
-			}
-			break;
-		case O_CH:		/* just empty */
-			FWD(aft, aft, 1);
-			break;
-		default:		/* ooooops... */
-			assert(nope);
-			break;
-		}
-	}
-
-	return(aft);
-}
-
-#undef	matcher
-#undef	fast
-#undef	slow
-#undef	dissect
-#undef	backref
-#undef	step
-#undef	print
-#undef	at
-#undef	match
-
-int				/* 0 success, REG_NOMATCH failure */
-regexec(preg, string, nmatch, pmatch, eflags)
-const regex_t *preg;
-const char *string;
-size_t nmatch;
-regmatch_t pmatch[];
-int eflags;
-{
-	register struct re_guts *g = preg->re_g;
-#define	GOODFLAGS(f)	((f)&(REG_NOTBOL|REG_NOTEOL|REG_STARTEND))
-
-	if (preg->re_magic != MAGIC1 || g->magic != MAGIC2)
-		return(REG_BADPAT);
-	assert(!(g->iflags&BAD));
-	if (g->iflags&BAD)		/* backstop for no-debug case */
-		return(REG_BADPAT);
-	eflags = GOODFLAGS(eflags);
-
-	if (g->nstates <= CHAR_BIT*sizeof(states1) && !(eflags®_LARGE))
-		return(smatcher(g, (char *)string, nmatch, pmatch, eflags));
-	else
-		return(lmatcher(g, (char *)string, nmatch, pmatch, eflags));
-#undef GOODFLAGS
-}
-/*
- - regfree - free everything
- = extern void regfree(regex_t *);
- */
-void
-regfree(preg)
-regex_t *preg;
-{
-	register struct re_guts *g;
-
-	if (preg->re_magic != MAGIC1)	/* oops */
-		return;			/* nice to complain, but hard */
-
-	g = preg->re_g;
-	if (g == NULL || g->magic != MAGIC2)	/* oops again */
-		return;
-	preg->re_magic = 0;		/* mark it invalid */
-	g->magic = 0;			/* mark it invalid */
-
-	if (g->strip != NULL)
-		free((char *)g->strip);
-	if (g->sets != NULL)
-		free((char *)g->sets);
-	if (g->setbits != NULL)
-		free((char *)g->setbits);
-	if (g->must != NULL)
-		free(g->must);
-	free((char *)g);
-}
-
-#ifdef WITH_MAIN
-int main(int argc, char* argv[]){
- regex_t preg;
- int i, s;
- if(argc<2) return 1;
- if (regcomp(&preg, argv[1], REG_NOSUB)) {
-	fprintf(stderr, "Failed to compile regex\n");
-	return 2;
- }
- for (i = 2; i
-#include 
-
-
-#define uchar unsigned char
-
-static const uchar perm1[56] = {57, 49, 41, 33, 25, 17,  9,
-			 1, 58, 50, 42, 34, 26, 18,
-			10,  2, 59, 51, 43, 35, 27,
-			19, 11,  3, 60, 52, 44, 36,
-			63, 55, 47, 39, 31, 23, 15,
-			 7, 62, 54, 46, 38, 30, 22,
-			14,  6, 61, 53, 45, 37, 29,
-			21, 13,  5, 28, 20, 12,  4};
-
-static const uchar perm2[48] = {14, 17, 11, 24,  1,  5,
-                         3, 28, 15,  6, 21, 10,
-                        23, 19, 12,  4, 26,  8,
-                        16,  7, 27, 20, 13,  2,
-                        41, 52, 31, 37, 47, 55,
-                        30, 40, 51, 45, 33, 48,
-                        44, 49, 39, 56, 34, 53,
-                        46, 42, 50, 36, 29, 32};
-
-static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10,  2,
-			60, 52, 44, 36, 28, 20, 12,  4,
-			62, 54, 46, 38, 30, 22, 14,  6,
-			64, 56, 48, 40, 32, 24, 16,  8,
-			57, 49, 41, 33, 25, 17,  9,  1,
-			59, 51, 43, 35, 27, 19, 11,  3,
-			61, 53, 45, 37, 29, 21, 13,  5,
-			63, 55, 47, 39, 31, 23, 15,  7};
-
-static const uchar perm4[48] = {   32,  1,  2,  3,  4,  5,
-                            4,  5,  6,  7,  8,  9,
-                            8,  9, 10, 11, 12, 13,
-                           12, 13, 14, 15, 16, 17,
-                           16, 17, 18, 19, 20, 21,
-                           20, 21, 22, 23, 24, 25,
-                           24, 25, 26, 27, 28, 29,
-                           28, 29, 30, 31, 32,  1};
-
-static const uchar perm5[32] = {      16,  7, 20, 21,
-                              29, 12, 28, 17,
-                               1, 15, 23, 26,
-                               5, 18, 31, 10,
-                               2,  8, 24, 14,
-                              32, 27,  3,  9,
-                              19, 13, 30,  6,
-                              22, 11,  4, 25};
-
-
-static const uchar perm6[64] ={ 40,  8, 48, 16, 56, 24, 64, 32,
-                        39,  7, 47, 15, 55, 23, 63, 31,
-                        38,  6, 46, 14, 54, 22, 62, 30,
-                        37,  5, 45, 13, 53, 21, 61, 29,
-                        36,  4, 44, 12, 52, 20, 60, 28,
-                        35,  3, 43, 11, 51, 19, 59, 27,
-                        34,  2, 42, 10, 50, 18, 58, 26,
-                        33,  1, 41,  9, 49, 17, 57, 25};
-
-
-static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
-
-static const uchar sbox[8][4][16] = {
-	{{14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7},
-	 {0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8},
-	 {4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0},
-	 {15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13}},
-
-	{{15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10},
-	 {3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5},
-	 {0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15},
-	 {13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9}},
-
-	{{10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8},
-	 {13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1},
-	 {13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7},
-	 {1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12}},
-
-	{{7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15},
-	 {13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9},
-	 {10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4},
-	 {3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14}},
-
-	{{2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9},
-	 {14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6},
-	 {4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14},
-	 {11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3}},
-
-	{{12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11},
-	 {10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8},
-	 {9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6},
-	 {4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13}},
-
-	{{4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1},
-	 {13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6},
-	 {1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2},
-	 {6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12}},
-
-	{{13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7},
-	 {1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2},
-	 {7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8},
-	 {2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11}}};
-
-static void permute(char *out, const char *in, const uchar *p, int n)
-{
-	int i;
-	for (i=0;i>1;
-	key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
-	key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
-	key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
-	key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
-	key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
-	key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
-	key[7] = str[6]&0x7F;
-	for (i=0;i<8;i++) {
-		key[i] = (key[i]<<1);
-	}
-}
-
-
-static void smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
-{
-	int i;
-	char outb[64];
-	char inb[64];
-	char keyb[64];
-	unsigned char key2[8];
-
-	str_to_key(key, key2);
-
-	for (i=0;i<64;i++) {
-		inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		outb[i] = 0;
-	}
-
-	dohash(outb, inb, keyb);
-
-	for (i=0;i<8;i++) {
-		out[i] = 0;
-	}
-
-	for (i=0;i<64;i++) {
-		if (outb[i])
-			out[i/8] |= (1<<(7-(i%8)));
-	}
-}
-
-/*
- *	Converts the password to uppercase, and creates the LM
- *	password hash.
- */
-void lmpwdhash(const unsigned char *password,unsigned char *lmhash)
-{
-	int i;
-	unsigned char p14[14];
-	static unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-
-	memset(p14, 0, sizeof(p14));
-	for (i = 0; i < 14 && password[i]; i++) {
-		p14[i] = toupper((int) password[i]);
-	}
-
-	smbhash(lmhash, sp8, p14);
-	smbhash(lmhash+8, sp8, p14+7);
-}
-
-/*
- *	Take the NT or LM password, and return the MSCHAP response
- *
- *	The win_password MUST be exactly 16 bytes long.
- */
-void mschap(const unsigned char *win_password,
-		 const unsigned char *challenge, unsigned char *response)
-{
-	unsigned char p21[21];
-
-	memset(p21, 0, sizeof(p21));
-	memcpy(p21, win_password, 16);
-
-	smbhash(response, challenge, p21);
-	smbhash(response+8, challenge, p21+7);
-	smbhash(response+16, challenge, p21+14);
-}
diff --git a/src/limiter.c b/src/limiter.c
new file mode 100644
index 0000000..02d7d0a
--- /dev/null
+++ b/src/limiter.c
@@ -0,0 +1,204 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int startconnlims (struct clientparam *param){
+	struct connlim * ce;
+	time_t delta;
+	uint64_t rating;
+	int ret = 0;
+
+	param->connlim = 1;
+	_3proxy_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period){
+				if(ce->rate <= ce->rating) {
+					ret = 1;
+					break;
+				}
+				ce->rating++;
+				continue;
+			}
+			delta = conf.time - ce->basetime;
+			if(ce->period <= delta || ce->basetime > conf.time){
+				ce->basetime = conf.time;
+				ce->rating = 0x100000;
+				continue;
+			}
+			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
+			if (rating > (ce->rate<<20)) {
+				ret = 2;
+				break;
+			}
+			ce->rating = rating;
+			ce->basetime = conf.time;
+		}
+	}
+	if(ret) {
+		struct connlim * cee;
+		for(cee = conf.connlimiter; cee != ce; cee = cee->next) {
+			if(ACLmatches(cee->ace, param) && !cee->period && cee->rating) {
+				cee->rating--;
+			}
+		}
+		param->connlim = 0;
+	}
+	_3proxy_mutex_unlock(&connlim_mutex);
+	return ret;
+}
+
+void stopconnlims (struct clientparam *param){
+	struct connlim * ce;
+
+	_3proxy_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period && ce->rating){
+				ce->rating--;
+				continue;
+			}
+		}
+	}
+	_3proxy_mutex_unlock(&connlim_mutex);
+}
+
+void initbandlims (struct clientparam *param){
+	struct bandlim * be;
+	int i;
+
+	param->bandlimfunc = NULL;
+	param->bandlims[0] = NULL;
+	param->bandlimsout[0] = NULL;
+	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
+	for(i=0, be = conf.bandlimiter; be && inext) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlims[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(ibandlims[i] = NULL;
+	for(i=0, be = conf.bandlimiterout; be && inext) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlimsout[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(ibandlimsout[i] = NULL;
+	param->bandlimver = conf.bandlimver;
+}
+
+unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
+	unsigned sleeptime = 0, nsleeptime;
+	time_t sec;
+	unsigned msec;
+	unsigned now;
+	int i;
+
+#ifdef _WIN32
+	struct timeb tb;
+
+	ftime(&tb);
+	sec = (unsigned)tb.time;
+	msec = (unsigned)tb.millitm*1000;
+#else
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+
+	sec = tv.tv_sec;
+	msec = tv.tv_usec;
+#endif
+
+	if(!nbytesin && !nbytesout) return 0;
+	_3proxy_mutex_lock(&bandlim_mutex);
+	if(param->bandlimver != conf.bandlimver){
+		initbandlims(param);
+		param->bandlimver = conf.bandlimver;
+	}
+	for(i=0; nbytesin&& ibandlims[i]; i++){
+		if( !param->bandlims[i]->basetime ||
+			param->bandlims[i]->basetime > sec ||
+			param->bandlims[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlims[i]->basetime = sec;
+			param->bandlims[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlims[i]->nexttime > now)?
+			param->bandlims[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlims[i]->basetime = sec;
+		param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
+	}
+	for(i=0; nbytesout && ibandlimsout[i]; i++){
+		if( !param->bandlimsout[i]->basetime ||
+			param->bandlimsout[i]->basetime > sec ||
+			param->bandlimsout[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlimsout[i]->basetime = sec;
+			param->bandlimsout[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
+			param->bandlimsout[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlimsout[i]->basetime = sec;
+		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
+	}
+	_3proxy_mutex_unlock(&bandlim_mutex);
+	return sleeptime/1000;
+}
+
+void trafcountfunc(struct clientparam *param){
+	struct trafcount * tc;
+	int countout = 0;
+
+	_3proxy_mutex_lock(&tc_mutex);
+	for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+
+			if(tc->ace->action == NOCOUNTIN) {
+				countout = 1;
+				break;
+			}
+			if(tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
+				countout = 1;
+				continue;
+			}
+			tc->traf64 += param->statssrv64;
+			tc->updated = conf.time;
+		}
+	}
+	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
+				continue;
+			}
+			tc->traf64 += param->statscli64;
+			tc->updated = conf.time;
+		}
+	}
+
+	_3proxy_mutex_unlock(&tc_mutex);
+}
+
diff --git a/src/log.c b/src/log.c
index ca9daea..6e39e07 100644
--- a/src/log.c
+++ b/src/log.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2020 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -10,7 +10,7 @@
 
 
 #include "proxy.h"
-pthread_mutex_t log_mutex;
+_3proxy_mutex_t log_mutex;
 int havelog = 0;
 
 
@@ -20,16 +20,8 @@ struct srvparam logsrv;
 
 
 void dolog(struct clientparam * param, const unsigned char *s){
-	static int init = 0;
-
-	if(param)param->srv->logfunc(param, s);
-	else {
-		if(!init){
-			srvinit(&logsrv, &logparam);
-			init = 1;
-		}
-		logstdout(&logparam, s);
-	}
+	if(param && param->srv)param->srv->logfunc(param, s);
+	else logstdout(NULL, s);
 }
 
 
@@ -70,6 +62,9 @@ int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char
 	long timezone;
 	unsigned delay;
 
+	if(!logparam.srv) srvinit(&logsrv, &logparam);
+	if(!param) param = &logparam;
+
 
 
 #ifdef _WIN32
@@ -190,7 +185,7 @@ int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char
 					break;
 
 				case 'N':
-				 if(param->service < 15) {
+				 if(param->service <= MAX_SERVICE) {
 					 len = (conf.stringtable)? (int)strlen((char *)conf.stringtable[SERVICES + param->service]) : 0;
 					 if(len > 20) len = 20;
 					 memcpy(buf+i, (len)?conf.stringtable[SERVICES + param->service]:(unsigned char*)"-", (len)?len:1);
@@ -246,15 +241,15 @@ int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char
 				 i += (int)strlen((char *)buf+i);
 				 break;
 				case 'L':
-				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->cycles);
+				 sprintf((char *)buf+i, "%"PRIu64"", param->cycles);
 				 i += (int)strlen((char *)buf+i);
 				 break;
 				case 'I':
-				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statssrv64);
+				 sprintf((char *)buf+i, "%"PRIu64"", param->statssrv64);
 				 i += (int)strlen((char *)buf+i);
 				 break;
 				case 'O':
-				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statscli64);
+				 sprintf((char *)buf+i, "%"PRIu64"", param->statscli64);
 				 i += (int)strlen((char *)buf+i);
 				 break;
 				case 'h':
@@ -300,6 +295,8 @@ int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char
 						break;
 
 					}
+				case 0:
+				 j--;
 				default:
 				 buf[i++] = format[j];
 			}
@@ -315,15 +312,21 @@ int dobuf(struct clientparam * param, unsigned char * buf, const unsigned char *
 	int i;
 	char * format;
 	time_t t;
+	int has_srv;
 
 	time(&t);
-	if(!param) return 0;
-	if(param->trafcountfunc)(*param->trafcountfunc)(param);
-	format = param->srv->logformat?(char *)param->srv->logformat : DEFLOGFORMAT;
+	has_srv = param && param->srv;
+	if(has_srv){
+		if(param->trafcountfunc)(*param->trafcountfunc)(param);
+		format = param->srv->logformat?(char *)param->srv->logformat : DEFLOGFORMAT;
+	}
+	else {
+		format = DEFLOGFORMAT;
+	}
 	tm = (*format == 'G' || *format == 'g')?
 		gmtime(&t) : localtime(&t);
 	i = dobuf2(param, buf, s, doublec, tm, format + 1);
-	clearstat(param);
+	if(has_srv) clearstat(param);
 	return i;
 }
 
@@ -337,8 +340,8 @@ void logstdout(struct clientparam * param, const unsigned char *s) {
 	unsigned char tmpbuf[8192];
 
 	dobuf(param, tmpbuf, s, NULL);
-	log = param->srv->stdlog?param->srv->stdlog:conf.stdlog?conf.stdlog:stdout;
-	if(!param->nolog)if(fprintf(log, "%s\n", tmpbuf) < 0) {
+	log = (param && param->srv && param->srv->stdlog)?param->srv->stdlog:conf.stdlog?conf.stdlog:stdout;
+	if(!param || !param->nolog)if(fprintf(log, "%s\n", tmpbuf) < 0) {
 		perror("printf()");
 	};
 	if(log != conf.stdlog)fflush(log);
diff --git a/src/mycrypt.c b/src/mycrypt.c
deleted file mode 100644
index c07725f..0000000
--- a/src/mycrypt.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
-
-   please read License Agreement
-
-*/
-#include "libs/md5.h"
-#include "libs/md4.h"
-#include 
-
-#define MD5_SIZE 16
-
-#ifdef _WIN32
-#pragma warning (disable : 4996)
-#endif
-
-
-void tohex(unsigned char *in, unsigned char *out, int len);
-
-static unsigned char itoa64[] =
-        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-void
-_crypt_to64(unsigned char *s, unsigned long v, int n)
-{
-        while (--n >= 0) {
-                *s++ = itoa64[v&0x3f];
-                v >>= 6;
-        }
-}
-
-
-unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPassword, int ctohex)
-{
-	unsigned char szUnicodePass[513];
-	unsigned int nPasswordLen;
-	MD4_CTX ctx;
-	unsigned int i;
-
-	/*
-	 *	NT passwords are unicode.  Convert plain text password
-	 *	to unicode by inserting a zero every other byte
-	 */
-	nPasswordLen = (int)strlen((char *)szPassword);
-	if(nPasswordLen > 255)nPasswordLen = 255;
-	for (i = 0; i < nPasswordLen; i++) {
-		szUnicodePass[i << 1] = szPassword[i];
-		szUnicodePass[(i << 1) + 1] = 0;
-	}
-
-	/* Encrypt Unicode password to a 16-byte MD4 hash */
-	MD4Init(&ctx);
-	MD4Update(&ctx, szUnicodePass, (nPasswordLen<<1));
-	MD4Final(szUnicodePass, &ctx);
-	if (ctohex){
-		tohex(szUnicodePass, szHash, 16);
-	}
-	else memcpy(szHash, szUnicodePass, 16);
-	return szHash;
-}
-
-
-unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){
-
- const unsigned char *ep;
- if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
-	static unsigned char	*magic = (unsigned char *)"$1$";	
-	unsigned char  *p;
-	const unsigned char *sp;
-	unsigned char	final[MD5_SIZE];
-	int sl,pl,i;
-	MD5_CTX	ctx,ctx1;
-	unsigned long l;
-
-	/* Refine the Salt first */
-	sp = salt +3;
-
-	/* get the length of the true salt */
-	sl = (int)(ep - sp);
-
-	MD5Init(&ctx);
-
-	/* The password first, since that is what is most unknown */
-	MD5Update(&ctx,pw,strlen((char *)pw));
-
-	/* Then our magic string */
-	MD5Update(&ctx,magic,strlen((char *)magic));
-
-	/* Then the raw salt */
-	MD5Update(&ctx,sp,sl);
-
-	/* Then just as many unsigned characters of the MD5(pw,salt,pw) */
-	MD5Init(&ctx1);
-	MD5Update(&ctx1,pw,strlen((char *)pw));
-	MD5Update(&ctx1,sp,sl);
-	MD5Update(&ctx1,pw,strlen((char *)pw));
-	MD5Final(final,&ctx1);
-	for(pl = (int)strlen((char *)pw); pl > 0; pl -= MD5_SIZE)
-		MD5Update(&ctx,final,pl>MD5_SIZE ? MD5_SIZE : pl);
-
-	/* Don't leave anything around in vm they could use. */
-	memset(final,0,sizeof final);
-
-	/* Then something really weird... */
-	for (i = (int)strlen((char *)pw); i ; i >>= 1)
-		if(i&1)
-		    MD5Update(&ctx, final, 1);
-		else
-		    MD5Update(&ctx, pw, 1);
-
-	/* Now make the output string */
-	strcpy((char *)passwd,(char *)magic);
-	strncat((char *)passwd,(char *)sp,sl);
-	strcat((char *)passwd,"$");
-
-	MD5Final(final,&ctx);
-
-	/*
-	 * and now, just to make sure things don't run too fast
-	 * On a 60 Mhz Pentium this takes 34 msec, so you would
-	 * need 30 seconds to build a 1000 entry dictionary...
-	 */
-	for(i=0;i<1000;i++) {
-		MD5Init(&ctx1);
-		if(i & 1)
-			MD5Update(&ctx1,pw,strlen((char *)pw));
-		else
-			MD5Update(&ctx1,final,MD5_SIZE);
-
-		if(i % 3)
-			MD5Update(&ctx1,sp,sl);
-
-		if(i % 7)
-			MD5Update(&ctx1,pw,strlen((char *)pw));
-
-		if(i & 1)
-			MD5Update(&ctx1,final,MD5_SIZE);
-		else
-			MD5Update(&ctx1,pw,strlen((char *)pw));
-		MD5Final(final,&ctx1);
-	}
-
-	p = passwd + strlen((char *)passwd);
-
-	l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
-	_crypt_to64(p,l,4); p += 4;
-	l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
-	_crypt_to64(p,l,4); p += 4;
-	l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
-	_crypt_to64(p,l,4); p += 4;
-	l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
-	_crypt_to64(p,l,4); p += 4;
-	l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
-	_crypt_to64(p,l,4); p += 4;
-	l =                    final[11]                ;
-	_crypt_to64(p,l,2); p += 2;
-	*p = '\0';
-
-	/* Don't leave anything around in vm they could use. */
-	memset(final,0,sizeof final);
- }
- else {
-	*passwd = 0;
- }
- return passwd;
-}
-
-#ifdef WITHMAIN
-
-#include 
-int main(int argc, char* argv[]){
-	unsigned char buf[1024];
-	unsigned i;
-	if(argc < 2 || argc > 3) {
-		fprintf(stderr, "usage: \n"
-			"\t%s \n"
-			"\t%s  \n"
-			"Performs NT crypt if no salt specified, MD5 crypt with salt\n"
-			"This software uses:\n"
-			"  RSA Data Security, Inc. MD4 Message-Digest Algorithm\n"
-			"  RSA Data Security, Inc. MD5 Message-Digest Algorithm\n",
-			argv[0],
-			argv[0]);
-			return 1;
-	}
-	if(argc == 2) {
-		printf("NT:%s\n", ntpwdhash(buf, (unsigned char *)argv[1], 1));
-	}
-	else {
-		i = (int)strlen((char *)argv[1]);
-		if (i > 64) argv[1][64] = 0;
-		sprintf((char *)buf, "$1$%s$", argv[1]);
-		printf("CR:%s\n", mycrypt((unsigned char *)argv[2], buf, buf+256));
-	}
-	return 0;
-}
-
-#endif
diff --git a/src/ntlm.c b/src/ntlm.c
deleted file mode 100644
index 21bd0da..0000000
--- a/src/ntlm.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
-
-   please read License Agreement
-
-*/
-
-#include "proxy.h"
-struct ntlmchal {
-	unsigned char sig[8];
-	unsigned char messtype[4];
-	unsigned char dom_len[2];
-	unsigned char dom_max_len[2];
-	unsigned char dom_offset[4];
-	unsigned char flags[4];
-	unsigned char challenge[8];
-	unsigned char reserved[8];
-	unsigned char addr_len[2];
-	unsigned char addr_max_len[2];
-	unsigned char addr_offset[4];
-	unsigned char data[1];
-};
-
-struct ntlmreq {
-	unsigned char sig[8];
-	unsigned char messtype[4];
-	unsigned char flags[4];
-	unsigned char dom_len[2];
-	unsigned char dom_max_len[2];
-	unsigned char dom_offset[4];
-	unsigned char pad1[2];
-	unsigned char host_len[2];
-	unsigned char host_max_len[2];
-	unsigned char host_offset[4];
-	unsigned char pad2[2];
-	unsigned char data[1];
-};
-
-int text2unicode(const char * text, char * buf, int buflen){
-	int count = 0;
-	buflen = ((buflen>>1)<<1);
-	if(!text || !buflen) return 0;
-	do {
-		buf[count++] = toupper(*text++);
-		buf[count++] = '\0';
-	} while (*text && count < buflen);
-	return count;
-}
-
-void unicode2text(const char *unicode, char * buf, int len){
-	int i;
-	if(!unicode || !len) return;
-	for(i=0; isig, "NTLMSSP", 8);
-	chal->messtype[0] = 2;
-	gethostname(hostname, 128);
-	hostname[15] = 0;
-	len = (((int)strlen(hostname)) << 1);
-	chal->dom_len[0] = len;
-	chal->dom_max_len[0] = len;
-	chal->dom_offset[0] =  (unsigned char)((unsigned char *)chal->data - (unsigned char *)chal);
-	chal->flags[0] = 0x03;
-	chal->flags[1] = 0x82;
-	chal->flags[2] = 0x81;
-	chal->flags[3] = 0xA0;
-	text2unicode(hostname, (char *)chal->data, 64);
-	time((time_t *)challenge);
-	memcpy(challenge+4, SAADDR(¶m->sincr), 4);
-	challenge[1]^=*SAPORT(¶m->sincr);
-	for(i = 0; i < 8; i++) challenge[i] ^= myrand(challenge, 8);
-	memcpy(chal->challenge, challenge, 8);
-	en64((unsigned char *)tmpbuf, (unsigned char *)buf, (int)((unsigned char *)chal->data - (unsigned char *)chal) + len);	
-}
diff --git a/src/pcre.c b/src/pcre.c
new file mode 100644
index 0000000..05e9ea4
--- /dev/null
+++ b/src/pcre.c
@@ -0,0 +1,646 @@
+/*
+   (c) 2007-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "structures.h"
+#include 
+#define PCRE2_CODE_UNIT_WIDTH 8
+#define PCRE2_STATIC
+#include 
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifndef isnumber
+#define isnumber(i_n_arg) ((i_n_arg>='0')&&(i_n_arg<='9'))
+#endif
+
+static struct pluginlink * pl;
+
+static _3proxy_mutex_t pcre_mutex;
+
+
+static struct filter pcre_first_filter = {
+	NULL,
+	"Fake filter",
+	NULL, NULL,
+	NULL, NULL,
+	NULL, NULL, NULL,
+	NULL, NULL,
+	NULL, NULL
+};
+
+static struct filter *pcre_last_filter;
+static int pcre_loaded = 0;
+static uint32_t pcre_options = 0;
+
+static struct pcreopt {
+	char * name;
+	uint32_t value;
+} pcreopts[]= {
+
+#ifdef PCRE2_ALLOW_EMPTY_CLASS
+ {"PCRE2_ALLOW_EMPTY_CLASS", PCRE2_ALLOW_EMPTY_CLASS},
+#endif
+#ifdef PCRE2_ALT_BSUX
+ {"PCRE2_ALT_BSUX", PCRE2_ALT_BSUX},
+#endif
+#ifdef PCRE2_AUTO_CALLOUT
+ {"PCRE2_AUTO_CALLOUT", PCRE2_AUTO_CALLOUT},
+#endif
+#ifdef PCRE2_CASELESS
+ {"PCRE2_CASELESS", PCRE2_CASELESS},
+#endif
+#ifdef PCRE2_DOLLAR_ENDONLY
+ {"PCRE2_DOLLAR_ENDONLY", PCRE2_DOLLAR_ENDONLY},
+#endif
+#ifdef PCRE2_DOTALL
+ {"PCRE2_DOTALL", PCRE2_DOTALL},
+#endif
+#ifdef PCRE2_DUPNAMES
+ {"PCRE2_DUPNAMES", PCRE2_DUPNAMES},
+#endif
+#ifdef PCRE2_EXTENDED
+ {"PCRE2_EXTENDED", PCRE2_EXTENDED},
+#endif
+#ifdef PCRE2_FIRSTLINE
+ {"PCRE2_FIRSTLINE", PCRE2_FIRSTLINE},
+#endif
+#ifdef PCRE2_MATCH_UNSET_BACKREF
+ {"PCRE2_MATCH_UNSET_BACKREF", PCRE2_MATCH_UNSET_BACKREF},
+#endif
+#ifdef PCRE2_MULTILINE
+ {"PCRE2_MULTILINE", PCRE2_MULTILINE},
+#endif
+#ifdef PCRE2_NEVER_UCP
+ {"PCRE2_NEVER_UCP", PCRE2_NEVER_UCP},
+#endif
+#ifdef PCRE2_NEVER_UTF
+ {"PCRE2_NEVER_UTF", PCRE2_NEVER_UTF},
+#endif
+#ifdef PCRE2_NO_AUTO_CAPTURE
+ {"PCRE2_NO_AUTO_CAPTURE", PCRE2_NO_AUTO_CAPTURE},
+#endif
+#ifdef PCRE2_NO_AUTO_POSSESS
+ {"PCRE2_NO_AUTO_POSSESS", PCRE2_NO_AUTO_POSSESS},
+#endif
+#ifdef PCRE2_NO_DOTSTAR_ANCHOR
+ {"PCRE2_NO_DOTSTAR_ANCHOR", PCRE2_NO_DOTSTAR_ANCHOR},
+#endif
+#ifdef PCRE2_NO_START_OPTIMIZE
+ {"PCRE2_NO_START_OPTIMIZE", PCRE2_NO_START_OPTIMIZE},
+#endif
+#ifdef PCRE2_UCP
+ {"PCRE2_UCP", PCRE2_UCP},
+#endif
+#ifdef PCRE2_UNGREEDY
+ {"PCRE2_UNGREEDY", PCRE2_UNGREEDY},
+#endif
+#ifdef PCRE2_UTF
+ {"PCRE2_UTF", PCRE2_UTF},
+#endif
+#ifdef PCRE2_NEVER_BACKSLASH_C
+ {"PCRE2_NEVER_BACKSLASH_C", PCRE2_NEVER_BACKSLASH_C},
+#endif
+#ifdef PCRE2_ALT_CIRCUMFLEX
+ {"PCRE2_ALT_CIRCUMFLEX", PCRE2_ALT_CIRCUMFLEX},
+#endif
+#ifdef PCRE2_ALT_VERBNAMES
+ {"PCRE2_ALT_VERBNAMES", PCRE2_ALT_VERBNAMES},
+#endif
+#ifdef PCRE2_USE_OFFSET_LIMIT
+ {"PCRE2_USE_OFFSET_LIMIT", PCRE2_USE_OFFSET_LIMIT},
+#endif
+#ifdef PCRE2_EXTENDED_MORE
+ {"PCRE2_EXTENDED_MORE", PCRE2_EXTENDED_MORE},
+#endif
+#ifdef PCRE2_LITERAL
+ {"PCRE2_LITERAL", PCRE2_LITERAL},
+#endif
+#ifdef PCRE2_MATCH_INVALID_UTF
+ {"PCRE2_MATCH_INVALID_UTF", PCRE2_MATCH_INVALID_UTF},
+#endif
+
+#ifdef PCRE2_CASELESS
+ {"PCRE_CASELESS",           PCRE2_CASELESS},
+#endif
+#ifdef PCRE2_MULTILINE
+ {"PCRE_MULTILINE",          PCRE2_MULTILINE},
+#endif
+#ifdef PCRE2_DOTALL
+ {"PCRE_DOTALL",             PCRE2_DOTALL},
+#endif
+#ifdef PCRE2_EXTENDED
+ {"PCRE_EXTENDED",           PCRE2_EXTENDED},
+#endif
+#ifdef PCRE2_ANCHORED
+ {"PCRE_ANCHORED",           PCRE2_ANCHORED},
+#endif
+#ifdef PCRE2_DOLLAR_ENDONLY
+ {"PCRE_DOLLAR_ENDONLY",     PCRE2_DOLLAR_ENDONLY},
+#endif
+#ifdef PCRE2_EXTENDED_MORE
+ {"PCRE_EXTRA",              PCRE2_EXTENDED_MORE},
+#endif
+#ifdef PCRE2_NOTBOL
+ {"PCRE_NOTBOL",             PCRE2_NOTBOL},
+#endif
+#ifdef PCRE2_NOTEOL
+ {"PCRE_NOTEOL",             PCRE2_NOTEOL},
+#endif
+#ifdef PCRE2_UNGREEDY
+ {"PCRE_UNGREEDY",           PCRE2_UNGREEDY},
+#endif
+#ifdef PCRE2_NOTEMPTY
+ {"PCRE_NOTEMPTY",           PCRE2_NOTEMPTY},
+#endif
+#ifdef PCRE2_UTF
+ {"PCRE_UTF8",               PCRE2_UTF},
+#endif
+#ifdef PCRE2_NO_AUTO_CAPTURE
+ {"PCRE_NO_AUTO_CAPTURE",    PCRE2_NO_AUTO_CAPTURE},
+#endif
+#ifdef PCRE2_MATCH_INVALID_UTF
+ {"PCRE_NO_UTF8_CHECK",      PCRE2_MATCH_INVALID_UTF},
+#endif
+#ifdef PCRE2_AUTO_CALLOUT
+ {"PCRE_AUTO_CALLOUT",       PCRE2_AUTO_CALLOUT},
+#endif
+#ifdef PCRE2_PARTIAL_SOFT
+ {"PCRE_PARTIAL",            PCRE2_PARTIAL_SOFT},
+#endif
+#ifdef PCRE2_DFA_SHORTEST
+ {"PCRE_DFA_SHORTEST",       PCRE2_DFA_SHORTEST},
+#endif
+#ifdef PCRE2_DFA_RESTART
+ {"PCRE_DFA_RESTART",        PCRE2_DFA_RESTART},
+#endif
+#ifdef PCRE2_FIRSTLINE
+ {"PCRE_FIRSTLINE",          PCRE2_FIRSTLINE},
+#endif
+#ifdef PCRE2_DUPNAMES
+ {"PCRE_DUPNAMES",           PCRE2_DUPNAMES},
+#endif
+#ifdef PCRE2_NEWLINE_CR
+ {"PCRE_NEWLINE_CR",         PCRE2_NEWLINE_CR},
+#endif
+#ifdef PCRE2_NEWLINE_LF
+ {"PCRE_NEWLINE_LF",         PCRE2_NEWLINE_LF},
+#endif
+#ifdef PCRE2_NEWLINE_CRLF
+ {"PCRE_NEWLINE_CRLF",       PCRE2_NEWLINE_CRLF},
+#endif
+#ifdef PCRE2_NEWLINE_ANY
+ {"PCRE_NEWLINE_ANY",        PCRE2_NEWLINE_ANY},
+#endif
+#ifdef PCRE2_NEWLINE_ANYCRLF
+ {"PCRE_NEWLINE_ANYCRLF",    PCRE2_NEWLINE_ANYCRLF},
+#endif
+#ifdef PCRE2_BSR_ANYCRLF
+ {"PCRE_BSR_ANYCRLF",        PCRE2_BSR_ANYCRLF},
+#endif
+#ifdef PCRE2_BSR_UNICODE
+ {"PCRE_BSR_UNICODE",        PCRE2_BSR_UNICODE},
+#endif
+
+ {NULL, 0}
+};
+
+struct pcre_filter_data {
+	int users;
+	pcre2_code * re;
+	pcre2_match_data * match_data;
+	int action;
+	char * replace;
+	struct ace *acl;
+};
+
+static void pcre_data_free(struct pcre_filter_data *pcrefd){
+	_3proxy_mutex_lock(&pcre_mutex);
+	pcrefd->users--;
+	if(!pcrefd->users){
+		if(pcrefd->match_data) pcre2_match_data_free(pcrefd->match_data);
+		if(pcrefd->re) pcre2_code_free(pcrefd->re);
+		if(pcrefd->acl) pl->freeacl(pcrefd->acl);
+		if(pcrefd->replace) pl->freefunc(pcrefd->replace);
+		pl->freefunc(pcrefd);
+	}
+	_3proxy_mutex_unlock(&pcre_mutex);
+}
+
+
+
+
+static void* pcre_filter_open(void * idata, struct srvparam * param){
+#define pcrefd ((struct pcre_filter_data *)idata)
+	if(idata){
+		_3proxy_mutex_lock(&pcre_mutex);
+		pcrefd->users++;
+		_3proxy_mutex_unlock(&pcre_mutex);
+	}
+#undef pcrefd
+	return idata;
+}
+
+
+
+static FILTER_ACTION pcre_filter_client(void *fo, struct clientparam * param, void** fc){
+	int res;
+	struct ace tmpace;
+
+	*fc = fo;
+	if(!fo) return PASS;
+#define pcrefd ((struct pcre_filter_data *)fo)
+	if(!pcrefd->acl) return CONTINUE;
+	memset (&tmpace, 0, sizeof(struct ace));
+	tmpace.src = pcrefd->acl->src;
+	res = pl->ACLMatches(&tmpace, param);
+#undef pcrefd
+	return (res)? CONTINUE:PASS;
+}
+
+static FILTER_ACTION pcre_filter_buffer(void *fc, struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
+	PCRE2_SIZE *ovector;
+	int count = 0;
+	struct ace *acl;
+	int match = 0;
+	int replen, num;
+	char * replace;
+	char * tmpbuf, *target, *newbuf;
+	int nreplaces=0;
+#define pcrefd ((struct pcre_filter_data *)fc)
+
+	for(acl = pcrefd->acl; acl; acl=acl->next){
+		if(pl->ACLMatches(pcrefd->acl, param)){
+			match = 1;
+			break;
+		}
+	}
+	if(!match) return CONTINUE;
+	if(!pcrefd->re) return pcrefd->action;
+	for(; offset < *length_p; nreplaces++){
+
+		count = pcre2_match(pcrefd->re, (PCRE2_SPTR)*buf_p, *length_p, offset, 0, pcrefd->match_data, NULL);
+		if(count <= 0) break;
+		ovector = pcre2_get_ovector_pointer(pcrefd->match_data);
+		if(!(replace = pcrefd->replace) || param->nooverwritefilter) return pcrefd->action;
+
+		replen = *length_p - ovector[1];
+		while(*replace){
+			if(*replace == '\\' && *(replace +1)){
+				replace+=2;
+				++replen;
+			}
+			else if(*replace == '$' && isnumber(*(replace+1))){
+				replace ++;
+				num = atoi(replace);
+				while(isnumber(*replace)) replace++;
+				if(num > (count - 1)) continue;
+				replen += (ovector[(num<<1) + 1] - ovector[(num<<1)]);
+			}
+			else {
+				replace++;
+				replen++;
+			}
+		}
+
+		tmpbuf =  pl->mallocfunc(replen);
+		if(!tmpbuf) return CONTINUE;
+		for(target = tmpbuf, replace = pcrefd->replace; *replace; ){
+			if(*replace == '\\' && *(replace +1)){
+				*target++ = replace[1];
+				replace+=2;
+			}
+			else if(*replace == '$' && isnumber(*(replace+1))){
+				replace ++;
+				num = atoi(replace);
+				if(num > (count - 1)) continue;
+				memcpy(target, *buf_p + ovector[(num<<1)], ovector[(num<<1) + 1] - ovector[(num<<1)]);
+				target += (ovector[(num<<1) + 1] - ovector[(num<<1)]);
+				while(isnumber(*replace)) replace++;
+			}
+			else {
+				*target++ = *replace++;
+			}
+		}
+		memcpy(target, *buf_p + ovector[1], *length_p - ovector[1]);
+		if((ovector[0] + replen + 1) > *bufsize_p){
+			newbuf = pl->mallocfunc(ovector[0] + replen + 1);
+			if(!newbuf){
+				pl->freefunc(tmpbuf);
+				return CONTINUE;
+			}
+			memcpy(newbuf, *buf_p, ovector[0]);
+			pl->freefunc(*buf_p);
+			*buf_p = (unsigned char *)newbuf;
+			*bufsize_p = ovector[0] + replen + 1;
+		}
+		memcpy(*buf_p + ovector[0], tmpbuf, replen);
+		pl->freefunc(tmpbuf);
+		(*buf_p)[ovector[0] + replen] = 0;
+		*length_p = ovector[0] + replen;
+		if(ovector[0] + replen <= offset){
+			break;
+		}
+		offset = ovector[0] + (int)strlen(pcrefd->replace);
+	}
+	return nreplaces? pcrefd->action : CONTINUE;
+#undef pcrefd
+}
+
+static void pcre_filter_clear(void *fo){
+}
+
+static void pcre_filter_close(void *fo){
+	if(!fo) return;
+	pcre_data_free((struct pcre_filter_data *)fo);
+}
+
+static int h_pcre(int argc, unsigned char **argv){
+	int action = 0;
+	pcre2_code *re = NULL;
+	pcre2_match_data *match_data = NULL;
+	struct ace *acl;
+	int errcode;
+	PCRE2_SIZE erroffset;
+	struct pcre_filter_data *flt;
+	struct filter *newf;
+	char * replace = NULL;
+
+	if(!strncmp((char *)argv[2], "allow",5)) action = PASS;
+	else if(!strncmp((char *)argv[2], "deny",4)) action = REJECT;
+	else if(!strncmp((char *)argv[2], "remove",6)) action = REMOVE;
+	else if(!strncmp((char *)argv[2], "dunno",5)) action = CONTINUE;
+	else return 1;
+	if(!strncmp((char *)argv[0], "pcre_rewrite", 12)) {
+		int i,j;
+		replace = pl->strdupfunc((char *)argv[4]);
+		if(!replace) return 9;
+		for(i=0, j=0; replace[i]; i++, j++){
+			if(replace[i] == '\\'){
+				switch(replace[i+1]){
+				case 'r':
+					i++;
+					replace[j] = '\r';
+					break;
+				case 'n':
+					i++;
+					replace[j] = '\n';
+					break;
+				case '0':
+					i++;
+					replace[j] = 0;
+					break;
+				case '\\':
+					i++;
+				default:
+					replace[j] = '\\';
+					break;
+				}
+			}
+			else replace[j] = replace[i];
+		}
+		replace[j] = 0;
+	}
+	if(!(acl = pl->make_ace(argc - 4, argv + 4))) return 2;
+	acl->nolog = (strstr((char *)argv[2],"log") == 0);
+	if(*argv[3] && !(*argv[3] == '*' && !argv[3][1]) ){
+		re = pcre2_compile((PCRE2_SPTR)argv[3], PCRE2_ZERO_TERMINATED, pcre_options, &errcode, &erroffset, NULL);
+		if(!re) {
+			pl->freefunc(acl);
+			if(replace) pl->freefunc(replace);
+			return 3;
+		}
+		match_data = pcre2_match_data_create_from_pattern(re, NULL);
+		if(!match_data) {
+			pcre2_code_free(re);
+			pl->freefunc(acl);
+			if(replace) pl->freefunc(replace);
+			return 4;
+		}
+	}
+	flt = pl->mallocfunc(sizeof(struct pcre_filter_data));
+	newf = pl->mallocfunc(sizeof(struct filter));
+
+	if(!flt || !newf) {
+		if(match_data) pcre2_match_data_free(match_data);
+		if(re) pcre2_code_free(re);
+		pl->freefunc(acl);
+		if(replace) pl->freefunc(replace);
+		if(flt) pl->freefunc(flt);
+		return 4;
+	}
+	memset(flt, 0, sizeof(struct pcre_filter_data));
+	memset(newf, 0, sizeof(struct filter));
+	flt->action = action;
+	flt->re = re;
+	flt->match_data = match_data;
+	flt->acl = acl;
+	flt->replace = replace;
+	flt->users = 1;
+	newf->instance = "pcre";
+	newf->data = flt;
+	newf->filter_open = pcre_filter_open;
+	newf->filter_client = pcre_filter_client;
+	if(strstr((char *)argv[1], "request"))newf->filter_request = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "cliheader"))newf->filter_header_cli = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "clidata"))newf->filter_data_cli = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "srvheader"))newf->filter_header_srv = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "srvdata"))newf->filter_data_srv = pcre_filter_buffer;
+	newf->filter_clear = pcre_filter_clear;
+	newf->filter_close = pcre_filter_close;
+
+	if(!pcre_last_filter){
+		newf->next = pcre_first_filter.next;
+		pcre_first_filter.next=newf;
+	}
+	else {
+		newf->next = pcre_last_filter->next;
+		pcre_last_filter->next = newf;
+	}
+	pcre_last_filter=newf;
+
+	return 0;
+}
+
+static int h_pcre_rewrite(int argc, unsigned char **argv){
+	int action = 0;
+	pcre2_code *re = NULL;
+	pcre2_match_data *match_data = NULL;
+	struct ace *acl;
+	int errcode;
+	PCRE2_SIZE erroffset;
+	struct pcre_filter_data *flt;
+	struct filter *newf;
+	char * replace = NULL;
+
+	if(!strncmp((char *)argv[2], "allow",5)) action = PASS;
+	else if(!strncmp((char *)argv[2], "deny",4)) action = REJECT;
+	else if(!strncmp((char *)argv[2], "remove",6)) action = REMOVE;
+	else if(!strncmp((char *)argv[2], "dunno",5)) action = CONTINUE;
+	else return 1;
+	{
+		int i,j;
+		replace = pl->strdupfunc((char *)argv[4]);
+		if(!replace) return 9;
+		for(i=0, j=0; replace[i]; i++, j++){
+			if(replace[i] == '\\'){
+				switch(replace[i+1]){
+				case 'r':
+					i++;
+					replace[j] = '\r';
+					break;
+				case 'n':
+					i++;
+					replace[j] = '\n';
+					break;
+				case '0':
+					i++;
+					replace[j] = 0;
+					break;
+				case '\\':
+					i++;
+				default:
+					replace[j] = '\\';
+					break;
+				}
+			}
+			else replace[j] = replace[i];
+		}
+		replace[j] = 0;
+	}
+	if(!(acl = pl->make_ace(argc - 5, argv + 5))) return 2;
+	acl->nolog = (strstr((char *)argv[2],"log") == 0);
+	if(*argv[3] && !(*argv[3] == '*' && !argv[3][1]) ){
+		re = pcre2_compile((PCRE2_SPTR)argv[3], PCRE2_ZERO_TERMINATED, pcre_options, &errcode, &erroffset, NULL);
+		if(!re) {
+			pl->freefunc(acl);
+			if(replace) pl->freefunc(replace);
+			return 3;
+		}
+		match_data = pcre2_match_data_create_from_pattern(re, NULL);
+		if(!match_data) {
+			pcre2_code_free(re);
+			pl->freefunc(acl);
+			if(replace) pl->freefunc(replace);
+			return 4;
+		}
+	}
+	flt = pl->mallocfunc(sizeof(struct pcre_filter_data));
+	newf = pl->mallocfunc(sizeof(struct filter));
+
+	if(!flt || !newf) {
+		if(match_data) pcre2_match_data_free(match_data);
+		if(re) pcre2_code_free(re);
+		pl->freefunc(acl);
+		if(replace) pl->freefunc(replace);
+		if(flt) pl->freefunc(flt);
+		return 4;
+	}
+	memset(flt, 0, sizeof(struct pcre_filter_data));
+	memset(newf, 0, sizeof(struct filter));
+	flt->action = action;
+	flt->re = re;
+	flt->match_data = match_data;
+	flt->acl = acl;
+	flt->replace = replace;
+	flt->users = 1;
+	newf->instance = "pcre";
+	newf->data = flt;
+	newf->filter_open = pcre_filter_open;
+	newf->filter_client = pcre_filter_client;
+	if(strstr((char *)argv[1], "request"))newf->filter_request = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "cliheader"))newf->filter_header_cli = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "clidata"))newf->filter_data_cli = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "srvheader"))newf->filter_header_srv = pcre_filter_buffer;
+	if(strstr((char *)argv[1], "srvdata"))newf->filter_data_srv = pcre_filter_buffer;
+	newf->filter_clear = pcre_filter_clear;
+	newf->filter_close = pcre_filter_close;
+
+	if(!pcre_last_filter){
+		newf->next = pcre_first_filter.next;
+		pcre_first_filter.next=newf;
+	}
+	else {
+		newf->next = pcre_last_filter->next;
+		pcre_last_filter->next = newf;
+	}
+	pcre_last_filter=newf;
+
+	return 0;
+}
+
+static int h_pcre_extend(int argc, unsigned char **argv){
+	struct ace *acl;
+	if(!pcre_last_filter || !pcre_last_filter->data) return 1;
+	acl = ((struct pcre_filter_data *)pcre_last_filter->data)->acl;
+	if(!acl) return 2;
+	for(; acl->next; acl=acl->next);
+	acl->next = (*pl->make_ace)(argc - 1, argv + 1);
+	if(!acl->next) return 3;
+	return 0;
+}
+
+static int h_pcre_options(int argc, unsigned char **argv){
+	int i,j;
+
+	pcre_options = 0;
+	for(j=1; jsymbols.next;
+		pl->symbols.next = regexp_symbols;
+		pcre_commandhandlers[3].next = pl->commandhandlers->next;
+		pl->commandhandlers->next = pcre_commandhandlers;
+		pcre_first_filter.next = pl->conf->filters;
+		pl->conf->filters = &pcre_first_filter;
+	}
+	else if(pcre_last_filter){
+		pcre_first_filter.next = pcre_last_filter->next;
+		flt = pcre_first_filter.next;
+		for(; flt; flt = tmpflt){
+			tmpflt = flt->next;
+			if(flt->data)
+				pcre_data_free((struct pcre_filter_data *)flt->data);
+			pl->freefunc(flt);
+			if(flt == pcre_last_filter) break;
+		}
+	}
+	pcre_last_filter = NULL;
+ }
+
+#ifdef  __cplusplus
+}
+#endif
diff --git a/src/pcre.h b/src/pcre.h
new file mode 100644
index 0000000..539b7f6
--- /dev/null
+++ b/src/pcre.h
@@ -0,0 +1,6 @@
+#ifndef __pcre_h__
+#define __pcre_h__
+
+void pcre_install(void);
+
+#endif /* __pcre_h__ */
diff --git a/src/plugins.c b/src/plugins.c
index a0681df..dda97ca 100644
--- a/src/plugins.c
+++ b/src/plugins.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -11,8 +11,6 @@
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout);
 void trafcountfunc(struct clientparam *param);
 int checkACL(struct clientparam * param);
-void nametohash(const unsigned char * name, unsigned char *hash);
-unsigned hashindex(const unsigned char* hash);
 void decodeurl(unsigned char *s, int allowcr);
 int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned char ** buff, int *inbuf, int *bufsize);
 struct ace * make_ace (int argc, unsigned char ** argv);
@@ -45,35 +43,34 @@ struct symbol symbols[] = {
 	{symbols+18, "ipauth", (void *) ipauth},
 	{symbols+19, "strongauth", (void *) strongauth},
 	{symbols+20, "checkACL", (void *) checkACL},
-	{symbols+21, "nametohash", (void *) nametohash},
-	{symbols+22, "hashindex", (void *) hashindex},
-	{symbols+23, "nservers", (void *) nservers},
-	{symbols+24, "udpresolve", (void *) udpresolve},
-	{symbols+25, "bandlim_mutex", (void *) &bandlim_mutex},
-	{symbols+26, "tc_mutex", (void *) &tc_mutex},
-	{symbols+27, "hash_mutex", (void *) &hash_mutex},
-	{symbols+28, "pwl_mutex", (void *) &pwl_mutex},
-	{symbols+29, "linenum", (void *) &linenum},
-	{symbols+30, "proxy_stringtable", (void *) proxy_stringtable},
-	{symbols+31, "en64", (void *) en64},
-	{symbols+32, "de64", (void *) de64},
-	{symbols+33, "tohex", (void *) tohex},
-	{symbols+34, "fromhex", (void *) fromhex},
-	{symbols+35, "dnspr", (void *) dnsprchild},
-	{symbols+36, "pop3p", (void *) pop3pchild},
-	{symbols+37, "proxy", (void *) proxychild},
-	{symbols+38, "socks", (void *) sockschild},
-	{symbols+39, "tcppm", (void *) tcppmchild},
-	{symbols+40, "udppm", (void *) udppmchild},
-	{symbols+41, "admin", (void *) adminchild},
-	{symbols+42, "ftppr", (void *) ftpprchild},
-	{symbols+43, "smtpp", (void *) smtppchild},
-	{symbols+44, "authfuncs", (void *) &authfuncs},
-	{symbols+45, "commandhandlers", (void *) &commandhandlers},
-	{symbols+46, "decodeurl", (void *) decodeurl},
-	{symbols+47, "parsestr", (void *) parsestr},
-	{symbols+48, "make_ace", (void *) make_ace},
-	{symbols+49, "freeacl", (void *) freeacl},
+	{symbols+21, "nservers", (void *) nservers},
+	{symbols+22, "udpresolve", (void *) udpresolve},
+	{symbols+23, "bandlim_mutex", (void *) &bandlim_mutex},
+	{symbols+24, "tc_mutex", (void *) &tc_mutex},
+	{symbols+25, "linenum", (void *) &linenum},
+	{symbols+26, "proxy_stringtable", (void *) proxy_stringtable},
+	{symbols+27, "en64", (void *) en64},
+	{symbols+28, "de64", (void *) de64},
+	{symbols+29, "tohex", (void *) tohex},
+	{symbols+30, "fromhex", (void *) fromhex},
+	{symbols+31, "dnspr", (void *) dnsprchild},
+	{symbols+32, "pop3p", (void *) pop3pchild},
+	{symbols+33, "proxy", (void *) proxychild},
+	{symbols+34, "socks", (void *) sockschild},
+	{symbols+35, "tcppm", (void *) tcppmchild},
+	{symbols+36, "udppm", (void *) udppmchild},
+	{symbols+37, "admin", (void *) adminchild},
+	{symbols+38, "ftppr", (void *) ftpprchild},
+	{symbols+39, "smtpp", (void *) smtppchild},
+	{symbols+40, "auto", (void *) smtppchild},
+	{symbols+41, "tlspr", (void *) smtppchild},
+	{symbols+42, "authfuncs", (void *) &authfuncs},
+	{symbols+43, "commandhandlers", (void *) &commandhandlers},
+	{symbols+44, "decodeurl", (void *) decodeurl},
+	{symbols+45, "parsestr", (void *) parsestr},
+	{symbols+46, "make_ace", (void *) make_ace},
+	{symbols+47, "freeacl", (void *) freeacl},
+	{symbols+48, "handleredirect", (void *) handleredirect},
 	{NULL, "", NULL}
 };
 
@@ -108,8 +105,6 @@ struct pluginlink pluginlink = {
 	ACLmatches,		
 	alwaysauth,
 	checkACL,
-	nametohash,
-	hashindex,
 	en64,
 	de64,
 	tohex,
@@ -117,10 +112,10 @@ struct pluginlink pluginlink = {
 	decodeurl,
 	parsestr,
 	make_ace,
-	myalloc,
-	myfree,
-	myrealloc,
-	mystrdup,
+	malloc,
+	free,
+	realloc,
+	strdup,
 	trafcountfunc,
 	proxy_stringtable,
 	&schedule,
diff --git a/src/plugins/FilePlugin/CMakeLists.txt b/src/plugins/FilePlugin/CMakeLists.txt
new file mode 100644
index 0000000..b81be48
--- /dev/null
+++ b/src/plugins/FilePlugin/CMakeLists.txt
@@ -0,0 +1,4 @@
+# FilePlugin
+add_3proxy_plugin(FilePlugin
+    SOURCES FilePlugin.c
+)
diff --git a/src/plugins/FilePlugin/FilePlugin.c b/src/plugins/FilePlugin/FilePlugin.c
index 6833c2c..d211811 100644
--- a/src/plugins/FilePlugin/FilePlugin.c
+++ b/src/plugins/FilePlugin/FilePlugin.c
@@ -1,6 +1,5 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2007-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2007-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -38,13 +37,15 @@ extern "C" {
 #ifndef _WIN32
 #define WINAPI
 #define fp_size_t size_t
+#define fp_ssize_t ssize_t
 #else
 #define fp_size_t int
+#define fp_ssize_t int
 #endif
 
 static struct pluginlink * pl;
 
-static pthread_mutex_t file_mutex;
+static _3proxy_mutex_t file_mutex;
 
 unsigned long preview = 0;
 
@@ -206,7 +207,7 @@ static void closefiles(struct fp_stream *fps){
 static int searchsocket(SOCKET s, struct fp_stream **pfps){
 	struct fp_stream *fps = NULL;
 	int ret = 0;
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	for(fps = fp_streams; fps; fps = fps->next){
 		if(fps->fpd.cp->clisock == s) {
 			ret = 1;
@@ -221,7 +222,7 @@ static int searchsocket(SOCKET s, struct fp_stream **pfps){
 			break;
 		}
 	}
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	*pfps = fps;
 	return ret;
 }
@@ -234,7 +235,7 @@ static void freecallback(struct fp_stream * fps, struct fp_callback * fpc){
 
 static void removefps(struct fp_stream * fps){
 	if(!fp_streams) return;
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	if(fp_streams == fps)fp_streams = fps->next;
 	else {
 		struct fp_stream *fps2;
@@ -247,7 +248,7 @@ static void removefps(struct fp_stream * fps){
 		}
 		
 	}
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	if(fps->callbacks){
 		freecallback(fps, fps->callbacks);
 		fps->callbacks = 0;
@@ -261,7 +262,7 @@ static void removefps(struct fp_stream * fps){
 }
 
 static int WINAPI fp_connect(SOCKET s, const struct sockaddr *name, fp_size_t namelen){
- return sso._connect(s, name, namelen);
+ return sso._connect(sso.state, s, name, namelen);
 }
 
 void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
@@ -286,7 +287,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case  GOT_SMTP_REQ:
 			case  GOT_SMTP_DATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->clisock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			case GOT_HTTP_REQUEST:
@@ -298,7 +299,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_HTTP_SRVDATA:
 				if(!fps->serversent){
 					fps->state = FLUSH_DATA;
-					pl->socksend(fps->fpd.cp->clisock, fp_stringtable[0], (int)strlen(fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
+					pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[0], (int)strlen((char *)fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
 					fps->state = state;
 				}
 				break;
@@ -306,15 +307,15 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_FTP_REQ:
 			case GOT_FTP_SRVDATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->ctrlsock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			default:
 				break;
 		}
-		if(fps->fpd.cp->remsock != INVALID_SOCKET)sso._closesocket(fps->fpd.cp->remsock);
+		if(fps->fpd.cp->remsock != INVALID_SOCKET)sso._closesocket(sso.state, fps->fpd.cp->remsock);
 		fps->fpd.cp->remsock = INVALID_SOCKET;
-		if(fps->fpd.cp->clisock != INVALID_SOCKET)sso._closesocket(fps->fpd.cp->clisock);
+		if(fps->fpd.cp->clisock != INVALID_SOCKET)sso._closesocket(sso.state, fps->fpd.cp->clisock);
 		fps->fpd.cp->clisock = INVALID_SOCKET;
 	}
 }
@@ -358,7 +359,7 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 			if(fps->serversent >= fps->srvhdrwritten){
 				sprintf(fps->buf, "%lx\r\n", len);
 				sendchunk = (int)strlen(fps->buf);
-				if(pl->socksend(fps->fpd.cp->clisock, fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
+				if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
 					return -4;
 				}
 			} 
@@ -397,24 +398,27 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 #endif
 			return -3;
 		}
-		if(pl->socksend(sock, fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
+		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
 			return -4;
 		}
 		len -= res;
 	}
 	if(sendchunk){
-		if(pl->socksend(sock, "\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
+		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)"\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
 			return -4;
 	}
 	fps->state = state;
 	return 0;
 }
 
-static int WINAPI fp_poll(struct pollfd *fds, unsigned int nfds, int timeout){
+#ifdef _WIN32
+static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, int timeout){
+#else
+static int fp_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
+#endif
  struct fp_stream *fps = NULL;
  int res;
  unsigned i;
- int to;
 
  for(i = 0; istate = 0;
-		return sso._send(s, msg, len, flags);
+		return sso._send(sso.state, s, msg, len, flags);
 	}
 	if((((fps->what & FP_CLIHEADER) && (fps->state == GOT_HTTP_REQUEST || fps->state == GOT_HTTP_CLI_HDR2)) || ((fps->what & FP_CLIDATA) && fps->state == GOT_HTTP_CLIDATA))){
 #ifdef _WIN32
@@ -499,11 +507,11 @@ static int WINAPI fp_send(SOCKET s, const char *msg, fp_size_t len, int flags){
 		int hasnonzero = 0, i;
 		
 		for(i=0; i < len; i++){
-			char c = msg[i];
+			char c = ((char *)msg)[i];
 
 			if(c == '\r' || c == '\n') continue;
 			if((c<'0'|| c>'9') && (c<'A' || c>'F') && (c<'a' || c>'f')) {
-				return sso._send(s, msg, len, flags);
+				return sso._send(sso.state, s, msg, len, flags);
 			}
 			if(c != '0') hasnonzero = 1;
 		}
@@ -518,7 +526,7 @@ static int WINAPI fp_send(SOCKET s, const char *msg, fp_size_t len, int flags){
 			}
 			closefiles(fps);
 			fps->state = 0;
-			return sso._send(s, msg, len, flags);
+			return sso._send(sso.state, s, msg, len, flags);
 		}
 		return len;
 	}
@@ -540,9 +548,14 @@ static int WINAPI fp_send(SOCKET s, const char *msg, fp_size_t len, int flags){
 		return res;
 	}
  }
- return sso._send(s, msg, len, flags);
+ return sso._send(sso.state, s, msg, len, flags);
 }
-static int WINAPI fp_sendto(SOCKET s, const void *msg, int len, int flags, const struct sockaddr *to, fp_size_t tolen){
+#ifdef _WIN32
+static int WINAPI fp_sendto(void *state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen
+#else
+static fp_ssize_t fp_sendto(void *state, SOCKET s, const void *msg, fp_size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen
+#endif
+){
  struct fp_stream *fps = NULL;
  int res;
  res = searchsocket(s, &fps);
@@ -658,15 +671,25 @@ static int WINAPI fp_sendto(SOCKET s, const void *msg, int len, int flags, const
 		return res;
 	}
  }
- return sso._sendto(s, msg, len, flags, to, tolen);
+ return sso._sendto(sso.state, s, msg, len, flags, to, tolen);
 }
-static int WINAPI fp_recv(SOCKET s, void *buf, fp_size_t len, int flags){
- return sso._recv(s, buf, len, flags);
+#ifdef _WIN32
+static int WINAPI fp_recv(void *state, SOCKET s, char *buf, int len, int flags
+#else
+static fp_ssize_t fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags
+#endif
+){
+ return sso._recv(sso.state, s, buf, len, flags);
 }
-static int WINAPI fp_recvfrom(SOCKET s, void * buf, fp_size_t len, int flags, struct sockaddr * from, fp_size_t * fromlen){
- return sso._recvfrom(s, buf, len, flags, from, fromlen);
+#ifdef _WIN32
+static int WINAPI fp_recvfrom(void *state, SOCKET s, char *buf, int len, int flags, struct sockaddr * from, int * fromlen
+#else
+static fp_ssize_t fp_recvfrom(void *state, SOCKET s, void *buf, fp_size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen
+#endif
+){
+ return sso._recvfrom(sso.state, s, buf, len, flags, from, fromlen);
 }
-static int WINAPI fp_shutdown(SOCKET s, int how){
+static int WINAPI fp_shutdown(void *state, SOCKET s, int how){
  struct fp_stream *fps = NULL;
 
  int res;
@@ -690,10 +713,10 @@ static int WINAPI fp_shutdown(SOCKET s, int how){
 	}
  }
  
- return sso._shutdown(s, how);
+ return sso._shutdown(sso.state, s, how);
 }
-static int WINAPI fp_closesocket(SOCKET s){
- return sso._closesocket(s);
+static int WINAPI fp_closesocket(void *state, SOCKET s){
+ return sso._closesocket(sso.state, s);
 }
 
 
@@ -731,7 +754,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
  fpc->max_size = max_size;
  fpc->data = data;
  fpc->callback = cb;
- pthread_mutex_lock(&file_mutex);
+ _3proxy_mutex_lock(&file_mutex);
  fps = addfps(cp);
  if(fps){
 	 fpc->next = fps->callbacks;
@@ -740,7 +763,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
 	 if(preview_size > fps->preview_size) fps->preview_size = preview_size;
  }
  else free(fpc);
- pthread_mutex_unlock(&file_mutex);
+ _3proxy_mutex_unlock(&file_mutex);
  return fps?1:0;
 }
 
@@ -754,9 +777,9 @@ static void * fp_open(void * idata, struct srvparam * param){
 
 static FILTER_ACTION fp_client(void *fo, struct clientparam * param, void** fc){
 
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	(*fc) = (void *)addfps(param);
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	return CONTINUE;
 }
 
@@ -766,7 +789,7 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 			closefiles(FC);
 			FC->state = 0;
 		}
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what &FP_REJECT) return REJECT;
 		FC->state = GOT_HTTP_REQUEST;
 		genpaths(FC);
@@ -778,13 +801,13 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 
 static FILTER_ACTION fp_hcli(void *fc, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
 	if(fc && param->service == S_SMTPP) {
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		if(!FC->state)genpaths(FC);
 		FC->state = GOT_SMTP_REQ;
 	}
 	if(fc && param->service == S_FTPPR) {
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		genpaths(FC);
 		FC->state = GOT_FTP_REQ;
@@ -832,6 +855,8 @@ static struct filter fp_filter = {
 	fp_open,
 	fp_client,
 	fp_request,
+	NULL,
+	NULL,
 	fp_hcli,
 	fp_hsrv,
 	NULL,
@@ -850,7 +875,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 	char * dirp;
 	size_t len;
 
-	dirp = (argc > 1)? argv[1] : getenv("TEMP");
+	dirp = (argc > 1)? (char *)argv[1] : getenv("TEMP");
 	len = strlen(dirp);
 	if(!dirp || !len || len > 200 || strchr(dirp, '%')) {
 		fprintf(stderr, "FilePlugin: invalid directory path: %s\n", dirp);
@@ -867,7 +892,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 }
 
 static int h_preview(int argc, unsigned char **argv){
-	preview = atoi(argv[1]);
+	preview = atoi((char *)argv[1]);
 	return 0;
 }
 
@@ -888,7 +913,7 @@ static int file_loaded=0;
 					 int argc, char** argv){
 
 	if(!file_loaded){
-		pthread_mutex_init(&file_mutex, NULL);
+		_3proxy_mutex_init(&file_mutex);
 		file_loaded = 1;
 		pl = pluginlink;
 		memcpy(&sso, pl->so, sizeof(struct sockfuncs));
diff --git a/src/plugins/PCREPlugin/Makefile b/src/plugins/LdapPlugin/Makefile
similarity index 100%
rename from src/plugins/PCREPlugin/Makefile
rename to src/plugins/LdapPlugin/Makefile
diff --git a/src/plugins/LdapPlugin/ldapauth.c b/src/plugins/LdapPlugin/ldapauth.c
index 1572b4d..2d98bd0 100644
--- a/src/plugins/LdapPlugin/ldapauth.c
+++ b/src/plugins/LdapPlugin/ldapauth.c
@@ -61,7 +61,7 @@ int savecounters(void)
  unsigned char *tmpbuf,pat_file[]="%s%s.lc";
 
 
- /* timetoexit !=0 -  .*/
+ /* timetoexit !=0 - будем завершаться.*/
  while (tc != NULL) 
   {
     tcd = tc;
@@ -72,7 +72,7 @@ int savecounters(void)
       sprintf(tmpbuf,pat_file,ldap_dircount,tcd->ace->users->user);
       f=fopen(tmpbuf,"w+b");
       fseek(f,0,SEEK_SET);
-      fprintf(f,"%"PRINTF_INT64_MODIFIER"u %lu %lu\n",tcd->traf64,
+      fprintf(f,"%"PRIu64" %lu %lu\n",tcd->traf64,
 					(unsigned long)tcd->cleared,(unsigned long)tcd->updated);
 
       fclose(f);
@@ -387,7 +387,7 @@ int h_trafgroup(int argc, unsigned char ** argv)
 		
                fseek(f,0,SEEK_SET);
                fgets(buf, 256, f); 
-  	       sscanf(buf,"%"PRINTF_INT64_MODIFIER"u %lu %lu\n",&rcounter.traf64, 
+  	       sscanf(buf,"%"SCNu64" %lu %lu\n",&rcounter.traf64, 
 				&rcounter.cleared, &rcounter.updated);
 
 
diff --git a/src/plugins/PCREPlugin/Makefile.inc b/src/plugins/PCREPlugin/Makefile.inc
deleted file mode 100644
index ba81a9b..0000000
--- a/src/plugins/PCREPlugin/Makefile.inc
+++ /dev/null
@@ -1,62 +0,0 @@
-all: $(BUILDDIR)PCREPlugin$(DLSUFFICS) 
-
-pcre_maketables$(OBJSUFFICS): pcre_maketables.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_maketables.c
-
-pcre_table$(OBJSUFFICS): pcre_table.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_table.c
-
-pcre_ucd$(OBJSUFFICS): pcre_ucd.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_ucd.c
-
-pcre_compile$(OBJSUFFICS): pcre_compile.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_compile.c
-
-pcre_config$(OBJSUFFICS): pcre_config.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_config.c
-
-pcre_dfa_exec$(OBJSUFFICS): pcre_dfa_exec.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_dfa_exec.c
-
-pcre_exec$(OBJSUFFICS): pcre_exec.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_exec.c
-
-pcre_fullinfo$(OBJSUFFICS): pcre_fullinfo.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_fullinfo.c
-
-pcre_get$(OBJSUFFICS): pcre_get.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_get.c
-
-pcre_globals$(OBJSUFFICS): pcre_globals.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_globals.c
-
-pcre_newline$(OBJSUFFICS): pcre_newline.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_newline.c
-
-pcre_ord2utf8$(OBJSUFFICS): pcre_ord2utf8.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_ord2utf8.c
-
-pcre_refcount$(OBJSUFFICS): pcre_refcount.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_refcount.c
-
-pcre_study$(OBJSUFFICS): pcre_study.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_study.c
-
-pcre_tables$(OBJSUFFICS): pcre_tables.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_tables.c
-
-pcre_valid_utf8$(OBJSUFFICS): pcre_valid_utf8.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_valid_utf8.c
-
-pcre_version$(OBJSUFFICS): pcre_version.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_version.c
-
-pcre_xclass$(OBJSUFFICS): pcre_xclass.c
-	$(CC) $(DCFLAGS) $(CFLAGS)  pcre_xclass.c
-
-pcre_plugin$(OBJSUFFICS): pcre_plugin.c
-	$(CC) $(DCFLAGS) $(CFLAGS) pcre_plugin.c
-
-$(BUILDDIR)PCREPlugin$(DLSUFFICS): pcre_compile$(OBJSUFFICS) pcre_config$(OBJSUFFICS) pcre_dfa_exec$(OBJSUFFICS) pcre_exec$(OBJSUFFICS) pcre_fullinfo$(OBJSUFFICS) pcre_get$(OBJSUFFICS) pcre_globals$(OBJSUFFICS) pcre_newline$(OBJSUFFICS) pcre_ord2utf8$(OBJSUFFICS) pcre_refcount$(OBJSUFFICS) pcre_study$(OBJSUFFICS) pcre_tables$(OBJSUFFICS) pcre_valid_utf8$(OBJSUFFICS) pcre_version$(OBJSUFFICS) pcre_xclass$(OBJSUFFICS) pcre_plugin$(OBJSUFFICS) pcre_maketables$(OBJSUFFICS) pcre_ucd$(OBJSUFFICS) pcre_table$(OBJSUFFICS)
-	$(LN) $(LNOUT)../../$(BUILDDIR)PCREPlugin$(DLSUFFICS) $(LDFLAGS) $(DLFLAGS) pcre_compile$(OBJSUFFICS) pcre_config$(OBJSUFFICS) pcre_dfa_exec$(OBJSUFFICS) pcre_exec$(OBJSUFFICS) pcre_fullinfo$(OBJSUFFICS) pcre_get$(OBJSUFFICS) pcre_globals$(OBJSUFFICS) pcre_newline$(OBJSUFFICS) pcre_ord2utf8$(OBJSUFFICS) pcre_refcount$(OBJSUFFICS) pcre_study$(OBJSUFFICS) pcre_tables$(OBJSUFFICS) pcre_valid_utf8$(OBJSUFFICS) pcre_version$(OBJSUFFICS) pcre_xclass$(OBJSUFFICS) pcre_plugin$(OBJSUFFICS) pcre_maketables$(OBJSUFFICS) pcre_ucd$(OBJSUFFICS) pcre_table$(OBJSUFFICS)
-
diff --git a/src/plugins/PCREPlugin/config.h b/src/plugins/PCREPlugin/config.h
deleted file mode 100644
index 50e6ee5..0000000
--- a/src/plugins/PCREPlugin/config.h
+++ /dev/null
@@ -1,352 +0,0 @@
-#define PCRE_STATIC
-/* config.h.  Generated from config.h.in by configure.  */
-/* config.h.in.  Generated from configure.ac by autoheader.  */
-
-/* PCRE is written in Standard C, but there are a few non-standard things it
-can cope with, allowing it to run on SunOS4 and other "close to standard"
-systems.
-
-In environments that support the GNU autotools, config.h.in is converted into
-config.h by the "configure" script. In environments that use CMake,
-config-cmake.in is converted into config.h. If you are going to build PCRE "by
-hand" without using "configure" or CMake, you should copy the distributed
-config.h.generic to config.h, and edit the macro definitions to be the way you
-need them. You must then add -DHAVE_CONFIG_H to all of your compile commands,
-so that config.h is included at the start of every source.
-
-Alternatively, you can avoid editing by using -D on the compiler command line
-to set the macro values. In this case, you do not have to set -DHAVE_CONFIG_H,
-but if you do, default values will be taken from config.h for non-boolean
-macros that are not defined on the command line.
-
-Boolean macros such as HAVE_STDLIB_H and SUPPORT_PCRE8 should either be defined
-(conventionally to 1) for TRUE, and not defined at all for FALSE. All such
-macros are listed as a commented #undef in config.h.generic. Macros such as
-MATCH_LIMIT, whose actual value is relevant, have defaults defined, but are
-surrounded by #ifndef/#endif lines so that the value can be overridden by -D.
-
-PCRE uses memmove() if HAVE_MEMMOVE is defined; otherwise it uses bcopy() if
-HAVE_BCOPY is defined. If your system has neither bcopy() nor memmove(), make
-sure both macros are undefined; an emulation function will then be used. */
-
-/* By default, the \R escape sequence matches any Unicode line ending
-   character or sequence of characters. If BSR_ANYCRLF is defined (to any
-   value), this is changed so that backslash-R matches only CR, LF, or CRLF.
-   The build-time default can be overridden by the user of PCRE at runtime. */
-/* #undef BSR_ANYCRLF */
-
-/* If you are compiling for a system that uses EBCDIC instead of ASCII
-   character codes, define this macro to any value. You must also edit the
-   NEWLINE macro below to set a suitable EBCDIC newline, commonly 21 (0x15).
-   On systems that can use "configure" or CMake to set EBCDIC, NEWLINE is
-   automatically adjusted. When EBCDIC is set, PCRE assumes that all input
-   strings are in EBCDIC. If you do not define this macro, PCRE will assume
-   input strings are ASCII or UTF-8/16/32 Unicode. It is not possible to build
-   a version of PCRE that supports both EBCDIC and UTF-8/16/32. */
-/* #undef EBCDIC */
-
-/* In an EBCDIC environment, define this macro to any value to arrange for the
-   NL character to be 0x25 instead of the default 0x15. NL plays the role that
-   LF does in an ASCII/Unicode environment. The value must also be set in the
-   NEWLINE macro below. On systems that can use "configure" or CMake to set
-   EBCDIC_NL25, the adjustment of NEWLINE is automatic. */
-/* #undef EBCDIC_NL25 */
-
-/* Define to 1 if you have the `bcopy' function. */
-/* #undef HAVE_BCOPY */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_BITS_TYPE_TRAITS_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_BZLIB_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_DIRENT_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_DLFCN_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_EDITLINE_READLINE_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_EDIT_READLINE_READLINE_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_INTTYPES_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_LIMITS_H */
-
-/* Define to 1 if the system has the type `long long'. */
-/* #undef HAVE_LONG_LONG */
-
-/* Define to 1 if you have the `memmove' function. */
-/* #undef HAVE_MEMMOVE */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_MEMORY_H */
-
-/* Define if you have POSIX threads libraries and header files. */
-/* #undef HAVE_PTHREAD */
-
-/* Have PTHREAD_PRIO_INHERIT. */
-/* #undef HAVE_PTHREAD_PRIO_INHERIT */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_READLINE_HISTORY_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_READLINE_READLINE_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_STDINT_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_STDLIB_H */
-
-/* Define to 1 if you have the `strerror' function. */
-/* #undef HAVE_STRERROR */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_STRING */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_STRINGS_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_STRING_H */
-
-/* Define to 1 if you have `strtoimax'. */
-/* #undef HAVE_STRTOIMAX */
-
-/* Define to 1 if you have `strtoll'. */
-/* #undef HAVE_STRTOLL */
-
-/* Define to 1 if you have `strtoq'. */
-/* #undef HAVE_STRTOQ */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_SYS_STAT_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_SYS_TYPES_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_TYPE_TRAITS_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_UNISTD_H */
-
-/* Define to 1 if the system has the type `unsigned long long'. */
-/* #undef HAVE_UNSIGNED_LONG_LONG */
-
-/* Define to 1 if the compiler supports simple visibility declarations. */
-/* #undef HAVE_VISIBILITY */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_WINDOWS_H */
-
-/* Define to 1 if you have the  header file. */
-/* #undef HAVE_ZLIB_H */
-
-/* Define to 1 if you have `_strtoi64'. */
-/* #undef HAVE__STRTOI64 */
-
-/* The value of LINK_SIZE determines the number of bytes used to store links
-   as offsets within the compiled regex. The default is 2, which allows for
-   compiled patterns up to 64K long. This covers the vast majority of cases.
-   However, PCRE can also be compiled to use 3 or 4 bytes instead. This allows
-   for longer patterns in extreme cases. */
-#ifndef LINK_SIZE
-#define LINK_SIZE 2
-#endif
-
-/* Define to the sub-directory where libtool stores uninstalled libraries. */
-/* This is ignored unless you are using libtool. */
-#ifndef LT_OBJDIR
-#define LT_OBJDIR ".libs/"
-#endif
-
-/* The value of MATCH_LIMIT determines the default number of times the
-   internal match() function can be called during a single execution of
-   pcre_exec(). There is a runtime interface for setting a different limit.
-   The limit exists in order to catch runaway regular expressions that take
-   for ever to determine that they do not match. The default is set very large
-   so that it does not accidentally catch legitimate cases. */
-#ifndef MATCH_LIMIT
-#define MATCH_LIMIT 10000000
-#endif
-
-/* The above limit applies to all calls of match(), whether or not they
-   increase the recursion depth. In some environments it is desirable to limit
-   the depth of recursive calls of match() more strictly, in order to restrict
-   the maximum amount of stack (or heap, if NO_RECURSE is defined) that is
-   used. The value of MATCH_LIMIT_RECURSION applies only to recursive calls of
-   match(). To have any useful effect, it must be less than the value of
-   MATCH_LIMIT. The default is to use the same value as MATCH_LIMIT. There is
-   a runtime method for setting a different limit. */
-#ifndef MATCH_LIMIT_RECURSION
-#define MATCH_LIMIT_RECURSION MATCH_LIMIT
-#endif
-
-/* This limit is parameterized just in case anybody ever wants to change it.
-   Care must be taken if it is increased, because it guards against integer
-   overflow caused by enormously large patterns. */
-#ifndef MAX_NAME_COUNT
-#define MAX_NAME_COUNT 10000
-#endif
-
-/* This limit is parameterized just in case anybody ever wants to change it.
-   Care must be taken if it is increased, because it guards against integer
-   overflow caused by enormously large patterns. */
-#ifndef MAX_NAME_SIZE
-#define MAX_NAME_SIZE 32
-#endif
-
-/* The value of NEWLINE determines the default newline character sequence.
-   PCRE client programs can override this by selecting other values at run
-   time. In ASCII environments, the value can be 10 (LF), 13 (CR), or 3338
-   (CRLF); in EBCDIC environments the value can be 21 or 37 (LF), 13 (CR), or
-   3349 or 3365 (CRLF) because there are two alternative codepoints (0x15 and
-   0x25) that are used as the NL line terminator that is equivalent to ASCII
-   LF. In both ASCII and EBCDIC environments the value can also be -1 (ANY),
-   or -2 (ANYCRLF). */
-#ifndef NEWLINE
-#define NEWLINE 10
-#endif
-
-/* PCRE uses recursive function calls to handle backtracking while matching.
-   This can sometimes be a problem on systems that have stacks of limited
-   size. Define NO_RECURSE to any value to get a version that doesn't use
-   recursion in the match() function; instead it creates its own stack by
-   steam using pcre_recurse_malloc() to obtain memory from the heap. For more
-   detail, see the comments and other stuff just above the match() function.
-   */
-/* #undef NO_RECURSE */
-
-/* Name of package */
-#define PACKAGE "pcre"
-
-/* Define to the address where bug reports for this package should be sent. */
-#define PACKAGE_BUGREPORT ""
-
-/* Define to the full name of this package. */
-#define PACKAGE_NAME "PCRE"
-
-/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "PCRE 8.39"
-
-/* Define to the one symbol short name of this package. */
-#define PACKAGE_TARNAME "pcre"
-
-/* Define to the home page for this package. */
-#define PACKAGE_URL ""
-
-/* Define to the version of this package. */
-#define PACKAGE_VERSION "8.39"
-
-/* The value of PARENS_NEST_LIMIT specifies the maximum depth of nested
-   parentheses (of any kind) in a pattern. This limits the amount of system
-   stack that is used while compiling a pattern. */
-#ifndef PARENS_NEST_LIMIT
-#define PARENS_NEST_LIMIT 250
-#endif
-
-/* The value of PCREGREP_BUFSIZE determines the size of buffer used by
-   pcregrep to hold parts of the file it is searching. This is also the
-   minimum value. The actual amount of memory used by pcregrep is three times
-   this number, because it allows for the buffering of "before" and "after"
-   lines. */
-#ifndef PCREGREP_BUFSIZE
-#define PCREGREP_BUFSIZE 20480
-#endif
-
-/* If you are compiling for a system other than a Unix-like system or
-   Win32, and it needs some magic to be inserted before the definition
-   of a function that is exported by the library, define this macro to
-   contain the relevant magic. If you do not define this macro, a suitable
-    __declspec value is used for Windows systems; in other environments
-   "extern" is used for a C compiler and "extern C" for a C++ compiler.
-   This macro apears at the start of every exported function that is part
-   of the external API. It does not appear on functions that are "external"
-   in the C sense, but which are internal to the library. */
-/* #undef PCRE_EXP_DEFN */
-
-/* Define to any value if linking statically (TODO: make nice with Libtool) */
-/* #undef PCRE_STATIC */
-
-/* When calling PCRE via the POSIX interface, additional working storage is
-   required for holding the pointers to capturing substrings because PCRE
-   requires three integers per substring, whereas the POSIX interface provides
-   only two. If the number of expected substrings is small, the wrapper
-   function uses space on the stack, because this is faster than using
-   malloc() for each call. The threshold above which the stack is no longer
-   used is defined by POSIX_MALLOC_THRESHOLD. */
-#ifndef POSIX_MALLOC_THRESHOLD
-#define POSIX_MALLOC_THRESHOLD 10
-#endif
-
-/* Define to necessary symbol if this constant uses a non-standard name on
-   your system. */
-/* #undef PTHREAD_CREATE_JOINABLE */
-
-/* Define to 1 if you have the ANSI C header files. */
-/* #undef STDC_HEADERS */
-
-/* Define to any value to enable support for Just-In-Time compiling. */
-/* #undef SUPPORT_JIT */
-
-/* Define to any value to allow pcregrep to be linked with libbz2, so that it
-   is able to handle .bz2 files. */
-/* #undef SUPPORT_LIBBZ2 */
-
-/* Define to any value to allow pcretest to be linked with libedit. */
-/* #undef SUPPORT_LIBEDIT */
-
-/* Define to any value to allow pcretest to be linked with libreadline. */
-/* #undef SUPPORT_LIBREADLINE */
-
-/* Define to any value to allow pcregrep to be linked with libz, so that it is
-   able to handle .gz files. */
-/* #undef SUPPORT_LIBZ */
-
-/* Define to any value to enable the 16 bit PCRE library. */
-/* #undef SUPPORT_PCRE16 */
-
-/* Define to any value to enable the 32 bit PCRE library. */
-/* #undef SUPPORT_PCRE32 */
-
-/* Define to any value to enable the 8 bit PCRE library. */
-/* #undef SUPPORT_PCRE8 */
-
-/* Define to any value to enable JIT support in pcregrep. */
-/* #undef SUPPORT_PCREGREP_JIT */
-
-/* Define to any value to enable support for Unicode properties. */
-/* #undef SUPPORT_UCP */
-
-/* Define to any value to enable support for the UTF-8/16/32 Unicode encoding.
-   This will work even in an EBCDIC environment, but it is incompatible with
-   the EBCDIC macro. That is, PCRE can support *either* EBCDIC code *or*
-   ASCII/UTF-8/16/32, but not both at once. */
-/* #undef SUPPORT_UTF */
-
-/* Define to any value for valgrind support to find invalid memory reads. */
-/* #undef SUPPORT_VALGRIND */
-
-/* Version number of package */
-#ifndef VERSION
-#define VERSION "8.39"
-#endif
-
-/* Define to empty if `const' does not conform to ANSI C. */
-/* #undef const */
-
-/* Define to the type of a signed integer type of width exactly 64 bits if
-   such a type exists and the standard includes do not define it. */
-/* #undef int64_t */
-
-/* Define to `unsigned int' if  does not define. */
-/* #undef size_t */
diff --git a/src/plugins/PCREPlugin/pcre.h b/src/plugins/PCREPlugin/pcre.h
deleted file mode 100644
index 7055970..0000000
--- a/src/plugins/PCREPlugin/pcre.h
+++ /dev/null
@@ -1,677 +0,0 @@
-/*************************************************
-*       Perl-Compatible Regular Expressions      *
-*************************************************/
-
-/* This is the public header file for the PCRE library, to be #included by
-applications that call the PCRE functions.
-
-           Copyright (c) 1997-2014 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-#ifndef _PCRE_H
-#define _PCRE_H
-
-/* The current PCRE version information. */
-
-#define PCRE_MAJOR          8
-#define PCRE_MINOR          39
-#define PCRE_PRERELEASE     
-#define PCRE_DATE           2016-06-14
-
-/* When an application links to a PCRE DLL in Windows, the symbols that are
-imported have to be identified as such. When building PCRE, the appropriate
-export setting is defined in pcre_internal.h, which includes this file. So we
-don't change existing definitions of PCRE_EXP_DECL and PCRECPP_EXP_DECL. */
-
-#if defined(_WIN32) && !defined(PCRE_STATIC)
-#  ifndef PCRE_EXP_DECL
-#    define PCRE_EXP_DECL  extern __declspec(dllimport)
-#  endif
-#  ifdef __cplusplus
-#    ifndef PCRECPP_EXP_DECL
-#      define PCRECPP_EXP_DECL  extern __declspec(dllimport)
-#    endif
-#    ifndef PCRECPP_EXP_DEFN
-#      define PCRECPP_EXP_DEFN  __declspec(dllimport)
-#    endif
-#  endif
-#endif
-
-/* By default, we use the standard "extern" declarations. */
-
-#ifndef PCRE_EXP_DECL
-#  ifdef __cplusplus
-#    define PCRE_EXP_DECL  extern "C"
-#  else
-#    define PCRE_EXP_DECL  extern
-#  endif
-#endif
-
-#ifdef __cplusplus
-#  ifndef PCRECPP_EXP_DECL
-#    define PCRECPP_EXP_DECL  extern
-#  endif
-#  ifndef PCRECPP_EXP_DEFN
-#    define PCRECPP_EXP_DEFN
-#  endif
-#endif
-
-/* Have to include stdlib.h in order to ensure that size_t is defined;
-it is needed here for malloc. */
-
-#include 
-
-/* Allow for C++ users */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Public options. Some are compile-time only, some are run-time only, and some
-are both. Most of the compile-time options are saved with the compiled regex so
-that they can be inspected during studying (and therefore JIT compiling). Note
-that pcre_study() has its own set of options. Originally, all the options
-defined here used distinct bits. However, almost all the bits in a 32-bit word
-are now used, so in order to conserve them, option bits that were previously
-only recognized at matching time (i.e. by pcre_exec() or pcre_dfa_exec()) may
-also be used for compile-time options that affect only compiling and are not
-relevant for studying or JIT compiling.
-
-Some options for pcre_compile() change its behaviour but do not affect the
-behaviour of the execution functions. Other options are passed through to the
-execution functions and affect their behaviour, with or without affecting the
-behaviour of pcre_compile().
-
-Options that can be passed to pcre_compile() are tagged Cx below, with these
-variants:
-
-C1   Affects compile only
-C2   Does not affect compile; affects exec, dfa_exec
-C3   Affects compile, exec, dfa_exec
-C4   Affects compile, exec, dfa_exec, study
-C5   Affects compile, exec, study
-
-Options that can be set for pcre_exec() and/or pcre_dfa_exec() are flagged with
-E and D, respectively. They take precedence over C3, C4, and C5 settings passed
-from pcre_compile(). Those that are compatible with JIT execution are flagged
-with J. */
-
-#define PCRE_CASELESS           0x00000001  /* C1       */
-#define PCRE_MULTILINE          0x00000002  /* C1       */
-#define PCRE_DOTALL             0x00000004  /* C1       */
-#define PCRE_EXTENDED           0x00000008  /* C1       */
-#define PCRE_ANCHORED           0x00000010  /* C4 E D   */
-#define PCRE_DOLLAR_ENDONLY     0x00000020  /* C2       */
-#define PCRE_EXTRA              0x00000040  /* C1       */
-#define PCRE_NOTBOL             0x00000080  /*    E D J */
-#define PCRE_NOTEOL             0x00000100  /*    E D J */
-#define PCRE_UNGREEDY           0x00000200  /* C1       */
-#define PCRE_NOTEMPTY           0x00000400  /*    E D J */
-#define PCRE_UTF8               0x00000800  /* C4        )          */
-#define PCRE_UTF16              0x00000800  /* C4        ) Synonyms */
-#define PCRE_UTF32              0x00000800  /* C4        )          */
-#define PCRE_NO_AUTO_CAPTURE    0x00001000  /* C1       */
-#define PCRE_NO_UTF8_CHECK      0x00002000  /* C1 E D J  )          */
-#define PCRE_NO_UTF16_CHECK     0x00002000  /* C1 E D J  ) Synonyms */
-#define PCRE_NO_UTF32_CHECK     0x00002000  /* C1 E D J  )          */
-#define PCRE_AUTO_CALLOUT       0x00004000  /* C1       */
-#define PCRE_PARTIAL_SOFT       0x00008000  /*    E D J  ) Synonyms */
-#define PCRE_PARTIAL            0x00008000  /*    E D J  )          */
-
-/* This pair use the same bit. */
-#define PCRE_NEVER_UTF          0x00010000  /* C1        ) Overlaid */
-#define PCRE_DFA_SHORTEST       0x00010000  /*      D    ) Overlaid */
-
-/* This pair use the same bit. */
-#define PCRE_NO_AUTO_POSSESS    0x00020000  /* C1        ) Overlaid */
-#define PCRE_DFA_RESTART        0x00020000  /*      D    ) Overlaid */
-
-#define PCRE_FIRSTLINE          0x00040000  /* C3       */
-#define PCRE_DUPNAMES           0x00080000  /* C1       */
-#define PCRE_NEWLINE_CR         0x00100000  /* C3 E D   */
-#define PCRE_NEWLINE_LF         0x00200000  /* C3 E D   */
-#define PCRE_NEWLINE_CRLF       0x00300000  /* C3 E D   */
-#define PCRE_NEWLINE_ANY        0x00400000  /* C3 E D   */
-#define PCRE_NEWLINE_ANYCRLF    0x00500000  /* C3 E D   */
-#define PCRE_BSR_ANYCRLF        0x00800000  /* C3 E D   */
-#define PCRE_BSR_UNICODE        0x01000000  /* C3 E D   */
-#define PCRE_JAVASCRIPT_COMPAT  0x02000000  /* C5       */
-#define PCRE_NO_START_OPTIMIZE  0x04000000  /* C2 E D    ) Synonyms */
-#define PCRE_NO_START_OPTIMISE  0x04000000  /* C2 E D    )          */
-#define PCRE_PARTIAL_HARD       0x08000000  /*    E D J */
-#define PCRE_NOTEMPTY_ATSTART   0x10000000  /*    E D J */
-#define PCRE_UCP                0x20000000  /* C3       */
-
-/* Exec-time and get/set-time error codes */
-
-#define PCRE_ERROR_NOMATCH          (-1)
-#define PCRE_ERROR_NULL             (-2)
-#define PCRE_ERROR_BADOPTION        (-3)
-#define PCRE_ERROR_BADMAGIC         (-4)
-#define PCRE_ERROR_UNKNOWN_OPCODE   (-5)
-#define PCRE_ERROR_UNKNOWN_NODE     (-5)  /* For backward compatibility */
-#define PCRE_ERROR_NOMEMORY         (-6)
-#define PCRE_ERROR_NOSUBSTRING      (-7)
-#define PCRE_ERROR_MATCHLIMIT       (-8)
-#define PCRE_ERROR_CALLOUT          (-9)  /* Never used by PCRE itself */
-#define PCRE_ERROR_BADUTF8         (-10)  /* Same for 8/16/32 */
-#define PCRE_ERROR_BADUTF16        (-10)  /* Same for 8/16/32 */
-#define PCRE_ERROR_BADUTF32        (-10)  /* Same for 8/16/32 */
-#define PCRE_ERROR_BADUTF8_OFFSET  (-11)  /* Same for 8/16 */
-#define PCRE_ERROR_BADUTF16_OFFSET (-11)  /* Same for 8/16 */
-#define PCRE_ERROR_PARTIAL         (-12)
-#define PCRE_ERROR_BADPARTIAL      (-13)
-#define PCRE_ERROR_INTERNAL        (-14)
-#define PCRE_ERROR_BADCOUNT        (-15)
-#define PCRE_ERROR_DFA_UITEM       (-16)
-#define PCRE_ERROR_DFA_UCOND       (-17)
-#define PCRE_ERROR_DFA_UMLIMIT     (-18)
-#define PCRE_ERROR_DFA_WSSIZE      (-19)
-#define PCRE_ERROR_DFA_RECURSE     (-20)
-#define PCRE_ERROR_RECURSIONLIMIT  (-21)
-#define PCRE_ERROR_NULLWSLIMIT     (-22)  /* No longer actually used */
-#define PCRE_ERROR_BADNEWLINE      (-23)
-#define PCRE_ERROR_BADOFFSET       (-24)
-#define PCRE_ERROR_SHORTUTF8       (-25)
-#define PCRE_ERROR_SHORTUTF16      (-25)  /* Same for 8/16 */
-#define PCRE_ERROR_RECURSELOOP     (-26)
-#define PCRE_ERROR_JIT_STACKLIMIT  (-27)
-#define PCRE_ERROR_BADMODE         (-28)
-#define PCRE_ERROR_BADENDIANNESS   (-29)
-#define PCRE_ERROR_DFA_BADRESTART  (-30)
-#define PCRE_ERROR_JIT_BADOPTION   (-31)
-#define PCRE_ERROR_BADLENGTH       (-32)
-#define PCRE_ERROR_UNSET           (-33)
-
-/* Specific error codes for UTF-8 validity checks */
-
-#define PCRE_UTF8_ERR0               0
-#define PCRE_UTF8_ERR1               1
-#define PCRE_UTF8_ERR2               2
-#define PCRE_UTF8_ERR3               3
-#define PCRE_UTF8_ERR4               4
-#define PCRE_UTF8_ERR5               5
-#define PCRE_UTF8_ERR6               6
-#define PCRE_UTF8_ERR7               7
-#define PCRE_UTF8_ERR8               8
-#define PCRE_UTF8_ERR9               9
-#define PCRE_UTF8_ERR10             10
-#define PCRE_UTF8_ERR11             11
-#define PCRE_UTF8_ERR12             12
-#define PCRE_UTF8_ERR13             13
-#define PCRE_UTF8_ERR14             14
-#define PCRE_UTF8_ERR15             15
-#define PCRE_UTF8_ERR16             16
-#define PCRE_UTF8_ERR17             17
-#define PCRE_UTF8_ERR18             18
-#define PCRE_UTF8_ERR19             19
-#define PCRE_UTF8_ERR20             20
-#define PCRE_UTF8_ERR21             21
-#define PCRE_UTF8_ERR22             22  /* Unused (was non-character) */
-
-/* Specific error codes for UTF-16 validity checks */
-
-#define PCRE_UTF16_ERR0              0
-#define PCRE_UTF16_ERR1              1
-#define PCRE_UTF16_ERR2              2
-#define PCRE_UTF16_ERR3              3
-#define PCRE_UTF16_ERR4              4  /* Unused (was non-character) */
-
-/* Specific error codes for UTF-32 validity checks */
-
-#define PCRE_UTF32_ERR0              0
-#define PCRE_UTF32_ERR1              1
-#define PCRE_UTF32_ERR2              2  /* Unused (was non-character) */
-#define PCRE_UTF32_ERR3              3
-
-/* Request types for pcre_fullinfo() */
-
-#define PCRE_INFO_OPTIONS            0
-#define PCRE_INFO_SIZE               1
-#define PCRE_INFO_CAPTURECOUNT       2
-#define PCRE_INFO_BACKREFMAX         3
-#define PCRE_INFO_FIRSTBYTE          4
-#define PCRE_INFO_FIRSTCHAR          4  /* For backwards compatibility */
-#define PCRE_INFO_FIRSTTABLE         5
-#define PCRE_INFO_LASTLITERAL        6
-#define PCRE_INFO_NAMEENTRYSIZE      7
-#define PCRE_INFO_NAMECOUNT          8
-#define PCRE_INFO_NAMETABLE          9
-#define PCRE_INFO_STUDYSIZE         10
-#define PCRE_INFO_DEFAULT_TABLES    11
-#define PCRE_INFO_OKPARTIAL         12
-#define PCRE_INFO_JCHANGED          13
-#define PCRE_INFO_HASCRORLF         14
-#define PCRE_INFO_MINLENGTH         15
-#define PCRE_INFO_JIT               16
-#define PCRE_INFO_JITSIZE           17
-#define PCRE_INFO_MAXLOOKBEHIND     18
-#define PCRE_INFO_FIRSTCHARACTER    19
-#define PCRE_INFO_FIRSTCHARACTERFLAGS 20
-#define PCRE_INFO_REQUIREDCHAR      21
-#define PCRE_INFO_REQUIREDCHARFLAGS 22
-#define PCRE_INFO_MATCHLIMIT        23
-#define PCRE_INFO_RECURSIONLIMIT    24
-#define PCRE_INFO_MATCH_EMPTY       25
-
-/* Request types for pcre_config(). Do not re-arrange, in order to remain
-compatible. */
-
-#define PCRE_CONFIG_UTF8                    0
-#define PCRE_CONFIG_NEWLINE                 1
-#define PCRE_CONFIG_LINK_SIZE               2
-#define PCRE_CONFIG_POSIX_MALLOC_THRESHOLD  3
-#define PCRE_CONFIG_MATCH_LIMIT             4
-#define PCRE_CONFIG_STACKRECURSE            5
-#define PCRE_CONFIG_UNICODE_PROPERTIES      6
-#define PCRE_CONFIG_MATCH_LIMIT_RECURSION   7
-#define PCRE_CONFIG_BSR                     8
-#define PCRE_CONFIG_JIT                     9
-#define PCRE_CONFIG_UTF16                  10
-#define PCRE_CONFIG_JITTARGET              11
-#define PCRE_CONFIG_UTF32                  12
-#define PCRE_CONFIG_PARENS_LIMIT           13
-
-/* Request types for pcre_study(). Do not re-arrange, in order to remain
-compatible. */
-
-#define PCRE_STUDY_JIT_COMPILE                0x0001
-#define PCRE_STUDY_JIT_PARTIAL_SOFT_COMPILE   0x0002
-#define PCRE_STUDY_JIT_PARTIAL_HARD_COMPILE   0x0004
-#define PCRE_STUDY_EXTRA_NEEDED               0x0008
-
-/* Bit flags for the pcre[16|32]_extra structure. Do not re-arrange or redefine
-these bits, just add new ones on the end, in order to remain compatible. */
-
-#define PCRE_EXTRA_STUDY_DATA             0x0001
-#define PCRE_EXTRA_MATCH_LIMIT            0x0002
-#define PCRE_EXTRA_CALLOUT_DATA           0x0004
-#define PCRE_EXTRA_TABLES                 0x0008
-#define PCRE_EXTRA_MATCH_LIMIT_RECURSION  0x0010
-#define PCRE_EXTRA_MARK                   0x0020
-#define PCRE_EXTRA_EXECUTABLE_JIT         0x0040
-
-/* Types */
-
-struct real_pcre;                 /* declaration; the definition is private  */
-typedef struct real_pcre pcre;
-
-struct real_pcre16;               /* declaration; the definition is private  */
-typedef struct real_pcre16 pcre16;
-
-struct real_pcre32;               /* declaration; the definition is private  */
-typedef struct real_pcre32 pcre32;
-
-struct real_pcre_jit_stack;       /* declaration; the definition is private  */
-typedef struct real_pcre_jit_stack pcre_jit_stack;
-
-struct real_pcre16_jit_stack;     /* declaration; the definition is private  */
-typedef struct real_pcre16_jit_stack pcre16_jit_stack;
-
-struct real_pcre32_jit_stack;     /* declaration; the definition is private  */
-typedef struct real_pcre32_jit_stack pcre32_jit_stack;
-
-/* If PCRE is compiled with 16 bit character support, PCRE_UCHAR16 must contain
-a 16 bit wide signed data type. Otherwise it can be a dummy data type since
-pcre16 functions are not implemented. There is a check for this in pcre_internal.h. */
-#ifndef PCRE_UCHAR16
-#define PCRE_UCHAR16 unsigned short
-#endif
-
-#ifndef PCRE_SPTR16
-#define PCRE_SPTR16 const PCRE_UCHAR16 *
-#endif
-
-/* If PCRE is compiled with 32 bit character support, PCRE_UCHAR32 must contain
-a 32 bit wide signed data type. Otherwise it can be a dummy data type since
-pcre32 functions are not implemented. There is a check for this in pcre_internal.h. */
-#ifndef PCRE_UCHAR32
-#define PCRE_UCHAR32 unsigned int
-#endif
-
-#ifndef PCRE_SPTR32
-#define PCRE_SPTR32 const PCRE_UCHAR32 *
-#endif
-
-/* When PCRE is compiled as a C++ library, the subject pointer type can be
-replaced with a custom type. For conventional use, the public interface is a
-const char *. */
-
-#ifndef PCRE_SPTR
-#define PCRE_SPTR const char *
-#endif
-
-/* The structure for passing additional data to pcre_exec(). This is defined in
-such as way as to be extensible. Always add new fields at the end, in order to
-remain compatible. */
-
-typedef struct pcre_extra {
-  unsigned long int flags;        /* Bits for which fields are set */
-  void *study_data;               /* Opaque data from pcre_study() */
-  unsigned long int match_limit;  /* Maximum number of calls to match() */
-  void *callout_data;             /* Data passed back in callouts */
-  const unsigned char *tables;    /* Pointer to character tables */
-  unsigned long int match_limit_recursion; /* Max recursive calls to match() */
-  unsigned char **mark;           /* For passing back a mark pointer */
-  void *executable_jit;           /* Contains a pointer to a compiled jit code */
-} pcre_extra;
-
-/* Same structure as above, but with 16 bit char pointers. */
-
-typedef struct pcre16_extra {
-  unsigned long int flags;        /* Bits for which fields are set */
-  void *study_data;               /* Opaque data from pcre_study() */
-  unsigned long int match_limit;  /* Maximum number of calls to match() */
-  void *callout_data;             /* Data passed back in callouts */
-  const unsigned char *tables;    /* Pointer to character tables */
-  unsigned long int match_limit_recursion; /* Max recursive calls to match() */
-  PCRE_UCHAR16 **mark;            /* For passing back a mark pointer */
-  void *executable_jit;           /* Contains a pointer to a compiled jit code */
-} pcre16_extra;
-
-/* Same structure as above, but with 32 bit char pointers. */
-
-typedef struct pcre32_extra {
-  unsigned long int flags;        /* Bits for which fields are set */
-  void *study_data;               /* Opaque data from pcre_study() */
-  unsigned long int match_limit;  /* Maximum number of calls to match() */
-  void *callout_data;             /* Data passed back in callouts */
-  const unsigned char *tables;    /* Pointer to character tables */
-  unsigned long int match_limit_recursion; /* Max recursive calls to match() */
-  PCRE_UCHAR32 **mark;            /* For passing back a mark pointer */
-  void *executable_jit;           /* Contains a pointer to a compiled jit code */
-} pcre32_extra;
-
-/* The structure for passing out data via the pcre_callout_function. We use a
-structure so that new fields can be added on the end in future versions,
-without changing the API of the function, thereby allowing old clients to work
-without modification. */
-
-typedef struct pcre_callout_block {
-  int          version;           /* Identifies version of block */
-  /* ------------------------ Version 0 ------------------------------- */
-  int          callout_number;    /* Number compiled into pattern */
-  int         *offset_vector;     /* The offset vector */
-  PCRE_SPTR    subject;           /* The subject being matched */
-  int          subject_length;    /* The length of the subject */
-  int          start_match;       /* Offset to start of this match attempt */
-  int          current_position;  /* Where we currently are in the subject */
-  int          capture_top;       /* Max current capture */
-  int          capture_last;      /* Most recently closed capture */
-  void        *callout_data;      /* Data passed in with the call */
-  /* ------------------- Added for Version 1 -------------------------- */
-  int          pattern_position;  /* Offset to next item in the pattern */
-  int          next_item_length;  /* Length of next item in the pattern */
-  /* ------------------- Added for Version 2 -------------------------- */
-  const unsigned char *mark;      /* Pointer to current mark or NULL    */
-  /* ------------------------------------------------------------------ */
-} pcre_callout_block;
-
-/* Same structure as above, but with 16 bit char pointers. */
-
-typedef struct pcre16_callout_block {
-  int          version;           /* Identifies version of block */
-  /* ------------------------ Version 0 ------------------------------- */
-  int          callout_number;    /* Number compiled into pattern */
-  int         *offset_vector;     /* The offset vector */
-  PCRE_SPTR16  subject;           /* The subject being matched */
-  int          subject_length;    /* The length of the subject */
-  int          start_match;       /* Offset to start of this match attempt */
-  int          current_position;  /* Where we currently are in the subject */
-  int          capture_top;       /* Max current capture */
-  int          capture_last;      /* Most recently closed capture */
-  void        *callout_data;      /* Data passed in with the call */
-  /* ------------------- Added for Version 1 -------------------------- */
-  int          pattern_position;  /* Offset to next item in the pattern */
-  int          next_item_length;  /* Length of next item in the pattern */
-  /* ------------------- Added for Version 2 -------------------------- */
-  const PCRE_UCHAR16 *mark;       /* Pointer to current mark or NULL    */
-  /* ------------------------------------------------------------------ */
-} pcre16_callout_block;
-
-/* Same structure as above, but with 32 bit char pointers. */
-
-typedef struct pcre32_callout_block {
-  int          version;           /* Identifies version of block */
-  /* ------------------------ Version 0 ------------------------------- */
-  int          callout_number;    /* Number compiled into pattern */
-  int         *offset_vector;     /* The offset vector */
-  PCRE_SPTR32  subject;           /* The subject being matched */
-  int          subject_length;    /* The length of the subject */
-  int          start_match;       /* Offset to start of this match attempt */
-  int          current_position;  /* Where we currently are in the subject */
-  int          capture_top;       /* Max current capture */
-  int          capture_last;      /* Most recently closed capture */
-  void        *callout_data;      /* Data passed in with the call */
-  /* ------------------- Added for Version 1 -------------------------- */
-  int          pattern_position;  /* Offset to next item in the pattern */
-  int          next_item_length;  /* Length of next item in the pattern */
-  /* ------------------- Added for Version 2 -------------------------- */
-  const PCRE_UCHAR32 *mark;       /* Pointer to current mark or NULL    */
-  /* ------------------------------------------------------------------ */
-} pcre32_callout_block;
-
-/* Indirection for store get and free functions. These can be set to
-alternative malloc/free functions if required. Special ones are used in the
-non-recursive case for "frames". There is also an optional callout function
-that is triggered by the (?) regex item. For Virtual Pascal, these definitions
-have to take another form. */
-
-#ifndef VPCOMPAT
-PCRE_EXP_DECL void *(*pcre_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre_free)(void *);
-PCRE_EXP_DECL void *(*pcre_stack_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre_stack_free)(void *);
-PCRE_EXP_DECL int   (*pcre_callout)(pcre_callout_block *);
-PCRE_EXP_DECL int   (*pcre_stack_guard)(void);
-
-PCRE_EXP_DECL void *(*pcre16_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre16_free)(void *);
-PCRE_EXP_DECL void *(*pcre16_stack_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre16_stack_free)(void *);
-PCRE_EXP_DECL int   (*pcre16_callout)(pcre16_callout_block *);
-PCRE_EXP_DECL int   (*pcre16_stack_guard)(void);
-
-PCRE_EXP_DECL void *(*pcre32_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre32_free)(void *);
-PCRE_EXP_DECL void *(*pcre32_stack_malloc)(size_t);
-PCRE_EXP_DECL void  (*pcre32_stack_free)(void *);
-PCRE_EXP_DECL int   (*pcre32_callout)(pcre32_callout_block *);
-PCRE_EXP_DECL int   (*pcre32_stack_guard)(void);
-#else   /* VPCOMPAT */
-PCRE_EXP_DECL void *pcre_malloc(size_t);
-PCRE_EXP_DECL void  pcre_free(void *);
-PCRE_EXP_DECL void *pcre_stack_malloc(size_t);
-PCRE_EXP_DECL void  pcre_stack_free(void *);
-PCRE_EXP_DECL int   pcre_callout(pcre_callout_block *);
-PCRE_EXP_DECL int   pcre_stack_guard(void);
-
-PCRE_EXP_DECL void *pcre16_malloc(size_t);
-PCRE_EXP_DECL void  pcre16_free(void *);
-PCRE_EXP_DECL void *pcre16_stack_malloc(size_t);
-PCRE_EXP_DECL void  pcre16_stack_free(void *);
-PCRE_EXP_DECL int   pcre16_callout(pcre16_callout_block *);
-PCRE_EXP_DECL int   pcre16_stack_guard(void);
-
-PCRE_EXP_DECL void *pcre32_malloc(size_t);
-PCRE_EXP_DECL void  pcre32_free(void *);
-PCRE_EXP_DECL void *pcre32_stack_malloc(size_t);
-PCRE_EXP_DECL void  pcre32_stack_free(void *);
-PCRE_EXP_DECL int   pcre32_callout(pcre32_callout_block *);
-PCRE_EXP_DECL int   pcre32_stack_guard(void);
-#endif  /* VPCOMPAT */
-
-/* User defined callback which provides a stack just before the match starts. */
-
-typedef pcre_jit_stack *(*pcre_jit_callback)(void *);
-typedef pcre16_jit_stack *(*pcre16_jit_callback)(void *);
-typedef pcre32_jit_stack *(*pcre32_jit_callback)(void *);
-
-/* Exported PCRE functions */
-
-PCRE_EXP_DECL pcre *pcre_compile(const char *, int, const char **, int *,
-                  const unsigned char *);
-PCRE_EXP_DECL pcre16 *pcre16_compile(PCRE_SPTR16, int, const char **, int *,
-                  const unsigned char *);
-PCRE_EXP_DECL pcre32 *pcre32_compile(PCRE_SPTR32, int, const char **, int *,
-                  const unsigned char *);
-PCRE_EXP_DECL pcre *pcre_compile2(const char *, int, int *, const char **,
-                  int *, const unsigned char *);
-PCRE_EXP_DECL pcre16 *pcre16_compile2(PCRE_SPTR16, int, int *, const char **,
-                  int *, const unsigned char *);
-PCRE_EXP_DECL pcre32 *pcre32_compile2(PCRE_SPTR32, int, int *, const char **,
-                  int *, const unsigned char *);
-PCRE_EXP_DECL int  pcre_config(int, void *);
-PCRE_EXP_DECL int  pcre16_config(int, void *);
-PCRE_EXP_DECL int  pcre32_config(int, void *);
-PCRE_EXP_DECL int  pcre_copy_named_substring(const pcre *, const char *,
-                  int *, int, const char *, char *, int);
-PCRE_EXP_DECL int  pcre16_copy_named_substring(const pcre16 *, PCRE_SPTR16,
-                  int *, int, PCRE_SPTR16, PCRE_UCHAR16 *, int);
-PCRE_EXP_DECL int  pcre32_copy_named_substring(const pcre32 *, PCRE_SPTR32,
-                  int *, int, PCRE_SPTR32, PCRE_UCHAR32 *, int);
-PCRE_EXP_DECL int  pcre_copy_substring(const char *, int *, int, int,
-                  char *, int);
-PCRE_EXP_DECL int  pcre16_copy_substring(PCRE_SPTR16, int *, int, int,
-                  PCRE_UCHAR16 *, int);
-PCRE_EXP_DECL int  pcre32_copy_substring(PCRE_SPTR32, int *, int, int,
-                  PCRE_UCHAR32 *, int);
-PCRE_EXP_DECL int  pcre_dfa_exec(const pcre *, const pcre_extra *,
-                  const char *, int, int, int, int *, int , int *, int);
-PCRE_EXP_DECL int  pcre16_dfa_exec(const pcre16 *, const pcre16_extra *,
-                  PCRE_SPTR16, int, int, int, int *, int , int *, int);
-PCRE_EXP_DECL int  pcre32_dfa_exec(const pcre32 *, const pcre32_extra *,
-                  PCRE_SPTR32, int, int, int, int *, int , int *, int);
-PCRE_EXP_DECL int  pcre_exec(const pcre *, const pcre_extra *, PCRE_SPTR,
-                   int, int, int, int *, int);
-PCRE_EXP_DECL int  pcre16_exec(const pcre16 *, const pcre16_extra *,
-                   PCRE_SPTR16, int, int, int, int *, int);
-PCRE_EXP_DECL int  pcre32_exec(const pcre32 *, const pcre32_extra *,
-                   PCRE_SPTR32, int, int, int, int *, int);
-PCRE_EXP_DECL int  pcre_jit_exec(const pcre *, const pcre_extra *,
-                   PCRE_SPTR, int, int, int, int *, int,
-                   pcre_jit_stack *);
-PCRE_EXP_DECL int  pcre16_jit_exec(const pcre16 *, const pcre16_extra *,
-                   PCRE_SPTR16, int, int, int, int *, int,
-                   pcre16_jit_stack *);
-PCRE_EXP_DECL int  pcre32_jit_exec(const pcre32 *, const pcre32_extra *,
-                   PCRE_SPTR32, int, int, int, int *, int,
-                   pcre32_jit_stack *);
-PCRE_EXP_DECL void pcre_free_substring(const char *);
-PCRE_EXP_DECL void pcre16_free_substring(PCRE_SPTR16);
-PCRE_EXP_DECL void pcre32_free_substring(PCRE_SPTR32);
-PCRE_EXP_DECL void pcre_free_substring_list(const char **);
-PCRE_EXP_DECL void pcre16_free_substring_list(PCRE_SPTR16 *);
-PCRE_EXP_DECL void pcre32_free_substring_list(PCRE_SPTR32 *);
-PCRE_EXP_DECL int  pcre_fullinfo(const pcre *, const pcre_extra *, int,
-                  void *);
-PCRE_EXP_DECL int  pcre16_fullinfo(const pcre16 *, const pcre16_extra *, int,
-                  void *);
-PCRE_EXP_DECL int  pcre32_fullinfo(const pcre32 *, const pcre32_extra *, int,
-                  void *);
-PCRE_EXP_DECL int  pcre_get_named_substring(const pcre *, const char *,
-                  int *, int, const char *, const char **);
-PCRE_EXP_DECL int  pcre16_get_named_substring(const pcre16 *, PCRE_SPTR16,
-                  int *, int, PCRE_SPTR16, PCRE_SPTR16 *);
-PCRE_EXP_DECL int  pcre32_get_named_substring(const pcre32 *, PCRE_SPTR32,
-                  int *, int, PCRE_SPTR32, PCRE_SPTR32 *);
-PCRE_EXP_DECL int  pcre_get_stringnumber(const pcre *, const char *);
-PCRE_EXP_DECL int  pcre16_get_stringnumber(const pcre16 *, PCRE_SPTR16);
-PCRE_EXP_DECL int  pcre32_get_stringnumber(const pcre32 *, PCRE_SPTR32);
-PCRE_EXP_DECL int  pcre_get_stringtable_entries(const pcre *, const char *,
-                  char **, char **);
-PCRE_EXP_DECL int  pcre16_get_stringtable_entries(const pcre16 *, PCRE_SPTR16,
-                  PCRE_UCHAR16 **, PCRE_UCHAR16 **);
-PCRE_EXP_DECL int  pcre32_get_stringtable_entries(const pcre32 *, PCRE_SPTR32,
-                  PCRE_UCHAR32 **, PCRE_UCHAR32 **);
-PCRE_EXP_DECL int  pcre_get_substring(const char *, int *, int, int,
-                  const char **);
-PCRE_EXP_DECL int  pcre16_get_substring(PCRE_SPTR16, int *, int, int,
-                  PCRE_SPTR16 *);
-PCRE_EXP_DECL int  pcre32_get_substring(PCRE_SPTR32, int *, int, int,
-                  PCRE_SPTR32 *);
-PCRE_EXP_DECL int  pcre_get_substring_list(const char *, int *, int,
-                  const char ***);
-PCRE_EXP_DECL int  pcre16_get_substring_list(PCRE_SPTR16, int *, int,
-                  PCRE_SPTR16 **);
-PCRE_EXP_DECL int  pcre32_get_substring_list(PCRE_SPTR32, int *, int,
-                  PCRE_SPTR32 **);
-PCRE_EXP_DECL const unsigned char *pcre_maketables(void);
-PCRE_EXP_DECL const unsigned char *pcre16_maketables(void);
-PCRE_EXP_DECL const unsigned char *pcre32_maketables(void);
-PCRE_EXP_DECL int  pcre_refcount(pcre *, int);
-PCRE_EXP_DECL int  pcre16_refcount(pcre16 *, int);
-PCRE_EXP_DECL int  pcre32_refcount(pcre32 *, int);
-PCRE_EXP_DECL pcre_extra *pcre_study(const pcre *, int, const char **);
-PCRE_EXP_DECL pcre16_extra *pcre16_study(const pcre16 *, int, const char **);
-PCRE_EXP_DECL pcre32_extra *pcre32_study(const pcre32 *, int, const char **);
-PCRE_EXP_DECL void pcre_free_study(pcre_extra *);
-PCRE_EXP_DECL void pcre16_free_study(pcre16_extra *);
-PCRE_EXP_DECL void pcre32_free_study(pcre32_extra *);
-PCRE_EXP_DECL const char *pcre_version(void);
-PCRE_EXP_DECL const char *pcre16_version(void);
-PCRE_EXP_DECL const char *pcre32_version(void);
-
-/* Utility functions for byte order swaps. */
-PCRE_EXP_DECL int  pcre_pattern_to_host_byte_order(pcre *, pcre_extra *,
-                  const unsigned char *);
-PCRE_EXP_DECL int  pcre16_pattern_to_host_byte_order(pcre16 *, pcre16_extra *,
-                  const unsigned char *);
-PCRE_EXP_DECL int  pcre32_pattern_to_host_byte_order(pcre32 *, pcre32_extra *,
-                  const unsigned char *);
-PCRE_EXP_DECL int  pcre16_utf16_to_host_byte_order(PCRE_UCHAR16 *,
-                  PCRE_SPTR16, int, int *, int);
-PCRE_EXP_DECL int  pcre32_utf32_to_host_byte_order(PCRE_UCHAR32 *,
-                  PCRE_SPTR32, int, int *, int);
-
-/* JIT compiler related functions. */
-
-PCRE_EXP_DECL pcre_jit_stack *pcre_jit_stack_alloc(int, int);
-PCRE_EXP_DECL pcre16_jit_stack *pcre16_jit_stack_alloc(int, int);
-PCRE_EXP_DECL pcre32_jit_stack *pcre32_jit_stack_alloc(int, int);
-PCRE_EXP_DECL void pcre_jit_stack_free(pcre_jit_stack *);
-PCRE_EXP_DECL void pcre16_jit_stack_free(pcre16_jit_stack *);
-PCRE_EXP_DECL void pcre32_jit_stack_free(pcre32_jit_stack *);
-PCRE_EXP_DECL void pcre_assign_jit_stack(pcre_extra *,
-                  pcre_jit_callback, void *);
-PCRE_EXP_DECL void pcre16_assign_jit_stack(pcre16_extra *,
-                  pcre16_jit_callback, void *);
-PCRE_EXP_DECL void pcre32_assign_jit_stack(pcre32_extra *,
-                  pcre32_jit_callback, void *);
-PCRE_EXP_DECL void pcre_jit_free_unused_memory(void);
-PCRE_EXP_DECL void pcre16_jit_free_unused_memory(void);
-PCRE_EXP_DECL void pcre32_jit_free_unused_memory(void);
-
-#ifdef __cplusplus
-}  /* extern "C" */
-#endif
-
-#endif /* End of pcre.h */
diff --git a/src/plugins/PCREPlugin/pcre_compile.c b/src/plugins/PCREPlugin/pcre_compile.c
deleted file mode 100644
index 8d35297..0000000
--- a/src/plugins/PCREPlugin/pcre_compile.c
+++ /dev/null
@@ -1,9750 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2016 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_compile(), along with
-supporting internal functions that are not used by other modules. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#define NLBLOCK cd             /* Block containing newline information */
-#define PSSTART start_pattern  /* Field containing pattern start */
-#define PSEND   end_pattern    /* Field containing pattern end */
-
-#include "pcre_internal.h"
-
-
-/* When PCRE_DEBUG is defined, we need the pcre(16|32)_printint() function, which
-is also used by pcretest. PCRE_DEBUG is not defined when building a production
-library. We do not need to select pcre16_printint.c specially, because the
-COMPILE_PCREx macro will already be appropriately set. */
-
-#ifdef PCRE_DEBUG
-/* pcre_printint.c should not include any headers */
-#define PCRE_INCLUDED
-#include "pcre_printint.c"
-#undef PCRE_INCLUDED
-#endif
-
-
-/* Macro for setting individual bits in class bitmaps. */
-
-#define SETBIT(a,b) a[(b)/8] |= (1 << ((b)&7))
-
-/* Maximum length value to check against when making sure that the integer that
-holds the compiled pattern length does not overflow. We make it a bit less than
-INT_MAX to allow for adding in group terminating bytes, so that we don't have
-to check them every time. */
-
-#define OFLOW_MAX (INT_MAX - 20)
-
-/* Definitions to allow mutual recursion */
-
-static int
-  add_list_to_class(pcre_uint8 *, pcre_uchar **, int, compile_data *,
-    const pcre_uint32 *, unsigned int);
-
-static BOOL
-  compile_regex(int, pcre_uchar **, const pcre_uchar **, int *, BOOL, BOOL, int, int,
-    pcre_uint32 *, pcre_int32 *, pcre_uint32 *, pcre_int32 *, branch_chain *,
-    compile_data *, int *);
-
-
-
-/*************************************************
-*      Code parameters and static tables         *
-*************************************************/
-
-/* This value specifies the size of stack workspace that is used during the
-first pre-compile phase that determines how much memory is required. The regex
-is partly compiled into this space, but the compiled parts are discarded as
-soon as they can be, so that hopefully there will never be an overrun. The code
-does, however, check for an overrun. The largest amount I've seen used is 218,
-so this number is very generous.
-
-The same workspace is used during the second, actual compile phase for
-remembering forward references to groups so that they can be filled in at the
-end. Each entry in this list occupies LINK_SIZE bytes, so even when LINK_SIZE
-is 4 there is plenty of room for most patterns. However, the memory can get
-filled up by repetitions of forward references, for example patterns like
-/(?1){0,1999}(b)/, and one user did hit the limit. The code has been changed so
-that the workspace is expanded using malloc() in this situation. The value
-below is therefore a minimum, and we put a maximum on it for safety. The
-minimum is now also defined in terms of LINK_SIZE so that the use of malloc()
-kicks in at the same number of forward references in all cases. */
-
-#define COMPILE_WORK_SIZE (2048*LINK_SIZE)
-#define COMPILE_WORK_SIZE_MAX (100*COMPILE_WORK_SIZE)
-
-/* This value determines the size of the initial vector that is used for
-remembering named groups during the pre-compile. It is allocated on the stack,
-but if it is too small, it is expanded using malloc(), in a similar way to the
-workspace. The value is the number of slots in the list. */
-
-#define NAMED_GROUP_LIST_SIZE  20
-
-/* The overrun tests check for a slightly smaller size so that they detect the
-overrun before it actually does run off the end of the data block. */
-
-#define WORK_SIZE_SAFETY_MARGIN (100)
-
-/* Private flags added to firstchar and reqchar. */
-
-#define REQ_CASELESS    (1 << 0)        /* Indicates caselessness */
-#define REQ_VARY        (1 << 1)        /* Reqchar followed non-literal item */
-/* Negative values for the firstchar and reqchar flags */
-#define REQ_UNSET       (-2)
-#define REQ_NONE        (-1)
-
-/* Repeated character flags. */
-
-#define UTF_LENGTH     0x10000000l      /* The char contains its length. */
-
-/* Table for handling escaped characters in the range '0'-'z'. Positive returns
-are simple data values; negative values are for special things like \d and so
-on. Zero means further processing is needed (for things like \x), or the escape
-is invalid. */
-
-#ifndef EBCDIC
-
-/* This is the "normal" table for ASCII systems or for EBCDIC systems running
-in UTF-8 mode. */
-
-static const short int escapes[] = {
-     0,                       0,
-     0,                       0,
-     0,                       0,
-     0,                       0,
-     0,                       0,
-     CHAR_COLON,              CHAR_SEMICOLON,
-     CHAR_LESS_THAN_SIGN,     CHAR_EQUALS_SIGN,
-     CHAR_GREATER_THAN_SIGN,  CHAR_QUESTION_MARK,
-     CHAR_COMMERCIAL_AT,      -ESC_A,
-     -ESC_B,                  -ESC_C,
-     -ESC_D,                  -ESC_E,
-     0,                       -ESC_G,
-     -ESC_H,                  0,
-     0,                       -ESC_K,
-     0,                       0,
-     -ESC_N,                  0,
-     -ESC_P,                  -ESC_Q,
-     -ESC_R,                  -ESC_S,
-     0,                       0,
-     -ESC_V,                  -ESC_W,
-     -ESC_X,                  0,
-     -ESC_Z,                  CHAR_LEFT_SQUARE_BRACKET,
-     CHAR_BACKSLASH,          CHAR_RIGHT_SQUARE_BRACKET,
-     CHAR_CIRCUMFLEX_ACCENT,  CHAR_UNDERSCORE,
-     CHAR_GRAVE_ACCENT,       ESC_a,
-     -ESC_b,                  0,
-     -ESC_d,                  ESC_e,
-     ESC_f,                   0,
-     -ESC_h,                  0,
-     0,                       -ESC_k,
-     0,                       0,
-     ESC_n,                   0,
-     -ESC_p,                  0,
-     ESC_r,                   -ESC_s,
-     ESC_tee,                 0,
-     -ESC_v,                  -ESC_w,
-     0,                       0,
-     -ESC_z
-};
-
-#else
-
-/* This is the "abnormal" table for EBCDIC systems without UTF-8 support. */
-
-static const short int escapes[] = {
-/*  48 */     0,     0,      0,     '.',    '<',   '(',    '+',    '|',
-/*  50 */   '&',     0,      0,       0,      0,     0,      0,      0,
-/*  58 */     0,     0,    '!',     '$',    '*',   ')',    ';',    '~',
-/*  60 */   '-',   '/',      0,       0,      0,     0,      0,      0,
-/*  68 */     0,     0,    '|',     ',',    '%',   '_',    '>',    '?',
-/*  70 */     0,     0,      0,       0,      0,     0,      0,      0,
-/*  78 */     0,   '`',    ':',     '#',    '@',  '\'',    '=',    '"',
-/*  80 */     0, ESC_a, -ESC_b,       0, -ESC_d, ESC_e,  ESC_f,      0,
-/*  88 */-ESC_h,     0,      0,     '{',      0,     0,      0,      0,
-/*  90 */     0,     0, -ESC_k,       0,      0, ESC_n,      0, -ESC_p,
-/*  98 */     0, ESC_r,      0,     '}',      0,     0,      0,      0,
-/*  A0 */     0,   '~', -ESC_s, ESC_tee,      0,-ESC_v, -ESC_w,      0,
-/*  A8 */     0,-ESC_z,      0,       0,      0,   '[',      0,      0,
-/*  B0 */     0,     0,      0,       0,      0,     0,      0,      0,
-/*  B8 */     0,     0,      0,       0,      0,   ']',    '=',    '-',
-/*  C0 */   '{',-ESC_A, -ESC_B,  -ESC_C, -ESC_D,-ESC_E,      0, -ESC_G,
-/*  C8 */-ESC_H,     0,      0,       0,      0,     0,      0,      0,
-/*  D0 */   '}',     0, -ESC_K,       0,      0,-ESC_N,      0, -ESC_P,
-/*  D8 */-ESC_Q,-ESC_R,      0,       0,      0,     0,      0,      0,
-/*  E0 */  '\\',     0, -ESC_S,       0,      0,-ESC_V, -ESC_W, -ESC_X,
-/*  E8 */     0,-ESC_Z,      0,       0,      0,     0,      0,      0,
-/*  F0 */     0,     0,      0,       0,      0,     0,      0,      0,
-/*  F8 */     0,     0,      0,       0,      0,     0,      0,      0
-};
-
-/* We also need a table of characters that may follow \c in an EBCDIC
-environment for characters 0-31. */
-
-static unsigned char ebcdic_escape_c[] = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_";
-
-#endif
-
-
-/* Table of special "verbs" like (*PRUNE). This is a short table, so it is
-searched linearly. Put all the names into a single string, in order to reduce
-the number of relocations when a shared library is dynamically linked. The
-string is built from string macros so that it works in UTF-8 mode on EBCDIC
-platforms. */
-
-typedef struct verbitem {
-  int   len;                 /* Length of verb name */
-  int   op;                  /* Op when no arg, or -1 if arg mandatory */
-  int   op_arg;              /* Op when arg present, or -1 if not allowed */
-} verbitem;
-
-static const char verbnames[] =
-  "\0"                       /* Empty name is a shorthand for MARK */
-  STRING_MARK0
-  STRING_ACCEPT0
-  STRING_COMMIT0
-  STRING_F0
-  STRING_FAIL0
-  STRING_PRUNE0
-  STRING_SKIP0
-  STRING_THEN;
-
-static const verbitem verbs[] = {
-  { 0, -1,        OP_MARK },
-  { 4, -1,        OP_MARK },
-  { 6, OP_ACCEPT, -1 },
-  { 6, OP_COMMIT, -1 },
-  { 1, OP_FAIL,   -1 },
-  { 4, OP_FAIL,   -1 },
-  { 5, OP_PRUNE,  OP_PRUNE_ARG },
-  { 4, OP_SKIP,   OP_SKIP_ARG  },
-  { 4, OP_THEN,   OP_THEN_ARG  }
-};
-
-static const int verbcount = sizeof(verbs)/sizeof(verbitem);
-
-
-/* Substitutes for [[:<:]] and [[:>:]], which mean start and end of word in
-another regex library. */
-
-static const pcre_uchar sub_start_of_word[] = {
-  CHAR_BACKSLASH, CHAR_b, CHAR_LEFT_PARENTHESIS, CHAR_QUESTION_MARK,
-  CHAR_EQUALS_SIGN, CHAR_BACKSLASH, CHAR_w, CHAR_RIGHT_PARENTHESIS, '\0' };
-
-static const pcre_uchar sub_end_of_word[] = {
-  CHAR_BACKSLASH, CHAR_b, CHAR_LEFT_PARENTHESIS, CHAR_QUESTION_MARK,
-  CHAR_LESS_THAN_SIGN, CHAR_EQUALS_SIGN, CHAR_BACKSLASH, CHAR_w,
-  CHAR_RIGHT_PARENTHESIS, '\0' };
-
-
-/* Tables of names of POSIX character classes and their lengths. The names are
-now all in a single string, to reduce the number of relocations when a shared
-library is dynamically loaded. The list of lengths is terminated by a zero
-length entry. The first three must be alpha, lower, upper, as this is assumed
-for handling case independence. The indices for graph, print, and punct are
-needed, so identify them. */
-
-static const char posix_names[] =
-  STRING_alpha0 STRING_lower0 STRING_upper0 STRING_alnum0
-  STRING_ascii0 STRING_blank0 STRING_cntrl0 STRING_digit0
-  STRING_graph0 STRING_print0 STRING_punct0 STRING_space0
-  STRING_word0  STRING_xdigit;
-
-static const pcre_uint8 posix_name_lengths[] = {
-  5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, 6, 0 };
-
-#define PC_GRAPH  8
-#define PC_PRINT  9
-#define PC_PUNCT 10
-
-
-/* Table of class bit maps for each POSIX class. Each class is formed from a
-base map, with an optional addition or removal of another map. Then, for some
-classes, there is some additional tweaking: for [:blank:] the vertical space
-characters are removed, and for [:alpha:] and [:alnum:] the underscore
-character is removed. The triples in the table consist of the base map offset,
-second map offset or -1 if no second map, and a non-negative value for map
-addition or a negative value for map subtraction (if there are two maps). The
-absolute value of the third field has these meanings: 0 => no tweaking, 1 =>
-remove vertical space characters, 2 => remove underscore. */
-
-static const int posix_class_maps[] = {
-  cbit_word,  cbit_digit, -2,             /* alpha */
-  cbit_lower, -1,          0,             /* lower */
-  cbit_upper, -1,          0,             /* upper */
-  cbit_word,  -1,          2,             /* alnum - word without underscore */
-  cbit_print, cbit_cntrl,  0,             /* ascii */
-  cbit_space, -1,          1,             /* blank - a GNU extension */
-  cbit_cntrl, -1,          0,             /* cntrl */
-  cbit_digit, -1,          0,             /* digit */
-  cbit_graph, -1,          0,             /* graph */
-  cbit_print, -1,          0,             /* print */
-  cbit_punct, -1,          0,             /* punct */
-  cbit_space, -1,          0,             /* space */
-  cbit_word,  -1,          0,             /* word - a Perl extension */
-  cbit_xdigit,-1,          0              /* xdigit */
-};
-
-/* Table of substitutes for \d etc when PCRE_UCP is set. They are replaced by
-Unicode property escapes. */
-
-#ifdef SUPPORT_UCP
-static const pcre_uchar string_PNd[]  = {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_N, CHAR_d, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pNd[]  = {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_N, CHAR_d, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PXsp[] = {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_s, CHAR_p, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pXsp[] = {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_s, CHAR_p, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PXwd[] = {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_w, CHAR_d, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pXwd[] = {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_w, CHAR_d, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-
-static const pcre_uchar *substitutes[] = {
-  string_PNd,           /* \D */
-  string_pNd,           /* \d */
-  string_PXsp,          /* \S */   /* Xsp is Perl space, but from 8.34, Perl */
-  string_pXsp,          /* \s */   /* space and POSIX space are the same. */
-  string_PXwd,          /* \W */
-  string_pXwd           /* \w */
-};
-
-/* The POSIX class substitutes must be in the order of the POSIX class names,
-defined above, and there are both positive and negative cases. NULL means no
-general substitute of a Unicode property escape (\p or \P). However, for some
-POSIX classes (e.g. graph, print, punct) a special property code is compiled
-directly. */
-
-static const pcre_uchar string_pL[] =   {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pLl[] =  {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_l, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pLu[] =  {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_u, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_pXan[] = {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_a, CHAR_n, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_h[] =    {
-  CHAR_BACKSLASH, CHAR_h, '\0' };
-static const pcre_uchar string_pXps[] = {
-  CHAR_BACKSLASH, CHAR_p, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_p, CHAR_s, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PL[] =   {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PLl[] =  {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_l, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PLu[] =  {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_L, CHAR_u, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_PXan[] = {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_a, CHAR_n, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-static const pcre_uchar string_H[] =    {
-  CHAR_BACKSLASH, CHAR_H, '\0' };
-static const pcre_uchar string_PXps[] = {
-  CHAR_BACKSLASH, CHAR_P, CHAR_LEFT_CURLY_BRACKET,
-  CHAR_X, CHAR_p, CHAR_s, CHAR_RIGHT_CURLY_BRACKET, '\0' };
-
-static const pcre_uchar *posix_substitutes[] = {
-  string_pL,            /* alpha */
-  string_pLl,           /* lower */
-  string_pLu,           /* upper */
-  string_pXan,          /* alnum */
-  NULL,                 /* ascii */
-  string_h,             /* blank */
-  NULL,                 /* cntrl */
-  string_pNd,           /* digit */
-  NULL,                 /* graph */
-  NULL,                 /* print */
-  NULL,                 /* punct */
-  string_pXps,          /* space */   /* Xps is POSIX space, but from 8.34 */
-  string_pXwd,          /* word  */   /* Perl and POSIX space are the same */
-  NULL,                 /* xdigit */
-  /* Negated cases */
-  string_PL,            /* ^alpha */
-  string_PLl,           /* ^lower */
-  string_PLu,           /* ^upper */
-  string_PXan,          /* ^alnum */
-  NULL,                 /* ^ascii */
-  string_H,             /* ^blank */
-  NULL,                 /* ^cntrl */
-  string_PNd,           /* ^digit */
-  NULL,                 /* ^graph */
-  NULL,                 /* ^print */
-  NULL,                 /* ^punct */
-  string_PXps,          /* ^space */  /* Xps is POSIX space, but from 8.34 */
-  string_PXwd,          /* ^word */   /* Perl and POSIX space are the same */
-  NULL                  /* ^xdigit */
-};
-#define POSIX_SUBSIZE (sizeof(posix_substitutes) / sizeof(pcre_uchar *))
-#endif
-
-#define STRING(a)  # a
-#define XSTRING(s) STRING(s)
-
-/* The texts of compile-time error messages. These are "char *" because they
-are passed to the outside world. Do not ever re-use any error number, because
-they are documented. Always add a new error instead. Messages marked DEAD below
-are no longer used. This used to be a table of strings, but in order to reduce
-the number of relocations needed when a shared library is loaded dynamically,
-it is now one long string. We cannot use a table of offsets, because the
-lengths of inserts such as XSTRING(MAX_NAME_SIZE) are not known. Instead, we
-simply count through to the one we want - this isn't a performance issue
-because these strings are used only when there is a compilation error.
-
-Each substring ends with \0 to insert a null character. This includes the final
-substring, so that the whole string ends with \0\0, which can be detected when
-counting through. */
-
-static const char error_texts[] =
-  "no error\0"
-  "\\ at end of pattern\0"
-  "\\c at end of pattern\0"
-  "unrecognized character follows \\\0"
-  "numbers out of order in {} quantifier\0"
-  /* 5 */
-  "number too big in {} quantifier\0"
-  "missing terminating ] for character class\0"
-  "invalid escape sequence in character class\0"
-  "range out of order in character class\0"
-  "nothing to repeat\0"
-  /* 10 */
-  "internal error: invalid forward reference offset\0"
-  "internal error: unexpected repeat\0"
-  "unrecognized character after (? or (?-\0"
-  "POSIX named classes are supported only within a class\0"
-  "missing )\0"
-  /* 15 */
-  "reference to non-existent subpattern\0"
-  "erroffset passed as NULL\0"
-  "unknown option bit(s) set\0"
-  "missing ) after comment\0"
-  "parentheses nested too deeply\0"  /** DEAD **/
-  /* 20 */
-  "regular expression is too large\0"
-  "failed to get memory\0"
-  "unmatched parentheses\0"
-  "internal error: code overflow\0"
-  "unrecognized character after (?<\0"
-  /* 25 */
-  "lookbehind assertion is not fixed length\0"
-  "malformed number or name after (?(\0"
-  "conditional group contains more than two branches\0"
-  "assertion expected after (?( or (?(?C)\0"
-  "(?R or (?[+-]digits must be followed by )\0"
-  /* 30 */
-  "unknown POSIX class name\0"
-  "POSIX collating elements are not supported\0"
-  "this version of PCRE is compiled without UTF support\0"
-  "spare error\0"  /** DEAD **/
-  "character value in \\x{} or \\o{} is too large\0"
-  /* 35 */
-  "invalid condition (?(0)\0"
-  "\\C not allowed in lookbehind assertion\0"
-  "PCRE does not support \\L, \\l, \\N{name}, \\U, or \\u\0"
-  "number after (?C is > 255\0"
-  "closing ) for (?C expected\0"
-  /* 40 */
-  "recursive call could loop indefinitely\0"
-  "unrecognized character after (?P\0"
-  "syntax error in subpattern name (missing terminator)\0"
-  "two named subpatterns have the same name\0"
-  "invalid UTF-8 string\0"
-  /* 45 */
-  "support for \\P, \\p, and \\X has not been compiled\0"
-  "malformed \\P or \\p sequence\0"
-  "unknown property name after \\P or \\p\0"
-  "subpattern name is too long (maximum " XSTRING(MAX_NAME_SIZE) " characters)\0"
-  "too many named subpatterns (maximum " XSTRING(MAX_NAME_COUNT) ")\0"
-  /* 50 */
-  "repeated subpattern is too long\0"    /** DEAD **/
-  "octal value is greater than \\377 in 8-bit non-UTF-8 mode\0"
-  "internal error: overran compiling workspace\0"
-  "internal error: previously-checked referenced subpattern not found\0"
-  "DEFINE group contains more than one branch\0"
-  /* 55 */
-  "repeating a DEFINE group is not allowed\0"  /** DEAD **/
-  "inconsistent NEWLINE options\0"
-  "\\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number\0"
-  "a numbered reference must not be zero\0"
-  "an argument is not allowed for (*ACCEPT), (*FAIL), or (*COMMIT)\0"
-  /* 60 */
-  "(*VERB) not recognized or malformed\0"
-  "number is too big\0"
-  "subpattern name expected\0"
-  "digit expected after (?+\0"
-  "] is an invalid data character in JavaScript compatibility mode\0"
-  /* 65 */
-  "different names for subpatterns of the same number are not allowed\0"
-  "(*MARK) must have an argument\0"
-  "this version of PCRE is not compiled with Unicode property support\0"
-#ifndef EBCDIC
-  "\\c must be followed by an ASCII character\0"
-#else
-  "\\c must be followed by a letter or one of [\\]^_?\0"
-#endif
-  "\\k is not followed by a braced, angle-bracketed, or quoted name\0"
-  /* 70 */
-  "internal error: unknown opcode in find_fixedlength()\0"
-  "\\N is not supported in a class\0"
-  "too many forward references\0"
-  "disallowed Unicode code point (>= 0xd800 && <= 0xdfff)\0"
-  "invalid UTF-16 string\0"
-  /* 75 */
-  "name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN)\0"
-  "character value in \\u.... sequence is too large\0"
-  "invalid UTF-32 string\0"
-  "setting UTF is disabled by the application\0"
-  "non-hex character in \\x{} (closing brace missing?)\0"
-  /* 80 */
-  "non-octal character in \\o{} (closing brace missing?)\0"
-  "missing opening brace after \\o\0"
-  "parentheses are too deeply nested\0"
-  "invalid range in character class\0"
-  "group name must start with a non-digit\0"
-  /* 85 */
-  "parentheses are too deeply nested (stack check)\0"
-  "digits missing in \\x{} or \\o{}\0"
-  "regular expression is too complicated\0"
-  ;
-
-/* Table to identify digits and hex digits. This is used when compiling
-patterns. Note that the tables in chartables are dependent on the locale, and
-may mark arbitrary characters as digits - but the PCRE compiling code expects
-to handle only 0-9, a-z, and A-Z as digits when compiling. That is why we have
-a private table here. It costs 256 bytes, but it is a lot faster than doing
-character value tests (at least in some simple cases I timed), and in some
-applications one wants PCRE to compile efficiently as well as match
-efficiently.
-
-For convenience, we use the same bit definitions as in chartables:
-
-  0x04   decimal digit
-  0x08   hexadecimal digit
-
-Then we can use ctype_digit and ctype_xdigit in the code. */
-
-/* Using a simple comparison for decimal numbers rather than a memory read
-is much faster, and the resulting code is simpler (the compiler turns it
-into a subtraction and unsigned comparison). */
-
-#define IS_DIGIT(x) ((x) >= CHAR_0 && (x) <= CHAR_9)
-
-#ifndef EBCDIC
-
-/* This is the "normal" case, for ASCII systems, and EBCDIC systems running in
-UTF-8 mode. */
-
-static const pcre_uint8 digitab[] =
-  {
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*   0-  7 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*   8- 15 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  16- 23 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  24- 31 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*    - '  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  ( - /  */
-  0x0c,0x0c,0x0c,0x0c,0x0c,0x0c,0x0c,0x0c, /*  0 - 7  */
-  0x0c,0x0c,0x00,0x00,0x00,0x00,0x00,0x00, /*  8 - ?  */
-  0x00,0x08,0x08,0x08,0x08,0x08,0x08,0x00, /*  @ - G  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  H - O  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  P - W  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  X - _  */
-  0x00,0x08,0x08,0x08,0x08,0x08,0x08,0x00, /*  ` - g  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  h - o  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  p - w  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  x -127 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 128-135 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 136-143 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 144-151 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 152-159 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 160-167 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 168-175 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 176-183 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 184-191 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 192-199 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 200-207 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 208-215 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 216-223 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 224-231 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 232-239 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 240-247 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};/* 248-255 */
-
-#else
-
-/* This is the "abnormal" case, for EBCDIC systems not running in UTF-8 mode. */
-
-static const pcre_uint8 digitab[] =
-  {
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*   0-  7  0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*   8- 15    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  16- 23 10 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  24- 31    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  32- 39 20 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  40- 47    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  48- 55 30 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  56- 63    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*    - 71 40 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  72- |     */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  & - 87 50 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  88- 95    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  - -103 60 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 104- ?     */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 112-119 70 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 120- "     */
-  0x00,0x08,0x08,0x08,0x08,0x08,0x08,0x00, /* 128- g  80 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  h -143    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 144- p  90 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  q -159    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 160- x  A0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  y -175    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  ^ -183 B0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 184-191    */
-  0x00,0x08,0x08,0x08,0x08,0x08,0x08,0x00, /*  { - G  C0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  H -207    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  } - P  D0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  Q -223    */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  \ - X  E0 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  Y -239    */
-  0x0c,0x0c,0x0c,0x0c,0x0c,0x0c,0x0c,0x0c, /*  0 - 7  F0 */
-  0x0c,0x0c,0x00,0x00,0x00,0x00,0x00,0x00};/*  8 -255    */
-
-static const pcre_uint8 ebcdic_chartab[] = { /* chartable partial dup */
-  0x80,0x00,0x00,0x00,0x00,0x01,0x00,0x00, /*   0-  7 */
-  0x00,0x00,0x00,0x00,0x01,0x01,0x00,0x00, /*   8- 15 */
-  0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00, /*  16- 23 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  24- 31 */
-  0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00, /*  32- 39 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  40- 47 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  48- 55 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  56- 63 */
-  0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*    - 71 */
-  0x00,0x00,0x00,0x80,0x00,0x80,0x80,0x80, /*  72- |  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  & - 87 */
-  0x00,0x00,0x00,0x80,0x80,0x80,0x00,0x00, /*  88- 95 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  - -103 */
-  0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x80, /* 104- ?  */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 112-119 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 120- "  */
-  0x00,0x1a,0x1a,0x1a,0x1a,0x1a,0x1a,0x12, /* 128- g  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  h -143 */
-  0x00,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /* 144- p  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  q -159 */
-  0x00,0x00,0x12,0x12,0x12,0x12,0x12,0x12, /* 160- x  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  y -175 */
-  0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  ^ -183 */
-  0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00, /* 184-191 */
-  0x80,0x1a,0x1a,0x1a,0x1a,0x1a,0x1a,0x12, /*  { - G  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  H -207 */
-  0x00,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /*  } - P  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  Q -223 */
-  0x00,0x00,0x12,0x12,0x12,0x12,0x12,0x12, /*  \ - X  */
-  0x12,0x12,0x00,0x00,0x00,0x00,0x00,0x00, /*  Y -239 */
-  0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c, /*  0 - 7  */
-  0x1c,0x1c,0x00,0x00,0x00,0x00,0x00,0x00};/*  8 -255 */
-#endif
-
-
-/* This table is used to check whether auto-possessification is possible
-between adjacent character-type opcodes. The left-hand (repeated) opcode is
-used to select the row, and the right-hand opcode is use to select the column.
-A value of 1 means that auto-possessification is OK. For example, the second
-value in the first row means that \D+\d can be turned into \D++\d.
-
-The Unicode property types (\P and \p) have to be present to fill out the table
-because of what their opcode values are, but the table values should always be
-zero because property types are handled separately in the code. The last four
-columns apply to items that cannot be repeated, so there is no need to have
-rows for them. Note that OP_DIGIT etc. are generated only when PCRE_UCP is
-*not* set. When it is set, \d etc. are converted into OP_(NOT_)PROP codes. */
-
-#define APTROWS (LAST_AUTOTAB_LEFT_OP - FIRST_AUTOTAB_OP + 1)
-#define APTCOLS (LAST_AUTOTAB_RIGHT_OP - FIRST_AUTOTAB_OP + 1)
-
-static const pcre_uint8 autoposstab[APTROWS][APTCOLS] = {
-/* \D \d \S \s \W \w  . .+ \C \P \p \R \H \h \V \v \X \Z \z  $ $M */
-  { 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* \D */
-  { 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1 },  /* \d */
-  { 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1 },  /* \S */
-  { 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* \s */
-  { 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* \W */
-  { 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1 },  /* \w */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* .  */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* .+ */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 },  /* \C */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },  /* \P */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },  /* \p */
-  { 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0 },  /* \R */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0 },  /* \H */
-  { 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0 },  /* \h */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0 },  /* \V */
-  { 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0 },  /* \v */
-  { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0 }   /* \X */
-};
-
-
-/* This table is used to check whether auto-possessification is possible
-between adjacent Unicode property opcodes (OP_PROP and OP_NOTPROP). The
-left-hand (repeated) opcode is used to select the row, and the right-hand
-opcode is used to select the column. The values are as follows:
-
-  0   Always return FALSE (never auto-possessify)
-  1   Character groups are distinct (possessify if both are OP_PROP)
-  2   Check character categories in the same group (general or particular)
-  3   TRUE if the two opcodes are not the same (PROP vs NOTPROP)
-
-  4   Check left general category vs right particular category
-  5   Check right general category vs left particular category
-
-  6   Left alphanum vs right general category
-  7   Left space vs right general category
-  8   Left word vs right general category
-
-  9   Right alphanum vs left general category
- 10   Right space vs left general category
- 11   Right word vs left general category
-
- 12   Left alphanum vs right particular category
- 13   Left space vs right particular category
- 14   Left word vs right particular category
-
- 15   Right alphanum vs left particular category
- 16   Right space vs left particular category
- 17   Right word vs left particular category
-*/
-
-static const pcre_uint8 propposstab[PT_TABSIZE][PT_TABSIZE] = {
-/* ANY LAMP GC  PC  SC ALNUM SPACE PXSPACE WORD CLIST UCNC */
-  { 0,  0,  0,  0,  0,    0,    0,      0,   0,    0,   0 },  /* PT_ANY */
-  { 0,  3,  0,  0,  0,    3,    1,      1,   0,    0,   0 },  /* PT_LAMP */
-  { 0,  0,  2,  4,  0,    9,   10,     10,  11,    0,   0 },  /* PT_GC */
-  { 0,  0,  5,  2,  0,   15,   16,     16,  17,    0,   0 },  /* PT_PC */
-  { 0,  0,  0,  0,  2,    0,    0,      0,   0,    0,   0 },  /* PT_SC */
-  { 0,  3,  6, 12,  0,    3,    1,      1,   0,    0,   0 },  /* PT_ALNUM */
-  { 0,  1,  7, 13,  0,    1,    3,      3,   1,    0,   0 },  /* PT_SPACE */
-  { 0,  1,  7, 13,  0,    1,    3,      3,   1,    0,   0 },  /* PT_PXSPACE */
-  { 0,  0,  8, 14,  0,    0,    1,      1,   3,    0,   0 },  /* PT_WORD */
-  { 0,  0,  0,  0,  0,    0,    0,      0,   0,    0,   0 },  /* PT_CLIST */
-  { 0,  0,  0,  0,  0,    0,    0,      0,   0,    0,   3 }   /* PT_UCNC */
-};
-
-/* This table is used to check whether auto-possessification is possible
-between adjacent Unicode property opcodes (OP_PROP and OP_NOTPROP) when one
-specifies a general category and the other specifies a particular category. The
-row is selected by the general category and the column by the particular
-category. The value is 1 if the particular category is not part of the general
-category. */
-
-static const pcre_uint8 catposstab[7][30] = {
-/* Cc Cf Cn Co Cs Ll Lm Lo Lt Lu Mc Me Mn Nd Nl No Pc Pd Pe Pf Pi Po Ps Sc Sk Sm So Zl Zp Zs */
-  { 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 },  /* C */
-  { 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 },  /* L */
-  { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 },  /* M */
-  { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 },  /* N */
-  { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1 },  /* P */
-  { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1 },  /* S */
-  { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0 }   /* Z */
-};
-
-/* This table is used when checking ALNUM, (PX)SPACE, SPACE, and WORD against
-a general or particular category. The properties in each row are those
-that apply to the character set in question. Duplication means that a little
-unnecessary work is done when checking, but this keeps things much simpler
-because they can all use the same code. For more details see the comment where
-this table is used.
-
-Note: SPACE and PXSPACE used to be different because Perl excluded VT from
-"space", but from Perl 5.18 it's included, so both categories are treated the
-same here. */
-
-static const pcre_uint8 posspropstab[3][4] = {
-  { ucp_L, ucp_N, ucp_N, ucp_Nl },  /* ALNUM, 3rd and 4th values redundant */
-  { ucp_Z, ucp_Z, ucp_C, ucp_Cc },  /* SPACE and PXSPACE, 2nd value redundant */
-  { ucp_L, ucp_N, ucp_P, ucp_Po }   /* WORD */
-};
-
-/* This table is used when converting repeating opcodes into possessified
-versions as a result of an explicit possessive quantifier such as ++. A zero
-value means there is no possessified version - in those cases the item in
-question must be wrapped in ONCE brackets. The table is truncated at OP_CALLOUT
-because all relevant opcodes are less than that. */
-
-static const pcre_uint8 opcode_possessify[] = {
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 0 - 15  */
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 - 31 */
-
-  0,                       /* NOTI */
-  OP_POSSTAR, 0,           /* STAR, MINSTAR */
-  OP_POSPLUS, 0,           /* PLUS, MINPLUS */
-  OP_POSQUERY, 0,          /* QUERY, MINQUERY */
-  OP_POSUPTO, 0,           /* UPTO, MINUPTO */
-  0,                       /* EXACT */
-  0, 0, 0, 0,              /* POS{STAR,PLUS,QUERY,UPTO} */
-
-  OP_POSSTARI, 0,          /* STARI, MINSTARI */
-  OP_POSPLUSI, 0,          /* PLUSI, MINPLUSI */
-  OP_POSQUERYI, 0,         /* QUERYI, MINQUERYI */
-  OP_POSUPTOI, 0,          /* UPTOI, MINUPTOI */
-  0,                       /* EXACTI */
-  0, 0, 0, 0,              /* POS{STARI,PLUSI,QUERYI,UPTOI} */
-
-  OP_NOTPOSSTAR, 0,        /* NOTSTAR, NOTMINSTAR */
-  OP_NOTPOSPLUS, 0,        /* NOTPLUS, NOTMINPLUS */
-  OP_NOTPOSQUERY, 0,       /* NOTQUERY, NOTMINQUERY */
-  OP_NOTPOSUPTO, 0,        /* NOTUPTO, NOTMINUPTO */
-  0,                       /* NOTEXACT */
-  0, 0, 0, 0,              /* NOTPOS{STAR,PLUS,QUERY,UPTO} */
-
-  OP_NOTPOSSTARI, 0,       /* NOTSTARI, NOTMINSTARI */
-  OP_NOTPOSPLUSI, 0,       /* NOTPLUSI, NOTMINPLUSI */
-  OP_NOTPOSQUERYI, 0,      /* NOTQUERYI, NOTMINQUERYI */
-  OP_NOTPOSUPTOI, 0,       /* NOTUPTOI, NOTMINUPTOI */
-  0,                       /* NOTEXACTI */
-  0, 0, 0, 0,              /* NOTPOS{STARI,PLUSI,QUERYI,UPTOI} */
-
-  OP_TYPEPOSSTAR, 0,       /* TYPESTAR, TYPEMINSTAR */
-  OP_TYPEPOSPLUS, 0,       /* TYPEPLUS, TYPEMINPLUS */
-  OP_TYPEPOSQUERY, 0,      /* TYPEQUERY, TYPEMINQUERY */
-  OP_TYPEPOSUPTO, 0,       /* TYPEUPTO, TYPEMINUPTO */
-  0,                       /* TYPEEXACT */
-  0, 0, 0, 0,              /* TYPEPOS{STAR,PLUS,QUERY,UPTO} */
-
-  OP_CRPOSSTAR, 0,         /* CRSTAR, CRMINSTAR */
-  OP_CRPOSPLUS, 0,         /* CRPLUS, CRMINPLUS */
-  OP_CRPOSQUERY, 0,        /* CRQUERY, CRMINQUERY */
-  OP_CRPOSRANGE, 0,        /* CRRANGE, CRMINRANGE */
-  0, 0, 0, 0,              /* CRPOS{STAR,PLUS,QUERY,RANGE} */
-
-  0, 0, 0,                 /* CLASS, NCLASS, XCLASS */
-  0, 0,                    /* REF, REFI */
-  0, 0,                    /* DNREF, DNREFI */
-  0, 0                     /* RECURSE, CALLOUT */
-};
-
-
-
-/*************************************************
-*            Find an error text                  *
-*************************************************/
-
-/* The error texts are now all in one long string, to save on relocations. As
-some of the text is of unknown length, we can't use a table of offsets.
-Instead, just count through the strings. This is not a performance issue
-because it happens only when there has been a compilation error.
-
-Argument:   the error number
-Returns:    pointer to the error string
-*/
-
-static const char *
-find_error_text(int n)
-{
-const char *s = error_texts;
-for (; n > 0; n--)
-  {
-  while (*s++ != CHAR_NULL) {};
-  if (*s == CHAR_NULL) return "Error text not found (please report)";
-  }
-return s;
-}
-
-
-
-/*************************************************
-*           Expand the workspace                 *
-*************************************************/
-
-/* This function is called during the second compiling phase, if the number of
-forward references fills the existing workspace, which is originally a block on
-the stack. A larger block is obtained from malloc() unless the ultimate limit
-has been reached or the increase will be rather small.
-
-Argument: pointer to the compile data block
-Returns:  0 if all went well, else an error number
-*/
-
-static int
-expand_workspace(compile_data *cd)
-{
-pcre_uchar *newspace;
-int newsize = cd->workspace_size * 2;
-
-if (newsize > COMPILE_WORK_SIZE_MAX) newsize = COMPILE_WORK_SIZE_MAX;
-if (cd->workspace_size >= COMPILE_WORK_SIZE_MAX ||
-    newsize - cd->workspace_size < WORK_SIZE_SAFETY_MARGIN)
- return ERR72;
-
-newspace = (PUBL(malloc))(IN_UCHARS(newsize));
-if (newspace == NULL) return ERR21;
-memcpy(newspace, cd->start_workspace, cd->workspace_size * sizeof(pcre_uchar));
-cd->hwm = (pcre_uchar *)newspace + (cd->hwm - cd->start_workspace);
-if (cd->workspace_size > COMPILE_WORK_SIZE)
-  (PUBL(free))((void *)cd->start_workspace);
-cd->start_workspace = newspace;
-cd->workspace_size = newsize;
-return 0;
-}
-
-
-
-/*************************************************
-*            Check for counted repeat            *
-*************************************************/
-
-/* This function is called when a '{' is encountered in a place where it might
-start a quantifier. It looks ahead to see if it really is a quantifier or not.
-It is only a quantifier if it is one of the forms {ddd} {ddd,} or {ddd,ddd}
-where the ddds are digits.
-
-Arguments:
-  p         pointer to the first char after '{'
-
-Returns:    TRUE or FALSE
-*/
-
-static BOOL
-is_counted_repeat(const pcre_uchar *p)
-{
-if (!IS_DIGIT(*p)) return FALSE;
-p++;
-while (IS_DIGIT(*p)) p++;
-if (*p == CHAR_RIGHT_CURLY_BRACKET) return TRUE;
-
-if (*p++ != CHAR_COMMA) return FALSE;
-if (*p == CHAR_RIGHT_CURLY_BRACKET) return TRUE;
-
-if (!IS_DIGIT(*p)) return FALSE;
-p++;
-while (IS_DIGIT(*p)) p++;
-
-return (*p == CHAR_RIGHT_CURLY_BRACKET);
-}
-
-
-
-/*************************************************
-*            Handle escapes                      *
-*************************************************/
-
-/* This function is called when a \ has been encountered. It either returns a
-positive value for a simple escape such as \n, or 0 for a data character which
-will be placed in chptr. A backreference to group n is returned as negative n.
-When UTF-8 is enabled, a positive value greater than 255 may be returned in
-chptr. On entry, ptr is pointing at the \. On exit, it is on the final
-character of the escape sequence.
-
-Arguments:
-  ptrptr         points to the pattern position pointer
-  chptr          points to a returned data character
-  errorcodeptr   points to the errorcode variable
-  bracount       number of previous extracting brackets
-  options        the options bits
-  isclass        TRUE if inside a character class
-
-Returns:         zero => a data character
-                 positive => a special escape sequence
-                 negative => a back reference
-                 on error, errorcodeptr is set
-*/
-
-static int
-check_escape(const pcre_uchar **ptrptr, pcre_uint32 *chptr, int *errorcodeptr,
-  int bracount, int options, BOOL isclass)
-{
-/* PCRE_UTF16 has the same value as PCRE_UTF8. */
-BOOL utf = (options & PCRE_UTF8) != 0;
-const pcre_uchar *ptr = *ptrptr + 1;
-pcre_uint32 c;
-int escape = 0;
-int i;
-
-GETCHARINCTEST(c, ptr);           /* Get character value, increment pointer */
-ptr--;                            /* Set pointer back to the last byte */
-
-/* If backslash is at the end of the pattern, it's an error. */
-
-if (c == CHAR_NULL) *errorcodeptr = ERR1;
-
-/* Non-alphanumerics are literals. For digits or letters, do an initial lookup
-in a table. A non-zero result is something that can be returned immediately.
-Otherwise further processing may be required. */
-
-#ifndef EBCDIC  /* ASCII/UTF-8 coding */
-/* Not alphanumeric */
-else if (c < CHAR_0 || c > CHAR_z) {}
-else if ((i = escapes[c - CHAR_0]) != 0)
-  { if (i > 0) c = (pcre_uint32)i; else escape = -i; }
-
-#else           /* EBCDIC coding */
-/* Not alphanumeric */
-else if (c < CHAR_a || (!MAX_255(c) || (ebcdic_chartab[c] & 0x0E) == 0)) {}
-else if ((i = escapes[c - 0x48]) != 0)  { if (i > 0) c = (pcre_uint32)i; else escape = -i; }
-#endif
-
-/* Escapes that need further processing, or are illegal. */
-
-else
-  {
-  const pcre_uchar *oldptr;
-  BOOL braced, negated, overflow;
-  int s;
-
-  switch (c)
-    {
-    /* A number of Perl escapes are not handled by PCRE. We give an explicit
-    error. */
-
-    case CHAR_l:
-    case CHAR_L:
-    *errorcodeptr = ERR37;
-    break;
-
-    case CHAR_u:
-    if ((options & PCRE_JAVASCRIPT_COMPAT) != 0)
-      {
-      /* In JavaScript, \u must be followed by four hexadecimal numbers.
-      Otherwise it is a lowercase u letter. */
-      if (MAX_255(ptr[1]) && (digitab[ptr[1]] & ctype_xdigit) != 0
-        && MAX_255(ptr[2]) && (digitab[ptr[2]] & ctype_xdigit) != 0
-        && MAX_255(ptr[3]) && (digitab[ptr[3]] & ctype_xdigit) != 0
-        && MAX_255(ptr[4]) && (digitab[ptr[4]] & ctype_xdigit) != 0)
-        {
-        c = 0;
-        for (i = 0; i < 4; ++i)
-          {
-          register pcre_uint32 cc = *(++ptr);
-#ifndef EBCDIC  /* ASCII/UTF-8 coding */
-          if (cc >= CHAR_a) cc -= 32;               /* Convert to upper case */
-          c = (c << 4) + cc - ((cc < CHAR_A)? CHAR_0 : (CHAR_A - 10));
-#else           /* EBCDIC coding */
-          if (cc >= CHAR_a && cc <= CHAR_z) cc += 64;  /* Convert to upper case */
-          c = (c << 4) + cc - ((cc >= CHAR_0)? CHAR_0 : (CHAR_A - 10));
-#endif
-          }
-
-#if defined COMPILE_PCRE8
-        if (c > (utf ? 0x10ffffU : 0xffU))
-#elif defined COMPILE_PCRE16
-        if (c > (utf ? 0x10ffffU : 0xffffU))
-#elif defined COMPILE_PCRE32
-        if (utf && c > 0x10ffffU)
-#endif
-          {
-          *errorcodeptr = ERR76;
-          }
-        else if (utf && c >= 0xd800 && c <= 0xdfff) *errorcodeptr = ERR73;
-        }
-      }
-    else
-      *errorcodeptr = ERR37;
-    break;
-
-    case CHAR_U:
-    /* In JavaScript, \U is an uppercase U letter. */
-    if ((options & PCRE_JAVASCRIPT_COMPAT) == 0) *errorcodeptr = ERR37;
-    break;
-
-    /* In a character class, \g is just a literal "g". Outside a character
-    class, \g must be followed by one of a number of specific things:
-
-    (1) A number, either plain or braced. If positive, it is an absolute
-    backreference. If negative, it is a relative backreference. This is a Perl
-    5.10 feature.
-
-    (2) Perl 5.10 also supports \g{name} as a reference to a named group. This
-    is part of Perl's movement towards a unified syntax for back references. As
-    this is synonymous with \k{name}, we fudge it up by pretending it really
-    was \k.
-
-    (3) For Oniguruma compatibility we also support \g followed by a name or a
-    number either in angle brackets or in single quotes. However, these are
-    (possibly recursive) subroutine calls, _not_ backreferences. Just return
-    the ESC_g code (cf \k). */
-
-    case CHAR_g:
-    if (isclass) break;
-    if (ptr[1] == CHAR_LESS_THAN_SIGN || ptr[1] == CHAR_APOSTROPHE)
-      {
-      escape = ESC_g;
-      break;
-      }
-
-    /* Handle the Perl-compatible cases */
-
-    if (ptr[1] == CHAR_LEFT_CURLY_BRACKET)
-      {
-      const pcre_uchar *p;
-      for (p = ptr+2; *p != CHAR_NULL && *p != CHAR_RIGHT_CURLY_BRACKET; p++)
-        if (*p != CHAR_MINUS && !IS_DIGIT(*p)) break;
-      if (*p != CHAR_NULL && *p != CHAR_RIGHT_CURLY_BRACKET)
-        {
-        escape = ESC_k;
-        break;
-        }
-      braced = TRUE;
-      ptr++;
-      }
-    else braced = FALSE;
-
-    if (ptr[1] == CHAR_MINUS)
-      {
-      negated = TRUE;
-      ptr++;
-      }
-    else negated = FALSE;
-
-    /* The integer range is limited by the machine's int representation. */
-    s = 0;
-    overflow = FALSE;
-    while (IS_DIGIT(ptr[1]))
-      {
-      if (s > INT_MAX / 10 - 1) /* Integer overflow */
-        {
-        overflow = TRUE;
-        break;
-        }
-      s = s * 10 + (int)(*(++ptr) - CHAR_0);
-      }
-    if (overflow) /* Integer overflow */
-      {
-      while (IS_DIGIT(ptr[1]))
-        ptr++;
-      *errorcodeptr = ERR61;
-      break;
-      }
-
-    if (braced && *(++ptr) != CHAR_RIGHT_CURLY_BRACKET)
-      {
-      *errorcodeptr = ERR57;
-      break;
-      }
-
-    if (s == 0)
-      {
-      *errorcodeptr = ERR58;
-      break;
-      }
-
-    if (negated)
-      {
-      if (s > bracount)
-        {
-        *errorcodeptr = ERR15;
-        break;
-        }
-      s = bracount - (s - 1);
-      }
-
-    escape = -s;
-    break;
-
-    /* The handling of escape sequences consisting of a string of digits
-    starting with one that is not zero is not straightforward. Perl has changed
-    over the years. Nowadays \g{} for backreferences and \o{} for octal are
-    recommended to avoid the ambiguities in the old syntax.
-
-    Outside a character class, the digits are read as a decimal number. If the
-    number is less than 8 (used to be 10), or if there are that many previous
-    extracting left brackets, then it is a back reference. Otherwise, up to
-    three octal digits are read to form an escaped byte. Thus \123 is likely to
-    be octal 123 (cf \0123, which is octal 012 followed by the literal 3). If
-    the octal value is greater than 377, the least significant 8 bits are
-    taken. \8 and \9 are treated as the literal characters 8 and 9.
-
-    Inside a character class, \ followed by a digit is always either a literal
-    8 or 9 or an octal number. */
-
-    case CHAR_1: case CHAR_2: case CHAR_3: case CHAR_4: case CHAR_5:
-    case CHAR_6: case CHAR_7: case CHAR_8: case CHAR_9:
-
-    if (!isclass)
-      {
-      oldptr = ptr;
-      /* The integer range is limited by the machine's int representation. */
-      s = (int)(c -CHAR_0);
-      overflow = FALSE;
-      while (IS_DIGIT(ptr[1]))
-        {
-        if (s > INT_MAX / 10 - 1) /* Integer overflow */
-          {
-          overflow = TRUE;
-          break;
-          }
-        s = s * 10 + (int)(*(++ptr) - CHAR_0);
-        }
-      if (overflow) /* Integer overflow */
-        {
-        while (IS_DIGIT(ptr[1]))
-          ptr++;
-        *errorcodeptr = ERR61;
-        break;
-        }
-      if (s < 8 || s <= bracount)  /* Check for back reference */
-        {
-        escape = -s;
-        break;
-        }
-      ptr = oldptr;      /* Put the pointer back and fall through */
-      }
-
-    /* Handle a digit following \ when the number is not a back reference. If
-    the first digit is 8 or 9, Perl used to generate a binary zero byte and
-    then treat the digit as a following literal. At least by Perl 5.18 this
-    changed so as not to insert the binary zero. */
-
-    if ((c = *ptr) >= CHAR_8) break;
-
-    /* Fall through with a digit less than 8 */
-
-    /* \0 always starts an octal number, but we may drop through to here with a
-    larger first octal digit. The original code used just to take the least
-    significant 8 bits of octal numbers (I think this is what early Perls used
-    to do). Nowadays we allow for larger numbers in UTF-8 mode and 16-bit mode,
-    but no more than 3 octal digits. */
-
-    case CHAR_0:
-    c -= CHAR_0;
-    while(i++ < 2 && ptr[1] >= CHAR_0 && ptr[1] <= CHAR_7)
-        c = c * 8 + *(++ptr) - CHAR_0;
-#ifdef COMPILE_PCRE8
-    if (!utf && c > 0xff) *errorcodeptr = ERR51;
-#endif
-    break;
-
-    /* \o is a relatively new Perl feature, supporting a more general way of
-    specifying character codes in octal. The only supported form is \o{ddd}. */
-
-    case CHAR_o:
-    if (ptr[1] != CHAR_LEFT_CURLY_BRACKET) *errorcodeptr = ERR81; else
-    if (ptr[2] == CHAR_RIGHT_CURLY_BRACKET) *errorcodeptr = ERR86; else
-      {
-      ptr += 2;
-      c = 0;
-      overflow = FALSE;
-      while (*ptr >= CHAR_0 && *ptr <= CHAR_7)
-        {
-        register pcre_uint32 cc = *ptr++;
-        if (c == 0 && cc == CHAR_0) continue;     /* Leading zeroes */
-#ifdef COMPILE_PCRE32
-        if (c >= 0x20000000l) { overflow = TRUE; break; }
-#endif
-        c = (c << 3) + cc - CHAR_0 ;
-#if defined COMPILE_PCRE8
-        if (c > (utf ? 0x10ffffU : 0xffU)) { overflow = TRUE; break; }
-#elif defined COMPILE_PCRE16
-        if (c > (utf ? 0x10ffffU : 0xffffU)) { overflow = TRUE; break; }
-#elif defined COMPILE_PCRE32
-        if (utf && c > 0x10ffffU) { overflow = TRUE; break; }
-#endif
-        }
-      if (overflow)
-        {
-        while (*ptr >= CHAR_0 && *ptr <= CHAR_7) ptr++;
-        *errorcodeptr = ERR34;
-        }
-      else if (*ptr == CHAR_RIGHT_CURLY_BRACKET)
-        {
-        if (utf && c >= 0xd800 && c <= 0xdfff) *errorcodeptr = ERR73;
-        }
-      else *errorcodeptr = ERR80;
-      }
-    break;
-
-    /* \x is complicated. In JavaScript, \x must be followed by two hexadecimal
-    numbers. Otherwise it is a lowercase x letter. */
-
-    case CHAR_x:
-    if ((options & PCRE_JAVASCRIPT_COMPAT) != 0)
-      {
-      if (MAX_255(ptr[1]) && (digitab[ptr[1]] & ctype_xdigit) != 0
-        && MAX_255(ptr[2]) && (digitab[ptr[2]] & ctype_xdigit) != 0)
-        {
-        c = 0;
-        for (i = 0; i < 2; ++i)
-          {
-          register pcre_uint32 cc = *(++ptr);
-#ifndef EBCDIC  /* ASCII/UTF-8 coding */
-          if (cc >= CHAR_a) cc -= 32;               /* Convert to upper case */
-          c = (c << 4) + cc - ((cc < CHAR_A)? CHAR_0 : (CHAR_A - 10));
-#else           /* EBCDIC coding */
-          if (cc >= CHAR_a && cc <= CHAR_z) cc += 64;  /* Convert to upper case */
-          c = (c << 4) + cc - ((cc >= CHAR_0)? CHAR_0 : (CHAR_A - 10));
-#endif
-          }
-        }
-      }    /* End JavaScript handling */
-
-    /* Handle \x in Perl's style. \x{ddd} is a character number which can be
-    greater than 0xff in utf or non-8bit mode, but only if the ddd are hex
-    digits. If not, { used to be treated as a data character. However, Perl
-    seems to read hex digits up to the first non-such, and ignore the rest, so
-    that, for example \x{zz} matches a binary zero. This seems crazy, so PCRE
-    now gives an error. */
-
-    else
-      {
-      if (ptr[1] == CHAR_LEFT_CURLY_BRACKET)
-        {
-        ptr += 2;
-        if (*ptr == CHAR_RIGHT_CURLY_BRACKET)
-          {
-          *errorcodeptr = ERR86;
-          break;
-          }
-        c = 0;
-        overflow = FALSE;
-        while (MAX_255(*ptr) && (digitab[*ptr] & ctype_xdigit) != 0)
-          {
-          register pcre_uint32 cc = *ptr++;
-          if (c == 0 && cc == CHAR_0) continue;     /* Leading zeroes */
-
-#ifdef COMPILE_PCRE32
-          if (c >= 0x10000000l) { overflow = TRUE; break; }
-#endif
-
-#ifndef EBCDIC  /* ASCII/UTF-8 coding */
-          if (cc >= CHAR_a) cc -= 32;               /* Convert to upper case */
-          c = (c << 4) + cc - ((cc < CHAR_A)? CHAR_0 : (CHAR_A - 10));
-#else           /* EBCDIC coding */
-          if (cc >= CHAR_a && cc <= CHAR_z) cc += 64;  /* Convert to upper case */
-          c = (c << 4) + cc - ((cc >= CHAR_0)? CHAR_0 : (CHAR_A - 10));
-#endif
-
-#if defined COMPILE_PCRE8
-          if (c > (utf ? 0x10ffffU : 0xffU)) { overflow = TRUE; break; }
-#elif defined COMPILE_PCRE16
-          if (c > (utf ? 0x10ffffU : 0xffffU)) { overflow = TRUE; break; }
-#elif defined COMPILE_PCRE32
-          if (utf && c > 0x10ffffU) { overflow = TRUE; break; }
-#endif
-          }
-
-        if (overflow)
-          {
-          while (MAX_255(*ptr) && (digitab[*ptr] & ctype_xdigit) != 0) ptr++;
-          *errorcodeptr = ERR34;
-          }
-
-        else if (*ptr == CHAR_RIGHT_CURLY_BRACKET)
-          {
-          if (utf && c >= 0xd800 && c <= 0xdfff) *errorcodeptr = ERR73;
-          }
-
-        /* If the sequence of hex digits does not end with '}', give an error.
-        We used just to recognize this construct and fall through to the normal
-        \x handling, but nowadays Perl gives an error, which seems much more
-        sensible, so we do too. */
-
-        else *errorcodeptr = ERR79;
-        }   /* End of \x{} processing */
-
-      /* Read a single-byte hex-defined char (up to two hex digits after \x) */
-
-      else
-        {
-        c = 0;
-        while (i++ < 2 && MAX_255(ptr[1]) && (digitab[ptr[1]] & ctype_xdigit) != 0)
-          {
-          pcre_uint32 cc;                          /* Some compilers don't like */
-          cc = *(++ptr);                           /* ++ in initializers */
-#ifndef EBCDIC  /* ASCII/UTF-8 coding */
-          if (cc >= CHAR_a) cc -= 32;              /* Convert to upper case */
-          c = c * 16 + cc - ((cc < CHAR_A)? CHAR_0 : (CHAR_A - 10));
-#else           /* EBCDIC coding */
-          if (cc <= CHAR_z) cc += 64;              /* Convert to upper case */
-          c = c * 16 + cc - ((cc >= CHAR_0)? CHAR_0 : (CHAR_A - 10));
-#endif
-          }
-        }     /* End of \xdd handling */
-      }       /* End of Perl-style \x handling */
-    break;
-
-    /* For \c, a following letter is upper-cased; then the 0x40 bit is flipped.
-    An error is given if the byte following \c is not an ASCII character. This
-    coding is ASCII-specific, but then the whole concept of \cx is
-    ASCII-specific. (However, an EBCDIC equivalent has now been added.) */
-
-    case CHAR_c:
-    c = *(++ptr);
-    if (c == CHAR_NULL)
-      {
-      *errorcodeptr = ERR2;
-      break;
-      }
-#ifndef EBCDIC    /* ASCII/UTF-8 coding */
-    if (c > 127)  /* Excludes all non-ASCII in either mode */
-      {
-      *errorcodeptr = ERR68;
-      break;
-      }
-    if (c >= CHAR_a && c <= CHAR_z) c -= 32;
-    c ^= 0x40;
-#else             /* EBCDIC coding */
-    if (c >= CHAR_a && c <= CHAR_z) c += 64;
-    if (c == CHAR_QUESTION_MARK)
-      c = ('\\' == 188 && '`' == 74)? 0x5f : 0xff;
-    else
-      {
-      for (i = 0; i < 32; i++)
-        {
-        if (c == ebcdic_escape_c[i]) break;
-        }
-      if (i < 32) c = i; else *errorcodeptr = ERR68;
-      }
-#endif
-    break;
-
-    /* PCRE_EXTRA enables extensions to Perl in the matter of escapes. Any
-    other alphanumeric following \ is an error if PCRE_EXTRA was set;
-    otherwise, for Perl compatibility, it is a literal. This code looks a bit
-    odd, but there used to be some cases other than the default, and there may
-    be again in future, so I haven't "optimized" it. */
-
-    default:
-    if ((options & PCRE_EXTRA) != 0) switch(c)
-      {
-      default:
-      *errorcodeptr = ERR3;
-      break;
-      }
-    break;
-    }
-  }
-
-/* Perl supports \N{name} for character names, as well as plain \N for "not
-newline". PCRE does not support \N{name}. However, it does support
-quantification such as \N{2,3}. */
-
-if (escape == ESC_N && ptr[1] == CHAR_LEFT_CURLY_BRACKET &&
-     !is_counted_repeat(ptr+2))
-  *errorcodeptr = ERR37;
-
-/* If PCRE_UCP is set, we change the values for \d etc. */
-
-if ((options & PCRE_UCP) != 0 && escape >= ESC_D && escape <= ESC_w)
-  escape += (ESC_DU - ESC_D);
-
-/* Set the pointer to the final character before returning. */
-
-*ptrptr = ptr;
-*chptr = c;
-return escape;
-}
-
-
-
-#ifdef SUPPORT_UCP
-/*************************************************
-*               Handle \P and \p                 *
-*************************************************/
-
-/* This function is called after \P or \p has been encountered, provided that
-PCRE is compiled with support for Unicode properties. On entry, ptrptr is
-pointing at the P or p. On exit, it is pointing at the final character of the
-escape sequence.
-
-Argument:
-  ptrptr         points to the pattern position pointer
-  negptr         points to a boolean that is set TRUE for negation else FALSE
-  ptypeptr       points to an unsigned int that is set to the type value
-  pdataptr       points to an unsigned int that is set to the detailed property value
-  errorcodeptr   points to the error code variable
-
-Returns:         TRUE if the type value was found, or FALSE for an invalid type
-*/
-
-static BOOL
-get_ucp(const pcre_uchar **ptrptr, BOOL *negptr, unsigned int *ptypeptr,
-  unsigned int *pdataptr, int *errorcodeptr)
-{
-pcre_uchar c;
-int i, bot, top;
-const pcre_uchar *ptr = *ptrptr;
-pcre_uchar name[32];
-
-c = *(++ptr);
-if (c == CHAR_NULL) goto ERROR_RETURN;
-
-*negptr = FALSE;
-
-/* \P or \p can be followed by a name in {}, optionally preceded by ^ for
-negation. */
-
-if (c == CHAR_LEFT_CURLY_BRACKET)
-  {
-  if (ptr[1] == CHAR_CIRCUMFLEX_ACCENT)
-    {
-    *negptr = TRUE;
-    ptr++;
-    }
-  for (i = 0; i < (int)(sizeof(name) / sizeof(pcre_uchar)) - 1; i++)
-    {
-    c = *(++ptr);
-    if (c == CHAR_NULL) goto ERROR_RETURN;
-    if (c == CHAR_RIGHT_CURLY_BRACKET) break;
-    name[i] = c;
-    }
-  if (c != CHAR_RIGHT_CURLY_BRACKET) goto ERROR_RETURN;
-  name[i] = 0;
-  }
-
-/* Otherwise there is just one following character */
-
-else
-  {
-  name[0] = c;
-  name[1] = 0;
-  }
-
-*ptrptr = ptr;
-
-/* Search for a recognized property name using binary chop */
-
-bot = 0;
-top = PRIV(utt_size);
-
-while (bot < top)
-  {
-  int r;
-  i = (bot + top) >> 1;
-  r = STRCMP_UC_C8(name, PRIV(utt_names) + PRIV(utt)[i].name_offset);
-  if (r == 0)
-    {
-    *ptypeptr = PRIV(utt)[i].type;
-    *pdataptr = PRIV(utt)[i].value;
-    return TRUE;
-    }
-  if (r > 0) bot = i + 1; else top = i;
-  }
-
-*errorcodeptr = ERR47;
-*ptrptr = ptr;
-return FALSE;
-
-ERROR_RETURN:
-*errorcodeptr = ERR46;
-*ptrptr = ptr;
-return FALSE;
-}
-#endif
-
-
-
-/*************************************************
-*         Read repeat counts                     *
-*************************************************/
-
-/* Read an item of the form {n,m} and return the values. This is called only
-after is_counted_repeat() has confirmed that a repeat-count quantifier exists,
-so the syntax is guaranteed to be correct, but we need to check the values.
-
-Arguments:
-  p              pointer to first char after '{'
-  minp           pointer to int for min
-  maxp           pointer to int for max
-                 returned as -1 if no max
-  errorcodeptr   points to error code variable
-
-Returns:         pointer to '}' on success;
-                 current ptr on error, with errorcodeptr set non-zero
-*/
-
-static const pcre_uchar *
-read_repeat_counts(const pcre_uchar *p, int *minp, int *maxp, int *errorcodeptr)
-{
-int min = 0;
-int max = -1;
-
-while (IS_DIGIT(*p))
-  {
-  min = min * 10 + (int)(*p++ - CHAR_0);
-  if (min > 65535)
-    {
-    *errorcodeptr = ERR5;
-    return p;
-    }
-  }
-
-if (*p == CHAR_RIGHT_CURLY_BRACKET) max = min; else
-  {
-  if (*(++p) != CHAR_RIGHT_CURLY_BRACKET)
-    {
-    max = 0;
-    while(IS_DIGIT(*p))
-      {
-      max = max * 10 + (int)(*p++ - CHAR_0);
-      if (max > 65535)
-        {
-        *errorcodeptr = ERR5;
-        return p;
-        }
-      }
-    if (max < min)
-      {
-      *errorcodeptr = ERR4;
-      return p;
-      }
-    }
-  }
-
-*minp = min;
-*maxp = max;
-return p;
-}
-
-
-
-/*************************************************
-*      Find first significant op code            *
-*************************************************/
-
-/* This is called by several functions that scan a compiled expression looking
-for a fixed first character, or an anchoring op code etc. It skips over things
-that do not influence this. For some calls, it makes sense to skip negative
-forward and all backward assertions, and also the \b assertion; for others it
-does not.
-
-Arguments:
-  code         pointer to the start of the group
-  skipassert   TRUE if certain assertions are to be skipped
-
-Returns:       pointer to the first significant opcode
-*/
-
-static const pcre_uchar*
-first_significant_code(const pcre_uchar *code, BOOL skipassert)
-{
-for (;;)
-  {
-  switch ((int)*code)
-    {
-    case OP_ASSERT_NOT:
-    case OP_ASSERTBACK:
-    case OP_ASSERTBACK_NOT:
-    if (!skipassert) return code;
-    do code += GET(code, 1); while (*code == OP_ALT);
-    code += PRIV(OP_lengths)[*code];
-    break;
-
-    case OP_WORD_BOUNDARY:
-    case OP_NOT_WORD_BOUNDARY:
-    if (!skipassert) return code;
-    /* Fall through */
-
-    case OP_CALLOUT:
-    case OP_CREF:
-    case OP_DNCREF:
-    case OP_RREF:
-    case OP_DNRREF:
-    case OP_DEF:
-    code += PRIV(OP_lengths)[*code];
-    break;
-
-    default:
-    return code;
-    }
-  }
-/* Control never reaches here */
-}
-
-
-
-/*************************************************
-*        Find the fixed length of a branch       *
-*************************************************/
-
-/* Scan a branch and compute the fixed length of subject that will match it,
-if the length is fixed. This is needed for dealing with backward assertions.
-In UTF8 mode, the result is in characters rather than bytes. The branch is
-temporarily terminated with OP_END when this function is called.
-
-This function is called when a backward assertion is encountered, so that if it
-fails, the error message can point to the correct place in the pattern.
-However, we cannot do this when the assertion contains subroutine calls,
-because they can be forward references. We solve this by remembering this case
-and doing the check at the end; a flag specifies which mode we are running in.
-
-Arguments:
-  code     points to the start of the pattern (the bracket)
-  utf      TRUE in UTF-8 / UTF-16 / UTF-32 mode
-  atend    TRUE if called when the pattern is complete
-  cd       the "compile data" structure
-  recurses    chain of recurse_check to catch mutual recursion
-
-Returns:   the fixed length,
-             or -1 if there is no fixed length,
-             or -2 if \C was encountered (in UTF-8 mode only)
-             or -3 if an OP_RECURSE item was encountered and atend is FALSE
-             or -4 if an unknown opcode was encountered (internal error)
-*/
-
-static int
-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
-  recurse_check *recurses)
-{
-int length = -1;
-recurse_check this_recurse;
-register int branchlength = 0;
-register pcre_uchar *cc = code + 1 + LINK_SIZE;
-
-/* Scan along the opcodes for this branch. If we get to the end of the
-branch, check the length against that of the other branches. */
-
-for (;;)
-  {
-  int d;
-  pcre_uchar *ce, *cs;
-  register pcre_uchar op = *cc;
-
-  switch (op)
-    {
-    /* We only need to continue for OP_CBRA (normal capturing bracket) and
-    OP_BRA (normal non-capturing bracket) because the other variants of these
-    opcodes are all concerned with unlimited repeated groups, which of course
-    are not of fixed length. */
-
-    case OP_CBRA:
-    case OP_BRA:
-    case OP_ONCE:
-    case OP_ONCE_NC:
-    case OP_COND:
-    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
-      recurses);
-    if (d < 0) return d;
-    branchlength += d;
-    do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* Reached end of a branch; if it's a ket it is the end of a nested call.
-    If it's ALT it is an alternation in a nested call. An ACCEPT is effectively
-    an ALT. If it is END it's the end of the outer call. All can be handled by
-    the same code. Note that we must not include the OP_KETRxxx opcodes here,
-    because they all imply an unlimited repeat. */
-
-    case OP_ALT:
-    case OP_KET:
-    case OP_END:
-    case OP_ACCEPT:
-    case OP_ASSERT_ACCEPT:
-    if (length < 0) length = branchlength;
-      else if (length != branchlength) return -1;
-    if (*cc != OP_ALT) return length;
-    cc += 1 + LINK_SIZE;
-    branchlength = 0;
-    break;
-
-    /* A true recursion implies not fixed length, but a subroutine call may
-    be OK. If the subroutine is a forward reference, we can't deal with
-    it until the end of the pattern, so return -3. */
-
-    case OP_RECURSE:
-    if (!atend) return -3;
-    cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1);  /* Start subpattern */
-    do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End subpattern */
-    if (cc > cs && cc < ce) return -1;                    /* Recursion */
-    else   /* Check for mutual recursion */
-      {
-      recurse_check *r = recurses;
-      for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
-      if (r != NULL) return -1;   /* Mutual recursion */
-      }
-    this_recurse.prev = recurses;
-    this_recurse.group = cs;
-    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
-    if (d < 0) return d;
-    branchlength += d;
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* Skip over assertive subpatterns */
-
-    case OP_ASSERT:
-    case OP_ASSERT_NOT:
-    case OP_ASSERTBACK:
-    case OP_ASSERTBACK_NOT:
-    do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* Skip over things that don't match chars */
-
-    case OP_MARK:
-    case OP_PRUNE_ARG:
-    case OP_SKIP_ARG:
-    case OP_THEN_ARG:
-    cc += cc[1] + PRIV(OP_lengths)[*cc];
-    break;
-
-    case OP_CALLOUT:
-    case OP_CIRC:
-    case OP_CIRCM:
-    case OP_CLOSE:
-    case OP_COMMIT:
-    case OP_CREF:
-    case OP_DEF:
-    case OP_DNCREF:
-    case OP_DNRREF:
-    case OP_DOLL:
-    case OP_DOLLM:
-    case OP_EOD:
-    case OP_EODN:
-    case OP_FAIL:
-    case OP_NOT_WORD_BOUNDARY:
-    case OP_PRUNE:
-    case OP_REVERSE:
-    case OP_RREF:
-    case OP_SET_SOM:
-    case OP_SKIP:
-    case OP_SOD:
-    case OP_SOM:
-    case OP_THEN:
-    case OP_WORD_BOUNDARY:
-    cc += PRIV(OP_lengths)[*cc];
-    break;
-
-    /* Handle literal characters */
-
-    case OP_CHAR:
-    case OP_CHARI:
-    case OP_NOT:
-    case OP_NOTI:
-    branchlength++;
-    cc += 2;
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
-#endif
-    break;
-
-    /* Handle exact repetitions. The count is already in characters, but we
-    need to skip over a multibyte character in UTF8 mode.  */
-
-    case OP_EXACT:
-    case OP_EXACTI:
-    case OP_NOTEXACT:
-    case OP_NOTEXACTI:
-    branchlength += (int)GET2(cc,1);
-    cc += 2 + IMM2_SIZE;
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
-#endif
-    break;
-
-    case OP_TYPEEXACT:
-    branchlength += GET2(cc,1);
-    if (cc[1 + IMM2_SIZE] == OP_PROP || cc[1 + IMM2_SIZE] == OP_NOTPROP)
-      cc += 2;
-    cc += 1 + IMM2_SIZE + 1;
-    break;
-
-    /* Handle single-char matchers */
-
-    case OP_PROP:
-    case OP_NOTPROP:
-    cc += 2;
-    /* Fall through */
-
-    case OP_HSPACE:
-    case OP_VSPACE:
-    case OP_NOT_HSPACE:
-    case OP_NOT_VSPACE:
-    case OP_NOT_DIGIT:
-    case OP_DIGIT:
-    case OP_NOT_WHITESPACE:
-    case OP_WHITESPACE:
-    case OP_NOT_WORDCHAR:
-    case OP_WORDCHAR:
-    case OP_ANY:
-    case OP_ALLANY:
-    branchlength++;
-    cc++;
-    break;
-
-    /* The single-byte matcher isn't allowed. This only happens in UTF-8 mode;
-    otherwise \C is coded as OP_ALLANY. */
-
-    case OP_ANYBYTE:
-    return -2;
-
-    /* Check a class for variable quantification */
-
-    case OP_CLASS:
-    case OP_NCLASS:
-#if defined SUPPORT_UTF || defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-    case OP_XCLASS:
-    /* The original code caused an unsigned overflow in 64 bit systems,
-    so now we use a conditional statement. */
-    if (op == OP_XCLASS)
-      cc += GET(cc, 1);
-    else
-      cc += PRIV(OP_lengths)[OP_CLASS];
-#else
-    cc += PRIV(OP_lengths)[OP_CLASS];
-#endif
-
-    switch (*cc)
-      {
-      case OP_CRSTAR:
-      case OP_CRMINSTAR:
-      case OP_CRPLUS:
-      case OP_CRMINPLUS:
-      case OP_CRQUERY:
-      case OP_CRMINQUERY:
-      case OP_CRPOSSTAR:
-      case OP_CRPOSPLUS:
-      case OP_CRPOSQUERY:
-      return -1;
-
-      case OP_CRRANGE:
-      case OP_CRMINRANGE:
-      case OP_CRPOSRANGE:
-      if (GET2(cc,1) != GET2(cc,1+IMM2_SIZE)) return -1;
-      branchlength += (int)GET2(cc,1);
-      cc += 1 + 2 * IMM2_SIZE;
-      break;
-
-      default:
-      branchlength++;
-      }
-    break;
-
-    /* Anything else is variable length */
-
-    case OP_ANYNL:
-    case OP_BRAMINZERO:
-    case OP_BRAPOS:
-    case OP_BRAPOSZERO:
-    case OP_BRAZERO:
-    case OP_CBRAPOS:
-    case OP_EXTUNI:
-    case OP_KETRMAX:
-    case OP_KETRMIN:
-    case OP_KETRPOS:
-    case OP_MINPLUS:
-    case OP_MINPLUSI:
-    case OP_MINQUERY:
-    case OP_MINQUERYI:
-    case OP_MINSTAR:
-    case OP_MINSTARI:
-    case OP_MINUPTO:
-    case OP_MINUPTOI:
-    case OP_NOTMINPLUS:
-    case OP_NOTMINPLUSI:
-    case OP_NOTMINQUERY:
-    case OP_NOTMINQUERYI:
-    case OP_NOTMINSTAR:
-    case OP_NOTMINSTARI:
-    case OP_NOTMINUPTO:
-    case OP_NOTMINUPTOI:
-    case OP_NOTPLUS:
-    case OP_NOTPLUSI:
-    case OP_NOTPOSPLUS:
-    case OP_NOTPOSPLUSI:
-    case OP_NOTPOSQUERY:
-    case OP_NOTPOSQUERYI:
-    case OP_NOTPOSSTAR:
-    case OP_NOTPOSSTARI:
-    case OP_NOTPOSUPTO:
-    case OP_NOTPOSUPTOI:
-    case OP_NOTQUERY:
-    case OP_NOTQUERYI:
-    case OP_NOTSTAR:
-    case OP_NOTSTARI:
-    case OP_NOTUPTO:
-    case OP_NOTUPTOI:
-    case OP_PLUS:
-    case OP_PLUSI:
-    case OP_POSPLUS:
-    case OP_POSPLUSI:
-    case OP_POSQUERY:
-    case OP_POSQUERYI:
-    case OP_POSSTAR:
-    case OP_POSSTARI:
-    case OP_POSUPTO:
-    case OP_POSUPTOI:
-    case OP_QUERY:
-    case OP_QUERYI:
-    case OP_REF:
-    case OP_REFI:
-    case OP_DNREF:
-    case OP_DNREFI:
-    case OP_SBRA:
-    case OP_SBRAPOS:
-    case OP_SCBRA:
-    case OP_SCBRAPOS:
-    case OP_SCOND:
-    case OP_SKIPZERO:
-    case OP_STAR:
-    case OP_STARI:
-    case OP_TYPEMINPLUS:
-    case OP_TYPEMINQUERY:
-    case OP_TYPEMINSTAR:
-    case OP_TYPEMINUPTO:
-    case OP_TYPEPLUS:
-    case OP_TYPEPOSPLUS:
-    case OP_TYPEPOSQUERY:
-    case OP_TYPEPOSSTAR:
-    case OP_TYPEPOSUPTO:
-    case OP_TYPEQUERY:
-    case OP_TYPESTAR:
-    case OP_TYPEUPTO:
-    case OP_UPTO:
-    case OP_UPTOI:
-    return -1;
-
-    /* Catch unrecognized opcodes so that when new ones are added they
-    are not forgotten, as has happened in the past. */
-
-    default:
-    return -4;
-    }
-  }
-/* Control never gets here */
-}
-
-
-
-/*************************************************
-*    Scan compiled regex for specific bracket    *
-*************************************************/
-
-/* This little function scans through a compiled pattern until it finds a
-capturing bracket with the given number, or, if the number is negative, an
-instance of OP_REVERSE for a lookbehind. The function is global in the C sense
-so that it can be called from pcre_study() when finding the minimum matching
-length.
-
-Arguments:
-  code        points to start of expression
-  utf         TRUE in UTF-8 / UTF-16 / UTF-32 mode
-  number      the required bracket number or negative to find a lookbehind
-
-Returns:      pointer to the opcode for the bracket, or NULL if not found
-*/
-
-const pcre_uchar *
-PRIV(find_bracket)(const pcre_uchar *code, BOOL utf, int number)
-{
-for (;;)
-  {
-  register pcre_uchar c = *code;
-
-  if (c == OP_END) return NULL;
-
-  /* XCLASS is used for classes that cannot be represented just by a bit
-  map. This includes negated single high-valued characters. The length in
-  the table is zero; the actual length is stored in the compiled code. */
-
-  if (c == OP_XCLASS) code += GET(code, 1);
-
-  /* Handle recursion */
-
-  else if (c == OP_REVERSE)
-    {
-    if (number < 0) return (pcre_uchar *)code;
-    code += PRIV(OP_lengths)[c];
-    }
-
-  /* Handle capturing bracket */
-
-  else if (c == OP_CBRA || c == OP_SCBRA ||
-           c == OP_CBRAPOS || c == OP_SCBRAPOS)
-    {
-    int n = (int)GET2(code, 1+LINK_SIZE);
-    if (n == number) return (pcre_uchar *)code;
-    code += PRIV(OP_lengths)[c];
-    }
-
-  /* Otherwise, we can get the item's length from the table, except that for
-  repeated character types, we have to test for \p and \P, which have an extra
-  two bytes of parameters, and for MARK/PRUNE/SKIP/THEN with an argument, we
-  must add in its length. */
-
-  else
-    {
-    switch(c)
-      {
-      case OP_TYPESTAR:
-      case OP_TYPEMINSTAR:
-      case OP_TYPEPLUS:
-      case OP_TYPEMINPLUS:
-      case OP_TYPEQUERY:
-      case OP_TYPEMINQUERY:
-      case OP_TYPEPOSSTAR:
-      case OP_TYPEPOSPLUS:
-      case OP_TYPEPOSQUERY:
-      if (code[1] == OP_PROP || code[1] == OP_NOTPROP) code += 2;
-      break;
-
-      case OP_TYPEUPTO:
-      case OP_TYPEMINUPTO:
-      case OP_TYPEEXACT:
-      case OP_TYPEPOSUPTO:
-      if (code[1 + IMM2_SIZE] == OP_PROP || code[1 + IMM2_SIZE] == OP_NOTPROP)
-        code += 2;
-      break;
-
-      case OP_MARK:
-      case OP_PRUNE_ARG:
-      case OP_SKIP_ARG:
-      case OP_THEN_ARG:
-      code += code[1];
-      break;
-      }
-
-    /* Add in the fixed length from the table */
-
-    code += PRIV(OP_lengths)[c];
-
-  /* In UTF-8 mode, opcodes that are followed by a character may be followed by
-  a multi-byte character. The length in the table is a minimum, so we have to
-  arrange to skip the extra bytes. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-    if (utf) switch(c)
-      {
-      case OP_CHAR:
-      case OP_CHARI:
-      case OP_NOT:
-      case OP_NOTI:
-      case OP_EXACT:
-      case OP_EXACTI:
-      case OP_NOTEXACT:
-      case OP_NOTEXACTI:
-      case OP_UPTO:
-      case OP_UPTOI:
-      case OP_NOTUPTO:
-      case OP_NOTUPTOI:
-      case OP_MINUPTO:
-      case OP_MINUPTOI:
-      case OP_NOTMINUPTO:
-      case OP_NOTMINUPTOI:
-      case OP_POSUPTO:
-      case OP_POSUPTOI:
-      case OP_NOTPOSUPTO:
-      case OP_NOTPOSUPTOI:
-      case OP_STAR:
-      case OP_STARI:
-      case OP_NOTSTAR:
-      case OP_NOTSTARI:
-      case OP_MINSTAR:
-      case OP_MINSTARI:
-      case OP_NOTMINSTAR:
-      case OP_NOTMINSTARI:
-      case OP_POSSTAR:
-      case OP_POSSTARI:
-      case OP_NOTPOSSTAR:
-      case OP_NOTPOSSTARI:
-      case OP_PLUS:
-      case OP_PLUSI:
-      case OP_NOTPLUS:
-      case OP_NOTPLUSI:
-      case OP_MINPLUS:
-      case OP_MINPLUSI:
-      case OP_NOTMINPLUS:
-      case OP_NOTMINPLUSI:
-      case OP_POSPLUS:
-      case OP_POSPLUSI:
-      case OP_NOTPOSPLUS:
-      case OP_NOTPOSPLUSI:
-      case OP_QUERY:
-      case OP_QUERYI:
-      case OP_NOTQUERY:
-      case OP_NOTQUERYI:
-      case OP_MINQUERY:
-      case OP_MINQUERYI:
-      case OP_NOTMINQUERY:
-      case OP_NOTMINQUERYI:
-      case OP_POSQUERY:
-      case OP_POSQUERYI:
-      case OP_NOTPOSQUERY:
-      case OP_NOTPOSQUERYI:
-      if (HAS_EXTRALEN(code[-1])) code += GET_EXTRALEN(code[-1]);
-      break;
-      }
-#else
-    (void)(utf);  /* Keep compiler happy by referencing function argument */
-#endif
-    }
-  }
-}
-
-
-
-/*************************************************
-*   Scan compiled regex for recursion reference  *
-*************************************************/
-
-/* This little function scans through a compiled pattern until it finds an
-instance of OP_RECURSE.
-
-Arguments:
-  code        points to start of expression
-  utf         TRUE in UTF-8 / UTF-16 / UTF-32 mode
-
-Returns:      pointer to the opcode for OP_RECURSE, or NULL if not found
-*/
-
-static const pcre_uchar *
-find_recurse(const pcre_uchar *code, BOOL utf)
-{
-for (;;)
-  {
-  register pcre_uchar c = *code;
-  if (c == OP_END) return NULL;
-  if (c == OP_RECURSE) return code;
-
-  /* XCLASS is used for classes that cannot be represented just by a bit
-  map. This includes negated single high-valued characters. The length in
-  the table is zero; the actual length is stored in the compiled code. */
-
-  if (c == OP_XCLASS) code += GET(code, 1);
-
-  /* Otherwise, we can get the item's length from the table, except that for
-  repeated character types, we have to test for \p and \P, which have an extra
-  two bytes of parameters, and for MARK/PRUNE/SKIP/THEN with an argument, we
-  must add in its length. */
-
-  else
-    {
-    switch(c)
-      {
-      case OP_TYPESTAR:
-      case OP_TYPEMINSTAR:
-      case OP_TYPEPLUS:
-      case OP_TYPEMINPLUS:
-      case OP_TYPEQUERY:
-      case OP_TYPEMINQUERY:
-      case OP_TYPEPOSSTAR:
-      case OP_TYPEPOSPLUS:
-      case OP_TYPEPOSQUERY:
-      if (code[1] == OP_PROP || code[1] == OP_NOTPROP) code += 2;
-      break;
-
-      case OP_TYPEPOSUPTO:
-      case OP_TYPEUPTO:
-      case OP_TYPEMINUPTO:
-      case OP_TYPEEXACT:
-      if (code[1 + IMM2_SIZE] == OP_PROP || code[1 + IMM2_SIZE] == OP_NOTPROP)
-        code += 2;
-      break;
-
-      case OP_MARK:
-      case OP_PRUNE_ARG:
-      case OP_SKIP_ARG:
-      case OP_THEN_ARG:
-      code += code[1];
-      break;
-      }
-
-    /* Add in the fixed length from the table */
-
-    code += PRIV(OP_lengths)[c];
-
-    /* In UTF-8 mode, opcodes that are followed by a character may be followed
-    by a multi-byte character. The length in the table is a minimum, so we have
-    to arrange to skip the extra bytes. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-    if (utf) switch(c)
-      {
-      case OP_CHAR:
-      case OP_CHARI:
-      case OP_NOT:
-      case OP_NOTI:
-      case OP_EXACT:
-      case OP_EXACTI:
-      case OP_NOTEXACT:
-      case OP_NOTEXACTI:
-      case OP_UPTO:
-      case OP_UPTOI:
-      case OP_NOTUPTO:
-      case OP_NOTUPTOI:
-      case OP_MINUPTO:
-      case OP_MINUPTOI:
-      case OP_NOTMINUPTO:
-      case OP_NOTMINUPTOI:
-      case OP_POSUPTO:
-      case OP_POSUPTOI:
-      case OP_NOTPOSUPTO:
-      case OP_NOTPOSUPTOI:
-      case OP_STAR:
-      case OP_STARI:
-      case OP_NOTSTAR:
-      case OP_NOTSTARI:
-      case OP_MINSTAR:
-      case OP_MINSTARI:
-      case OP_NOTMINSTAR:
-      case OP_NOTMINSTARI:
-      case OP_POSSTAR:
-      case OP_POSSTARI:
-      case OP_NOTPOSSTAR:
-      case OP_NOTPOSSTARI:
-      case OP_PLUS:
-      case OP_PLUSI:
-      case OP_NOTPLUS:
-      case OP_NOTPLUSI:
-      case OP_MINPLUS:
-      case OP_MINPLUSI:
-      case OP_NOTMINPLUS:
-      case OP_NOTMINPLUSI:
-      case OP_POSPLUS:
-      case OP_POSPLUSI:
-      case OP_NOTPOSPLUS:
-      case OP_NOTPOSPLUSI:
-      case OP_QUERY:
-      case OP_QUERYI:
-      case OP_NOTQUERY:
-      case OP_NOTQUERYI:
-      case OP_MINQUERY:
-      case OP_MINQUERYI:
-      case OP_NOTMINQUERY:
-      case OP_NOTMINQUERYI:
-      case OP_POSQUERY:
-      case OP_POSQUERYI:
-      case OP_NOTPOSQUERY:
-      case OP_NOTPOSQUERYI:
-      if (HAS_EXTRALEN(code[-1])) code += GET_EXTRALEN(code[-1]);
-      break;
-      }
-#else
-    (void)(utf);  /* Keep compiler happy by referencing function argument */
-#endif
-    }
-  }
-}
-
-
-
-/*************************************************
-*    Scan compiled branch for non-emptiness      *
-*************************************************/
-
-/* This function scans through a branch of a compiled pattern to see whether it
-can match the empty string or not. It is called from could_be_empty()
-below and from compile_branch() when checking for an unlimited repeat of a
-group that can match nothing. Note that first_significant_code() skips over
-backward and negative forward assertions when its final argument is TRUE. If we
-hit an unclosed bracket, we return "empty" - this means we've struck an inner
-bracket whose current branch will already have been scanned.
-
-Arguments:
-  code        points to start of search
-  endcode     points to where to stop
-  utf         TRUE if in UTF-8 / UTF-16 / UTF-32 mode
-  cd          contains pointers to tables etc.
-  recurses    chain of recurse_check to catch mutual recursion
-
-Returns:      TRUE if what is matched could be empty
-*/
-
-static BOOL
-could_be_empty_branch(const pcre_uchar *code, const pcre_uchar *endcode,
-  BOOL utf, compile_data *cd, recurse_check *recurses)
-{
-register pcre_uchar c;
-recurse_check this_recurse;
-
-for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE);
-     code < endcode;
-     code = first_significant_code(code + PRIV(OP_lengths)[c], TRUE))
-  {
-  const pcre_uchar *ccode;
-
-  c = *code;
-
-  /* Skip over forward assertions; the other assertions are skipped by
-  first_significant_code() with a TRUE final argument. */
-
-  if (c == OP_ASSERT)
-    {
-    do code += GET(code, 1); while (*code == OP_ALT);
-    c = *code;
-    continue;
-    }
-
-  /* For a recursion/subroutine call, if its end has been reached, which
-  implies a backward reference subroutine call, we can scan it. If it's a
-  forward reference subroutine call, we can't. To detect forward reference
-  we have to scan up the list that is kept in the workspace. This function is
-  called only when doing the real compile, not during the pre-compile that
-  measures the size of the compiled pattern. */
-
-  if (c == OP_RECURSE)
-    {
-    const pcre_uchar *scode = cd->start_code + GET(code, 1);
-    const pcre_uchar *endgroup = scode;
-    BOOL empty_branch;
-
-    /* Test for forward reference or uncompleted reference. This is disabled
-    when called to scan a completed pattern by setting cd->start_workspace to
-    NULL. */
-
-    if (cd->start_workspace != NULL)
-      {
-      const pcre_uchar *tcode;
-      for (tcode = cd->start_workspace; tcode < cd->hwm; tcode += LINK_SIZE)
-        if ((int)GET(tcode, 0) == (int)(code + 1 - cd->start_code)) return TRUE;
-      if (GET(scode, 1) == 0) return TRUE;    /* Unclosed */
-      }
-
-    /* If the reference is to a completed group, we need to detect whether this
-    is a recursive call, as otherwise there will be an infinite loop. If it is
-    a recursion, just skip over it. Simple recursions are easily detected. For
-    mutual recursions we keep a chain on the stack. */
-
-    do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT);
-    if (code >= scode && code <= endgroup) continue;  /* Simple recursion */
-    else
-      {
-      recurse_check *r = recurses;
-      for (r = recurses; r != NULL; r = r->prev)
-        if (r->group == scode) break;
-      if (r != NULL) continue;   /* Mutual recursion */
-      }
-
-    /* Completed reference; scan the referenced group, remembering it on the
-    stack chain to detect mutual recursions. */
-
-    empty_branch = FALSE;
-    this_recurse.prev = recurses;
-    this_recurse.group = scode;
-
-    do
-      {
-      if (could_be_empty_branch(scode, endcode, utf, cd, &this_recurse))
-        {
-        empty_branch = TRUE;
-        break;
-        }
-      scode += GET(scode, 1);
-      }
-    while (*scode == OP_ALT);
-
-    if (!empty_branch) return FALSE;  /* All branches are non-empty */
-    continue;
-    }
-
-  /* Groups with zero repeats can of course be empty; skip them. */
-
-  if (c == OP_BRAZERO || c == OP_BRAMINZERO || c == OP_SKIPZERO ||
-      c == OP_BRAPOSZERO)
-    {
-    code += PRIV(OP_lengths)[c];
-    do code += GET(code, 1); while (*code == OP_ALT);
-    c = *code;
-    continue;
-    }
-
-  /* A nested group that is already marked as "could be empty" can just be
-  skipped. */
-
-  if (c == OP_SBRA  || c == OP_SBRAPOS ||
-      c == OP_SCBRA || c == OP_SCBRAPOS)
-    {
-    do code += GET(code, 1); while (*code == OP_ALT);
-    c = *code;
-    continue;
-    }
-
-  /* For other groups, scan the branches. */
-
-  if (c == OP_BRA  || c == OP_BRAPOS ||
-      c == OP_CBRA || c == OP_CBRAPOS ||
-      c == OP_ONCE || c == OP_ONCE_NC ||
-      c == OP_COND || c == OP_SCOND)
-    {
-    BOOL empty_branch;
-    if (GET(code, 1) == 0) return TRUE;    /* Hit unclosed bracket */
-
-    /* If a conditional group has only one branch, there is a second, implied,
-    empty branch, so just skip over the conditional, because it could be empty.
-    Otherwise, scan the individual branches of the group. */
-
-    if (c == OP_COND && code[GET(code, 1)] != OP_ALT)
-      code += GET(code, 1);
-    else
-      {
-      empty_branch = FALSE;
-      do
-        {
-        if (!empty_branch && could_be_empty_branch(code, endcode, utf, cd,
-          recurses)) empty_branch = TRUE;
-        code += GET(code, 1);
-        }
-      while (*code == OP_ALT);
-      if (!empty_branch) return FALSE;   /* All branches are non-empty */
-      }
-
-    c = *code;
-    continue;
-    }
-
-  /* Handle the other opcodes */
-
-  switch (c)
-    {
-    /* Check for quantifiers after a class. XCLASS is used for classes that
-    cannot be represented just by a bit map. This includes negated single
-    high-valued characters. The length in PRIV(OP_lengths)[] is zero; the
-    actual length is stored in the compiled code, so we must update "code"
-    here. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    case OP_XCLASS:
-    ccode = code += GET(code, 1);
-    goto CHECK_CLASS_REPEAT;
-#endif
-
-    case OP_CLASS:
-    case OP_NCLASS:
-    ccode = code + PRIV(OP_lengths)[OP_CLASS];
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    CHECK_CLASS_REPEAT:
-#endif
-
-    switch (*ccode)
-      {
-      case OP_CRSTAR:            /* These could be empty; continue */
-      case OP_CRMINSTAR:
-      case OP_CRQUERY:
-      case OP_CRMINQUERY:
-      case OP_CRPOSSTAR:
-      case OP_CRPOSQUERY:
-      break;
-
-      default:                   /* Non-repeat => class must match */
-      case OP_CRPLUS:            /* These repeats aren't empty */
-      case OP_CRMINPLUS:
-      case OP_CRPOSPLUS:
-      return FALSE;
-
-      case OP_CRRANGE:
-      case OP_CRMINRANGE:
-      case OP_CRPOSRANGE:
-      if (GET2(ccode, 1) > 0) return FALSE;  /* Minimum > 0 */
-      break;
-      }
-    break;
-
-    /* Opcodes that must match a character */
-
-    case OP_ANY:
-    case OP_ALLANY:
-    case OP_ANYBYTE:
-
-    case OP_PROP:
-    case OP_NOTPROP:
-    case OP_ANYNL:
-
-    case OP_NOT_HSPACE:
-    case OP_HSPACE:
-    case OP_NOT_VSPACE:
-    case OP_VSPACE:
-    case OP_EXTUNI:
-
-    case OP_NOT_DIGIT:
-    case OP_DIGIT:
-    case OP_NOT_WHITESPACE:
-    case OP_WHITESPACE:
-    case OP_NOT_WORDCHAR:
-    case OP_WORDCHAR:
-
-    case OP_CHAR:
-    case OP_CHARI:
-    case OP_NOT:
-    case OP_NOTI:
-
-    case OP_PLUS:
-    case OP_PLUSI:
-    case OP_MINPLUS:
-    case OP_MINPLUSI:
-
-    case OP_NOTPLUS:
-    case OP_NOTPLUSI:
-    case OP_NOTMINPLUS:
-    case OP_NOTMINPLUSI:
-
-    case OP_POSPLUS:
-    case OP_POSPLUSI:
-    case OP_NOTPOSPLUS:
-    case OP_NOTPOSPLUSI:
-
-    case OP_EXACT:
-    case OP_EXACTI:
-    case OP_NOTEXACT:
-    case OP_NOTEXACTI:
-
-    case OP_TYPEPLUS:
-    case OP_TYPEMINPLUS:
-    case OP_TYPEPOSPLUS:
-    case OP_TYPEEXACT:
-
-    return FALSE;
-
-    /* These are going to continue, as they may be empty, but we have to
-    fudge the length for the \p and \P cases. */
-
-    case OP_TYPESTAR:
-    case OP_TYPEMINSTAR:
-    case OP_TYPEPOSSTAR:
-    case OP_TYPEQUERY:
-    case OP_TYPEMINQUERY:
-    case OP_TYPEPOSQUERY:
-    if (code[1] == OP_PROP || code[1] == OP_NOTPROP) code += 2;
-    break;
-
-    /* Same for these */
-
-    case OP_TYPEUPTO:
-    case OP_TYPEMINUPTO:
-    case OP_TYPEPOSUPTO:
-    if (code[1 + IMM2_SIZE] == OP_PROP || code[1 + IMM2_SIZE] == OP_NOTPROP)
-      code += 2;
-    break;
-
-    /* End of branch */
-
-    case OP_KET:
-    case OP_KETRMAX:
-    case OP_KETRMIN:
-    case OP_KETRPOS:
-    case OP_ALT:
-    return TRUE;
-
-    /* In UTF-8 mode, STAR, MINSTAR, POSSTAR, QUERY, MINQUERY, POSQUERY, UPTO,
-    MINUPTO, and POSUPTO and their caseless and negative versions may be
-    followed by a multibyte character. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-    case OP_STAR:
-    case OP_STARI:
-    case OP_NOTSTAR:
-    case OP_NOTSTARI:
-
-    case OP_MINSTAR:
-    case OP_MINSTARI:
-    case OP_NOTMINSTAR:
-    case OP_NOTMINSTARI:
-
-    case OP_POSSTAR:
-    case OP_POSSTARI:
-    case OP_NOTPOSSTAR:
-    case OP_NOTPOSSTARI:
-
-    case OP_QUERY:
-    case OP_QUERYI:
-    case OP_NOTQUERY:
-    case OP_NOTQUERYI:
-
-    case OP_MINQUERY:
-    case OP_MINQUERYI:
-    case OP_NOTMINQUERY:
-    case OP_NOTMINQUERYI:
-
-    case OP_POSQUERY:
-    case OP_POSQUERYI:
-    case OP_NOTPOSQUERY:
-    case OP_NOTPOSQUERYI:
-
-    if (utf && HAS_EXTRALEN(code[1])) code += GET_EXTRALEN(code[1]);
-    break;
-
-    case OP_UPTO:
-    case OP_UPTOI:
-    case OP_NOTUPTO:
-    case OP_NOTUPTOI:
-
-    case OP_MINUPTO:
-    case OP_MINUPTOI:
-    case OP_NOTMINUPTO:
-    case OP_NOTMINUPTOI:
-
-    case OP_POSUPTO:
-    case OP_POSUPTOI:
-    case OP_NOTPOSUPTO:
-    case OP_NOTPOSUPTOI:
-
-    if (utf && HAS_EXTRALEN(code[1 + IMM2_SIZE])) code += GET_EXTRALEN(code[1 + IMM2_SIZE]);
-    break;
-#endif
-
-    /* MARK, and PRUNE/SKIP/THEN with an argument must skip over the argument
-    string. */
-
-    case OP_MARK:
-    case OP_PRUNE_ARG:
-    case OP_SKIP_ARG:
-    case OP_THEN_ARG:
-    code += code[1];
-    break;
-
-    /* None of the remaining opcodes are required to match a character. */
-
-    default:
-    break;
-    }
-  }
-
-return TRUE;
-}
-
-
-
-/*************************************************
-*    Scan compiled regex for non-emptiness       *
-*************************************************/
-
-/* This function is called to check for left recursive calls. We want to check
-the current branch of the current pattern to see if it could match the empty
-string. If it could, we must look outwards for branches at other levels,
-stopping when we pass beyond the bracket which is the subject of the recursion.
-This function is called only during the real compile, not during the
-pre-compile.
-
-Arguments:
-  code        points to start of the recursion
-  endcode     points to where to stop (current RECURSE item)
-  bcptr       points to the chain of current (unclosed) branch starts
-  utf         TRUE if in UTF-8 / UTF-16 / UTF-32 mode
-  cd          pointers to tables etc
-
-Returns:      TRUE if what is matched could be empty
-*/
-
-static BOOL
-could_be_empty(const pcre_uchar *code, const pcre_uchar *endcode,
-  branch_chain *bcptr, BOOL utf, compile_data *cd)
-{
-while (bcptr != NULL && bcptr->current_branch >= code)
-  {
-  if (!could_be_empty_branch(bcptr->current_branch, endcode, utf, cd, NULL))
-    return FALSE;
-  bcptr = bcptr->outer;
-  }
-return TRUE;
-}
-
-
-
-/*************************************************
-*        Base opcode of repeated opcodes         *
-*************************************************/
-
-/* Returns the base opcode for repeated single character type opcodes. If the
-opcode is not a repeated character type, it returns with the original value.
-
-Arguments:  c opcode
-Returns:    base opcode for the type
-*/
-
-static pcre_uchar
-get_repeat_base(pcre_uchar c)
-{
-return (c > OP_TYPEPOSUPTO)? c :
-       (c >= OP_TYPESTAR)?   OP_TYPESTAR :
-       (c >= OP_NOTSTARI)?   OP_NOTSTARI :
-       (c >= OP_NOTSTAR)?    OP_NOTSTAR :
-       (c >= OP_STARI)?      OP_STARI :
-                             OP_STAR;
-}
-
-
-
-#ifdef SUPPORT_UCP
-/*************************************************
-*        Check a character and a property        *
-*************************************************/
-
-/* This function is called by check_auto_possessive() when a property item
-is adjacent to a fixed character.
-
-Arguments:
-  c            the character
-  ptype        the property type
-  pdata        the data for the type
-  negated      TRUE if it's a negated property (\P or \p{^)
-
-Returns:       TRUE if auto-possessifying is OK
-*/
-
-static BOOL
-check_char_prop(pcre_uint32 c, unsigned int ptype, unsigned int pdata,
-  BOOL negated)
-{
-const pcre_uint32 *p;
-const ucd_record *prop = GET_UCD(c);
-
-switch(ptype)
-  {
-  case PT_LAMP:
-  return (prop->chartype == ucp_Lu ||
-          prop->chartype == ucp_Ll ||
-          prop->chartype == ucp_Lt) == negated;
-
-  case PT_GC:
-  return (pdata == PRIV(ucp_gentype)[prop->chartype]) == negated;
-
-  case PT_PC:
-  return (pdata == prop->chartype) == negated;
-
-  case PT_SC:
-  return (pdata == prop->script) == negated;
-
-  /* These are specials */
-
-  case PT_ALNUM:
-  return (PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-          PRIV(ucp_gentype)[prop->chartype] == ucp_N) == negated;
-
-  /* Perl space used to exclude VT, but from Perl 5.18 it is included, which
-  means that Perl space and POSIX space are now identical. PCRE was changed
-  at release 8.34. */
-
-  case PT_SPACE:    /* Perl space */
-  case PT_PXSPACE:  /* POSIX space */
-  switch(c)
-    {
-    HSPACE_CASES:
-    VSPACE_CASES:
-    return negated;
-
-    default:
-    return (PRIV(ucp_gentype)[prop->chartype] == ucp_Z) == negated;
-    }
-  break;  /* Control never reaches here */
-
-  case PT_WORD:
-  return (PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-          PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-          c == CHAR_UNDERSCORE) == negated;
-
-  case PT_CLIST:
-  p = PRIV(ucd_caseless_sets) + prop->caseset;
-  for (;;)
-    {
-    if (c < *p) return !negated;
-    if (c == *p++) return negated;
-    }
-  break;  /* Control never reaches here */
-  }
-
-return FALSE;
-}
-#endif  /* SUPPORT_UCP */
-
-
-
-/*************************************************
-*        Fill the character property list        *
-*************************************************/
-
-/* Checks whether the code points to an opcode that can take part in auto-
-possessification, and if so, fills a list with its properties.
-
-Arguments:
-  code        points to start of expression
-  utf         TRUE if in UTF-8 / UTF-16 / UTF-32 mode
-  fcc         points to case-flipping table
-  list        points to output list
-              list[0] will be filled with the opcode
-              list[1] will be non-zero if this opcode
-                can match an empty character string
-              list[2..7] depends on the opcode
-
-Returns:      points to the start of the next opcode if *code is accepted
-              NULL if *code is not accepted
-*/
-
-static const pcre_uchar *
-get_chr_property_list(const pcre_uchar *code, BOOL utf,
-  const pcre_uint8 *fcc, pcre_uint32 *list)
-{
-pcre_uchar c = *code;
-pcre_uchar base;
-const pcre_uchar *end;
-pcre_uint32 chr;
-
-#ifdef SUPPORT_UCP
-pcre_uint32 *clist_dest;
-const pcre_uint32 *clist_src;
-#else
-utf = utf;  /* Suppress "unused parameter" compiler warning */
-#endif
-
-list[0] = c;
-list[1] = FALSE;
-code++;
-
-if (c >= OP_STAR && c <= OP_TYPEPOSUPTO)
-  {
-  base = get_repeat_base(c);
-  c -= (base - OP_STAR);
-
-  if (c == OP_UPTO || c == OP_MINUPTO || c == OP_EXACT || c == OP_POSUPTO)
-    code += IMM2_SIZE;
-
-  list[1] = (c != OP_PLUS && c != OP_MINPLUS && c != OP_EXACT && c != OP_POSPLUS);
-
-  switch(base)
-    {
-    case OP_STAR:
-    list[0] = OP_CHAR;
-    break;
-
-    case OP_STARI:
-    list[0] = OP_CHARI;
-    break;
-
-    case OP_NOTSTAR:
-    list[0] = OP_NOT;
-    break;
-
-    case OP_NOTSTARI:
-    list[0] = OP_NOTI;
-    break;
-
-    case OP_TYPESTAR:
-    list[0] = *code;
-    code++;
-    break;
-    }
-  c = list[0];
-  }
-
-switch(c)
-  {
-  case OP_NOT_DIGIT:
-  case OP_DIGIT:
-  case OP_NOT_WHITESPACE:
-  case OP_WHITESPACE:
-  case OP_NOT_WORDCHAR:
-  case OP_WORDCHAR:
-  case OP_ANY:
-  case OP_ALLANY:
-  case OP_ANYNL:
-  case OP_NOT_HSPACE:
-  case OP_HSPACE:
-  case OP_NOT_VSPACE:
-  case OP_VSPACE:
-  case OP_EXTUNI:
-  case OP_EODN:
-  case OP_EOD:
-  case OP_DOLL:
-  case OP_DOLLM:
-  return code;
-
-  case OP_CHAR:
-  case OP_NOT:
-  GETCHARINCTEST(chr, code);
-  list[2] = chr;
-  list[3] = NOTACHAR;
-  return code;
-
-  case OP_CHARI:
-  case OP_NOTI:
-  list[0] = (c == OP_CHARI) ? OP_CHAR : OP_NOT;
-  GETCHARINCTEST(chr, code);
-  list[2] = chr;
-
-#ifdef SUPPORT_UCP
-  if (chr < 128 || (chr < 256 && !utf))
-    list[3] = fcc[chr];
-  else
-    list[3] = UCD_OTHERCASE(chr);
-#elif defined SUPPORT_UTF || !defined COMPILE_PCRE8
-  list[3] = (chr < 256) ? fcc[chr] : chr;
-#else
-  list[3] = fcc[chr];
-#endif
-
-  /* The othercase might be the same value. */
-
-  if (chr == list[3])
-    list[3] = NOTACHAR;
-  else
-    list[4] = NOTACHAR;
-  return code;
-
-#ifdef SUPPORT_UCP
-  case OP_PROP:
-  case OP_NOTPROP:
-  if (code[0] != PT_CLIST)
-    {
-    list[2] = code[0];
-    list[3] = code[1];
-    return code + 2;
-    }
-
-  /* Convert only if we have enough space. */
-
-  clist_src = PRIV(ucd_caseless_sets) + code[1];
-  clist_dest = list + 2;
-  code += 2;
-
-  do {
-     if (clist_dest >= list + 8)
-       {
-       /* Early return if there is not enough space. This should never
-       happen, since all clists are shorter than 5 character now. */
-       list[2] = code[0];
-       list[3] = code[1];
-       return code;
-       }
-     *clist_dest++ = *clist_src;
-     }
-  while(*clist_src++ != NOTACHAR);
-
-  /* All characters are stored. The terminating NOTACHAR
-  is copied form the clist itself. */
-
-  list[0] = (c == OP_PROP) ? OP_CHAR : OP_NOT;
-  return code;
-#endif
-
-  case OP_NCLASS:
-  case OP_CLASS:
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-  case OP_XCLASS:
-  if (c == OP_XCLASS)
-    end = code + GET(code, 0) - 1;
-  else
-#endif
-    end = code + 32 / sizeof(pcre_uchar);
-
-  switch(*end)
-    {
-    case OP_CRSTAR:
-    case OP_CRMINSTAR:
-    case OP_CRQUERY:
-    case OP_CRMINQUERY:
-    case OP_CRPOSSTAR:
-    case OP_CRPOSQUERY:
-    list[1] = TRUE;
-    end++;
-    break;
-
-    case OP_CRPLUS:
-    case OP_CRMINPLUS:
-    case OP_CRPOSPLUS:
-    end++;
-    break;
-
-    case OP_CRRANGE:
-    case OP_CRMINRANGE:
-    case OP_CRPOSRANGE:
-    list[1] = (GET2(end, 1) == 0);
-    end += 1 + 2 * IMM2_SIZE;
-    break;
-    }
-  list[2] = (pcre_uint32)(end - code);
-  return end;
-  }
-return NULL;    /* Opcode not accepted */
-}
-
-
-
-/*************************************************
-*    Scan further character sets for match       *
-*************************************************/
-
-/* Checks whether the base and the current opcode have a common character, in
-which case the base cannot be possessified.
-
-Arguments:
-  code        points to the byte code
-  utf         TRUE in UTF-8 / UTF-16 / UTF-32 mode
-  cd          static compile data
-  base_list   the data list of the base opcode
-
-Returns:      TRUE if the auto-possessification is possible
-*/
-
-static BOOL
-compare_opcodes(const pcre_uchar *code, BOOL utf, const compile_data *cd,
-  const pcre_uint32 *base_list, const pcre_uchar *base_end, int *rec_limit)
-{
-pcre_uchar c;
-pcre_uint32 list[8];
-const pcre_uint32 *chr_ptr;
-const pcre_uint32 *ochr_ptr;
-const pcre_uint32 *list_ptr;
-const pcre_uchar *next_code;
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-const pcre_uchar *xclass_flags;
-#endif
-const pcre_uint8 *class_bitset;
-const pcre_uint8 *set1, *set2, *set_end;
-pcre_uint32 chr;
-BOOL accepted, invert_bits;
-BOOL entered_a_group = FALSE;
-
-if (*rec_limit == 0) return FALSE;
---(*rec_limit);
-
-/* Note: the base_list[1] contains whether the current opcode has greedy
-(represented by a non-zero value) quantifier. This is a different from
-other character type lists, which stores here that the character iterator
-matches to an empty string (also represented by a non-zero value). */
-
-for(;;)
-  {
-  /* All operations move the code pointer forward.
-  Therefore infinite recursions are not possible. */
-
-  c = *code;
-
-  /* Skip over callouts */
-
-  if (c == OP_CALLOUT)
-    {
-    code += PRIV(OP_lengths)[c];
-    continue;
-    }
-
-  if (c == OP_ALT)
-    {
-    do code += GET(code, 1); while (*code == OP_ALT);
-    c = *code;
-    }
-
-  switch(c)
-    {
-    case OP_END:
-    case OP_KETRPOS:
-    /* TRUE only in greedy case. The non-greedy case could be replaced by
-    an OP_EXACT, but it is probably not worth it. (And note that OP_EXACT
-    uses more memory, which we cannot get at this stage.) */
-
-    return base_list[1] != 0;
-
-    case OP_KET:
-    /* If the bracket is capturing, and referenced by an OP_RECURSE, or
-    it is an atomic sub-pattern (assert, once, etc.) the non-greedy case
-    cannot be converted to a possessive form. */
-
-    if (base_list[1] == 0) return FALSE;
-
-    switch(*(code - GET(code, 1)))
-      {
-      case OP_ASSERT:
-      case OP_ASSERT_NOT:
-      case OP_ASSERTBACK:
-      case OP_ASSERTBACK_NOT:
-      case OP_ONCE:
-      case OP_ONCE_NC:
-      /* Atomic sub-patterns and assertions can always auto-possessify their
-      last iterator. However, if the group was entered as a result of checking
-      a previous iterator, this is not possible. */
-
-      return !entered_a_group;
-      }
-
-    code += PRIV(OP_lengths)[c];
-    continue;
-
-    case OP_ONCE:
-    case OP_ONCE_NC:
-    case OP_BRA:
-    case OP_CBRA:
-    next_code = code + GET(code, 1);
-    code += PRIV(OP_lengths)[c];
-
-    while (*next_code == OP_ALT)
-      {
-      if (!compare_opcodes(code, utf, cd, base_list, base_end, rec_limit))
-        return FALSE;
-      code = next_code + 1 + LINK_SIZE;
-      next_code += GET(next_code, 1);
-      }
-
-    entered_a_group = TRUE;
-    continue;
-
-    case OP_BRAZERO:
-    case OP_BRAMINZERO:
-
-    next_code = code + 1;
-    if (*next_code != OP_BRA && *next_code != OP_CBRA
-        && *next_code != OP_ONCE && *next_code != OP_ONCE_NC) return FALSE;
-
-    do next_code += GET(next_code, 1); while (*next_code == OP_ALT);
-
-    /* The bracket content will be checked by the
-    OP_BRA/OP_CBRA case above. */
-    next_code += 1 + LINK_SIZE;
-    if (!compare_opcodes(next_code, utf, cd, base_list, base_end, rec_limit))
-      return FALSE;
-
-    code += PRIV(OP_lengths)[c];
-    continue;
-
-    default:
-    break;
-    }
-
-  /* Check for a supported opcode, and load its properties. */
-
-  code = get_chr_property_list(code, utf, cd->fcc, list);
-  if (code == NULL) return FALSE;    /* Unsupported */
-
-  /* If either opcode is a small character list, set pointers for comparing
-  characters from that list with another list, or with a property. */
-
-  if (base_list[0] == OP_CHAR)
-    {
-    chr_ptr = base_list + 2;
-    list_ptr = list;
-    }
-  else if (list[0] == OP_CHAR)
-    {
-    chr_ptr = list + 2;
-    list_ptr = base_list;
-    }
-
-  /* Character bitsets can also be compared to certain opcodes. */
-
-  else if (base_list[0] == OP_CLASS || list[0] == OP_CLASS
-#ifdef COMPILE_PCRE8
-      /* In 8 bit, non-UTF mode, OP_CLASS and OP_NCLASS are the same. */
-      || (!utf && (base_list[0] == OP_NCLASS || list[0] == OP_NCLASS))
-#endif
-      )
-    {
-#ifdef COMPILE_PCRE8
-    if (base_list[0] == OP_CLASS || (!utf && base_list[0] == OP_NCLASS))
-#else
-    if (base_list[0] == OP_CLASS)
-#endif
-      {
-      set1 = (pcre_uint8 *)(base_end - base_list[2]);
-      list_ptr = list;
-      }
-    else
-      {
-      set1 = (pcre_uint8 *)(code - list[2]);
-      list_ptr = base_list;
-      }
-
-    invert_bits = FALSE;
-    switch(list_ptr[0])
-      {
-      case OP_CLASS:
-      case OP_NCLASS:
-      set2 = (pcre_uint8 *)
-        ((list_ptr == list ? code : base_end) - list_ptr[2]);
-      break;
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-      case OP_XCLASS:
-      xclass_flags = (list_ptr == list ? code : base_end) - list_ptr[2] + LINK_SIZE;
-      if ((*xclass_flags & XCL_HASPROP) != 0) return FALSE;
-      if ((*xclass_flags & XCL_MAP) == 0)
-        {
-        /* No bits are set for characters < 256. */
-        if (list[1] == 0) return TRUE;
-        /* Might be an empty repeat. */
-        continue;
-        }
-      set2 = (pcre_uint8 *)(xclass_flags + 1);
-      break;
-#endif
-
-      case OP_NOT_DIGIT:
-      invert_bits = TRUE;
-      /* Fall through */
-      case OP_DIGIT:
-      set2 = (pcre_uint8 *)(cd->cbits + cbit_digit);
-      break;
-
-      case OP_NOT_WHITESPACE:
-      invert_bits = TRUE;
-      /* Fall through */
-      case OP_WHITESPACE:
-      set2 = (pcre_uint8 *)(cd->cbits + cbit_space);
-      break;
-
-      case OP_NOT_WORDCHAR:
-      invert_bits = TRUE;
-      /* Fall through */
-      case OP_WORDCHAR:
-      set2 = (pcre_uint8 *)(cd->cbits + cbit_word);
-      break;
-
-      default:
-      return FALSE;
-      }
-
-    /* Because the sets are unaligned, we need
-    to perform byte comparison here. */
-    set_end = set1 + 32;
-    if (invert_bits)
-      {
-      do
-        {
-        if ((*set1++ & ~(*set2++)) != 0) return FALSE;
-        }
-      while (set1 < set_end);
-      }
-    else
-      {
-      do
-        {
-        if ((*set1++ & *set2++) != 0) return FALSE;
-        }
-      while (set1 < set_end);
-      }
-
-    if (list[1] == 0) return TRUE;
-    /* Might be an empty repeat. */
-    continue;
-    }
-
-  /* Some property combinations also acceptable. Unicode property opcodes are
-  processed specially; the rest can be handled with a lookup table. */
-
-  else
-    {
-    pcre_uint32 leftop, rightop;
-
-    leftop = base_list[0];
-    rightop = list[0];
-
-#ifdef SUPPORT_UCP
-    accepted = FALSE; /* Always set in non-unicode case. */
-    if (leftop == OP_PROP || leftop == OP_NOTPROP)
-      {
-      if (rightop == OP_EOD)
-        accepted = TRUE;
-      else if (rightop == OP_PROP || rightop == OP_NOTPROP)
-        {
-        int n;
-        const pcre_uint8 *p;
-        BOOL same = leftop == rightop;
-        BOOL lisprop = leftop == OP_PROP;
-        BOOL risprop = rightop == OP_PROP;
-        BOOL bothprop = lisprop && risprop;
-
-        /* There's a table that specifies how each combination is to be
-        processed:
-          0   Always return FALSE (never auto-possessify)
-          1   Character groups are distinct (possessify if both are OP_PROP)
-          2   Check character categories in the same group (general or particular)
-          3   Return TRUE if the two opcodes are not the same
-          ... see comments below
-        */
-
-        n = propposstab[base_list[2]][list[2]];
-        switch(n)
-          {
-          case 0: break;
-          case 1: accepted = bothprop; break;
-          case 2: accepted = (base_list[3] == list[3]) != same; break;
-          case 3: accepted = !same; break;
-
-          case 4:  /* Left general category, right particular category */
-          accepted = risprop && catposstab[base_list[3]][list[3]] == same;
-          break;
-
-          case 5:  /* Right general category, left particular category */
-          accepted = lisprop && catposstab[list[3]][base_list[3]] == same;
-          break;
-
-          /* This code is logically tricky. Think hard before fiddling with it.
-          The posspropstab table has four entries per row. Each row relates to
-          one of PCRE's special properties such as ALNUM or SPACE or WORD.
-          Only WORD actually needs all four entries, but using repeats for the
-          others means they can all use the same code below.
-
-          The first two entries in each row are Unicode general categories, and
-          apply always, because all the characters they include are part of the
-          PCRE character set. The third and fourth entries are a general and a
-          particular category, respectively, that include one or more relevant
-          characters. One or the other is used, depending on whether the check
-          is for a general or a particular category. However, in both cases the
-          category contains more characters than the specials that are defined
-          for the property being tested against. Therefore, it cannot be used
-          in a NOTPROP case.
-
-          Example: the row for WORD contains ucp_L, ucp_N, ucp_P, ucp_Po.
-          Underscore is covered by ucp_P or ucp_Po. */
-
-          case 6:  /* Left alphanum vs right general category */
-          case 7:  /* Left space vs right general category */
-          case 8:  /* Left word vs right general category */
-          p = posspropstab[n-6];
-          accepted = risprop && lisprop ==
-            (list[3] != p[0] &&
-             list[3] != p[1] &&
-            (list[3] != p[2] || !lisprop));
-          break;
-
-          case 9:   /* Right alphanum vs left general category */
-          case 10:  /* Right space vs left general category */
-          case 11:  /* Right word vs left general category */
-          p = posspropstab[n-9];
-          accepted = lisprop && risprop ==
-            (base_list[3] != p[0] &&
-             base_list[3] != p[1] &&
-            (base_list[3] != p[2] || !risprop));
-          break;
-
-          case 12:  /* Left alphanum vs right particular category */
-          case 13:  /* Left space vs right particular category */
-          case 14:  /* Left word vs right particular category */
-          p = posspropstab[n-12];
-          accepted = risprop && lisprop ==
-            (catposstab[p[0]][list[3]] &&
-             catposstab[p[1]][list[3]] &&
-            (list[3] != p[3] || !lisprop));
-          break;
-
-          case 15:  /* Right alphanum vs left particular category */
-          case 16:  /* Right space vs left particular category */
-          case 17:  /* Right word vs left particular category */
-          p = posspropstab[n-15];
-          accepted = lisprop && risprop ==
-            (catposstab[p[0]][base_list[3]] &&
-             catposstab[p[1]][base_list[3]] &&
-            (base_list[3] != p[3] || !risprop));
-          break;
-          }
-        }
-      }
-
-    else
-#endif  /* SUPPORT_UCP */
-
-    accepted = leftop >= FIRST_AUTOTAB_OP && leftop <= LAST_AUTOTAB_LEFT_OP &&
-           rightop >= FIRST_AUTOTAB_OP && rightop <= LAST_AUTOTAB_RIGHT_OP &&
-           autoposstab[leftop - FIRST_AUTOTAB_OP][rightop - FIRST_AUTOTAB_OP];
-
-    if (!accepted) return FALSE;
-
-    if (list[1] == 0) return TRUE;
-    /* Might be an empty repeat. */
-    continue;
-    }
-
-  /* Control reaches here only if one of the items is a small character list.
-  All characters are checked against the other side. */
-
-  do
-    {
-    chr = *chr_ptr;
-
-    switch(list_ptr[0])
-      {
-      case OP_CHAR:
-      ochr_ptr = list_ptr + 2;
-      do
-        {
-        if (chr == *ochr_ptr) return FALSE;
-        ochr_ptr++;
-        }
-      while(*ochr_ptr != NOTACHAR);
-      break;
-
-      case OP_NOT:
-      ochr_ptr = list_ptr + 2;
-      do
-        {
-        if (chr == *ochr_ptr)
-          break;
-        ochr_ptr++;
-        }
-      while(*ochr_ptr != NOTACHAR);
-      if (*ochr_ptr == NOTACHAR) return FALSE;   /* Not found */
-      break;
-
-      /* Note that OP_DIGIT etc. are generated only when PCRE_UCP is *not*
-      set. When it is set, \d etc. are converted into OP_(NOT_)PROP codes. */
-
-      case OP_DIGIT:
-      if (chr < 256 && (cd->ctypes[chr] & ctype_digit) != 0) return FALSE;
-      break;
-
-      case OP_NOT_DIGIT:
-      if (chr > 255 || (cd->ctypes[chr] & ctype_digit) == 0) return FALSE;
-      break;
-
-      case OP_WHITESPACE:
-      if (chr < 256 && (cd->ctypes[chr] & ctype_space) != 0) return FALSE;
-      break;
-
-      case OP_NOT_WHITESPACE:
-      if (chr > 255 || (cd->ctypes[chr] & ctype_space) == 0) return FALSE;
-      break;
-
-      case OP_WORDCHAR:
-      if (chr < 255 && (cd->ctypes[chr] & ctype_word) != 0) return FALSE;
-      break;
-
-      case OP_NOT_WORDCHAR:
-      if (chr > 255 || (cd->ctypes[chr] & ctype_word) == 0) return FALSE;
-      break;
-
-      case OP_HSPACE:
-      switch(chr)
-        {
-        HSPACE_CASES: return FALSE;
-        default: break;
-        }
-      break;
-
-      case OP_NOT_HSPACE:
-      switch(chr)
-        {
-        HSPACE_CASES: break;
-        default: return FALSE;
-        }
-      break;
-
-      case OP_ANYNL:
-      case OP_VSPACE:
-      switch(chr)
-        {
-        VSPACE_CASES: return FALSE;
-        default: break;
-        }
-      break;
-
-      case OP_NOT_VSPACE:
-      switch(chr)
-        {
-        VSPACE_CASES: break;
-        default: return FALSE;
-        }
-      break;
-
-      case OP_DOLL:
-      case OP_EODN:
-      switch (chr)
-        {
-        case CHAR_CR:
-        case CHAR_LF:
-        case CHAR_VT:
-        case CHAR_FF:
-        case CHAR_NEL:
-#ifndef EBCDIC
-        case 0x2028:
-        case 0x2029:
-#endif  /* Not EBCDIC */
-        return FALSE;
-        }
-      break;
-
-      case OP_EOD:    /* Can always possessify before \z */
-      break;
-
-#ifdef SUPPORT_UCP
-      case OP_PROP:
-      case OP_NOTPROP:
-      if (!check_char_prop(chr, list_ptr[2], list_ptr[3],
-            list_ptr[0] == OP_NOTPROP))
-        return FALSE;
-      break;
-#endif
-
-      case OP_NCLASS:
-      if (chr > 255) return FALSE;
-      /* Fall through */
-
-      case OP_CLASS:
-      if (chr > 255) break;
-      class_bitset = (pcre_uint8 *)
-        ((list_ptr == list ? code : base_end) - list_ptr[2]);
-      if ((class_bitset[chr >> 3] & (1 << (chr & 7))) != 0) return FALSE;
-      break;
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-      case OP_XCLASS:
-      if (PRIV(xclass)(chr, (list_ptr == list ? code : base_end) -
-          list_ptr[2] + LINK_SIZE, utf)) return FALSE;
-      break;
-#endif
-
-      default:
-      return FALSE;
-      }
-
-    chr_ptr++;
-    }
-  while(*chr_ptr != NOTACHAR);
-
-  /* At least one character must be matched from this opcode. */
-
-  if (list[1] == 0) return TRUE;
-  }
-
-/* Control never reaches here. There used to be a fail-save return FALSE; here,
-but some compilers complain about an unreachable statement. */
-
-}
-
-
-
-/*************************************************
-*    Scan compiled regex for auto-possession     *
-*************************************************/
-
-/* Replaces single character iterations with their possessive alternatives
-if appropriate. This function modifies the compiled opcode!
-
-Arguments:
-  code        points to start of the byte code
-  utf         TRUE in UTF-8 / UTF-16 / UTF-32 mode
-  cd          static compile data
-
-Returns:      nothing
-*/
-
-static void
-auto_possessify(pcre_uchar *code, BOOL utf, const compile_data *cd)
-{
-register pcre_uchar c;
-const pcre_uchar *end;
-pcre_uchar *repeat_opcode;
-pcre_uint32 list[8];
-int rec_limit;
-
-for (;;)
-  {
-  c = *code;
-
-  /* When a pattern with bad UTF-8 encoding is compiled with NO_UTF_CHECK,
-  it may compile without complaining, but may get into a loop here if the code
-  pointer points to a bad value. This is, of course a documentated possibility,
-  when NO_UTF_CHECK is set, so it isn't a bug, but we can detect this case and
-  just give up on this optimization. */
-
-  if (c >= OP_TABLE_LENGTH) return;
-
-  if (c >= OP_STAR && c <= OP_TYPEPOSUPTO)
-    {
-    c -= get_repeat_base(c) - OP_STAR;
-    end = (c <= OP_MINUPTO) ?
-      get_chr_property_list(code, utf, cd->fcc, list) : NULL;
-    list[1] = c == OP_STAR || c == OP_PLUS || c == OP_QUERY || c == OP_UPTO;
-
-    rec_limit = 1000;
-    if (end != NULL && compare_opcodes(end, utf, cd, list, end, &rec_limit))
-      {
-      switch(c)
-        {
-        case OP_STAR:
-        *code += OP_POSSTAR - OP_STAR;
-        break;
-
-        case OP_MINSTAR:
-        *code += OP_POSSTAR - OP_MINSTAR;
-        break;
-
-        case OP_PLUS:
-        *code += OP_POSPLUS - OP_PLUS;
-        break;
-
-        case OP_MINPLUS:
-        *code += OP_POSPLUS - OP_MINPLUS;
-        break;
-
-        case OP_QUERY:
-        *code += OP_POSQUERY - OP_QUERY;
-        break;
-
-        case OP_MINQUERY:
-        *code += OP_POSQUERY - OP_MINQUERY;
-        break;
-
-        case OP_UPTO:
-        *code += OP_POSUPTO - OP_UPTO;
-        break;
-
-        case OP_MINUPTO:
-        *code += OP_POSUPTO - OP_MINUPTO;
-        break;
-        }
-      }
-    c = *code;
-    }
-  else if (c == OP_CLASS || c == OP_NCLASS || c == OP_XCLASS)
-    {
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    if (c == OP_XCLASS)
-      repeat_opcode = code + GET(code, 1);
-    else
-#endif
-      repeat_opcode = code + 1 + (32 / sizeof(pcre_uchar));
-
-    c = *repeat_opcode;
-    if (c >= OP_CRSTAR && c <= OP_CRMINRANGE)
-      {
-      /* end must not be NULL. */
-      end = get_chr_property_list(code, utf, cd->fcc, list);
-
-      list[1] = (c & 1) == 0;
-
-      rec_limit = 1000;
-      if (compare_opcodes(end, utf, cd, list, end, &rec_limit))
-        {
-        switch (c)
-          {
-          case OP_CRSTAR:
-          case OP_CRMINSTAR:
-          *repeat_opcode = OP_CRPOSSTAR;
-          break;
-
-          case OP_CRPLUS:
-          case OP_CRMINPLUS:
-          *repeat_opcode = OP_CRPOSPLUS;
-          break;
-
-          case OP_CRQUERY:
-          case OP_CRMINQUERY:
-          *repeat_opcode = OP_CRPOSQUERY;
-          break;
-
-          case OP_CRRANGE:
-          case OP_CRMINRANGE:
-          *repeat_opcode = OP_CRPOSRANGE;
-          break;
-          }
-        }
-      }
-    c = *code;
-    }
-
-  switch(c)
-    {
-    case OP_END:
-    return;
-
-    case OP_TYPESTAR:
-    case OP_TYPEMINSTAR:
-    case OP_TYPEPLUS:
-    case OP_TYPEMINPLUS:
-    case OP_TYPEQUERY:
-    case OP_TYPEMINQUERY:
-    case OP_TYPEPOSSTAR:
-    case OP_TYPEPOSPLUS:
-    case OP_TYPEPOSQUERY:
-    if (code[1] == OP_PROP || code[1] == OP_NOTPROP) code += 2;
-    break;
-
-    case OP_TYPEUPTO:
-    case OP_TYPEMINUPTO:
-    case OP_TYPEEXACT:
-    case OP_TYPEPOSUPTO:
-    if (code[1 + IMM2_SIZE] == OP_PROP || code[1 + IMM2_SIZE] == OP_NOTPROP)
-      code += 2;
-    break;
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    case OP_XCLASS:
-    code += GET(code, 1);
-    break;
-#endif
-
-    case OP_MARK:
-    case OP_PRUNE_ARG:
-    case OP_SKIP_ARG:
-    case OP_THEN_ARG:
-    code += code[1];
-    break;
-    }
-
-  /* Add in the fixed length from the table */
-
-  code += PRIV(OP_lengths)[c];
-
-  /* In UTF-8 mode, opcodes that are followed by a character may be followed by
-  a multi-byte character. The length in the table is a minimum, so we have to
-  arrange to skip the extra bytes. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-  if (utf) switch(c)
-    {
-    case OP_CHAR:
-    case OP_CHARI:
-    case OP_NOT:
-    case OP_NOTI:
-    case OP_STAR:
-    case OP_MINSTAR:
-    case OP_PLUS:
-    case OP_MINPLUS:
-    case OP_QUERY:
-    case OP_MINQUERY:
-    case OP_UPTO:
-    case OP_MINUPTO:
-    case OP_EXACT:
-    case OP_POSSTAR:
-    case OP_POSPLUS:
-    case OP_POSQUERY:
-    case OP_POSUPTO:
-    case OP_STARI:
-    case OP_MINSTARI:
-    case OP_PLUSI:
-    case OP_MINPLUSI:
-    case OP_QUERYI:
-    case OP_MINQUERYI:
-    case OP_UPTOI:
-    case OP_MINUPTOI:
-    case OP_EXACTI:
-    case OP_POSSTARI:
-    case OP_POSPLUSI:
-    case OP_POSQUERYI:
-    case OP_POSUPTOI:
-    case OP_NOTSTAR:
-    case OP_NOTMINSTAR:
-    case OP_NOTPLUS:
-    case OP_NOTMINPLUS:
-    case OP_NOTQUERY:
-    case OP_NOTMINQUERY:
-    case OP_NOTUPTO:
-    case OP_NOTMINUPTO:
-    case OP_NOTEXACT:
-    case OP_NOTPOSSTAR:
-    case OP_NOTPOSPLUS:
-    case OP_NOTPOSQUERY:
-    case OP_NOTPOSUPTO:
-    case OP_NOTSTARI:
-    case OP_NOTMINSTARI:
-    case OP_NOTPLUSI:
-    case OP_NOTMINPLUSI:
-    case OP_NOTQUERYI:
-    case OP_NOTMINQUERYI:
-    case OP_NOTUPTOI:
-    case OP_NOTMINUPTOI:
-    case OP_NOTEXACTI:
-    case OP_NOTPOSSTARI:
-    case OP_NOTPOSPLUSI:
-    case OP_NOTPOSQUERYI:
-    case OP_NOTPOSUPTOI:
-    if (HAS_EXTRALEN(code[-1])) code += GET_EXTRALEN(code[-1]);
-    break;
-    }
-#else
-  (void)(utf);  /* Keep compiler happy by referencing function argument */
-#endif
-  }
-}
-
-
-
-/*************************************************
-*           Check for POSIX class syntax         *
-*************************************************/
-
-/* This function is called when the sequence "[:" or "[." or "[=" is
-encountered in a character class. It checks whether this is followed by a
-sequence of characters terminated by a matching ":]" or ".]" or "=]". If we
-reach an unescaped ']' without the special preceding character, return FALSE.
-
-Originally, this function only recognized a sequence of letters between the
-terminators, but it seems that Perl recognizes any sequence of characters,
-though of course unknown POSIX names are subsequently rejected. Perl gives an
-"Unknown POSIX class" error for [:f\oo:] for example, where previously PCRE
-didn't consider this to be a POSIX class. Likewise for [:1234:].
-
-The problem in trying to be exactly like Perl is in the handling of escapes. We
-have to be sure that [abc[:x\]pqr] is *not* treated as containing a POSIX
-class, but [abc[:x\]pqr:]] is (so that an error can be generated). The code
-below handles the special cases \\ and \], but does not try to do any other
-escape processing. This makes it different from Perl for cases such as
-[:l\ower:] where Perl recognizes it as the POSIX class "lower" but PCRE does
-not recognize "l\ower". This is a lesser evil than not diagnosing bad classes
-when Perl does, I think.
-
-A user pointed out that PCRE was rejecting [:a[:digit:]] whereas Perl was not.
-It seems that the appearance of a nested POSIX class supersedes an apparent
-external class. For example, [:a[:digit:]b:] matches "a", "b", ":", or
-a digit.
-
-In Perl, unescaped square brackets may also appear as part of class names. For
-example, [:a[:abc]b:] gives unknown POSIX class "[:abc]b:]". However, for
-[:a[:abc]b][b:] it gives unknown POSIX class "[:abc]b][b:]", which does not
-seem right at all. PCRE does not allow closing square brackets in POSIX class
-names.
-
-Arguments:
-  ptr      pointer to the initial [
-  endptr   where to return the end pointer
-
-Returns:   TRUE or FALSE
-*/
-
-static BOOL
-check_posix_syntax(const pcre_uchar *ptr, const pcre_uchar **endptr)
-{
-pcre_uchar terminator;          /* Don't combine these lines; the Solaris cc */
-terminator = *(++ptr);   /* compiler warns about "non-constant" initializer. */
-for (++ptr; *ptr != CHAR_NULL; ptr++)
-  {
-  if (*ptr == CHAR_BACKSLASH &&
-      (ptr[1] == CHAR_RIGHT_SQUARE_BRACKET ||
-       ptr[1] == CHAR_BACKSLASH))
-    ptr++;
-  else if ((*ptr == CHAR_LEFT_SQUARE_BRACKET && ptr[1] == terminator) ||
-            *ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE;
-  else if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET)
-    {
-    *endptr = ptr;
-    return TRUE;
-    }
-  }
-return FALSE;
-}
-
-
-
-
-/*************************************************
-*          Check POSIX class name                *
-*************************************************/
-
-/* This function is called to check the name given in a POSIX-style class entry
-such as [:alnum:].
-
-Arguments:
-  ptr        points to the first letter
-  len        the length of the name
-
-Returns:     a value representing the name, or -1 if unknown
-*/
-
-static int
-check_posix_name(const pcre_uchar *ptr, int len)
-{
-const char *pn = posix_names;
-register int yield = 0;
-while (posix_name_lengths[yield] != 0)
-  {
-  if (len == posix_name_lengths[yield] &&
-    STRNCMP_UC_C8(ptr, pn, (unsigned int)len) == 0) return yield;
-  pn += posix_name_lengths[yield] + 1;
-  yield++;
-  }
-return -1;
-}
-
-
-/*************************************************
-*    Adjust OP_RECURSE items in repeated group   *
-*************************************************/
-
-/* OP_RECURSE items contain an offset from the start of the regex to the group
-that is referenced. This means that groups can be replicated for fixed
-repetition simply by copying (because the recursion is allowed to refer to
-earlier groups that are outside the current group). However, when a group is
-optional (i.e. the minimum quantifier is zero), OP_BRAZERO or OP_SKIPZERO is
-inserted before it, after it has been compiled. This means that any OP_RECURSE
-items within it that refer to the group itself or any contained groups have to
-have their offsets adjusted. That one of the jobs of this function. Before it
-is called, the partially compiled regex must be temporarily terminated with
-OP_END.
-
-This function has been extended to cope with forward references for recursions
-and subroutine calls. It must check the list of such references for the
-group we are dealing with. If it finds that one of the recursions in the
-current group is on this list, it does not adjust the value in the reference
-(which is a group number). After the group has been scanned, all the offsets in
-the forward reference list for the group are adjusted.
-
-Arguments:
-  group      points to the start of the group
-  adjust     the amount by which the group is to be moved
-  utf        TRUE in UTF-8 / UTF-16 / UTF-32 mode
-  cd         contains pointers to tables etc.
-  save_hwm_offset   the hwm forward reference offset at the start of the group
-
-Returns:     nothing
-*/
-
-static void
-adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
-  size_t save_hwm_offset)
-{
-int offset;
-pcre_uchar *hc;
-pcre_uchar *ptr = group;
-
-while ((ptr = (pcre_uchar *)find_recurse(ptr, utf)) != NULL)
-  {
-  for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
-       hc += LINK_SIZE)
-    {
-    offset = (int)GET(hc, 0);
-    if (cd->start_code + offset == ptr + 1) break;
-    }
-
-  /* If we have not found this recursion on the forward reference list, adjust
-  the recursion's offset if it's after the start of this group. */
-
-  if (hc >= cd->hwm)
-    {
-    offset = (int)GET(ptr, 1);
-    if (cd->start_code + offset >= group) PUT(ptr, 1, offset + adjust);
-    }
-
-  ptr += 1 + LINK_SIZE;
-  }
-
-/* Now adjust all forward reference offsets for the group. */
-
-for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
-     hc += LINK_SIZE)
-  {
-  offset = (int)GET(hc, 0);
-  PUT(hc, 0, offset + adjust);
-  }
-}
-
-
-
-/*************************************************
-*        Insert an automatic callout point       *
-*************************************************/
-
-/* This function is called when the PCRE_AUTO_CALLOUT option is set, to insert
-callout points before each pattern item.
-
-Arguments:
-  code           current code pointer
-  ptr            current pattern pointer
-  cd             pointers to tables etc
-
-Returns:         new code pointer
-*/
-
-static pcre_uchar *
-auto_callout(pcre_uchar *code, const pcre_uchar *ptr, compile_data *cd)
-{
-*code++ = OP_CALLOUT;
-*code++ = 255;
-PUT(code, 0, (int)(ptr - cd->start_pattern));  /* Pattern offset */
-PUT(code, LINK_SIZE, 0);                       /* Default length */
-return code + 2 * LINK_SIZE;
-}
-
-
-
-/*************************************************
-*         Complete a callout item                *
-*************************************************/
-
-/* A callout item contains the length of the next item in the pattern, which
-we can't fill in till after we have reached the relevant point. This is used
-for both automatic and manual callouts.
-
-Arguments:
-  previous_callout   points to previous callout item
-  ptr                current pattern pointer
-  cd                 pointers to tables etc
-
-Returns:             nothing
-*/
-
-static void
-complete_callout(pcre_uchar *previous_callout, const pcre_uchar *ptr, compile_data *cd)
-{
-int length = (int)(ptr - cd->start_pattern - GET(previous_callout, 2));
-PUT(previous_callout, 2 + LINK_SIZE, length);
-}
-
-
-
-#ifdef SUPPORT_UCP
-/*************************************************
-*           Get othercase range                  *
-*************************************************/
-
-/* This function is passed the start and end of a class range, in UTF-8 mode
-with UCP support. It searches up the characters, looking for ranges of
-characters in the "other" case. Each call returns the next one, updating the
-start address. A character with multiple other cases is returned on its own
-with a special return value.
-
-Arguments:
-  cptr        points to starting character value; updated
-  d           end value
-  ocptr       where to put start of othercase range
-  odptr       where to put end of othercase range
-
-Yield:        -1 when no more
-               0 when a range is returned
-              >0 the CASESET offset for char with multiple other cases
-                in this case, ocptr contains the original
-*/
-
-static int
-get_othercase_range(pcre_uint32 *cptr, pcre_uint32 d, pcre_uint32 *ocptr,
-  pcre_uint32 *odptr)
-{
-pcre_uint32 c, othercase, next;
-unsigned int co;
-
-/* Find the first character that has an other case. If it has multiple other
-cases, return its case offset value. */
-
-for (c = *cptr; c <= d; c++)
-  {
-  if ((co = UCD_CASESET(c)) != 0)
-    {
-    *ocptr = c++;   /* Character that has the set */
-    *cptr = c;      /* Rest of input range */
-    return (int)co;
-    }
-  if ((othercase = UCD_OTHERCASE(c)) != c) break;
-  }
-
-if (c > d) return -1;  /* Reached end of range */
-
-/* Found a character that has a single other case. Search for the end of the
-range, which is either the end of the input range, or a character that has zero
-or more than one other cases. */
-
-*ocptr = othercase;
-next = othercase + 1;
-
-for (++c; c <= d; c++)
-  {
-  if ((co = UCD_CASESET(c)) != 0 || UCD_OTHERCASE(c) != next) break;
-  next++;
-  }
-
-*odptr = next - 1;     /* End of othercase range */
-*cptr = c;             /* Rest of input range */
-return 0;
-}
-#endif  /* SUPPORT_UCP */
-
-
-
-/*************************************************
-*        Add a character or range to a class     *
-*************************************************/
-
-/* This function packages up the logic of adding a character or range of
-characters to a class. The character values in the arguments will be within the
-valid values for the current mode (8-bit, 16-bit, UTF, etc). This function is
-mutually recursive with the function immediately below.
-
-Arguments:
-  classbits     the bit map for characters < 256
-  uchardptr     points to the pointer for extra data
-  options       the options word
-  cd            contains pointers to tables etc.
-  start         start of range character
-  end           end of range character
-
-Returns:        the number of < 256 characters added
-                the pointer to extra data is updated
-*/
-
-static int
-add_to_class(pcre_uint8 *classbits, pcre_uchar **uchardptr, int options,
-  compile_data *cd, pcre_uint32 start, pcre_uint32 end)
-{
-pcre_uint32 c;
-pcre_uint32 classbits_end = (end <= 0xff ? end : 0xff);
-int n8 = 0;
-
-/* If caseless matching is required, scan the range and process alternate
-cases. In Unicode, there are 8-bit characters that have alternate cases that
-are greater than 255 and vice-versa. Sometimes we can just extend the original
-range. */
-
-if ((options & PCRE_CASELESS) != 0)
-  {
-#ifdef SUPPORT_UCP
-  if ((options & PCRE_UTF8) != 0)
-    {
-    int rc;
-    pcre_uint32 oc, od;
-
-    options &= ~PCRE_CASELESS;   /* Remove for recursive calls */
-    c = start;
-
-    while ((rc = get_othercase_range(&c, end, &oc, &od)) >= 0)
-      {
-      /* Handle a single character that has more than one other case. */
-
-      if (rc > 0) n8 += add_list_to_class(classbits, uchardptr, options, cd,
-        PRIV(ucd_caseless_sets) + rc, oc);
-
-      /* Do nothing if the other case range is within the original range. */
-
-      else if (oc >= start && od <= end) continue;
-
-      /* Extend the original range if there is overlap, noting that if oc < c, we
-      can't have od > end because a subrange is always shorter than the basic
-      range. Otherwise, use a recursive call to add the additional range. */
-
-      else if (oc < start && od >= start - 1) start = oc; /* Extend downwards */
-      else if (od > end && oc <= end + 1)
-        {
-        end = od;       /* Extend upwards */
-        if (end > classbits_end) classbits_end = (end <= 0xff ? end : 0xff);
-        }
-      else n8 += add_to_class(classbits, uchardptr, options, cd, oc, od);
-      }
-    }
-  else
-#endif  /* SUPPORT_UCP */
-
-  /* Not UTF-mode, or no UCP */
-
-  for (c = start; c <= classbits_end; c++)
-    {
-    SETBIT(classbits, cd->fcc[c]);
-    n8++;
-    }
-  }
-
-/* Now handle the original range. Adjust the final value according to the bit
-length - this means that the same lists of (e.g.) horizontal spaces can be used
-in all cases. */
-
-#if defined COMPILE_PCRE8
-#ifdef SUPPORT_UTF
-  if ((options & PCRE_UTF8) == 0)
-#endif
-  if (end > 0xff) end = 0xff;
-
-#elif defined COMPILE_PCRE16
-#ifdef SUPPORT_UTF
-  if ((options & PCRE_UTF16) == 0)
-#endif
-  if (end > 0xffff) end = 0xffff;
-
-#endif /* COMPILE_PCRE[8|16] */
-
-/* Use the bitmap for characters < 256. Otherwise use extra data.*/
-
-for (c = start; c <= classbits_end; c++)
-  {
-  /* Regardless of start, c will always be <= 255. */
-  SETBIT(classbits, c);
-  n8++;
-  }
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-if (start <= 0xff) start = 0xff + 1;
-
-if (end >= start)
-  {
-  pcre_uchar *uchardata = *uchardptr;
-#ifdef SUPPORT_UTF
-  if ((options & PCRE_UTF8) != 0)  /* All UTFs use the same flag bit */
-    {
-    if (start < end)
-      {
-      *uchardata++ = XCL_RANGE;
-      uchardata += PRIV(ord2utf)(start, uchardata);
-      uchardata += PRIV(ord2utf)(end, uchardata);
-      }
-    else if (start == end)
-      {
-      *uchardata++ = XCL_SINGLE;
-      uchardata += PRIV(ord2utf)(start, uchardata);
-      }
-    }
-  else
-#endif  /* SUPPORT_UTF */
-
-  /* Without UTF support, character values are constrained by the bit length,
-  and can only be > 256 for 16-bit and 32-bit libraries. */
-
-#ifdef COMPILE_PCRE8
-    {}
-#else
-  if (start < end)
-    {
-    *uchardata++ = XCL_RANGE;
-    *uchardata++ = start;
-    *uchardata++ = end;
-    }
-  else if (start == end)
-    {
-    *uchardata++ = XCL_SINGLE;
-    *uchardata++ = start;
-    }
-#endif
-
-  *uchardptr = uchardata;   /* Updata extra data pointer */
-  }
-#endif /* SUPPORT_UTF || !COMPILE_PCRE8 */
-
-return n8;    /* Number of 8-bit characters */
-}
-
-
-
-
-/*************************************************
-*        Add a list of characters to a class     *
-*************************************************/
-
-/* This function is used for adding a list of case-equivalent characters to a
-class, and also for adding a list of horizontal or vertical whitespace. If the
-list is in order (which it should be), ranges of characters are detected and
-handled appropriately. This function is mutually recursive with the function
-above.
-
-Arguments:
-  classbits     the bit map for characters < 256
-  uchardptr     points to the pointer for extra data
-  options       the options word
-  cd            contains pointers to tables etc.
-  p             points to row of 32-bit values, terminated by NOTACHAR
-  except        character to omit; this is used when adding lists of
-                  case-equivalent characters to avoid including the one we
-                  already know about
-
-Returns:        the number of < 256 characters added
-                the pointer to extra data is updated
-*/
-
-static int
-add_list_to_class(pcre_uint8 *classbits, pcre_uchar **uchardptr, int options,
-  compile_data *cd, const pcre_uint32 *p, unsigned int except)
-{
-int n8 = 0;
-while (p[0] < NOTACHAR)
-  {
-  int n = 0;
-  if (p[0] != except)
-    {
-    while(p[n+1] == p[0] + n + 1) n++;
-    n8 += add_to_class(classbits, uchardptr, options, cd, p[0], p[n]);
-    }
-  p += n + 1;
-  }
-return n8;
-}
-
-
-
-/*************************************************
-*    Add characters not in a list to a class     *
-*************************************************/
-
-/* This function is used for adding the complement of a list of horizontal or
-vertical whitespace to a class. The list must be in order.
-
-Arguments:
-  classbits     the bit map for characters < 256
-  uchardptr     points to the pointer for extra data
-  options       the options word
-  cd            contains pointers to tables etc.
-  p             points to row of 32-bit values, terminated by NOTACHAR
-
-Returns:        the number of < 256 characters added
-                the pointer to extra data is updated
-*/
-
-static int
-add_not_list_to_class(pcre_uint8 *classbits, pcre_uchar **uchardptr,
-  int options, compile_data *cd, const pcre_uint32 *p)
-{
-BOOL utf = (options & PCRE_UTF8) != 0;
-int n8 = 0;
-if (p[0] > 0)
-  n8 += add_to_class(classbits, uchardptr, options, cd, 0, p[0] - 1);
-while (p[0] < NOTACHAR)
-  {
-  while (p[1] == p[0] + 1) p++;
-  n8 += add_to_class(classbits, uchardptr, options, cd, p[0] + 1,
-    (p[1] == NOTACHAR) ? (utf ? 0x10ffffu : 0xffffffffu) : p[1] - 1);
-  p++;
-  }
-return n8;
-}
-
-
-
-/*************************************************
-*           Compile one branch                   *
-*************************************************/
-
-/* Scan the pattern, compiling it into the a vector. If the options are
-changed during the branch, the pointer is used to change the external options
-bits. This function is used during the pre-compile phase when we are trying
-to find out the amount of memory needed, as well as during the real compile
-phase. The value of lengthptr distinguishes the two phases.
-
-Arguments:
-  optionsptr        pointer to the option bits
-  codeptr           points to the pointer to the current code point
-  ptrptr            points to the current pattern pointer
-  errorcodeptr      points to error code variable
-  firstcharptr      place to put the first required character
-  firstcharflagsptr place to put the first character flags, or a negative number
-  reqcharptr        place to put the last required character
-  reqcharflagsptr   place to put the last required character flags, or a negative number
-  bcptr             points to current branch chain
-  cond_depth        conditional nesting depth
-  cd                contains pointers to tables etc.
-  lengthptr         NULL during the real compile phase
-                    points to length accumulator during pre-compile phase
-
-Returns:            TRUE on success
-                    FALSE, with *errorcodeptr set non-zero on error
-*/
-
-static BOOL
-compile_branch(int *optionsptr, pcre_uchar **codeptr,
-  const pcre_uchar **ptrptr, int *errorcodeptr,
-  pcre_uint32 *firstcharptr, pcre_int32 *firstcharflagsptr,
-  pcre_uint32 *reqcharptr, pcre_int32 *reqcharflagsptr,
-  branch_chain *bcptr, int cond_depth,
-  compile_data *cd, int *lengthptr)
-{
-int repeat_type, op_type;
-int repeat_min = 0, repeat_max = 0;      /* To please picky compilers */
-int bravalue = 0;
-int greedy_default, greedy_non_default;
-pcre_uint32 firstchar, reqchar;
-pcre_int32 firstcharflags, reqcharflags;
-pcre_uint32 zeroreqchar, zerofirstchar;
-pcre_int32 zeroreqcharflags, zerofirstcharflags;
-pcre_int32 req_caseopt, reqvary, tempreqvary;
-int options = *optionsptr;               /* May change dynamically */
-int after_manual_callout = 0;
-int length_prevgroup = 0;
-register pcre_uint32 c;
-int escape;
-register pcre_uchar *code = *codeptr;
-pcre_uchar *last_code = code;
-pcre_uchar *orig_code = code;
-pcre_uchar *tempcode;
-BOOL inescq = FALSE;
-BOOL groupsetfirstchar = FALSE;
-const pcre_uchar *ptr = *ptrptr;
-const pcre_uchar *tempptr;
-const pcre_uchar *nestptr = NULL;
-pcre_uchar *previous = NULL;
-pcre_uchar *previous_callout = NULL;
-size_t item_hwm_offset = 0;
-pcre_uint8 classbits[32];
-
-/* We can fish out the UTF-8 setting once and for all into a BOOL, but we
-must not do this for other options (e.g. PCRE_EXTENDED) because they may change
-dynamically as we process the pattern. */
-
-#ifdef SUPPORT_UTF
-/* PCRE_UTF[16|32] have the same value as PCRE_UTF8. */
-BOOL utf = (options & PCRE_UTF8) != 0;
-#ifndef COMPILE_PCRE32
-pcre_uchar utf_chars[6];
-#endif
-#else
-BOOL utf = FALSE;
-#endif
-
-/* Helper variables for OP_XCLASS opcode (for characters > 255). We define
-class_uchardata always so that it can be passed to add_to_class() always,
-though it will not be used in non-UTF 8-bit cases. This avoids having to supply
-alternative calls for the different cases. */
-
-pcre_uchar *class_uchardata;
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-BOOL xclass;
-pcre_uchar *class_uchardata_base;
-#endif
-
-#ifdef PCRE_DEBUG
-if (lengthptr != NULL) DPRINTF((">> start branch\n"));
-#endif
-
-/* Set up the default and non-default settings for greediness */
-
-greedy_default = ((options & PCRE_UNGREEDY) != 0);
-greedy_non_default = greedy_default ^ 1;
-
-/* Initialize no first byte, no required byte. REQ_UNSET means "no char
-matching encountered yet". It gets changed to REQ_NONE if we hit something that
-matches a non-fixed char first char; reqchar just remains unset if we never
-find one.
-
-When we hit a repeat whose minimum is zero, we may have to adjust these values
-to take the zero repeat into account. This is implemented by setting them to
-zerofirstbyte and zeroreqchar when such a repeat is encountered. The individual
-item types that can be repeated set these backoff variables appropriately. */
-
-firstchar = reqchar = zerofirstchar = zeroreqchar = 0;
-firstcharflags = reqcharflags = zerofirstcharflags = zeroreqcharflags = REQ_UNSET;
-
-/* The variable req_caseopt contains either the REQ_CASELESS value
-or zero, according to the current setting of the caseless flag. The
-REQ_CASELESS leaves the lower 28 bit empty. It is added into the
-firstchar or reqchar variables to record the case status of the
-value. This is used only for ASCII characters. */
-
-req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS:0;
-
-/* Switch on next character until the end of the branch */
-
-for (;; ptr++)
-  {
-  BOOL negate_class;
-  BOOL should_flip_negation;
-  BOOL possessive_quantifier;
-  BOOL is_quantifier;
-  BOOL is_recurse;
-  BOOL reset_bracount;
-  int class_has_8bitchar;
-  int class_one_char;
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-  BOOL xclass_has_prop;
-#endif
-  int newoptions;
-  int recno;
-  int refsign;
-  int skipbytes;
-  pcre_uint32 subreqchar, subfirstchar;
-  pcre_int32 subreqcharflags, subfirstcharflags;
-  int terminator;
-  unsigned int mclength;
-  unsigned int tempbracount;
-  pcre_uint32 ec;
-  pcre_uchar mcbuffer[8];
-
-  /* Come here to restart the loop without advancing the pointer. */
-
-  REDO_LOOP:
-
-  /* Get next character in the pattern */
-
-  c = *ptr;
-
-  /* If we are at the end of a nested substitution, revert to the outer level
-  string. Nesting only happens one level deep. */
-
-  if (c == CHAR_NULL && nestptr != NULL)
-    {
-    ptr = nestptr;
-    nestptr = NULL;
-    c = *ptr;
-    }
-
-  /* If we are in the pre-compile phase, accumulate the length used for the
-  previous cycle of this loop. */
-
-  if (lengthptr != NULL)
-    {
-#ifdef PCRE_DEBUG
-    if (code > cd->hwm) cd->hwm = code;                 /* High water info */
-#endif
-    if (code > cd->start_workspace + cd->workspace_size -
-        WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
-      {
-      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
-        ERR52 : ERR87;
-      goto FAILED;
-      }
-
-    /* There is at least one situation where code goes backwards: this is the
-    case of a zero quantifier after a class (e.g. [ab]{0}). At compile time,
-    the class is simply eliminated. However, it is created first, so we have to
-    allow memory for it. Therefore, don't ever reduce the length at this point.
-    */
-
-    if (code < last_code) code = last_code;
-
-    /* Paranoid check for integer overflow */
-
-    if (OFLOW_MAX - *lengthptr < code - last_code)
-      {
-      *errorcodeptr = ERR20;
-      goto FAILED;
-      }
-
-    *lengthptr += (int)(code - last_code);
-    DPRINTF(("length=%d added %d c=%c (0x%x)\n", *lengthptr,
-      (int)(code - last_code), c, c));
-
-    /* If "previous" is set and it is not at the start of the work space, move
-    it back to there, in order to avoid filling up the work space. Otherwise,
-    if "previous" is NULL, reset the current code pointer to the start. */
-
-    if (previous != NULL)
-      {
-      if (previous > orig_code)
-        {
-        memmove(orig_code, previous, IN_UCHARS(code - previous));
-        code -= previous - orig_code;
-        previous = orig_code;
-        }
-      }
-    else code = orig_code;
-
-    /* Remember where this code item starts so we can pick up the length
-    next time round. */
-
-    last_code = code;
-    }
-
-  /* In the real compile phase, just check the workspace used by the forward
-  reference list. */
-
-  else if (cd->hwm > cd->start_workspace + cd->workspace_size)
-    {
-    *errorcodeptr = ERR52;
-    goto FAILED;
-    }
-
-  /* If in \Q...\E, check for the end; if not, we have a literal. Otherwise an
-  isolated \E is ignored. */
-
-  if (c != CHAR_NULL)
-    {
-    if (c == CHAR_BACKSLASH && ptr[1] == CHAR_E)
-      {
-      inescq = FALSE;
-      ptr++;
-      continue;
-      }
-    else if (inescq)
-      {
-      if (previous_callout != NULL)
-        {
-        if (lengthptr == NULL)  /* Don't attempt in pre-compile phase */
-          complete_callout(previous_callout, ptr, cd);
-        previous_callout = NULL;
-        }
-      if ((options & PCRE_AUTO_CALLOUT) != 0)
-        {
-        previous_callout = code;
-        code = auto_callout(code, ptr, cd);
-        }
-      goto NORMAL_CHAR;
-      }
-
-    /* Check for the start of a \Q...\E sequence. We must do this here rather
-    than later in case it is immediately followed by \E, which turns it into a
-    "do nothing" sequence. */
-
-    if (c == CHAR_BACKSLASH && ptr[1] == CHAR_Q)
-      {
-      inescq = TRUE;
-      ptr++;
-      continue;
-      }
-    }
-
-  /* In extended mode, skip white space and comments. */
-
-  if ((options & PCRE_EXTENDED) != 0)
-    {
-    const pcre_uchar *wscptr = ptr;
-    while (MAX_255(c) && (cd->ctypes[c] & ctype_space) != 0) c = *(++ptr);
-    if (c == CHAR_NUMBER_SIGN)
-      {
-      ptr++;
-      while (*ptr != CHAR_NULL)
-        {
-        if (IS_NEWLINE(ptr))         /* For non-fixed-length newline cases, */
-          {                          /* IS_NEWLINE sets cd->nllen. */
-          ptr += cd->nllen;
-          break;
-          }
-        ptr++;
-#ifdef SUPPORT_UTF
-        if (utf) FORWARDCHAR(ptr);
-#endif
-        }
-      }
-
-    /* If we skipped any characters, restart the loop. Otherwise, we didn't see
-    a comment. */
-
-    if (ptr > wscptr) goto REDO_LOOP;
-    }
-
-  /* Skip over (?# comments. We need to do this here because we want to know if
-  the next thing is a quantifier, and these comments may come between an item
-  and its quantifier. */
-
-  if (c == CHAR_LEFT_PARENTHESIS && ptr[1] == CHAR_QUESTION_MARK &&
-      ptr[2] == CHAR_NUMBER_SIGN)
-    {
-    ptr += 3;
-    while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
-    if (*ptr == CHAR_NULL)
-      {
-      *errorcodeptr = ERR18;
-      goto FAILED;
-      }
-    continue;
-    }
-
-  /* See if the next thing is a quantifier. */
-
-  is_quantifier =
-    c == CHAR_ASTERISK || c == CHAR_PLUS || c == CHAR_QUESTION_MARK ||
-    (c == CHAR_LEFT_CURLY_BRACKET && is_counted_repeat(ptr+1));
-
-  /* Fill in length of a previous callout, except when the next thing is a
-  quantifier or when processing a property substitution string in UCP mode. */
-
-  if (!is_quantifier && previous_callout != NULL && nestptr == NULL &&
-       after_manual_callout-- <= 0)
-    {
-    if (lengthptr == NULL)      /* Don't attempt in pre-compile phase */
-      complete_callout(previous_callout, ptr, cd);
-    previous_callout = NULL;
-    }
-
-  /* Create auto callout, except for quantifiers, or while processing property
-  strings that are substituted for \w etc in UCP mode. */
-
-  if ((options & PCRE_AUTO_CALLOUT) != 0 && !is_quantifier && nestptr == NULL)
-    {
-    previous_callout = code;
-    code = auto_callout(code, ptr, cd);
-    }
-
-  /* Process the next pattern item. */
-
-  switch(c)
-    {
-    /* ===================================================================*/
-    case CHAR_NULL:                /* The branch terminates at string end */
-    case CHAR_VERTICAL_LINE:       /* or | or ) */
-    case CHAR_RIGHT_PARENTHESIS:
-    *firstcharptr = firstchar;
-    *firstcharflagsptr = firstcharflags;
-    *reqcharptr = reqchar;
-    *reqcharflagsptr = reqcharflags;
-    *codeptr = code;
-    *ptrptr = ptr;
-    if (lengthptr != NULL)
-      {
-      if (OFLOW_MAX - *lengthptr < code - last_code)
-        {
-        *errorcodeptr = ERR20;
-        goto FAILED;
-        }
-      *lengthptr += (int)(code - last_code);   /* To include callout length */
-      DPRINTF((">> end branch\n"));
-      }
-    return TRUE;
-
-
-    /* ===================================================================*/
-    /* Handle single-character metacharacters. In multiline mode, ^ disables
-    the setting of any following char as a first character. */
-
-    case CHAR_CIRCUMFLEX_ACCENT:
-    previous = NULL;
-    if ((options & PCRE_MULTILINE) != 0)
-      {
-      if (firstcharflags == REQ_UNSET)
-        zerofirstcharflags = firstcharflags = REQ_NONE;
-      *code++ = OP_CIRCM;
-      }
-    else *code++ = OP_CIRC;
-    break;
-
-    case CHAR_DOLLAR_SIGN:
-    previous = NULL;
-    *code++ = ((options & PCRE_MULTILINE) != 0)? OP_DOLLM : OP_DOLL;
-    break;
-
-    /* There can never be a first char if '.' is first, whatever happens about
-    repeats. The value of reqchar doesn't change either. */
-
-    case CHAR_DOT:
-    if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-    zerofirstchar = firstchar;
-    zerofirstcharflags = firstcharflags;
-    zeroreqchar = reqchar;
-    zeroreqcharflags = reqcharflags;
-    previous = code;
-    item_hwm_offset = cd->hwm - cd->start_workspace;
-    *code++ = ((options & PCRE_DOTALL) != 0)? OP_ALLANY: OP_ANY;
-    break;
-
-
-    /* ===================================================================*/
-    /* Character classes. If the included characters are all < 256, we build a
-    32-byte bitmap of the permitted characters, except in the special case
-    where there is only one such character. For negated classes, we build the
-    map as usual, then invert it at the end. However, we use a different opcode
-    so that data characters > 255 can be handled correctly.
-
-    If the class contains characters outside the 0-255 range, a different
-    opcode is compiled. It may optionally have a bit map for characters < 256,
-    but those above are are explicitly listed afterwards. A flag byte tells
-    whether the bitmap is present, and whether this is a negated class or not.
-
-    In JavaScript compatibility mode, an isolated ']' causes an error. In
-    default (Perl) mode, it is treated as a data character. */
-
-    case CHAR_RIGHT_SQUARE_BRACKET:
-    if ((cd->external_options & PCRE_JAVASCRIPT_COMPAT) != 0)
-      {
-      *errorcodeptr = ERR64;
-      goto FAILED;
-      }
-    goto NORMAL_CHAR;
-
-    /* In another (POSIX) regex library, the ugly syntax [[:<:]] and [[:>:]] is
-    used for "start of word" and "end of word". As these are otherwise illegal
-    sequences, we don't break anything by recognizing them. They are replaced
-    by \b(?=\w) and \b(?<=\w) respectively. Sequences like [a[:<:]] are
-    erroneous and are handled by the normal code below. */
-
-    case CHAR_LEFT_SQUARE_BRACKET:
-    if (STRNCMP_UC_C8(ptr+1, STRING_WEIRD_STARTWORD, 6) == 0)
-      {
-      nestptr = ptr + 7;
-      ptr = sub_start_of_word;
-      goto REDO_LOOP;
-      }
-
-    if (STRNCMP_UC_C8(ptr+1, STRING_WEIRD_ENDWORD, 6) == 0)
-      {
-      nestptr = ptr + 7;
-      ptr = sub_end_of_word;
-      goto REDO_LOOP;
-      }
-
-    /* Handle a real character class. */
-
-    previous = code;
-    item_hwm_offset = cd->hwm - cd->start_workspace;
-
-    /* PCRE supports POSIX class stuff inside a class. Perl gives an error if
-    they are encountered at the top level, so we'll do that too. */
-
-    if ((ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT ||
-         ptr[1] == CHAR_EQUALS_SIGN) &&
-        check_posix_syntax(ptr, &tempptr))
-      {
-      *errorcodeptr = (ptr[1] == CHAR_COLON)? ERR13 : ERR31;
-      goto FAILED;
-      }
-
-    /* If the first character is '^', set the negation flag and skip it. Also,
-    if the first few characters (either before or after ^) are \Q\E or \E we
-    skip them too. This makes for compatibility with Perl. */
-
-    negate_class = FALSE;
-    for (;;)
-      {
-      c = *(++ptr);
-      if (c == CHAR_BACKSLASH)
-        {
-        if (ptr[1] == CHAR_E)
-          ptr++;
-        else if (STRNCMP_UC_C8(ptr + 1, STR_Q STR_BACKSLASH STR_E, 3) == 0)
-          ptr += 3;
-        else
-          break;
-        }
-      else if (!negate_class && c == CHAR_CIRCUMFLEX_ACCENT)
-        negate_class = TRUE;
-      else break;
-      }
-
-    /* Empty classes are allowed in JavaScript compatibility mode. Otherwise,
-    an initial ']' is taken as a data character -- the code below handles
-    that. In JS mode, [] must always fail, so generate OP_FAIL, whereas
-    [^] must match any character, so generate OP_ALLANY. */
-
-    if (c == CHAR_RIGHT_SQUARE_BRACKET &&
-        (cd->external_options & PCRE_JAVASCRIPT_COMPAT) != 0)
-      {
-      *code++ = negate_class? OP_ALLANY : OP_FAIL;
-      if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-      zerofirstchar = firstchar;
-      zerofirstcharflags = firstcharflags;
-      break;
-      }
-
-    /* If a class contains a negative special such as \S, we need to flip the
-    negation flag at the end, so that support for characters > 255 works
-    correctly (they are all included in the class). */
-
-    should_flip_negation = FALSE;
-
-    /* Extended class (xclass) will be used when characters > 255
-    might match. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    xclass = FALSE;
-    class_uchardata = code + LINK_SIZE + 2;   /* For XCLASS items */
-    class_uchardata_base = class_uchardata;   /* Save the start */
-#endif
-
-    /* For optimization purposes, we track some properties of the class:
-    class_has_8bitchar will be non-zero if the class contains at least one <
-    256 character; class_one_char will be 1 if the class contains just one
-    character; xclass_has_prop will be TRUE if unicode property checks
-    are present in the class. */
-
-    class_has_8bitchar = 0;
-    class_one_char = 0;
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    xclass_has_prop = FALSE;
-#endif
-
-    /* Initialize the 32-char bit map to all zeros. We build the map in a
-    temporary bit of memory, in case the class contains fewer than two
-    8-bit characters because in that case the compiled code doesn't use the bit
-    map. */
-
-    memset(classbits, 0, 32 * sizeof(pcre_uint8));
-
-    /* Process characters until ] is reached. By writing this as a "do" it
-    means that an initial ] is taken as a data character. At the start of the
-    loop, c contains the first byte of the character. */
-
-    if (c != CHAR_NULL) do
-      {
-      const pcre_uchar *oldptr;
-
-#ifdef SUPPORT_UTF
-      if (utf && HAS_EXTRALEN(c))
-        {                           /* Braces are required because the */
-        GETCHARLEN(c, ptr, ptr);    /* macro generates multiple statements */
-        }
-#endif
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-      /* In the pre-compile phase, accumulate the length of any extra
-      data and reset the pointer. This is so that very large classes that
-      contain a zillion > 255 characters no longer overwrite the work space
-      (which is on the stack). We have to remember that there was XCLASS data,
-      however. */
-
-      if (class_uchardata > class_uchardata_base) xclass = TRUE;
-
-      if (lengthptr != NULL && class_uchardata > class_uchardata_base)
-        {
-        *lengthptr += (int)(class_uchardata - class_uchardata_base);
-        class_uchardata = class_uchardata_base;
-        }
-#endif
-
-      /* Inside \Q...\E everything is literal except \E */
-
-      if (inescq)
-        {
-        if (c == CHAR_BACKSLASH && ptr[1] == CHAR_E)  /* If we are at \E */
-          {
-          inescq = FALSE;                   /* Reset literal state */
-          ptr++;                            /* Skip the 'E' */
-          continue;                         /* Carry on with next */
-          }
-        goto CHECK_RANGE;                   /* Could be range if \E follows */
-        }
-
-      /* Handle POSIX class names. Perl allows a negation extension of the
-      form [:^name:]. A square bracket that doesn't match the syntax is
-      treated as a literal. We also recognize the POSIX constructions
-      [.ch.] and [=ch=] ("collating elements") and fault them, as Perl
-      5.6 and 5.8 do. */
-
-      if (c == CHAR_LEFT_SQUARE_BRACKET &&
-          (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT ||
-           ptr[1] == CHAR_EQUALS_SIGN) && check_posix_syntax(ptr, &tempptr))
-        {
-        BOOL local_negate = FALSE;
-        int posix_class, taboffset, tabopt;
-        register const pcre_uint8 *cbits = cd->cbits;
-        pcre_uint8 pbits[32];
-
-        if (ptr[1] != CHAR_COLON)
-          {
-          *errorcodeptr = ERR31;
-          goto FAILED;
-          }
-
-        ptr += 2;
-        if (*ptr == CHAR_CIRCUMFLEX_ACCENT)
-          {
-          local_negate = TRUE;
-          should_flip_negation = TRUE;  /* Note negative special */
-          ptr++;
-          }
-
-        posix_class = check_posix_name(ptr, (int)(tempptr - ptr));
-        if (posix_class < 0)
-          {
-          *errorcodeptr = ERR30;
-          goto FAILED;
-          }
-
-        /* If matching is caseless, upper and lower are converted to
-        alpha. This relies on the fact that the class table starts with
-        alpha, lower, upper as the first 3 entries. */
-
-        if ((options & PCRE_CASELESS) != 0 && posix_class <= 2)
-          posix_class = 0;
-
-        /* When PCRE_UCP is set, some of the POSIX classes are converted to
-        different escape sequences that use Unicode properties \p or \P. Others
-        that are not available via \p or \P generate XCL_PROP/XCL_NOTPROP
-        directly. */
-
-#ifdef SUPPORT_UCP
-        if ((options & PCRE_UCP) != 0)
-          {
-          unsigned int ptype = 0;
-          int pc = posix_class + ((local_negate)? POSIX_SUBSIZE/2 : 0);
-
-          /* The posix_substitutes table specifies which POSIX classes can be
-          converted to \p or \P items. */
-
-          if (posix_substitutes[pc] != NULL)
-            {
-            nestptr = tempptr + 1;
-            ptr = posix_substitutes[pc] - 1;
-            continue;
-            }
-
-          /* There are three other classes that generate special property calls
-          that are recognized only in an XCLASS. */
-
-          else switch(posix_class)
-            {
-            case PC_GRAPH:
-            ptype = PT_PXGRAPH;
-            /* Fall through */
-            case PC_PRINT:
-            if (ptype == 0) ptype = PT_PXPRINT;
-            /* Fall through */
-            case PC_PUNCT:
-            if (ptype == 0) ptype = PT_PXPUNCT;
-            *class_uchardata++ = local_negate? XCL_NOTPROP : XCL_PROP;
-            *class_uchardata++ = ptype;
-            *class_uchardata++ = 0;
-            xclass_has_prop = TRUE;
-            ptr = tempptr + 1;
-            continue;
-
-            /* For the other POSIX classes (ascii, cntrl, xdigit) we are going
-            to fall through to the non-UCP case and build a bit map for
-            characters with code points less than 256. If we are in a negated
-            POSIX class, characters with code points greater than 255 must
-            either all match or all not match. In the special case where we
-            have not yet generated any xclass data, and this is the final item
-            in the overall class, we need do nothing: later on, the opcode
-            OP_NCLASS will be used to indicate that characters greater than 255
-            are acceptable. If we have already seen an xclass item or one may
-            follow (we have to assume that it might if this is not the end of
-            the class), explicitly list all wide codepoints, which will then
-            either not match or match, depending on whether the class is or is
-            not negated. */
-
-            default:
-            if (local_negate &&
-                (xclass || tempptr[2] != CHAR_RIGHT_SQUARE_BRACKET))
-              {
-              *class_uchardata++ = XCL_RANGE;
-              class_uchardata += PRIV(ord2utf)(0x100, class_uchardata);
-              class_uchardata += PRIV(ord2utf)(0x10ffff, class_uchardata);
-              }
-            break;
-            }
-          }
-#endif
-        /* In the non-UCP case, or when UCP makes no difference, we build the
-        bit map for the POSIX class in a chunk of local store because we may be
-        adding and subtracting from it, and we don't want to subtract bits that
-        may be in the main map already. At the end we or the result into the
-        bit map that is being built. */
-
-        posix_class *= 3;
-
-        /* Copy in the first table (always present) */
-
-        memcpy(pbits, cbits + posix_class_maps[posix_class],
-          32 * sizeof(pcre_uint8));
-
-        /* If there is a second table, add or remove it as required. */
-
-        taboffset = posix_class_maps[posix_class + 1];
-        tabopt = posix_class_maps[posix_class + 2];
-
-        if (taboffset >= 0)
-          {
-          if (tabopt >= 0)
-            for (c = 0; c < 32; c++) pbits[c] |= cbits[c + taboffset];
-          else
-            for (c = 0; c < 32; c++) pbits[c] &= ~cbits[c + taboffset];
-          }
-
-        /* Now see if we need to remove any special characters. An option
-        value of 1 removes vertical space and 2 removes underscore. */
-
-        if (tabopt < 0) tabopt = -tabopt;
-        if (tabopt == 1) pbits[1] &= ~0x3c;
-          else if (tabopt == 2) pbits[11] &= 0x7f;
-
-        /* Add the POSIX table or its complement into the main table that is
-        being built and we are done. */
-
-        if (local_negate)
-          for (c = 0; c < 32; c++) classbits[c] |= ~pbits[c];
-        else
-          for (c = 0; c < 32; c++) classbits[c] |= pbits[c];
-
-        ptr = tempptr + 1;
-        /* Every class contains at least one < 256 character. */
-        class_has_8bitchar = 1;
-        /* Every class contains at least two characters. */
-        class_one_char = 2;
-        continue;    /* End of POSIX syntax handling */
-        }
-
-      /* Backslash may introduce a single character, or it may introduce one
-      of the specials, which just set a flag. The sequence \b is a special
-      case. Inside a class (and only there) it is treated as backspace. We
-      assume that other escapes have more than one character in them, so
-      speculatively set both class_has_8bitchar and class_one_char bigger
-      than one. Unrecognized escapes fall through and are either treated
-      as literal characters (by default), or are faulted if
-      PCRE_EXTRA is set. */
-
-      if (c == CHAR_BACKSLASH)
-        {
-        escape = check_escape(&ptr, &ec, errorcodeptr, cd->bracount, options,
-          TRUE);
-        if (*errorcodeptr != 0) goto FAILED;
-        if (escape == 0) c = ec;
-        else if (escape == ESC_b) c = CHAR_BS; /* \b is backspace in a class */
-        else if (escape == ESC_N)          /* \N is not supported in a class */
-          {
-          *errorcodeptr = ERR71;
-          goto FAILED;
-          }
-        else if (escape == ESC_Q)            /* Handle start of quoted string */
-          {
-          if (ptr[1] == CHAR_BACKSLASH && ptr[2] == CHAR_E)
-            {
-            ptr += 2; /* avoid empty string */
-            }
-          else inescq = TRUE;
-          continue;
-          }
-        else if (escape == ESC_E) continue;  /* Ignore orphan \E */
-
-        else
-          {
-          register const pcre_uint8 *cbits = cd->cbits;
-          /* Every class contains at least two < 256 characters. */
-          class_has_8bitchar++;
-          /* Every class contains at least two characters. */
-          class_one_char += 2;
-
-          switch (escape)
-            {
-#ifdef SUPPORT_UCP
-            case ESC_du:     /* These are the values given for \d etc */
-            case ESC_DU:     /* when PCRE_UCP is set. We replace the */
-            case ESC_wu:     /* escape sequence with an appropriate \p */
-            case ESC_WU:     /* or \P to test Unicode properties instead */
-            case ESC_su:     /* of the default ASCII testing. */
-            case ESC_SU:
-            nestptr = ptr;
-            ptr = substitutes[escape - ESC_DU] - 1;  /* Just before substitute */
-            class_has_8bitchar--;                /* Undo! */
-            continue;
-#endif
-            case ESC_d:
-            for (c = 0; c < 32; c++) classbits[c] |= cbits[c+cbit_digit];
-            continue;
-
-            case ESC_D:
-            should_flip_negation = TRUE;
-            for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_digit];
-            continue;
-
-            case ESC_w:
-            for (c = 0; c < 32; c++) classbits[c] |= cbits[c+cbit_word];
-            continue;
-
-            case ESC_W:
-            should_flip_negation = TRUE;
-            for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_word];
-            continue;
-
-            /* Perl 5.004 onwards omitted VT from \s, but restored it at Perl
-            5.18. Before PCRE 8.34, we had to preserve the VT bit if it was
-            previously set by something earlier in the character class.
-            Luckily, the value of CHAR_VT is 0x0b in both ASCII and EBCDIC, so
-            we could just adjust the appropriate bit. From PCRE 8.34 we no
-            longer treat \s and \S specially. */
-
-            case ESC_s:
-            for (c = 0; c < 32; c++) classbits[c] |= cbits[c+cbit_space];
-            continue;
-
-            case ESC_S:
-            should_flip_negation = TRUE;
-            for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_space];
-            continue;
-
-            /* The rest apply in both UCP and non-UCP cases. */
-
-            case ESC_h:
-            (void)add_list_to_class(classbits, &class_uchardata, options, cd,
-              PRIV(hspace_list), NOTACHAR);
-            continue;
-
-            case ESC_H:
-            (void)add_not_list_to_class(classbits, &class_uchardata, options,
-              cd, PRIV(hspace_list));
-            continue;
-
-            case ESC_v:
-            (void)add_list_to_class(classbits, &class_uchardata, options, cd,
-              PRIV(vspace_list), NOTACHAR);
-            continue;
-
-            case ESC_V:
-            (void)add_not_list_to_class(classbits, &class_uchardata, options,
-              cd, PRIV(vspace_list));
-            continue;
-
-            case ESC_p:
-            case ESC_P:
-#ifdef SUPPORT_UCP
-              {
-              BOOL negated;
-              unsigned int ptype = 0, pdata = 0;
-              if (!get_ucp(&ptr, &negated, &ptype, &pdata, errorcodeptr))
-                goto FAILED;
-              *class_uchardata++ = ((escape == ESC_p) != negated)?
-                XCL_PROP : XCL_NOTPROP;
-              *class_uchardata++ = ptype;
-              *class_uchardata++ = pdata;
-              xclass_has_prop = TRUE;
-              class_has_8bitchar--;                /* Undo! */
-              continue;
-              }
-#else
-            *errorcodeptr = ERR45;
-            goto FAILED;
-#endif
-            /* Unrecognized escapes are faulted if PCRE is running in its
-            strict mode. By default, for compatibility with Perl, they are
-            treated as literals. */
-
-            default:
-            if ((options & PCRE_EXTRA) != 0)
-              {
-              *errorcodeptr = ERR7;
-              goto FAILED;
-              }
-            class_has_8bitchar--;    /* Undo the speculative increase. */
-            class_one_char -= 2;     /* Undo the speculative increase. */
-            c = *ptr;                /* Get the final character and fall through */
-            break;
-            }
-          }
-
-        /* Fall through if the escape just defined a single character (c >= 0).
-        This may be greater than 256. */
-
-        escape = 0;
-
-        }   /* End of backslash handling */
-
-      /* A character may be followed by '-' to form a range. However, Perl does
-      not permit ']' to be the end of the range. A '-' character at the end is
-      treated as a literal. Perl ignores orphaned \E sequences entirely. The
-      code for handling \Q and \E is messy. */
-
-      CHECK_RANGE:
-      while (ptr[1] == CHAR_BACKSLASH && ptr[2] == CHAR_E)
-        {
-        inescq = FALSE;
-        ptr += 2;
-        }
-      oldptr = ptr;
-
-      /* Remember if \r or \n were explicitly used */
-
-      if (c == CHAR_CR || c == CHAR_NL) cd->external_flags |= PCRE_HASCRORLF;
-
-      /* Check for range */
-
-      if (!inescq && ptr[1] == CHAR_MINUS)
-        {
-        pcre_uint32 d;
-        ptr += 2;
-        while (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_E) ptr += 2;
-
-        /* If we hit \Q (not followed by \E) at this point, go into escaped
-        mode. */
-
-        while (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_Q)
-          {
-          ptr += 2;
-          if (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_E)
-            { ptr += 2; continue; }
-          inescq = TRUE;
-          break;
-          }
-
-        /* Minus (hyphen) at the end of a class is treated as a literal, so put
-        back the pointer and jump to handle the character that preceded it. */
-
-        if (*ptr == CHAR_NULL || (!inescq && *ptr == CHAR_RIGHT_SQUARE_BRACKET))
-          {
-          ptr = oldptr;
-          goto CLASS_SINGLE_CHARACTER;
-          }
-
-        /* Otherwise, we have a potential range; pick up the next character */
-
-#ifdef SUPPORT_UTF
-        if (utf)
-          {                           /* Braces are required because the */
-          GETCHARLEN(d, ptr, ptr);    /* macro generates multiple statements */
-          }
-        else
-#endif
-        d = *ptr;  /* Not UTF-8 mode */
-
-        /* The second part of a range can be a single-character escape
-        sequence, but not any of the other escapes. Perl treats a hyphen as a
-        literal in such circumstances. However, in Perl's warning mode, a
-        warning is given, so PCRE now faults it as it is almost certainly a
-        mistake on the user's part. */
-
-        if (!inescq)
-          {
-          if (d == CHAR_BACKSLASH)
-            {
-            int descape;
-            descape = check_escape(&ptr, &d, errorcodeptr, cd->bracount, options, TRUE);
-            if (*errorcodeptr != 0) goto FAILED;
-
-            /* 0 means a character was put into d; \b is backspace; any other
-            special causes an error. */
-
-            if (descape != 0)
-              {
-              if (descape == ESC_b) d = CHAR_BS; else
-                {
-                *errorcodeptr = ERR83;
-                goto FAILED;
-                }
-              }
-            }
-
-          /* A hyphen followed by a POSIX class is treated in the same way. */
-
-          else if (d == CHAR_LEFT_SQUARE_BRACKET &&
-                   (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT ||
-                    ptr[1] == CHAR_EQUALS_SIGN) &&
-                   check_posix_syntax(ptr, &tempptr))
-            {
-            *errorcodeptr = ERR83;
-            goto FAILED;
-            }
-          }
-
-        /* Check that the two values are in the correct order. Optimize
-        one-character ranges. */
-
-        if (d < c)
-          {
-          *errorcodeptr = ERR8;
-          goto FAILED;
-          }
-        if (d == c) goto CLASS_SINGLE_CHARACTER;  /* A few lines below */
-
-        /* We have found a character range, so single character optimizations
-        cannot be done anymore. Any value greater than 1 indicates that there
-        is more than one character. */
-
-        class_one_char = 2;
-
-        /* Remember an explicit \r or \n, and add the range to the class. */
-
-        if (d == CHAR_CR || d == CHAR_NL) cd->external_flags |= PCRE_HASCRORLF;
-
-        class_has_8bitchar +=
-          add_to_class(classbits, &class_uchardata, options, cd, c, d);
-
-        continue;   /* Go get the next char in the class */
-        }
-
-      /* Handle a single character - we can get here for a normal non-escape
-      char, or after \ that introduces a single character or for an apparent
-      range that isn't. Only the value 1 matters for class_one_char, so don't
-      increase it if it is already 2 or more ... just in case there's a class
-      with a zillion characters in it. */
-
-      CLASS_SINGLE_CHARACTER:
-      if (class_one_char < 2) class_one_char++;
-
-      /* If xclass_has_prop is false and class_one_char is 1, we have the first
-      single character in the class, and there have been no prior ranges, or
-      XCLASS items generated by escapes. If this is the final character in the
-      class, we can optimize by turning the item into a 1-character OP_CHAR[I]
-      if it's positive, or OP_NOT[I] if it's negative. In the positive case, it
-      can cause firstchar to be set. Otherwise, there can be no first char if
-      this item is first, whatever repeat count may follow. In the case of
-      reqchar, save the previous value for reinstating. */
-
-      if (!inescq &&
-#ifdef SUPPORT_UCP
-          !xclass_has_prop &&
-#endif
-          class_one_char == 1 && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET)
-        {
-        ptr++;
-        zeroreqchar = reqchar;
-        zeroreqcharflags = reqcharflags;
-
-        if (negate_class)
-          {
-#ifdef SUPPORT_UCP
-          int d;
-#endif
-          if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-          zerofirstchar = firstchar;
-          zerofirstcharflags = firstcharflags;
-
-          /* For caseless UTF-8 mode when UCP support is available, check
-          whether this character has more than one other case. If so, generate
-          a special OP_NOTPROP item instead of OP_NOTI. */
-
-#ifdef SUPPORT_UCP
-          if (utf && (options & PCRE_CASELESS) != 0 &&
-              (d = UCD_CASESET(c)) != 0)
-            {
-            *code++ = OP_NOTPROP;
-            *code++ = PT_CLIST;
-            *code++ = d;
-            }
-          else
-#endif
-          /* Char has only one other case, or UCP not available */
-
-            {
-            *code++ = ((options & PCRE_CASELESS) != 0)? OP_NOTI: OP_NOT;
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-            if (utf && c > MAX_VALUE_FOR_SINGLE_CHAR)
-              code += PRIV(ord2utf)(c, code);
-            else
-#endif
-              *code++ = c;
-            }
-
-          /* We are finished with this character class */
-
-          goto END_CLASS;
-          }
-
-        /* For a single, positive character, get the value into mcbuffer, and
-        then we can handle this with the normal one-character code. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-        if (utf && c > MAX_VALUE_FOR_SINGLE_CHAR)
-          mclength = PRIV(ord2utf)(c, mcbuffer);
-        else
-#endif
-          {
-          mcbuffer[0] = c;
-          mclength = 1;
-          }
-        goto ONE_CHAR;
-        }       /* End of 1-char optimization */
-
-      /* There is more than one character in the class, or an XCLASS item
-      has been generated. Add this character to the class. */
-
-      class_has_8bitchar +=
-        add_to_class(classbits, &class_uchardata, options, cd, c, c);
-      }
-
-    /* Loop until ']' reached. This "while" is the end of the "do" far above.
-    If we are at the end of an internal nested string, revert to the outer
-    string. */
-
-    while (((c = *(++ptr)) != CHAR_NULL ||
-           (nestptr != NULL &&
-             (ptr = nestptr, nestptr = NULL, c = *(++ptr)) != CHAR_NULL)) &&
-           (c != CHAR_RIGHT_SQUARE_BRACKET || inescq));
-
-    /* Check for missing terminating ']' */
-
-    if (c == CHAR_NULL)
-      {
-      *errorcodeptr = ERR6;
-      goto FAILED;
-      }
-
-    /* We will need an XCLASS if data has been placed in class_uchardata. In
-    the second phase this is a sufficient test. However, in the pre-compile
-    phase, class_uchardata gets emptied to prevent workspace overflow, so it
-    only if the very last character in the class needs XCLASS will it contain
-    anything at this point. For this reason, xclass gets set TRUE above when
-    uchar_classdata is emptied, and that's why this code is the way it is here
-    instead of just doing a test on class_uchardata below. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    if (class_uchardata > class_uchardata_base) xclass = TRUE;
-#endif
-
-    /* If this is the first thing in the branch, there can be no first char
-    setting, whatever the repeat count. Any reqchar setting must remain
-    unchanged after any kind of repeat. */
-
-    if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-    zerofirstchar = firstchar;
-    zerofirstcharflags = firstcharflags;
-    zeroreqchar = reqchar;
-    zeroreqcharflags = reqcharflags;
-
-    /* If there are characters with values > 255, we have to compile an
-    extended class, with its own opcode, unless there was a negated special
-    such as \S in the class, and PCRE_UCP is not set, because in that case all
-    characters > 255 are in the class, so any that were explicitly given as
-    well can be ignored. If (when there are explicit characters > 255 that must
-    be listed) there are no characters < 256, we can omit the bitmap in the
-    actual compiled code. */
-
-#ifdef SUPPORT_UTF
-    if (xclass && (xclass_has_prop || !should_flip_negation ||
-        (options & PCRE_UCP) != 0))
-#elif !defined COMPILE_PCRE8
-    if (xclass && (xclass_has_prop || !should_flip_negation))
-#endif
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-      {
-      *class_uchardata++ = XCL_END;    /* Marks the end of extra data */
-      *code++ = OP_XCLASS;
-      code += LINK_SIZE;
-      *code = negate_class? XCL_NOT:0;
-      if (xclass_has_prop) *code |= XCL_HASPROP;
-
-      /* If the map is required, move up the extra data to make room for it;
-      otherwise just move the code pointer to the end of the extra data. */
-
-      if (class_has_8bitchar > 0)
-        {
-        *code++ |= XCL_MAP;
-        memmove(code + (32 / sizeof(pcre_uchar)), code,
-          IN_UCHARS(class_uchardata - code));
-        if (negate_class && !xclass_has_prop)
-          for (c = 0; c < 32; c++) classbits[c] = ~classbits[c];
-        memcpy(code, classbits, 32);
-        code = class_uchardata + (32 / sizeof(pcre_uchar));
-        }
-      else code = class_uchardata;
-
-      /* Now fill in the complete length of the item */
-
-      PUT(previous, 1, (int)(code - previous));
-      break;   /* End of class handling */
-      }
-
-    /* Even though any XCLASS list is now discarded, we must allow for
-    its memory. */
-
-    if (lengthptr != NULL)
-      *lengthptr += (int)(class_uchardata - class_uchardata_base);
-#endif
-
-    /* If there are no characters > 255, or they are all to be included or
-    excluded, set the opcode to OP_CLASS or OP_NCLASS, depending on whether the
-    whole class was negated and whether there were negative specials such as \S
-    (non-UCP) in the class. Then copy the 32-byte map into the code vector,
-    negating it if necessary. */
-
-    *code++ = (negate_class == should_flip_negation) ? OP_CLASS : OP_NCLASS;
-    if (lengthptr == NULL)    /* Save time in the pre-compile phase */
-      {
-      if (negate_class)
-        for (c = 0; c < 32; c++) classbits[c] = ~classbits[c];
-      memcpy(code, classbits, 32);
-      }
-    code += 32 / sizeof(pcre_uchar);
-
-    END_CLASS:
-    break;
-
-
-    /* ===================================================================*/
-    /* Various kinds of repeat; '{' is not necessarily a quantifier, but this
-    has been tested above. */
-
-    case CHAR_LEFT_CURLY_BRACKET:
-    if (!is_quantifier) goto NORMAL_CHAR;
-    ptr = read_repeat_counts(ptr+1, &repeat_min, &repeat_max, errorcodeptr);
-    if (*errorcodeptr != 0) goto FAILED;
-    goto REPEAT;
-
-    case CHAR_ASTERISK:
-    repeat_min = 0;
-    repeat_max = -1;
-    goto REPEAT;
-
-    case CHAR_PLUS:
-    repeat_min = 1;
-    repeat_max = -1;
-    goto REPEAT;
-
-    case CHAR_QUESTION_MARK:
-    repeat_min = 0;
-    repeat_max = 1;
-
-    REPEAT:
-    if (previous == NULL)
-      {
-      *errorcodeptr = ERR9;
-      goto FAILED;
-      }
-
-    if (repeat_min == 0)
-      {
-      firstchar = zerofirstchar;    /* Adjust for zero repeat */
-      firstcharflags = zerofirstcharflags;
-      reqchar = zeroreqchar;        /* Ditto */
-      reqcharflags = zeroreqcharflags;
-      }
-
-    /* Remember whether this is a variable length repeat */
-
-    reqvary = (repeat_min == repeat_max)? 0 : REQ_VARY;
-
-    op_type = 0;                    /* Default single-char op codes */
-    possessive_quantifier = FALSE;  /* Default not possessive quantifier */
-
-    /* Save start of previous item, in case we have to move it up in order to
-    insert something before it. */
-
-    tempcode = previous;
-
-    /* Before checking for a possessive quantifier, we must skip over
-    whitespace and comments in extended mode because Perl allows white space at
-    this point. */
-
-    if ((options & PCRE_EXTENDED) != 0)
-      {
-      const pcre_uchar *p = ptr + 1;
-      for (;;)
-        {
-        while (MAX_255(*p) && (cd->ctypes[*p] & ctype_space) != 0) p++;
-        if (*p != CHAR_NUMBER_SIGN) break;
-        p++;
-        while (*p != CHAR_NULL)
-          {
-          if (IS_NEWLINE(p))         /* For non-fixed-length newline cases, */
-            {                        /* IS_NEWLINE sets cd->nllen. */
-            p += cd->nllen;
-            break;
-            }
-          p++;
-#ifdef SUPPORT_UTF
-          if (utf) FORWARDCHAR(p);
-#endif
-          }           /* Loop for comment characters */
-        }             /* Loop for multiple comments */
-      ptr = p - 1;    /* Character before the next significant one. */
-      }
-
-    /* If the next character is '+', we have a possessive quantifier. This
-    implies greediness, whatever the setting of the PCRE_UNGREEDY option.
-    If the next character is '?' this is a minimizing repeat, by default,
-    but if PCRE_UNGREEDY is set, it works the other way round. We change the
-    repeat type to the non-default. */
-
-    if (ptr[1] == CHAR_PLUS)
-      {
-      repeat_type = 0;                  /* Force greedy */
-      possessive_quantifier = TRUE;
-      ptr++;
-      }
-    else if (ptr[1] == CHAR_QUESTION_MARK)
-      {
-      repeat_type = greedy_non_default;
-      ptr++;
-      }
-    else repeat_type = greedy_default;
-
-    /* If previous was a recursion call, wrap it in atomic brackets so that
-    previous becomes the atomic group. All recursions were so wrapped in the
-    past, but it no longer happens for non-repeated recursions. In fact, the
-    repeated ones could be re-implemented independently so as not to need this,
-    but for the moment we rely on the code for repeating groups. */
-
-    if (*previous == OP_RECURSE)
-      {
-      memmove(previous + 1 + LINK_SIZE, previous, IN_UCHARS(1 + LINK_SIZE));
-      *previous = OP_ONCE;
-      PUT(previous, 1, 2 + 2*LINK_SIZE);
-      previous[2 + 2*LINK_SIZE] = OP_KET;
-      PUT(previous, 3 + 2*LINK_SIZE, 2 + 2*LINK_SIZE);
-      code += 2 + 2 * LINK_SIZE;
-      length_prevgroup = 3 + 3*LINK_SIZE;
-
-      /* When actually compiling, we need to check whether this was a forward
-      reference, and if so, adjust the offset. */
-
-      if (lengthptr == NULL && cd->hwm >= cd->start_workspace + LINK_SIZE)
-        {
-        int offset = GET(cd->hwm, -LINK_SIZE);
-        if (offset == previous + 1 - cd->start_code)
-          PUT(cd->hwm, -LINK_SIZE, offset + 1 + LINK_SIZE);
-        }
-      }
-
-    /* Now handle repetition for the different types of item. */
-
-    /* If previous was a character or negated character match, abolish the item
-    and generate a repeat item instead. If a char item has a minimum of more
-    than one, ensure that it is set in reqchar - it might not be if a sequence
-    such as x{3} is the first thing in a branch because the x will have gone
-    into firstchar instead.  */
-
-    if (*previous == OP_CHAR || *previous == OP_CHARI
-        || *previous == OP_NOT || *previous == OP_NOTI)
-      {
-      switch (*previous)
-        {
-        default: /* Make compiler happy. */
-        case OP_CHAR:  op_type = OP_STAR - OP_STAR; break;
-        case OP_CHARI: op_type = OP_STARI - OP_STAR; break;
-        case OP_NOT:   op_type = OP_NOTSTAR - OP_STAR; break;
-        case OP_NOTI:  op_type = OP_NOTSTARI - OP_STAR; break;
-        }
-
-      /* Deal with UTF characters that take up more than one character. It's
-      easier to write this out separately than try to macrify it. Use c to
-      hold the length of the character in bytes, plus UTF_LENGTH to flag that
-      it's a length rather than a small character. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-      if (utf && NOT_FIRSTCHAR(code[-1]))
-        {
-        pcre_uchar *lastchar = code - 1;
-        BACKCHAR(lastchar);
-        c = (int)(code - lastchar);     /* Length of UTF-8 character */
-        memcpy(utf_chars, lastchar, IN_UCHARS(c)); /* Save the char */
-        c |= UTF_LENGTH;                /* Flag c as a length */
-        }
-      else
-#endif /* SUPPORT_UTF */
-
-      /* Handle the case of a single charater - either with no UTF support, or
-      with UTF disabled, or for a single character UTF character. */
-        {
-        c = code[-1];
-        if (*previous <= OP_CHARI && repeat_min > 1)
-          {
-          reqchar = c;
-          reqcharflags = req_caseopt | cd->req_varyopt;
-          }
-        }
-
-      goto OUTPUT_SINGLE_REPEAT;   /* Code shared with single character types */
-      }
-
-    /* If previous was a character type match (\d or similar), abolish it and
-    create a suitable repeat item. The code is shared with single-character
-    repeats by setting op_type to add a suitable offset into repeat_type. Note
-    the the Unicode property types will be present only when SUPPORT_UCP is
-    defined, but we don't wrap the little bits of code here because it just
-    makes it horribly messy. */
-
-    else if (*previous < OP_EODN)
-      {
-      pcre_uchar *oldcode;
-      int prop_type, prop_value;
-      op_type = OP_TYPESTAR - OP_STAR;  /* Use type opcodes */
-      c = *previous;
-
-      OUTPUT_SINGLE_REPEAT:
-      if (*previous == OP_PROP || *previous == OP_NOTPROP)
-        {
-        prop_type = previous[1];
-        prop_value = previous[2];
-        }
-      else prop_type = prop_value = -1;
-
-      oldcode = code;
-      code = previous;                  /* Usually overwrite previous item */
-
-      /* If the maximum is zero then the minimum must also be zero; Perl allows
-      this case, so we do too - by simply omitting the item altogether. */
-
-      if (repeat_max == 0) goto END_REPEAT;
-
-      /* Combine the op_type with the repeat_type */
-
-      repeat_type += op_type;
-
-      /* A minimum of zero is handled either as the special case * or ?, or as
-      an UPTO, with the maximum given. */
-
-      if (repeat_min == 0)
-        {
-        if (repeat_max == -1) *code++ = OP_STAR + repeat_type;
-          else if (repeat_max == 1) *code++ = OP_QUERY + repeat_type;
-        else
-          {
-          *code++ = OP_UPTO + repeat_type;
-          PUT2INC(code, 0, repeat_max);
-          }
-        }
-
-      /* A repeat minimum of 1 is optimized into some special cases. If the
-      maximum is unlimited, we use OP_PLUS. Otherwise, the original item is
-      left in place and, if the maximum is greater than 1, we use OP_UPTO with
-      one less than the maximum. */
-
-      else if (repeat_min == 1)
-        {
-        if (repeat_max == -1)
-          *code++ = OP_PLUS + repeat_type;
-        else
-          {
-          code = oldcode;                 /* leave previous item in place */
-          if (repeat_max == 1) goto END_REPEAT;
-          *code++ = OP_UPTO + repeat_type;
-          PUT2INC(code, 0, repeat_max - 1);
-          }
-        }
-
-      /* The case {n,n} is just an EXACT, while the general case {n,m} is
-      handled as an EXACT followed by an UPTO. */
-
-      else
-        {
-        *code++ = OP_EXACT + op_type;  /* NB EXACT doesn't have repeat_type */
-        PUT2INC(code, 0, repeat_min);
-
-        /* If the maximum is unlimited, insert an OP_STAR. Before doing so,
-        we have to insert the character for the previous code. For a repeated
-        Unicode property match, there are two extra bytes that define the
-        required property. In UTF-8 mode, long characters have their length in
-        c, with the UTF_LENGTH bit as a flag. */
-
-        if (repeat_max < 0)
-          {
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-          if (utf && (c & UTF_LENGTH) != 0)
-            {
-            memcpy(code, utf_chars, IN_UCHARS(c & 7));
-            code += c & 7;
-            }
-          else
-#endif
-            {
-            *code++ = c;
-            if (prop_type >= 0)
-              {
-              *code++ = prop_type;
-              *code++ = prop_value;
-              }
-            }
-          *code++ = OP_STAR + repeat_type;
-          }
-
-        /* Else insert an UPTO if the max is greater than the min, again
-        preceded by the character, for the previously inserted code. If the
-        UPTO is just for 1 instance, we can use QUERY instead. */
-
-        else if (repeat_max != repeat_min)
-          {
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-          if (utf && (c & UTF_LENGTH) != 0)
-            {
-            memcpy(code, utf_chars, IN_UCHARS(c & 7));
-            code += c & 7;
-            }
-          else
-#endif
-          *code++ = c;
-          if (prop_type >= 0)
-            {
-            *code++ = prop_type;
-            *code++ = prop_value;
-            }
-          repeat_max -= repeat_min;
-
-          if (repeat_max == 1)
-            {
-            *code++ = OP_QUERY + repeat_type;
-            }
-          else
-            {
-            *code++ = OP_UPTO + repeat_type;
-            PUT2INC(code, 0, repeat_max);
-            }
-          }
-        }
-
-      /* The character or character type itself comes last in all cases. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-      if (utf && (c & UTF_LENGTH) != 0)
-        {
-        memcpy(code, utf_chars, IN_UCHARS(c & 7));
-        code += c & 7;
-        }
-      else
-#endif
-      *code++ = c;
-
-      /* For a repeated Unicode property match, there are two extra bytes that
-      define the required property. */
-
-#ifdef SUPPORT_UCP
-      if (prop_type >= 0)
-        {
-        *code++ = prop_type;
-        *code++ = prop_value;
-        }
-#endif
-      }
-
-    /* If previous was a character class or a back reference, we put the repeat
-    stuff after it, but just skip the item if the repeat was {0,0}. */
-
-    else if (*previous == OP_CLASS || *previous == OP_NCLASS ||
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-             *previous == OP_XCLASS ||
-#endif
-             *previous == OP_REF   || *previous == OP_REFI ||
-             *previous == OP_DNREF || *previous == OP_DNREFI)
-      {
-      if (repeat_max == 0)
-        {
-        code = previous;
-        goto END_REPEAT;
-        }
-
-      if (repeat_min == 0 && repeat_max == -1)
-        *code++ = OP_CRSTAR + repeat_type;
-      else if (repeat_min == 1 && repeat_max == -1)
-        *code++ = OP_CRPLUS + repeat_type;
-      else if (repeat_min == 0 && repeat_max == 1)
-        *code++ = OP_CRQUERY + repeat_type;
-      else
-        {
-        *code++ = OP_CRRANGE + repeat_type;
-        PUT2INC(code, 0, repeat_min);
-        if (repeat_max == -1) repeat_max = 0;  /* 2-byte encoding for max */
-        PUT2INC(code, 0, repeat_max);
-        }
-      }
-
-    /* If previous was a bracket group, we may have to replicate it in certain
-    cases. Note that at this point we can encounter only the "basic" bracket
-    opcodes such as BRA and CBRA, as this is the place where they get converted
-    into the more special varieties such as BRAPOS and SBRA. A test for >=
-    OP_ASSERT and <= OP_COND includes ASSERT, ASSERT_NOT, ASSERTBACK,
-    ASSERTBACK_NOT, ONCE, ONCE_NC, BRA, BRAPOS, CBRA, CBRAPOS, and COND.
-    Originally, PCRE did not allow repetition of assertions, but now it does,
-    for Perl compatibility. */
-
-    else if (*previous >= OP_ASSERT && *previous <= OP_COND)
-      {
-      register int i;
-      int len = (int)(code - previous);
-      size_t base_hwm_offset = item_hwm_offset;
-      pcre_uchar *bralink = NULL;
-      pcre_uchar *brazeroptr = NULL;
-
-      /* Repeating a DEFINE group is pointless, but Perl allows the syntax, so
-      we just ignore the repeat. */
-
-      if (*previous == OP_COND && previous[LINK_SIZE+1] == OP_DEF)
-        goto END_REPEAT;
-
-      /* There is no sense in actually repeating assertions. The only potential
-      use of repetition is in cases when the assertion is optional. Therefore,
-      if the minimum is greater than zero, just ignore the repeat. If the
-      maximum is not zero or one, set it to 1. */
-
-      if (*previous < OP_ONCE)    /* Assertion */
-        {
-        if (repeat_min > 0) goto END_REPEAT;
-        if (repeat_max < 0 || repeat_max > 1) repeat_max = 1;
-        }
-
-      /* The case of a zero minimum is special because of the need to stick
-      OP_BRAZERO in front of it, and because the group appears once in the
-      data, whereas in other cases it appears the minimum number of times. For
-      this reason, it is simplest to treat this case separately, as otherwise
-      the code gets far too messy. There are several special subcases when the
-      minimum is zero. */
-
-      if (repeat_min == 0)
-        {
-        /* If the maximum is also zero, we used to just omit the group from the
-        output altogether, like this:
-
-        ** if (repeat_max == 0)
-        **   {
-        **   code = previous;
-        **   goto END_REPEAT;
-        **   }
-
-        However, that fails when a group or a subgroup within it is referenced
-        as a subroutine from elsewhere in the pattern, so now we stick in
-        OP_SKIPZERO in front of it so that it is skipped on execution. As we
-        don't have a list of which groups are referenced, we cannot do this
-        selectively.
-
-        If the maximum is 1 or unlimited, we just have to stick in the BRAZERO
-        and do no more at this point. However, we do need to adjust any
-        OP_RECURSE calls inside the group that refer to the group itself or any
-        internal or forward referenced group, because the offset is from the
-        start of the whole regex. Temporarily terminate the pattern while doing
-        this. */
-
-        if (repeat_max <= 1)    /* Covers 0, 1, and unlimited */
-          {
-          *code = OP_END;
-          adjust_recurse(previous, 1, utf, cd, item_hwm_offset);
-          memmove(previous + 1, previous, IN_UCHARS(len));
-          code++;
-          if (repeat_max == 0)
-            {
-            *previous++ = OP_SKIPZERO;
-            goto END_REPEAT;
-            }
-          brazeroptr = previous;    /* Save for possessive optimizing */
-          *previous++ = OP_BRAZERO + repeat_type;
-          }
-
-        /* If the maximum is greater than 1 and limited, we have to replicate
-        in a nested fashion, sticking OP_BRAZERO before each set of brackets.
-        The first one has to be handled carefully because it's the original
-        copy, which has to be moved up. The remainder can be handled by code
-        that is common with the non-zero minimum case below. We have to
-        adjust the value or repeat_max, since one less copy is required. Once
-        again, we may have to adjust any OP_RECURSE calls inside the group. */
-
-        else
-          {
-          int offset;
-          *code = OP_END;
-          adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, item_hwm_offset);
-          memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
-          code += 2 + LINK_SIZE;
-          *previous++ = OP_BRAZERO + repeat_type;
-          *previous++ = OP_BRA;
-
-          /* We chain together the bracket offset fields that have to be
-          filled in later when the ends of the brackets are reached. */
-
-          offset = (bralink == NULL)? 0 : (int)(previous - bralink);
-          bralink = previous;
-          PUTINC(previous, 0, offset);
-          }
-
-        repeat_max--;
-        }
-
-      /* If the minimum is greater than zero, replicate the group as many
-      times as necessary, and adjust the maximum to the number of subsequent
-      copies that we need. If we set a first char from the group, and didn't
-      set a required char, copy the latter from the former. If there are any
-      forward reference subroutine calls in the group, there will be entries on
-      the workspace list; replicate these with an appropriate increment. */
-
-      else
-        {
-        if (repeat_min > 1)
-          {
-          /* In the pre-compile phase, we don't actually do the replication. We
-          just adjust the length as if we had. Do some paranoid checks for
-          potential integer overflow. The INT64_OR_DOUBLE type is a 64-bit
-          integer type when available, otherwise double. */
-
-          if (lengthptr != NULL)
-            {
-            int delta = (repeat_min - 1)*length_prevgroup;
-            if ((INT64_OR_DOUBLE)(repeat_min - 1)*
-                  (INT64_OR_DOUBLE)length_prevgroup >
-                    (INT64_OR_DOUBLE)INT_MAX ||
-                OFLOW_MAX - *lengthptr < delta)
-              {
-              *errorcodeptr = ERR20;
-              goto FAILED;
-              }
-            *lengthptr += delta;
-            }
-
-          /* This is compiling for real. If there is a set first byte for
-          the group, and we have not yet set a "required byte", set it. Make
-          sure there is enough workspace for copying forward references before
-          doing the copy. */
-
-          else
-            {
-            if (groupsetfirstchar && reqcharflags < 0)
-              {
-              reqchar = firstchar;
-              reqcharflags = firstcharflags;
-              }
-
-            for (i = 1; i < repeat_min; i++)
-              {
-              pcre_uchar *hc;
-              size_t this_hwm_offset = cd->hwm - cd->start_workspace;
-              memcpy(code, previous, IN_UCHARS(len));
-
-              while (cd->hwm > cd->start_workspace + cd->workspace_size -
-                     WORK_SIZE_SAFETY_MARGIN -
-                     (this_hwm_offset - base_hwm_offset))
-                {
-                *errorcodeptr = expand_workspace(cd);
-                if (*errorcodeptr != 0) goto FAILED;
-                }
-
-              for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset;
-                   hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
-                   hc += LINK_SIZE)
-                {
-                PUT(cd->hwm, 0, GET(hc, 0) + len);
-                cd->hwm += LINK_SIZE;
-                }
-              base_hwm_offset = this_hwm_offset;
-              code += len;
-              }
-            }
-          }
-
-        if (repeat_max > 0) repeat_max -= repeat_min;
-        }
-
-      /* This code is common to both the zero and non-zero minimum cases. If
-      the maximum is limited, it replicates the group in a nested fashion,
-      remembering the bracket starts on a stack. In the case of a zero minimum,
-      the first one was set up above. In all cases the repeat_max now specifies
-      the number of additional copies needed. Again, we must remember to
-      replicate entries on the forward reference list. */
-
-      if (repeat_max >= 0)
-        {
-        /* In the pre-compile phase, we don't actually do the replication. We
-        just adjust the length as if we had. For each repetition we must add 1
-        to the length for BRAZERO and for all but the last repetition we must
-        add 2 + 2*LINKSIZE to allow for the nesting that occurs. Do some
-        paranoid checks to avoid integer overflow. The INT64_OR_DOUBLE type is
-        a 64-bit integer type when available, otherwise double. */
-
-        if (lengthptr != NULL && repeat_max > 0)
-          {
-          int delta = repeat_max * (length_prevgroup + 1 + 2 + 2*LINK_SIZE) -
-                      2 - 2*LINK_SIZE;   /* Last one doesn't nest */
-          if ((INT64_OR_DOUBLE)repeat_max *
-                (INT64_OR_DOUBLE)(length_prevgroup + 1 + 2 + 2*LINK_SIZE)
-                  > (INT64_OR_DOUBLE)INT_MAX ||
-              OFLOW_MAX - *lengthptr < delta)
-            {
-            *errorcodeptr = ERR20;
-            goto FAILED;
-            }
-          *lengthptr += delta;
-          }
-
-        /* This is compiling for real */
-
-        else for (i = repeat_max - 1; i >= 0; i--)
-          {
-          pcre_uchar *hc;
-          size_t this_hwm_offset = cd->hwm - cd->start_workspace;
-
-          *code++ = OP_BRAZERO + repeat_type;
-
-          /* All but the final copy start a new nesting, maintaining the
-          chain of brackets outstanding. */
-
-          if (i != 0)
-            {
-            int offset;
-            *code++ = OP_BRA;
-            offset = (bralink == NULL)? 0 : (int)(code - bralink);
-            bralink = code;
-            PUTINC(code, 0, offset);
-            }
-
-          memcpy(code, previous, IN_UCHARS(len));
-
-          /* Ensure there is enough workspace for forward references before
-          copying them. */
-
-          while (cd->hwm > cd->start_workspace + cd->workspace_size -
-                 WORK_SIZE_SAFETY_MARGIN -
-                 (this_hwm_offset - base_hwm_offset))
-            {
-            *errorcodeptr = expand_workspace(cd);
-            if (*errorcodeptr != 0) goto FAILED;
-            }
-
-          for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset;
-               hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
-               hc += LINK_SIZE)
-            {
-            PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
-            cd->hwm += LINK_SIZE;
-            }
-          base_hwm_offset = this_hwm_offset;
-          code += len;
-          }
-
-        /* Now chain through the pending brackets, and fill in their length
-        fields (which are holding the chain links pro tem). */
-
-        while (bralink != NULL)
-          {
-          int oldlinkoffset;
-          int offset = (int)(code - bralink + 1);
-          pcre_uchar *bra = code - offset;
-          oldlinkoffset = GET(bra, 1);
-          bralink = (oldlinkoffset == 0)? NULL : bralink - oldlinkoffset;
-          *code++ = OP_KET;
-          PUTINC(code, 0, offset);
-          PUT(bra, 1, offset);
-          }
-        }
-
-      /* If the maximum is unlimited, set a repeater in the final copy. For
-      ONCE brackets, that's all we need to do. However, possessively repeated
-      ONCE brackets can be converted into non-capturing brackets, as the
-      behaviour of (?:xx)++ is the same as (?>xx)++ and this saves having to
-      deal with possessive ONCEs specially.
-
-      Otherwise, when we are doing the actual compile phase, check to see
-      whether this group is one that could match an empty string. If so,
-      convert the initial operator to the S form (e.g. OP_BRA -> OP_SBRA) so
-      that runtime checking can be done. [This check is also applied to ONCE
-      groups at runtime, but in a different way.]
-
-      Then, if the quantifier was possessive and the bracket is not a
-      conditional, we convert the BRA code to the POS form, and the KET code to
-      KETRPOS. (It turns out to be convenient at runtime to detect this kind of
-      subpattern at both the start and at the end.) The use of special opcodes
-      makes it possible to reduce greatly the stack usage in pcre_exec(). If
-      the group is preceded by OP_BRAZERO, convert this to OP_BRAPOSZERO.
-
-      Then, if the minimum number of matches is 1 or 0, cancel the possessive
-      flag so that the default action below, of wrapping everything inside
-      atomic brackets, does not happen. When the minimum is greater than 1,
-      there will be earlier copies of the group, and so we still have to wrap
-      the whole thing. */
-
-      else
-        {
-        pcre_uchar *ketcode = code - 1 - LINK_SIZE;
-        pcre_uchar *bracode = ketcode - GET(ketcode, 1);
-
-        /* Convert possessive ONCE brackets to non-capturing */
-
-        if ((*bracode == OP_ONCE || *bracode == OP_ONCE_NC) &&
-            possessive_quantifier) *bracode = OP_BRA;
-
-        /* For non-possessive ONCE brackets, all we need to do is to
-        set the KET. */
-
-        if (*bracode == OP_ONCE || *bracode == OP_ONCE_NC)
-          *ketcode = OP_KETRMAX + repeat_type;
-
-        /* Handle non-ONCE brackets and possessive ONCEs (which have been
-        converted to non-capturing above). */
-
-        else
-          {
-          /* In the compile phase, check for empty string matching. */
-
-          if (lengthptr == NULL)
-            {
-            pcre_uchar *scode = bracode;
-            do
-              {
-              if (could_be_empty_branch(scode, ketcode, utf, cd, NULL))
-                {
-                *bracode += OP_SBRA - OP_BRA;
-                break;
-                }
-              scode += GET(scode, 1);
-              }
-            while (*scode == OP_ALT);
-            }
-
-          /* A conditional group with only one branch has an implicit empty
-          alternative branch. */
-
-          if (*bracode == OP_COND && bracode[GET(bracode,1)] != OP_ALT)
-            *bracode = OP_SCOND;
-
-          /* Handle possessive quantifiers. */
-
-          if (possessive_quantifier)
-            {
-            /* For COND brackets, we wrap the whole thing in a possessively
-            repeated non-capturing bracket, because we have not invented POS
-            versions of the COND opcodes. Because we are moving code along, we
-            must ensure that any pending recursive references are updated. */
-
-            if (*bracode == OP_COND || *bracode == OP_SCOND)
-              {
-              int nlen = (int)(code - bracode);
-              *code = OP_END;
-              adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
-              memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
-              code += 1 + LINK_SIZE;
-              nlen += 1 + LINK_SIZE;
-              *bracode = (*bracode == OP_COND)? OP_BRAPOS : OP_SBRAPOS;
-              *code++ = OP_KETRPOS;
-              PUTINC(code, 0, nlen);
-              PUT(bracode, 1, nlen);
-              }
-
-            /* For non-COND brackets, we modify the BRA code and use KETRPOS. */
-
-            else
-              {
-              *bracode += 1;              /* Switch to xxxPOS opcodes */
-              *ketcode = OP_KETRPOS;
-              }
-
-            /* If the minimum is zero, mark it as possessive, then unset the
-            possessive flag when the minimum is 0 or 1. */
-
-            if (brazeroptr != NULL) *brazeroptr = OP_BRAPOSZERO;
-            if (repeat_min < 2) possessive_quantifier = FALSE;
-            }
-
-          /* Non-possessive quantifier */
-
-          else *ketcode = OP_KETRMAX + repeat_type;
-          }
-        }
-      }
-
-    /* If previous is OP_FAIL, it was generated by an empty class [] in
-    JavaScript mode. The other ways in which OP_FAIL can be generated, that is
-    by (*FAIL) or (?!) set previous to NULL, which gives a "nothing to repeat"
-    error above. We can just ignore the repeat in JS case. */
-
-    else if (*previous == OP_FAIL) goto END_REPEAT;
-
-    /* Else there's some kind of shambles */
-
-    else
-      {
-      *errorcodeptr = ERR11;
-      goto FAILED;
-      }
-
-    /* If the character following a repeat is '+', possessive_quantifier is
-    TRUE. For some opcodes, there are special alternative opcodes for this
-    case. For anything else, we wrap the entire repeated item inside OP_ONCE
-    brackets. Logically, the '+' notation is just syntactic sugar, taken from
-    Sun's Java package, but the special opcodes can optimize it.
-
-    Some (but not all) possessively repeated subpatterns have already been
-    completely handled in the code just above. For them, possessive_quantifier
-    is always FALSE at this stage. Note that the repeated item starts at
-    tempcode, not at previous, which might be the first part of a string whose
-    (former) last char we repeated. */
-
-    if (possessive_quantifier)
-      {
-      int len;
-
-      /* Possessifying an EXACT quantifier has no effect, so we can ignore it.
-      However, QUERY, STAR, or UPTO may follow (for quantifiers such as {5,6},
-      {5,}, or {5,10}). We skip over an EXACT item; if the length of what
-      remains is greater than zero, there's a further opcode that can be
-      handled. If not, do nothing, leaving the EXACT alone. */
-
-      switch(*tempcode)
-        {
-        case OP_TYPEEXACT:
-        tempcode += PRIV(OP_lengths)[*tempcode] +
-          ((tempcode[1 + IMM2_SIZE] == OP_PROP
-          || tempcode[1 + IMM2_SIZE] == OP_NOTPROP)? 2 : 0);
-        break;
-
-        /* CHAR opcodes are used for exacts whose count is 1. */
-
-        case OP_CHAR:
-        case OP_CHARI:
-        case OP_NOT:
-        case OP_NOTI:
-        case OP_EXACT:
-        case OP_EXACTI:
-        case OP_NOTEXACT:
-        case OP_NOTEXACTI:
-        tempcode += PRIV(OP_lengths)[*tempcode];
-#ifdef SUPPORT_UTF
-        if (utf && HAS_EXTRALEN(tempcode[-1]))
-          tempcode += GET_EXTRALEN(tempcode[-1]);
-#endif
-        break;
-
-        /* For the class opcodes, the repeat operator appears at the end;
-        adjust tempcode to point to it. */
-
-        case OP_CLASS:
-        case OP_NCLASS:
-        tempcode += 1 + 32/sizeof(pcre_uchar);
-        break;
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-        case OP_XCLASS:
-        tempcode += GET(tempcode, 1);
-        break;
-#endif
-        }
-
-      /* If tempcode is equal to code (which points to the end of the repeated
-      item), it means we have skipped an EXACT item but there is no following
-      QUERY, STAR, or UPTO; the value of len will be 0, and we do nothing. In
-      all other cases, tempcode will be pointing to the repeat opcode, and will
-      be less than code, so the value of len will be greater than 0. */
-
-      len = (int)(code - tempcode);
-      if (len > 0)
-        {
-        unsigned int repcode = *tempcode;
-
-        /* There is a table for possessifying opcodes, all of which are less
-        than OP_CALLOUT. A zero entry means there is no possessified version.
-        */
-
-        if (repcode < OP_CALLOUT && opcode_possessify[repcode] > 0)
-          *tempcode = opcode_possessify[repcode];
-
-        /* For opcode without a special possessified version, wrap the item in
-        ONCE brackets. Because we are moving code along, we must ensure that any
-        pending recursive references are updated. */
-
-        else
-          {
-          *code = OP_END;
-          adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
-          memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
-          code += 1 + LINK_SIZE;
-          len += 1 + LINK_SIZE;
-          tempcode[0] = OP_ONCE;
-          *code++ = OP_KET;
-          PUTINC(code, 0, len);
-          PUT(tempcode, 1, len);
-          }
-        }
-
-#ifdef NEVER
-      if (len > 0) switch (*tempcode)
-        {
-        case OP_STAR:  *tempcode = OP_POSSTAR; break;
-        case OP_PLUS:  *tempcode = OP_POSPLUS; break;
-        case OP_QUERY: *tempcode = OP_POSQUERY; break;
-        case OP_UPTO:  *tempcode = OP_POSUPTO; break;
-
-        case OP_STARI:  *tempcode = OP_POSSTARI; break;
-        case OP_PLUSI:  *tempcode = OP_POSPLUSI; break;
-        case OP_QUERYI: *tempcode = OP_POSQUERYI; break;
-        case OP_UPTOI:  *tempcode = OP_POSUPTOI; break;
-
-        case OP_NOTSTAR:  *tempcode = OP_NOTPOSSTAR; break;
-        case OP_NOTPLUS:  *tempcode = OP_NOTPOSPLUS; break;
-        case OP_NOTQUERY: *tempcode = OP_NOTPOSQUERY; break;
-        case OP_NOTUPTO:  *tempcode = OP_NOTPOSUPTO; break;
-
-        case OP_NOTSTARI:  *tempcode = OP_NOTPOSSTARI; break;
-        case OP_NOTPLUSI:  *tempcode = OP_NOTPOSPLUSI; break;
-        case OP_NOTQUERYI: *tempcode = OP_NOTPOSQUERYI; break;
-        case OP_NOTUPTOI:  *tempcode = OP_NOTPOSUPTOI; break;
-
-        case OP_TYPESTAR:  *tempcode = OP_TYPEPOSSTAR; break;
-        case OP_TYPEPLUS:  *tempcode = OP_TYPEPOSPLUS; break;
-        case OP_TYPEQUERY: *tempcode = OP_TYPEPOSQUERY; break;
-        case OP_TYPEUPTO:  *tempcode = OP_TYPEPOSUPTO; break;
-
-        case OP_CRSTAR:   *tempcode = OP_CRPOSSTAR; break;
-        case OP_CRPLUS:   *tempcode = OP_CRPOSPLUS; break;
-        case OP_CRQUERY:  *tempcode = OP_CRPOSQUERY; break;
-        case OP_CRRANGE:  *tempcode = OP_CRPOSRANGE; break;
-
-        /* Because we are moving code along, we must ensure that any
-        pending recursive references are updated. */
-
-        default:
-        *code = OP_END;
-        adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
-        memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
-        code += 1 + LINK_SIZE;
-        len += 1 + LINK_SIZE;
-        tempcode[0] = OP_ONCE;
-        *code++ = OP_KET;
-        PUTINC(code, 0, len);
-        PUT(tempcode, 1, len);
-        break;
-        }
-#endif
-      }
-
-    /* In all case we no longer have a previous item. We also set the
-    "follows varying string" flag for subsequently encountered reqchars if
-    it isn't already set and we have just passed a varying length item. */
-
-    END_REPEAT:
-    previous = NULL;
-    cd->req_varyopt |= reqvary;
-    break;
-
-
-    /* ===================================================================*/
-    /* Start of nested parenthesized sub-expression, or comment or lookahead or
-    lookbehind or option setting or condition or all the other extended
-    parenthesis forms.  */
-
-    case CHAR_LEFT_PARENTHESIS:
-    ptr++;
-
-    /* Now deal with various "verbs" that can be introduced by '*'. */
-
-    if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
-         || (MAX_255(ptr[1]) && ((cd->ctypes[ptr[1]] & ctype_letter) != 0))))
-      {
-      int i, namelen;
-      int arglen = 0;
-      const char *vn = verbnames;
-      const pcre_uchar *name = ptr + 1;
-      const pcre_uchar *arg = NULL;
-      previous = NULL;
-      ptr++;
-      while (MAX_255(*ptr) && (cd->ctypes[*ptr] & ctype_letter) != 0) ptr++;
-      namelen = (int)(ptr - name);
-
-      /* It appears that Perl allows any characters whatsoever, other than
-      a closing parenthesis, to appear in arguments, so we no longer insist on
-      letters, digits, and underscores. */
-
-      if (*ptr == CHAR_COLON)
-        {
-        arg = ++ptr;
-        while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
-        arglen = (int)(ptr - arg);
-        if ((unsigned int)arglen > MAX_MARK)
-          {
-          *errorcodeptr = ERR75;
-          goto FAILED;
-          }
-        }
-
-      if (*ptr != CHAR_RIGHT_PARENTHESIS)
-        {
-        *errorcodeptr = ERR60;
-        goto FAILED;
-        }
-
-      /* Scan the table of verb names */
-
-      for (i = 0; i < verbcount; i++)
-        {
-        if (namelen == verbs[i].len &&
-            STRNCMP_UC_C8(name, vn, namelen) == 0)
-          {
-          int setverb;
-
-          /* Check for open captures before ACCEPT and convert it to
-          ASSERT_ACCEPT if in an assertion. */
-
-          if (verbs[i].op == OP_ACCEPT)
-            {
-            open_capitem *oc;
-            if (arglen != 0)
-              {
-              *errorcodeptr = ERR59;
-              goto FAILED;
-              }
-            cd->had_accept = TRUE;
-            for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-              {
-              if (lengthptr != NULL)
-                {
-#ifdef COMPILE_PCRE8
-                *lengthptr += 1 + IMM2_SIZE;
-#elif defined COMPILE_PCRE16
-                *lengthptr += 2 + IMM2_SIZE;
-#elif defined COMPILE_PCRE32
-                *lengthptr += 4 + IMM2_SIZE;
-#endif
-                }
-              else
-                {
-                *code++ = OP_CLOSE;
-                PUT2INC(code, 0, oc->number);
-                }
-              }
-            setverb = *code++ =
-              (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
-
-            /* Do not set firstchar after *ACCEPT */
-            if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-            }
-
-          /* Handle other cases with/without an argument */
-
-          else if (arglen == 0)
-            {
-            if (verbs[i].op < 0)   /* Argument is mandatory */
-              {
-              *errorcodeptr = ERR66;
-              goto FAILED;
-              }
-            setverb = *code++ = verbs[i].op;
-            }
-
-          else
-            {
-            if (verbs[i].op_arg < 0)   /* Argument is forbidden */
-              {
-              *errorcodeptr = ERR59;
-              goto FAILED;
-              }
-            setverb = *code++ = verbs[i].op_arg;
-            if (lengthptr != NULL)    /* In pass 1 just add in the length */
-              {                       /* to avoid potential workspace */
-              *lengthptr += arglen;   /* overflow. */
-              *code++ = 0;
-              }
-            else
-              {
-              *code++ = arglen;
-              memcpy(code, arg, IN_UCHARS(arglen));
-              code += arglen;
-              }
-            *code++ = 0;
-            }
-
-          switch (setverb)
-            {
-            case OP_THEN:
-            case OP_THEN_ARG:
-            cd->external_flags |= PCRE_HASTHEN;
-            break;
-
-            case OP_PRUNE:
-            case OP_PRUNE_ARG:
-            case OP_SKIP:
-            case OP_SKIP_ARG:
-            cd->had_pruneorskip = TRUE;
-            break;
-            }
-
-          break;  /* Found verb, exit loop */
-          }
-
-        vn += verbs[i].len + 1;
-        }
-
-      if (i < verbcount) continue;    /* Successfully handled a verb */
-      *errorcodeptr = ERR60;          /* Verb not recognized */
-      goto FAILED;
-      }
-
-    /* Initialize for "real" parentheses */
-
-    newoptions = options;
-    skipbytes = 0;
-    bravalue = OP_CBRA;
-    item_hwm_offset = cd->hwm - cd->start_workspace;
-    reset_bracount = FALSE;
-
-    /* Deal with the extended parentheses; all are introduced by '?', and the
-    appearance of any of them means that this is not a capturing group. */
-
-    if (*ptr == CHAR_QUESTION_MARK)
-      {
-      int i, set, unset, namelen;
-      int *optset;
-      const pcre_uchar *name;
-      pcre_uchar *slot;
-
-      switch (*(++ptr))
-        {
-        /* ------------------------------------------------------------ */
-        case CHAR_VERTICAL_LINE:  /* Reset capture count for each branch */
-        reset_bracount = TRUE;
-        cd->dupgroups = TRUE;     /* Record (?| encountered */
-        /* Fall through */
-
-        /* ------------------------------------------------------------ */
-        case CHAR_COLON:          /* Non-capturing bracket */
-        bravalue = OP_BRA;
-        ptr++;
-        break;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_LEFT_PARENTHESIS:
-        bravalue = OP_COND;       /* Conditional group */
-        tempptr = ptr;
-
-        /* A condition can be an assertion, a number (referring to a numbered
-        group's having been set), a name (referring to a named group), or 'R',
-        referring to recursion. R and R&name are also permitted for
-        recursion tests.
-
-        There are ways of testing a named group: (?(name)) is used by Python;
-        Perl 5.10 onwards uses (?() or (?('name')).
-
-        There is one unfortunate ambiguity, caused by history. 'R' can be the
-        recursive thing or the name 'R' (and similarly for 'R' followed by
-        digits). We look for a name first; if not found, we try the other case.
-
-        For compatibility with auto-callouts, we allow a callout to be
-        specified before a condition that is an assertion. First, check for the
-        syntax of a callout; if found, adjust the temporary pointer that is
-        used to check for an assertion condition. That's all that is needed! */
-
-        if (ptr[1] == CHAR_QUESTION_MARK && ptr[2] == CHAR_C)
-          {
-          for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
-          if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
-            tempptr += i + 1;
-
-          /* tempptr should now be pointing to the opening parenthesis of the
-          assertion condition. */
-
-          if (*tempptr != CHAR_LEFT_PARENTHESIS)
-            {
-            *errorcodeptr = ERR28;
-            goto FAILED;
-            }
-          }
-
-        /* For conditions that are assertions, check the syntax, and then exit
-        the switch. This will take control down to where bracketed groups,
-        including assertions, are processed. */
-
-        if (tempptr[1] == CHAR_QUESTION_MARK &&
-              (tempptr[2] == CHAR_EQUALS_SIGN ||
-               tempptr[2] == CHAR_EXCLAMATION_MARK ||
-                 (tempptr[2] == CHAR_LESS_THAN_SIGN &&
-                   (tempptr[3] == CHAR_EQUALS_SIGN ||
-                    tempptr[3] == CHAR_EXCLAMATION_MARK))))
-          {
-          cd->iscondassert = TRUE;
-          break;
-          }
-
-        /* Other conditions use OP_CREF/OP_DNCREF/OP_RREF/OP_DNRREF, and all
-        need to skip at least 1+IMM2_SIZE bytes at the start of the group. */
-
-        code[1+LINK_SIZE] = OP_CREF;
-        skipbytes = 1+IMM2_SIZE;
-        refsign = -1;     /* => not a number */
-        namelen = -1;     /* => not a name; must set to avoid warning */
-        name = NULL;      /* Always set to avoid warning */
-        recno = 0;        /* Always set to avoid warning */
-
-        /* Check for a test for recursion in a named group. */
-
-        ptr++;
-        if (*ptr == CHAR_R && ptr[1] == CHAR_AMPERSAND)
-          {
-          terminator = -1;
-          ptr += 2;
-          code[1+LINK_SIZE] = OP_RREF;    /* Change the type of test */
-          }
-
-        /* Check for a test for a named group's having been set, using the Perl
-        syntax (?() or (?('name'), and also allow for the original PCRE
-        syntax of (?(name) or for (?(+n), (?(-n), and just (?(n). */
-
-        else if (*ptr == CHAR_LESS_THAN_SIGN)
-          {
-          terminator = CHAR_GREATER_THAN_SIGN;
-          ptr++;
-          }
-        else if (*ptr == CHAR_APOSTROPHE)
-          {
-          terminator = CHAR_APOSTROPHE;
-          ptr++;
-          }
-        else
-          {
-          terminator = CHAR_NULL;
-          if (*ptr == CHAR_MINUS || *ptr == CHAR_PLUS) refsign = *ptr++;
-            else if (IS_DIGIT(*ptr)) refsign = 0;
-          }
-
-        /* Handle a number */
-
-        if (refsign >= 0)
-          {
-          while (IS_DIGIT(*ptr))
-            {
-            if (recno > INT_MAX / 10 - 1)  /* Integer overflow */
-              {
-              while (IS_DIGIT(*ptr)) ptr++;
-              *errorcodeptr = ERR61;
-              goto FAILED;
-              }
-            recno = recno * 10 + (int)(*ptr - CHAR_0);
-            ptr++;
-            }
-          }
-
-        /* Otherwise we expect to read a name; anything else is an error. When
-        a name is one of a number of duplicates, a different opcode is used and
-        it needs more memory. Unfortunately we cannot tell whether a name is a
-        duplicate in the first pass, so we have to allow for more memory. */
-
-        else
-          {
-          if (IS_DIGIT(*ptr))
-            {
-            *errorcodeptr = ERR84;
-            goto FAILED;
-            }
-          if (!MAX_255(*ptr) || (cd->ctypes[*ptr] & ctype_word) == 0)
-            {
-            *errorcodeptr = ERR28;   /* Assertion expected */
-            goto FAILED;
-            }
-          name = ptr++;
-          while (MAX_255(*ptr) && (cd->ctypes[*ptr] & ctype_word) != 0)
-            {
-            ptr++;
-            }
-          namelen = (int)(ptr - name);
-          if (lengthptr != NULL) skipbytes += IMM2_SIZE;
-          }
-
-        /* Check the terminator */
-
-        if ((terminator > 0 && *ptr++ != (pcre_uchar)terminator) ||
-            *ptr++ != CHAR_RIGHT_PARENTHESIS)
-          {
-          ptr--;                  /* Error offset */
-          *errorcodeptr = ERR26;  /* Malformed number or name */
-          goto FAILED;
-          }
-
-        /* Do no further checking in the pre-compile phase. */
-
-        if (lengthptr != NULL) break;
-
-        /* In the real compile we do the work of looking for the actual
-        reference. If refsign is not negative, it means we have a number in
-        recno. */
-
-        if (refsign >= 0)
-          {
-          if (recno <= 0)
-            {
-            *errorcodeptr = ERR35;
-            goto FAILED;
-            }
-          if (refsign != 0) recno = (refsign == CHAR_MINUS)?
-            cd->bracount - recno + 1 : recno + cd->bracount;
-          if (recno <= 0 || recno > cd->final_bracount)
-            {
-            *errorcodeptr = ERR15;
-            goto FAILED;
-            }
-          PUT2(code, 2+LINK_SIZE, recno);
-          if (recno > cd->top_backref) cd->top_backref = recno;
-          break;
-          }
-
-        /* Otherwise look for the name. */
-
-        slot = cd->name_table;
-        for (i = 0; i < cd->names_found; i++)
-          {
-          if (STRNCMP_UC_UC(name, slot+IMM2_SIZE, namelen) == 0) break;
-          slot += cd->name_entry_size;
-          }
-
-        /* Found the named subpattern. If the name is duplicated, add one to
-        the opcode to change CREF/RREF into DNCREF/DNRREF and insert
-        appropriate data values. Otherwise, just insert the unique subpattern
-        number. */
-
-        if (i < cd->names_found)
-          {
-          int offset = i++;
-          int count = 1;
-          recno = GET2(slot, 0);   /* Number from first found */
-          if (recno > cd->top_backref) cd->top_backref = recno;
-          for (; i < cd->names_found; i++)
-            {
-            slot += cd->name_entry_size;
-            if (STRNCMP_UC_UC(name, slot+IMM2_SIZE, namelen) != 0 ||
-              (slot+IMM2_SIZE)[namelen] != 0) break;
-            count++;
-            }
-
-          if (count > 1)
-            {
-            PUT2(code, 2+LINK_SIZE, offset);
-            PUT2(code, 2+LINK_SIZE+IMM2_SIZE, count);
-            skipbytes += IMM2_SIZE;
-            code[1+LINK_SIZE]++;
-            }
-          else  /* Not a duplicated name */
-            {
-            PUT2(code, 2+LINK_SIZE, recno);
-            }
-          }
-
-        /* If terminator == CHAR_NULL it means that the name followed directly
-        after the opening parenthesis [e.g. (?(abc)...] and in this case there
-        are some further alternatives to try. For the cases where terminator !=
-        CHAR_NULL [things like (?(... or (?('name')... or (?(R&name)... ]
-        we have now checked all the possibilities, so give an error. */
-
-        else if (terminator != CHAR_NULL)
-          {
-          *errorcodeptr = ERR15;
-          goto FAILED;
-          }
-
-        /* Check for (?(R) for recursion. Allow digits after R to specify a
-        specific group number. */
-
-        else if (*name == CHAR_R)
-          {
-          recno = 0;
-          for (i = 1; i < namelen; i++)
-            {
-            if (!IS_DIGIT(name[i]))
-              {
-              *errorcodeptr = ERR15;
-              goto FAILED;
-              }
-            if (recno > INT_MAX / 10 - 1)   /* Integer overflow */
-              {
-              *errorcodeptr = ERR61;
-              goto FAILED;
-              }
-            recno = recno * 10 + name[i] - CHAR_0;
-            }
-          if (recno == 0) recno = RREF_ANY;
-          code[1+LINK_SIZE] = OP_RREF;      /* Change test type */
-          PUT2(code, 2+LINK_SIZE, recno);
-          }
-
-        /* Similarly, check for the (?(DEFINE) "condition", which is always
-        false. */
-
-        else if (namelen == 6 && STRNCMP_UC_C8(name, STRING_DEFINE, 6) == 0)
-          {
-          code[1+LINK_SIZE] = OP_DEF;
-          skipbytes = 1;
-          }
-
-        /* Reference to an unidentified subpattern. */
-
-        else
-          {
-          *errorcodeptr = ERR15;
-          goto FAILED;
-          }
-        break;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_EQUALS_SIGN:                 /* Positive lookahead */
-        bravalue = OP_ASSERT;
-        cd->assert_depth += 1;
-        ptr++;
-        break;
-
-        /* Optimize (?!) to (*FAIL) unless it is quantified - which is a weird
-        thing to do, but Perl allows all assertions to be quantified, and when
-        they contain capturing parentheses there may be a potential use for
-        this feature. Not that that applies to a quantified (?!) but we allow
-        it for uniformity. */
-
-        /* ------------------------------------------------------------ */
-        case CHAR_EXCLAMATION_MARK:            /* Negative lookahead */
-        ptr++;
-        if (*ptr == CHAR_RIGHT_PARENTHESIS && ptr[1] != CHAR_ASTERISK &&
-             ptr[1] != CHAR_PLUS && ptr[1] != CHAR_QUESTION_MARK &&
-            (ptr[1] != CHAR_LEFT_CURLY_BRACKET || !is_counted_repeat(ptr+2)))
-          {
-          *code++ = OP_FAIL;
-          previous = NULL;
-          continue;
-          }
-        bravalue = OP_ASSERT_NOT;
-        cd->assert_depth += 1;
-        break;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_LESS_THAN_SIGN:              /* Lookbehind or named define */
-        switch (ptr[1])
-          {
-          case CHAR_EQUALS_SIGN:               /* Positive lookbehind */
-          bravalue = OP_ASSERTBACK;
-          cd->assert_depth += 1;
-          ptr += 2;
-          break;
-
-          case CHAR_EXCLAMATION_MARK:          /* Negative lookbehind */
-          bravalue = OP_ASSERTBACK_NOT;
-          cd->assert_depth += 1;
-          ptr += 2;
-          break;
-
-          default:                /* Could be name define, else bad */
-          if (MAX_255(ptr[1]) && (cd->ctypes[ptr[1]] & ctype_word) != 0)
-            goto DEFINE_NAME;
-          ptr++;                  /* Correct offset for error */
-          *errorcodeptr = ERR24;
-          goto FAILED;
-          }
-        break;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_GREATER_THAN_SIGN:           /* One-time brackets */
-        bravalue = OP_ONCE;
-        ptr++;
-        break;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_C:                 /* Callout - may be followed by digits; */
-        previous_callout = code;     /* Save for later completion */
-        after_manual_callout = 1;    /* Skip one item before completing */
-        *code++ = OP_CALLOUT;
-          {
-          int n = 0;
-          ptr++;
-          while(IS_DIGIT(*ptr))
-            n = n * 10 + *ptr++ - CHAR_0;
-          if (*ptr != CHAR_RIGHT_PARENTHESIS)
-            {
-            *errorcodeptr = ERR39;
-            goto FAILED;
-            }
-          if (n > 255)
-            {
-            *errorcodeptr = ERR38;
-            goto FAILED;
-            }
-          *code++ = n;
-          PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
-          PUT(code, LINK_SIZE, 0);                          /* Default length */
-          code += 2 * LINK_SIZE;
-          }
-        previous = NULL;
-        continue;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_P:              /* Python-style named subpattern handling */
-        if (*(++ptr) == CHAR_EQUALS_SIGN ||
-            *ptr == CHAR_GREATER_THAN_SIGN)  /* Reference or recursion */
-          {
-          is_recurse = *ptr == CHAR_GREATER_THAN_SIGN;
-          terminator = CHAR_RIGHT_PARENTHESIS;
-          goto NAMED_REF_OR_RECURSE;
-          }
-        else if (*ptr != CHAR_LESS_THAN_SIGN)  /* Test for Python-style defn */
-          {
-          *errorcodeptr = ERR41;
-          goto FAILED;
-          }
-        /* Fall through to handle (?P< as (?< is handled */
-
-
-        /* ------------------------------------------------------------ */
-        DEFINE_NAME:    /* Come here from (?< handling */
-        case CHAR_APOSTROPHE:
-        terminator = (*ptr == CHAR_LESS_THAN_SIGN)?
-          CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
-        name = ++ptr;
-        if (IS_DIGIT(*ptr))
-          {
-          *errorcodeptr = ERR84;   /* Group name must start with non-digit */
-          goto FAILED;
-          }
-        while (MAX_255(*ptr) && (cd->ctypes[*ptr] & ctype_word) != 0) ptr++;
-        namelen = (int)(ptr - name);
-
-        /* In the pre-compile phase, do a syntax check, remember the longest
-        name, and then remember the group in a vector, expanding it if
-        necessary. Duplicates for the same number are skipped; other duplicates
-        are checked for validity. In the actual compile, there is nothing to
-        do. */
-
-        if (lengthptr != NULL)
-          {
-          named_group *ng;
-          pcre_uint32 number = cd->bracount + 1;
-
-          if (*ptr != (pcre_uchar)terminator)
-            {
-            *errorcodeptr = ERR42;
-            goto FAILED;
-            }
-
-          if (cd->names_found >= MAX_NAME_COUNT)
-            {
-            *errorcodeptr = ERR49;
-            goto FAILED;
-            }
-
-          if (namelen + IMM2_SIZE + 1 > cd->name_entry_size)
-            {
-            cd->name_entry_size = namelen + IMM2_SIZE + 1;
-            if (namelen > MAX_NAME_SIZE)
-              {
-              *errorcodeptr = ERR48;
-              goto FAILED;
-              }
-            }
-
-          /* Scan the list to check for duplicates. For duplicate names, if the
-          number is the same, break the loop, which causes the name to be
-          discarded; otherwise, if DUPNAMES is not set, give an error.
-          If it is set, allow the name with a different number, but continue
-          scanning in case this is a duplicate with the same number. For
-          non-duplicate names, give an error if the number is duplicated. */
-
-          ng = cd->named_groups;
-          for (i = 0; i < cd->names_found; i++, ng++)
-            {
-            if (namelen == ng->length &&
-                STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-              {
-              if (ng->number == number) break;
-              if ((options & PCRE_DUPNAMES) == 0)
-                {
-                *errorcodeptr = ERR43;
-                goto FAILED;
-                }
-              cd->dupnames = TRUE;  /* Duplicate names exist */
-              }
-            else if (ng->number == number)
-              {
-              *errorcodeptr = ERR65;
-              goto FAILED;
-              }
-            }
-
-          if (i >= cd->names_found)     /* Not a duplicate with same number */
-            {
-            /* Increase the list size if necessary */
-
-            if (cd->names_found >= cd->named_group_list_size)
-              {
-              int newsize = cd->named_group_list_size * 2;
-              named_group *newspace = (PUBL(malloc))
-                (newsize * sizeof(named_group));
-
-              if (newspace == NULL)
-                {
-                *errorcodeptr = ERR21;
-                goto FAILED;
-                }
-
-              memcpy(newspace, cd->named_groups,
-                cd->named_group_list_size * sizeof(named_group));
-              if (cd->named_group_list_size > NAMED_GROUP_LIST_SIZE)
-                (PUBL(free))((void *)cd->named_groups);
-              cd->named_groups = newspace;
-              cd->named_group_list_size = newsize;
-              }
-
-            cd->named_groups[cd->names_found].name = name;
-            cd->named_groups[cd->names_found].length = namelen;
-            cd->named_groups[cd->names_found].number = number;
-            cd->names_found++;
-            }
-          }
-
-        ptr++;                    /* Move past > or ' in both passes. */
-        goto NUMBERED_GROUP;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_AMPERSAND:            /* Perl recursion/subroutine syntax */
-        terminator = CHAR_RIGHT_PARENTHESIS;
-        is_recurse = TRUE;
-        /* Fall through */
-
-        /* We come here from the Python syntax above that handles both
-        references (?P=name) and recursion (?P>name), as well as falling
-        through from the Perl recursion syntax (?&name). We also come here from
-        the Perl \k or \k'name' back reference syntax and the \k{name}
-        .NET syntax, and the Oniguruma \g<...> and \g'...' subroutine syntax. */
-
-        NAMED_REF_OR_RECURSE:
-        name = ++ptr;
-        if (IS_DIGIT(*ptr))
-          {
-          *errorcodeptr = ERR84;   /* Group name must start with non-digit */
-          goto FAILED;
-          }
-        while (MAX_255(*ptr) && (cd->ctypes[*ptr] & ctype_word) != 0) ptr++;
-        namelen = (int)(ptr - name);
-
-        /* In the pre-compile phase, do a syntax check. We used to just set
-        a dummy reference number, because it was not used in the first pass.
-        However, with the change of recursive back references to be atomic,
-        we have to look for the number so that this state can be identified, as
-        otherwise the incorrect length is computed. If it's not a backwards
-        reference, the dummy number will do. */
-
-        if (lengthptr != NULL)
-          {
-          named_group *ng;
-          recno = 0;
-
-          if (namelen == 0)
-            {
-            *errorcodeptr = ERR62;
-            goto FAILED;
-            }
-          if (*ptr != (pcre_uchar)terminator)
-            {
-            *errorcodeptr = ERR42;
-            goto FAILED;
-            }
-          if (namelen > MAX_NAME_SIZE)
-            {
-            *errorcodeptr = ERR48;
-            goto FAILED;
-            }
-
-          /* Count named back references. */
-
-          if (!is_recurse) cd->namedrefcount++;
-
-          /* We have to allow for a named reference to a duplicated name (this
-          cannot be determined until the second pass). This needs an extra
-          16-bit data item. */
-
-          *lengthptr += IMM2_SIZE;
-
-          /* If this is a forward reference and we are within a (?|...) group,
-          the reference may end up as the number of a group which we are
-          currently inside, that is, it could be a recursive reference. In the
-          real compile this will be picked up and the reference wrapped with
-          OP_ONCE to make it atomic, so we must space in case this occurs. */
-
-          /* In fact, this can happen for a non-forward reference because
-          another group with the same number might be created later. This
-          issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
-          only mode, we finesse the bug by allowing more memory always. */
-
-          *lengthptr += 4 + 4*LINK_SIZE;
-
-          /* It is even worse than that. The current reference may be to an
-          existing named group with a different number (so apparently not
-          recursive) but which later on is also attached to a group with the
-          current number. This can only happen if $(| has been previous
-          encountered. In that case, we allow yet more memory, just in case.
-          (Again, this is fixed "properly" in PCRE2. */
-
-          if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE;
-
-          /* Otherwise, check for recursion here. The name table does not exist
-          in the first pass; instead we must scan the list of names encountered
-          so far in order to get the number. If the name is not found, leave
-          the value of recno as 0 for a forward reference. */
-
-          /* This patch (removing "else") fixes a problem when a reference is
-          to multiple identically named nested groups from within the nest.
-          Once again, it is not the "proper" fix, and it results in an
-          over-allocation of memory. */
-
-          /* else */
-            {
-            ng = cd->named_groups;
-            for (i = 0; i < cd->names_found; i++, ng++)
-              {
-              if (namelen == ng->length &&
-                  STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-                {
-                open_capitem *oc;
-                recno = ng->number;
-                if (is_recurse) break;
-                for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-                  {
-                  if (oc->number == recno)
-                    {
-                    oc->flag = TRUE;
-                    break;
-                    }
-                  }
-                }
-              }
-            }
-          }
-
-        /* In the real compile, search the name table. We check the name
-        first, and then check that we have reached the end of the name in the
-        table. That way, if the name is longer than any in the table, the
-        comparison will fail without reading beyond the table entry. */
-
-        else
-          {
-          slot = cd->name_table;
-          for (i = 0; i < cd->names_found; i++)
-            {
-            if (STRNCMP_UC_UC(name, slot+IMM2_SIZE, namelen) == 0 &&
-                slot[IMM2_SIZE+namelen] == 0)
-              break;
-            slot += cd->name_entry_size;
-            }
-
-          if (i < cd->names_found)
-            {
-            recno = GET2(slot, 0);
-            }
-          else
-            {
-            *errorcodeptr = ERR15;
-            goto FAILED;
-            }
-          }
-
-        /* In both phases, for recursions, we can now go to the code than
-        handles numerical recursion. */
-
-        if (is_recurse) goto HANDLE_RECURSION;
-
-        /* In the second pass we must see if the name is duplicated. If so, we
-        generate a different opcode. */
-
-        if (lengthptr == NULL && cd->dupnames)
-          {
-          int count = 1;
-          unsigned int index = i;
-          pcre_uchar *cslot = slot + cd->name_entry_size;
-
-          for (i++; i < cd->names_found; i++)
-            {
-            if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break;
-            count++;
-            cslot += cd->name_entry_size;
-            }
-
-          if (count > 1)
-            {
-            if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-            previous = code;
-            item_hwm_offset = cd->hwm - cd->start_workspace;
-            *code++ = ((options & PCRE_CASELESS) != 0)? OP_DNREFI : OP_DNREF;
-            PUT2INC(code, 0, index);
-            PUT2INC(code, 0, count);
-
-            /* Process each potentially referenced group. */
-
-            for (; slot < cslot; slot += cd->name_entry_size)
-              {
-              open_capitem *oc;
-              recno = GET2(slot, 0);
-              cd->backref_map |= (recno < 32)? (1 << recno) : 1;
-              if (recno > cd->top_backref) cd->top_backref = recno;
-
-              /* Check to see if this back reference is recursive, that it, it
-              is inside the group that it references. A flag is set so that the
-              group can be made atomic. */
-
-              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-                {
-                if (oc->number == recno)
-                  {
-                  oc->flag = TRUE;
-                  break;
-                  }
-                }
-              }
-
-            continue;  /* End of back ref handling */
-            }
-          }
-
-        /* First pass, or a non-duplicated name. */
-
-        goto HANDLE_REFERENCE;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_R:              /* Recursion, same as (?0) */
-        recno = 0;
-        if (*(++ptr) != CHAR_RIGHT_PARENTHESIS)
-          {
-          *errorcodeptr = ERR29;
-          goto FAILED;
-          }
-        goto HANDLE_RECURSION;
-
-
-        /* ------------------------------------------------------------ */
-        case CHAR_MINUS: case CHAR_PLUS:  /* Recursion or subroutine */
-        case CHAR_0: case CHAR_1: case CHAR_2: case CHAR_3: case CHAR_4:
-        case CHAR_5: case CHAR_6: case CHAR_7: case CHAR_8: case CHAR_9:
-          {
-          const pcre_uchar *called;
-          terminator = CHAR_RIGHT_PARENTHESIS;
-
-          /* Come here from the \g<...> and \g'...' code (Oniguruma
-          compatibility). However, the syntax has been checked to ensure that
-          the ... are a (signed) number, so that neither ERR63 nor ERR29 will
-          be called on this path, nor with the jump to OTHER_CHAR_AFTER_QUERY
-          ever be taken. */
-
-          HANDLE_NUMERICAL_RECURSION:
-
-          if ((refsign = *ptr) == CHAR_PLUS)
-            {
-            ptr++;
-            if (!IS_DIGIT(*ptr))
-              {
-              *errorcodeptr = ERR63;
-              goto FAILED;
-              }
-            }
-          else if (refsign == CHAR_MINUS)
-            {
-            if (!IS_DIGIT(ptr[1]))
-              goto OTHER_CHAR_AFTER_QUERY;
-            ptr++;
-            }
-
-          recno = 0;
-          while(IS_DIGIT(*ptr))
-            {
-            if (recno > INT_MAX / 10 - 1) /* Integer overflow */
-              {
-              while (IS_DIGIT(*ptr)) ptr++;
-              *errorcodeptr = ERR61;
-              goto FAILED;
-              }
-            recno = recno * 10 + *ptr++ - CHAR_0;
-            }
-
-          if (*ptr != (pcre_uchar)terminator)
-            {
-            *errorcodeptr = ERR29;
-            goto FAILED;
-            }
-
-          if (refsign == CHAR_MINUS)
-            {
-            if (recno == 0)
-              {
-              *errorcodeptr = ERR58;
-              goto FAILED;
-              }
-            recno = cd->bracount - recno + 1;
-            if (recno <= 0)
-              {
-              *errorcodeptr = ERR15;
-              goto FAILED;
-              }
-            }
-          else if (refsign == CHAR_PLUS)
-            {
-            if (recno == 0)
-              {
-              *errorcodeptr = ERR58;
-              goto FAILED;
-              }
-            recno += cd->bracount;
-            }
-
-          /* Come here from code above that handles a named recursion */
-
-          HANDLE_RECURSION:
-
-          previous = code;
-          item_hwm_offset = cd->hwm - cd->start_workspace;
-          called = cd->start_code;
-
-          /* When we are actually compiling, find the bracket that is being
-          referenced. Temporarily end the regex in case it doesn't exist before
-          this point. If we end up with a forward reference, first check that
-          the bracket does occur later so we can give the error (and position)
-          now. Then remember this forward reference in the workspace so it can
-          be filled in at the end. */
-
-          if (lengthptr == NULL)
-            {
-            *code = OP_END;
-            if (recno != 0)
-              called = PRIV(find_bracket)(cd->start_code, utf, recno);
-
-            /* Forward reference */
-
-            if (called == NULL)
-              {
-              if (recno > cd->final_bracount)
-                {
-                *errorcodeptr = ERR15;
-                goto FAILED;
-                }
-
-              /* Fudge the value of "called" so that when it is inserted as an
-              offset below, what it actually inserted is the reference number
-              of the group. Then remember the forward reference. */
-
-              called = cd->start_code + recno;
-              if (cd->hwm >= cd->start_workspace + cd->workspace_size -
-                  WORK_SIZE_SAFETY_MARGIN)
-                {
-                *errorcodeptr = expand_workspace(cd);
-                if (*errorcodeptr != 0) goto FAILED;
-                }
-              PUTINC(cd->hwm, 0, (int)(code + 1 - cd->start_code));
-              }
-
-            /* If not a forward reference, and the subpattern is still open,
-            this is a recursive call. We check to see if this is a left
-            recursion that could loop for ever, and diagnose that case. We
-            must not, however, do this check if we are in a conditional
-            subpattern because the condition might be testing for recursion in
-            a pattern such as /(?(R)a+|(?R)b)/, which is perfectly valid.
-            Forever loops are also detected at runtime, so those that occur in
-            conditional subpatterns will be picked up then. */
-
-            else if (GET(called, 1) == 0 && cond_depth <= 0 &&
-                     could_be_empty(called, code, bcptr, utf, cd))
-              {
-              *errorcodeptr = ERR40;
-              goto FAILED;
-              }
-            }
-
-          /* Insert the recursion/subroutine item. It does not have a set first
-          character (relevant if it is repeated, because it will then be
-          wrapped with ONCE brackets). */
-
-          *code = OP_RECURSE;
-          PUT(code, 1, (int)(called - cd->start_code));
-          code += 1 + LINK_SIZE;
-          groupsetfirstchar = FALSE;
-          }
-
-        /* Can't determine a first byte now */
-
-        if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-        continue;
-
-
-        /* ------------------------------------------------------------ */
-        default:              /* Other characters: check option setting */
-        OTHER_CHAR_AFTER_QUERY:
-        set = unset = 0;
-        optset = &set;
-
-        while (*ptr != CHAR_RIGHT_PARENTHESIS && *ptr != CHAR_COLON)
-          {
-          switch (*ptr++)
-            {
-            case CHAR_MINUS: optset = &unset; break;
-
-            case CHAR_J:    /* Record that it changed in the external options */
-            *optset |= PCRE_DUPNAMES;
-            cd->external_flags |= PCRE_JCHANGED;
-            break;
-
-            case CHAR_i: *optset |= PCRE_CASELESS; break;
-            case CHAR_m: *optset |= PCRE_MULTILINE; break;
-            case CHAR_s: *optset |= PCRE_DOTALL; break;
-            case CHAR_x: *optset |= PCRE_EXTENDED; break;
-            case CHAR_U: *optset |= PCRE_UNGREEDY; break;
-            case CHAR_X: *optset |= PCRE_EXTRA; break;
-
-            default:  *errorcodeptr = ERR12;
-                      ptr--;    /* Correct the offset */
-                      goto FAILED;
-            }
-          }
-
-        /* Set up the changed option bits, but don't change anything yet. */
-
-        newoptions = (options | set) & (~unset);
-
-        /* If the options ended with ')' this is not the start of a nested
-        group with option changes, so the options change at this level.
-        If we are not at the pattern start, reset the greedy defaults and the
-        case value for firstchar and reqchar. */
-
-        if (*ptr == CHAR_RIGHT_PARENTHESIS)
-          {
-          greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
-          greedy_non_default = greedy_default ^ 1;
-          req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS:0;
-
-          /* Change options at this level, and pass them back for use
-          in subsequent branches. */
-
-          *optionsptr = options = newoptions;
-          previous = NULL;       /* This item can't be repeated */
-          continue;              /* It is complete */
-          }
-
-        /* If the options ended with ':' we are heading into a nested group
-        with possible change of options. Such groups are non-capturing and are
-        not assertions of any kind. All we need to do is skip over the ':';
-        the newoptions value is handled below. */
-
-        bravalue = OP_BRA;
-        ptr++;
-        }     /* End of switch for character following (? */
-      }       /* End of (? handling */
-
-    /* Opening parenthesis not followed by '*' or '?'. If PCRE_NO_AUTO_CAPTURE
-    is set, all unadorned brackets become non-capturing and behave like (?:...)
-    brackets. */
-
-    else if ((options & PCRE_NO_AUTO_CAPTURE) != 0)
-      {
-      bravalue = OP_BRA;
-      }
-
-    /* Else we have a capturing group. */
-
-    else
-      {
-      NUMBERED_GROUP:
-      cd->bracount += 1;
-      PUT2(code, 1+LINK_SIZE, cd->bracount);
-      skipbytes = IMM2_SIZE;
-      }
-
-    /* Process nested bracketed regex. First check for parentheses nested too
-    deeply. */
-
-    if ((cd->parens_depth += 1) > PARENS_NEST_LIMIT)
-      {
-      *errorcodeptr = ERR82;
-      goto FAILED;
-      }
-
-    /* All assertions used not to be repeatable, but this was changed for Perl
-    compatibility. All kinds can now be repeated except for assertions that are
-    conditions (Perl also forbids these to be repeated). We copy code into a
-    non-register variable (tempcode) in order to be able to pass its address
-    because some compilers complain otherwise. At the start of a conditional
-    group whose condition is an assertion, cd->iscondassert is set. We unset it
-    here so as to allow assertions later in the group to be quantified. */
-
-    if (bravalue >= OP_ASSERT && bravalue <= OP_ASSERTBACK_NOT &&
-        cd->iscondassert)
-      {
-      previous = NULL;
-      cd->iscondassert = FALSE;
-      }
-    else
-      {
-      previous = code;
-      item_hwm_offset = cd->hwm - cd->start_workspace;
-      }
-
-    *code = bravalue;
-    tempcode = code;
-    tempreqvary = cd->req_varyopt;        /* Save value before bracket */
-    tempbracount = cd->bracount;          /* Save value before bracket */
-    length_prevgroup = 0;                 /* Initialize for pre-compile phase */
-
-    if (!compile_regex(
-         newoptions,                      /* The complete new option state */
-         &tempcode,                       /* Where to put code (updated) */
-         &ptr,                            /* Input pointer (updated) */
-         errorcodeptr,                    /* Where to put an error message */
-         (bravalue == OP_ASSERTBACK ||
-          bravalue == OP_ASSERTBACK_NOT), /* TRUE if back assert */
-         reset_bracount,                  /* True if (?| group */
-         skipbytes,                       /* Skip over bracket number */
-         cond_depth +
-           ((bravalue == OP_COND)?1:0),   /* Depth of condition subpatterns */
-         &subfirstchar,                   /* For possible first char */
-         &subfirstcharflags,
-         &subreqchar,                     /* For possible last char */
-         &subreqcharflags,
-         bcptr,                           /* Current branch chain */
-         cd,                              /* Tables block */
-         (lengthptr == NULL)? NULL :      /* Actual compile phase */
-           &length_prevgroup              /* Pre-compile phase */
-         ))
-      goto FAILED;
-
-    cd->parens_depth -= 1;
-
-    /* If this was an atomic group and there are no capturing groups within it,
-    generate OP_ONCE_NC instead of OP_ONCE. */
-
-    if (bravalue == OP_ONCE && cd->bracount <= tempbracount)
-      *code = OP_ONCE_NC;
-
-    if (bravalue >= OP_ASSERT && bravalue <= OP_ASSERTBACK_NOT)
-      cd->assert_depth -= 1;
-
-    /* At the end of compiling, code is still pointing to the start of the
-    group, while tempcode has been updated to point past the end of the group.
-    The pattern pointer (ptr) is on the bracket.
-
-    If this is a conditional bracket, check that there are no more than
-    two branches in the group, or just one if it's a DEFINE group. We do this
-    in the real compile phase, not in the pre-pass, where the whole group may
-    not be available. */
-
-    if (bravalue == OP_COND && lengthptr == NULL)
-      {
-      pcre_uchar *tc = code;
-      int condcount = 0;
-
-      do {
-         condcount++;
-         tc += GET(tc,1);
-         }
-      while (*tc != OP_KET);
-
-      /* A DEFINE group is never obeyed inline (the "condition" is always
-      false). It must have only one branch. */
-
-      if (code[LINK_SIZE+1] == OP_DEF)
-        {
-        if (condcount > 1)
-          {
-          *errorcodeptr = ERR54;
-          goto FAILED;
-          }
-        bravalue = OP_DEF;   /* Just a flag to suppress char handling below */
-        }
-
-      /* A "normal" conditional group. If there is just one branch, we must not
-      make use of its firstchar or reqchar, because this is equivalent to an
-      empty second branch. */
-
-      else
-        {
-        if (condcount > 2)
-          {
-          *errorcodeptr = ERR27;
-          goto FAILED;
-          }
-        if (condcount == 1) subfirstcharflags = subreqcharflags = REQ_NONE;
-        }
-      }
-
-    /* Error if hit end of pattern */
-
-    if (*ptr != CHAR_RIGHT_PARENTHESIS)
-      {
-      *errorcodeptr = ERR14;
-      goto FAILED;
-      }
-
-    /* In the pre-compile phase, update the length by the length of the group,
-    less the brackets at either end. Then reduce the compiled code to just a
-    set of non-capturing brackets so that it doesn't use much memory if it is
-    duplicated by a quantifier.*/
-
-    if (lengthptr != NULL)
-      {
-      if (OFLOW_MAX - *lengthptr < length_prevgroup - 2 - 2*LINK_SIZE)
-        {
-        *errorcodeptr = ERR20;
-        goto FAILED;
-        }
-      *lengthptr += length_prevgroup - 2 - 2*LINK_SIZE;
-      code++;   /* This already contains bravalue */
-      PUTINC(code, 0, 1 + LINK_SIZE);
-      *code++ = OP_KET;
-      PUTINC(code, 0, 1 + LINK_SIZE);
-      break;    /* No need to waste time with special character handling */
-      }
-
-    /* Otherwise update the main code pointer to the end of the group. */
-
-    code = tempcode;
-
-    /* For a DEFINE group, required and first character settings are not
-    relevant. */
-
-    if (bravalue == OP_DEF) break;
-
-    /* Handle updating of the required and first characters for other types of
-    group. Update for normal brackets of all kinds, and conditions with two
-    branches (see code above). If the bracket is followed by a quantifier with
-    zero repeat, we have to back off. Hence the definition of zeroreqchar and
-    zerofirstchar outside the main loop so that they can be accessed for the
-    back off. */
-
-    zeroreqchar = reqchar;
-    zeroreqcharflags = reqcharflags;
-    zerofirstchar = firstchar;
-    zerofirstcharflags = firstcharflags;
-    groupsetfirstchar = FALSE;
-
-    if (bravalue >= OP_ONCE)
-      {
-      /* If we have not yet set a firstchar in this branch, take it from the
-      subpattern, remembering that it was set here so that a repeat of more
-      than one can replicate it as reqchar if necessary. If the subpattern has
-      no firstchar, set "none" for the whole branch. In both cases, a zero
-      repeat forces firstchar to "none". */
-
-      if (firstcharflags == REQ_UNSET)
-        {
-        if (subfirstcharflags >= 0)
-          {
-          firstchar = subfirstchar;
-          firstcharflags = subfirstcharflags;
-          groupsetfirstchar = TRUE;
-          }
-        else firstcharflags = REQ_NONE;
-        zerofirstcharflags = REQ_NONE;
-        }
-
-      /* If firstchar was previously set, convert the subpattern's firstchar
-      into reqchar if there wasn't one, using the vary flag that was in
-      existence beforehand. */
-
-      else if (subfirstcharflags >= 0 && subreqcharflags < 0)
-        {
-        subreqchar = subfirstchar;
-        subreqcharflags = subfirstcharflags | tempreqvary;
-        }
-
-      /* If the subpattern set a required byte (or set a first byte that isn't
-      really the first byte - see above), set it. */
-
-      if (subreqcharflags >= 0)
-        {
-        reqchar = subreqchar;
-        reqcharflags = subreqcharflags;
-        }
-      }
-
-    /* For a forward assertion, we take the reqchar, if set. This can be
-    helpful if the pattern that follows the assertion doesn't set a different
-    char. For example, it's useful for /(?=abcde).+/. We can't set firstchar
-    for an assertion, however because it leads to incorrect effect for patterns
-    such as /(?=a)a.+/ when the "real" "a" would then become a reqchar instead
-    of a firstchar. This is overcome by a scan at the end if there's no
-    firstchar, looking for an asserted first char. */
-
-    else if (bravalue == OP_ASSERT && subreqcharflags >= 0)
-      {
-      reqchar = subreqchar;
-      reqcharflags = subreqcharflags;
-      }
-    break;     /* End of processing '(' */
-
-
-    /* ===================================================================*/
-    /* Handle metasequences introduced by \. For ones like \d, the ESC_ values
-    are arranged to be the negation of the corresponding OP_values in the
-    default case when PCRE_UCP is not set. For the back references, the values
-    are negative the reference number. Only back references and those types
-    that consume a character may be repeated. We can test for values between
-    ESC_b and ESC_Z for the latter; this may have to change if any new ones are
-    ever created. */
-
-    case CHAR_BACKSLASH:
-    tempptr = ptr;
-    escape = check_escape(&ptr, &ec, errorcodeptr, cd->bracount, options, FALSE);
-    if (*errorcodeptr != 0) goto FAILED;
-
-    if (escape == 0)                  /* The escape coded a single character */
-      c = ec;
-    else
-      {
-      /* For metasequences that actually match a character, we disable the
-      setting of a first character if it hasn't already been set. */
-
-      if (firstcharflags == REQ_UNSET && escape > ESC_b && escape < ESC_Z)
-        firstcharflags = REQ_NONE;
-
-      /* Set values to reset to if this is followed by a zero repeat. */
-
-      zerofirstchar = firstchar;
-      zerofirstcharflags = firstcharflags;
-      zeroreqchar = reqchar;
-      zeroreqcharflags = reqcharflags;
-
-      /* \g or \g'name' is a subroutine call by name and \g or \g'n'
-      is a subroutine call by number (Oniguruma syntax). In fact, the value
-      ESC_g is returned only for these cases. So we don't need to check for <
-      or ' if the value is ESC_g. For the Perl syntax \g{n} the value is
-      -n, and for the Perl syntax \g{name} the result is ESC_k (as
-      that is a synonym for a named back reference). */
-
-      if (escape == ESC_g)
-        {
-        const pcre_uchar *p;
-        pcre_uint32 cf;
-
-        item_hwm_offset = cd->hwm - cd->start_workspace;   /* Normally this is set when '(' is read */
-        terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
-          CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
-
-        /* These two statements stop the compiler for warning about possibly
-        unset variables caused by the jump to HANDLE_NUMERICAL_RECURSION. In
-        fact, because we do the check for a number below, the paths that
-        would actually be in error are never taken. */
-
-        skipbytes = 0;
-        reset_bracount = FALSE;
-
-        /* If it's not a signed or unsigned number, treat it as a name. */
-
-        cf = ptr[1];
-        if (cf != CHAR_PLUS && cf != CHAR_MINUS && !IS_DIGIT(cf))
-          {
-          is_recurse = TRUE;
-          goto NAMED_REF_OR_RECURSE;
-          }
-
-        /* Signed or unsigned number (cf = ptr[1]) is known to be plus or minus
-        or a digit. */
-
-        p = ptr + 2;
-        while (IS_DIGIT(*p)) p++;
-        if (*p != (pcre_uchar)terminator)
-          {
-          *errorcodeptr = ERR57;
-          goto FAILED;
-          }
-        ptr++;
-        goto HANDLE_NUMERICAL_RECURSION;
-        }
-
-      /* \k or \k'name' is a back reference by name (Perl syntax).
-      We also support \k{name} (.NET syntax).  */
-
-      if (escape == ESC_k)
-        {
-        if ((ptr[1] != CHAR_LESS_THAN_SIGN &&
-          ptr[1] != CHAR_APOSTROPHE && ptr[1] != CHAR_LEFT_CURLY_BRACKET))
-          {
-          *errorcodeptr = ERR69;
-          goto FAILED;
-          }
-        is_recurse = FALSE;
-        terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
-          CHAR_GREATER_THAN_SIGN : (*ptr == CHAR_APOSTROPHE)?
-          CHAR_APOSTROPHE : CHAR_RIGHT_CURLY_BRACKET;
-        goto NAMED_REF_OR_RECURSE;
-        }
-
-      /* Back references are handled specially; must disable firstchar if
-      not set to cope with cases like (?=(\w+))\1: which would otherwise set
-      ':' later. */
-
-      if (escape < 0)
-        {
-        open_capitem *oc;
-        recno = -escape;
-
-        /* Come here from named backref handling when the reference is to a
-        single group (i.e. not to a duplicated name. */
-
-        HANDLE_REFERENCE:
-        if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
-        previous = code;
-        item_hwm_offset = cd->hwm - cd->start_workspace;
-        *code++ = ((options & PCRE_CASELESS) != 0)? OP_REFI : OP_REF;
-        PUT2INC(code, 0, recno);
-        cd->backref_map |= (recno < 32)? (1 << recno) : 1;
-        if (recno > cd->top_backref) cd->top_backref = recno;
-
-        /* Check to see if this back reference is recursive, that it, it
-        is inside the group that it references. A flag is set so that the
-        group can be made atomic. */
-
-        for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-          {
-          if (oc->number == recno)
-            {
-            oc->flag = TRUE;
-            break;
-            }
-          }
-        }
-
-      /* So are Unicode property matches, if supported. */
-
-#ifdef SUPPORT_UCP
-      else if (escape == ESC_P || escape == ESC_p)
-        {
-        BOOL negated;
-        unsigned int ptype = 0, pdata = 0;
-        if (!get_ucp(&ptr, &negated, &ptype, &pdata, errorcodeptr))
-          goto FAILED;
-        previous = code;
-        item_hwm_offset = cd->hwm - cd->start_workspace;
-        *code++ = ((escape == ESC_p) != negated)? OP_PROP : OP_NOTPROP;
-        *code++ = ptype;
-        *code++ = pdata;
-        }
-#else
-
-      /* If Unicode properties are not supported, \X, \P, and \p are not
-      allowed. */
-
-      else if (escape == ESC_X || escape == ESC_P || escape == ESC_p)
-        {
-        *errorcodeptr = ERR45;
-        goto FAILED;
-        }
-#endif
-
-      /* For the rest (including \X when Unicode properties are supported), we
-      can obtain the OP value by negating the escape value in the default
-      situation when PCRE_UCP is not set. When it *is* set, we substitute
-      Unicode property tests. Note that \b and \B do a one-character
-      lookbehind, and \A also behaves as if it does. */
-
-      else
-        {
-        if ((escape == ESC_b || escape == ESC_B || escape == ESC_A) &&
-             cd->max_lookbehind == 0)
-          cd->max_lookbehind = 1;
-#ifdef SUPPORT_UCP
-        if (escape >= ESC_DU && escape <= ESC_wu)
-          {
-          nestptr = ptr + 1;                   /* Where to resume */
-          ptr = substitutes[escape - ESC_DU] - 1;  /* Just before substitute */
-          }
-        else
-#endif
-        /* In non-UTF-8 mode, we turn \C into OP_ALLANY instead of OP_ANYBYTE
-        so that it works in DFA mode and in lookbehinds. */
-
-          {
-          previous = (escape > ESC_b && escape < ESC_Z)? code : NULL;
-          item_hwm_offset = cd->hwm - cd->start_workspace;
-          *code++ = (!utf && escape == ESC_C)? OP_ALLANY : escape;
-          }
-        }
-      continue;
-      }
-
-    /* We have a data character whose value is in c. In UTF-8 mode it may have
-    a value > 127. We set its representation in the length/buffer, and then
-    handle it as a data character. */
-
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-    if (utf && c > MAX_VALUE_FOR_SINGLE_CHAR)
-      mclength = PRIV(ord2utf)(c, mcbuffer);
-    else
-#endif
-
-     {
-     mcbuffer[0] = c;
-     mclength = 1;
-     }
-    goto ONE_CHAR;
-
-
-    /* ===================================================================*/
-    /* Handle a literal character. It is guaranteed not to be whitespace or #
-    when the extended flag is set. If we are in a UTF mode, it may be a
-    multi-unit literal character. */
-
-    default:
-    NORMAL_CHAR:
-    mclength = 1;
-    mcbuffer[0] = c;
-
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(c))
-      ACROSSCHAR(TRUE, ptr[1], mcbuffer[mclength++] = *(++ptr));
-#endif
-
-    /* At this point we have the character's bytes in mcbuffer, and the length
-    in mclength. When not in UTF-8 mode, the length is always 1. */
-
-    ONE_CHAR:
-    previous = code;
-    item_hwm_offset = cd->hwm - cd->start_workspace;
-
-    /* For caseless UTF-8 mode when UCP support is available, check whether
-    this character has more than one other case. If so, generate a special
-    OP_PROP item instead of OP_CHARI. */
-
-#ifdef SUPPORT_UCP
-    if (utf && (options & PCRE_CASELESS) != 0)
-      {
-      GETCHAR(c, mcbuffer);
-      if ((c = UCD_CASESET(c)) != 0)
-        {
-        *code++ = OP_PROP;
-        *code++ = PT_CLIST;
-        *code++ = c;
-        if (firstcharflags == REQ_UNSET)
-          firstcharflags = zerofirstcharflags = REQ_NONE;
-        break;
-        }
-      }
-#endif
-
-    /* Caseful matches, or not one of the multicase characters. */
-
-    *code++ = ((options & PCRE_CASELESS) != 0)? OP_CHARI : OP_CHAR;
-    for (c = 0; c < mclength; c++) *code++ = mcbuffer[c];
-
-    /* Remember if \r or \n were seen */
-
-    if (mcbuffer[0] == CHAR_CR || mcbuffer[0] == CHAR_NL)
-      cd->external_flags |= PCRE_HASCRORLF;
-
-    /* Set the first and required bytes appropriately. If no previous first
-    byte, set it from this character, but revert to none on a zero repeat.
-    Otherwise, leave the firstchar value alone, and don't change it on a zero
-    repeat. */
-
-    if (firstcharflags == REQ_UNSET)
-      {
-      zerofirstcharflags = REQ_NONE;
-      zeroreqchar = reqchar;
-      zeroreqcharflags = reqcharflags;
-
-      /* If the character is more than one byte long, we can set firstchar
-      only if it is not to be matched caselessly. */
-
-      if (mclength == 1 || req_caseopt == 0)
-        {
-        firstchar = mcbuffer[0] | req_caseopt;
-        firstchar = mcbuffer[0];
-        firstcharflags = req_caseopt;
-
-        if (mclength != 1)
-          {
-          reqchar = code[-1];
-          reqcharflags = cd->req_varyopt;
-          }
-        }
-      else firstcharflags = reqcharflags = REQ_NONE;
-      }
-
-    /* firstchar was previously set; we can set reqchar only if the length is
-    1 or the matching is caseful. */
-
-    else
-      {
-      zerofirstchar = firstchar;
-      zerofirstcharflags = firstcharflags;
-      zeroreqchar = reqchar;
-      zeroreqcharflags = reqcharflags;
-      if (mclength == 1 || req_caseopt == 0)
-        {
-        reqchar = code[-1];
-        reqcharflags = req_caseopt | cd->req_varyopt;
-        }
-      }
-
-    break;            /* End of literal character handling */
-    }
-  }                   /* end of big loop */
-
-
-/* Control never reaches here by falling through, only by a goto for all the
-error states. Pass back the position in the pattern so that it can be displayed
-to the user for diagnosing the error. */
-
-FAILED:
-*ptrptr = ptr;
-return FALSE;
-}
-
-
-
-/*************************************************
-*     Compile sequence of alternatives           *
-*************************************************/
-
-/* On entry, ptr is pointing past the bracket character, but on return it
-points to the closing bracket, or vertical bar, or end of string. The code
-variable is pointing at the byte into which the BRA operator has been stored.
-This function is used during the pre-compile phase when we are trying to find
-out the amount of memory needed, as well as during the real compile phase. The
-value of lengthptr distinguishes the two phases.
-
-Arguments:
-  options           option bits, including any changes for this subpattern
-  codeptr           -> the address of the current code pointer
-  ptrptr            -> the address of the current pattern pointer
-  errorcodeptr      -> pointer to error code variable
-  lookbehind        TRUE if this is a lookbehind assertion
-  reset_bracount    TRUE to reset the count for each branch
-  skipbytes         skip this many bytes at start (for brackets and OP_COND)
-  cond_depth        depth of nesting for conditional subpatterns
-  firstcharptr      place to put the first required character
-  firstcharflagsptr place to put the first character flags, or a negative number
-  reqcharptr        place to put the last required character
-  reqcharflagsptr   place to put the last required character flags, or a negative number
-  bcptr             pointer to the chain of currently open branches
-  cd                points to the data block with tables pointers etc.
-  lengthptr         NULL during the real compile phase
-                    points to length accumulator during pre-compile phase
-
-Returns:            TRUE on success
-*/
-
-static BOOL
-compile_regex(int options, pcre_uchar **codeptr, const pcre_uchar **ptrptr,
-  int *errorcodeptr, BOOL lookbehind, BOOL reset_bracount, int skipbytes,
-  int cond_depth,
-  pcre_uint32 *firstcharptr, pcre_int32 *firstcharflagsptr,
-  pcre_uint32 *reqcharptr, pcre_int32 *reqcharflagsptr,
-  branch_chain *bcptr, compile_data *cd, int *lengthptr)
-{
-const pcre_uchar *ptr = *ptrptr;
-pcre_uchar *code = *codeptr;
-pcre_uchar *last_branch = code;
-pcre_uchar *start_bracket = code;
-pcre_uchar *reverse_count = NULL;
-open_capitem capitem;
-int capnumber = 0;
-pcre_uint32 firstchar, reqchar;
-pcre_int32 firstcharflags, reqcharflags;
-pcre_uint32 branchfirstchar, branchreqchar;
-pcre_int32 branchfirstcharflags, branchreqcharflags;
-int length;
-unsigned int orig_bracount;
-unsigned int max_bracount;
-branch_chain bc;
-size_t save_hwm_offset;
-
-/* If set, call the external function that checks for stack availability. */
-
-if (PUBL(stack_guard) != NULL && PUBL(stack_guard)())
-  {
-  *errorcodeptr= ERR85;
-  return FALSE;
-  }
-
-/* Miscellaneous initialization */
-
-bc.outer = bcptr;
-bc.current_branch = code;
-
-firstchar = reqchar = 0;
-firstcharflags = reqcharflags = REQ_UNSET;
-
-save_hwm_offset = cd->hwm - cd->start_workspace;
-
-/* Accumulate the length for use in the pre-compile phase. Start with the
-length of the BRA and KET and any extra bytes that are required at the
-beginning. We accumulate in a local variable to save frequent testing of
-lenthptr for NULL. We cannot do this by looking at the value of code at the
-start and end of each alternative, because compiled items are discarded during
-the pre-compile phase so that the work space is not exceeded. */
-
-length = 2 + 2*LINK_SIZE + skipbytes;
-
-/* WARNING: If the above line is changed for any reason, you must also change
-the code that abstracts option settings at the start of the pattern and makes
-them global. It tests the value of length for (2 + 2*LINK_SIZE) in the
-pre-compile phase to find out whether anything has yet been compiled or not. */
-
-/* If this is a capturing subpattern, add to the chain of open capturing items
-so that we can detect them if (*ACCEPT) is encountered. This is also used to
-detect groups that contain recursive back references to themselves. Note that
-only OP_CBRA need be tested here; changing this opcode to one of its variants,
-e.g. OP_SCBRAPOS, happens later, after the group has been compiled. */
-
-if (*code == OP_CBRA)
-  {
-  capnumber = GET2(code, 1 + LINK_SIZE);
-  capitem.number = capnumber;
-  capitem.next = cd->open_caps;
-  capitem.flag = FALSE;
-  cd->open_caps = &capitem;
-  }
-
-/* Offset is set zero to mark that this bracket is still open */
-
-PUT(code, 1, 0);
-code += 1 + LINK_SIZE + skipbytes;
-
-/* Loop for each alternative branch */
-
-orig_bracount = max_bracount = cd->bracount;
-for (;;)
-  {
-  /* For a (?| group, reset the capturing bracket count so that each branch
-  uses the same numbers. */
-
-  if (reset_bracount) cd->bracount = orig_bracount;
-
-  /* Set up dummy OP_REVERSE if lookbehind assertion */
-
-  if (lookbehind)
-    {
-    *code++ = OP_REVERSE;
-    reverse_count = code;
-    PUTINC(code, 0, 0);
-    length += 1 + LINK_SIZE;
-    }
-
-  /* Now compile the branch; in the pre-compile phase its length gets added
-  into the length. */
-
-  if (!compile_branch(&options, &code, &ptr, errorcodeptr, &branchfirstchar,
-        &branchfirstcharflags, &branchreqchar, &branchreqcharflags, &bc,
-        cond_depth, cd, (lengthptr == NULL)? NULL : &length))
-    {
-    *ptrptr = ptr;
-    return FALSE;
-    }
-
-  /* Keep the highest bracket count in case (?| was used and some branch
-  has fewer than the rest. */
-
-  if (cd->bracount > max_bracount) max_bracount = cd->bracount;
-
-  /* In the real compile phase, there is some post-processing to be done. */
-
-  if (lengthptr == NULL)
-    {
-    /* If this is the first branch, the firstchar and reqchar values for the
-    branch become the values for the regex. */
-
-    if (*last_branch != OP_ALT)
-      {
-      firstchar = branchfirstchar;
-      firstcharflags = branchfirstcharflags;
-      reqchar = branchreqchar;
-      reqcharflags = branchreqcharflags;
-      }
-
-    /* If this is not the first branch, the first char and reqchar have to
-    match the values from all the previous branches, except that if the
-    previous value for reqchar didn't have REQ_VARY set, it can still match,
-    and we set REQ_VARY for the regex. */
-
-    else
-      {
-      /* If we previously had a firstchar, but it doesn't match the new branch,
-      we have to abandon the firstchar for the regex, but if there was
-      previously no reqchar, it takes on the value of the old firstchar. */
-
-      if (firstcharflags >= 0 &&
-          (firstcharflags != branchfirstcharflags || firstchar != branchfirstchar))
-        {
-        if (reqcharflags < 0)
-          {
-          reqchar = firstchar;
-          reqcharflags = firstcharflags;
-          }
-        firstcharflags = REQ_NONE;
-        }
-
-      /* If we (now or from before) have no firstchar, a firstchar from the
-      branch becomes a reqchar if there isn't a branch reqchar. */
-
-      if (firstcharflags < 0 && branchfirstcharflags >= 0 && branchreqcharflags < 0)
-        {
-        branchreqchar = branchfirstchar;
-        branchreqcharflags = branchfirstcharflags;
-        }
-
-      /* Now ensure that the reqchars match */
-
-      if (((reqcharflags & ~REQ_VARY) != (branchreqcharflags & ~REQ_VARY)) ||
-          reqchar != branchreqchar)
-        reqcharflags = REQ_NONE;
-      else
-        {
-        reqchar = branchreqchar;
-        reqcharflags |= branchreqcharflags; /* To "or" REQ_VARY */
-        }
-      }
-
-    /* If lookbehind, check that this branch matches a fixed-length string, and
-    put the length into the OP_REVERSE item. Temporarily mark the end of the
-    branch with OP_END. If the branch contains OP_RECURSE, the result is -3
-    because there may be forward references that we can't check here. Set a
-    flag to cause another lookbehind check at the end. Why not do it all at the
-    end? Because common, erroneous checks are picked up here and the offset of
-    the problem can be shown. */
-
-    if (lookbehind)
-      {
-      int fixed_length;
-      *code = OP_END;
-      fixed_length = find_fixedlength(last_branch,  (options & PCRE_UTF8) != 0,
-        FALSE, cd, NULL);
-      DPRINTF(("fixed length = %d\n", fixed_length));
-      if (fixed_length == -3)
-        {
-        cd->check_lookbehind = TRUE;
-        }
-      else if (fixed_length < 0)
-        {
-        *errorcodeptr = (fixed_length == -2)? ERR36 :
-                        (fixed_length == -4)? ERR70: ERR25;
-        *ptrptr = ptr;
-        return FALSE;
-        }
-      else
-        {
-        if (fixed_length > cd->max_lookbehind)
-          cd->max_lookbehind = fixed_length;
-        PUT(reverse_count, 0, fixed_length);
-        }
-      }
-    }
-
-  /* Reached end of expression, either ')' or end of pattern. In the real
-  compile phase, go back through the alternative branches and reverse the chain
-  of offsets, with the field in the BRA item now becoming an offset to the
-  first alternative. If there are no alternatives, it points to the end of the
-  group. The length in the terminating ket is always the length of the whole
-  bracketed item. Return leaving the pointer at the terminating char. */
-
-  if (*ptr != CHAR_VERTICAL_LINE)
-    {
-    if (lengthptr == NULL)
-      {
-      int branch_length = (int)(code - last_branch);
-      do
-        {
-        int prev_length = GET(last_branch, 1);
-        PUT(last_branch, 1, branch_length);
-        branch_length = prev_length;
-        last_branch -= branch_length;
-        }
-      while (branch_length > 0);
-      }
-
-    /* Fill in the ket */
-
-    *code = OP_KET;
-    PUT(code, 1, (int)(code - start_bracket));
-    code += 1 + LINK_SIZE;
-
-    /* If it was a capturing subpattern, check to see if it contained any
-    recursive back references. If so, we must wrap it in atomic brackets.
-    Because we are moving code along, we must ensure that any pending recursive
-    references are updated. In any event, remove the block from the chain. */
-
-    if (capnumber > 0)
-      {
-      if (cd->open_caps->flag)
-        {
-        *code = OP_END;
-        adjust_recurse(start_bracket, 1 + LINK_SIZE,
-          (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
-        memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
-          IN_UCHARS(code - start_bracket));
-        *start_bracket = OP_ONCE;
-        code += 1 + LINK_SIZE;
-        PUT(start_bracket, 1, (int)(code - start_bracket));
-        *code = OP_KET;
-        PUT(code, 1, (int)(code - start_bracket));
-        code += 1 + LINK_SIZE;
-        length += 2 + 2*LINK_SIZE;
-        }
-      cd->open_caps = cd->open_caps->next;
-      }
-
-    /* Retain the highest bracket number, in case resetting was used. */
-
-    cd->bracount = max_bracount;
-
-    /* Set values to pass back */
-
-    *codeptr = code;
-    *ptrptr = ptr;
-    *firstcharptr = firstchar;
-    *firstcharflagsptr = firstcharflags;
-    *reqcharptr = reqchar;
-    *reqcharflagsptr = reqcharflags;
-    if (lengthptr != NULL)
-      {
-      if (OFLOW_MAX - *lengthptr < length)
-        {
-        *errorcodeptr = ERR20;
-        return FALSE;
-        }
-      *lengthptr += length;
-      }
-    return TRUE;
-    }
-
-  /* Another branch follows. In the pre-compile phase, we can move the code
-  pointer back to where it was for the start of the first branch. (That is,
-  pretend that each branch is the only one.)
-
-  In the real compile phase, insert an ALT node. Its length field points back
-  to the previous branch while the bracket remains open. At the end the chain
-  is reversed. It's done like this so that the start of the bracket has a
-  zero offset until it is closed, making it possible to detect recursion. */
-
-  if (lengthptr != NULL)
-    {
-    code = *codeptr + 1 + LINK_SIZE + skipbytes;
-    length += 1 + LINK_SIZE;
-    }
-  else
-    {
-    *code = OP_ALT;
-    PUT(code, 1, (int)(code - last_branch));
-    bc.current_branch = last_branch = code;
-    code += 1 + LINK_SIZE;
-    }
-
-  ptr++;
-  }
-/* Control never reaches here */
-}
-
-
-
-
-/*************************************************
-*          Check for anchored expression         *
-*************************************************/
-
-/* Try to find out if this is an anchored regular expression. Consider each
-alternative branch. If they all start with OP_SOD or OP_CIRC, or with a bracket
-all of whose alternatives start with OP_SOD or OP_CIRC (recurse ad lib), then
-it's anchored. However, if this is a multiline pattern, then only OP_SOD will
-be found, because ^ generates OP_CIRCM in that mode.
-
-We can also consider a regex to be anchored if OP_SOM starts all its branches.
-This is the code for \G, which means "match at start of match position, taking
-into account the match offset".
-
-A branch is also implicitly anchored if it starts with .* and DOTALL is set,
-because that will try the rest of the pattern at all possible matching points,
-so there is no point trying again.... er ....
-
-.... except when the .* appears inside capturing parentheses, and there is a
-subsequent back reference to those parentheses. We haven't enough information
-to catch that case precisely.
-
-At first, the best we could do was to detect when .* was in capturing brackets
-and the highest back reference was greater than or equal to that level.
-However, by keeping a bitmap of the first 31 back references, we can catch some
-of the more common cases more precisely.
-
-... A second exception is when the .* appears inside an atomic group, because
-this prevents the number of characters it matches from being adjusted.
-
-Arguments:
-  code           points to start of expression (the bracket)
-  bracket_map    a bitmap of which brackets we are inside while testing; this
-                  handles up to substring 31; after that we just have to take
-                  the less precise approach
-  cd             points to the compile data block
-  atomcount      atomic group level
-
-Returns:     TRUE or FALSE
-*/
-
-static BOOL
-is_anchored(register const pcre_uchar *code, unsigned int bracket_map,
-  compile_data *cd, int atomcount)
-{
-do {
-   const pcre_uchar *scode = first_significant_code(
-     code + PRIV(OP_lengths)[*code], FALSE);
-   register int op = *scode;
-
-   /* Non-capturing brackets */
-
-   if (op == OP_BRA  || op == OP_BRAPOS ||
-       op == OP_SBRA || op == OP_SBRAPOS)
-     {
-     if (!is_anchored(scode, bracket_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Capturing brackets */
-
-   else if (op == OP_CBRA  || op == OP_CBRAPOS ||
-            op == OP_SCBRA || op == OP_SCBRAPOS)
-     {
-     int n = GET2(scode, 1+LINK_SIZE);
-     int new_map = bracket_map | ((n < 32)? (1 << n) : 1);
-     if (!is_anchored(scode, new_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Positive forward assertions and conditions */
-
-   else if (op == OP_ASSERT || op == OP_COND)
-     {
-     if (!is_anchored(scode, bracket_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Atomic groups */
-
-   else if (op == OP_ONCE || op == OP_ONCE_NC)
-     {
-     if (!is_anchored(scode, bracket_map, cd, atomcount + 1))
-       return FALSE;
-     }
-
-   /* .* is not anchored unless DOTALL is set (which generates OP_ALLANY) and
-   it isn't in brackets that are or may be referenced or inside an atomic
-   group. */
-
-   else if ((op == OP_TYPESTAR || op == OP_TYPEMINSTAR ||
-             op == OP_TYPEPOSSTAR))
-     {
-     if (scode[1] != OP_ALLANY || (bracket_map & cd->backref_map) != 0 ||
-         atomcount > 0 || cd->had_pruneorskip)
-       return FALSE;
-     }
-
-   /* Check for explicit anchoring */
-
-   else if (op != OP_SOD && op != OP_SOM && op != OP_CIRC) return FALSE;
-
-   code += GET(code, 1);
-   }
-while (*code == OP_ALT);   /* Loop for each alternative */
-return TRUE;
-}
-
-
-
-/*************************************************
-*         Check for starting with ^ or .*        *
-*************************************************/
-
-/* This is called to find out if every branch starts with ^ or .* so that
-"first char" processing can be done to speed things up in multiline
-matching and for non-DOTALL patterns that start with .* (which must start at
-the beginning or after \n). As in the case of is_anchored() (see above), we
-have to take account of back references to capturing brackets that contain .*
-because in that case we can't make the assumption. Also, the appearance of .*
-inside atomic brackets or in a pattern that contains *PRUNE or *SKIP does not
-count, because once again the assumption no longer holds.
-
-Arguments:
-  code           points to start of expression (the bracket)
-  bracket_map    a bitmap of which brackets we are inside while testing; this
-                  handles up to substring 31; after that we just have to take
-                  the less precise approach
-  cd             points to the compile data
-  atomcount      atomic group level
-
-Returns:         TRUE or FALSE
-*/
-
-static BOOL
-is_startline(const pcre_uchar *code, unsigned int bracket_map,
-  compile_data *cd, int atomcount)
-{
-do {
-   const pcre_uchar *scode = first_significant_code(
-     code + PRIV(OP_lengths)[*code], FALSE);
-   register int op = *scode;
-
-   /* If we are at the start of a conditional assertion group, *both* the
-   conditional assertion *and* what follows the condition must satisfy the test
-   for start of line. Other kinds of condition fail. Note that there may be an
-   auto-callout at the start of a condition. */
-
-   if (op == OP_COND)
-     {
-     scode += 1 + LINK_SIZE;
-     if (*scode == OP_CALLOUT) scode += PRIV(OP_lengths)[OP_CALLOUT];
-     switch (*scode)
-       {
-       case OP_CREF:
-       case OP_DNCREF:
-       case OP_RREF:
-       case OP_DNRREF:
-       case OP_DEF:
-       case OP_FAIL:
-       return FALSE;
-
-       default:     /* Assertion */
-       if (!is_startline(scode, bracket_map, cd, atomcount)) return FALSE;
-       do scode += GET(scode, 1); while (*scode == OP_ALT);
-       scode += 1 + LINK_SIZE;
-       break;
-       }
-     scode = first_significant_code(scode, FALSE);
-     op = *scode;
-     }
-
-   /* Non-capturing brackets */
-
-   if (op == OP_BRA  || op == OP_BRAPOS ||
-       op == OP_SBRA || op == OP_SBRAPOS)
-     {
-     if (!is_startline(scode, bracket_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Capturing brackets */
-
-   else if (op == OP_CBRA  || op == OP_CBRAPOS ||
-            op == OP_SCBRA || op == OP_SCBRAPOS)
-     {
-     int n = GET2(scode, 1+LINK_SIZE);
-     int new_map = bracket_map | ((n < 32)? (1 << n) : 1);
-     if (!is_startline(scode, new_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Positive forward assertions */
-
-   else if (op == OP_ASSERT)
-     {
-     if (!is_startline(scode, bracket_map, cd, atomcount)) return FALSE;
-     }
-
-   /* Atomic brackets */
-
-   else if (op == OP_ONCE || op == OP_ONCE_NC)
-     {
-     if (!is_startline(scode, bracket_map, cd, atomcount + 1)) return FALSE;
-     }
-
-   /* .* means "start at start or after \n" if it isn't in atomic brackets or
-   brackets that may be referenced, as long as the pattern does not contain
-   *PRUNE or *SKIP, because these break the feature. Consider, for example,
-   /.*?a(*PRUNE)b/ with the subject "aab", which matches "ab", i.e. not at the
-   start of a line. */
-
-   else if (op == OP_TYPESTAR || op == OP_TYPEMINSTAR || op == OP_TYPEPOSSTAR)
-     {
-     if (scode[1] != OP_ANY || (bracket_map & cd->backref_map) != 0 ||
-         atomcount > 0 || cd->had_pruneorskip)
-       return FALSE;
-     }
-
-   /* Check for explicit circumflex; anything else gives a FALSE result. Note
-   in particular that this includes atomic brackets OP_ONCE and OP_ONCE_NC
-   because the number of characters matched by .* cannot be adjusted inside
-   them. */
-
-   else if (op != OP_CIRC && op != OP_CIRCM) return FALSE;
-
-   /* Move on to the next alternative */
-
-   code += GET(code, 1);
-   }
-while (*code == OP_ALT);  /* Loop for each alternative */
-return TRUE;
-}
-
-
-
-/*************************************************
-*       Check for asserted fixed first char      *
-*************************************************/
-
-/* During compilation, the "first char" settings from forward assertions are
-discarded, because they can cause conflicts with actual literals that follow.
-However, if we end up without a first char setting for an unanchored pattern,
-it is worth scanning the regex to see if there is an initial asserted first
-char. If all branches start with the same asserted char, or with a
-non-conditional bracket all of whose alternatives start with the same asserted
-char (recurse ad lib), then we return that char, with the flags set to zero or
-REQ_CASELESS; otherwise return zero with REQ_NONE in the flags.
-
-Arguments:
-  code       points to start of expression (the bracket)
-  flags      points to the first char flags, or to REQ_NONE
-  inassert   TRUE if in an assertion
-
-Returns:     the fixed first char, or 0 with REQ_NONE in flags
-*/
-
-static pcre_uint32
-find_firstassertedchar(const pcre_uchar *code, pcre_int32 *flags,
-  BOOL inassert)
-{
-register pcre_uint32 c = 0;
-int cflags = REQ_NONE;
-
-*flags = REQ_NONE;
-do {
-   pcre_uint32 d;
-   int dflags;
-   int xl = (*code == OP_CBRA || *code == OP_SCBRA ||
-             *code == OP_CBRAPOS || *code == OP_SCBRAPOS)? IMM2_SIZE:0;
-   const pcre_uchar *scode = first_significant_code(code + 1+LINK_SIZE + xl,
-     TRUE);
-   register pcre_uchar op = *scode;
-
-   switch(op)
-     {
-     default:
-     return 0;
-
-     case OP_BRA:
-     case OP_BRAPOS:
-     case OP_CBRA:
-     case OP_SCBRA:
-     case OP_CBRAPOS:
-     case OP_SCBRAPOS:
-     case OP_ASSERT:
-     case OP_ONCE:
-     case OP_ONCE_NC:
-     d = find_firstassertedchar(scode, &dflags, op == OP_ASSERT);
-     if (dflags < 0)
-       return 0;
-     if (cflags < 0) { c = d; cflags = dflags; } else if (c != d || cflags != dflags) return 0;
-     break;
-
-     case OP_EXACT:
-     scode += IMM2_SIZE;
-     /* Fall through */
-
-     case OP_CHAR:
-     case OP_PLUS:
-     case OP_MINPLUS:
-     case OP_POSPLUS:
-     if (!inassert) return 0;
-     if (cflags < 0) { c = scode[1]; cflags = 0; }
-       else if (c != scode[1]) return 0;
-     break;
-
-     case OP_EXACTI:
-     scode += IMM2_SIZE;
-     /* Fall through */
-
-     case OP_CHARI:
-     case OP_PLUSI:
-     case OP_MINPLUSI:
-     case OP_POSPLUSI:
-     if (!inassert) return 0;
-     if (cflags < 0) { c = scode[1]; cflags = REQ_CASELESS; }
-       else if (c != scode[1]) return 0;
-     break;
-     }
-
-   code += GET(code, 1);
-   }
-while (*code == OP_ALT);
-
-*flags = cflags;
-return c;
-}
-
-
-
-/*************************************************
-*     Add an entry to the name/number table      *
-*************************************************/
-
-/* This function is called between compiling passes to add an entry to the
-name/number table, maintaining alphabetical order. Checking for permitted
-and forbidden duplicates has already been done.
-
-Arguments:
-  cd           the compile data block
-  name         the name to add
-  length       the length of the name
-  groupno      the group number
-
-Returns:       nothing
-*/
-
-static void
-add_name(compile_data *cd, const pcre_uchar *name, int length,
-  unsigned int groupno)
-{
-int i;
-pcre_uchar *slot = cd->name_table;
-
-for (i = 0; i < cd->names_found; i++)
-  {
-  int crc = memcmp(name, slot+IMM2_SIZE, IN_UCHARS(length));
-  if (crc == 0 && slot[IMM2_SIZE+length] != 0)
-    crc = -1; /* Current name is a substring */
-
-  /* Make space in the table and break the loop for an earlier name. For a
-  duplicate or later name, carry on. We do this for duplicates so that in the
-  simple case (when ?(| is not used) they are in order of their numbers. In all
-  cases they are in the order in which they appear in the pattern. */
-
-  if (crc < 0)
-    {
-    memmove(slot + cd->name_entry_size, slot,
-      IN_UCHARS((cd->names_found - i) * cd->name_entry_size));
-    break;
-    }
-
-  /* Continue the loop for a later or duplicate name */
-
-  slot += cd->name_entry_size;
-  }
-
-PUT2(slot, 0, groupno);
-memcpy(slot + IMM2_SIZE, name, IN_UCHARS(length));
-slot[IMM2_SIZE + length] = 0;
-cd->names_found++;
-}
-
-
-
-/*************************************************
-*        Compile a Regular Expression            *
-*************************************************/
-
-/* This function takes a string and returns a pointer to a block of store
-holding a compiled version of the expression. The original API for this
-function had no error code return variable; it is retained for backwards
-compatibility. The new function is given a new name.
-
-Arguments:
-  pattern       the regular expression
-  options       various option bits
-  errorcodeptr  pointer to error code variable (pcre_compile2() only)
-                  can be NULL if you don't want a code value
-  errorptr      pointer to pointer to error text
-  erroroffset   ptr offset in pattern where error was detected
-  tables        pointer to character tables or NULL
-
-Returns:        pointer to compiled data block, or NULL on error,
-                with errorptr and erroroffset set
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN pcre * PCRE_CALL_CONVENTION
-pcre_compile(const char *pattern, int options, const char **errorptr,
-  int *erroroffset, const unsigned char *tables)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN pcre16 * PCRE_CALL_CONVENTION
-pcre16_compile(PCRE_SPTR16 pattern, int options, const char **errorptr,
-  int *erroroffset, const unsigned char *tables)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN pcre32 * PCRE_CALL_CONVENTION
-pcre32_compile(PCRE_SPTR32 pattern, int options, const char **errorptr,
-  int *erroroffset, const unsigned char *tables)
-#endif
-{
-#if defined COMPILE_PCRE8
-return pcre_compile2(pattern, options, NULL, errorptr, erroroffset, tables);
-#elif defined COMPILE_PCRE16
-return pcre16_compile2(pattern, options, NULL, errorptr, erroroffset, tables);
-#elif defined COMPILE_PCRE32
-return pcre32_compile2(pattern, options, NULL, errorptr, erroroffset, tables);
-#endif
-}
-
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN pcre * PCRE_CALL_CONVENTION
-pcre_compile2(const char *pattern, int options, int *errorcodeptr,
-  const char **errorptr, int *erroroffset, const unsigned char *tables)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN pcre16 * PCRE_CALL_CONVENTION
-pcre16_compile2(PCRE_SPTR16 pattern, int options, int *errorcodeptr,
-  const char **errorptr, int *erroroffset, const unsigned char *tables)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN pcre32 * PCRE_CALL_CONVENTION
-pcre32_compile2(PCRE_SPTR32 pattern, int options, int *errorcodeptr,
-  const char **errorptr, int *erroroffset, const unsigned char *tables)
-#endif
-{
-REAL_PCRE *re;
-int length = 1;  /* For final END opcode */
-pcre_int32 firstcharflags, reqcharflags;
-pcre_uint32 firstchar, reqchar;
-pcre_uint32 limit_match = PCRE_UINT32_MAX;
-pcre_uint32 limit_recursion = PCRE_UINT32_MAX;
-int newline;
-int errorcode = 0;
-int skipatstart = 0;
-BOOL utf;
-BOOL never_utf = FALSE;
-size_t size;
-pcre_uchar *code;
-const pcre_uchar *codestart;
-const pcre_uchar *ptr;
-compile_data compile_block;
-compile_data *cd = &compile_block;
-
-/* This space is used for "compiling" into during the first phase, when we are
-computing the amount of memory that is needed. Compiled items are thrown away
-as soon as possible, so that a fairly large buffer should be sufficient for
-this purpose. The same space is used in the second phase for remembering where
-to fill in forward references to subpatterns. That may overflow, in which case
-new memory is obtained from malloc(). */
-
-pcre_uchar cworkspace[COMPILE_WORK_SIZE];
-
-/* This vector is used for remembering name groups during the pre-compile. In a
-similar way to cworkspace, it can be expanded using malloc() if necessary. */
-
-named_group named_groups[NAMED_GROUP_LIST_SIZE];
-
-/* Set this early so that early errors get offset 0. */
-
-ptr = (const pcre_uchar *)pattern;
-
-/* We can't pass back an error message if errorptr is NULL; I guess the best we
-can do is just return NULL, but we can set a code value if there is a code
-pointer. */
-
-if (errorptr == NULL)
-  {
-  if (errorcodeptr != NULL) *errorcodeptr = 99;
-  return NULL;
-  }
-
-*errorptr = NULL;
-if (errorcodeptr != NULL) *errorcodeptr = ERR0;
-
-/* However, we can give a message for this error */
-
-if (erroroffset == NULL)
-  {
-  errorcode = ERR16;
-  goto PCRE_EARLY_ERROR_RETURN2;
-  }
-
-*erroroffset = 0;
-
-/* Set up pointers to the individual character tables */
-
-if (tables == NULL) tables = PRIV(default_tables);
-cd->lcc = tables + lcc_offset;
-cd->fcc = tables + fcc_offset;
-cd->cbits = tables + cbits_offset;
-cd->ctypes = tables + ctypes_offset;
-
-/* Check that all undefined public option bits are zero */
-
-if ((options & ~PUBLIC_COMPILE_OPTIONS) != 0)
-  {
-  errorcode = ERR17;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-
-/* If PCRE_NEVER_UTF is set, remember it. */
-
-if ((options & PCRE_NEVER_UTF) != 0) never_utf = TRUE;
-
-/* Check for global one-time settings at the start of the pattern, and remember
-the offset for later. */
-
-cd->external_flags = 0;   /* Initialize here for LIMIT_MATCH/RECURSION */
-
-while (ptr[skipatstart] == CHAR_LEFT_PARENTHESIS &&
-       ptr[skipatstart+1] == CHAR_ASTERISK)
-  {
-  int newnl = 0;
-  int newbsr = 0;
-
-/* For completeness and backward compatibility, (*UTFn) is supported in the
-relevant libraries, but (*UTF) is generic and always supported. Note that
-PCRE_UTF8 == PCRE_UTF16 == PCRE_UTF32. */
-
-#ifdef COMPILE_PCRE8
-  if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_UTF8_RIGHTPAR, 5) == 0)
-    { skipatstart += 7; options |= PCRE_UTF8; continue; }
-#endif
-#ifdef COMPILE_PCRE16
-  if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_UTF16_RIGHTPAR, 6) == 0)
-    { skipatstart += 8; options |= PCRE_UTF16; continue; }
-#endif
-#ifdef COMPILE_PCRE32
-  if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_UTF32_RIGHTPAR, 6) == 0)
-    { skipatstart += 8; options |= PCRE_UTF32; continue; }
-#endif
-
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_UTF_RIGHTPAR, 4) == 0)
-    { skipatstart += 6; options |= PCRE_UTF8; continue; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_UCP_RIGHTPAR, 4) == 0)
-    { skipatstart += 6; options |= PCRE_UCP; continue; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_NO_AUTO_POSSESS_RIGHTPAR, 16) == 0)
-    { skipatstart += 18; options |= PCRE_NO_AUTO_POSSESS; continue; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_NO_START_OPT_RIGHTPAR, 13) == 0)
-    { skipatstart += 15; options |= PCRE_NO_START_OPTIMIZE; continue; }
-
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_LIMIT_MATCH_EQ, 12) == 0)
-    {
-    pcre_uint32 c = 0;
-    int p = skipatstart + 14;
-    while (isdigit(ptr[p]))
-      {
-      if (c > PCRE_UINT32_MAX / 10 - 1) break;   /* Integer overflow */
-      c = c*10 + ptr[p++] - CHAR_0;
-      }
-    if (ptr[p++] != CHAR_RIGHT_PARENTHESIS) break;
-    if (c < limit_match)
-      {
-      limit_match = c;
-      cd->external_flags |= PCRE_MLSET;
-      }
-    skipatstart = p;
-    continue;
-    }
-
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_LIMIT_RECURSION_EQ, 16) == 0)
-    {
-    pcre_uint32 c = 0;
-    int p = skipatstart + 18;
-    while (isdigit(ptr[p]))
-      {
-      if (c > PCRE_UINT32_MAX / 10 - 1) break;   /* Integer overflow check */
-      c = c*10 + ptr[p++] - CHAR_0;
-      }
-    if (ptr[p++] != CHAR_RIGHT_PARENTHESIS) break;
-    if (c < limit_recursion)
-      {
-      limit_recursion = c;
-      cd->external_flags |= PCRE_RLSET;
-      }
-    skipatstart = p;
-    continue;
-    }
-
-  if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_CR_RIGHTPAR, 3) == 0)
-    { skipatstart += 5; newnl = PCRE_NEWLINE_CR; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_LF_RIGHTPAR, 3)  == 0)
-    { skipatstart += 5; newnl = PCRE_NEWLINE_LF; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_CRLF_RIGHTPAR, 5)  == 0)
-    { skipatstart += 7; newnl = PCRE_NEWLINE_CR + PCRE_NEWLINE_LF; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_ANY_RIGHTPAR, 4) == 0)
-    { skipatstart += 6; newnl = PCRE_NEWLINE_ANY; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_ANYCRLF_RIGHTPAR, 8) == 0)
-    { skipatstart += 10; newnl = PCRE_NEWLINE_ANYCRLF; }
-
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_BSR_ANYCRLF_RIGHTPAR, 12) == 0)
-    { skipatstart += 14; newbsr = PCRE_BSR_ANYCRLF; }
-  else if (STRNCMP_UC_C8(ptr+skipatstart+2, STRING_BSR_UNICODE_RIGHTPAR, 12) == 0)
-    { skipatstart += 14; newbsr = PCRE_BSR_UNICODE; }
-
-  if (newnl != 0)
-    options = (options & ~PCRE_NEWLINE_BITS) | newnl;
-  else if (newbsr != 0)
-    options = (options & ~(PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE)) | newbsr;
-  else break;
-  }
-
-/* PCRE_UTF(16|32) have the same value as PCRE_UTF8. */
-utf = (options & PCRE_UTF8) != 0;
-if (utf && never_utf)
-  {
-  errorcode = ERR78;
-  goto PCRE_EARLY_ERROR_RETURN2;
-  }
-
-/* Can't support UTF unless PCRE has been compiled to include the code. The
-return of an error code from PRIV(valid_utf)() is a new feature, introduced in
-release 8.13. It is passed back from pcre_[dfa_]exec(), but at the moment is
-not used here. */
-
-#ifdef SUPPORT_UTF
-if (utf && (options & PCRE_NO_UTF8_CHECK) == 0 &&
-     (errorcode = PRIV(valid_utf)((PCRE_PUCHAR)pattern, -1, erroroffset)) != 0)
-  {
-#if defined COMPILE_PCRE8
-  errorcode = ERR44;
-#elif defined COMPILE_PCRE16
-  errorcode = ERR74;
-#elif defined COMPILE_PCRE32
-  errorcode = ERR77;
-#endif
-  goto PCRE_EARLY_ERROR_RETURN2;
-  }
-#else
-if (utf)
-  {
-  errorcode = ERR32;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-#endif
-
-/* Can't support UCP unless PCRE has been compiled to include the code. */
-
-#ifndef SUPPORT_UCP
-if ((options & PCRE_UCP) != 0)
-  {
-  errorcode = ERR67;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-#endif
-
-/* Check validity of \R options. */
-
-if ((options & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE)) ==
-     (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE))
-  {
-  errorcode = ERR56;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-
-/* Handle different types of newline. The three bits give seven cases. The
-current code allows for fixed one- or two-byte sequences, plus "any" and
-"anycrlf". */
-
-switch (options & PCRE_NEWLINE_BITS)
-  {
-  case 0: newline = NEWLINE; break;   /* Build-time default */
-  case PCRE_NEWLINE_CR: newline = CHAR_CR; break;
-  case PCRE_NEWLINE_LF: newline = CHAR_NL; break;
-  case PCRE_NEWLINE_CR+
-       PCRE_NEWLINE_LF: newline = (CHAR_CR << 8) | CHAR_NL; break;
-  case PCRE_NEWLINE_ANY: newline = -1; break;
-  case PCRE_NEWLINE_ANYCRLF: newline = -2; break;
-  default: errorcode = ERR56; goto PCRE_EARLY_ERROR_RETURN;
-  }
-
-if (newline == -2)
-  {
-  cd->nltype = NLTYPE_ANYCRLF;
-  }
-else if (newline < 0)
-  {
-  cd->nltype = NLTYPE_ANY;
-  }
-else
-  {
-  cd->nltype = NLTYPE_FIXED;
-  if (newline > 255)
-    {
-    cd->nllen = 2;
-    cd->nl[0] = (newline >> 8) & 255;
-    cd->nl[1] = newline & 255;
-    }
-  else
-    {
-    cd->nllen = 1;
-    cd->nl[0] = newline;
-    }
-  }
-
-/* Maximum back reference and backref bitmap. The bitmap records up to 31 back
-references to help in deciding whether (.*) can be treated as anchored or not.
-*/
-
-cd->top_backref = 0;
-cd->backref_map = 0;
-
-/* Reflect pattern for debugging output */
-
-DPRINTF(("------------------------------------------------------------------\n"));
-#ifdef PCRE_DEBUG
-print_puchar(stdout, (PCRE_PUCHAR)pattern);
-#endif
-DPRINTF(("\n"));
-
-/* Pretend to compile the pattern while actually just accumulating the length
-of memory required. This behaviour is triggered by passing a non-NULL final
-argument to compile_regex(). We pass a block of workspace (cworkspace) for it
-to compile parts of the pattern into; the compiled code is discarded when it is
-no longer needed, so hopefully this workspace will never overflow, though there
-is a test for its doing so. */
-
-cd->bracount = cd->final_bracount = 0;
-cd->names_found = 0;
-cd->name_entry_size = 0;
-cd->name_table = NULL;
-cd->dupnames = FALSE;
-cd->dupgroups = FALSE;
-cd->namedrefcount = 0;
-cd->start_code = cworkspace;
-cd->hwm = cworkspace;
-cd->iscondassert = FALSE;
-cd->start_workspace = cworkspace;
-cd->workspace_size = COMPILE_WORK_SIZE;
-cd->named_groups = named_groups;
-cd->named_group_list_size = NAMED_GROUP_LIST_SIZE;
-cd->start_pattern = (const pcre_uchar *)pattern;
-cd->end_pattern = (const pcre_uchar *)(pattern + STRLEN_UC((const pcre_uchar *)pattern));
-cd->req_varyopt = 0;
-cd->parens_depth = 0;
-cd->assert_depth = 0;
-cd->max_lookbehind = 0;
-cd->external_options = options;
-cd->open_caps = NULL;
-
-/* Now do the pre-compile. On error, errorcode will be set non-zero, so we
-don't need to look at the result of the function here. The initial options have
-been put into the cd block so that they can be changed if an option setting is
-found within the regex right at the beginning. Bringing initial option settings
-outside can help speed up starting point checks. */
-
-ptr += skipatstart;
-code = cworkspace;
-*code = OP_BRA;
-
-(void)compile_regex(cd->external_options, &code, &ptr, &errorcode, FALSE,
-  FALSE, 0, 0, &firstchar, &firstcharflags, &reqchar, &reqcharflags, NULL,
-  cd, &length);
-if (errorcode != 0) goto PCRE_EARLY_ERROR_RETURN;
-
-DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
-  (int)(cd->hwm - cworkspace)));
-
-if (length > MAX_PATTERN_SIZE)
-  {
-  errorcode = ERR20;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-
-/* Compute the size of the data block for storing the compiled pattern. Integer
-overflow should no longer be possible because nowadays we limit the maximum
-value of cd->names_found and cd->name_entry_size. */
-
-size = sizeof(REAL_PCRE) +
-  (length + cd->names_found * cd->name_entry_size) * sizeof(pcre_uchar);
-
-/* Get the memory. */
-
-re = (REAL_PCRE *)(PUBL(malloc))(size);
-if (re == NULL)
-  {
-  errorcode = ERR21;
-  goto PCRE_EARLY_ERROR_RETURN;
-  }
-
-/* Put in the magic number, and save the sizes, initial options, internal
-flags, and character table pointer. NULL is used for the default character
-tables. The nullpad field is at the end; it's there to help in the case when a
-regex compiled on a system with 4-byte pointers is run on another with 8-byte
-pointers. */
-
-re->magic_number = MAGIC_NUMBER;
-re->size = (int)size;
-re->options = cd->external_options;
-re->flags = cd->external_flags;
-re->limit_match = limit_match;
-re->limit_recursion = limit_recursion;
-re->first_char = 0;
-re->req_char = 0;
-re->name_table_offset = sizeof(REAL_PCRE) / sizeof(pcre_uchar);
-re->name_entry_size = cd->name_entry_size;
-re->name_count = cd->names_found;
-re->ref_count = 0;
-re->tables = (tables == PRIV(default_tables))? NULL : tables;
-re->nullpad = NULL;
-#ifdef COMPILE_PCRE32
-re->dummy = 0;
-#else
-re->dummy1 = re->dummy2 = re->dummy3 = 0;
-#endif
-
-/* The starting points of the name/number translation table and of the code are
-passed around in the compile data block. The start/end pattern and initial
-options are already set from the pre-compile phase, as is the name_entry_size
-field. Reset the bracket count and the names_found field. Also reset the hwm
-field; this time it's used for remembering forward references to subpatterns.
-*/
-
-cd->final_bracount = cd->bracount;  /* Save for checking forward references */
-cd->parens_depth = 0;
-cd->assert_depth = 0;
-cd->bracount = 0;
-cd->max_lookbehind = 0;
-cd->name_table = (pcre_uchar *)re + re->name_table_offset;
-codestart = cd->name_table + re->name_entry_size * re->name_count;
-cd->start_code = codestart;
-cd->hwm = (pcre_uchar *)(cd->start_workspace);
-cd->iscondassert = FALSE;
-cd->req_varyopt = 0;
-cd->had_accept = FALSE;
-cd->had_pruneorskip = FALSE;
-cd->check_lookbehind = FALSE;
-cd->open_caps = NULL;
-
-/* If any named groups were found, create the name/number table from the list
-created in the first pass. */
-
-if (cd->names_found > 0)
-  {
-  int i = cd->names_found;
-  named_group *ng = cd->named_groups;
-  cd->names_found = 0;
-  for (; i > 0; i--, ng++)
-    add_name(cd, ng->name, ng->length, ng->number);
-  if (cd->named_group_list_size > NAMED_GROUP_LIST_SIZE)
-    (PUBL(free))((void *)cd->named_groups);
-  }
-
-/* Set up a starting, non-extracting bracket, then compile the expression. On
-error, errorcode will be set non-zero, so we don't need to look at the result
-of the function here. */
-
-ptr = (const pcre_uchar *)pattern + skipatstart;
-code = (pcre_uchar *)codestart;
-*code = OP_BRA;
-(void)compile_regex(re->options, &code, &ptr, &errorcode, FALSE, FALSE, 0, 0,
-  &firstchar, &firstcharflags, &reqchar, &reqcharflags, NULL, cd, NULL);
-re->top_bracket = cd->bracount;
-re->top_backref = cd->top_backref;
-re->max_lookbehind = cd->max_lookbehind;
-re->flags = cd->external_flags | PCRE_MODE;
-
-if (cd->had_accept)
-  {
-  reqchar = 0;              /* Must disable after (*ACCEPT) */
-  reqcharflags = REQ_NONE;
-  }
-
-/* If not reached end of pattern on success, there's an excess bracket. */
-
-if (errorcode == 0 && *ptr != CHAR_NULL) errorcode = ERR22;
-
-/* Fill in the terminating state and check for disastrous overflow, but
-if debugging, leave the test till after things are printed out. */
-
-*code++ = OP_END;
-
-#ifndef PCRE_DEBUG
-if (code - codestart > length) errorcode = ERR23;
-#endif
-
-#ifdef SUPPORT_VALGRIND
-/* If the estimated length exceeds the really used length, mark the extra
-allocated memory as unaddressable, so that any out-of-bound reads can be
-detected. */
-VALGRIND_MAKE_MEM_NOACCESS(code, (length - (code - codestart)) * sizeof(pcre_uchar));
-#endif
-
-/* Fill in any forward references that are required. There may be repeated
-references; optimize for them, as searching a large regex takes time. */
-
-if (cd->hwm > cd->start_workspace)
-  {
-  int prev_recno = -1;
-  const pcre_uchar *groupptr = NULL;
-  while (errorcode == 0 && cd->hwm > cd->start_workspace)
-    {
-    int offset, recno;
-    cd->hwm -= LINK_SIZE;
-    offset = GET(cd->hwm, 0);
-
-    /* Check that the hwm handling hasn't gone wrong. This whole area is
-    rewritten in PCRE2 because there are some obscure cases. */
-
-    if (offset == 0 || codestart[offset-1] != OP_RECURSE)
-      {
-      errorcode = ERR10;
-      break;
-      }
-
-    recno = GET(codestart, offset);
-    if (recno != prev_recno)
-      {
-      groupptr = PRIV(find_bracket)(codestart, utf, recno);
-      prev_recno = recno;
-      }
-    if (groupptr == NULL) errorcode = ERR53;
-      else PUT(((pcre_uchar *)codestart), offset, (int)(groupptr - codestart));
-    }
-  }
-
-/* If the workspace had to be expanded, free the new memory. Set the pointer to
-NULL to indicate that forward references have been filled in. */
-
-if (cd->workspace_size > COMPILE_WORK_SIZE)
-  (PUBL(free))((void *)cd->start_workspace);
-cd->start_workspace = NULL;
-
-/* Give an error if there's back reference to a non-existent capturing
-subpattern. */
-
-if (errorcode == 0 && re->top_backref > re->top_bracket) errorcode = ERR15;
-
-/* Unless disabled, check whether any single character iterators can be
-auto-possessified. The function overwrites the appropriate opcode values, so
-the type of the pointer must be cast. NOTE: the intermediate variable "temp" is
-used in this code because at least one compiler gives a warning about loss of
-"const" attribute if the cast (pcre_uchar *)codestart is used directly in the
-function call. */
-
-if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0)
-  {
-  pcre_uchar *temp = (pcre_uchar *)codestart;
-  auto_possessify(temp, utf, cd);
-  }
-
-/* If there were any lookbehind assertions that contained OP_RECURSE
-(recursions or subroutine calls), a flag is set for them to be checked here,
-because they may contain forward references. Actual recursions cannot be fixed
-length, but subroutine calls can. It is done like this so that those without
-OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The
-exceptional ones forgo this. We scan the pattern to check that they are fixed
-length, and set their lengths. */
-
-if (errorcode == 0 && cd->check_lookbehind)
-  {
-  pcre_uchar *cc = (pcre_uchar *)codestart;
-
-  /* Loop, searching for OP_REVERSE items, and process those that do not have
-  their length set. (Actually, it will also re-process any that have a length
-  of zero, but that is a pathological case, and it does no harm.) When we find
-  one, we temporarily terminate the branch it is in while we scan it. */
-
-  for (cc = (pcre_uchar *)PRIV(find_bracket)(codestart, utf, -1);
-       cc != NULL;
-       cc = (pcre_uchar *)PRIV(find_bracket)(cc, utf, -1))
-    {
-    if (GET(cc, 1) == 0)
-      {
-      int fixed_length;
-      pcre_uchar *be = cc - 1 - LINK_SIZE + GET(cc, -LINK_SIZE);
-      int end_op = *be;
-      *be = OP_END;
-      fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
-        cd, NULL);
-      *be = end_op;
-      DPRINTF(("fixed length = %d\n", fixed_length));
-      if (fixed_length < 0)
-        {
-        errorcode = (fixed_length == -2)? ERR36 :
-                    (fixed_length == -4)? ERR70 : ERR25;
-        break;
-        }
-      if (fixed_length > cd->max_lookbehind) cd->max_lookbehind = fixed_length;
-      PUT(cc, 1, fixed_length);
-      }
-    cc += 1 + LINK_SIZE;
-    }
-  }
-
-/* Failed to compile, or error while post-processing */
-
-if (errorcode != 0)
-  {
-  (PUBL(free))(re);
-  PCRE_EARLY_ERROR_RETURN:
-  *erroroffset = (int)(ptr - (const pcre_uchar *)pattern);
-  PCRE_EARLY_ERROR_RETURN2:
-  *errorptr = find_error_text(errorcode);
-  if (errorcodeptr != NULL) *errorcodeptr = errorcode;
-  return NULL;
-  }
-
-/* If the anchored option was not passed, set the flag if we can determine that
-the pattern is anchored by virtue of ^ characters or \A or anything else, such
-as starting with non-atomic .* when DOTALL is set and there are no occurrences
-of *PRUNE or *SKIP.
-
-Otherwise, if we know what the first byte has to be, save it, because that
-speeds up unanchored matches no end. If not, see if we can set the
-PCRE_STARTLINE flag. This is helpful for multiline matches when all branches
-start with ^. and also when all branches start with non-atomic .* for
-non-DOTALL matches when *PRUNE and SKIP are not present. */
-
-if ((re->options & PCRE_ANCHORED) == 0)
-  {
-  if (is_anchored(codestart, 0, cd, 0)) re->options |= PCRE_ANCHORED;
-  else
-    {
-    if (firstcharflags < 0)
-      firstchar = find_firstassertedchar(codestart, &firstcharflags, FALSE);
-    if (firstcharflags >= 0)   /* Remove caseless flag for non-caseable chars */
-      {
-#if defined COMPILE_PCRE8
-      re->first_char = firstchar & 0xff;
-#elif defined COMPILE_PCRE16
-      re->first_char = firstchar & 0xffff;
-#elif defined COMPILE_PCRE32
-      re->first_char = firstchar;
-#endif
-      if ((firstcharflags & REQ_CASELESS) != 0)
-        {
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-        /* We ignore non-ASCII first chars in 8 bit mode. */
-        if (utf)
-          {
-          if (re->first_char < 128)
-            {
-            if (cd->fcc[re->first_char] != re->first_char)
-              re->flags |= PCRE_FCH_CASELESS;
-            }
-          else if (UCD_OTHERCASE(re->first_char) != re->first_char)
-            re->flags |= PCRE_FCH_CASELESS;
-          }
-        else
-#endif
-        if (MAX_255(re->first_char)
-            && cd->fcc[re->first_char] != re->first_char)
-          re->flags |= PCRE_FCH_CASELESS;
-        }
-
-      re->flags |= PCRE_FIRSTSET;
-      }
-
-    else if (is_startline(codestart, 0, cd, 0)) re->flags |= PCRE_STARTLINE;
-    }
-  }
-
-/* For an anchored pattern, we use the "required byte" only if it follows a
-variable length item in the regex. Remove the caseless flag for non-caseable
-bytes. */
-
-if (reqcharflags >= 0 &&
-     ((re->options & PCRE_ANCHORED) == 0 || (reqcharflags & REQ_VARY) != 0))
-  {
-#if defined COMPILE_PCRE8
-  re->req_char = reqchar & 0xff;
-#elif defined COMPILE_PCRE16
-  re->req_char = reqchar & 0xffff;
-#elif defined COMPILE_PCRE32
-  re->req_char = reqchar;
-#endif
-  if ((reqcharflags & REQ_CASELESS) != 0)
-    {
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-    /* We ignore non-ASCII first chars in 8 bit mode. */
-    if (utf)
-      {
-      if (re->req_char < 128)
-        {
-        if (cd->fcc[re->req_char] != re->req_char)
-          re->flags |= PCRE_RCH_CASELESS;
-        }
-      else if (UCD_OTHERCASE(re->req_char) != re->req_char)
-        re->flags |= PCRE_RCH_CASELESS;
-      }
-    else
-#endif
-    if (MAX_255(re->req_char) && cd->fcc[re->req_char] != re->req_char)
-      re->flags |= PCRE_RCH_CASELESS;
-    }
-
-  re->flags |= PCRE_REQCHSET;
-  }
-
-/* Print out the compiled data if debugging is enabled. This is never the
-case when building a production library. */
-
-#ifdef PCRE_DEBUG
-printf("Length = %d top_bracket = %d top_backref = %d\n",
-  length, re->top_bracket, re->top_backref);
-
-printf("Options=%08x\n", re->options);
-
-if ((re->flags & PCRE_FIRSTSET) != 0)
-  {
-  pcre_uchar ch = re->first_char;
-  const char *caseless =
-    ((re->flags & PCRE_FCH_CASELESS) == 0)? "" : " (caseless)";
-  if (PRINTABLE(ch)) printf("First char = %c%s\n", ch, caseless);
-    else printf("First char = \\x%02x%s\n", ch, caseless);
-  }
-
-if ((re->flags & PCRE_REQCHSET) != 0)
-  {
-  pcre_uchar ch = re->req_char;
-  const char *caseless =
-    ((re->flags & PCRE_RCH_CASELESS) == 0)? "" : " (caseless)";
-  if (PRINTABLE(ch)) printf("Req char = %c%s\n", ch, caseless);
-    else printf("Req char = \\x%02x%s\n", ch, caseless);
-  }
-
-#if defined COMPILE_PCRE8
-pcre_printint((pcre *)re, stdout, TRUE);
-#elif defined COMPILE_PCRE16
-pcre16_printint((pcre *)re, stdout, TRUE);
-#elif defined COMPILE_PCRE32
-pcre32_printint((pcre *)re, stdout, TRUE);
-#endif
-
-/* This check is done here in the debugging case so that the code that
-was compiled can be seen. */
-
-if (code - codestart > length)
-  {
-  (PUBL(free))(re);
-  *errorptr = find_error_text(ERR23);
-  *erroroffset = ptr - (pcre_uchar *)pattern;
-  if (errorcodeptr != NULL) *errorcodeptr = ERR23;
-  return NULL;
-  }
-#endif   /* PCRE_DEBUG */
-
-/* Check for a pattern than can match an empty string, so that this information
-can be provided to applications. */
-
-do
-  {
-  if (could_be_empty_branch(codestart, code, utf, cd, NULL))
-    {
-    re->flags |= PCRE_MATCH_EMPTY;
-    break;
-    }
-  codestart += GET(codestart, 1);
-  }
-while (*codestart == OP_ALT);
-
-#if defined COMPILE_PCRE8
-return (pcre *)re;
-#elif defined COMPILE_PCRE16
-return (pcre16 *)re;
-#elif defined COMPILE_PCRE32
-return (pcre32 *)re;
-#endif
-}
-
-/* End of pcre_compile.c */
diff --git a/src/plugins/PCREPlugin/pcre_config.c b/src/plugins/PCREPlugin/pcre_config.c
deleted file mode 100644
index 7cb170c..0000000
--- a/src/plugins/PCREPlugin/pcre_config.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_config(). */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-/* Keep the original link size. */
-static int real_link_size = LINK_SIZE;
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-* Return info about what features are configured *
-*************************************************/
-
-/* This function has an extensible interface so that additional items can be
-added compatibly.
-
-Arguments:
-  what             what information is required
-  where            where to put the information
-
-Returns:           0 if data returned, negative on error
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_config(int what, void *where)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_config(int what, void *where)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_config(int what, void *where)
-#endif
-{
-switch (what)
-  {
-  case PCRE_CONFIG_UTF8:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-  *((int *)where) = 0;
-  return PCRE_ERROR_BADOPTION;
-#else
-#if defined SUPPORT_UTF
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-#endif
-
-  case PCRE_CONFIG_UTF16:
-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE32
-  *((int *)where) = 0;
-  return PCRE_ERROR_BADOPTION;
-#else
-#if defined SUPPORT_UTF
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-#endif
-
-  case PCRE_CONFIG_UTF32:
-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
-  *((int *)where) = 0;
-  return PCRE_ERROR_BADOPTION;
-#else
-#if defined SUPPORT_UTF
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-#endif
-
-  case PCRE_CONFIG_UNICODE_PROPERTIES:
-#ifdef SUPPORT_UCP
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-
-  case PCRE_CONFIG_JIT:
-#ifdef SUPPORT_JIT
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-
-  case PCRE_CONFIG_JITTARGET:
-#ifdef SUPPORT_JIT
-  *((const char **)where) = PRIV(jit_get_target)();
-#else
-  *((const char **)where) = NULL;
-#endif
-  break;
-
-  case PCRE_CONFIG_NEWLINE:
-  *((int *)where) = NEWLINE;
-  break;
-
-  case PCRE_CONFIG_BSR:
-#ifdef BSR_ANYCRLF
-  *((int *)where) = 1;
-#else
-  *((int *)where) = 0;
-#endif
-  break;
-
-  case PCRE_CONFIG_LINK_SIZE:
-  *((int *)where) = real_link_size;
-  break;
-
-  case PCRE_CONFIG_POSIX_MALLOC_THRESHOLD:
-  *((int *)where) = POSIX_MALLOC_THRESHOLD;
-  break;
-
-  case PCRE_CONFIG_PARENS_LIMIT:
-  *((unsigned long int *)where) = PARENS_NEST_LIMIT;
-  break;
-
-  case PCRE_CONFIG_MATCH_LIMIT:
-  *((unsigned long int *)where) = MATCH_LIMIT;
-  break;
-
-  case PCRE_CONFIG_MATCH_LIMIT_RECURSION:
-  *((unsigned long int *)where) = MATCH_LIMIT_RECURSION;
-  break;
-
-  case PCRE_CONFIG_STACKRECURSE:
-#ifdef NO_RECURSE
-  *((int *)where) = 0;
-#else
-  *((int *)where) = 1;
-#endif
-  break;
-
-  default: return PCRE_ERROR_BADOPTION;
-  }
-
-return 0;
-}
-
-/* End of pcre_config.c */
diff --git a/src/plugins/PCREPlugin/pcre_dfa_exec.c b/src/plugins/PCREPlugin/pcre_dfa_exec.c
deleted file mode 100644
index 6967235..0000000
--- a/src/plugins/PCREPlugin/pcre_dfa_exec.c
+++ /dev/null
@@ -1,3675 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language (but see
-below for why this module is different).
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2014 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-/* This module contains the external function pcre_dfa_exec(), which is an
-alternative matching function that uses a sort of DFA algorithm (not a true
-FSM). This is NOT Perl-compatible, but it has advantages in certain
-applications. */
-
-
-/* NOTE ABOUT PERFORMANCE: A user of this function sent some code that improved
-the performance of his patterns greatly. I could not use it as it stood, as it
-was not thread safe, and made assumptions about pattern sizes. Also, it caused
-test 7 to loop, and test 9 to crash with a segfault.
-
-The issue is the check for duplicate states, which is done by a simple linear
-search up the state list. (Grep for "duplicate" below to find the code.) For
-many patterns, there will never be many states active at one time, so a simple
-linear search is fine. In patterns that have many active states, it might be a
-bottleneck. The suggested code used an indexing scheme to remember which states
-had previously been used for each character, and avoided the linear search when
-it knew there was no chance of a duplicate. This was implemented when adding
-states to the state lists.
-
-I wrote some thread-safe, not-limited code to try something similar at the time
-of checking for duplicates (instead of when adding states), using index vectors
-on the stack. It did give a 13% improvement with one specially constructed
-pattern for certain subject strings, but on other strings and on many of the
-simpler patterns in the test suite it did worse. The major problem, I think,
-was the extra time to initialize the index. This had to be done for each call
-of internal_dfa_exec(). (The supplied patch used a static vector, initialized
-only once - I suspect this was the cause of the problems with the tests.)
-
-Overall, I concluded that the gains in some cases did not outweigh the losses
-in others, so I abandoned this code. */
-
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#define NLBLOCK md             /* Block containing newline information */
-#define PSSTART start_subject  /* Field containing processed string start */
-#define PSEND   end_subject    /* Field containing processed string end */
-
-#include "pcre_internal.h"
-
-
-/* For use to indent debugging output */
-
-#define SP "                   "
-
-
-/*************************************************
-*      Code parameters and static tables         *
-*************************************************/
-
-/* These are offsets that are used to turn the OP_TYPESTAR and friends opcodes
-into others, under special conditions. A gap of 20 between the blocks should be
-enough. The resulting opcodes don't have to be less than 256 because they are
-never stored, so we push them well clear of the normal opcodes. */
-
-#define OP_PROP_EXTRA       300
-#define OP_EXTUNI_EXTRA     320
-#define OP_ANYNL_EXTRA      340
-#define OP_HSPACE_EXTRA     360
-#define OP_VSPACE_EXTRA     380
-
-
-/* This table identifies those opcodes that are followed immediately by a
-character that is to be tested in some way. This makes it possible to
-centralize the loading of these characters. In the case of Type * etc, the
-"character" is the opcode for \D, \d, \S, \s, \W, or \w, which will always be a
-small value. Non-zero values in the table are the offsets from the opcode where
-the character is to be found. ***NOTE*** If the start of this table is
-modified, the three tables that follow must also be modified. */
-
-static const pcre_uint8 coptable[] = {
-  0,                             /* End                                    */
-  0, 0, 0, 0, 0,                 /* \A, \G, \K, \B, \b                     */
-  0, 0, 0, 0, 0, 0,              /* \D, \d, \S, \s, \W, \w                 */
-  0, 0, 0,                       /* Any, AllAny, Anybyte                   */
-  0, 0,                          /* \P, \p                                 */
-  0, 0, 0, 0, 0,                 /* \R, \H, \h, \V, \v                     */
-  0,                             /* \X                                     */
-  0, 0, 0, 0, 0, 0,              /* \Z, \z, $, $M, ^, ^M                   */
-  1,                             /* Char                                   */
-  1,                             /* Chari                                  */
-  1,                             /* not                                    */
-  1,                             /* noti                                   */
-  /* Positive single-char repeats                                          */
-  1, 1, 1, 1, 1, 1,              /* *, *?, +, +?, ?, ??                    */
-  1+IMM2_SIZE, 1+IMM2_SIZE,      /* upto, minupto                          */
-  1+IMM2_SIZE,                   /* exact                                  */
-  1, 1, 1, 1+IMM2_SIZE,          /* *+, ++, ?+, upto+                      */
-  1, 1, 1, 1, 1, 1,              /* *I, *?I, +I, +?I, ?I, ??I              */
-  1+IMM2_SIZE, 1+IMM2_SIZE,      /* upto I, minupto I                      */
-  1+IMM2_SIZE,                   /* exact I                                */
-  1, 1, 1, 1+IMM2_SIZE,          /* *+I, ++I, ?+I, upto+I                  */
-  /* Negative single-char repeats - only for chars < 256                   */
-  1, 1, 1, 1, 1, 1,              /* NOT *, *?, +, +?, ?, ??                */
-  1+IMM2_SIZE, 1+IMM2_SIZE,      /* NOT upto, minupto                      */
-  1+IMM2_SIZE,                   /* NOT exact                              */
-  1, 1, 1, 1+IMM2_SIZE,          /* NOT *+, ++, ?+, upto+                  */
-  1, 1, 1, 1, 1, 1,              /* NOT *I, *?I, +I, +?I, ?I, ??I          */
-  1+IMM2_SIZE, 1+IMM2_SIZE,      /* NOT upto I, minupto I                  */
-  1+IMM2_SIZE,                   /* NOT exact I                            */
-  1, 1, 1, 1+IMM2_SIZE,          /* NOT *+I, ++I, ?+I, upto+I              */
-  /* Positive type repeats                                                 */
-  1, 1, 1, 1, 1, 1,              /* Type *, *?, +, +?, ?, ??               */
-  1+IMM2_SIZE, 1+IMM2_SIZE,      /* Type upto, minupto                     */
-  1+IMM2_SIZE,                   /* Type exact                             */
-  1, 1, 1, 1+IMM2_SIZE,          /* Type *+, ++, ?+, upto+                 */
-  /* Character class & ref repeats                                         */
-  0, 0, 0, 0, 0, 0,              /* *, *?, +, +?, ?, ??                    */
-  0, 0,                          /* CRRANGE, CRMINRANGE                    */
-  0, 0, 0, 0,                    /* Possessive *+, ++, ?+, CRPOSRANGE      */
-  0,                             /* CLASS                                  */
-  0,                             /* NCLASS                                 */
-  0,                             /* XCLASS - variable length               */
-  0,                             /* REF                                    */
-  0,                             /* REFI                                   */
-  0,                             /* DNREF                                  */
-  0,                             /* DNREFI                                 */
-  0,                             /* RECURSE                                */
-  0,                             /* CALLOUT                                */
-  0,                             /* Alt                                    */
-  0,                             /* Ket                                    */
-  0,                             /* KetRmax                                */
-  0,                             /* KetRmin                                */
-  0,                             /* KetRpos                                */
-  0,                             /* Reverse                                */
-  0,                             /* Assert                                 */
-  0,                             /* Assert not                             */
-  0,                             /* Assert behind                          */
-  0,                             /* Assert behind not                      */
-  0, 0,                          /* ONCE, ONCE_NC                          */
-  0, 0, 0, 0, 0,                 /* BRA, BRAPOS, CBRA, CBRAPOS, COND       */
-  0, 0, 0, 0, 0,                 /* SBRA, SBRAPOS, SCBRA, SCBRAPOS, SCOND  */
-  0, 0,                          /* CREF, DNCREF                           */
-  0, 0,                          /* RREF, DNRREF                           */
-  0,                             /* DEF                                    */
-  0, 0, 0,                       /* BRAZERO, BRAMINZERO, BRAPOSZERO        */
-  0, 0, 0,                       /* MARK, PRUNE, PRUNE_ARG                 */
-  0, 0, 0, 0,                    /* SKIP, SKIP_ARG, THEN, THEN_ARG         */
-  0, 0, 0, 0,                    /* COMMIT, FAIL, ACCEPT, ASSERT_ACCEPT    */
-  0, 0                           /* CLOSE, SKIPZERO  */
-};
-
-/* This table identifies those opcodes that inspect a character. It is used to
-remember the fact that a character could have been inspected when the end of
-the subject is reached. ***NOTE*** If the start of this table is modified, the
-two tables that follow must also be modified. */
-
-static const pcre_uint8 poptable[] = {
-  0,                             /* End                                    */
-  0, 0, 0, 1, 1,                 /* \A, \G, \K, \B, \b                     */
-  1, 1, 1, 1, 1, 1,              /* \D, \d, \S, \s, \W, \w                 */
-  1, 1, 1,                       /* Any, AllAny, Anybyte                   */
-  1, 1,                          /* \P, \p                                 */
-  1, 1, 1, 1, 1,                 /* \R, \H, \h, \V, \v                     */
-  1,                             /* \X                                     */
-  0, 0, 0, 0, 0, 0,              /* \Z, \z, $, $M, ^, ^M                   */
-  1,                             /* Char                                   */
-  1,                             /* Chari                                  */
-  1,                             /* not                                    */
-  1,                             /* noti                                   */
-  /* Positive single-char repeats                                          */
-  1, 1, 1, 1, 1, 1,              /* *, *?, +, +?, ?, ??                    */
-  1, 1, 1,                       /* upto, minupto, exact                   */
-  1, 1, 1, 1,                    /* *+, ++, ?+, upto+                      */
-  1, 1, 1, 1, 1, 1,              /* *I, *?I, +I, +?I, ?I, ??I              */
-  1, 1, 1,                       /* upto I, minupto I, exact I             */
-  1, 1, 1, 1,                    /* *+I, ++I, ?+I, upto+I                  */
-  /* Negative single-char repeats - only for chars < 256                   */
-  1, 1, 1, 1, 1, 1,              /* NOT *, *?, +, +?, ?, ??                */
-  1, 1, 1,                       /* NOT upto, minupto, exact               */
-  1, 1, 1, 1,                    /* NOT *+, ++, ?+, upto+                  */
-  1, 1, 1, 1, 1, 1,              /* NOT *I, *?I, +I, +?I, ?I, ??I          */
-  1, 1, 1,                       /* NOT upto I, minupto I, exact I         */
-  1, 1, 1, 1,                    /* NOT *+I, ++I, ?+I, upto+I              */
-  /* Positive type repeats                                                 */
-  1, 1, 1, 1, 1, 1,              /* Type *, *?, +, +?, ?, ??               */
-  1, 1, 1,                       /* Type upto, minupto, exact              */
-  1, 1, 1, 1,                    /* Type *+, ++, ?+, upto+                 */
-  /* Character class & ref repeats                                         */
-  1, 1, 1, 1, 1, 1,              /* *, *?, +, +?, ?, ??                    */
-  1, 1,                          /* CRRANGE, CRMINRANGE                    */
-  1, 1, 1, 1,                    /* Possessive *+, ++, ?+, CRPOSRANGE      */
-  1,                             /* CLASS                                  */
-  1,                             /* NCLASS                                 */
-  1,                             /* XCLASS - variable length               */
-  0,                             /* REF                                    */
-  0,                             /* REFI                                   */
-  0,                             /* DNREF                                  */
-  0,                             /* DNREFI                                 */
-  0,                             /* RECURSE                                */
-  0,                             /* CALLOUT                                */
-  0,                             /* Alt                                    */
-  0,                             /* Ket                                    */
-  0,                             /* KetRmax                                */
-  0,                             /* KetRmin                                */
-  0,                             /* KetRpos                                */
-  0,                             /* Reverse                                */
-  0,                             /* Assert                                 */
-  0,                             /* Assert not                             */
-  0,                             /* Assert behind                          */
-  0,                             /* Assert behind not                      */
-  0, 0,                          /* ONCE, ONCE_NC                          */
-  0, 0, 0, 0, 0,                 /* BRA, BRAPOS, CBRA, CBRAPOS, COND       */
-  0, 0, 0, 0, 0,                 /* SBRA, SBRAPOS, SCBRA, SCBRAPOS, SCOND  */
-  0, 0,                          /* CREF, DNCREF                           */
-  0, 0,                          /* RREF, DNRREF                           */
-  0,                             /* DEF                                    */
-  0, 0, 0,                       /* BRAZERO, BRAMINZERO, BRAPOSZERO        */
-  0, 0, 0,                       /* MARK, PRUNE, PRUNE_ARG                 */
-  0, 0, 0, 0,                    /* SKIP, SKIP_ARG, THEN, THEN_ARG         */
-  0, 0, 0, 0,                    /* COMMIT, FAIL, ACCEPT, ASSERT_ACCEPT    */
-  0, 0                           /* CLOSE, SKIPZERO                        */
-};
-
-/* These 2 tables allow for compact code for testing for \D, \d, \S, \s, \W,
-and \w */
-
-static const pcre_uint8 toptable1[] = {
-  0, 0, 0, 0, 0, 0,
-  ctype_digit, ctype_digit,
-  ctype_space, ctype_space,
-  ctype_word,  ctype_word,
-  0, 0                            /* OP_ANY, OP_ALLANY */
-};
-
-static const pcre_uint8 toptable2[] = {
-  0, 0, 0, 0, 0, 0,
-  ctype_digit, 0,
-  ctype_space, 0,
-  ctype_word,  0,
-  1, 1                            /* OP_ANY, OP_ALLANY */
-};
-
-
-/* Structure for holding data about a particular state, which is in effect the
-current data for an active path through the match tree. It must consist
-entirely of ints because the working vector we are passed, and which we put
-these structures in, is a vector of ints. */
-
-typedef struct stateblock {
-  int offset;                     /* Offset to opcode */
-  int count;                      /* Count for repeats */
-  int data;                       /* Some use extra data */
-} stateblock;
-
-#define INTS_PER_STATEBLOCK  (int)(sizeof(stateblock)/sizeof(int))
-
-
-#ifdef PCRE_DEBUG
-/*************************************************
-*             Print character string             *
-*************************************************/
-
-/* Character string printing function for debugging.
-
-Arguments:
-  p            points to string
-  length       number of bytes
-  f            where to print
-
-Returns:       nothing
-*/
-
-static void
-pchars(const pcre_uchar *p, int length, FILE *f)
-{
-pcre_uint32 c;
-while (length-- > 0)
-  {
-  if (isprint(c = *(p++)))
-    fprintf(f, "%c", c);
-  else
-    fprintf(f, "\\x{%02x}", c);
-  }
-}
-#endif
-
-
-
-/*************************************************
-*    Execute a Regular Expression - DFA engine   *
-*************************************************/
-
-/* This internal function applies a compiled pattern to a subject string,
-starting at a given point, using a DFA engine. This function is called from the
-external one, possibly multiple times if the pattern is not anchored. The
-function calls itself recursively for some kinds of subpattern.
-
-Arguments:
-  md                the match_data block with fixed information
-  this_start_code   the opening bracket of this subexpression's code
-  current_subject   where we currently are in the subject string
-  start_offset      start offset in the subject string
-  offsets           vector to contain the matching string offsets
-  offsetcount       size of same
-  workspace         vector of workspace
-  wscount           size of same
-  rlevel            function call recursion level
-
-Returns:            > 0 => number of match offset pairs placed in offsets
-                    = 0 => offsets overflowed; longest matches are present
-                     -1 => failed to match
-                   < -1 => some kind of unexpected problem
-
-The following macros are used for adding states to the two state vectors (one
-for the current character, one for the following character). */
-
-#define ADD_ACTIVE(x,y) \
-  if (active_count++ < wscount) \
-    { \
-    next_active_state->offset = (x); \
-    next_active_state->count  = (y); \
-    next_active_state++; \
-    DPRINTF(("%.*sADD_ACTIVE(%d,%d)\n", rlevel*2-2, SP, (x), (y))); \
-    } \
-  else return PCRE_ERROR_DFA_WSSIZE
-
-#define ADD_ACTIVE_DATA(x,y,z) \
-  if (active_count++ < wscount) \
-    { \
-    next_active_state->offset = (x); \
-    next_active_state->count  = (y); \
-    next_active_state->data   = (z); \
-    next_active_state++; \
-    DPRINTF(("%.*sADD_ACTIVE_DATA(%d,%d,%d)\n", rlevel*2-2, SP, (x), (y), (z))); \
-    } \
-  else return PCRE_ERROR_DFA_WSSIZE
-
-#define ADD_NEW(x,y) \
-  if (new_count++ < wscount) \
-    { \
-    next_new_state->offset = (x); \
-    next_new_state->count  = (y); \
-    next_new_state++; \
-    DPRINTF(("%.*sADD_NEW(%d,%d)\n", rlevel*2-2, SP, (x), (y))); \
-    } \
-  else return PCRE_ERROR_DFA_WSSIZE
-
-#define ADD_NEW_DATA(x,y,z) \
-  if (new_count++ < wscount) \
-    { \
-    next_new_state->offset = (x); \
-    next_new_state->count  = (y); \
-    next_new_state->data   = (z); \
-    next_new_state++; \
-    DPRINTF(("%.*sADD_NEW_DATA(%d,%d,%d) line %d\n", rlevel*2-2, SP, \
-      (x), (y), (z), __LINE__)); \
-    } \
-  else return PCRE_ERROR_DFA_WSSIZE
-
-/* And now, here is the code */
-
-static int
-internal_dfa_exec(
-  dfa_match_data *md,
-  const pcre_uchar *this_start_code,
-  const pcre_uchar *current_subject,
-  int start_offset,
-  int *offsets,
-  int offsetcount,
-  int *workspace,
-  int wscount,
-  int  rlevel)
-{
-stateblock *active_states, *new_states, *temp_states;
-stateblock *next_active_state, *next_new_state;
-
-const pcre_uint8 *ctypes, *lcc, *fcc;
-const pcre_uchar *ptr;
-const pcre_uchar *end_code, *first_op;
-
-dfa_recursion_info new_recursive;
-
-int active_count, new_count, match_count;
-
-/* Some fields in the md block are frequently referenced, so we load them into
-independent variables in the hope that this will perform better. */
-
-const pcre_uchar *start_subject = md->start_subject;
-const pcre_uchar *end_subject = md->end_subject;
-const pcre_uchar *start_code = md->start_code;
-
-#ifdef SUPPORT_UTF
-BOOL utf = (md->poptions & PCRE_UTF8) != 0;
-#else
-BOOL utf = FALSE;
-#endif
-
-BOOL reset_could_continue = FALSE;
-
-rlevel++;
-offsetcount &= (-2);
-
-wscount -= 2;
-wscount = (wscount - (wscount % (INTS_PER_STATEBLOCK * 2))) /
-          (2 * INTS_PER_STATEBLOCK);
-
-DPRINTF(("\n%.*s---------------------\n"
-  "%.*sCall to internal_dfa_exec f=%d\n",
-  rlevel*2-2, SP, rlevel*2-2, SP, rlevel));
-
-ctypes = md->tables + ctypes_offset;
-lcc = md->tables + lcc_offset;
-fcc = md->tables + fcc_offset;
-
-match_count = PCRE_ERROR_NOMATCH;   /* A negative number */
-
-active_states = (stateblock *)(workspace + 2);
-next_new_state = new_states = active_states + wscount;
-new_count = 0;
-
-first_op = this_start_code + 1 + LINK_SIZE +
-  ((*this_start_code == OP_CBRA || *this_start_code == OP_SCBRA ||
-    *this_start_code == OP_CBRAPOS || *this_start_code == OP_SCBRAPOS)
-    ? IMM2_SIZE:0);
-
-/* The first thing in any (sub) pattern is a bracket of some sort. Push all
-the alternative states onto the list, and find out where the end is. This
-makes is possible to use this function recursively, when we want to stop at a
-matching internal ket rather than at the end.
-
-If the first opcode in the first alternative is OP_REVERSE, we are dealing with
-a backward assertion. In that case, we have to find out the maximum amount to
-move back, and set up each alternative appropriately. */
-
-if (*first_op == OP_REVERSE)
-  {
-  int max_back = 0;
-  int gone_back;
-
-  end_code = this_start_code;
-  do
-    {
-    int back = GET(end_code, 2+LINK_SIZE);
-    if (back > max_back) max_back = back;
-    end_code += GET(end_code, 1);
-    }
-  while (*end_code == OP_ALT);
-
-  /* If we can't go back the amount required for the longest lookbehind
-  pattern, go back as far as we can; some alternatives may still be viable. */
-
-#ifdef SUPPORT_UTF
-  /* In character mode we have to step back character by character */
-
-  if (utf)
-    {
-    for (gone_back = 0; gone_back < max_back; gone_back++)
-      {
-      if (current_subject <= start_subject) break;
-      current_subject--;
-      ACROSSCHAR(current_subject > start_subject, *current_subject, current_subject--);
-      }
-    }
-  else
-#endif
-
-  /* In byte-mode we can do this quickly. */
-
-    {
-    gone_back = (current_subject - max_back < start_subject)?
-      (int)(current_subject - start_subject) : max_back;
-    current_subject -= gone_back;
-    }
-
-  /* Save the earliest consulted character */
-
-  if (current_subject < md->start_used_ptr)
-    md->start_used_ptr = current_subject;
-
-  /* Now we can process the individual branches. */
-
-  end_code = this_start_code;
-  do
-    {
-    int back = GET(end_code, 2+LINK_SIZE);
-    if (back <= gone_back)
-      {
-      int bstate = (int)(end_code - start_code + 2 + 2*LINK_SIZE);
-      ADD_NEW_DATA(-bstate, 0, gone_back - back);
-      }
-    end_code += GET(end_code, 1);
-    }
-  while (*end_code == OP_ALT);
- }
-
-/* This is the code for a "normal" subpattern (not a backward assertion). The
-start of a whole pattern is always one of these. If we are at the top level,
-we may be asked to restart matching from the same point that we reached for a
-previous partial match. We still have to scan through the top-level branches to
-find the end state. */
-
-else
-  {
-  end_code = this_start_code;
-
-  /* Restarting */
-
-  if (rlevel == 1 && (md->moptions & PCRE_DFA_RESTART) != 0)
-    {
-    do { end_code += GET(end_code, 1); } while (*end_code == OP_ALT);
-    new_count = workspace[1];
-    if (!workspace[0])
-      memcpy(new_states, active_states, new_count * sizeof(stateblock));
-    }
-
-  /* Not restarting */
-
-  else
-    {
-    int length = 1 + LINK_SIZE +
-      ((*this_start_code == OP_CBRA || *this_start_code == OP_SCBRA ||
-        *this_start_code == OP_CBRAPOS || *this_start_code == OP_SCBRAPOS)
-        ? IMM2_SIZE:0);
-    do
-      {
-      ADD_NEW((int)(end_code - start_code + length), 0);
-      end_code += GET(end_code, 1);
-      length = 1 + LINK_SIZE;
-      }
-    while (*end_code == OP_ALT);
-    }
-  }
-
-workspace[0] = 0;    /* Bit indicating which vector is current */
-
-DPRINTF(("%.*sEnd state = %d\n", rlevel*2-2, SP, (int)(end_code - start_code)));
-
-/* Loop for scanning the subject */
-
-ptr = current_subject;
-for (;;)
-  {
-  int i, j;
-  int clen, dlen;
-  pcre_uint32 c, d;
-  int forced_fail = 0;
-  BOOL partial_newline = FALSE;
-  BOOL could_continue = reset_could_continue;
-  reset_could_continue = FALSE;
-
-  /* Make the new state list into the active state list and empty the
-  new state list. */
-
-  temp_states = active_states;
-  active_states = new_states;
-  new_states = temp_states;
-  active_count = new_count;
-  new_count = 0;
-
-  workspace[0] ^= 1;              /* Remember for the restarting feature */
-  workspace[1] = active_count;
-
-#ifdef PCRE_DEBUG
-  printf("%.*sNext character: rest of subject = \"", rlevel*2-2, SP);
-  pchars(ptr, STRLEN_UC(ptr), stdout);
-  printf("\"\n");
-
-  printf("%.*sActive states: ", rlevel*2-2, SP);
-  for (i = 0; i < active_count; i++)
-    printf("%d/%d ", active_states[i].offset, active_states[i].count);
-  printf("\n");
-#endif
-
-  /* Set the pointers for adding new states */
-
-  next_active_state = active_states + active_count;
-  next_new_state = new_states;
-
-  /* Load the current character from the subject outside the loop, as many
-  different states may want to look at it, and we assume that at least one
-  will. */
-
-  if (ptr < end_subject)
-    {
-    clen = 1;        /* Number of data items in the character */
-#ifdef SUPPORT_UTF
-    GETCHARLENTEST(c, ptr, clen);
-#else
-    c = *ptr;
-#endif  /* SUPPORT_UTF */
-    }
-  else
-    {
-    clen = 0;        /* This indicates the end of the subject */
-    c = NOTACHAR;    /* This value should never actually be used */
-    }
-
-  /* Scan up the active states and act on each one. The result of an action
-  may be to add more states to the currently active list (e.g. on hitting a
-  parenthesis) or it may be to put states on the new list, for considering
-  when we move the character pointer on. */
-
-  for (i = 0; i < active_count; i++)
-    {
-    stateblock *current_state = active_states + i;
-    BOOL caseless = FALSE;
-    const pcre_uchar *code;
-    int state_offset = current_state->offset;
-    int codevalue, rrc;
-    int count;
-
-#ifdef PCRE_DEBUG
-    printf ("%.*sProcessing state %d c=", rlevel*2-2, SP, state_offset);
-    if (clen == 0) printf("EOL\n");
-      else if (c > 32 && c < 127) printf("'%c'\n", c);
-        else printf("0x%02x\n", c);
-#endif
-
-    /* A negative offset is a special case meaning "hold off going to this
-    (negated) state until the number of characters in the data field have
-    been skipped". If the could_continue flag was passed over from a previous
-    state, arrange for it to passed on. */
-
-    if (state_offset < 0)
-      {
-      if (current_state->data > 0)
-        {
-        DPRINTF(("%.*sSkipping this character\n", rlevel*2-2, SP));
-        ADD_NEW_DATA(state_offset, current_state->count,
-          current_state->data - 1);
-        if (could_continue) reset_could_continue = TRUE;
-        continue;
-        }
-      else
-        {
-        current_state->offset = state_offset = -state_offset;
-        }
-      }
-
-    /* Check for a duplicate state with the same count, and skip if found.
-    See the note at the head of this module about the possibility of improving
-    performance here. */
-
-    for (j = 0; j < i; j++)
-      {
-      if (active_states[j].offset == state_offset &&
-          active_states[j].count == current_state->count)
-        {
-        DPRINTF(("%.*sDuplicate state: skipped\n", rlevel*2-2, SP));
-        goto NEXT_ACTIVE_STATE;
-        }
-      }
-
-    /* The state offset is the offset to the opcode */
-
-    code = start_code + state_offset;
-    codevalue = *code;
-
-    /* If this opcode inspects a character, but we are at the end of the
-    subject, remember the fact for use when testing for a partial match. */
-
-    if (clen == 0 && poptable[codevalue] != 0)
-      could_continue = TRUE;
-
-    /* If this opcode is followed by an inline character, load it. It is
-    tempting to test for the presence of a subject character here, but that
-    is wrong, because sometimes zero repetitions of the subject are
-    permitted.
-
-    We also use this mechanism for opcodes such as OP_TYPEPLUS that take an
-    argument that is not a data character - but is always one byte long because
-    the values are small. We have to take special action to deal with  \P, \p,
-    \H, \h, \V, \v and \X in this case. To keep the other cases fast, convert
-    these ones to new opcodes. */
-
-    if (coptable[codevalue] > 0)
-      {
-      dlen = 1;
-#ifdef SUPPORT_UTF
-      if (utf) { GETCHARLEN(d, (code + coptable[codevalue]), dlen); } else
-#endif  /* SUPPORT_UTF */
-      d = code[coptable[codevalue]];
-      if (codevalue >= OP_TYPESTAR)
-        {
-        switch(d)
-          {
-          case OP_ANYBYTE: return PCRE_ERROR_DFA_UITEM;
-          case OP_NOTPROP:
-          case OP_PROP: codevalue += OP_PROP_EXTRA; break;
-          case OP_ANYNL: codevalue += OP_ANYNL_EXTRA; break;
-          case OP_EXTUNI: codevalue += OP_EXTUNI_EXTRA; break;
-          case OP_NOT_HSPACE:
-          case OP_HSPACE: codevalue += OP_HSPACE_EXTRA; break;
-          case OP_NOT_VSPACE:
-          case OP_VSPACE: codevalue += OP_VSPACE_EXTRA; break;
-          default: break;
-          }
-        }
-      }
-    else
-      {
-      dlen = 0;         /* Not strictly necessary, but compilers moan */
-      d = NOTACHAR;     /* if these variables are not set. */
-      }
-
-
-    /* Now process the individual opcodes */
-
-    switch (codevalue)
-      {
-/* ========================================================================== */
-      /* These cases are never obeyed. This is a fudge that causes a compile-
-      time error if the vectors coptable or poptable, which are indexed by
-      opcode, are not the correct length. It seems to be the only way to do
-      such a check at compile time, as the sizeof() operator does not work
-      in the C preprocessor. */
-
-      case OP_TABLE_LENGTH:
-      case OP_TABLE_LENGTH +
-        ((sizeof(coptable) == OP_TABLE_LENGTH) &&
-         (sizeof(poptable) == OP_TABLE_LENGTH)):
-      break;
-
-/* ========================================================================== */
-      /* Reached a closing bracket. If not at the end of the pattern, carry
-      on with the next opcode. For repeating opcodes, also add the repeat
-      state. Note that KETRPOS will always be encountered at the end of the
-      subpattern, because the possessive subpattern repeats are always handled
-      using recursive calls. Thus, it never adds any new states.
-
-      At the end of the (sub)pattern, unless we have an empty string and
-      PCRE_NOTEMPTY is set, or PCRE_NOTEMPTY_ATSTART is set and we are at the
-      start of the subject, save the match data, shifting up all previous
-      matches so we always have the longest first. */
-
-      case OP_KET:
-      case OP_KETRMIN:
-      case OP_KETRMAX:
-      case OP_KETRPOS:
-      if (code != end_code)
-        {
-        ADD_ACTIVE(state_offset + 1 + LINK_SIZE, 0);
-        if (codevalue != OP_KET)
-          {
-          ADD_ACTIVE(state_offset - GET(code, 1), 0);
-          }
-        }
-      else
-        {
-        if (ptr > current_subject ||
-            ((md->moptions & PCRE_NOTEMPTY) == 0 &&
-              ((md->moptions & PCRE_NOTEMPTY_ATSTART) == 0 ||
-                current_subject > start_subject + md->start_offset)))
-          {
-          if (match_count < 0) match_count = (offsetcount >= 2)? 1 : 0;
-            else if (match_count > 0 && ++match_count * 2 > offsetcount)
-              match_count = 0;
-          count = ((match_count == 0)? offsetcount : match_count * 2) - 2;
-          if (count > 0) memmove(offsets + 2, offsets, count * sizeof(int));
-          if (offsetcount >= 2)
-            {
-            offsets[0] = (int)(current_subject - start_subject);
-            offsets[1] = (int)(ptr - start_subject);
-            DPRINTF(("%.*sSet matched string = \"%.*s\"\n", rlevel*2-2, SP,
-              offsets[1] - offsets[0], (char *)current_subject));
-            }
-          if ((md->moptions & PCRE_DFA_SHORTEST) != 0)
-            {
-            DPRINTF(("%.*sEnd of internal_dfa_exec %d: returning %d\n"
-              "%.*s---------------------\n\n", rlevel*2-2, SP, rlevel,
-              match_count, rlevel*2-2, SP));
-            return match_count;
-            }
-          }
-        }
-      break;
-
-/* ========================================================================== */
-      /* These opcodes add to the current list of states without looking
-      at the current character. */
-
-      /*-----------------------------------------------------------------*/
-      case OP_ALT:
-      do { code += GET(code, 1); } while (*code == OP_ALT);
-      ADD_ACTIVE((int)(code - start_code), 0);
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_BRA:
-      case OP_SBRA:
-      do
-        {
-        ADD_ACTIVE((int)(code - start_code + 1 + LINK_SIZE), 0);
-        code += GET(code, 1);
-        }
-      while (*code == OP_ALT);
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_CBRA:
-      case OP_SCBRA:
-      ADD_ACTIVE((int)(code - start_code + 1 + LINK_SIZE + IMM2_SIZE),  0);
-      code += GET(code, 1);
-      while (*code == OP_ALT)
-        {
-        ADD_ACTIVE((int)(code - start_code + 1 + LINK_SIZE),  0);
-        code += GET(code, 1);
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_BRAZERO:
-      case OP_BRAMINZERO:
-      ADD_ACTIVE(state_offset + 1, 0);
-      code += 1 + GET(code, 2);
-      while (*code == OP_ALT) code += GET(code, 1);
-      ADD_ACTIVE((int)(code - start_code + 1 + LINK_SIZE), 0);
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_SKIPZERO:
-      code += 1 + GET(code, 2);
-      while (*code == OP_ALT) code += GET(code, 1);
-      ADD_ACTIVE((int)(code - start_code + 1 + LINK_SIZE), 0);
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_CIRC:
-      if (ptr == start_subject && (md->moptions & PCRE_NOTBOL) == 0)
-        { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_CIRCM:
-      if ((ptr == start_subject && (md->moptions & PCRE_NOTBOL) == 0) ||
-          (ptr != end_subject && WAS_NEWLINE(ptr)))
-        { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EOD:
-      if (ptr >= end_subject)
-        {
-        if ((md->moptions & PCRE_PARTIAL_HARD) != 0)
-          could_continue = TRUE;
-        else { ADD_ACTIVE(state_offset + 1, 0); }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_SOD:
-      if (ptr == start_subject) { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_SOM:
-      if (ptr == start_subject + start_offset) { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-
-/* ========================================================================== */
-      /* These opcodes inspect the next subject character, and sometimes
-      the previous one as well, but do not have an argument. The variable
-      clen contains the length of the current character and is zero if we are
-      at the end of the subject. */
-
-      /*-----------------------------------------------------------------*/
-      case OP_ANY:
-      if (clen > 0 && !IS_NEWLINE(ptr))
-        {
-        if (ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else
-          {
-          ADD_NEW(state_offset + 1, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_ALLANY:
-      if (clen > 0)
-        { ADD_NEW(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EODN:
-      if (clen == 0 && (md->moptions & PCRE_PARTIAL_HARD) != 0)
-        could_continue = TRUE;
-      else if (clen == 0 || (IS_NEWLINE(ptr) && ptr == end_subject - md->nllen))
-        { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_DOLL:
-      if ((md->moptions & PCRE_NOTEOL) == 0)
-        {
-        if (clen == 0 && (md->moptions & PCRE_PARTIAL_HARD) != 0)
-          could_continue = TRUE;
-        else if (clen == 0 ||
-            ((md->poptions & PCRE_DOLLAR_ENDONLY) == 0 && IS_NEWLINE(ptr) &&
-               (ptr == end_subject - md->nllen)
-            ))
-          { ADD_ACTIVE(state_offset + 1, 0); }
-        else if (ptr + 1 >= md->end_subject &&
-                 (md->moptions & (PCRE_PARTIAL_HARD|PCRE_PARTIAL_SOFT)) != 0 &&
-                 NLBLOCK->nltype == NLTYPE_FIXED &&
-                 NLBLOCK->nllen == 2 &&
-                 c == NLBLOCK->nl[0])
-          {
-          if ((md->moptions & PCRE_PARTIAL_HARD) != 0)
-            {
-            reset_could_continue = TRUE;
-            ADD_NEW_DATA(-(state_offset + 1), 0, 1);
-            }
-          else could_continue = partial_newline = TRUE;
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_DOLLM:
-      if ((md->moptions & PCRE_NOTEOL) == 0)
-        {
-        if (clen == 0 && (md->moptions & PCRE_PARTIAL_HARD) != 0)
-          could_continue = TRUE;
-        else if (clen == 0 ||
-            ((md->poptions & PCRE_DOLLAR_ENDONLY) == 0 && IS_NEWLINE(ptr)))
-          { ADD_ACTIVE(state_offset + 1, 0); }
-        else if (ptr + 1 >= md->end_subject &&
-                 (md->moptions & (PCRE_PARTIAL_HARD|PCRE_PARTIAL_SOFT)) != 0 &&
-                 NLBLOCK->nltype == NLTYPE_FIXED &&
-                 NLBLOCK->nllen == 2 &&
-                 c == NLBLOCK->nl[0])
-          {
-          if ((md->moptions & PCRE_PARTIAL_HARD) != 0)
-            {
-            reset_could_continue = TRUE;
-            ADD_NEW_DATA(-(state_offset + 1), 0, 1);
-            }
-          else could_continue = partial_newline = TRUE;
-          }
-        }
-      else if (IS_NEWLINE(ptr))
-        { ADD_ACTIVE(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-
-      case OP_DIGIT:
-      case OP_WHITESPACE:
-      case OP_WORDCHAR:
-      if (clen > 0 && c < 256 &&
-            ((ctypes[c] & toptable1[codevalue]) ^ toptable2[codevalue]) != 0)
-        { ADD_NEW(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_NOT_DIGIT:
-      case OP_NOT_WHITESPACE:
-      case OP_NOT_WORDCHAR:
-      if (clen > 0 && (c >= 256 ||
-            ((ctypes[c] & toptable1[codevalue]) ^ toptable2[codevalue]) != 0))
-        { ADD_NEW(state_offset + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_WORD_BOUNDARY:
-      case OP_NOT_WORD_BOUNDARY:
-        {
-        int left_word, right_word;
-
-        if (ptr > start_subject)
-          {
-          const pcre_uchar *temp = ptr - 1;
-          if (temp < md->start_used_ptr) md->start_used_ptr = temp;
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-          if (utf) { BACKCHAR(temp); }
-#endif
-          GETCHARTEST(d, temp);
-#ifdef SUPPORT_UCP
-          if ((md->poptions & PCRE_UCP) != 0)
-            {
-            if (d == '_') left_word = TRUE; else
-              {
-              int cat = UCD_CATEGORY(d);
-              left_word = (cat == ucp_L || cat == ucp_N);
-              }
-            }
-          else
-#endif
-          left_word = d < 256 && (ctypes[d] & ctype_word) != 0;
-          }
-        else left_word = FALSE;
-
-        if (clen > 0)
-          {
-#ifdef SUPPORT_UCP
-          if ((md->poptions & PCRE_UCP) != 0)
-            {
-            if (c == '_') right_word = TRUE; else
-              {
-              int cat = UCD_CATEGORY(c);
-              right_word = (cat == ucp_L || cat == ucp_N);
-              }
-            }
-          else
-#endif
-          right_word = c < 256 && (ctypes[c] & ctype_word) != 0;
-          }
-        else right_word = FALSE;
-
-        if ((left_word == right_word) == (codevalue == OP_NOT_WORD_BOUNDARY))
-          { ADD_ACTIVE(state_offset + 1, 0); }
-        }
-      break;
-
-
-      /*-----------------------------------------------------------------*/
-      /* Check the next character by Unicode property. We will get here only
-      if the support is in the binary; otherwise a compile-time error occurs.
-      */
-
-#ifdef SUPPORT_UCP
-      case OP_PROP:
-      case OP_NOTPROP:
-      if (clen > 0)
-        {
-        BOOL OK;
-        const pcre_uint32 *cp;
-        const ucd_record * prop = GET_UCD(c);
-        switch(code[1])
-          {
-          case PT_ANY:
-          OK = TRUE;
-          break;
-
-          case PT_LAMP:
-          OK = prop->chartype == ucp_Lu || prop->chartype == ucp_Ll ||
-               prop->chartype == ucp_Lt;
-          break;
-
-          case PT_GC:
-          OK = PRIV(ucp_gentype)[prop->chartype] == code[2];
-          break;
-
-          case PT_PC:
-          OK = prop->chartype == code[2];
-          break;
-
-          case PT_SC:
-          OK = prop->script == code[2];
-          break;
-
-          /* These are specials for combination cases. */
-
-          case PT_ALNUM:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N;
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          switch(c)
-            {
-            HSPACE_CASES:
-            VSPACE_CASES:
-            OK = TRUE;
-            break;
-
-            default:
-            OK = PRIV(ucp_gentype)[prop->chartype] == ucp_Z;
-            break;
-            }
-          break;
-
-          case PT_WORD:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-               c == CHAR_UNDERSCORE;
-          break;
-
-          case PT_CLIST:
-          cp = PRIV(ucd_caseless_sets) + code[2];
-          for (;;)
-            {
-            if (c < *cp) { OK = FALSE; break; }
-            if (c == *cp++) { OK = TRUE; break; }
-            }
-          break;
-
-          case PT_UCNC:
-          OK = c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-               c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-               c >= 0xe000;
-          break;
-
-          /* Should never occur, but keep compilers from grumbling. */
-
-          default:
-          OK = codevalue != OP_PROP;
-          break;
-          }
-
-        if (OK == (codevalue == OP_PROP)) { ADD_NEW(state_offset + 3, 0); }
-        }
-      break;
-#endif
-
-
-
-/* ========================================================================== */
-      /* These opcodes likewise inspect the subject character, but have an
-      argument that is not a data character. It is one of these opcodes:
-      OP_ANY, OP_ALLANY, OP_DIGIT, OP_NOT_DIGIT, OP_WHITESPACE, OP_NOT_SPACE,
-      OP_WORDCHAR, OP_NOT_WORDCHAR. The value is loaded into d. */
-
-      case OP_TYPEPLUS:
-      case OP_TYPEMINPLUS:
-      case OP_TYPEPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 2, 0); }
-      if (clen > 0)
-        {
-        if (d == OP_ANY && ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else if ((c >= 256 && d != OP_DIGIT && d != OP_WHITESPACE && d != OP_WORDCHAR) ||
-            (c < 256 &&
-              (d != OP_ANY || !IS_NEWLINE(ptr)) &&
-              ((ctypes[c] & toptable1[d]) ^ toptable2[d]) != 0))
-          {
-          if (count > 0 && codevalue == OP_TYPEPOSPLUS)
-            {
-            active_count--;            /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW(state_offset, count);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_TYPEQUERY:
-      case OP_TYPEMINQUERY:
-      case OP_TYPEPOSQUERY:
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        if (d == OP_ANY && ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else if ((c >= 256 && d != OP_DIGIT && d != OP_WHITESPACE && d != OP_WORDCHAR) ||
-            (c < 256 &&
-              (d != OP_ANY || !IS_NEWLINE(ptr)) &&
-              ((ctypes[c] & toptable1[d]) ^ toptable2[d]) != 0))
-          {
-          if (codevalue == OP_TYPEPOSQUERY)
-            {
-            active_count--;            /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW(state_offset + 2, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_TYPESTAR:
-      case OP_TYPEMINSTAR:
-      case OP_TYPEPOSSTAR:
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        if (d == OP_ANY && ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else if ((c >= 256 && d != OP_DIGIT && d != OP_WHITESPACE && d != OP_WORDCHAR) ||
-            (c < 256 &&
-              (d != OP_ANY || !IS_NEWLINE(ptr)) &&
-              ((ctypes[c] & toptable1[d]) ^ toptable2[d]) != 0))
-          {
-          if (codevalue == OP_TYPEPOSSTAR)
-            {
-            active_count--;            /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW(state_offset, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_TYPEEXACT:
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        if (d == OP_ANY && ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else if ((c >= 256 && d != OP_DIGIT && d != OP_WHITESPACE && d != OP_WORDCHAR) ||
-            (c < 256 &&
-              (d != OP_ANY || !IS_NEWLINE(ptr)) &&
-              ((ctypes[c] & toptable1[d]) ^ toptable2[d]) != 0))
-          {
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW(state_offset + 1 + IMM2_SIZE + 1, 0); }
-          else
-            { ADD_NEW(state_offset, count); }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_TYPEUPTO:
-      case OP_TYPEMINUPTO:
-      case OP_TYPEPOSUPTO:
-      ADD_ACTIVE(state_offset + 2 + IMM2_SIZE, 0);
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        if (d == OP_ANY && ptr + 1 >= md->end_subject &&
-            (md->moptions & (PCRE_PARTIAL_HARD)) != 0 &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            c == NLBLOCK->nl[0])
-          {
-          could_continue = partial_newline = TRUE;
-          }
-        else if ((c >= 256 && d != OP_DIGIT && d != OP_WHITESPACE && d != OP_WORDCHAR) ||
-            (c < 256 &&
-              (d != OP_ANY || !IS_NEWLINE(ptr)) &&
-              ((ctypes[c] & toptable1[d]) ^ toptable2[d]) != 0))
-          {
-          if (codevalue == OP_TYPEPOSUPTO)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW(state_offset + 2 + IMM2_SIZE, 0); }
-          else
-            { ADD_NEW(state_offset, count); }
-          }
-        }
-      break;
-
-/* ========================================================================== */
-      /* These are virtual opcodes that are used when something like
-      OP_TYPEPLUS has OP_PROP, OP_NOTPROP, OP_ANYNL, or OP_EXTUNI as its
-      argument. It keeps the code above fast for the other cases. The argument
-      is in the d variable. */
-
-#ifdef SUPPORT_UCP
-      case OP_PROP_EXTRA + OP_TYPEPLUS:
-      case OP_PROP_EXTRA + OP_TYPEMINPLUS:
-      case OP_PROP_EXTRA + OP_TYPEPOSPLUS:
-      count = current_state->count;           /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 4, 0); }
-      if (clen > 0)
-        {
-        BOOL OK;
-        const pcre_uint32 *cp;
-        const ucd_record * prop = GET_UCD(c);
-        switch(code[2])
-          {
-          case PT_ANY:
-          OK = TRUE;
-          break;
-
-          case PT_LAMP:
-          OK = prop->chartype == ucp_Lu || prop->chartype == ucp_Ll ||
-            prop->chartype == ucp_Lt;
-          break;
-
-          case PT_GC:
-          OK = PRIV(ucp_gentype)[prop->chartype] == code[3];
-          break;
-
-          case PT_PC:
-          OK = prop->chartype == code[3];
-          break;
-
-          case PT_SC:
-          OK = prop->script == code[3];
-          break;
-
-          /* These are specials for combination cases. */
-
-          case PT_ALNUM:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N;
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          switch(c)
-            {
-            HSPACE_CASES:
-            VSPACE_CASES:
-            OK = TRUE;
-            break;
-
-            default:
-            OK = PRIV(ucp_gentype)[prop->chartype] == ucp_Z;
-            break;
-            }
-          break;
-
-          case PT_WORD:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-               c == CHAR_UNDERSCORE;
-          break;
-
-          case PT_CLIST:
-          cp = PRIV(ucd_caseless_sets) + code[3];
-          for (;;)
-            {
-            if (c < *cp) { OK = FALSE; break; }
-            if (c == *cp++) { OK = TRUE; break; }
-            }
-          break;
-
-          case PT_UCNC:
-          OK = c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-               c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-               c >= 0xe000;
-          break;
-
-          /* Should never occur, but keep compilers from grumbling. */
-
-          default:
-          OK = codevalue != OP_PROP;
-          break;
-          }
-
-        if (OK == (d == OP_PROP))
-          {
-          if (count > 0 && codevalue == OP_PROP_EXTRA + OP_TYPEPOSPLUS)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW(state_offset, count);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EXTUNI_EXTRA + OP_TYPEPLUS:
-      case OP_EXTUNI_EXTRA + OP_TYPEMINPLUS:
-      case OP_EXTUNI_EXTRA + OP_TYPEPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 2, 0); }
-      if (clen > 0)
-        {
-        int lgb, rgb;
-        const pcre_uchar *nptr = ptr + clen;
-        int ncount = 0;
-        if (count > 0 && codevalue == OP_EXTUNI_EXTRA + OP_TYPEPOSPLUS)
-          {
-          active_count--;           /* Remove non-match possibility */
-          next_active_state--;
-          }
-        lgb = UCD_GRAPHBREAK(c);
-        while (nptr < end_subject)
-          {
-          dlen = 1;
-          if (!utf) d = *nptr; else { GETCHARLEN(d, nptr, dlen); }
-          rgb = UCD_GRAPHBREAK(d);
-          if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-          ncount++;
-          lgb = rgb;
-          nptr += dlen;
-          }
-        count++;
-        ADD_NEW_DATA(-state_offset, count, ncount);
-        }
-      break;
-#endif
-
-      /*-----------------------------------------------------------------*/
-      case OP_ANYNL_EXTRA + OP_TYPEPLUS:
-      case OP_ANYNL_EXTRA + OP_TYPEMINPLUS:
-      case OP_ANYNL_EXTRA + OP_TYPEPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 2, 0); }
-      if (clen > 0)
-        {
-        int ncount = 0;
-        switch (c)
-          {
-          case CHAR_VT:
-          case CHAR_FF:
-          case CHAR_NEL:
-#ifndef EBCDIC
-          case 0x2028:
-          case 0x2029:
-#endif  /* Not EBCDIC */
-          if ((md->moptions & PCRE_BSR_ANYCRLF) != 0) break;
-          goto ANYNL01;
-
-          case CHAR_CR:
-          if (ptr + 1 < end_subject && UCHAR21TEST(ptr + 1) == CHAR_LF) ncount = 1;
-          /* Fall through */
-
-          ANYNL01:
-          case CHAR_LF:
-          if (count > 0 && codevalue == OP_ANYNL_EXTRA + OP_TYPEPOSPLUS)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW_DATA(-state_offset, count, ncount);
-          break;
-
-          default:
-          break;
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_VSPACE_EXTRA + OP_TYPEPLUS:
-      case OP_VSPACE_EXTRA + OP_TYPEMINPLUS:
-      case OP_VSPACE_EXTRA + OP_TYPEPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 2, 0); }
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          VSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          break;
-          }
-
-        if (OK == (d == OP_VSPACE))
-          {
-          if (count > 0 && codevalue == OP_VSPACE_EXTRA + OP_TYPEPOSPLUS)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW_DATA(-state_offset, count, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_HSPACE_EXTRA + OP_TYPEPLUS:
-      case OP_HSPACE_EXTRA + OP_TYPEMINPLUS:
-      case OP_HSPACE_EXTRA + OP_TYPEPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + 2, 0); }
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          HSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          break;
-          }
-
-        if (OK == (d == OP_HSPACE))
-          {
-          if (count > 0 && codevalue == OP_HSPACE_EXTRA + OP_TYPEPOSPLUS)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW_DATA(-state_offset, count, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-#ifdef SUPPORT_UCP
-      case OP_PROP_EXTRA + OP_TYPEQUERY:
-      case OP_PROP_EXTRA + OP_TYPEMINQUERY:
-      case OP_PROP_EXTRA + OP_TYPEPOSQUERY:
-      count = 4;
-      goto QS1;
-
-      case OP_PROP_EXTRA + OP_TYPESTAR:
-      case OP_PROP_EXTRA + OP_TYPEMINSTAR:
-      case OP_PROP_EXTRA + OP_TYPEPOSSTAR:
-      count = 0;
-
-      QS1:
-
-      ADD_ACTIVE(state_offset + 4, 0);
-      if (clen > 0)
-        {
-        BOOL OK;
-        const pcre_uint32 *cp;
-        const ucd_record * prop = GET_UCD(c);
-        switch(code[2])
-          {
-          case PT_ANY:
-          OK = TRUE;
-          break;
-
-          case PT_LAMP:
-          OK = prop->chartype == ucp_Lu || prop->chartype == ucp_Ll ||
-            prop->chartype == ucp_Lt;
-          break;
-
-          case PT_GC:
-          OK = PRIV(ucp_gentype)[prop->chartype] == code[3];
-          break;
-
-          case PT_PC:
-          OK = prop->chartype == code[3];
-          break;
-
-          case PT_SC:
-          OK = prop->script == code[3];
-          break;
-
-          /* These are specials for combination cases. */
-
-          case PT_ALNUM:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N;
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          switch(c)
-            {
-            HSPACE_CASES:
-            VSPACE_CASES:
-            OK = TRUE;
-            break;
-
-            default:
-            OK = PRIV(ucp_gentype)[prop->chartype] == ucp_Z;
-            break;
-            }
-          break;
-
-          case PT_WORD:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-               c == CHAR_UNDERSCORE;
-          break;
-
-          case PT_CLIST:
-          cp = PRIV(ucd_caseless_sets) + code[3];
-          for (;;)
-            {
-            if (c < *cp) { OK = FALSE; break; }
-            if (c == *cp++) { OK = TRUE; break; }
-            }
-          break;
-
-          case PT_UCNC:
-          OK = c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-               c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-               c >= 0xe000;
-          break;
-
-          /* Should never occur, but keep compilers from grumbling. */
-
-          default:
-          OK = codevalue != OP_PROP;
-          break;
-          }
-
-        if (OK == (d == OP_PROP))
-          {
-          if (codevalue == OP_PROP_EXTRA + OP_TYPEPOSSTAR ||
-              codevalue == OP_PROP_EXTRA + OP_TYPEPOSQUERY)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW(state_offset + count, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EXTUNI_EXTRA + OP_TYPEQUERY:
-      case OP_EXTUNI_EXTRA + OP_TYPEMINQUERY:
-      case OP_EXTUNI_EXTRA + OP_TYPEPOSQUERY:
-      count = 2;
-      goto QS2;
-
-      case OP_EXTUNI_EXTRA + OP_TYPESTAR:
-      case OP_EXTUNI_EXTRA + OP_TYPEMINSTAR:
-      case OP_EXTUNI_EXTRA + OP_TYPEPOSSTAR:
-      count = 0;
-
-      QS2:
-
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        int lgb, rgb;
-        const pcre_uchar *nptr = ptr + clen;
-        int ncount = 0;
-        if (codevalue == OP_EXTUNI_EXTRA + OP_TYPEPOSSTAR ||
-            codevalue == OP_EXTUNI_EXTRA + OP_TYPEPOSQUERY)
-          {
-          active_count--;           /* Remove non-match possibility */
-          next_active_state--;
-          }
-        lgb = UCD_GRAPHBREAK(c);
-        while (nptr < end_subject)
-          {
-          dlen = 1;
-          if (!utf) d = *nptr; else { GETCHARLEN(d, nptr, dlen); }
-          rgb = UCD_GRAPHBREAK(d);
-          if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-          ncount++;
-          lgb = rgb;
-          nptr += dlen;
-          }
-        ADD_NEW_DATA(-(state_offset + count), 0, ncount);
-        }
-      break;
-#endif
-
-      /*-----------------------------------------------------------------*/
-      case OP_ANYNL_EXTRA + OP_TYPEQUERY:
-      case OP_ANYNL_EXTRA + OP_TYPEMINQUERY:
-      case OP_ANYNL_EXTRA + OP_TYPEPOSQUERY:
-      count = 2;
-      goto QS3;
-
-      case OP_ANYNL_EXTRA + OP_TYPESTAR:
-      case OP_ANYNL_EXTRA + OP_TYPEMINSTAR:
-      case OP_ANYNL_EXTRA + OP_TYPEPOSSTAR:
-      count = 0;
-
-      QS3:
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        int ncount = 0;
-        switch (c)
-          {
-          case CHAR_VT:
-          case CHAR_FF:
-          case CHAR_NEL:
-#ifndef EBCDIC
-          case 0x2028:
-          case 0x2029:
-#endif  /* Not EBCDIC */
-          if ((md->moptions & PCRE_BSR_ANYCRLF) != 0) break;
-          goto ANYNL02;
-
-          case CHAR_CR:
-          if (ptr + 1 < end_subject && UCHAR21TEST(ptr + 1) == CHAR_LF) ncount = 1;
-          /* Fall through */
-
-          ANYNL02:
-          case CHAR_LF:
-          if (codevalue == OP_ANYNL_EXTRA + OP_TYPEPOSSTAR ||
-              codevalue == OP_ANYNL_EXTRA + OP_TYPEPOSQUERY)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW_DATA(-(state_offset + (int)count), 0, ncount);
-          break;
-
-          default:
-          break;
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_VSPACE_EXTRA + OP_TYPEQUERY:
-      case OP_VSPACE_EXTRA + OP_TYPEMINQUERY:
-      case OP_VSPACE_EXTRA + OP_TYPEPOSQUERY:
-      count = 2;
-      goto QS4;
-
-      case OP_VSPACE_EXTRA + OP_TYPESTAR:
-      case OP_VSPACE_EXTRA + OP_TYPEMINSTAR:
-      case OP_VSPACE_EXTRA + OP_TYPEPOSSTAR:
-      count = 0;
-
-      QS4:
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          VSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          break;
-          }
-        if (OK == (d == OP_VSPACE))
-          {
-          if (codevalue == OP_VSPACE_EXTRA + OP_TYPEPOSSTAR ||
-              codevalue == OP_VSPACE_EXTRA + OP_TYPEPOSQUERY)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW_DATA(-(state_offset + (int)count), 0, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_HSPACE_EXTRA + OP_TYPEQUERY:
-      case OP_HSPACE_EXTRA + OP_TYPEMINQUERY:
-      case OP_HSPACE_EXTRA + OP_TYPEPOSQUERY:
-      count = 2;
-      goto QS5;
-
-      case OP_HSPACE_EXTRA + OP_TYPESTAR:
-      case OP_HSPACE_EXTRA + OP_TYPEMINSTAR:
-      case OP_HSPACE_EXTRA + OP_TYPEPOSSTAR:
-      count = 0;
-
-      QS5:
-      ADD_ACTIVE(state_offset + 2, 0);
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          HSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          break;
-          }
-
-        if (OK == (d == OP_HSPACE))
-          {
-          if (codevalue == OP_HSPACE_EXTRA + OP_TYPEPOSSTAR ||
-              codevalue == OP_HSPACE_EXTRA + OP_TYPEPOSQUERY)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW_DATA(-(state_offset + (int)count), 0, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-#ifdef SUPPORT_UCP
-      case OP_PROP_EXTRA + OP_TYPEEXACT:
-      case OP_PROP_EXTRA + OP_TYPEUPTO:
-      case OP_PROP_EXTRA + OP_TYPEMINUPTO:
-      case OP_PROP_EXTRA + OP_TYPEPOSUPTO:
-      if (codevalue != OP_PROP_EXTRA + OP_TYPEEXACT)
-        { ADD_ACTIVE(state_offset + 1 + IMM2_SIZE + 3, 0); }
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        BOOL OK;
-        const pcre_uint32 *cp;
-        const ucd_record * prop = GET_UCD(c);
-        switch(code[1 + IMM2_SIZE + 1])
-          {
-          case PT_ANY:
-          OK = TRUE;
-          break;
-
-          case PT_LAMP:
-          OK = prop->chartype == ucp_Lu || prop->chartype == ucp_Ll ||
-            prop->chartype == ucp_Lt;
-          break;
-
-          case PT_GC:
-          OK = PRIV(ucp_gentype)[prop->chartype] == code[1 + IMM2_SIZE + 2];
-          break;
-
-          case PT_PC:
-          OK = prop->chartype == code[1 + IMM2_SIZE + 2];
-          break;
-
-          case PT_SC:
-          OK = prop->script == code[1 + IMM2_SIZE + 2];
-          break;
-
-          /* These are specials for combination cases. */
-
-          case PT_ALNUM:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N;
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          switch(c)
-            {
-            HSPACE_CASES:
-            VSPACE_CASES:
-            OK = TRUE;
-            break;
-
-            default:
-            OK = PRIV(ucp_gentype)[prop->chartype] == ucp_Z;
-            break;
-            }
-          break;
-
-          case PT_WORD:
-          OK = PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-               PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-               c == CHAR_UNDERSCORE;
-          break;
-
-          case PT_CLIST:
-          cp = PRIV(ucd_caseless_sets) + code[1 + IMM2_SIZE + 2];
-          for (;;)
-            {
-            if (c < *cp) { OK = FALSE; break; }
-            if (c == *cp++) { OK = TRUE; break; }
-            }
-          break;
-
-          case PT_UCNC:
-          OK = c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-               c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-               c >= 0xe000;
-          break;
-
-          /* Should never occur, but keep compilers from grumbling. */
-
-          default:
-          OK = codevalue != OP_PROP;
-          break;
-          }
-
-        if (OK == (d == OP_PROP))
-          {
-          if (codevalue == OP_PROP_EXTRA + OP_TYPEPOSUPTO)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW(state_offset + 1 + IMM2_SIZE + 3, 0); }
-          else
-            { ADD_NEW(state_offset, count); }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EXTUNI_EXTRA + OP_TYPEEXACT:
-      case OP_EXTUNI_EXTRA + OP_TYPEUPTO:
-      case OP_EXTUNI_EXTRA + OP_TYPEMINUPTO:
-      case OP_EXTUNI_EXTRA + OP_TYPEPOSUPTO:
-      if (codevalue != OP_EXTUNI_EXTRA + OP_TYPEEXACT)
-        { ADD_ACTIVE(state_offset + 2 + IMM2_SIZE, 0); }
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        int lgb, rgb;
-        const pcre_uchar *nptr = ptr + clen;
-        int ncount = 0;
-        if (codevalue == OP_EXTUNI_EXTRA + OP_TYPEPOSUPTO)
-          {
-          active_count--;           /* Remove non-match possibility */
-          next_active_state--;
-          }
-        lgb = UCD_GRAPHBREAK(c);
-        while (nptr < end_subject)
-          {
-          dlen = 1;
-          if (!utf) d = *nptr; else { GETCHARLEN(d, nptr, dlen); }
-          rgb = UCD_GRAPHBREAK(d);
-          if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-          ncount++;
-          lgb = rgb;
-          nptr += dlen;
-          }
-        if (nptr >= end_subject && (md->moptions & PCRE_PARTIAL_HARD) != 0)
-            reset_could_continue = TRUE;
-        if (++count >= (int)GET2(code, 1))
-          { ADD_NEW_DATA(-(state_offset + 2 + IMM2_SIZE), 0, ncount); }
-        else
-          { ADD_NEW_DATA(-state_offset, count, ncount); }
-        }
-      break;
-#endif
-
-      /*-----------------------------------------------------------------*/
-      case OP_ANYNL_EXTRA + OP_TYPEEXACT:
-      case OP_ANYNL_EXTRA + OP_TYPEUPTO:
-      case OP_ANYNL_EXTRA + OP_TYPEMINUPTO:
-      case OP_ANYNL_EXTRA + OP_TYPEPOSUPTO:
-      if (codevalue != OP_ANYNL_EXTRA + OP_TYPEEXACT)
-        { ADD_ACTIVE(state_offset + 2 + IMM2_SIZE, 0); }
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        int ncount = 0;
-        switch (c)
-          {
-          case CHAR_VT:
-          case CHAR_FF:
-          case CHAR_NEL:
-#ifndef EBCDIC
-          case 0x2028:
-          case 0x2029:
-#endif  /* Not EBCDIC */
-          if ((md->moptions & PCRE_BSR_ANYCRLF) != 0) break;
-          goto ANYNL03;
-
-          case CHAR_CR:
-          if (ptr + 1 < end_subject && UCHAR21TEST(ptr + 1) == CHAR_LF) ncount = 1;
-          /* Fall through */
-
-          ANYNL03:
-          case CHAR_LF:
-          if (codevalue == OP_ANYNL_EXTRA + OP_TYPEPOSUPTO)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW_DATA(-(state_offset + 2 + IMM2_SIZE), 0, ncount); }
-          else
-            { ADD_NEW_DATA(-state_offset, count, ncount); }
-          break;
-
-          default:
-          break;
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_VSPACE_EXTRA + OP_TYPEEXACT:
-      case OP_VSPACE_EXTRA + OP_TYPEUPTO:
-      case OP_VSPACE_EXTRA + OP_TYPEMINUPTO:
-      case OP_VSPACE_EXTRA + OP_TYPEPOSUPTO:
-      if (codevalue != OP_VSPACE_EXTRA + OP_TYPEEXACT)
-        { ADD_ACTIVE(state_offset + 2 + IMM2_SIZE, 0); }
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          VSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          }
-
-        if (OK == (d == OP_VSPACE))
-          {
-          if (codevalue == OP_VSPACE_EXTRA + OP_TYPEPOSUPTO)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW_DATA(-(state_offset + 2 + IMM2_SIZE), 0, 0); }
-          else
-            { ADD_NEW_DATA(-state_offset, count, 0); }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_HSPACE_EXTRA + OP_TYPEEXACT:
-      case OP_HSPACE_EXTRA + OP_TYPEUPTO:
-      case OP_HSPACE_EXTRA + OP_TYPEMINUPTO:
-      case OP_HSPACE_EXTRA + OP_TYPEPOSUPTO:
-      if (codevalue != OP_HSPACE_EXTRA + OP_TYPEEXACT)
-        { ADD_ACTIVE(state_offset + 2 + IMM2_SIZE, 0); }
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        BOOL OK;
-        switch (c)
-          {
-          HSPACE_CASES:
-          OK = TRUE;
-          break;
-
-          default:
-          OK = FALSE;
-          break;
-          }
-
-        if (OK == (d == OP_HSPACE))
-          {
-          if (codevalue == OP_HSPACE_EXTRA + OP_TYPEPOSUPTO)
-            {
-            active_count--;           /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW_DATA(-(state_offset + 2 + IMM2_SIZE), 0, 0); }
-          else
-            { ADD_NEW_DATA(-state_offset, count, 0); }
-          }
-        }
-      break;
-
-/* ========================================================================== */
-      /* These opcodes are followed by a character that is usually compared
-      to the current subject character; it is loaded into d. We still get
-      here even if there is no subject character, because in some cases zero
-      repetitions are permitted. */
-
-      /*-----------------------------------------------------------------*/
-      case OP_CHAR:
-      if (clen > 0 && c == d) { ADD_NEW(state_offset + dlen + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_CHARI:
-      if (clen == 0) break;
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        if (c == d) { ADD_NEW(state_offset + dlen + 1, 0); } else
-          {
-          unsigned int othercase;
-          if (c < 128)
-            othercase = fcc[c];
-          else
-            /* If we have Unicode property support, we can use it to test the
-            other case of the character. */
-#ifdef SUPPORT_UCP
-            othercase = UCD_OTHERCASE(c);
-#else
-            othercase = NOTACHAR;
-#endif
-
-          if (d == othercase) { ADD_NEW(state_offset + dlen + 1, 0); }
-          }
-        }
-      else
-#endif  /* SUPPORT_UTF */
-      /* Not UTF mode */
-        {
-        if (TABLE_GET(c, lcc, c) == TABLE_GET(d, lcc, d))
-          { ADD_NEW(state_offset + 2, 0); }
-        }
-      break;
-
-
-#ifdef SUPPORT_UCP
-      /*-----------------------------------------------------------------*/
-      /* This is a tricky one because it can match more than one character.
-      Find out how many characters to skip, and then set up a negative state
-      to wait for them to pass before continuing. */
-
-      case OP_EXTUNI:
-      if (clen > 0)
-        {
-        int lgb, rgb;
-        const pcre_uchar *nptr = ptr + clen;
-        int ncount = 0;
-        lgb = UCD_GRAPHBREAK(c);
-        while (nptr < end_subject)
-          {
-          dlen = 1;
-          if (!utf) d = *nptr; else { GETCHARLEN(d, nptr, dlen); }
-          rgb = UCD_GRAPHBREAK(d);
-          if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-          ncount++;
-          lgb = rgb;
-          nptr += dlen;
-          }
-        if (nptr >= end_subject && (md->moptions & PCRE_PARTIAL_HARD) != 0)
-            reset_could_continue = TRUE;
-        ADD_NEW_DATA(-(state_offset + 1), 0, ncount);
-        }
-      break;
-#endif
-
-      /*-----------------------------------------------------------------*/
-      /* This is a tricky like EXTUNI because it too can match more than one
-      character (when CR is followed by LF). In this case, set up a negative
-      state to wait for one character to pass before continuing. */
-
-      case OP_ANYNL:
-      if (clen > 0) switch(c)
-        {
-        case CHAR_VT:
-        case CHAR_FF:
-        case CHAR_NEL:
-#ifndef EBCDIC
-        case 0x2028:
-        case 0x2029:
-#endif  /* Not EBCDIC */
-        if ((md->moptions & PCRE_BSR_ANYCRLF) != 0) break;
-
-        case CHAR_LF:
-        ADD_NEW(state_offset + 1, 0);
-        break;
-
-        case CHAR_CR:
-        if (ptr + 1 >= end_subject)
-          {
-          ADD_NEW(state_offset + 1, 0);
-          if ((md->moptions & PCRE_PARTIAL_HARD) != 0)
-            reset_could_continue = TRUE;
-          }
-        else if (UCHAR21TEST(ptr + 1) == CHAR_LF)
-          {
-          ADD_NEW_DATA(-(state_offset + 1), 0, 1);
-          }
-        else
-          {
-          ADD_NEW(state_offset + 1, 0);
-          }
-        break;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_NOT_VSPACE:
-      if (clen > 0) switch(c)
-        {
-        VSPACE_CASES:
-        break;
-
-        default:
-        ADD_NEW(state_offset + 1, 0);
-        break;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_VSPACE:
-      if (clen > 0) switch(c)
-        {
-        VSPACE_CASES:
-        ADD_NEW(state_offset + 1, 0);
-        break;
-
-        default:
-        break;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_NOT_HSPACE:
-      if (clen > 0) switch(c)
-        {
-        HSPACE_CASES:
-        break;
-
-        default:
-        ADD_NEW(state_offset + 1, 0);
-        break;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_HSPACE:
-      if (clen > 0) switch(c)
-        {
-        HSPACE_CASES:
-        ADD_NEW(state_offset + 1, 0);
-        break;
-
-        default:
-        break;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      /* Match a negated single character casefully. */
-
-      case OP_NOT:
-      if (clen > 0 && c != d) { ADD_NEW(state_offset + dlen + 1, 0); }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      /* Match a negated single character caselessly. */
-
-      case OP_NOTI:
-      if (clen > 0)
-        {
-        unsigned int otherd;
-#ifdef SUPPORT_UTF
-        if (utf && d >= 128)
-          {
-#ifdef SUPPORT_UCP
-          otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-          }
-        else
-#endif  /* SUPPORT_UTF */
-        otherd = TABLE_GET(d, fcc, d);
-        if (c != d && c != otherd)
-          { ADD_NEW(state_offset + dlen + 1, 0); }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_PLUSI:
-      case OP_MINPLUSI:
-      case OP_POSPLUSI:
-      case OP_NOTPLUSI:
-      case OP_NOTMINPLUSI:
-      case OP_NOTPOSPLUSI:
-      caseless = TRUE;
-      codevalue -= OP_STARI - OP_STAR;
-
-      /* Fall through */
-      case OP_PLUS:
-      case OP_MINPLUS:
-      case OP_POSPLUS:
-      case OP_NOTPLUS:
-      case OP_NOTMINPLUS:
-      case OP_NOTPOSPLUS:
-      count = current_state->count;  /* Already matched */
-      if (count > 0) { ADD_ACTIVE(state_offset + dlen + 1, 0); }
-      if (clen > 0)
-        {
-        pcre_uint32 otherd = NOTACHAR;
-        if (caseless)
-          {
-#ifdef SUPPORT_UTF
-          if (utf && d >= 128)
-            {
-#ifdef SUPPORT_UCP
-            otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-            }
-          else
-#endif  /* SUPPORT_UTF */
-          otherd = TABLE_GET(d, fcc, d);
-          }
-        if ((c == d || c == otherd) == (codevalue < OP_NOTSTAR))
-          {
-          if (count > 0 &&
-              (codevalue == OP_POSPLUS || codevalue == OP_NOTPOSPLUS))
-            {
-            active_count--;             /* Remove non-match possibility */
-            next_active_state--;
-            }
-          count++;
-          ADD_NEW(state_offset, count);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_QUERYI:
-      case OP_MINQUERYI:
-      case OP_POSQUERYI:
-      case OP_NOTQUERYI:
-      case OP_NOTMINQUERYI:
-      case OP_NOTPOSQUERYI:
-      caseless = TRUE;
-      codevalue -= OP_STARI - OP_STAR;
-      /* Fall through */
-      case OP_QUERY:
-      case OP_MINQUERY:
-      case OP_POSQUERY:
-      case OP_NOTQUERY:
-      case OP_NOTMINQUERY:
-      case OP_NOTPOSQUERY:
-      ADD_ACTIVE(state_offset + dlen + 1, 0);
-      if (clen > 0)
-        {
-        pcre_uint32 otherd = NOTACHAR;
-        if (caseless)
-          {
-#ifdef SUPPORT_UTF
-          if (utf && d >= 128)
-            {
-#ifdef SUPPORT_UCP
-            otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-            }
-          else
-#endif  /* SUPPORT_UTF */
-          otherd = TABLE_GET(d, fcc, d);
-          }
-        if ((c == d || c == otherd) == (codevalue < OP_NOTSTAR))
-          {
-          if (codevalue == OP_POSQUERY || codevalue == OP_NOTPOSQUERY)
-            {
-            active_count--;            /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW(state_offset + dlen + 1, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_STARI:
-      case OP_MINSTARI:
-      case OP_POSSTARI:
-      case OP_NOTSTARI:
-      case OP_NOTMINSTARI:
-      case OP_NOTPOSSTARI:
-      caseless = TRUE;
-      codevalue -= OP_STARI - OP_STAR;
-      /* Fall through */
-      case OP_STAR:
-      case OP_MINSTAR:
-      case OP_POSSTAR:
-      case OP_NOTSTAR:
-      case OP_NOTMINSTAR:
-      case OP_NOTPOSSTAR:
-      ADD_ACTIVE(state_offset + dlen + 1, 0);
-      if (clen > 0)
-        {
-        pcre_uint32 otherd = NOTACHAR;
-        if (caseless)
-          {
-#ifdef SUPPORT_UTF
-          if (utf && d >= 128)
-            {
-#ifdef SUPPORT_UCP
-            otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-            }
-          else
-#endif  /* SUPPORT_UTF */
-          otherd = TABLE_GET(d, fcc, d);
-          }
-        if ((c == d || c == otherd) == (codevalue < OP_NOTSTAR))
-          {
-          if (codevalue == OP_POSSTAR || codevalue == OP_NOTPOSSTAR)
-            {
-            active_count--;            /* Remove non-match possibility */
-            next_active_state--;
-            }
-          ADD_NEW(state_offset, 0);
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_EXACTI:
-      case OP_NOTEXACTI:
-      caseless = TRUE;
-      codevalue -= OP_STARI - OP_STAR;
-      /* Fall through */
-      case OP_EXACT:
-      case OP_NOTEXACT:
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        pcre_uint32 otherd = NOTACHAR;
-        if (caseless)
-          {
-#ifdef SUPPORT_UTF
-          if (utf && d >= 128)
-            {
-#ifdef SUPPORT_UCP
-            otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-            }
-          else
-#endif  /* SUPPORT_UTF */
-          otherd = TABLE_GET(d, fcc, d);
-          }
-        if ((c == d || c == otherd) == (codevalue < OP_NOTSTAR))
-          {
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW(state_offset + dlen + 1 + IMM2_SIZE, 0); }
-          else
-            { ADD_NEW(state_offset, count); }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_UPTOI:
-      case OP_MINUPTOI:
-      case OP_POSUPTOI:
-      case OP_NOTUPTOI:
-      case OP_NOTMINUPTOI:
-      case OP_NOTPOSUPTOI:
-      caseless = TRUE;
-      codevalue -= OP_STARI - OP_STAR;
-      /* Fall through */
-      case OP_UPTO:
-      case OP_MINUPTO:
-      case OP_POSUPTO:
-      case OP_NOTUPTO:
-      case OP_NOTMINUPTO:
-      case OP_NOTPOSUPTO:
-      ADD_ACTIVE(state_offset + dlen + 1 + IMM2_SIZE, 0);
-      count = current_state->count;  /* Number already matched */
-      if (clen > 0)
-        {
-        pcre_uint32 otherd = NOTACHAR;
-        if (caseless)
-          {
-#ifdef SUPPORT_UTF
-          if (utf && d >= 128)
-            {
-#ifdef SUPPORT_UCP
-            otherd = UCD_OTHERCASE(d);
-#endif  /* SUPPORT_UCP */
-            }
-          else
-#endif  /* SUPPORT_UTF */
-          otherd = TABLE_GET(d, fcc, d);
-          }
-        if ((c == d || c == otherd) == (codevalue < OP_NOTSTAR))
-          {
-          if (codevalue == OP_POSUPTO || codevalue == OP_NOTPOSUPTO)
-            {
-            active_count--;             /* Remove non-match possibility */
-            next_active_state--;
-            }
-          if (++count >= (int)GET2(code, 1))
-            { ADD_NEW(state_offset + dlen + 1 + IMM2_SIZE, 0); }
-          else
-            { ADD_NEW(state_offset, count); }
-          }
-        }
-      break;
-
-
-/* ========================================================================== */
-      /* These are the class-handling opcodes */
-
-      case OP_CLASS:
-      case OP_NCLASS:
-      case OP_XCLASS:
-        {
-        BOOL isinclass = FALSE;
-        int next_state_offset;
-        const pcre_uchar *ecode;
-
-        /* For a simple class, there is always just a 32-byte table, and we
-        can set isinclass from it. */
-
-        if (codevalue != OP_XCLASS)
-          {
-          ecode = code + 1 + (32 / sizeof(pcre_uchar));
-          if (clen > 0)
-            {
-            isinclass = (c > 255)? (codevalue == OP_NCLASS) :
-              ((((pcre_uint8 *)(code + 1))[c/8] & (1 << (c&7))) != 0);
-            }
-          }
-
-        /* An extended class may have a table or a list of single characters,
-        ranges, or both, and it may be positive or negative. There's a
-        function that sorts all this out. */
-
-        else
-         {
-         ecode = code + GET(code, 1);
-         if (clen > 0) isinclass = PRIV(xclass)(c, code + 1 + LINK_SIZE, utf);
-         }
-
-        /* At this point, isinclass is set for all kinds of class, and ecode
-        points to the byte after the end of the class. If there is a
-        quantifier, this is where it will be. */
-
-        next_state_offset = (int)(ecode - start_code);
-
-        switch (*ecode)
-          {
-          case OP_CRSTAR:
-          case OP_CRMINSTAR:
-          case OP_CRPOSSTAR:
-          ADD_ACTIVE(next_state_offset + 1, 0);
-          if (isinclass)
-            {
-            if (*ecode == OP_CRPOSSTAR)
-              {
-              active_count--;           /* Remove non-match possibility */
-              next_active_state--;
-              }
-            ADD_NEW(state_offset, 0);
-            }
-          break;
-
-          case OP_CRPLUS:
-          case OP_CRMINPLUS:
-          case OP_CRPOSPLUS:
-          count = current_state->count;  /* Already matched */
-          if (count > 0) { ADD_ACTIVE(next_state_offset + 1, 0); }
-          if (isinclass)
-            {
-            if (count > 0 && *ecode == OP_CRPOSPLUS)
-              {
-              active_count--;           /* Remove non-match possibility */
-              next_active_state--;
-              }
-            count++;
-            ADD_NEW(state_offset, count);
-            }
-          break;
-
-          case OP_CRQUERY:
-          case OP_CRMINQUERY:
-          case OP_CRPOSQUERY:
-          ADD_ACTIVE(next_state_offset + 1, 0);
-          if (isinclass)
-            {
-            if (*ecode == OP_CRPOSQUERY)
-              {
-              active_count--;           /* Remove non-match possibility */
-              next_active_state--;
-              }
-            ADD_NEW(next_state_offset + 1, 0);
-            }
-          break;
-
-          case OP_CRRANGE:
-          case OP_CRMINRANGE:
-          case OP_CRPOSRANGE:
-          count = current_state->count;  /* Already matched */
-          if (count >= (int)GET2(ecode, 1))
-            { ADD_ACTIVE(next_state_offset + 1 + 2 * IMM2_SIZE, 0); }
-          if (isinclass)
-            {
-            int max = (int)GET2(ecode, 1 + IMM2_SIZE);
-            if (*ecode == OP_CRPOSRANGE)
-              {
-              active_count--;           /* Remove non-match possibility */
-              next_active_state--;
-              }
-            if (++count >= max && max != 0)   /* Max 0 => no limit */
-              { ADD_NEW(next_state_offset + 1 + 2 * IMM2_SIZE, 0); }
-            else
-              { ADD_NEW(state_offset, count); }
-            }
-          break;
-
-          default:
-          if (isinclass) { ADD_NEW(next_state_offset, 0); }
-          break;
-          }
-        }
-      break;
-
-/* ========================================================================== */
-      /* These are the opcodes for fancy brackets of various kinds. We have
-      to use recursion in order to handle them. The "always failing" assertion
-      (?!) is optimised to OP_FAIL when compiling, so we have to support that,
-      though the other "backtracking verbs" are not supported. */
-
-      case OP_FAIL:
-      forced_fail++;    /* Count FAILs for multiple states */
-      break;
-
-      case OP_ASSERT:
-      case OP_ASSERT_NOT:
-      case OP_ASSERTBACK:
-      case OP_ASSERTBACK_NOT:
-        {
-        int rc;
-        int local_offsets[2];
-        int local_workspace[1000];
-        const pcre_uchar *endasscode = code + GET(code, 1);
-
-        while (*endasscode == OP_ALT) endasscode += GET(endasscode, 1);
-
-        rc = internal_dfa_exec(
-          md,                                   /* static match data */
-          code,                                 /* this subexpression's code */
-          ptr,                                  /* where we currently are */
-          (int)(ptr - start_subject),           /* start offset */
-          local_offsets,                        /* offset vector */
-          sizeof(local_offsets)/sizeof(int),    /* size of same */
-          local_workspace,                      /* workspace vector */
-          sizeof(local_workspace)/sizeof(int),  /* size of same */
-          rlevel);                              /* function recursion level */
-
-        if (rc == PCRE_ERROR_DFA_UITEM) return rc;
-        if ((rc >= 0) == (codevalue == OP_ASSERT || codevalue == OP_ASSERTBACK))
-            { ADD_ACTIVE((int)(endasscode + LINK_SIZE + 1 - start_code), 0); }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_COND:
-      case OP_SCOND:
-        {
-        int local_offsets[1000];
-        int local_workspace[1000];
-        int codelink = GET(code, 1);
-        int condcode;
-
-        /* Because of the way auto-callout works during compile, a callout item
-        is inserted between OP_COND and an assertion condition. This does not
-        happen for the other conditions. */
-
-        if (code[LINK_SIZE+1] == OP_CALLOUT)
-          {
-          rrc = 0;
-          if (PUBL(callout) != NULL)
-            {
-            PUBL(callout_block) cb;
-            cb.version          = 1;   /* Version 1 of the callout block */
-            cb.callout_number   = code[LINK_SIZE+2];
-            cb.offset_vector    = offsets;
-#if defined COMPILE_PCRE8
-            cb.subject          = (PCRE_SPTR)start_subject;
-#elif defined COMPILE_PCRE16
-            cb.subject          = (PCRE_SPTR16)start_subject;
-#elif defined COMPILE_PCRE32
-            cb.subject          = (PCRE_SPTR32)start_subject;
-#endif
-            cb.subject_length   = (int)(end_subject - start_subject);
-            cb.start_match      = (int)(current_subject - start_subject);
-            cb.current_position = (int)(ptr - start_subject);
-            cb.pattern_position = GET(code, LINK_SIZE + 3);
-            cb.next_item_length = GET(code, 3 + 2*LINK_SIZE);
-            cb.capture_top      = 1;
-            cb.capture_last     = -1;
-            cb.callout_data     = md->callout_data;
-            cb.mark             = NULL;   /* No (*MARK) support */
-            if ((rrc = (*PUBL(callout))(&cb)) < 0) return rrc;   /* Abandon */
-            }
-          if (rrc > 0) break;                      /* Fail this thread */
-          code += PRIV(OP_lengths)[OP_CALLOUT];    /* Skip callout data */
-          }
-
-        condcode = code[LINK_SIZE+1];
-
-        /* Back reference conditions and duplicate named recursion conditions
-        are not supported */
-
-        if (condcode == OP_CREF || condcode == OP_DNCREF ||
-            condcode == OP_DNRREF)
-          return PCRE_ERROR_DFA_UCOND;
-
-        /* The DEFINE condition is always false, and the assertion (?!) is
-        converted to OP_FAIL. */
-
-        if (condcode == OP_DEF || condcode == OP_FAIL)
-          { ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0); }
-
-        /* The only supported version of OP_RREF is for the value RREF_ANY,
-        which means "test if in any recursion". We can't test for specifically
-        recursed groups. */
-
-        else if (condcode == OP_RREF)
-          {
-          int value = GET2(code, LINK_SIZE + 2);
-          if (value != RREF_ANY) return PCRE_ERROR_DFA_UCOND;
-          if (md->recursive != NULL)
-            { ADD_ACTIVE(state_offset + LINK_SIZE + 2 + IMM2_SIZE, 0); }
-          else { ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0); }
-          }
-
-        /* Otherwise, the condition is an assertion */
-
-        else
-          {
-          int rc;
-          const pcre_uchar *asscode = code + LINK_SIZE + 1;
-          const pcre_uchar *endasscode = asscode + GET(asscode, 1);
-
-          while (*endasscode == OP_ALT) endasscode += GET(endasscode, 1);
-
-          rc = internal_dfa_exec(
-            md,                                   /* fixed match data */
-            asscode,                              /* this subexpression's code */
-            ptr,                                  /* where we currently are */
-            (int)(ptr - start_subject),           /* start offset */
-            local_offsets,                        /* offset vector */
-            sizeof(local_offsets)/sizeof(int),    /* size of same */
-            local_workspace,                      /* workspace vector */
-            sizeof(local_workspace)/sizeof(int),  /* size of same */
-            rlevel);                              /* function recursion level */
-
-          if (rc == PCRE_ERROR_DFA_UITEM) return rc;
-          if ((rc >= 0) ==
-                (condcode == OP_ASSERT || condcode == OP_ASSERTBACK))
-            { ADD_ACTIVE((int)(endasscode + LINK_SIZE + 1 - start_code), 0); }
-          else
-            { ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0); }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_RECURSE:
-        {
-        dfa_recursion_info *ri;
-        int local_offsets[1000];
-        int local_workspace[1000];
-        const pcre_uchar *callpat = start_code + GET(code, 1);
-        int recno = (callpat == md->start_code)? 0 :
-          GET2(callpat, 1 + LINK_SIZE);
-        int rc;
-
-        DPRINTF(("%.*sStarting regex recursion\n", rlevel*2-2, SP));
-
-        /* Check for repeating a recursion without advancing the subject
-        pointer. This should catch convoluted mutual recursions. (Some simple
-        cases are caught at compile time.) */
-
-        for (ri = md->recursive; ri != NULL; ri = ri->prevrec)
-          if (recno == ri->group_num && ptr == ri->subject_position)
-            return PCRE_ERROR_RECURSELOOP;
-
-        /* Remember this recursion and where we started it so as to
-        catch infinite loops. */
-
-        new_recursive.group_num = recno;
-        new_recursive.subject_position = ptr;
-        new_recursive.prevrec = md->recursive;
-        md->recursive = &new_recursive;
-
-        rc = internal_dfa_exec(
-          md,                                   /* fixed match data */
-          callpat,                              /* this subexpression's code */
-          ptr,                                  /* where we currently are */
-          (int)(ptr - start_subject),           /* start offset */
-          local_offsets,                        /* offset vector */
-          sizeof(local_offsets)/sizeof(int),    /* size of same */
-          local_workspace,                      /* workspace vector */
-          sizeof(local_workspace)/sizeof(int),  /* size of same */
-          rlevel);                              /* function recursion level */
-
-        md->recursive = new_recursive.prevrec;  /* Done this recursion */
-
-        DPRINTF(("%.*sReturn from regex recursion: rc=%d\n", rlevel*2-2, SP,
-          rc));
-
-        /* Ran out of internal offsets */
-
-        if (rc == 0) return PCRE_ERROR_DFA_RECURSE;
-
-        /* For each successful matched substring, set up the next state with a
-        count of characters to skip before trying it. Note that the count is in
-        characters, not bytes. */
-
-        if (rc > 0)
-          {
-          for (rc = rc*2 - 2; rc >= 0; rc -= 2)
-            {
-            int charcount = local_offsets[rc+1] - local_offsets[rc];
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-            if (utf)
-              {
-              const pcre_uchar *p = start_subject + local_offsets[rc];
-              const pcre_uchar *pp = start_subject + local_offsets[rc+1];
-              while (p < pp) if (NOT_FIRSTCHAR(*p++)) charcount--;
-              }
-#endif
-            if (charcount > 0)
-              {
-              ADD_NEW_DATA(-(state_offset + LINK_SIZE + 1), 0, (charcount - 1));
-              }
-            else
-              {
-              ADD_ACTIVE(state_offset + LINK_SIZE + 1, 0);
-              }
-            }
-          }
-        else if (rc != PCRE_ERROR_NOMATCH) return rc;
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_BRAPOS:
-      case OP_SBRAPOS:
-      case OP_CBRAPOS:
-      case OP_SCBRAPOS:
-      case OP_BRAPOSZERO:
-        {
-        int charcount, matched_count;
-        const pcre_uchar *local_ptr = ptr;
-        BOOL allow_zero;
-
-        if (codevalue == OP_BRAPOSZERO)
-          {
-          allow_zero = TRUE;
-          codevalue = *(++code);  /* Codevalue will be one of above BRAs */
-          }
-        else allow_zero = FALSE;
-
-        /* Loop to match the subpattern as many times as possible as if it were
-        a complete pattern. */
-
-        for (matched_count = 0;; matched_count++)
-          {
-          int local_offsets[2];
-          int local_workspace[1000];
-
-          int rc = internal_dfa_exec(
-            md,                                   /* fixed match data */
-            code,                                 /* this subexpression's code */
-            local_ptr,                            /* where we currently are */
-            (int)(ptr - start_subject),           /* start offset */
-            local_offsets,                        /* offset vector */
-            sizeof(local_offsets)/sizeof(int),    /* size of same */
-            local_workspace,                      /* workspace vector */
-            sizeof(local_workspace)/sizeof(int),  /* size of same */
-            rlevel);                              /* function recursion level */
-
-          /* Failed to match */
-
-          if (rc < 0)
-            {
-            if (rc != PCRE_ERROR_NOMATCH) return rc;
-            break;
-            }
-
-          /* Matched: break the loop if zero characters matched. */
-
-          charcount = local_offsets[1] - local_offsets[0];
-          if (charcount == 0) break;
-          local_ptr += charcount;    /* Advance temporary position ptr */
-          }
-
-        /* At this point we have matched the subpattern matched_count
-        times, and local_ptr is pointing to the character after the end of the
-        last match. */
-
-        if (matched_count > 0 || allow_zero)
-          {
-          const pcre_uchar *end_subpattern = code;
-          int next_state_offset;
-
-          do { end_subpattern += GET(end_subpattern, 1); }
-            while (*end_subpattern == OP_ALT);
-          next_state_offset =
-            (int)(end_subpattern - start_code + LINK_SIZE + 1);
-
-          /* Optimization: if there are no more active states, and there
-          are no new states yet set up, then skip over the subject string
-          right here, to save looping. Otherwise, set up the new state to swing
-          into action when the end of the matched substring is reached. */
-
-          if (i + 1 >= active_count && new_count == 0)
-            {
-            ptr = local_ptr;
-            clen = 0;
-            ADD_NEW(next_state_offset, 0);
-            }
-          else
-            {
-            const pcre_uchar *p = ptr;
-            const pcre_uchar *pp = local_ptr;
-            charcount = (int)(pp - p);
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-            if (utf) while (p < pp) if (NOT_FIRSTCHAR(*p++)) charcount--;
-#endif
-            ADD_NEW_DATA(-next_state_offset, 0, (charcount - 1));
-            }
-          }
-        }
-      break;
-
-      /*-----------------------------------------------------------------*/
-      case OP_ONCE:
-      case OP_ONCE_NC:
-        {
-        int local_offsets[2];
-        int local_workspace[1000];
-
-        int rc = internal_dfa_exec(
-          md,                                   /* fixed match data */
-          code,                                 /* this subexpression's code */
-          ptr,                                  /* where we currently are */
-          (int)(ptr - start_subject),           /* start offset */
-          local_offsets,                        /* offset vector */
-          sizeof(local_offsets)/sizeof(int),    /* size of same */
-          local_workspace,                      /* workspace vector */
-          sizeof(local_workspace)/sizeof(int),  /* size of same */
-          rlevel);                              /* function recursion level */
-
-        if (rc >= 0)
-          {
-          const pcre_uchar *end_subpattern = code;
-          int charcount = local_offsets[1] - local_offsets[0];
-          int next_state_offset, repeat_state_offset;
-
-          do { end_subpattern += GET(end_subpattern, 1); }
-            while (*end_subpattern == OP_ALT);
-          next_state_offset =
-            (int)(end_subpattern - start_code + LINK_SIZE + 1);
-
-          /* If the end of this subpattern is KETRMAX or KETRMIN, we must
-          arrange for the repeat state also to be added to the relevant list.
-          Calculate the offset, or set -1 for no repeat. */
-
-          repeat_state_offset = (*end_subpattern == OP_KETRMAX ||
-                                 *end_subpattern == OP_KETRMIN)?
-            (int)(end_subpattern - start_code - GET(end_subpattern, 1)) : -1;
-
-          /* If we have matched an empty string, add the next state at the
-          current character pointer. This is important so that the duplicate
-          checking kicks in, which is what breaks infinite loops that match an
-          empty string. */
-
-          if (charcount == 0)
-            {
-            ADD_ACTIVE(next_state_offset, 0);
-            }
-
-          /* Optimization: if there are no more active states, and there
-          are no new states yet set up, then skip over the subject string
-          right here, to save looping. Otherwise, set up the new state to swing
-          into action when the end of the matched substring is reached. */
-
-          else if (i + 1 >= active_count && new_count == 0)
-            {
-            ptr += charcount;
-            clen = 0;
-            ADD_NEW(next_state_offset, 0);
-
-            /* If we are adding a repeat state at the new character position,
-            we must fudge things so that it is the only current state.
-            Otherwise, it might be a duplicate of one we processed before, and
-            that would cause it to be skipped. */
-
-            if (repeat_state_offset >= 0)
-              {
-              next_active_state = active_states;
-              active_count = 0;
-              i = -1;
-              ADD_ACTIVE(repeat_state_offset, 0);
-              }
-            }
-          else
-            {
-#if defined SUPPORT_UTF && !defined COMPILE_PCRE32
-            if (utf)
-              {
-              const pcre_uchar *p = start_subject + local_offsets[0];
-              const pcre_uchar *pp = start_subject + local_offsets[1];
-              while (p < pp) if (NOT_FIRSTCHAR(*p++)) charcount--;
-              }
-#endif
-            ADD_NEW_DATA(-next_state_offset, 0, (charcount - 1));
-            if (repeat_state_offset >= 0)
-              { ADD_NEW_DATA(-repeat_state_offset, 0, (charcount - 1)); }
-            }
-          }
-        else if (rc != PCRE_ERROR_NOMATCH) return rc;
-        }
-      break;
-
-
-/* ========================================================================== */
-      /* Handle callouts */
-
-      case OP_CALLOUT:
-      rrc = 0;
-      if (PUBL(callout) != NULL)
-        {
-        PUBL(callout_block) cb;
-        cb.version          = 1;   /* Version 1 of the callout block */
-        cb.callout_number   = code[1];
-        cb.offset_vector    = offsets;
-#if defined COMPILE_PCRE8
-        cb.subject          = (PCRE_SPTR)start_subject;
-#elif defined COMPILE_PCRE16
-        cb.subject          = (PCRE_SPTR16)start_subject;
-#elif defined COMPILE_PCRE32
-        cb.subject          = (PCRE_SPTR32)start_subject;
-#endif
-        cb.subject_length   = (int)(end_subject - start_subject);
-        cb.start_match      = (int)(current_subject - start_subject);
-        cb.current_position = (int)(ptr - start_subject);
-        cb.pattern_position = GET(code, 2);
-        cb.next_item_length = GET(code, 2 + LINK_SIZE);
-        cb.capture_top      = 1;
-        cb.capture_last     = -1;
-        cb.callout_data     = md->callout_data;
-        cb.mark             = NULL;   /* No (*MARK) support */
-        if ((rrc = (*PUBL(callout))(&cb)) < 0) return rrc;   /* Abandon */
-        }
-      if (rrc == 0)
-        { ADD_ACTIVE(state_offset + PRIV(OP_lengths)[OP_CALLOUT], 0); }
-      break;
-
-
-/* ========================================================================== */
-      default:        /* Unsupported opcode */
-      return PCRE_ERROR_DFA_UITEM;
-      }
-
-    NEXT_ACTIVE_STATE: continue;
-
-    }      /* End of loop scanning active states */
-
-  /* We have finished the processing at the current subject character. If no
-  new states have been set for the next character, we have found all the
-  matches that we are going to find. If we are at the top level and partial
-  matching has been requested, check for appropriate conditions.
-
-  The "forced_ fail" variable counts the number of (*F) encountered for the
-  character. If it is equal to the original active_count (saved in
-  workspace[1]) it means that (*F) was found on every active state. In this
-  case we don't want to give a partial match.
-
-  The "could_continue" variable is true if a state could have continued but
-  for the fact that the end of the subject was reached. */
-
-  if (new_count <= 0)
-    {
-    if (rlevel == 1 &&                               /* Top level, and */
-        could_continue &&                            /* Some could go on, and */
-        forced_fail != workspace[1] &&               /* Not all forced fail & */
-        (                                            /* either... */
-        (md->moptions & PCRE_PARTIAL_HARD) != 0      /* Hard partial */
-        ||                                           /* or... */
-        ((md->moptions & PCRE_PARTIAL_SOFT) != 0 &&  /* Soft partial and */
-         match_count < 0)                            /* no matches */
-        ) &&                                         /* And... */
-        (
-        partial_newline ||                           /* Either partial NL */
-          (                                          /* or ... */
-          ptr >= end_subject &&                /* End of subject and */
-          ptr > md->start_used_ptr)            /* Inspected non-empty string */
-          )
-        )
-      match_count = PCRE_ERROR_PARTIAL;
-    DPRINTF(("%.*sEnd of internal_dfa_exec %d: returning %d\n"
-      "%.*s---------------------\n\n", rlevel*2-2, SP, rlevel, match_count,
-      rlevel*2-2, SP));
-    break;        /* In effect, "return", but see the comment below */
-    }
-
-  /* One or more states are active for the next character. */
-
-  ptr += clen;    /* Advance to next subject character */
-  }               /* Loop to move along the subject string */
-
-/* Control gets here from "break" a few lines above. We do it this way because
-if we use "return" above, we have compiler trouble. Some compilers warn if
-there's nothing here because they think the function doesn't return a value. On
-the other hand, if we put a dummy statement here, some more clever compilers
-complain that it can't be reached. Sigh. */
-
-return match_count;
-}
-
-
-
-
-/*************************************************
-*    Execute a Regular Expression - DFA engine   *
-*************************************************/
-
-/* This external function applies a compiled re to a subject string using a DFA
-engine. This function calls the internal function multiple times if the pattern
-is not anchored.
-
-Arguments:
-  argument_re     points to the compiled expression
-  extra_data      points to extra data or is NULL
-  subject         points to the subject string
-  length          length of subject string (may contain binary zeros)
-  start_offset    where to start in the subject string
-  options         option bits
-  offsets         vector of match offsets
-  offsetcount     size of same
-  workspace       workspace vector
-  wscount         size of same
-
-Returns:          > 0 => number of match offset pairs placed in offsets
-                  = 0 => offsets overflowed; longest matches are present
-                   -1 => failed to match
-                 < -1 => some kind of unexpected problem
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_dfa_exec(const pcre *argument_re, const pcre_extra *extra_data,
-  const char *subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount, int *workspace, int wscount)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_dfa_exec(const pcre16 *argument_re, const pcre16_extra *extra_data,
-  PCRE_SPTR16 subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount, int *workspace, int wscount)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_dfa_exec(const pcre32 *argument_re, const pcre32_extra *extra_data,
-  PCRE_SPTR32 subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount, int *workspace, int wscount)
-#endif
-{
-REAL_PCRE *re = (REAL_PCRE *)argument_re;
-dfa_match_data match_block;
-dfa_match_data *md = &match_block;
-BOOL utf, anchored, startline, firstline;
-const pcre_uchar *current_subject, *end_subject;
-const pcre_study_data *study = NULL;
-
-const pcre_uchar *req_char_ptr;
-const pcre_uint8 *start_bits = NULL;
-BOOL has_first_char = FALSE;
-BOOL has_req_char = FALSE;
-pcre_uchar first_char = 0;
-pcre_uchar first_char2 = 0;
-pcre_uchar req_char = 0;
-pcre_uchar req_char2 = 0;
-int newline;
-
-/* Plausibility checks */
-
-if ((options & ~PUBLIC_DFA_EXEC_OPTIONS) != 0) return PCRE_ERROR_BADOPTION;
-if (re == NULL || subject == NULL || workspace == NULL ||
-   (offsets == NULL && offsetcount > 0)) return PCRE_ERROR_NULL;
-if (offsetcount < 0) return PCRE_ERROR_BADCOUNT;
-if (wscount < 20) return PCRE_ERROR_DFA_WSSIZE;
-if (length < 0) return PCRE_ERROR_BADLENGTH;
-if (start_offset < 0 || start_offset > length) return PCRE_ERROR_BADOFFSET;
-
-/* Check that the first field in the block is the magic number. If it is not,
-return with PCRE_ERROR_BADMAGIC. However, if the magic number is equal to
-REVERSED_MAGIC_NUMBER we return with PCRE_ERROR_BADENDIANNESS, which
-means that the pattern is likely compiled with different endianness. */
-
-if (re->magic_number != MAGIC_NUMBER)
-  return re->magic_number == REVERSED_MAGIC_NUMBER?
-    PCRE_ERROR_BADENDIANNESS:PCRE_ERROR_BADMAGIC;
-if ((re->flags & PCRE_MODE) == 0) return PCRE_ERROR_BADMODE;
-
-/* If restarting after a partial match, do some sanity checks on the contents
-of the workspace. */
-
-if ((options & PCRE_DFA_RESTART) != 0)
-  {
-  if ((workspace[0] & (-2)) != 0 || workspace[1] < 1 ||
-    workspace[1] > (wscount - 2)/INTS_PER_STATEBLOCK)
-      return PCRE_ERROR_DFA_BADRESTART;
-  }
-
-/* Set up study, callout, and table data */
-
-md->tables = re->tables;
-md->callout_data = NULL;
-
-if (extra_data != NULL)
-  {
-  unsigned long int flags = extra_data->flags;
-  if ((flags & PCRE_EXTRA_STUDY_DATA) != 0)
-    study = (const pcre_study_data *)extra_data->study_data;
-  if ((flags & PCRE_EXTRA_MATCH_LIMIT) != 0) return PCRE_ERROR_DFA_UMLIMIT;
-  if ((flags & PCRE_EXTRA_MATCH_LIMIT_RECURSION) != 0)
-    return PCRE_ERROR_DFA_UMLIMIT;
-  if ((flags & PCRE_EXTRA_CALLOUT_DATA) != 0)
-    md->callout_data = extra_data->callout_data;
-  if ((flags & PCRE_EXTRA_TABLES) != 0)
-    md->tables = extra_data->tables;
-  }
-
-/* Set some local values */
-
-current_subject = (const pcre_uchar *)subject + start_offset;
-end_subject = (const pcre_uchar *)subject + length;
-req_char_ptr = current_subject - 1;
-
-#ifdef SUPPORT_UTF
-/* PCRE_UTF(16|32) have the same value as PCRE_UTF8. */
-utf = (re->options & PCRE_UTF8) != 0;
-#else
-utf = FALSE;
-#endif
-
-anchored = (options & (PCRE_ANCHORED|PCRE_DFA_RESTART)) != 0 ||
-  (re->options & PCRE_ANCHORED) != 0;
-
-/* The remaining fixed data for passing around. */
-
-md->start_code = (const pcre_uchar *)argument_re +
-    re->name_table_offset + re->name_count * re->name_entry_size;
-md->start_subject = (const pcre_uchar *)subject;
-md->end_subject = end_subject;
-md->start_offset = start_offset;
-md->moptions = options;
-md->poptions = re->options;
-
-/* If the BSR option is not set at match time, copy what was set
-at compile time. */
-
-if ((md->moptions & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE)) == 0)
-  {
-  if ((re->options & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE)) != 0)
-    md->moptions |= re->options & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE);
-#ifdef BSR_ANYCRLF
-  else md->moptions |= PCRE_BSR_ANYCRLF;
-#endif
-  }
-
-/* Handle different types of newline. The three bits give eight cases. If
-nothing is set at run time, whatever was used at compile time applies. */
-
-switch ((((options & PCRE_NEWLINE_BITS) == 0)? re->options : (pcre_uint32)options) &
-         PCRE_NEWLINE_BITS)
-  {
-  case 0: newline = NEWLINE; break;   /* Compile-time default */
-  case PCRE_NEWLINE_CR: newline = CHAR_CR; break;
-  case PCRE_NEWLINE_LF: newline = CHAR_NL; break;
-  case PCRE_NEWLINE_CR+
-       PCRE_NEWLINE_LF: newline = (CHAR_CR << 8) | CHAR_NL; break;
-  case PCRE_NEWLINE_ANY: newline = -1; break;
-  case PCRE_NEWLINE_ANYCRLF: newline = -2; break;
-  default: return PCRE_ERROR_BADNEWLINE;
-  }
-
-if (newline == -2)
-  {
-  md->nltype = NLTYPE_ANYCRLF;
-  }
-else if (newline < 0)
-  {
-  md->nltype = NLTYPE_ANY;
-  }
-else
-  {
-  md->nltype = NLTYPE_FIXED;
-  if (newline > 255)
-    {
-    md->nllen = 2;
-    md->nl[0] = (newline >> 8) & 255;
-    md->nl[1] = newline & 255;
-    }
-  else
-    {
-    md->nllen = 1;
-    md->nl[0] = newline;
-    }
-  }
-
-/* Check a UTF-8 string if required. Unfortunately there's no way of passing
-back the character offset. */
-
-#ifdef SUPPORT_UTF
-if (utf && (options & PCRE_NO_UTF8_CHECK) == 0)
-  {
-  int erroroffset;
-  int errorcode = PRIV(valid_utf)((pcre_uchar *)subject, length, &erroroffset);
-  if (errorcode != 0)
-    {
-    if (offsetcount >= 2)
-      {
-      offsets[0] = erroroffset;
-      offsets[1] = errorcode;
-      }
-#if defined COMPILE_PCRE8
-    return (errorcode <= PCRE_UTF8_ERR5 && (options & PCRE_PARTIAL_HARD) != 0) ?
-      PCRE_ERROR_SHORTUTF8 : PCRE_ERROR_BADUTF8;
-#elif defined COMPILE_PCRE16
-    return (errorcode <= PCRE_UTF16_ERR1 && (options & PCRE_PARTIAL_HARD) != 0) ?
-      PCRE_ERROR_SHORTUTF16 : PCRE_ERROR_BADUTF16;
-#elif defined COMPILE_PCRE32
-    return PCRE_ERROR_BADUTF32;
-#endif
-    }
-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
-  if (start_offset > 0 && start_offset < length &&
-        NOT_FIRSTCHAR(((PCRE_PUCHAR)subject)[start_offset]))
-    return PCRE_ERROR_BADUTF8_OFFSET;
-#endif
-  }
-#endif
-
-/* If the exec call supplied NULL for tables, use the inbuilt ones. This
-is a feature that makes it possible to save compiled regex and re-use them
-in other programs later. */
-
-if (md->tables == NULL) md->tables = PRIV(default_tables);
-
-/* The "must be at the start of a line" flags are used in a loop when finding
-where to start. */
-
-startline = (re->flags & PCRE_STARTLINE) != 0;
-firstline = (re->options & PCRE_FIRSTLINE) != 0;
-
-/* Set up the first character to match, if available. The first_byte value is
-never set for an anchored regular expression, but the anchoring may be forced
-at run time, so we have to test for anchoring. The first char may be unset for
-an unanchored pattern, of course. If there's no first char and the pattern was
-studied, there may be a bitmap of possible first characters. */
-
-if (!anchored)
-  {
-  if ((re->flags & PCRE_FIRSTSET) != 0)
-    {
-    has_first_char = TRUE;
-    first_char = first_char2 = (pcre_uchar)(re->first_char);
-    if ((re->flags & PCRE_FCH_CASELESS) != 0)
-      {
-      first_char2 = TABLE_GET(first_char, md->tables + fcc_offset, first_char);
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-      if (utf && first_char > 127)
-        first_char2 = UCD_OTHERCASE(first_char);
-#endif
-      }
-    }
-  else
-    {
-    if (!startline && study != NULL &&
-         (study->flags & PCRE_STUDY_MAPPED) != 0)
-      start_bits = study->start_bits;
-    }
-  }
-
-/* For anchored or unanchored matches, there may be a "last known required
-character" set. */
-
-if ((re->flags & PCRE_REQCHSET) != 0)
-  {
-  has_req_char = TRUE;
-  req_char = req_char2 = (pcre_uchar)(re->req_char);
-  if ((re->flags & PCRE_RCH_CASELESS) != 0)
-    {
-    req_char2 = TABLE_GET(req_char, md->tables + fcc_offset, req_char);
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-    if (utf && req_char > 127)
-      req_char2 = UCD_OTHERCASE(req_char);
-#endif
-    }
-  }
-
-/* Call the main matching function, looping for a non-anchored regex after a
-failed match. If not restarting, perform certain optimizations at the start of
-a match. */
-
-for (;;)
-  {
-  int rc;
-
-  if ((options & PCRE_DFA_RESTART) == 0)
-    {
-    const pcre_uchar *save_end_subject = end_subject;
-
-    /* If firstline is TRUE, the start of the match is constrained to the first
-    line of a multiline string. Implement this by temporarily adjusting
-    end_subject so that we stop scanning at a newline. If the match fails at
-    the newline, later code breaks this loop. */
-
-    if (firstline)
-      {
-      PCRE_PUCHAR t = current_subject;
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        while (t < md->end_subject && !IS_NEWLINE(t))
-          {
-          t++;
-          ACROSSCHAR(t < end_subject, *t, t++);
-          }
-        }
-      else
-#endif
-      while (t < md->end_subject && !IS_NEWLINE(t)) t++;
-      end_subject = t;
-      }
-
-    /* There are some optimizations that avoid running the match if a known
-    starting point is not found. However, there is an option that disables
-    these, for testing and for ensuring that all callouts do actually occur.
-    The option can be set in the regex by (*NO_START_OPT) or passed in
-    match-time options. */
-
-    if (((options | re->options) & PCRE_NO_START_OPTIMIZE) == 0)
-      {
-      /* Advance to a known first pcre_uchar (i.e. data item) */
-
-      if (has_first_char)
-        {
-        if (first_char != first_char2)
-          {
-          pcre_uchar csc;
-          while (current_subject < end_subject &&
-                 (csc = UCHAR21TEST(current_subject)) != first_char && csc != first_char2)
-            current_subject++;
-          }
-        else
-          while (current_subject < end_subject &&
-                 UCHAR21TEST(current_subject) != first_char)
-            current_subject++;
-        }
-
-      /* Or to just after a linebreak for a multiline match if possible */
-
-      else if (startline)
-        {
-        if (current_subject > md->start_subject + start_offset)
-          {
-#ifdef SUPPORT_UTF
-          if (utf)
-            {
-            while (current_subject < end_subject &&
-                   !WAS_NEWLINE(current_subject))
-              {
-              current_subject++;
-              ACROSSCHAR(current_subject < end_subject, *current_subject,
-                current_subject++);
-              }
-            }
-          else
-#endif
-          while (current_subject < end_subject && !WAS_NEWLINE(current_subject))
-            current_subject++;
-
-          /* If we have just passed a CR and the newline option is ANY or
-          ANYCRLF, and we are now at a LF, advance the match position by one
-          more character. */
-
-          if (UCHAR21TEST(current_subject - 1) == CHAR_CR &&
-               (md->nltype == NLTYPE_ANY || md->nltype == NLTYPE_ANYCRLF) &&
-               current_subject < end_subject &&
-               UCHAR21TEST(current_subject) == CHAR_NL)
-            current_subject++;
-          }
-        }
-
-      /* Advance to a non-unique first pcre_uchar after study */
-
-      else if (start_bits != NULL)
-        {
-        while (current_subject < end_subject)
-          {
-          register pcre_uint32 c = UCHAR21TEST(current_subject);
-#ifndef COMPILE_PCRE8
-          if (c > 255) c = 255;
-#endif
-          if ((start_bits[c/8] & (1 << (c&7))) != 0) break;
-          current_subject++;
-          }
-        }
-      }
-
-    /* Restore fudged end_subject */
-
-    end_subject = save_end_subject;
-
-    /* The following two optimizations are disabled for partial matching or if
-    disabling is explicitly requested (and of course, by the test above, this
-    code is not obeyed when restarting after a partial match). */
-
-    if (((options | re->options) & PCRE_NO_START_OPTIMIZE) == 0 &&
-        (options & (PCRE_PARTIAL_HARD|PCRE_PARTIAL_SOFT)) == 0)
-      {
-      /* If the pattern was studied, a minimum subject length may be set. This
-      is a lower bound; no actual string of that length may actually match the
-      pattern. Although the value is, strictly, in characters, we treat it as
-      in pcre_uchar units to avoid spending too much time in this optimization.
-      */
-
-      if (study != NULL && (study->flags & PCRE_STUDY_MINLEN) != 0 &&
-          (pcre_uint32)(end_subject - current_subject) < study->minlength)
-        return PCRE_ERROR_NOMATCH;
-
-      /* If req_char is set, we know that that pcre_uchar must appear in the
-      subject for the match to succeed. If the first pcre_uchar is set,
-      req_char must be later in the subject; otherwise the test starts at the
-      match point. This optimization can save a huge amount of work in patterns
-      with nested unlimited repeats that aren't going to match. Writing
-      separate code for cased/caseless versions makes it go faster, as does
-      using an autoincrement and backing off on a match.
-
-      HOWEVER: when the subject string is very, very long, searching to its end
-      can take a long time, and give bad performance on quite ordinary
-      patterns. This showed up when somebody was matching /^C/ on a 32-megabyte
-      string... so we don't do this when the string is sufficiently long. */
-
-      if (has_req_char && end_subject - current_subject < REQ_BYTE_MAX)
-        {
-        register PCRE_PUCHAR p = current_subject + (has_first_char? 1:0);
-
-        /* We don't need to repeat the search if we haven't yet reached the
-        place we found it at last time. */
-
-        if (p > req_char_ptr)
-          {
-          if (req_char != req_char2)
-            {
-            while (p < end_subject)
-              {
-              register pcre_uint32 pp = UCHAR21INCTEST(p);
-              if (pp == req_char || pp == req_char2) { p--; break; }
-              }
-            }
-          else
-            {
-            while (p < end_subject)
-              {
-              if (UCHAR21INCTEST(p) == req_char) { p--; break; }
-              }
-            }
-
-          /* If we can't find the required pcre_uchar, break the matching loop,
-          which will cause a return or PCRE_ERROR_NOMATCH. */
-
-          if (p >= end_subject) break;
-
-          /* If we have found the required pcre_uchar, save the point where we
-          found it, so that we don't search again next time round the loop if
-          the start hasn't passed this point yet. */
-
-          req_char_ptr = p;
-          }
-        }
-      }
-    }   /* End of optimizations that are done when not restarting */
-
-  /* OK, now we can do the business */
-
-  md->start_used_ptr = current_subject;
-  md->recursive = NULL;
-
-  rc = internal_dfa_exec(
-    md,                                /* fixed match data */
-    md->start_code,                    /* this subexpression's code */
-    current_subject,                   /* where we currently are */
-    start_offset,                      /* start offset in subject */
-    offsets,                           /* offset vector */
-    offsetcount,                       /* size of same */
-    workspace,                         /* workspace vector */
-    wscount,                           /* size of same */
-    0);                                /* function recurse level */
-
-  /* Anything other than "no match" means we are done, always; otherwise, carry
-  on only if not anchored. */
-
-  if (rc != PCRE_ERROR_NOMATCH || anchored)
-    {
-    if (rc == PCRE_ERROR_PARTIAL && offsetcount >= 2)
-      {
-      offsets[0] = (int)(md->start_used_ptr - (PCRE_PUCHAR)subject);
-      offsets[1] = (int)(end_subject - (PCRE_PUCHAR)subject);
-      if (offsetcount > 2)
-        offsets[2] = (int)(current_subject - (PCRE_PUCHAR)subject);
-      }
-    return rc;
-    }
-
-  /* Advance to the next subject character unless we are at the end of a line
-  and firstline is set. */
-
-  if (firstline && IS_NEWLINE(current_subject)) break;
-  current_subject++;
-#ifdef SUPPORT_UTF
-  if (utf)
-    {
-    ACROSSCHAR(current_subject < end_subject, *current_subject,
-      current_subject++);
-    }
-#endif
-  if (current_subject > end_subject) break;
-
-  /* If we have just passed a CR and we are now at a LF, and the pattern does
-  not contain any explicit matches for \r or \n, and the newline option is CRLF
-  or ANY or ANYCRLF, advance the match position by one more character. */
-
-  if (UCHAR21TEST(current_subject - 1) == CHAR_CR &&
-      current_subject < end_subject &&
-      UCHAR21TEST(current_subject) == CHAR_NL &&
-      (re->flags & PCRE_HASCRORLF) == 0 &&
-        (md->nltype == NLTYPE_ANY ||
-         md->nltype == NLTYPE_ANYCRLF ||
-         md->nllen == 2))
-    current_subject++;
-
-  }   /* "Bumpalong" loop */
-
-return PCRE_ERROR_NOMATCH;
-}
-
-/* End of pcre_dfa_exec.c */
diff --git a/src/plugins/PCREPlugin/pcre_exec.c b/src/plugins/PCREPlugin/pcre_exec.c
deleted file mode 100644
index ed360f8..0000000
--- a/src/plugins/PCREPlugin/pcre_exec.c
+++ /dev/null
@@ -1,7174 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2014 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-/* This module contains pcre_exec(), the externally visible function that does
-pattern matching using an NFA algorithm, trying to mimic Perl as closely as
-possible. There are also some static supporting functions. */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#define NLBLOCK md             /* Block containing newline information */
-#define PSSTART start_subject  /* Field containing processed string start */
-#define PSEND   end_subject    /* Field containing processed string end */
-
-#include "pcre_internal.h"
-
-/* Undefine some potentially clashing cpp symbols */
-
-#undef min
-#undef max
-
-/* The md->capture_last field uses the lower 16 bits for the last captured
-substring (which can never be greater than 65535) and a bit in the top half
-to mean "capture vector overflowed". This odd way of doing things was
-implemented when it was realized that preserving and restoring the overflow bit
-whenever the last capture number was saved/restored made for a neater
-interface, and doing it this way saved on (a) another variable, which would
-have increased the stack frame size (a big NO-NO in PCRE) and (b) another
-separate set of save/restore instructions. The following defines are used in
-implementing this. */
-
-#define CAPLMASK    0x0000ffff    /* The bits used for last_capture */
-#define OVFLMASK    0xffff0000    /* The bits used for the overflow flag */
-#define OVFLBIT     0x00010000    /* The bit that is set for overflow */
-
-/* Values for setting in md->match_function_type to indicate two special types
-of call to match(). We do it this way to save on using another stack variable,
-as stack usage is to be discouraged. */
-
-#define MATCH_CONDASSERT     1  /* Called to check a condition assertion */
-#define MATCH_CBEGROUP       2  /* Could-be-empty unlimited repeat group */
-
-/* Non-error returns from the match() function. Error returns are externally
-defined PCRE_ERROR_xxx codes, which are all negative. */
-
-#define MATCH_MATCH        1
-#define MATCH_NOMATCH      0
-
-/* Special internal returns from the match() function. Make them sufficiently
-negative to avoid the external error codes. */
-
-#define MATCH_ACCEPT       (-999)
-#define MATCH_KETRPOS      (-998)
-#define MATCH_ONCE         (-997)
-/* The next 5 must be kept together and in sequence so that a test that checks
-for any one of them can use a range. */
-#define MATCH_COMMIT       (-996)
-#define MATCH_PRUNE        (-995)
-#define MATCH_SKIP         (-994)
-#define MATCH_SKIP_ARG     (-993)
-#define MATCH_THEN         (-992)
-#define MATCH_BACKTRACK_MAX MATCH_THEN
-#define MATCH_BACKTRACK_MIN MATCH_COMMIT
-
-/* Maximum number of ints of offset to save on the stack for recursive calls.
-If the offset vector is bigger, malloc is used. This should be a multiple of 3,
-because the offset vector is always a multiple of 3 long. */
-
-#define REC_STACK_SAVE_MAX 30
-
-/* Min and max values for the common repeats; for the maxima, 0 => infinity */
-
-static const char rep_min[] = { 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, };
-static const char rep_max[] = { 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, };
-
-#ifdef PCRE_DEBUG
-/*************************************************
-*        Debugging function to print chars       *
-*************************************************/
-
-/* Print a sequence of chars in printable format, stopping at the end of the
-subject if the requested.
-
-Arguments:
-  p           points to characters
-  length      number to print
-  is_subject  TRUE if printing from within md->start_subject
-  md          pointer to matching data block, if is_subject is TRUE
-
-Returns:     nothing
-*/
-
-static void
-pchars(const pcre_uchar *p, int length, BOOL is_subject, match_data *md)
-{
-pcre_uint32 c;
-BOOL utf = md->utf;
-if (is_subject && length > md->end_subject - p) length = md->end_subject - p;
-while (length-- > 0)
-  if (isprint(c = UCHAR21INCTEST(p))) printf("%c", (char)c); else printf("\\x{%02x}", c);
-}
-#endif
-
-
-
-/*************************************************
-*          Match a back-reference                *
-*************************************************/
-
-/* Normally, if a back reference hasn't been set, the length that is passed is
-negative, so the match always fails. However, in JavaScript compatibility mode,
-the length passed is zero. Note that in caseless UTF-8 mode, the number of
-subject bytes matched may be different to the number of reference bytes.
-
-Arguments:
-  offset      index into the offset vector
-  eptr        pointer into the subject
-  length      length of reference to be matched (number of bytes)
-  md          points to match data block
-  caseless    TRUE if caseless
-
-Returns:      >= 0 the number of subject bytes matched
-              -1 no match
-              -2 partial match; always given if at end subject
-*/
-
-static int
-match_ref(int offset, register PCRE_PUCHAR eptr, int length, match_data *md,
-  BOOL caseless)
-{
-PCRE_PUCHAR eptr_start = eptr;
-register PCRE_PUCHAR p = md->start_subject + md->offset_vector[offset];
-#if defined SUPPORT_UTF && defined SUPPORT_UCP
-BOOL utf = md->utf;
-#endif
-
-#ifdef PCRE_DEBUG
-if (eptr >= md->end_subject)
-  printf("matching subject ");
-else
-  {
-  printf("matching subject ");
-  pchars(eptr, length, TRUE, md);
-  }
-printf(" against backref ");
-pchars(p, length, FALSE, md);
-printf("\n");
-#endif
-
-/* Always fail if reference not set (and not JavaScript compatible - in that
-case the length is passed as zero). */
-
-if (length < 0) return -1;
-
-/* Separate the caseless case for speed. In UTF-8 mode we can only do this
-properly if Unicode properties are supported. Otherwise, we can check only
-ASCII characters. */
-
-if (caseless)
-  {
-#if defined SUPPORT_UTF && defined SUPPORT_UCP
-  if (utf)
-    {
-    /* Match characters up to the end of the reference. NOTE: the number of
-    data units matched may differ, because in UTF-8 there are some characters
-    whose upper and lower case versions code have different numbers of bytes.
-    For example, U+023A (2 bytes in UTF-8) is the upper case version of U+2C65
-    (3 bytes in UTF-8); a sequence of 3 of the former uses 6 bytes, as does a
-    sequence of two of the latter. It is important, therefore, to check the
-    length along the reference, not along the subject (earlier code did this
-    wrong). */
-
-    PCRE_PUCHAR endptr = p + length;
-    while (p < endptr)
-      {
-      pcre_uint32 c, d;
-      const ucd_record *ur;
-      if (eptr >= md->end_subject) return -2;   /* Partial match */
-      GETCHARINC(c, eptr);
-      GETCHARINC(d, p);
-      ur = GET_UCD(d);
-      if (c != d && c != d + ur->other_case)
-        {
-        const pcre_uint32 *pp = PRIV(ucd_caseless_sets) + ur->caseset;
-        for (;;)
-          {
-          if (c < *pp) return -1;
-          if (c == *pp++) break;
-          }
-        }
-      }
-    }
-  else
-#endif
-
-  /* The same code works when not in UTF-8 mode and in UTF-8 mode when there
-  is no UCP support. */
-    {
-    while (length-- > 0)
-      {
-      pcre_uint32 cc, cp;
-      if (eptr >= md->end_subject) return -2;   /* Partial match */
-      cc = UCHAR21TEST(eptr);
-      cp = UCHAR21TEST(p);
-      if (TABLE_GET(cp, md->lcc, cp) != TABLE_GET(cc, md->lcc, cc)) return -1;
-      p++;
-      eptr++;
-      }
-    }
-  }
-
-/* In the caseful case, we can just compare the bytes, whether or not we
-are in UTF-8 mode. */
-
-else
-  {
-  while (length-- > 0)
-    {
-    if (eptr >= md->end_subject) return -2;   /* Partial match */
-    if (UCHAR21INCTEST(p) != UCHAR21INCTEST(eptr)) return -1;
-    }
-  }
-
-return (int)(eptr - eptr_start);
-}
-
-
-
-/***************************************************************************
-****************************************************************************
-                   RECURSION IN THE match() FUNCTION
-
-The match() function is highly recursive, though not every recursive call
-increases the recursive depth. Nevertheless, some regular expressions can cause
-it to recurse to a great depth. I was writing for Unix, so I just let it call
-itself recursively. This uses the stack for saving everything that has to be
-saved for a recursive call. On Unix, the stack can be large, and this works
-fine.
-
-It turns out that on some non-Unix-like systems there are problems with
-programs that use a lot of stack. (This despite the fact that every last chip
-has oodles of memory these days, and techniques for extending the stack have
-been known for decades.) So....
-
-There is a fudge, triggered by defining NO_RECURSE, which avoids recursive
-calls by keeping local variables that need to be preserved in blocks of memory
-obtained from malloc() instead instead of on the stack. Macros are used to
-achieve this so that the actual code doesn't look very different to what it
-always used to.
-
-The original heap-recursive code used longjmp(). However, it seems that this
-can be very slow on some operating systems. Following a suggestion from Stan
-Switzer, the use of longjmp() has been abolished, at the cost of having to
-provide a unique number for each call to RMATCH. There is no way of generating
-a sequence of numbers at compile time in C. I have given them names, to make
-them stand out more clearly.
-
-Crude tests on x86 Linux show a small speedup of around 5-8%. However, on
-FreeBSD, avoiding longjmp() more than halves the time taken to run the standard
-tests. Furthermore, not using longjmp() means that local dynamic variables
-don't have indeterminate values; this has meant that the frame size can be
-reduced because the result can be "passed back" by straight setting of the
-variable instead of being passed in the frame.
-****************************************************************************
-***************************************************************************/
-
-/* Numbers for RMATCH calls. When this list is changed, the code at HEAP_RETURN
-below must be updated in sync.  */
-
-enum { RM1=1, RM2,  RM3,  RM4,  RM5,  RM6,  RM7,  RM8,  RM9,  RM10,
-       RM11,  RM12, RM13, RM14, RM15, RM16, RM17, RM18, RM19, RM20,
-       RM21,  RM22, RM23, RM24, RM25, RM26, RM27, RM28, RM29, RM30,
-       RM31,  RM32, RM33, RM34, RM35, RM36, RM37, RM38, RM39, RM40,
-       RM41,  RM42, RM43, RM44, RM45, RM46, RM47, RM48, RM49, RM50,
-       RM51,  RM52, RM53, RM54, RM55, RM56, RM57, RM58, RM59, RM60,
-       RM61,  RM62, RM63, RM64, RM65, RM66, RM67 };
-
-/* These versions of the macros use the stack, as normal. There are debugging
-versions and production versions. Note that the "rw" argument of RMATCH isn't
-actually used in this definition. */
-
-#ifndef NO_RECURSE
-#define REGISTER register
-
-#ifdef PCRE_DEBUG
-#define RMATCH(ra,rb,rc,rd,re,rw) \
-  { \
-  printf("match() called in line %d\n", __LINE__); \
-  rrc = match(ra,rb,mstart,rc,rd,re,rdepth+1); \
-  printf("to line %d\n", __LINE__); \
-  }
-#define RRETURN(ra) \
-  { \
-  printf("match() returned %d from line %d\n", ra, __LINE__); \
-  return ra; \
-  }
-#else
-#define RMATCH(ra,rb,rc,rd,re,rw) \
-  rrc = match(ra,rb,mstart,rc,rd,re,rdepth+1)
-#define RRETURN(ra) return ra
-#endif
-
-#else
-
-
-/* These versions of the macros manage a private stack on the heap. Note that
-the "rd" argument of RMATCH isn't actually used in this definition. It's the md
-argument of match(), which never changes. */
-
-#define REGISTER
-
-#define RMATCH(ra,rb,rc,rd,re,rw)\
-  {\
-  heapframe *newframe = frame->Xnextframe;\
-  if (newframe == NULL)\
-    {\
-    newframe = (heapframe *)(PUBL(stack_malloc))(sizeof(heapframe));\
-    if (newframe == NULL) RRETURN(PCRE_ERROR_NOMEMORY);\
-    newframe->Xnextframe = NULL;\
-    frame->Xnextframe = newframe;\
-    }\
-  frame->Xwhere = rw;\
-  newframe->Xeptr = ra;\
-  newframe->Xecode = rb;\
-  newframe->Xmstart = mstart;\
-  newframe->Xoffset_top = rc;\
-  newframe->Xeptrb = re;\
-  newframe->Xrdepth = frame->Xrdepth + 1;\
-  newframe->Xprevframe = frame;\
-  frame = newframe;\
-  DPRINTF(("restarting from line %d\n", __LINE__));\
-  goto HEAP_RECURSE;\
-  L_##rw:\
-  DPRINTF(("jumped back to line %d\n", __LINE__));\
-  }
-
-#define RRETURN(ra)\
-  {\
-  heapframe *oldframe = frame;\
-  frame = oldframe->Xprevframe;\
-  if (frame != NULL)\
-    {\
-    rrc = ra;\
-    goto HEAP_RETURN;\
-    }\
-  return ra;\
-  }
-
-
-/* Structure for remembering the local variables in a private frame */
-
-typedef struct heapframe {
-  struct heapframe *Xprevframe;
-  struct heapframe *Xnextframe;
-
-  /* Function arguments that may change */
-
-  PCRE_PUCHAR Xeptr;
-  const pcre_uchar *Xecode;
-  PCRE_PUCHAR Xmstart;
-  int Xoffset_top;
-  eptrblock *Xeptrb;
-  unsigned int Xrdepth;
-
-  /* Function local variables */
-
-  PCRE_PUCHAR Xcallpat;
-#ifdef SUPPORT_UTF
-  PCRE_PUCHAR Xcharptr;
-#endif
-  PCRE_PUCHAR Xdata;
-  PCRE_PUCHAR Xnext;
-  PCRE_PUCHAR Xpp;
-  PCRE_PUCHAR Xprev;
-  PCRE_PUCHAR Xsaved_eptr;
-
-  recursion_info Xnew_recursive;
-
-  BOOL Xcur_is_word;
-  BOOL Xcondition;
-  BOOL Xprev_is_word;
-
-#ifdef SUPPORT_UCP
-  int Xprop_type;
-  unsigned int Xprop_value;
-  int Xprop_fail_result;
-  int Xoclength;
-  pcre_uchar Xocchars[6];
-#endif
-
-  int Xcodelink;
-  int Xctype;
-  unsigned int Xfc;
-  int Xfi;
-  int Xlength;
-  int Xmax;
-  int Xmin;
-  unsigned int Xnumber;
-  int Xoffset;
-  unsigned int Xop;
-  pcre_int32 Xsave_capture_last;
-  int Xsave_offset1, Xsave_offset2, Xsave_offset3;
-  int Xstacksave[REC_STACK_SAVE_MAX];
-
-  eptrblock Xnewptrb;
-
-  /* Where to jump back to */
-
-  int Xwhere;
-
-} heapframe;
-
-#endif
-
-
-/***************************************************************************
-***************************************************************************/
-
-
-
-/*************************************************
-*         Match from current position            *
-*************************************************/
-
-/* This function is called recursively in many circumstances. Whenever it
-returns a negative (error) response, the outer incarnation must also return the
-same response. */
-
-/* These macros pack up tests that are used for partial matching, and which
-appear several times in the code. We set the "hit end" flag if the pointer is
-at the end of the subject and also past the start of the subject (i.e.
-something has been matched). For hard partial matching, we then return
-immediately. The second one is used when we already know we are past the end of
-the subject. */
-
-#define CHECK_PARTIAL()\
-  if (md->partial != 0 && eptr >= md->end_subject && \
-      eptr > md->start_used_ptr) \
-    { \
-    md->hitend = TRUE; \
-    if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL); \
-    }
-
-#define SCHECK_PARTIAL()\
-  if (md->partial != 0 && eptr > md->start_used_ptr) \
-    { \
-    md->hitend = TRUE; \
-    if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL); \
-    }
-
-
-/* Performance note: It might be tempting to extract commonly used fields from
-the md structure (e.g. utf, end_subject) into individual variables to improve
-performance. Tests using gcc on a SPARC disproved this; in the first case, it
-made performance worse.
-
-Arguments:
-   eptr        pointer to current character in subject
-   ecode       pointer to current position in compiled code
-   mstart      pointer to the current match start position (can be modified
-                 by encountering \K)
-   offset_top  current top pointer
-   md          pointer to "static" info for the match
-   eptrb       pointer to chain of blocks containing eptr at start of
-                 brackets - for testing for empty matches
-   rdepth      the recursion depth
-
-Returns:       MATCH_MATCH if matched            )  these values are >= 0
-               MATCH_NOMATCH if failed to match  )
-               a negative MATCH_xxx value for PRUNE, SKIP, etc
-               a negative PCRE_ERROR_xxx value if aborted by an error condition
-                 (e.g. stopped by repeated call or recursion limit)
-*/
-
-static int
-match(REGISTER PCRE_PUCHAR eptr, REGISTER const pcre_uchar *ecode,
-  PCRE_PUCHAR mstart, int offset_top, match_data *md, eptrblock *eptrb,
-  unsigned int rdepth)
-{
-/* These variables do not need to be preserved over recursion in this function,
-so they can be ordinary variables in all cases. Mark some of them with
-"register" because they are used a lot in loops. */
-
-register int  rrc;         /* Returns from recursive calls */
-register int  i;           /* Used for loops not involving calls to RMATCH() */
-register pcre_uint32 c;    /* Character values not kept over RMATCH() calls */
-register BOOL utf;         /* Local copy of UTF flag for speed */
-
-BOOL minimize, possessive; /* Quantifier options */
-BOOL caseless;
-int condcode;
-
-/* When recursion is not being used, all "local" variables that have to be
-preserved over calls to RMATCH() are part of a "frame". We set up the top-level
-frame on the stack here; subsequent instantiations are obtained from the heap
-whenever RMATCH() does a "recursion". See the macro definitions above. Putting
-the top-level on the stack rather than malloc-ing them all gives a performance
-boost in many cases where there is not much "recursion". */
-
-#ifdef NO_RECURSE
-heapframe *frame = (heapframe *)md->match_frames_base;
-
-/* Copy in the original argument variables */
-
-frame->Xeptr = eptr;
-frame->Xecode = ecode;
-frame->Xmstart = mstart;
-frame->Xoffset_top = offset_top;
-frame->Xeptrb = eptrb;
-frame->Xrdepth = rdepth;
-
-/* This is where control jumps back to to effect "recursion" */
-
-HEAP_RECURSE:
-
-/* Macros make the argument variables come from the current frame */
-
-#define eptr               frame->Xeptr
-#define ecode              frame->Xecode
-#define mstart             frame->Xmstart
-#define offset_top         frame->Xoffset_top
-#define eptrb              frame->Xeptrb
-#define rdepth             frame->Xrdepth
-
-/* Ditto for the local variables */
-
-#ifdef SUPPORT_UTF
-#define charptr            frame->Xcharptr
-#endif
-#define callpat            frame->Xcallpat
-#define codelink           frame->Xcodelink
-#define data               frame->Xdata
-#define next               frame->Xnext
-#define pp                 frame->Xpp
-#define prev               frame->Xprev
-#define saved_eptr         frame->Xsaved_eptr
-
-#define new_recursive      frame->Xnew_recursive
-
-#define cur_is_word        frame->Xcur_is_word
-#define condition          frame->Xcondition
-#define prev_is_word       frame->Xprev_is_word
-
-#ifdef SUPPORT_UCP
-#define prop_type          frame->Xprop_type
-#define prop_value         frame->Xprop_value
-#define prop_fail_result   frame->Xprop_fail_result
-#define oclength           frame->Xoclength
-#define occhars            frame->Xocchars
-#endif
-
-#define ctype              frame->Xctype
-#define fc                 frame->Xfc
-#define fi                 frame->Xfi
-#define length             frame->Xlength
-#define max                frame->Xmax
-#define min                frame->Xmin
-#define number             frame->Xnumber
-#define offset             frame->Xoffset
-#define op                 frame->Xop
-#define save_capture_last  frame->Xsave_capture_last
-#define save_offset1       frame->Xsave_offset1
-#define save_offset2       frame->Xsave_offset2
-#define save_offset3       frame->Xsave_offset3
-#define stacksave          frame->Xstacksave
-
-#define newptrb            frame->Xnewptrb
-
-/* When recursion is being used, local variables are allocated on the stack and
-get preserved during recursion in the normal way. In this environment, fi and
-i, and fc and c, can be the same variables. */
-
-#else         /* NO_RECURSE not defined */
-#define fi i
-#define fc c
-
-/* Many of the following variables are used only in small blocks of the code.
-My normal style of coding would have declared them within each of those blocks.
-However, in order to accommodate the version of this code that uses an external
-"stack" implemented on the heap, it is easier to declare them all here, so the
-declarations can be cut out in a block. The only declarations within blocks
-below are for variables that do not have to be preserved over a recursive call
-to RMATCH(). */
-
-#ifdef SUPPORT_UTF
-const pcre_uchar *charptr;
-#endif
-const pcre_uchar *callpat;
-const pcre_uchar *data;
-const pcre_uchar *next;
-PCRE_PUCHAR       pp;
-const pcre_uchar *prev;
-PCRE_PUCHAR       saved_eptr;
-
-recursion_info new_recursive;
-
-BOOL cur_is_word;
-BOOL condition;
-BOOL prev_is_word;
-
-#ifdef SUPPORT_UCP
-int prop_type;
-unsigned int prop_value;
-int prop_fail_result;
-int oclength;
-pcre_uchar occhars[6];
-#endif
-
-int codelink;
-int ctype;
-int length;
-int max;
-int min;
-unsigned int number;
-int offset;
-unsigned int op;
-pcre_int32 save_capture_last;
-int save_offset1, save_offset2, save_offset3;
-int stacksave[REC_STACK_SAVE_MAX];
-
-eptrblock newptrb;
-
-/* There is a special fudge for calling match() in a way that causes it to
-measure the size of its basic stack frame when the stack is being used for
-recursion. The second argument (ecode) being NULL triggers this behaviour. It
-cannot normally ever be NULL. The return is the negated value of the frame
-size. */
-
-if (ecode == NULL)
-  {
-  if (rdepth == 0)
-    return match((PCRE_PUCHAR)&rdepth, NULL, NULL, 0, NULL, NULL, 1);
-  else
-    {
-    int len = (char *)&rdepth - (char *)eptr;
-    return (len > 0)? -len : len;
-    }
-  }
-#endif     /* NO_RECURSE */
-
-/* To save space on the stack and in the heap frame, I have doubled up on some
-of the local variables that are used only in localised parts of the code, but
-still need to be preserved over recursive calls of match(). These macros define
-the alternative names that are used. */
-
-#define allow_zero    cur_is_word
-#define cbegroup      condition
-#define code_offset   codelink
-#define condassert    condition
-#define matched_once  prev_is_word
-#define foc           number
-#define save_mark     data
-
-/* These statements are here to stop the compiler complaining about unitialized
-variables. */
-
-#ifdef SUPPORT_UCP
-prop_value = 0;
-prop_fail_result = 0;
-#endif
-
-
-/* This label is used for tail recursion, which is used in a few cases even
-when NO_RECURSE is not defined, in order to reduce the amount of stack that is
-used. Thanks to Ian Taylor for noticing this possibility and sending the
-original patch. */
-
-TAIL_RECURSE:
-
-/* OK, now we can get on with the real code of the function. Recursive calls
-are specified by the macro RMATCH and RRETURN is used to return. When
-NO_RECURSE is *not* defined, these just turn into a recursive call to match()
-and a "return", respectively (possibly with some debugging if PCRE_DEBUG is
-defined). However, RMATCH isn't like a function call because it's quite a
-complicated macro. It has to be used in one particular way. This shouldn't,
-however, impact performance when true recursion is being used. */
-
-#ifdef SUPPORT_UTF
-utf = md->utf;       /* Local copy of the flag */
-#else
-utf = FALSE;
-#endif
-
-/* First check that we haven't called match() too many times, or that we
-haven't exceeded the recursive call limit. */
-
-if (md->match_call_count++ >= md->match_limit) RRETURN(PCRE_ERROR_MATCHLIMIT);
-if (rdepth >= md->match_limit_recursion) RRETURN(PCRE_ERROR_RECURSIONLIMIT);
-
-/* At the start of a group with an unlimited repeat that may match an empty
-string, the variable md->match_function_type is set to MATCH_CBEGROUP. It is
-done this way to save having to use another function argument, which would take
-up space on the stack. See also MATCH_CONDASSERT below.
-
-When MATCH_CBEGROUP is set, add the current subject pointer to the chain of
-such remembered pointers, to be checked when we hit the closing ket, in order
-to break infinite loops that match no characters. When match() is called in
-other circumstances, don't add to the chain. The MATCH_CBEGROUP feature must
-NOT be used with tail recursion, because the memory block that is used is on
-the stack, so a new one may be required for each match(). */
-
-if (md->match_function_type == MATCH_CBEGROUP)
-  {
-  newptrb.epb_saved_eptr = eptr;
-  newptrb.epb_prev = eptrb;
-  eptrb = &newptrb;
-  md->match_function_type = 0;
-  }
-
-/* Now start processing the opcodes. */
-
-for (;;)
-  {
-  minimize = possessive = FALSE;
-  op = *ecode;
-
-  switch(op)
-    {
-    case OP_MARK:
-    md->nomatch_mark = ecode + 2;
-    md->mark = NULL;    /* In case previously set by assertion */
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode] + ecode[1], offset_top, md,
-      eptrb, RM55);
-    if ((rrc == MATCH_MATCH || rrc == MATCH_ACCEPT) &&
-         md->mark == NULL) md->mark = ecode + 2;
-
-    /* A return of MATCH_SKIP_ARG means that matching failed at SKIP with an
-    argument, and we must check whether that argument matches this MARK's
-    argument. It is passed back in md->start_match_ptr (an overloading of that
-    variable). If it does match, we reset that variable to the current subject
-    position and return MATCH_SKIP. Otherwise, pass back the return code
-    unaltered. */
-
-    else if (rrc == MATCH_SKIP_ARG &&
-        STRCMP_UC_UC_TEST(ecode + 2, md->start_match_ptr) == 0)
-      {
-      md->start_match_ptr = eptr;
-      RRETURN(MATCH_SKIP);
-      }
-    RRETURN(rrc);
-
-    case OP_FAIL:
-    RRETURN(MATCH_NOMATCH);
-
-    case OP_COMMIT:
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-      eptrb, RM52);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    RRETURN(MATCH_COMMIT);
-
-    case OP_PRUNE:
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-      eptrb, RM51);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    RRETURN(MATCH_PRUNE);
-
-    case OP_PRUNE_ARG:
-    md->nomatch_mark = ecode + 2;
-    md->mark = NULL;    /* In case previously set by assertion */
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode] + ecode[1], offset_top, md,
-      eptrb, RM56);
-    if ((rrc == MATCH_MATCH || rrc == MATCH_ACCEPT) &&
-         md->mark == NULL) md->mark = ecode + 2;
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    RRETURN(MATCH_PRUNE);
-
-    case OP_SKIP:
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-      eptrb, RM53);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    md->start_match_ptr = eptr;   /* Pass back current position */
-    RRETURN(MATCH_SKIP);
-
-    /* Note that, for Perl compatibility, SKIP with an argument does NOT set
-    nomatch_mark. When a pattern match ends with a SKIP_ARG for which there was
-    not a matching mark, we have to re-run the match, ignoring the SKIP_ARG
-    that failed and any that precede it (either they also failed, or were not
-    triggered). To do this, we maintain a count of executed SKIP_ARGs. If a
-    SKIP_ARG gets to top level, the match is re-run with md->ignore_skip_arg
-    set to the count of the one that failed. */
-
-    case OP_SKIP_ARG:
-    md->skip_arg_count++;
-    if (md->skip_arg_count <= md->ignore_skip_arg)
-      {
-      ecode += PRIV(OP_lengths)[*ecode] + ecode[1];
-      break;
-      }
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode] + ecode[1], offset_top, md,
-      eptrb, RM57);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-
-    /* Pass back the current skip name by overloading md->start_match_ptr and
-    returning the special MATCH_SKIP_ARG return code. This will either be
-    caught by a matching MARK, or get to the top, where it causes a rematch
-    with md->ignore_skip_arg set to the value of md->skip_arg_count. */
-
-    md->start_match_ptr = ecode + 2;
-    RRETURN(MATCH_SKIP_ARG);
-
-    /* For THEN (and THEN_ARG) we pass back the address of the opcode, so that
-    the branch in which it occurs can be determined. Overload the start of
-    match pointer to do this. */
-
-    case OP_THEN:
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-      eptrb, RM54);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    md->start_match_ptr = ecode;
-    RRETURN(MATCH_THEN);
-
-    case OP_THEN_ARG:
-    md->nomatch_mark = ecode + 2;
-    md->mark = NULL;    /* In case previously set by assertion */
-    RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode] + ecode[1], offset_top,
-      md, eptrb, RM58);
-    if ((rrc == MATCH_MATCH || rrc == MATCH_ACCEPT) &&
-         md->mark == NULL) md->mark = ecode + 2;
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    md->start_match_ptr = ecode;
-    RRETURN(MATCH_THEN);
-
-    /* Handle an atomic group that does not contain any capturing parentheses.
-    This can be handled like an assertion. Prior to 8.13, all atomic groups
-    were handled this way. In 8.13, the code was changed as below for ONCE, so
-    that backups pass through the group and thereby reset captured values.
-    However, this uses a lot more stack, so in 8.20, atomic groups that do not
-    contain any captures generate OP_ONCE_NC, which can be handled in the old,
-    less stack intensive way.
-
-    Check the alternative branches in turn - the matching won't pass the KET
-    for this kind of subpattern. If any one branch matches, we carry on as at
-    the end of a normal bracket, leaving the subject pointer, but resetting
-    the start-of-match value in case it was changed by \K. */
-
-    case OP_ONCE_NC:
-    prev = ecode;
-    saved_eptr = eptr;
-    save_mark = md->mark;
-    do
-      {
-      RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, eptrb, RM64);
-      if (rrc == MATCH_MATCH)  /* Note: _not_ MATCH_ACCEPT */
-        {
-        mstart = md->start_match_ptr;
-        break;
-        }
-      if (rrc == MATCH_THEN)
-        {
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          rrc = MATCH_NOMATCH;
-        }
-
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      ecode += GET(ecode,1);
-      md->mark = save_mark;
-      }
-    while (*ecode == OP_ALT);
-
-    /* If hit the end of the group (which could be repeated), fail */
-
-    if (*ecode != OP_ONCE_NC && *ecode != OP_ALT) RRETURN(MATCH_NOMATCH);
-
-    /* Continue as from after the group, updating the offsets high water
-    mark, since extracts may have been taken. */
-
-    do ecode += GET(ecode, 1); while (*ecode == OP_ALT);
-
-    offset_top = md->end_offset_top;
-    eptr = md->end_match_ptr;
-
-    /* For a non-repeating ket, just continue at this level. This also
-    happens for a repeating ket if no characters were matched in the group.
-    This is the forcible breaking of infinite loops as implemented in Perl
-    5.005. */
-
-    if (*ecode == OP_KET || eptr == saved_eptr)
-      {
-      ecode += 1+LINK_SIZE;
-      break;
-      }
-
-    /* The repeating kets try the rest of the pattern or restart from the
-    preceding bracket, in the appropriate order. The second "call" of match()
-    uses tail recursion, to avoid using another stack frame. */
-
-    if (*ecode == OP_KETRMIN)
-      {
-      RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, eptrb, RM65);
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      ecode = prev;
-      goto TAIL_RECURSE;
-      }
-    else  /* OP_KETRMAX */
-      {
-      RMATCH(eptr, prev, offset_top, md, eptrb, RM66);
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      ecode += 1 + LINK_SIZE;
-      goto TAIL_RECURSE;
-      }
-    /* Control never gets here */
-
-    /* Handle a capturing bracket, other than those that are possessive with an
-    unlimited repeat. If there is space in the offset vector, save the current
-    subject position in the working slot at the top of the vector. We mustn't
-    change the current values of the data slot, because they may be set from a
-    previous iteration of this group, and be referred to by a reference inside
-    the group. A failure to match might occur after the group has succeeded,
-    if something later on doesn't match. For this reason, we need to restore
-    the working value and also the values of the final offsets, in case they
-    were set by a previous iteration of the same bracket.
-
-    If there isn't enough space in the offset vector, treat this as if it were
-    a non-capturing bracket. Don't worry about setting the flag for the error
-    case here; that is handled in the code for KET. */
-
-    case OP_CBRA:
-    case OP_SCBRA:
-    number = GET2(ecode, 1+LINK_SIZE);
-    offset = number << 1;
-
-#ifdef PCRE_DEBUG
-    printf("start bracket %d\n", number);
-    printf("subject=");
-    pchars(eptr, 16, TRUE, md);
-    printf("\n");
-#endif
-
-    if (offset < md->offset_max)
-      {
-      save_offset1 = md->offset_vector[offset];
-      save_offset2 = md->offset_vector[offset+1];
-      save_offset3 = md->offset_vector[md->offset_end - number];
-      save_capture_last = md->capture_last;
-      save_mark = md->mark;
-
-      DPRINTF(("saving %d %d %d\n", save_offset1, save_offset2, save_offset3));
-      md->offset_vector[md->offset_end - number] =
-        (int)(eptr - md->start_subject);
-
-      for (;;)
-        {
-        if (op >= OP_SBRA) md->match_function_type = MATCH_CBEGROUP;
-        RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-          eptrb, RM1);
-        if (rrc == MATCH_ONCE) break;  /* Backing up through an atomic group */
-
-        /* If we backed up to a THEN, check whether it is within the current
-        branch by comparing the address of the THEN that is passed back with
-        the end of the branch. If it is within the current branch, and the
-        branch is one of two or more alternatives (it either starts or ends
-        with OP_ALT), we have reached the limit of THEN's action, so convert
-        the return code to NOMATCH, which will cause normal backtracking to
-        happen from now on. Otherwise, THEN is passed back to an outer
-        alternative. This implements Perl's treatment of parenthesized groups,
-        where a group not containing | does not affect the current alternative,
-        that is, (X) is NOT the same as (X|(*F)). */
-
-        if (rrc == MATCH_THEN)
-          {
-          next = ecode + GET(ecode,1);
-          if (md->start_match_ptr < next &&
-              (*ecode == OP_ALT || *next == OP_ALT))
-            rrc = MATCH_NOMATCH;
-          }
-
-        /* Anything other than NOMATCH is passed back. */
-
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        md->capture_last = save_capture_last;
-        ecode += GET(ecode, 1);
-        md->mark = save_mark;
-        if (*ecode != OP_ALT) break;
-        }
-
-      DPRINTF(("bracket %d failed\n", number));
-      md->offset_vector[offset] = save_offset1;
-      md->offset_vector[offset+1] = save_offset2;
-      md->offset_vector[md->offset_end - number] = save_offset3;
-
-      /* At this point, rrc will be one of MATCH_ONCE or MATCH_NOMATCH. */
-
-      RRETURN(rrc);
-      }
-
-    /* FALL THROUGH ... Insufficient room for saving captured contents. Treat
-    as a non-capturing bracket. */
-
-    /* VVVVVVVVVVVVVVVVVVVVVVVVV */
-    /* VVVVVVVVVVVVVVVVVVVVVVVVV */
-
-    DPRINTF(("insufficient capture room: treat as non-capturing\n"));
-
-    /* VVVVVVVVVVVVVVVVVVVVVVVVV */
-    /* VVVVVVVVVVVVVVVVVVVVVVVVV */
-
-    /* Non-capturing or atomic group, except for possessive with unlimited
-    repeat and ONCE group with no captures. Loop for all the alternatives.
-
-    When we get to the final alternative within the brackets, we used to return
-    the result of a recursive call to match() whatever happened so it was
-    possible to reduce stack usage by turning this into a tail recursion,
-    except in the case of a possibly empty group. However, now that there is
-    the possiblity of (*THEN) occurring in the final alternative, this
-    optimization is no longer always possible.
-
-    We can optimize if we know there are no (*THEN)s in the pattern; at present
-    this is the best that can be done.
-
-    MATCH_ONCE is returned when the end of an atomic group is successfully
-    reached, but subsequent matching fails. It passes back up the tree (causing
-    captured values to be reset) until the original atomic group level is
-    reached. This is tested by comparing md->once_target with the start of the
-    group. At this point, the return is converted into MATCH_NOMATCH so that
-    previous backup points can be taken. */
-
-    case OP_ONCE:
-    case OP_BRA:
-    case OP_SBRA:
-    DPRINTF(("start non-capturing bracket\n"));
-
-    for (;;)
-      {
-      if (op >= OP_SBRA || op == OP_ONCE)
-        md->match_function_type = MATCH_CBEGROUP;
-
-      /* If this is not a possibly empty group, and there are no (*THEN)s in
-      the pattern, and this is the final alternative, optimize as described
-      above. */
-
-      else if (!md->hasthen && ecode[GET(ecode, 1)] != OP_ALT)
-        {
-        ecode += PRIV(OP_lengths)[*ecode];
-        goto TAIL_RECURSE;
-        }
-
-      /* In all other cases, we have to make another call to match(). */
-
-      save_mark = md->mark;
-      save_capture_last = md->capture_last;
-      RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md, eptrb,
-        RM2);
-
-      /* See comment in the code for capturing groups above about handling
-      THEN. */
-
-      if (rrc == MATCH_THEN)
-        {
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          rrc = MATCH_NOMATCH;
-        }
-
-      if (rrc != MATCH_NOMATCH)
-        {
-        if (rrc == MATCH_ONCE)
-          {
-          const pcre_uchar *scode = ecode;
-          if (*scode != OP_ONCE)           /* If not at start, find it */
-            {
-            while (*scode == OP_ALT) scode += GET(scode, 1);
-            scode -= GET(scode, 1);
-            }
-          if (md->once_target == scode) rrc = MATCH_NOMATCH;
-          }
-        RRETURN(rrc);
-        }
-      ecode += GET(ecode, 1);
-      md->mark = save_mark;
-      if (*ecode != OP_ALT) break;
-      md->capture_last = save_capture_last;
-      }
-
-    RRETURN(MATCH_NOMATCH);
-
-    /* Handle possessive capturing brackets with an unlimited repeat. We come
-    here from BRAZERO with allow_zero set TRUE. The offset_vector values are
-    handled similarly to the normal case above. However, the matching is
-    different. The end of these brackets will always be OP_KETRPOS, which
-    returns MATCH_KETRPOS without going further in the pattern. By this means
-    we can handle the group by iteration rather than recursion, thereby
-    reducing the amount of stack needed. */
-
-    case OP_CBRAPOS:
-    case OP_SCBRAPOS:
-    allow_zero = FALSE;
-
-    POSSESSIVE_CAPTURE:
-    number = GET2(ecode, 1+LINK_SIZE);
-    offset = number << 1;
-
-#ifdef PCRE_DEBUG
-    printf("start possessive bracket %d\n", number);
-    printf("subject=");
-    pchars(eptr, 16, TRUE, md);
-    printf("\n");
-#endif
-
-    if (offset >= md->offset_max) goto POSSESSIVE_NON_CAPTURE;
-
-    matched_once = FALSE;
-    code_offset = (int)(ecode - md->start_code);
-
-    save_offset1 = md->offset_vector[offset];
-    save_offset2 = md->offset_vector[offset+1];
-    save_offset3 = md->offset_vector[md->offset_end - number];
-    save_capture_last = md->capture_last;
-
-    DPRINTF(("saving %d %d %d\n", save_offset1, save_offset2, save_offset3));
-
-    /* Each time round the loop, save the current subject position for use
-    when the group matches. For MATCH_MATCH, the group has matched, so we
-    restart it with a new subject starting position, remembering that we had
-    at least one match. For MATCH_NOMATCH, carry on with the alternatives, as
-    usual. If we haven't matched any alternatives in any iteration, check to
-    see if a previous iteration matched. If so, the group has matched;
-    continue from afterwards. Otherwise it has failed; restore the previous
-    capture values before returning NOMATCH. */
-
-    for (;;)
-      {
-      md->offset_vector[md->offset_end - number] =
-        (int)(eptr - md->start_subject);
-      if (op >= OP_SBRA) md->match_function_type = MATCH_CBEGROUP;
-      RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-        eptrb, RM63);
-      if (rrc == MATCH_KETRPOS)
-        {
-        offset_top = md->end_offset_top;
-        ecode = md->start_code + code_offset;
-        save_capture_last = md->capture_last;
-        matched_once = TRUE;
-        mstart = md->start_match_ptr;    /* In case \K changed it */
-        if (eptr == md->end_match_ptr)   /* Matched an empty string */
-          {
-          do ecode += GET(ecode, 1); while (*ecode == OP_ALT);
-          break;
-          }
-        eptr = md->end_match_ptr;
-        continue;
-        }
-
-      /* See comment in the code for capturing groups above about handling
-      THEN. */
-
-      if (rrc == MATCH_THEN)
-        {
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          rrc = MATCH_NOMATCH;
-        }
-
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      md->capture_last = save_capture_last;
-      ecode += GET(ecode, 1);
-      if (*ecode != OP_ALT) break;
-      }
-
-    if (!matched_once)
-      {
-      md->offset_vector[offset] = save_offset1;
-      md->offset_vector[offset+1] = save_offset2;
-      md->offset_vector[md->offset_end - number] = save_offset3;
-      }
-
-    if (allow_zero || matched_once)
-      {
-      ecode += 1 + LINK_SIZE;
-      break;
-      }
-
-    RRETURN(MATCH_NOMATCH);
-
-    /* Non-capturing possessive bracket with unlimited repeat. We come here
-    from BRAZERO with allow_zero = TRUE. The code is similar to the above,
-    without the capturing complication. It is written out separately for speed
-    and cleanliness. */
-
-    case OP_BRAPOS:
-    case OP_SBRAPOS:
-    allow_zero = FALSE;
-
-    POSSESSIVE_NON_CAPTURE:
-    matched_once = FALSE;
-    code_offset = (int)(ecode - md->start_code);
-    save_capture_last = md->capture_last;
-
-    for (;;)
-      {
-      if (op >= OP_SBRA) md->match_function_type = MATCH_CBEGROUP;
-      RMATCH(eptr, ecode + PRIV(OP_lengths)[*ecode], offset_top, md,
-        eptrb, RM48);
-      if (rrc == MATCH_KETRPOS)
-        {
-        offset_top = md->end_offset_top;
-        ecode = md->start_code + code_offset;
-        matched_once = TRUE;
-        mstart = md->start_match_ptr;   /* In case \K reset it */
-        if (eptr == md->end_match_ptr)  /* Matched an empty string */
-          {
-          do ecode += GET(ecode, 1); while (*ecode == OP_ALT);
-          break;
-          }
-        eptr = md->end_match_ptr;
-        continue;
-        }
-
-      /* See comment in the code for capturing groups above about handling
-      THEN. */
-
-      if (rrc == MATCH_THEN)
-        {
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          rrc = MATCH_NOMATCH;
-        }
-
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      ecode += GET(ecode, 1);
-      if (*ecode != OP_ALT) break;
-      md->capture_last = save_capture_last;
-      }
-
-    if (matched_once || allow_zero)
-      {
-      ecode += 1 + LINK_SIZE;
-      break;
-      }
-    RRETURN(MATCH_NOMATCH);
-
-    /* Control never reaches here. */
-
-    /* Conditional group: compilation checked that there are no more than two
-    branches. If the condition is false, skipping the first branch takes us
-    past the end of the item if there is only one branch, but that's exactly
-    what we want. */
-
-    case OP_COND:
-    case OP_SCOND:
-
-    /* The variable codelink will be added to ecode when the condition is
-    false, to get to the second branch. Setting it to the offset to the ALT
-    or KET, then incrementing ecode achieves this effect. We now have ecode
-    pointing to the condition or callout. */
-
-    codelink = GET(ecode, 1);   /* Offset to the second branch */
-    ecode += 1 + LINK_SIZE;     /* From this opcode */
-
-    /* Because of the way auto-callout works during compile, a callout item is
-    inserted between OP_COND and an assertion condition. */
-
-    if (*ecode == OP_CALLOUT)
-      {
-      if (PUBL(callout) != NULL)
-        {
-        PUBL(callout_block) cb;
-        cb.version          = 2;   /* Version 1 of the callout block */
-        cb.callout_number   = ecode[1];
-        cb.offset_vector    = md->offset_vector;
-#if defined COMPILE_PCRE8
-        cb.subject          = (PCRE_SPTR)md->start_subject;
-#elif defined COMPILE_PCRE16
-        cb.subject          = (PCRE_SPTR16)md->start_subject;
-#elif defined COMPILE_PCRE32
-        cb.subject          = (PCRE_SPTR32)md->start_subject;
-#endif
-        cb.subject_length   = (int)(md->end_subject - md->start_subject);
-        cb.start_match      = (int)(mstart - md->start_subject);
-        cb.current_position = (int)(eptr - md->start_subject);
-        cb.pattern_position = GET(ecode, 2);
-        cb.next_item_length = GET(ecode, 2 + LINK_SIZE);
-        cb.capture_top      = offset_top/2;
-        cb.capture_last     = md->capture_last & CAPLMASK;
-        /* Internal change requires this for API compatibility. */
-        if (cb.capture_last == 0) cb.capture_last = -1;
-        cb.callout_data     = md->callout_data;
-        cb.mark             = md->nomatch_mark;
-        if ((rrc = (*PUBL(callout))(&cb)) > 0) RRETURN(MATCH_NOMATCH);
-        if (rrc < 0) RRETURN(rrc);
-        }
-
-      /* Advance ecode past the callout, so it now points to the condition. We
-      must adjust codelink so that the value of ecode+codelink is unchanged. */
-
-      ecode += PRIV(OP_lengths)[OP_CALLOUT];
-      codelink -= PRIV(OP_lengths)[OP_CALLOUT];
-      }
-
-    /* Test the various possible conditions */
-
-    condition = FALSE;
-    switch(condcode = *ecode)
-      {
-      case OP_RREF:         /* Numbered group recursion test */
-      if (md->recursive != NULL)     /* Not recursing => FALSE */
-        {
-        unsigned int recno = GET2(ecode, 1);   /* Recursion group number*/
-        condition = (recno == RREF_ANY || recno == md->recursive->group_num);
-        }
-      break;
-
-      case OP_DNRREF:       /* Duplicate named group recursion test */
-      if (md->recursive != NULL)
-        {
-        int count = GET2(ecode, 1 + IMM2_SIZE);
-        pcre_uchar *slot = md->name_table + GET2(ecode, 1) * md->name_entry_size;
-        while (count-- > 0)
-          {
-          unsigned int recno = GET2(slot, 0);
-          condition = recno == md->recursive->group_num;
-          if (condition) break;
-          slot += md->name_entry_size;
-          }
-        }
-      break;
-
-      case OP_CREF:         /* Numbered group used test */
-      offset = GET2(ecode, 1) << 1;  /* Doubled ref number */
-      condition = offset < offset_top && md->offset_vector[offset] >= 0;
-      break;
-
-      case OP_DNCREF:      /* Duplicate named group used test */
-        {
-        int count = GET2(ecode, 1 + IMM2_SIZE);
-        pcre_uchar *slot = md->name_table + GET2(ecode, 1) * md->name_entry_size;
-        while (count-- > 0)
-          {
-          offset = GET2(slot, 0) << 1;
-          condition = offset < offset_top && md->offset_vector[offset] >= 0;
-          if (condition) break;
-          slot += md->name_entry_size;
-          }
-        }
-      break;
-
-      case OP_DEF:     /* DEFINE - always false */
-      case OP_FAIL:    /* From optimized (?!) condition */
-      break;
-
-      /* The condition is an assertion. Call match() to evaluate it - setting
-      md->match_function_type to MATCH_CONDASSERT causes it to stop at the end
-      of an assertion. */
-
-      default:
-      md->match_function_type = MATCH_CONDASSERT;
-      RMATCH(eptr, ecode, offset_top, md, NULL, RM3);
-      if (rrc == MATCH_MATCH)
-        {
-        if (md->end_offset_top > offset_top)
-          offset_top = md->end_offset_top;  /* Captures may have happened */
-        condition = TRUE;
-
-        /* Advance ecode past the assertion to the start of the first branch,
-        but adjust it so that the general choosing code below works. If the
-        assertion has a quantifier that allows zero repeats we must skip over
-        the BRAZERO. This is a lunatic thing to do, but somebody did! */
-
-        if (*ecode == OP_BRAZERO) ecode++;
-        ecode += GET(ecode, 1);
-        while (*ecode == OP_ALT) ecode += GET(ecode, 1);
-        ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
-        }
-
-      /* PCRE doesn't allow the effect of (*THEN) to escape beyond an
-      assertion; it is therefore treated as NOMATCH. Any other return is an
-      error. */
-
-      else if (rrc != MATCH_NOMATCH && rrc != MATCH_THEN)
-        {
-        RRETURN(rrc);         /* Need braces because of following else */
-        }
-      break;
-      }
-
-    /* Choose branch according to the condition */
-
-    ecode += condition? PRIV(OP_lengths)[condcode] : codelink;
-
-    /* We are now at the branch that is to be obeyed. As there is only one, we
-    can use tail recursion to avoid using another stack frame, except when
-    there is unlimited repeat of a possibly empty group. In the latter case, a
-    recursive call to match() is always required, unless the second alternative
-    doesn't exist, in which case we can just plough on. Note that, for
-    compatibility with Perl, the | in a conditional group is NOT treated as
-    creating two alternatives. If a THEN is encountered in the branch, it
-    propagates out to the enclosing alternative (unless nested in a deeper set
-    of alternatives, of course). */
-
-    if (condition || ecode[-(1+LINK_SIZE)] == OP_ALT)
-      {
-      if (op != OP_SCOND)
-        {
-        goto TAIL_RECURSE;
-        }
-
-      md->match_function_type = MATCH_CBEGROUP;
-      RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
-      RRETURN(rrc);
-      }
-
-     /* Condition false & no alternative; continue after the group. */
-
-    else
-      {
-      }
-    break;
-
-
-    /* Before OP_ACCEPT there may be any number of OP_CLOSE opcodes,
-    to close any currently open capturing brackets. */
-
-    case OP_CLOSE:
-    number = GET2(ecode, 1);   /* Must be less than 65536 */
-    offset = number << 1;
-
-#ifdef PCRE_DEBUG
-      printf("end bracket %d at *ACCEPT", number);
-      printf("\n");
-#endif
-
-    md->capture_last = (md->capture_last & OVFLMASK) | number;
-    if (offset >= md->offset_max) md->capture_last |= OVFLBIT; else
-      {
-      md->offset_vector[offset] =
-        md->offset_vector[md->offset_end - number];
-      md->offset_vector[offset+1] = (int)(eptr - md->start_subject);
-
-      /* If this group is at or above the current highwater mark, ensure that
-      any groups between the current high water mark and this group are marked
-      unset and then update the high water mark. */
-
-      if (offset >= offset_top)
-        {
-        register int *iptr = md->offset_vector + offset_top;
-        register int *iend = md->offset_vector + offset;
-        while (iptr < iend) *iptr++ = -1;
-        offset_top = offset + 2;
-        }
-      }
-    ecode += 1 + IMM2_SIZE;
-    break;
-
-
-    /* End of the pattern, either real or forced. */
-
-    case OP_END:
-    case OP_ACCEPT:
-    case OP_ASSERT_ACCEPT:
-
-    /* If we have matched an empty string, fail if not in an assertion and not
-    in a recursion if either PCRE_NOTEMPTY is set, or if PCRE_NOTEMPTY_ATSTART
-    is set and we have matched at the start of the subject. In both cases,
-    backtracking will then try other alternatives, if any. */
-
-    if (eptr == mstart && op != OP_ASSERT_ACCEPT &&
-         md->recursive == NULL &&
-         (md->notempty ||
-           (md->notempty_atstart &&
-             mstart == md->start_subject + md->start_offset)))
-      RRETURN(MATCH_NOMATCH);
-
-    /* Otherwise, we have a match. */
-
-    md->end_match_ptr = eptr;           /* Record where we ended */
-    md->end_offset_top = offset_top;    /* and how many extracts were taken */
-    md->start_match_ptr = mstart;       /* and the start (\K can modify) */
-
-    /* For some reason, the macros don't work properly if an expression is
-    given as the argument to RRETURN when the heap is in use. */
-
-    rrc = (op == OP_END)? MATCH_MATCH : MATCH_ACCEPT;
-    RRETURN(rrc);
-
-    /* Assertion brackets. Check the alternative branches in turn - the
-    matching won't pass the KET for an assertion. If any one branch matches,
-    the assertion is true. Lookbehind assertions have an OP_REVERSE item at the
-    start of each branch to move the current point backwards, so the code at
-    this level is identical to the lookahead case. When the assertion is part
-    of a condition, we want to return immediately afterwards. The caller of
-    this incarnation of the match() function will have set MATCH_CONDASSERT in
-    md->match_function type, and one of these opcodes will be the first opcode
-    that is processed. We use a local variable that is preserved over calls to
-    match() to remember this case. */
-
-    case OP_ASSERT:
-    case OP_ASSERTBACK:
-    save_mark = md->mark;
-    if (md->match_function_type == MATCH_CONDASSERT)
-      {
-      condassert = TRUE;
-      md->match_function_type = 0;
-      }
-    else condassert = FALSE;
-
-    /* Loop for each branch */
-
-    do
-      {
-      RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, NULL, RM4);
-
-      /* A match means that the assertion is true; break out of the loop
-      that matches its alternatives. */
-
-      if (rrc == MATCH_MATCH || rrc == MATCH_ACCEPT)
-        {
-        mstart = md->start_match_ptr;   /* In case \K reset it */
-        break;
-        }
-
-      /* If not matched, restore the previous mark setting. */
-
-      md->mark = save_mark;
-
-      /* See comment in the code for capturing groups above about handling
-      THEN. */
-
-      if (rrc == MATCH_THEN)
-        {
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          rrc = MATCH_NOMATCH;
-        }
-
-      /* Anything other than NOMATCH causes the entire assertion to fail,
-      passing back the return code. This includes COMMIT, SKIP, PRUNE and an
-      uncaptured THEN, which means they take their normal effect. This
-      consistent approach does not always have exactly the same effect as in
-      Perl. */
-
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      ecode += GET(ecode, 1);
-      }
-    while (*ecode == OP_ALT);   /* Continue for next alternative */
-
-    /* If we have tried all the alternative branches, the assertion has
-    failed. If not, we broke out after a match. */
-
-    if (*ecode == OP_KET) RRETURN(MATCH_NOMATCH);
-
-    /* If checking an assertion for a condition, return MATCH_MATCH. */
-
-    if (condassert) RRETURN(MATCH_MATCH);
-
-    /* Continue from after a successful assertion, updating the offsets high
-    water mark, since extracts may have been taken during the assertion. */
-
-    do ecode += GET(ecode,1); while (*ecode == OP_ALT);
-    ecode += 1 + LINK_SIZE;
-    offset_top = md->end_offset_top;
-    continue;
-
-    /* Negative assertion: all branches must fail to match for the assertion to
-    succeed. */
-
-    case OP_ASSERT_NOT:
-    case OP_ASSERTBACK_NOT:
-    save_mark = md->mark;
-    if (md->match_function_type == MATCH_CONDASSERT)
-      {
-      condassert = TRUE;
-      md->match_function_type = 0;
-      }
-    else condassert = FALSE;
-
-    /* Loop for each alternative branch. */
-
-    do
-      {
-      RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, NULL, RM5);
-      md->mark = save_mark;   /* Always restore the mark setting */
-
-      switch(rrc)
-        {
-        case MATCH_MATCH:            /* A successful match means */
-        case MATCH_ACCEPT:           /* the assertion has failed. */
-        RRETURN(MATCH_NOMATCH);
-
-        case MATCH_NOMATCH:          /* Carry on with next branch */
-        break;
-
-        /* See comment in the code for capturing groups above about handling
-        THEN. */
-
-        case MATCH_THEN:
-        next = ecode + GET(ecode,1);
-        if (md->start_match_ptr < next &&
-            (*ecode == OP_ALT || *next == OP_ALT))
-          {
-          rrc = MATCH_NOMATCH;
-          break;
-          }
-        /* Otherwise fall through. */
-
-        /* COMMIT, SKIP, PRUNE, and an uncaptured THEN cause the whole
-        assertion to fail to match, without considering any more alternatives.
-        Failing to match means the assertion is true. This is a consistent
-        approach, but does not always have the same effect as in Perl. */
-
-        case MATCH_COMMIT:
-        case MATCH_SKIP:
-        case MATCH_SKIP_ARG:
-        case MATCH_PRUNE:
-        do ecode += GET(ecode,1); while (*ecode == OP_ALT);
-        goto NEG_ASSERT_TRUE;   /* Break out of alternation loop */
-
-        /* Anything else is an error */
-
-        default:
-        RRETURN(rrc);
-        }
-
-      /* Continue with next branch */
-
-      ecode += GET(ecode,1);
-      }
-    while (*ecode == OP_ALT);
-
-    /* All branches in the assertion failed to match. */
-
-    NEG_ASSERT_TRUE:
-    if (condassert) RRETURN(MATCH_MATCH);  /* Condition assertion */
-    ecode += 1 + LINK_SIZE;                /* Continue with current branch */
-    continue;
-
-    /* Move the subject pointer back. This occurs only at the start of
-    each branch of a lookbehind assertion. If we are too close to the start to
-    move back, this match function fails. When working with UTF-8 we move
-    back a number of characters, not bytes. */
-
-    case OP_REVERSE:
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      i = GET(ecode, 1);
-      while (i-- > 0)
-        {
-        eptr--;
-        if (eptr < md->start_subject) RRETURN(MATCH_NOMATCH);
-        BACKCHAR(eptr);
-        }
-      }
-    else
-#endif
-
-    /* No UTF-8 support, or not in UTF-8 mode: count is byte count */
-
-      {
-      eptr -= GET(ecode, 1);
-      if (eptr < md->start_subject) RRETURN(MATCH_NOMATCH);
-      }
-
-    /* Save the earliest consulted character, then skip to next op code */
-
-    if (eptr < md->start_used_ptr) md->start_used_ptr = eptr;
-    ecode += 1 + LINK_SIZE;
-    break;
-
-    /* The callout item calls an external function, if one is provided, passing
-    details of the match so far. This is mainly for debugging, though the
-    function is able to force a failure. */
-
-    case OP_CALLOUT:
-    if (PUBL(callout) != NULL)
-      {
-      PUBL(callout_block) cb;
-      cb.version          = 2;   /* Version 1 of the callout block */
-      cb.callout_number   = ecode[1];
-      cb.offset_vector    = md->offset_vector;
-#if defined COMPILE_PCRE8
-      cb.subject          = (PCRE_SPTR)md->start_subject;
-#elif defined COMPILE_PCRE16
-      cb.subject          = (PCRE_SPTR16)md->start_subject;
-#elif defined COMPILE_PCRE32
-      cb.subject          = (PCRE_SPTR32)md->start_subject;
-#endif
-      cb.subject_length   = (int)(md->end_subject - md->start_subject);
-      cb.start_match      = (int)(mstart - md->start_subject);
-      cb.current_position = (int)(eptr - md->start_subject);
-      cb.pattern_position = GET(ecode, 2);
-      cb.next_item_length = GET(ecode, 2 + LINK_SIZE);
-      cb.capture_top      = offset_top/2;
-      cb.capture_last     = md->capture_last & CAPLMASK;
-      /* Internal change requires this for API compatibility. */
-      if (cb.capture_last == 0) cb.capture_last = -1;
-      cb.callout_data     = md->callout_data;
-      cb.mark             = md->nomatch_mark;
-      if ((rrc = (*PUBL(callout))(&cb)) > 0) RRETURN(MATCH_NOMATCH);
-      if (rrc < 0) RRETURN(rrc);
-      }
-    ecode += 2 + 2*LINK_SIZE;
-    break;
-
-    /* Recursion either matches the current regex, or some subexpression. The
-    offset data is the offset to the starting bracket from the start of the
-    whole pattern. (This is so that it works from duplicated subpatterns.)
-
-    The state of the capturing groups is preserved over recursion, and
-    re-instated afterwards. We don't know how many are started and not yet
-    finished (offset_top records the completed total) so we just have to save
-    all the potential data. There may be up to 65535 such values, which is too
-    large to put on the stack, but using malloc for small numbers seems
-    expensive. As a compromise, the stack is used when there are no more than
-    REC_STACK_SAVE_MAX values to store; otherwise malloc is used.
-
-    There are also other values that have to be saved. We use a chained
-    sequence of blocks that actually live on the stack. Thanks to Robin Houston
-    for the original version of this logic. It has, however, been hacked around
-    a lot, so he is not to blame for the current way it works. */
-
-    case OP_RECURSE:
-      {
-      recursion_info *ri;
-      unsigned int recno;
-
-      callpat = md->start_code + GET(ecode, 1);
-      recno = (callpat == md->start_code)? 0 :
-        GET2(callpat, 1 + LINK_SIZE);
-
-      /* Check for repeating a recursion without advancing the subject pointer.
-      This should catch convoluted mutual recursions. (Some simple cases are
-      caught at compile time.) */
-
-      for (ri = md->recursive; ri != NULL; ri = ri->prevrec)
-        if (recno == ri->group_num && eptr == ri->subject_position)
-          RRETURN(PCRE_ERROR_RECURSELOOP);
-
-      /* Add to "recursing stack" */
-
-      new_recursive.group_num = recno;
-      new_recursive.saved_capture_last = md->capture_last;
-      new_recursive.subject_position = eptr;
-      new_recursive.prevrec = md->recursive;
-      md->recursive = &new_recursive;
-
-      /* Where to continue from afterwards */
-
-      ecode += 1 + LINK_SIZE;
-
-      /* Now save the offset data */
-
-      new_recursive.saved_max = md->offset_end;
-      if (new_recursive.saved_max <= REC_STACK_SAVE_MAX)
-        new_recursive.offset_save = stacksave;
-      else
-        {
-        new_recursive.offset_save =
-          (int *)(PUBL(malloc))(new_recursive.saved_max * sizeof(int));
-        if (new_recursive.offset_save == NULL) RRETURN(PCRE_ERROR_NOMEMORY);
-        }
-      memcpy(new_recursive.offset_save, md->offset_vector,
-            new_recursive.saved_max * sizeof(int));
-
-      /* OK, now we can do the recursion. After processing each alternative,
-      restore the offset data and the last captured value. If there were nested
-      recursions, md->recursive might be changed, so reset it before looping.
-      */
-
-      DPRINTF(("Recursing into group %d\n", new_recursive.group_num));
-      cbegroup = (*callpat >= OP_SBRA);
-      do
-        {
-        if (cbegroup) md->match_function_type = MATCH_CBEGROUP;
-        RMATCH(eptr, callpat + PRIV(OP_lengths)[*callpat], offset_top,
-          md, eptrb, RM6);
-        memcpy(md->offset_vector, new_recursive.offset_save,
-            new_recursive.saved_max * sizeof(int));
-        md->capture_last = new_recursive.saved_capture_last;
-        md->recursive = new_recursive.prevrec;
-        if (rrc == MATCH_MATCH || rrc == MATCH_ACCEPT)
-          {
-          DPRINTF(("Recursion matched\n"));
-          if (new_recursive.offset_save != stacksave)
-            (PUBL(free))(new_recursive.offset_save);
-
-          /* Set where we got to in the subject, and reset the start in case
-          it was changed by \K. This *is* propagated back out of a recursion,
-          for Perl compatibility. */
-
-          eptr = md->end_match_ptr;
-          mstart = md->start_match_ptr;
-          goto RECURSION_MATCHED;        /* Exit loop; end processing */
-          }
-
-        /* PCRE does not allow THEN, SKIP, PRUNE or COMMIT to escape beyond a
-        recursion; they cause a NOMATCH for the entire recursion. These codes
-        are defined in a range that can be tested for. */
-
-        if (rrc >= MATCH_BACKTRACK_MIN && rrc <= MATCH_BACKTRACK_MAX)
-          {
-          if (new_recursive.offset_save != stacksave)
-            (PUBL(free))(new_recursive.offset_save);
-          RRETURN(MATCH_NOMATCH);
-          }
-
-        /* Any return code other than NOMATCH is an error. */
-
-        if (rrc != MATCH_NOMATCH)
-          {
-          DPRINTF(("Recursion gave error %d\n", rrc));
-          if (new_recursive.offset_save != stacksave)
-            (PUBL(free))(new_recursive.offset_save);
-          RRETURN(rrc);
-          }
-
-        md->recursive = &new_recursive;
-        callpat += GET(callpat, 1);
-        }
-      while (*callpat == OP_ALT);
-
-      DPRINTF(("Recursion didn't match\n"));
-      md->recursive = new_recursive.prevrec;
-      if (new_recursive.offset_save != stacksave)
-        (PUBL(free))(new_recursive.offset_save);
-      RRETURN(MATCH_NOMATCH);
-      }
-
-    RECURSION_MATCHED:
-    break;
-
-    /* An alternation is the end of a branch; scan along to find the end of the
-    bracketed group and go to there. */
-
-    case OP_ALT:
-    do ecode += GET(ecode,1); while (*ecode == OP_ALT);
-    break;
-
-    /* BRAZERO, BRAMINZERO and SKIPZERO occur just before a bracket group,
-    indicating that it may occur zero times. It may repeat infinitely, or not
-    at all - i.e. it could be ()* or ()? or even (){0} in the pattern. Brackets
-    with fixed upper repeat limits are compiled as a number of copies, with the
-    optional ones preceded by BRAZERO or BRAMINZERO. */
-
-    case OP_BRAZERO:
-    next = ecode + 1;
-    RMATCH(eptr, next, offset_top, md, eptrb, RM10);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    do next += GET(next, 1); while (*next == OP_ALT);
-    ecode = next + 1 + LINK_SIZE;
-    break;
-
-    case OP_BRAMINZERO:
-    next = ecode + 1;
-    do next += GET(next, 1); while (*next == OP_ALT);
-    RMATCH(eptr, next + 1+LINK_SIZE, offset_top, md, eptrb, RM11);
-    if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-    ecode++;
-    break;
-
-    case OP_SKIPZERO:
-    next = ecode+1;
-    do next += GET(next,1); while (*next == OP_ALT);
-    ecode = next + 1 + LINK_SIZE;
-    break;
-
-    /* BRAPOSZERO occurs before a possessive bracket group. Don't do anything
-    here; just jump to the group, with allow_zero set TRUE. */
-
-    case OP_BRAPOSZERO:
-    op = *(++ecode);
-    allow_zero = TRUE;
-    if (op == OP_CBRAPOS || op == OP_SCBRAPOS) goto POSSESSIVE_CAPTURE;
-      goto POSSESSIVE_NON_CAPTURE;
-
-    /* End of a group, repeated or non-repeating. */
-
-    case OP_KET:
-    case OP_KETRMIN:
-    case OP_KETRMAX:
-    case OP_KETRPOS:
-    prev = ecode - GET(ecode, 1);
-
-    /* If this was a group that remembered the subject start, in order to break
-    infinite repeats of empty string matches, retrieve the subject start from
-    the chain. Otherwise, set it NULL. */
-
-    if (*prev >= OP_SBRA || *prev == OP_ONCE)
-      {
-      saved_eptr = eptrb->epb_saved_eptr;   /* Value at start of group */
-      eptrb = eptrb->epb_prev;              /* Backup to previous group */
-      }
-    else saved_eptr = NULL;
-
-    /* If we are at the end of an assertion group or a non-capturing atomic
-    group, stop matching and return MATCH_MATCH, but record the current high
-    water mark for use by positive assertions. We also need to record the match
-    start in case it was changed by \K. */
-
-    if ((*prev >= OP_ASSERT && *prev <= OP_ASSERTBACK_NOT) ||
-         *prev == OP_ONCE_NC)
-      {
-      md->end_match_ptr = eptr;      /* For ONCE_NC */
-      md->end_offset_top = offset_top;
-      md->start_match_ptr = mstart;
-      RRETURN(MATCH_MATCH);         /* Sets md->mark */
-      }
-
-    /* For capturing groups we have to check the group number back at the start
-    and if necessary complete handling an extraction by setting the offsets and
-    bumping the high water mark. Whole-pattern recursion is coded as a recurse
-    into group 0, so it won't be picked up here. Instead, we catch it when the
-    OP_END is reached. Other recursion is handled here. We just have to record
-    the current subject position and start match pointer and give a MATCH
-    return. */
-
-    if (*prev == OP_CBRA || *prev == OP_SCBRA ||
-        *prev == OP_CBRAPOS || *prev == OP_SCBRAPOS)
-      {
-      number = GET2(prev, 1+LINK_SIZE);
-      offset = number << 1;
-
-#ifdef PCRE_DEBUG
-      printf("end bracket %d", number);
-      printf("\n");
-#endif
-
-      /* Handle a recursively called group. */
-
-      if (md->recursive != NULL && md->recursive->group_num == number)
-        {
-        md->end_match_ptr = eptr;
-        md->start_match_ptr = mstart;
-        RRETURN(MATCH_MATCH);
-        }
-
-      /* Deal with capturing */
-
-      md->capture_last = (md->capture_last & OVFLMASK) | number;
-      if (offset >= md->offset_max) md->capture_last |= OVFLBIT; else
-        {
-        /* If offset is greater than offset_top, it means that we are
-        "skipping" a capturing group, and that group's offsets must be marked
-        unset. In earlier versions of PCRE, all the offsets were unset at the
-        start of matching, but this doesn't work because atomic groups and
-        assertions can cause a value to be set that should later be unset.
-        Example: matching /(?>(a))b|(a)c/ against "ac". This sets group 1 as
-        part of the atomic group, but this is not on the final matching path,
-        so must be unset when 2 is set. (If there is no group 2, there is no
-        problem, because offset_top will then be 2, indicating no capture.) */
-
-        if (offset > offset_top)
-          {
-          register int *iptr = md->offset_vector + offset_top;
-          register int *iend = md->offset_vector + offset;
-          while (iptr < iend) *iptr++ = -1;
-          }
-
-        /* Now make the extraction */
-
-        md->offset_vector[offset] =
-          md->offset_vector[md->offset_end - number];
-        md->offset_vector[offset+1] = (int)(eptr - md->start_subject);
-        if (offset_top <= offset) offset_top = offset + 2;
-        }
-      }
-
-    /* OP_KETRPOS is a possessive repeating ket. Remember the current position,
-    and return the MATCH_KETRPOS. This makes it possible to do the repeats one
-    at a time from the outer level, thus saving stack. This must precede the
-    empty string test - in this case that test is done at the outer level. */
-
-    if (*ecode == OP_KETRPOS)
-      {
-      md->start_match_ptr = mstart;    /* In case \K reset it */
-      md->end_match_ptr = eptr;
-      md->end_offset_top = offset_top;
-      RRETURN(MATCH_KETRPOS);
-      }
-
-    /* For an ordinary non-repeating ket, just continue at this level. This
-    also happens for a repeating ket if no characters were matched in the
-    group. This is the forcible breaking of infinite loops as implemented in
-    Perl 5.005. For a non-repeating atomic group that includes captures,
-    establish a backup point by processing the rest of the pattern at a lower
-    level. If this results in a NOMATCH return, pass MATCH_ONCE back to the
-    original OP_ONCE level, thereby bypassing intermediate backup points, but
-    resetting any captures that happened along the way. */
-
-    if (*ecode == OP_KET || eptr == saved_eptr)
-      {
-      if (*prev == OP_ONCE)
-        {
-        RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, eptrb, RM12);
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        md->once_target = prev;  /* Level at which to change to MATCH_NOMATCH */
-        RRETURN(MATCH_ONCE);
-        }
-      ecode += 1 + LINK_SIZE;    /* Carry on at this level */
-      break;
-      }
-
-    /* The normal repeating kets try the rest of the pattern or restart from
-    the preceding bracket, in the appropriate order. In the second case, we can
-    use tail recursion to avoid using another stack frame, unless we have an
-    an atomic group or an unlimited repeat of a group that can match an empty
-    string. */
-
-    if (*ecode == OP_KETRMIN)
-      {
-      RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, eptrb, RM7);
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      if (*prev == OP_ONCE)
-        {
-        RMATCH(eptr, prev, offset_top, md, eptrb, RM8);
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        md->once_target = prev;  /* Level at which to change to MATCH_NOMATCH */
-        RRETURN(MATCH_ONCE);
-        }
-      if (*prev >= OP_SBRA)    /* Could match an empty string */
-        {
-        RMATCH(eptr, prev, offset_top, md, eptrb, RM50);
-        RRETURN(rrc);
-        }
-      ecode = prev;
-      goto TAIL_RECURSE;
-      }
-    else  /* OP_KETRMAX */
-      {
-      RMATCH(eptr, prev, offset_top, md, eptrb, RM13);
-      if (rrc == MATCH_ONCE && md->once_target == prev) rrc = MATCH_NOMATCH;
-      if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-      if (*prev == OP_ONCE)
-        {
-        RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, eptrb, RM9);
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        md->once_target = prev;
-        RRETURN(MATCH_ONCE);
-        }
-      ecode += 1 + LINK_SIZE;
-      goto TAIL_RECURSE;
-      }
-    /* Control never gets here */
-
-    /* Not multiline mode: start of subject assertion, unless notbol. */
-
-    case OP_CIRC:
-    if (md->notbol && eptr == md->start_subject) RRETURN(MATCH_NOMATCH);
-
-    /* Start of subject assertion */
-
-    case OP_SOD:
-    if (eptr != md->start_subject) RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    /* Multiline mode: start of subject unless notbol, or after any newline. */
-
-    case OP_CIRCM:
-    if (md->notbol && eptr == md->start_subject) RRETURN(MATCH_NOMATCH);
-    if (eptr != md->start_subject &&
-        (eptr == md->end_subject || !WAS_NEWLINE(eptr)))
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    /* Start of match assertion */
-
-    case OP_SOM:
-    if (eptr != md->start_subject + md->start_offset) RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    /* Reset the start of match point */
-
-    case OP_SET_SOM:
-    mstart = eptr;
-    ecode++;
-    break;
-
-    /* Multiline mode: assert before any newline, or before end of subject
-    unless noteol is set. */
-
-    case OP_DOLLM:
-    if (eptr < md->end_subject)
-      {
-      if (!IS_NEWLINE(eptr))
-        {
-        if (md->partial != 0 &&
-            eptr + 1 >= md->end_subject &&
-            NLBLOCK->nltype == NLTYPE_FIXED &&
-            NLBLOCK->nllen == 2 &&
-            UCHAR21TEST(eptr) == NLBLOCK->nl[0])
-          {
-          md->hitend = TRUE;
-          if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-          }
-        RRETURN(MATCH_NOMATCH);
-        }
-      }
-    else
-      {
-      if (md->noteol) RRETURN(MATCH_NOMATCH);
-      SCHECK_PARTIAL();
-      }
-    ecode++;
-    break;
-
-    /* Not multiline mode: assert before a terminating newline or before end of
-    subject unless noteol is set. */
-
-    case OP_DOLL:
-    if (md->noteol) RRETURN(MATCH_NOMATCH);
-    if (!md->endonly) goto ASSERT_NL_OR_EOS;
-
-    /* ... else fall through for endonly */
-
-    /* End of subject assertion (\z) */
-
-    case OP_EOD:
-    if (eptr < md->end_subject) RRETURN(MATCH_NOMATCH);
-    SCHECK_PARTIAL();
-    ecode++;
-    break;
-
-    /* End of subject or ending \n assertion (\Z) */
-
-    case OP_EODN:
-    ASSERT_NL_OR_EOS:
-    if (eptr < md->end_subject &&
-        (!IS_NEWLINE(eptr) || eptr != md->end_subject - md->nllen))
-      {
-      if (md->partial != 0 &&
-          eptr + 1 >= md->end_subject &&
-          NLBLOCK->nltype == NLTYPE_FIXED &&
-          NLBLOCK->nllen == 2 &&
-          UCHAR21TEST(eptr) == NLBLOCK->nl[0])
-        {
-        md->hitend = TRUE;
-        if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-        }
-      RRETURN(MATCH_NOMATCH);
-      }
-
-    /* Either at end of string or \n before end. */
-
-    SCHECK_PARTIAL();
-    ecode++;
-    break;
-
-    /* Word boundary assertions */
-
-    case OP_NOT_WORD_BOUNDARY:
-    case OP_WORD_BOUNDARY:
-      {
-
-      /* Find out if the previous and current characters are "word" characters.
-      It takes a bit more work in UTF-8 mode. Characters > 255 are assumed to
-      be "non-word" characters. Remember the earliest consulted character for
-      partial matching. */
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        /* Get status of previous character */
-
-        if (eptr == md->start_subject) prev_is_word = FALSE; else
-          {
-          PCRE_PUCHAR lastptr = eptr - 1;
-          BACKCHAR(lastptr);
-          if (lastptr < md->start_used_ptr) md->start_used_ptr = lastptr;
-          GETCHAR(c, lastptr);
-#ifdef SUPPORT_UCP
-          if (md->use_ucp)
-            {
-            if (c == '_') prev_is_word = TRUE; else
-              {
-              int cat = UCD_CATEGORY(c);
-              prev_is_word = (cat == ucp_L || cat == ucp_N);
-              }
-            }
-          else
-#endif
-          prev_is_word = c < 256 && (md->ctypes[c] & ctype_word) != 0;
-          }
-
-        /* Get status of next character */
-
-        if (eptr >= md->end_subject)
-          {
-          SCHECK_PARTIAL();
-          cur_is_word = FALSE;
-          }
-        else
-          {
-          GETCHAR(c, eptr);
-#ifdef SUPPORT_UCP
-          if (md->use_ucp)
-            {
-            if (c == '_') cur_is_word = TRUE; else
-              {
-              int cat = UCD_CATEGORY(c);
-              cur_is_word = (cat == ucp_L || cat == ucp_N);
-              }
-            }
-          else
-#endif
-          cur_is_word = c < 256 && (md->ctypes[c] & ctype_word) != 0;
-          }
-        }
-      else
-#endif
-
-      /* Not in UTF-8 mode, but we may still have PCRE_UCP set, and for
-      consistency with the behaviour of \w we do use it in this case. */
-
-        {
-        /* Get status of previous character */
-
-        if (eptr == md->start_subject) prev_is_word = FALSE; else
-          {
-          if (eptr <= md->start_used_ptr) md->start_used_ptr = eptr - 1;
-#ifdef SUPPORT_UCP
-          if (md->use_ucp)
-            {
-            c = eptr[-1];
-            if (c == '_') prev_is_word = TRUE; else
-              {
-              int cat = UCD_CATEGORY(c);
-              prev_is_word = (cat == ucp_L || cat == ucp_N);
-              }
-            }
-          else
-#endif
-          prev_is_word = MAX_255(eptr[-1])
-            && ((md->ctypes[eptr[-1]] & ctype_word) != 0);
-          }
-
-        /* Get status of next character */
-
-        if (eptr >= md->end_subject)
-          {
-          SCHECK_PARTIAL();
-          cur_is_word = FALSE;
-          }
-        else
-#ifdef SUPPORT_UCP
-        if (md->use_ucp)
-          {
-          c = *eptr;
-          if (c == '_') cur_is_word = TRUE; else
-            {
-            int cat = UCD_CATEGORY(c);
-            cur_is_word = (cat == ucp_L || cat == ucp_N);
-            }
-          }
-        else
-#endif
-        cur_is_word = MAX_255(*eptr)
-          && ((md->ctypes[*eptr] & ctype_word) != 0);
-        }
-
-      /* Now see if the situation is what we want */
-
-      if ((*ecode++ == OP_WORD_BOUNDARY)?
-           cur_is_word == prev_is_word : cur_is_word != prev_is_word)
-        RRETURN(MATCH_NOMATCH);
-      }
-    break;
-
-    /* Match any single character type except newline; have to take care with
-    CRLF newlines and partial matching. */
-
-    case OP_ANY:
-    if (IS_NEWLINE(eptr)) RRETURN(MATCH_NOMATCH);
-    if (md->partial != 0 &&
-        eptr + 1 >= md->end_subject &&
-        NLBLOCK->nltype == NLTYPE_FIXED &&
-        NLBLOCK->nllen == 2 &&
-        UCHAR21TEST(eptr) == NLBLOCK->nl[0])
-      {
-      md->hitend = TRUE;
-      if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-      }
-
-    /* Fall through */
-
-    /* Match any single character whatsoever. */
-
-    case OP_ALLANY:
-    if (eptr >= md->end_subject)   /* DO NOT merge the eptr++ here; it must */
-      {                            /* not be updated before SCHECK_PARTIAL. */
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    eptr++;
-#ifdef SUPPORT_UTF
-    if (utf) ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-#endif
-    ecode++;
-    break;
-
-    /* Match a single byte, even in UTF-8 mode. This opcode really does match
-    any byte, even newline, independent of the setting of PCRE_DOTALL. */
-
-    case OP_ANYBYTE:
-    if (eptr >= md->end_subject)   /* DO NOT merge the eptr++ here; it must */
-      {                            /* not be updated before SCHECK_PARTIAL. */
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    eptr++;
-    ecode++;
-    break;
-
-    case OP_NOT_DIGIT:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c < 256 &&
-#endif
-       (md->ctypes[c] & ctype_digit) != 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_DIGIT:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c > 255 ||
-#endif
-       (md->ctypes[c] & ctype_digit) == 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_NOT_WHITESPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c < 256 &&
-#endif
-       (md->ctypes[c] & ctype_space) != 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_WHITESPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c > 255 ||
-#endif
-       (md->ctypes[c] & ctype_space) == 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_NOT_WORDCHAR:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c < 256 &&
-#endif
-       (md->ctypes[c] & ctype_word) != 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_WORDCHAR:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    if (
-#if defined SUPPORT_UTF || !(defined COMPILE_PCRE8)
-       c > 255 ||
-#endif
-       (md->ctypes[c] & ctype_word) == 0
-       )
-      RRETURN(MATCH_NOMATCH);
-    ecode++;
-    break;
-
-    case OP_ANYNL:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    switch(c)
-      {
-      default: RRETURN(MATCH_NOMATCH);
-
-      case CHAR_CR:
-      if (eptr >= md->end_subject)
-        {
-        SCHECK_PARTIAL();
-        }
-      else if (UCHAR21TEST(eptr) == CHAR_LF) eptr++;
-      break;
-
-      case CHAR_LF:
-      break;
-
-      case CHAR_VT:
-      case CHAR_FF:
-      case CHAR_NEL:
-#ifndef EBCDIC
-      case 0x2028:
-      case 0x2029:
-#endif  /* Not EBCDIC */
-      if (md->bsr_anycrlf) RRETURN(MATCH_NOMATCH);
-      break;
-      }
-    ecode++;
-    break;
-
-    case OP_NOT_HSPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    switch(c)
-      {
-      HSPACE_CASES: RRETURN(MATCH_NOMATCH);  /* Byte and multibyte cases */
-      default: break;
-      }
-    ecode++;
-    break;
-
-    case OP_HSPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    switch(c)
-      {
-      HSPACE_CASES: break;  /* Byte and multibyte cases */
-      default: RRETURN(MATCH_NOMATCH);
-      }
-    ecode++;
-    break;
-
-    case OP_NOT_VSPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    switch(c)
-      {
-      VSPACE_CASES: RRETURN(MATCH_NOMATCH);
-      default: break;
-      }
-    ecode++;
-    break;
-
-    case OP_VSPACE:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-    switch(c)
-      {
-      VSPACE_CASES: break;
-      default: RRETURN(MATCH_NOMATCH);
-      }
-    ecode++;
-    break;
-
-#ifdef SUPPORT_UCP
-    /* Check the next character by Unicode property. We will get here only
-    if the support is in the binary; otherwise a compile-time error occurs. */
-
-    case OP_PROP:
-    case OP_NOTPROP:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    GETCHARINCTEST(c, eptr);
-      {
-      const pcre_uint32 *cp;
-      const ucd_record *prop = GET_UCD(c);
-
-      switch(ecode[1])
-        {
-        case PT_ANY:
-        if (op == OP_NOTPROP) RRETURN(MATCH_NOMATCH);
-        break;
-
-        case PT_LAMP:
-        if ((prop->chartype == ucp_Lu ||
-             prop->chartype == ucp_Ll ||
-             prop->chartype == ucp_Lt) == (op == OP_NOTPROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        case PT_GC:
-        if ((ecode[2] != PRIV(ucp_gentype)[prop->chartype]) == (op == OP_PROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        case PT_PC:
-        if ((ecode[2] != prop->chartype) == (op == OP_PROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        case PT_SC:
-        if ((ecode[2] != prop->script) == (op == OP_PROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        /* These are specials */
-
-        case PT_ALNUM:
-        if ((PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-             PRIV(ucp_gentype)[prop->chartype] == ucp_N) == (op == OP_NOTPROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-        which means that Perl space and POSIX space are now identical. PCRE
-        was changed at release 8.34. */
-
-        case PT_SPACE:    /* Perl space */
-        case PT_PXSPACE:  /* POSIX space */
-        switch(c)
-          {
-          HSPACE_CASES:
-          VSPACE_CASES:
-          if (op == OP_NOTPROP) RRETURN(MATCH_NOMATCH);
-          break;
-
-          default:
-          if ((PRIV(ucp_gentype)[prop->chartype] == ucp_Z) ==
-            (op == OP_NOTPROP)) RRETURN(MATCH_NOMATCH);
-          break;
-          }
-        break;
-
-        case PT_WORD:
-        if ((PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-             PRIV(ucp_gentype)[prop->chartype] == ucp_N ||
-             c == CHAR_UNDERSCORE) == (op == OP_NOTPROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        case PT_CLIST:
-        cp = PRIV(ucd_caseless_sets) + ecode[2];
-        for (;;)
-          {
-          if (c < *cp)
-            { if (op == OP_PROP) { RRETURN(MATCH_NOMATCH); } else break; }
-          if (c == *cp++)
-            { if (op == OP_PROP) break; else { RRETURN(MATCH_NOMATCH); } }
-          }
-        break;
-
-        case PT_UCNC:
-        if ((c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-             c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-             c >= 0xe000) == (op == OP_NOTPROP))
-          RRETURN(MATCH_NOMATCH);
-        break;
-
-        /* This should never occur */
-
-        default:
-        RRETURN(PCRE_ERROR_INTERNAL);
-        }
-
-      ecode += 3;
-      }
-    break;
-
-    /* Match an extended Unicode sequence. We will get here only if the support
-    is in the binary; otherwise a compile-time error occurs. */
-
-    case OP_EXTUNI:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-    else
-      {
-      int lgb, rgb;
-      GETCHARINCTEST(c, eptr);
-      lgb = UCD_GRAPHBREAK(c);
-      while (eptr < md->end_subject)
-        {
-        int len = 1;
-        if (!utf) c = *eptr; else { GETCHARLEN(c, eptr, len); }
-        rgb = UCD_GRAPHBREAK(c);
-        if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-        lgb = rgb;
-        eptr += len;
-        }
-      }
-    CHECK_PARTIAL();
-    ecode++;
-    break;
-#endif  /* SUPPORT_UCP */
-
-
-    /* Match a back reference, possibly repeatedly. Look past the end of the
-    item to see if there is repeat information following. The code is similar
-    to that for character classes, but repeated for efficiency. Then obey
-    similar code to character type repeats - written out again for speed.
-    However, if the referenced string is the empty string, always treat
-    it as matched, any number of times (otherwise there could be infinite
-    loops). If the reference is unset, there are two possibilities:
-
-    (a) In the default, Perl-compatible state, set the length negative;
-    this ensures that every attempt at a match fails. We can't just fail
-    here, because of the possibility of quantifiers with zero minima.
-
-    (b) If the JavaScript compatibility flag is set, set the length to zero
-    so that the back reference matches an empty string.
-
-    Otherwise, set the length to the length of what was matched by the
-    referenced subpattern.
-
-    The OP_REF and OP_REFI opcodes are used for a reference to a numbered group
-    or to a non-duplicated named group. For a duplicated named group, OP_DNREF
-    and OP_DNREFI are used. In this case we must scan the list of groups to
-    which the name refers, and use the first one that is set. */
-
-    case OP_DNREF:
-    case OP_DNREFI:
-    caseless = op == OP_DNREFI;
-      {
-      int count = GET2(ecode, 1+IMM2_SIZE);
-      pcre_uchar *slot = md->name_table + GET2(ecode, 1) * md->name_entry_size;
-      ecode += 1 + 2*IMM2_SIZE;
-
-      /* Setting the default length first and initializing 'offset' avoids
-      compiler warnings in the REF_REPEAT code. */
-
-      length = (md->jscript_compat)? 0 : -1;
-      offset = 0;
-
-      while (count-- > 0)
-        {
-        offset = GET2(slot, 0) << 1;
-        if (offset < offset_top && md->offset_vector[offset] >= 0)
-          {
-          length = md->offset_vector[offset+1] - md->offset_vector[offset];
-          break;
-          }
-        slot += md->name_entry_size;
-        }
-      }
-    goto REF_REPEAT;
-
-    case OP_REF:
-    case OP_REFI:
-    caseless = op == OP_REFI;
-    offset = GET2(ecode, 1) << 1;               /* Doubled ref number */
-    ecode += 1 + IMM2_SIZE;
-    if (offset >= offset_top || md->offset_vector[offset] < 0)
-      length = (md->jscript_compat)? 0 : -1;
-    else
-      length = md->offset_vector[offset+1] - md->offset_vector[offset];
-
-    /* Set up for repetition, or handle the non-repeated case */
-
-    REF_REPEAT:
-    switch (*ecode)
-      {
-      case OP_CRSTAR:
-      case OP_CRMINSTAR:
-      case OP_CRPLUS:
-      case OP_CRMINPLUS:
-      case OP_CRQUERY:
-      case OP_CRMINQUERY:
-      c = *ecode++ - OP_CRSTAR;
-      minimize = (c & 1) != 0;
-      min = rep_min[c];                 /* Pick up values from tables; */
-      max = rep_max[c];                 /* zero for max => infinity */
-      if (max == 0) max = INT_MAX;
-      break;
-
-      case OP_CRRANGE:
-      case OP_CRMINRANGE:
-      minimize = (*ecode == OP_CRMINRANGE);
-      min = GET2(ecode, 1);
-      max = GET2(ecode, 1 + IMM2_SIZE);
-      if (max == 0) max = INT_MAX;
-      ecode += 1 + 2 * IMM2_SIZE;
-      break;
-
-      default:               /* No repeat follows */
-      if ((length = match_ref(offset, eptr, length, md, caseless)) < 0)
-        {
-        if (length == -2) eptr = md->end_subject;   /* Partial match */
-        CHECK_PARTIAL();
-        RRETURN(MATCH_NOMATCH);
-        }
-      eptr += length;
-      continue;              /* With the main loop */
-      }
-
-    /* Handle repeated back references. If the length of the reference is
-    zero, just continue with the main loop. If the length is negative, it
-    means the reference is unset in non-Java-compatible mode. If the minimum is
-    zero, we can continue at the same level without recursion. For any other
-    minimum, carrying on will result in NOMATCH. */
-
-    if (length == 0) continue;
-    if (length < 0 && min == 0) continue;
-
-    /* First, ensure the minimum number of matches are present. We get back
-    the length of the reference string explicitly rather than passing the
-    address of eptr, so that eptr can be a register variable. */
-
-    for (i = 1; i <= min; i++)
-      {
-      int slength;
-      if ((slength = match_ref(offset, eptr, length, md, caseless)) < 0)
-        {
-        if (slength == -2) eptr = md->end_subject;   /* Partial match */
-        CHECK_PARTIAL();
-        RRETURN(MATCH_NOMATCH);
-        }
-      eptr += slength;
-      }
-
-    /* If min = max, continue at the same level without recursion.
-    They are not both allowed to be zero. */
-
-    if (min == max) continue;
-
-    /* If minimizing, keep trying and advancing the pointer */
-
-    if (minimize)
-      {
-      for (fi = min;; fi++)
-        {
-        int slength;
-        RMATCH(eptr, ecode, offset_top, md, eptrb, RM14);
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        if (fi >= max) RRETURN(MATCH_NOMATCH);
-        if ((slength = match_ref(offset, eptr, length, md, caseless)) < 0)
-          {
-          if (slength == -2) eptr = md->end_subject;   /* Partial match */
-          CHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        eptr += slength;
-        }
-      /* Control never gets here */
-      }
-
-    /* If maximizing, find the longest string and work backwards */
-
-    else
-      {
-      pp = eptr;
-      for (i = min; i < max; i++)
-        {
-        int slength;
-        if ((slength = match_ref(offset, eptr, length, md, caseless)) < 0)
-          {
-          /* Can't use CHECK_PARTIAL because we don't want to update eptr in
-          the soft partial matching case. */
-
-          if (slength == -2 && md->partial != 0 &&
-              md->end_subject > md->start_used_ptr)
-            {
-            md->hitend = TRUE;
-            if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-            }
-          break;
-          }
-        eptr += slength;
-        }
-
-      while (eptr >= pp)
-        {
-        RMATCH(eptr, ecode, offset_top, md, eptrb, RM15);
-        if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-        eptr -= length;
-        }
-      RRETURN(MATCH_NOMATCH);
-      }
-    /* Control never gets here */
-
-    /* Match a bit-mapped character class, possibly repeatedly. This op code is
-    used when all the characters in the class have values in the range 0-255,
-    and either the matching is caseful, or the characters are in the range
-    0-127 when UTF-8 processing is enabled. The only difference between
-    OP_CLASS and OP_NCLASS occurs when a data character outside the range is
-    encountered.
-
-    First, look past the end of the item to see if there is repeat information
-    following. Then obey similar code to character type repeats - written out
-    again for speed. */
-
-    case OP_NCLASS:
-    case OP_CLASS:
-      {
-      /* The data variable is saved across frames, so the byte map needs to
-      be stored there. */
-#define BYTE_MAP ((pcre_uint8 *)data)
-      data = ecode + 1;                /* Save for matching */
-      ecode += 1 + (32 / sizeof(pcre_uchar)); /* Advance past the item */
-
-      switch (*ecode)
-        {
-        case OP_CRSTAR:
-        case OP_CRMINSTAR:
-        case OP_CRPLUS:
-        case OP_CRMINPLUS:
-        case OP_CRQUERY:
-        case OP_CRMINQUERY:
-        case OP_CRPOSSTAR:
-        case OP_CRPOSPLUS:
-        case OP_CRPOSQUERY:
-        c = *ecode++ - OP_CRSTAR;
-        if (c < OP_CRPOSSTAR - OP_CRSTAR) minimize = (c & 1) != 0;
-        else possessive = TRUE;
-        min = rep_min[c];                 /* Pick up values from tables; */
-        max = rep_max[c];                 /* zero for max => infinity */
-        if (max == 0) max = INT_MAX;
-        break;
-
-        case OP_CRRANGE:
-        case OP_CRMINRANGE:
-        case OP_CRPOSRANGE:
-        minimize = (*ecode == OP_CRMINRANGE);
-        possessive = (*ecode == OP_CRPOSRANGE);
-        min = GET2(ecode, 1);
-        max = GET2(ecode, 1 + IMM2_SIZE);
-        if (max == 0) max = INT_MAX;
-        ecode += 1 + 2 * IMM2_SIZE;
-        break;
-
-        default:               /* No repeat follows */
-        min = max = 1;
-        break;
-        }
-
-      /* First, ensure the minimum number of matches are present. */
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          if (c > 255)
-            {
-            if (op == OP_CLASS) RRETURN(MATCH_NOMATCH);
-            }
-          else
-            if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) RRETURN(MATCH_NOMATCH);
-          }
-        }
-      else
-#endif
-      /* Not UTF mode */
-        {
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          c = *eptr++;
-#ifndef COMPILE_PCRE8
-          if (c > 255)
-            {
-            if (op == OP_CLASS) RRETURN(MATCH_NOMATCH);
-            }
-          else
-#endif
-            if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) RRETURN(MATCH_NOMATCH);
-          }
-        }
-
-      /* If max == min we can continue with the main loop without the
-      need to recurse. */
-
-      if (min == max) continue;
-
-      /* If minimizing, keep testing the rest of the expression and advancing
-      the pointer while it matches the class. */
-
-      if (minimize)
-        {
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM16);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINC(c, eptr);
-            if (c > 255)
-              {
-              if (op == OP_CLASS) RRETURN(MATCH_NOMATCH);
-              }
-            else
-              if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) RRETURN(MATCH_NOMATCH);
-            }
-          }
-        else
-#endif
-        /* Not UTF mode */
-          {
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM17);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            c = *eptr++;
-#ifndef COMPILE_PCRE8
-            if (c > 255)
-              {
-              if (op == OP_CLASS) RRETURN(MATCH_NOMATCH);
-              }
-            else
-#endif
-              if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) RRETURN(MATCH_NOMATCH);
-            }
-          }
-        /* Control never gets here */
-        }
-
-      /* If maximizing, find the longest possible run, then work backwards. */
-
-      else
-        {
-        pp = eptr;
-
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c > 255)
-              {
-              if (op == OP_CLASS) break;
-              }
-            else
-              if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) break;
-            eptr += len;
-            }
-
-          if (possessive) continue;    /* No backtracking */
-
-          for (;;)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM18);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (eptr-- == pp) break;        /* Stop if tried at original pos */
-            BACKCHAR(eptr);
-            }
-          }
-        else
-#endif
-          /* Not UTF mode */
-          {
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            c = *eptr;
-#ifndef COMPILE_PCRE8
-            if (c > 255)
-              {
-              if (op == OP_CLASS) break;
-              }
-            else
-#endif
-              if ((BYTE_MAP[c/8] & (1 << (c&7))) == 0) break;
-            eptr++;
-            }
-
-          if (possessive) continue;    /* No backtracking */
-
-          while (eptr >= pp)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM19);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            eptr--;
-            }
-          }
-
-        RRETURN(MATCH_NOMATCH);
-        }
-#undef BYTE_MAP
-      }
-    /* Control never gets here */
-
-
-    /* Match an extended character class. In the 8-bit library, this opcode is
-    encountered only when UTF-8 mode mode is supported. In the 16-bit and
-    32-bit libraries, codepoints greater than 255 may be encountered even when
-    UTF is not supported. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-    case OP_XCLASS:
-      {
-      data = ecode + 1 + LINK_SIZE;                /* Save for matching */
-      ecode += GET(ecode, 1);                      /* Advance past the item */
-
-      switch (*ecode)
-        {
-        case OP_CRSTAR:
-        case OP_CRMINSTAR:
-        case OP_CRPLUS:
-        case OP_CRMINPLUS:
-        case OP_CRQUERY:
-        case OP_CRMINQUERY:
-        case OP_CRPOSSTAR:
-        case OP_CRPOSPLUS:
-        case OP_CRPOSQUERY:
-        c = *ecode++ - OP_CRSTAR;
-        if (c < OP_CRPOSSTAR - OP_CRSTAR) minimize = (c & 1) != 0;
-        else possessive = TRUE;
-        min = rep_min[c];                 /* Pick up values from tables; */
-        max = rep_max[c];                 /* zero for max => infinity */
-        if (max == 0) max = INT_MAX;
-        break;
-
-        case OP_CRRANGE:
-        case OP_CRMINRANGE:
-        case OP_CRPOSRANGE:
-        minimize = (*ecode == OP_CRMINRANGE);
-        possessive = (*ecode == OP_CRPOSRANGE);
-        min = GET2(ecode, 1);
-        max = GET2(ecode, 1 + IMM2_SIZE);
-        if (max == 0) max = INT_MAX;
-        ecode += 1 + 2 * IMM2_SIZE;
-        break;
-
-        default:               /* No repeat follows */
-        min = max = 1;
-        break;
-        }
-
-      /* First, ensure the minimum number of matches are present. */
-
-      for (i = 1; i <= min; i++)
-        {
-        if (eptr >= md->end_subject)
-          {
-          SCHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        GETCHARINCTEST(c, eptr);
-        if (!PRIV(xclass)(c, data, utf)) RRETURN(MATCH_NOMATCH);
-        }
-
-      /* If max == min we can continue with the main loop without the
-      need to recurse. */
-
-      if (min == max) continue;
-
-      /* If minimizing, keep testing the rest of the expression and advancing
-      the pointer while it matches the class. */
-
-      if (minimize)
-        {
-        for (fi = min;; fi++)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM20);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINCTEST(c, eptr);
-          if (!PRIV(xclass)(c, data, utf)) RRETURN(MATCH_NOMATCH);
-          }
-        /* Control never gets here */
-        }
-
-      /* If maximizing, find the longest possible run, then work backwards. */
-
-      else
-        {
-        pp = eptr;
-        for (i = min; i < max; i++)
-          {
-          int len = 1;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            break;
-            }
-#ifdef SUPPORT_UTF
-          GETCHARLENTEST(c, eptr, len);
-#else
-          c = *eptr;
-#endif
-          if (!PRIV(xclass)(c, data, utf)) break;
-          eptr += len;
-          }
-
-        if (possessive) continue;    /* No backtracking */
-
-        for(;;)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM21);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (eptr-- == pp) break;        /* Stop if tried at original pos */
-#ifdef SUPPORT_UTF
-          if (utf) BACKCHAR(eptr);
-#endif
-          }
-        RRETURN(MATCH_NOMATCH);
-        }
-
-      /* Control never gets here */
-      }
-#endif    /* End of XCLASS */
-
-    /* Match a single character, casefully */
-
-    case OP_CHAR:
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      length = 1;
-      ecode++;
-      GETCHARLEN(fc, ecode, length);
-      if (length > md->end_subject - eptr)
-        {
-        CHECK_PARTIAL();             /* Not SCHECK_PARTIAL() */
-        RRETURN(MATCH_NOMATCH);
-        }
-      while (length-- > 0) if (*ecode++ != UCHAR21INC(eptr)) RRETURN(MATCH_NOMATCH);
-      }
-    else
-#endif
-    /* Not UTF mode */
-      {
-      if (md->end_subject - eptr < 1)
-        {
-        SCHECK_PARTIAL();            /* This one can use SCHECK_PARTIAL() */
-        RRETURN(MATCH_NOMATCH);
-        }
-      if (ecode[1] != *eptr++) RRETURN(MATCH_NOMATCH);
-      ecode += 2;
-      }
-    break;
-
-    /* Match a single character, caselessly. If we are at the end of the
-    subject, give up immediately. */
-
-    case OP_CHARI:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      length = 1;
-      ecode++;
-      GETCHARLEN(fc, ecode, length);
-
-      /* If the pattern character's value is < 128, we have only one byte, and
-      we know that its other case must also be one byte long, so we can use the
-      fast lookup table. We know that there is at least one byte left in the
-      subject. */
-
-      if (fc < 128)
-        {
-        pcre_uint32 cc = UCHAR21(eptr);
-        if (md->lcc[fc] != TABLE_GET(cc, md->lcc, cc)) RRETURN(MATCH_NOMATCH);
-        ecode++;
-        eptr++;
-        }
-
-      /* Otherwise we must pick up the subject character. Note that we cannot
-      use the value of "length" to check for sufficient bytes left, because the
-      other case of the character may have more or fewer bytes.  */
-
-      else
-        {
-        pcre_uint32 dc;
-        GETCHARINC(dc, eptr);
-        ecode += length;
-
-        /* If we have Unicode property support, we can use it to test the other
-        case of the character, if there is one. */
-
-        if (fc != dc)
-          {
-#ifdef SUPPORT_UCP
-          if (dc != UCD_OTHERCASE(fc))
-#endif
-            RRETURN(MATCH_NOMATCH);
-          }
-        }
-      }
-    else
-#endif   /* SUPPORT_UTF */
-
-    /* Not UTF mode */
-      {
-      if (TABLE_GET(ecode[1], md->lcc, ecode[1])
-          != TABLE_GET(*eptr, md->lcc, *eptr)) RRETURN(MATCH_NOMATCH);
-      eptr++;
-      ecode += 2;
-      }
-    break;
-
-    /* Match a single character repeatedly. */
-
-    case OP_EXACT:
-    case OP_EXACTI:
-    min = max = GET2(ecode, 1);
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATCHAR;
-
-    case OP_POSUPTO:
-    case OP_POSUPTOI:
-    possessive = TRUE;
-    /* Fall through */
-
-    case OP_UPTO:
-    case OP_UPTOI:
-    case OP_MINUPTO:
-    case OP_MINUPTOI:
-    min = 0;
-    max = GET2(ecode, 1);
-    minimize = *ecode == OP_MINUPTO || *ecode == OP_MINUPTOI;
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATCHAR;
-
-    case OP_POSSTAR:
-    case OP_POSSTARI:
-    possessive = TRUE;
-    min = 0;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATCHAR;
-
-    case OP_POSPLUS:
-    case OP_POSPLUSI:
-    possessive = TRUE;
-    min = 1;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATCHAR;
-
-    case OP_POSQUERY:
-    case OP_POSQUERYI:
-    possessive = TRUE;
-    min = 0;
-    max = 1;
-    ecode++;
-    goto REPEATCHAR;
-
-    case OP_STAR:
-    case OP_STARI:
-    case OP_MINSTAR:
-    case OP_MINSTARI:
-    case OP_PLUS:
-    case OP_PLUSI:
-    case OP_MINPLUS:
-    case OP_MINPLUSI:
-    case OP_QUERY:
-    case OP_QUERYI:
-    case OP_MINQUERY:
-    case OP_MINQUERYI:
-    c = *ecode++ - ((op < OP_STARI)? OP_STAR : OP_STARI);
-    minimize = (c & 1) != 0;
-    min = rep_min[c];                 /* Pick up values from tables; */
-    max = rep_max[c];                 /* zero for max => infinity */
-    if (max == 0) max = INT_MAX;
-
-    /* Common code for all repeated single-character matches. We first check
-    for the minimum number of characters. If the minimum equals the maximum, we
-    are done. Otherwise, if minimizing, check the rest of the pattern for a
-    match; if there isn't one, advance up to the maximum, one character at a
-    time.
-
-    If maximizing, advance up to the maximum number of matching characters,
-    until eptr is past the end of the maximum run. If possessive, we are
-    then done (no backing up). Otherwise, match at this position; anything
-    other than no match is immediately returned. For nomatch, back up one
-    character, unless we are matching \R and the last thing matched was
-    \r\n, in which case, back up two bytes. When we reach the first optional
-    character position, we can save stack by doing a tail recurse.
-
-    The various UTF/non-UTF and caseful/caseless cases are handled separately,
-    for speed. */
-
-    REPEATCHAR:
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      length = 1;
-      charptr = ecode;
-      GETCHARLEN(fc, ecode, length);
-      ecode += length;
-
-      /* Handle multibyte character matching specially here. There is
-      support for caseless matching if UCP support is present. */
-
-      if (length > 1)
-        {
-#ifdef SUPPORT_UCP
-        pcre_uint32 othercase;
-        if (op >= OP_STARI &&     /* Caseless */
-            (othercase = UCD_OTHERCASE(fc)) != fc)
-          oclength = PRIV(ord2utf)(othercase, occhars);
-        else oclength = 0;
-#endif  /* SUPPORT_UCP */
-
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr <= md->end_subject - length &&
-            memcmp(eptr, charptr, IN_UCHARS(length)) == 0) eptr += length;
-#ifdef SUPPORT_UCP
-          else if (oclength > 0 &&
-                   eptr <= md->end_subject - oclength &&
-                   memcmp(eptr, occhars, IN_UCHARS(oclength)) == 0) eptr += oclength;
-#endif  /* SUPPORT_UCP */
-          else
-            {
-            CHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          }
-
-        if (min == max) continue;
-
-        if (minimize)
-          {
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM22);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr <= md->end_subject - length &&
-              memcmp(eptr, charptr, IN_UCHARS(length)) == 0) eptr += length;
-#ifdef SUPPORT_UCP
-            else if (oclength > 0 &&
-                     eptr <= md->end_subject - oclength &&
-                     memcmp(eptr, occhars, IN_UCHARS(oclength)) == 0) eptr += oclength;
-#endif  /* SUPPORT_UCP */
-            else
-              {
-              CHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            }
-          /* Control never gets here */
-          }
-
-        else  /* Maximize */
-          {
-          pp = eptr;
-          for (i = min; i < max; i++)
-            {
-            if (eptr <= md->end_subject - length &&
-                memcmp(eptr, charptr, IN_UCHARS(length)) == 0) eptr += length;
-#ifdef SUPPORT_UCP
-            else if (oclength > 0 &&
-                     eptr <= md->end_subject - oclength &&
-                     memcmp(eptr, occhars, IN_UCHARS(oclength)) == 0) eptr += oclength;
-#endif  /* SUPPORT_UCP */
-            else
-              {
-              CHECK_PARTIAL();
-              break;
-              }
-            }
-
-          if (possessive) continue;    /* No backtracking */
-          for(;;)
-            {
-            if (eptr <= pp) goto TAIL_RECURSE;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM23);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-#ifdef SUPPORT_UCP
-            eptr--;
-            BACKCHAR(eptr);
-#else   /* without SUPPORT_UCP */
-            eptr -= length;
-#endif  /* SUPPORT_UCP */
-            }
-          }
-        /* Control never gets here */
-        }
-
-      /* If the length of a UTF-8 character is 1, we fall through here, and
-      obey the code as for non-UTF-8 characters below, though in this case the
-      value of fc will always be < 128. */
-      }
-    else
-#endif  /* SUPPORT_UTF */
-      /* When not in UTF-8 mode, load a single-byte character. */
-      fc = *ecode++;
-
-    /* The value of fc at this point is always one character, though we may
-    or may not be in UTF mode. The code is duplicated for the caseless and
-    caseful cases, for speed, since matching characters is likely to be quite
-    common. First, ensure the minimum number of matches are present. If min =
-    max, continue at the same level without recursing. Otherwise, if
-    minimizing, keep trying the rest of the expression and advancing one
-    matching character if failing, up to the maximum. Alternatively, if
-    maximizing, find the maximum number of characters and work backwards. */
-
-    DPRINTF(("matching %c{%d,%d} against subject %.*s\n", fc, min, max,
-      max, (char *)eptr));
-
-    if (op >= OP_STARI)  /* Caseless */
-      {
-#ifdef COMPILE_PCRE8
-      /* fc must be < 128 if UTF is enabled. */
-      foc = md->fcc[fc];
-#else
-#ifdef SUPPORT_UTF
-#ifdef SUPPORT_UCP
-      if (utf && fc > 127)
-        foc = UCD_OTHERCASE(fc);
-#else
-      if (utf && fc > 127)
-        foc = fc;
-#endif /* SUPPORT_UCP */
-      else
-#endif /* SUPPORT_UTF */
-        foc = TABLE_GET(fc, md->fcc, fc);
-#endif /* COMPILE_PCRE8 */
-
-      for (i = 1; i <= min; i++)
-        {
-        pcre_uint32 cc;                 /* Faster than pcre_uchar */
-        if (eptr >= md->end_subject)
-          {
-          SCHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        cc = UCHAR21TEST(eptr);
-        if (fc != cc && foc != cc) RRETURN(MATCH_NOMATCH);
-        eptr++;
-        }
-      if (min == max) continue;
-      if (minimize)
-        {
-        for (fi = min;; fi++)
-          {
-          pcre_uint32 cc;               /* Faster than pcre_uchar */
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM24);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21TEST(eptr);
-          if (fc != cc && foc != cc) RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        /* Control never gets here */
-        }
-      else  /* Maximize */
-        {
-        pp = eptr;
-        for (i = min; i < max; i++)
-          {
-          pcre_uint32 cc;               /* Faster than pcre_uchar */
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            break;
-            }
-          cc = UCHAR21TEST(eptr);
-          if (fc != cc && foc != cc) break;
-          eptr++;
-          }
-        if (possessive) continue;       /* No backtracking */
-        for (;;)
-          {
-          if (eptr == pp) goto TAIL_RECURSE;
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM25);
-          eptr--;
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          }
-        /* Control never gets here */
-        }
-      }
-
-    /* Caseful comparisons (includes all multi-byte characters) */
-
-    else
-      {
-      for (i = 1; i <= min; i++)
-        {
-        if (eptr >= md->end_subject)
-          {
-          SCHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        if (fc != UCHAR21INCTEST(eptr)) RRETURN(MATCH_NOMATCH);
-        }
-
-      if (min == max) continue;
-
-      if (minimize)
-        {
-        for (fi = min;; fi++)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM26);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (fc != UCHAR21INCTEST(eptr)) RRETURN(MATCH_NOMATCH);
-          }
-        /* Control never gets here */
-        }
-      else  /* Maximize */
-        {
-        pp = eptr;
-        for (i = min; i < max; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            break;
-            }
-          if (fc != UCHAR21TEST(eptr)) break;
-          eptr++;
-          }
-        if (possessive) continue;    /* No backtracking */
-        for (;;)
-          {
-          if (eptr == pp) goto TAIL_RECURSE;
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM27);
-          eptr--;
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          }
-        /* Control never gets here */
-        }
-      }
-    /* Control never gets here */
-
-    /* Match a negated single one-byte character. The character we are
-    checking can be multibyte. */
-
-    case OP_NOT:
-    case OP_NOTI:
-    if (eptr >= md->end_subject)
-      {
-      SCHECK_PARTIAL();
-      RRETURN(MATCH_NOMATCH);
-      }
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      register pcre_uint32 ch, och;
-
-      ecode++;
-      GETCHARINC(ch, ecode);
-      GETCHARINC(c, eptr);
-
-      if (op == OP_NOT)
-        {
-        if (ch == c) RRETURN(MATCH_NOMATCH);
-        }
-      else
-        {
-#ifdef SUPPORT_UCP
-        if (ch > 127)
-          och = UCD_OTHERCASE(ch);
-#else
-        if (ch > 127)
-          och = ch;
-#endif /* SUPPORT_UCP */
-        else
-          och = TABLE_GET(ch, md->fcc, ch);
-        if (ch == c || och == c) RRETURN(MATCH_NOMATCH);
-        }
-      }
-    else
-#endif
-      {
-      register pcre_uint32 ch = ecode[1];
-      c = *eptr++;
-      if (ch == c || (op == OP_NOTI && TABLE_GET(ch, md->fcc, ch) == c))
-        RRETURN(MATCH_NOMATCH);
-      ecode += 2;
-      }
-    break;
-
-    /* Match a negated single one-byte character repeatedly. This is almost a
-    repeat of the code for a repeated single character, but I haven't found a
-    nice way of commoning these up that doesn't require a test of the
-    positive/negative option for each character match. Maybe that wouldn't add
-    very much to the time taken, but character matching *is* what this is all
-    about... */
-
-    case OP_NOTEXACT:
-    case OP_NOTEXACTI:
-    min = max = GET2(ecode, 1);
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTUPTO:
-    case OP_NOTUPTOI:
-    case OP_NOTMINUPTO:
-    case OP_NOTMINUPTOI:
-    min = 0;
-    max = GET2(ecode, 1);
-    minimize = *ecode == OP_NOTMINUPTO || *ecode == OP_NOTMINUPTOI;
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTPOSSTAR:
-    case OP_NOTPOSSTARI:
-    possessive = TRUE;
-    min = 0;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTPOSPLUS:
-    case OP_NOTPOSPLUSI:
-    possessive = TRUE;
-    min = 1;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTPOSQUERY:
-    case OP_NOTPOSQUERYI:
-    possessive = TRUE;
-    min = 0;
-    max = 1;
-    ecode++;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTPOSUPTO:
-    case OP_NOTPOSUPTOI:
-    possessive = TRUE;
-    min = 0;
-    max = GET2(ecode, 1);
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATNOTCHAR;
-
-    case OP_NOTSTAR:
-    case OP_NOTSTARI:
-    case OP_NOTMINSTAR:
-    case OP_NOTMINSTARI:
-    case OP_NOTPLUS:
-    case OP_NOTPLUSI:
-    case OP_NOTMINPLUS:
-    case OP_NOTMINPLUSI:
-    case OP_NOTQUERY:
-    case OP_NOTQUERYI:
-    case OP_NOTMINQUERY:
-    case OP_NOTMINQUERYI:
-    c = *ecode++ - ((op >= OP_NOTSTARI)? OP_NOTSTARI: OP_NOTSTAR);
-    minimize = (c & 1) != 0;
-    min = rep_min[c];                 /* Pick up values from tables; */
-    max = rep_max[c];                 /* zero for max => infinity */
-    if (max == 0) max = INT_MAX;
-
-    /* Common code for all repeated single-byte matches. */
-
-    REPEATNOTCHAR:
-    GETCHARINCTEST(fc, ecode);
-
-    /* The code is duplicated for the caseless and caseful cases, for speed,
-    since matching characters is likely to be quite common. First, ensure the
-    minimum number of matches are present. If min = max, continue at the same
-    level without recursing. Otherwise, if minimizing, keep trying the rest of
-    the expression and advancing one matching character if failing, up to the
-    maximum. Alternatively, if maximizing, find the maximum number of
-    characters and work backwards. */
-
-    DPRINTF(("negative matching %c{%d,%d} against subject %.*s\n", fc, min, max,
-      max, (char *)eptr));
-
-    if (op >= OP_NOTSTARI)     /* Caseless */
-      {
-#ifdef SUPPORT_UTF
-#ifdef SUPPORT_UCP
-      if (utf && fc > 127)
-        foc = UCD_OTHERCASE(fc);
-#else
-      if (utf && fc > 127)
-        foc = fc;
-#endif /* SUPPORT_UCP */
-      else
-#endif /* SUPPORT_UTF */
-        foc = TABLE_GET(fc, md->fcc, fc);
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        register pcre_uint32 d;
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(d, eptr);
-          if (fc == d || (unsigned int)foc == d) RRETURN(MATCH_NOMATCH);
-          }
-        }
-      else
-#endif  /* SUPPORT_UTF */
-      /* Not UTF mode */
-        {
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (fc == *eptr || foc == *eptr) RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        }
-
-      if (min == max) continue;
-
-      if (minimize)
-        {
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          register pcre_uint32 d;
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM28);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINC(d, eptr);
-            if (fc == d || (unsigned int)foc == d) RRETURN(MATCH_NOMATCH);
-            }
-          }
-        else
-#endif  /*SUPPORT_UTF */
-        /* Not UTF mode */
-          {
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM29);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            if (fc == *eptr || foc == *eptr) RRETURN(MATCH_NOMATCH);
-            eptr++;
-            }
-          }
-        /* Control never gets here */
-        }
-
-      /* Maximize case */
-
-      else
-        {
-        pp = eptr;
-
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          register pcre_uint32 d;
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(d, eptr, len);
-            if (fc == d || (unsigned int)foc == d) break;
-            eptr += len;
-            }
-          if (possessive) continue;    /* No backtracking */
-          for(;;)
-            {
-            if (eptr <= pp) goto TAIL_RECURSE;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM30);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            eptr--;
-            BACKCHAR(eptr);
-            }
-          }
-        else
-#endif  /* SUPPORT_UTF */
-        /* Not UTF mode */
-          {
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (fc == *eptr || foc == *eptr) break;
-            eptr++;
-            }
-          if (possessive) continue;    /* No backtracking */
-          for (;;)
-            {
-            if (eptr == pp) goto TAIL_RECURSE;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM31);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            eptr--;
-            }
-          }
-        /* Control never gets here */
-        }
-      }
-
-    /* Caseful comparisons */
-
-    else
-      {
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        register pcre_uint32 d;
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(d, eptr);
-          if (fc == d) RRETURN(MATCH_NOMATCH);
-          }
-        }
-      else
-#endif
-      /* Not UTF mode */
-        {
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (fc == *eptr++) RRETURN(MATCH_NOMATCH);
-          }
-        }
-
-      if (min == max) continue;
-
-      if (minimize)
-        {
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          register pcre_uint32 d;
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM32);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINC(d, eptr);
-            if (fc == d) RRETURN(MATCH_NOMATCH);
-            }
-          }
-        else
-#endif
-        /* Not UTF mode */
-          {
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM33);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            if (fc == *eptr++) RRETURN(MATCH_NOMATCH);
-            }
-          }
-        /* Control never gets here */
-        }
-
-      /* Maximize case */
-
-      else
-        {
-        pp = eptr;
-
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          register pcre_uint32 d;
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(d, eptr, len);
-            if (fc == d) break;
-            eptr += len;
-            }
-          if (possessive) continue;    /* No backtracking */
-          for(;;)
-            {
-            if (eptr <= pp) goto TAIL_RECURSE;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM34);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            eptr--;
-            BACKCHAR(eptr);
-            }
-          }
-        else
-#endif
-        /* Not UTF mode */
-          {
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (fc == *eptr) break;
-            eptr++;
-            }
-          if (possessive) continue;    /* No backtracking */
-          for (;;)
-            {
-            if (eptr == pp) goto TAIL_RECURSE;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM35);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            eptr--;
-            }
-          }
-        /* Control never gets here */
-        }
-      }
-    /* Control never gets here */
-
-    /* Match a single character type repeatedly; several different opcodes
-    share code. This is very similar to the code for single characters, but we
-    repeat it in the interests of efficiency. */
-
-    case OP_TYPEEXACT:
-    min = max = GET2(ecode, 1);
-    minimize = TRUE;
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATTYPE;
-
-    case OP_TYPEUPTO:
-    case OP_TYPEMINUPTO:
-    min = 0;
-    max = GET2(ecode, 1);
-    minimize = *ecode == OP_TYPEMINUPTO;
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATTYPE;
-
-    case OP_TYPEPOSSTAR:
-    possessive = TRUE;
-    min = 0;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATTYPE;
-
-    case OP_TYPEPOSPLUS:
-    possessive = TRUE;
-    min = 1;
-    max = INT_MAX;
-    ecode++;
-    goto REPEATTYPE;
-
-    case OP_TYPEPOSQUERY:
-    possessive = TRUE;
-    min = 0;
-    max = 1;
-    ecode++;
-    goto REPEATTYPE;
-
-    case OP_TYPEPOSUPTO:
-    possessive = TRUE;
-    min = 0;
-    max = GET2(ecode, 1);
-    ecode += 1 + IMM2_SIZE;
-    goto REPEATTYPE;
-
-    case OP_TYPESTAR:
-    case OP_TYPEMINSTAR:
-    case OP_TYPEPLUS:
-    case OP_TYPEMINPLUS:
-    case OP_TYPEQUERY:
-    case OP_TYPEMINQUERY:
-    c = *ecode++ - OP_TYPESTAR;
-    minimize = (c & 1) != 0;
-    min = rep_min[c];                 /* Pick up values from tables; */
-    max = rep_max[c];                 /* zero for max => infinity */
-    if (max == 0) max = INT_MAX;
-
-    /* Common code for all repeated single character type matches. Note that
-    in UTF-8 mode, '.' matches a character of any length, but for the other
-    character types, the valid characters are all one-byte long. */
-
-    REPEATTYPE:
-    ctype = *ecode++;      /* Code for the character type */
-
-#ifdef SUPPORT_UCP
-    if (ctype == OP_PROP || ctype == OP_NOTPROP)
-      {
-      prop_fail_result = ctype == OP_NOTPROP;
-      prop_type = *ecode++;
-      prop_value = *ecode++;
-      }
-    else prop_type = -1;
-#endif
-
-    /* First, ensure the minimum number of matches are present. Use inline
-    code for maximizing the speed, and do the type test once at the start
-    (i.e. keep it out of the loop). Separate the UTF-8 code completely as that
-    is tidier. Also separate the UCP code, which can be the same for both UTF-8
-    and single-bytes. */
-
-    if (min > 0)
-      {
-#ifdef SUPPORT_UCP
-      if (prop_type >= 0)
-        {
-        switch(prop_type)
-          {
-          case PT_ANY:
-          if (prop_fail_result) RRETURN(MATCH_NOMATCH);
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            }
-          break;
-
-          case PT_LAMP:
-          for (i = 1; i <= min; i++)
-            {
-            int chartype;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            chartype = UCD_CHARTYPE(c);
-            if ((chartype == ucp_Lu ||
-                 chartype == ucp_Ll ||
-                 chartype == ucp_Lt) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          case PT_GC:
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_CATEGORY(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          case PT_PC:
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_CHARTYPE(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          case PT_SC:
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_SCRIPT(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          case PT_ALNUM:
-          for (i = 1; i <= min; i++)
-            {
-            int category;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L || category == ucp_N) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            switch(c)
-              {
-              HSPACE_CASES:
-              VSPACE_CASES:
-              if (prop_fail_result) RRETURN(MATCH_NOMATCH);
-              break;
-
-              default:
-              if ((UCD_CATEGORY(c) == ucp_Z) == prop_fail_result)
-                RRETURN(MATCH_NOMATCH);
-              break;
-              }
-            }
-          break;
-
-          case PT_WORD:
-          for (i = 1; i <= min; i++)
-            {
-            int category;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L || category == ucp_N || c == CHAR_UNDERSCORE)
-                   == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          case PT_CLIST:
-          for (i = 1; i <= min; i++)
-            {
-            const pcre_uint32 *cp;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            cp = PRIV(ucd_caseless_sets) + prop_value;
-            for (;;)
-              {
-              if (c < *cp)
-                { if (prop_fail_result) break; else { RRETURN(MATCH_NOMATCH); } }
-              if (c == *cp++)
-                { if (prop_fail_result) { RRETURN(MATCH_NOMATCH); } else break; }
-              }
-            }
-          break;
-
-          case PT_UCNC:
-          for (i = 1; i <= min; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-                 c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-                 c >= 0xe000) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          break;
-
-          /* This should not occur */
-
-          default:
-          RRETURN(PCRE_ERROR_INTERNAL);
-          }
-        }
-
-      /* Match extended Unicode sequences. We will get here only if the
-      support is in the binary; otherwise a compile-time error occurs. */
-
-      else if (ctype == OP_EXTUNI)
-        {
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          else
-            {
-            int lgb, rgb;
-            GETCHARINCTEST(c, eptr);
-            lgb = UCD_GRAPHBREAK(c);
-           while (eptr < md->end_subject)
-              {
-              int len = 1;
-              if (!utf) c = *eptr; else { GETCHARLEN(c, eptr, len); }
-              rgb = UCD_GRAPHBREAK(c);
-              if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-              lgb = rgb;
-              eptr += len;
-              }
-            }
-          CHECK_PARTIAL();
-          }
-        }
-
-      else
-#endif     /* SUPPORT_UCP */
-
-/* Handle all other cases when the coding is UTF-8 */
-
-#ifdef SUPPORT_UTF
-      if (utf) switch(ctype)
-        {
-        case OP_ANY:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (IS_NEWLINE(eptr)) RRETURN(MATCH_NOMATCH);
-          if (md->partial != 0 &&
-              eptr + 1 >= md->end_subject &&
-              NLBLOCK->nltype == NLTYPE_FIXED &&
-              NLBLOCK->nllen == 2 &&
-              UCHAR21(eptr) == NLBLOCK->nl[0])
-            {
-            md->hitend = TRUE;
-            if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-            }
-          eptr++;
-          ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-          }
-        break;
-
-        case OP_ALLANY:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          eptr++;
-          ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-          }
-        break;
-
-        case OP_ANYBYTE:
-        if (eptr > md->end_subject - min) RRETURN(MATCH_NOMATCH);
-        eptr += min;
-        break;
-
-        case OP_ANYNL:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          switch(c)
-            {
-            default: RRETURN(MATCH_NOMATCH);
-
-            case CHAR_CR:
-            if (eptr < md->end_subject && UCHAR21(eptr) == CHAR_LF) eptr++;
-            break;
-
-            case CHAR_LF:
-            break;
-
-            case CHAR_VT:
-            case CHAR_FF:
-            case CHAR_NEL:
-#ifndef EBCDIC
-            case 0x2028:
-            case 0x2029:
-#endif  /* Not EBCDIC */
-            if (md->bsr_anycrlf) RRETURN(MATCH_NOMATCH);
-            break;
-            }
-          }
-        break;
-
-        case OP_NOT_HSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          switch(c)
-            {
-            HSPACE_CASES: RRETURN(MATCH_NOMATCH);  /* Byte and multibyte cases */
-            default: break;
-            }
-          }
-        break;
-
-        case OP_HSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          switch(c)
-            {
-            HSPACE_CASES: break;  /* Byte and multibyte cases */
-            default: RRETURN(MATCH_NOMATCH);
-            }
-          }
-        break;
-
-        case OP_NOT_VSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          switch(c)
-            {
-            VSPACE_CASES: RRETURN(MATCH_NOMATCH);
-            default: break;
-            }
-          }
-        break;
-
-        case OP_VSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          switch(c)
-            {
-            VSPACE_CASES: break;
-            default: RRETURN(MATCH_NOMATCH);
-            }
-          }
-        break;
-
-        case OP_NOT_DIGIT:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          GETCHARINC(c, eptr);
-          if (c < 128 && (md->ctypes[c] & ctype_digit) != 0)
-            RRETURN(MATCH_NOMATCH);
-          }
-        break;
-
-        case OP_DIGIT:
-        for (i = 1; i <= min; i++)
-          {
-          pcre_uint32 cc;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21(eptr);
-          if (cc >= 128 || (md->ctypes[cc] & ctype_digit) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          /* No need to skip more bytes - we know it's a 1-byte character */
-          }
-        break;
-
-        case OP_NOT_WHITESPACE:
-        for (i = 1; i <= min; i++)
-          {
-          pcre_uint32 cc;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21(eptr);
-          if (cc < 128 && (md->ctypes[cc] & ctype_space) != 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-          }
-        break;
-
-        case OP_WHITESPACE:
-        for (i = 1; i <= min; i++)
-          {
-          pcre_uint32 cc;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21(eptr);
-          if (cc >= 128 || (md->ctypes[cc] & ctype_space) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          /* No need to skip more bytes - we know it's a 1-byte character */
-          }
-        break;
-
-        case OP_NOT_WORDCHAR:
-        for (i = 1; i <= min; i++)
-          {
-          pcre_uint32 cc;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21(eptr);
-          if (cc < 128 && (md->ctypes[cc] & ctype_word) != 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-          }
-        break;
-
-        case OP_WORDCHAR:
-        for (i = 1; i <= min; i++)
-          {
-          pcre_uint32 cc;
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          cc = UCHAR21(eptr);
-          if (cc >= 128 || (md->ctypes[cc] & ctype_word) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          /* No need to skip more bytes - we know it's a 1-byte character */
-          }
-        break;
-
-        default:
-        RRETURN(PCRE_ERROR_INTERNAL);
-        }  /* End switch(ctype) */
-
-      else
-#endif     /* SUPPORT_UTF */
-
-      /* Code for the non-UTF-8 case for minimum matching of operators other
-      than OP_PROP and OP_NOTPROP. */
-
-      switch(ctype)
-        {
-        case OP_ANY:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (IS_NEWLINE(eptr)) RRETURN(MATCH_NOMATCH);
-          if (md->partial != 0 &&
-              eptr + 1 >= md->end_subject &&
-              NLBLOCK->nltype == NLTYPE_FIXED &&
-              NLBLOCK->nllen == 2 &&
-              *eptr == NLBLOCK->nl[0])
-            {
-            md->hitend = TRUE;
-            if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-            }
-          eptr++;
-          }
-        break;
-
-        case OP_ALLANY:
-        if (eptr > md->end_subject - min)
-          {
-          SCHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        eptr += min;
-        break;
-
-        case OP_ANYBYTE:
-        if (eptr > md->end_subject - min)
-          {
-          SCHECK_PARTIAL();
-          RRETURN(MATCH_NOMATCH);
-          }
-        eptr += min;
-        break;
-
-        case OP_ANYNL:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          switch(*eptr++)
-            {
-            default: RRETURN(MATCH_NOMATCH);
-
-            case CHAR_CR:
-            if (eptr < md->end_subject && *eptr == CHAR_LF) eptr++;
-            break;
-
-            case CHAR_LF:
-            break;
-
-            case CHAR_VT:
-            case CHAR_FF:
-            case CHAR_NEL:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-            case 0x2028:
-            case 0x2029:
-#endif
-            if (md->bsr_anycrlf) RRETURN(MATCH_NOMATCH);
-            break;
-            }
-          }
-        break;
-
-        case OP_NOT_HSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          switch(*eptr++)
-            {
-            default: break;
-            HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-            HSPACE_MULTIBYTE_CASES:
-#endif
-            RRETURN(MATCH_NOMATCH);
-            }
-          }
-        break;
-
-        case OP_HSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          switch(*eptr++)
-            {
-            default: RRETURN(MATCH_NOMATCH);
-            HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-            HSPACE_MULTIBYTE_CASES:
-#endif
-            break;
-            }
-          }
-        break;
-
-        case OP_NOT_VSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          switch(*eptr++)
-            {
-            VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-            VSPACE_MULTIBYTE_CASES:
-#endif
-            RRETURN(MATCH_NOMATCH);
-            default: break;
-            }
-          }
-        break;
-
-        case OP_VSPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          switch(*eptr++)
-            {
-            default: RRETURN(MATCH_NOMATCH);
-            VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-            VSPACE_MULTIBYTE_CASES:
-#endif
-            break;
-            }
-          }
-        break;
-
-        case OP_NOT_DIGIT:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_digit) != 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        case OP_DIGIT:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_digit) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        case OP_NOT_WHITESPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_space) != 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        case OP_WHITESPACE:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_space) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        case OP_NOT_WORDCHAR:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_word) != 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        case OP_WORDCHAR:
-        for (i = 1; i <= min; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_word) == 0)
-            RRETURN(MATCH_NOMATCH);
-          eptr++;
-          }
-        break;
-
-        default:
-        RRETURN(PCRE_ERROR_INTERNAL);
-        }
-      }
-
-    /* If min = max, continue at the same level without recursing */
-
-    if (min == max) continue;
-
-    /* If minimizing, we have to test the rest of the pattern before each
-    subsequent match. Again, separate the UTF-8 case for speed, and also
-    separate the UCP cases. */
-
-    if (minimize)
-      {
-#ifdef SUPPORT_UCP
-      if (prop_type >= 0)
-        {
-        switch(prop_type)
-          {
-          case PT_ANY:
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM36);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if (prop_fail_result) RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_LAMP:
-          for (fi = min;; fi++)
-            {
-            int chartype;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM37);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            chartype = UCD_CHARTYPE(c);
-            if ((chartype == ucp_Lu ||
-                 chartype == ucp_Ll ||
-                 chartype == ucp_Lt) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_GC:
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM38);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_CATEGORY(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_PC:
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM39);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_CHARTYPE(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_SC:
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM40);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((UCD_SCRIPT(c) == prop_value) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_ALNUM:
-          for (fi = min;; fi++)
-            {
-            int category;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM59);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L || category == ucp_N) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM61);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            switch(c)
-              {
-              HSPACE_CASES:
-              VSPACE_CASES:
-              if (prop_fail_result) RRETURN(MATCH_NOMATCH);
-              break;
-
-              default:
-              if ((UCD_CATEGORY(c) == ucp_Z) == prop_fail_result)
-                RRETURN(MATCH_NOMATCH);
-              break;
-              }
-            }
-          /* Control never gets here */
-
-          case PT_WORD:
-          for (fi = min;; fi++)
-            {
-            int category;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM62);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L ||
-                 category == ucp_N ||
-                 c == CHAR_UNDERSCORE)
-                   == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          case PT_CLIST:
-          for (fi = min;; fi++)
-            {
-            const pcre_uint32 *cp;
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM67);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            cp = PRIV(ucd_caseless_sets) + prop_value;
-            for (;;)
-              {
-              if (c < *cp)
-                { if (prop_fail_result) break; else { RRETURN(MATCH_NOMATCH); } }
-              if (c == *cp++)
-                { if (prop_fail_result) { RRETURN(MATCH_NOMATCH); } else break; }
-              }
-            }
-          /* Control never gets here */
-
-          case PT_UCNC:
-          for (fi = min;; fi++)
-            {
-            RMATCH(eptr, ecode, offset_top, md, eptrb, RM60);
-            if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-            if (fi >= max) RRETURN(MATCH_NOMATCH);
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              RRETURN(MATCH_NOMATCH);
-              }
-            GETCHARINCTEST(c, eptr);
-            if ((c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-                 c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-                 c >= 0xe000) == prop_fail_result)
-              RRETURN(MATCH_NOMATCH);
-            }
-          /* Control never gets here */
-
-          /* This should never occur */
-          default:
-          RRETURN(PCRE_ERROR_INTERNAL);
-          }
-        }
-
-      /* Match extended Unicode sequences. We will get here only if the
-      support is in the binary; otherwise a compile-time error occurs. */
-
-      else if (ctype == OP_EXTUNI)
-        {
-        for (fi = min;; fi++)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM41);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          else
-            {
-            int lgb, rgb;
-            GETCHARINCTEST(c, eptr);
-            lgb = UCD_GRAPHBREAK(c);
-            while (eptr < md->end_subject)
-              {
-              int len = 1;
-              if (!utf) c = *eptr; else { GETCHARLEN(c, eptr, len); }
-              rgb = UCD_GRAPHBREAK(c);
-              if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-              lgb = rgb;
-              eptr += len;
-              }
-            }
-          CHECK_PARTIAL();
-          }
-        }
-      else
-#endif     /* SUPPORT_UCP */
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        for (fi = min;; fi++)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM42);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (ctype == OP_ANY && IS_NEWLINE(eptr))
-            RRETURN(MATCH_NOMATCH);
-          GETCHARINC(c, eptr);
-          switch(ctype)
-            {
-            case OP_ANY:               /* This is the non-NL case */
-            if (md->partial != 0 &&    /* Take care with CRLF partial */
-                eptr >= md->end_subject &&
-                NLBLOCK->nltype == NLTYPE_FIXED &&
-                NLBLOCK->nllen == 2 &&
-                c == NLBLOCK->nl[0])
-              {
-              md->hitend = TRUE;
-              if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-              }
-            break;
-
-            case OP_ALLANY:
-            case OP_ANYBYTE:
-            break;
-
-            case OP_ANYNL:
-            switch(c)
-              {
-              default: RRETURN(MATCH_NOMATCH);
-              case CHAR_CR:
-              if (eptr < md->end_subject && UCHAR21(eptr) == CHAR_LF) eptr++;
-              break;
-
-              case CHAR_LF:
-              break;
-
-              case CHAR_VT:
-              case CHAR_FF:
-              case CHAR_NEL:
-#ifndef EBCDIC
-              case 0x2028:
-              case 0x2029:
-#endif  /* Not EBCDIC */
-              if (md->bsr_anycrlf) RRETURN(MATCH_NOMATCH);
-              break;
-              }
-            break;
-
-            case OP_NOT_HSPACE:
-            switch(c)
-              {
-              HSPACE_CASES: RRETURN(MATCH_NOMATCH);
-              default: break;
-              }
-            break;
-
-            case OP_HSPACE:
-            switch(c)
-              {
-              HSPACE_CASES: break;
-              default: RRETURN(MATCH_NOMATCH);
-              }
-            break;
-
-            case OP_NOT_VSPACE:
-            switch(c)
-              {
-              VSPACE_CASES: RRETURN(MATCH_NOMATCH);
-              default: break;
-              }
-            break;
-
-            case OP_VSPACE:
-            switch(c)
-              {
-              VSPACE_CASES: break;
-              default: RRETURN(MATCH_NOMATCH);
-              }
-            break;
-
-            case OP_NOT_DIGIT:
-            if (c < 256 && (md->ctypes[c] & ctype_digit) != 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_DIGIT:
-            if (c >= 256 || (md->ctypes[c] & ctype_digit) == 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_NOT_WHITESPACE:
-            if (c < 256 && (md->ctypes[c] & ctype_space) != 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_WHITESPACE:
-            if (c >= 256 || (md->ctypes[c] & ctype_space) == 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_NOT_WORDCHAR:
-            if (c < 256 && (md->ctypes[c] & ctype_word) != 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_WORDCHAR:
-            if (c >= 256 || (md->ctypes[c] & ctype_word) == 0)
-              RRETURN(MATCH_NOMATCH);
-            break;
-
-            default:
-            RRETURN(PCRE_ERROR_INTERNAL);
-            }
-          }
-        }
-      else
-#endif
-      /* Not UTF mode */
-        {
-        for (fi = min;; fi++)
-          {
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM43);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          if (fi >= max) RRETURN(MATCH_NOMATCH);
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            RRETURN(MATCH_NOMATCH);
-            }
-          if (ctype == OP_ANY && IS_NEWLINE(eptr))
-            RRETURN(MATCH_NOMATCH);
-          c = *eptr++;
-          switch(ctype)
-            {
-            case OP_ANY:               /* This is the non-NL case */
-            if (md->partial != 0 &&    /* Take care with CRLF partial */
-                eptr >= md->end_subject &&
-                NLBLOCK->nltype == NLTYPE_FIXED &&
-                NLBLOCK->nllen == 2 &&
-                c == NLBLOCK->nl[0])
-              {
-              md->hitend = TRUE;
-              if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-              }
-            break;
-
-            case OP_ALLANY:
-            case OP_ANYBYTE:
-            break;
-
-            case OP_ANYNL:
-            switch(c)
-              {
-              default: RRETURN(MATCH_NOMATCH);
-              case CHAR_CR:
-              if (eptr < md->end_subject && *eptr == CHAR_LF) eptr++;
-              break;
-
-              case CHAR_LF:
-              break;
-
-              case CHAR_VT:
-              case CHAR_FF:
-              case CHAR_NEL:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              case 0x2028:
-              case 0x2029:
-#endif
-              if (md->bsr_anycrlf) RRETURN(MATCH_NOMATCH);
-              break;
-              }
-            break;
-
-            case OP_NOT_HSPACE:
-            switch(c)
-              {
-              default: break;
-              HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              HSPACE_MULTIBYTE_CASES:
-#endif
-              RRETURN(MATCH_NOMATCH);
-              }
-            break;
-
-            case OP_HSPACE:
-            switch(c)
-              {
-              default: RRETURN(MATCH_NOMATCH);
-              HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              HSPACE_MULTIBYTE_CASES:
-#endif
-              break;
-              }
-            break;
-
-            case OP_NOT_VSPACE:
-            switch(c)
-              {
-              default: break;
-              VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              VSPACE_MULTIBYTE_CASES:
-#endif
-              RRETURN(MATCH_NOMATCH);
-              }
-            break;
-
-            case OP_VSPACE:
-            switch(c)
-              {
-              default: RRETURN(MATCH_NOMATCH);
-              VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              VSPACE_MULTIBYTE_CASES:
-#endif
-              break;
-              }
-            break;
-
-            case OP_NOT_DIGIT:
-            if (MAX_255(c) && (md->ctypes[c] & ctype_digit) != 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_DIGIT:
-            if (!MAX_255(c) || (md->ctypes[c] & ctype_digit) == 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_NOT_WHITESPACE:
-            if (MAX_255(c) && (md->ctypes[c] & ctype_space) != 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_WHITESPACE:
-            if (!MAX_255(c) || (md->ctypes[c] & ctype_space) == 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_NOT_WORDCHAR:
-            if (MAX_255(c) && (md->ctypes[c] & ctype_word) != 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            case OP_WORDCHAR:
-            if (!MAX_255(c) || (md->ctypes[c] & ctype_word) == 0) RRETURN(MATCH_NOMATCH);
-            break;
-
-            default:
-            RRETURN(PCRE_ERROR_INTERNAL);
-            }
-          }
-        }
-      /* Control never gets here */
-      }
-
-    /* If maximizing, it is worth using inline code for speed, doing the type
-    test once at the start (i.e. keep it out of the loop). Again, keep the
-    UTF-8 and UCP stuff separate. */
-
-    else
-      {
-      pp = eptr;  /* Remember where we started */
-
-#ifdef SUPPORT_UCP
-      if (prop_type >= 0)
-        {
-        switch(prop_type)
-          {
-          case PT_ANY:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            if (prop_fail_result) break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_LAMP:
-          for (i = min; i < max; i++)
-            {
-            int chartype;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            chartype = UCD_CHARTYPE(c);
-            if ((chartype == ucp_Lu ||
-                 chartype == ucp_Ll ||
-                 chartype == ucp_Lt) == prop_fail_result)
-              break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_GC:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            if ((UCD_CATEGORY(c) == prop_value) == prop_fail_result) break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_PC:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            if ((UCD_CHARTYPE(c) == prop_value) == prop_fail_result) break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_SC:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            if ((UCD_SCRIPT(c) == prop_value) == prop_fail_result) break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_ALNUM:
-          for (i = min; i < max; i++)
-            {
-            int category;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L || category == ucp_N) == prop_fail_result)
-              break;
-            eptr+= len;
-            }
-          break;
-
-          /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-          which means that Perl space and POSIX space are now identical. PCRE
-          was changed at release 8.34. */
-
-          case PT_SPACE:    /* Perl space */
-          case PT_PXSPACE:  /* POSIX space */
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            switch(c)
-              {
-              HSPACE_CASES:
-              VSPACE_CASES:
-              if (prop_fail_result) goto ENDLOOP99;  /* Break the loop */
-              break;
-
-              default:
-              if ((UCD_CATEGORY(c) == ucp_Z) == prop_fail_result)
-                goto ENDLOOP99;   /* Break the loop */
-              break;
-              }
-            eptr+= len;
-            }
-          ENDLOOP99:
-          break;
-
-          case PT_WORD:
-          for (i = min; i < max; i++)
-            {
-            int category;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            category = UCD_CATEGORY(c);
-            if ((category == ucp_L || category == ucp_N ||
-                 c == CHAR_UNDERSCORE) == prop_fail_result)
-              break;
-            eptr+= len;
-            }
-          break;
-
-          case PT_CLIST:
-          for (i = min; i < max; i++)
-            {
-            const pcre_uint32 *cp;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            cp = PRIV(ucd_caseless_sets) + prop_value;
-            for (;;)
-              {
-              if (c < *cp)
-                { if (prop_fail_result) break; else goto GOT_MAX; }
-              if (c == *cp++)
-                { if (prop_fail_result) goto GOT_MAX; else break; }
-              }
-            eptr += len;
-            }
-          GOT_MAX:
-          break;
-
-          case PT_UCNC:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLENTEST(c, eptr, len);
-            if ((c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-                 c == CHAR_GRAVE_ACCENT || (c >= 0xa0 && c <= 0xd7ff) ||
-                 c >= 0xe000) == prop_fail_result)
-              break;
-            eptr += len;
-            }
-          break;
-
-          default:
-          RRETURN(PCRE_ERROR_INTERNAL);
-          }
-
-        /* eptr is now past the end of the maximum run */
-
-        if (possessive) continue;    /* No backtracking */
-        for(;;)
-          {
-          if (eptr <= pp) goto TAIL_RECURSE;
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM44);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          eptr--;
-          if (utf) BACKCHAR(eptr);
-          }
-        }
-
-      /* Match extended Unicode grapheme clusters. We will get here only if the
-      support is in the binary; otherwise a compile-time error occurs. */
-
-      else if (ctype == OP_EXTUNI)
-        {
-        for (i = min; i < max; i++)
-          {
-          if (eptr >= md->end_subject)
-            {
-            SCHECK_PARTIAL();
-            break;
-            }
-          else
-            {
-            int lgb, rgb;
-            GETCHARINCTEST(c, eptr);
-            lgb = UCD_GRAPHBREAK(c);
-            while (eptr < md->end_subject)
-              {
-              int len = 1;
-              if (!utf) c = *eptr; else { GETCHARLEN(c, eptr, len); }
-              rgb = UCD_GRAPHBREAK(c);
-              if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-              lgb = rgb;
-              eptr += len;
-              }
-            }
-          CHECK_PARTIAL();
-          }
-
-        /* eptr is now past the end of the maximum run */
-
-        if (possessive) continue;    /* No backtracking */
-
-        /* We use <= pp rather than == pp to detect the start of the run while
-        backtracking because the use of \C in UTF mode can cause BACKCHAR to
-        move back past pp. This is just palliative; the use of \C in UTF mode
-        is fraught with danger. */
-
-        for(;;)
-          {
-          int lgb, rgb;
-          PCRE_PUCHAR fptr;
-
-          if (eptr <= pp) goto TAIL_RECURSE;   /* At start of char run */
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM45);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-
-          /* Backtracking over an extended grapheme cluster involves inspecting
-          the previous two characters (if present) to see if a break is
-          permitted between them. */
-
-          eptr--;
-          if (!utf) c = *eptr; else
-            {
-            BACKCHAR(eptr);
-            GETCHAR(c, eptr);
-            }
-          rgb = UCD_GRAPHBREAK(c);
-
-          for (;;)
-            {
-            if (eptr <= pp) goto TAIL_RECURSE;   /* At start of char run */
-            fptr = eptr - 1;
-            if (!utf) c = *fptr; else
-              {
-              BACKCHAR(fptr);
-              GETCHAR(c, fptr);
-              }
-            lgb = UCD_GRAPHBREAK(c);
-            if ((PRIV(ucp_gbtable)[lgb] & (1 << rgb)) == 0) break;
-            eptr = fptr;
-            rgb = lgb;
-            }
-          }
-        }
-
-      else
-#endif   /* SUPPORT_UCP */
-
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-        switch(ctype)
-          {
-          case OP_ANY:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (IS_NEWLINE(eptr)) break;
-            if (md->partial != 0 &&    /* Take care with CRLF partial */
-                eptr + 1 >= md->end_subject &&
-                NLBLOCK->nltype == NLTYPE_FIXED &&
-                NLBLOCK->nllen == 2 &&
-                UCHAR21(eptr) == NLBLOCK->nl[0])
-              {
-              md->hitend = TRUE;
-              if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-              }
-            eptr++;
-            ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-            }
-          break;
-
-          case OP_ALLANY:
-          if (max < INT_MAX)
-            {
-            for (i = min; i < max; i++)
-              {
-              if (eptr >= md->end_subject)
-                {
-                SCHECK_PARTIAL();
-                break;
-                }
-              eptr++;
-              ACROSSCHAR(eptr < md->end_subject, *eptr, eptr++);
-              }
-            }
-          else
-            {
-            eptr = md->end_subject;   /* Unlimited UTF-8 repeat */
-            SCHECK_PARTIAL();
-            }
-          break;
-
-          /* The byte case is the same as non-UTF8 */
-
-          case OP_ANYBYTE:
-          c = max - min;
-          if (c > (unsigned int)(md->end_subject - eptr))
-            {
-            eptr = md->end_subject;
-            SCHECK_PARTIAL();
-            }
-          else eptr += c;
-          break;
-
-          case OP_ANYNL:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c == CHAR_CR)
-              {
-              if (++eptr >= md->end_subject) break;
-              if (UCHAR21(eptr) == CHAR_LF) eptr++;
-              }
-            else
-              {
-              if (c != CHAR_LF &&
-                  (md->bsr_anycrlf ||
-                   (c != CHAR_VT && c != CHAR_FF && c != CHAR_NEL
-#ifndef EBCDIC
-                    && c != 0x2028 && c != 0x2029
-#endif  /* Not EBCDIC */
-                    )))
-                break;
-              eptr += len;
-              }
-            }
-          break;
-
-          case OP_NOT_HSPACE:
-          case OP_HSPACE:
-          for (i = min; i < max; i++)
-            {
-            BOOL gotspace;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            switch(c)
-              {
-              HSPACE_CASES: gotspace = TRUE; break;
-              default: gotspace = FALSE; break;
-              }
-            if (gotspace == (ctype == OP_NOT_HSPACE)) break;
-            eptr += len;
-            }
-          break;
-
-          case OP_NOT_VSPACE:
-          case OP_VSPACE:
-          for (i = min; i < max; i++)
-            {
-            BOOL gotspace;
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            switch(c)
-              {
-              VSPACE_CASES: gotspace = TRUE; break;
-              default: gotspace = FALSE; break;
-              }
-            if (gotspace == (ctype == OP_NOT_VSPACE)) break;
-            eptr += len;
-            }
-          break;
-
-          case OP_NOT_DIGIT:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c < 256 && (md->ctypes[c] & ctype_digit) != 0) break;
-            eptr+= len;
-            }
-          break;
-
-          case OP_DIGIT:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c >= 256 ||(md->ctypes[c] & ctype_digit) == 0) break;
-            eptr+= len;
-            }
-          break;
-
-          case OP_NOT_WHITESPACE:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c < 256 && (md->ctypes[c] & ctype_space) != 0) break;
-            eptr+= len;
-            }
-          break;
-
-          case OP_WHITESPACE:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c >= 256 ||(md->ctypes[c] & ctype_space) == 0) break;
-            eptr+= len;
-            }
-          break;
-
-          case OP_NOT_WORDCHAR:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c < 256 && (md->ctypes[c] & ctype_word) != 0) break;
-            eptr+= len;
-            }
-          break;
-
-          case OP_WORDCHAR:
-          for (i = min; i < max; i++)
-            {
-            int len = 1;
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            GETCHARLEN(c, eptr, len);
-            if (c >= 256 || (md->ctypes[c] & ctype_word) == 0) break;
-            eptr+= len;
-            }
-          break;
-
-          default:
-          RRETURN(PCRE_ERROR_INTERNAL);
-          }
-
-        if (possessive) continue;    /* No backtracking */
-        for(;;)
-          {
-          if (eptr <= pp) goto TAIL_RECURSE;
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM46);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          eptr--;
-          BACKCHAR(eptr);
-          if (ctype == OP_ANYNL && eptr > pp  && UCHAR21(eptr) == CHAR_NL &&
-              UCHAR21(eptr - 1) == CHAR_CR) eptr--;
-          }
-        }
-      else
-#endif  /* SUPPORT_UTF */
-      /* Not UTF mode */
-        {
-        switch(ctype)
-          {
-          case OP_ANY:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (IS_NEWLINE(eptr)) break;
-            if (md->partial != 0 &&    /* Take care with CRLF partial */
-                eptr + 1 >= md->end_subject &&
-                NLBLOCK->nltype == NLTYPE_FIXED &&
-                NLBLOCK->nllen == 2 &&
-                *eptr == NLBLOCK->nl[0])
-              {
-              md->hitend = TRUE;
-              if (md->partial > 1) RRETURN(PCRE_ERROR_PARTIAL);
-              }
-            eptr++;
-            }
-          break;
-
-          case OP_ALLANY:
-          case OP_ANYBYTE:
-          c = max - min;
-          if (c > (unsigned int)(md->end_subject - eptr))
-            {
-            eptr = md->end_subject;
-            SCHECK_PARTIAL();
-            }
-          else eptr += c;
-          break;
-
-          case OP_ANYNL:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            c = *eptr;
-            if (c == CHAR_CR)
-              {
-              if (++eptr >= md->end_subject) break;
-              if (*eptr == CHAR_LF) eptr++;
-              }
-            else
-              {
-              if (c != CHAR_LF && (md->bsr_anycrlf ||
-                 (c != CHAR_VT && c != CHAR_FF && c != CHAR_NEL
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-                 && c != 0x2028 && c != 0x2029
-#endif
-                 ))) break;
-              eptr++;
-              }
-            }
-          break;
-
-          case OP_NOT_HSPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            switch(*eptr)
-              {
-              default: eptr++; break;
-              HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              HSPACE_MULTIBYTE_CASES:
-#endif
-              goto ENDLOOP00;
-              }
-            }
-          ENDLOOP00:
-          break;
-
-          case OP_HSPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            switch(*eptr)
-              {
-              default: goto ENDLOOP01;
-              HSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              HSPACE_MULTIBYTE_CASES:
-#endif
-              eptr++; break;
-              }
-            }
-          ENDLOOP01:
-          break;
-
-          case OP_NOT_VSPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            switch(*eptr)
-              {
-              default: eptr++; break;
-              VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              VSPACE_MULTIBYTE_CASES:
-#endif
-              goto ENDLOOP02;
-              }
-            }
-          ENDLOOP02:
-          break;
-
-          case OP_VSPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            switch(*eptr)
-              {
-              default: goto ENDLOOP03;
-              VSPACE_BYTE_CASES:
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-              VSPACE_MULTIBYTE_CASES:
-#endif
-              eptr++; break;
-              }
-            }
-          ENDLOOP03:
-          break;
-
-          case OP_NOT_DIGIT:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_digit) != 0) break;
-            eptr++;
-            }
-          break;
-
-          case OP_DIGIT:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_digit) == 0) break;
-            eptr++;
-            }
-          break;
-
-          case OP_NOT_WHITESPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_space) != 0) break;
-            eptr++;
-            }
-          break;
-
-          case OP_WHITESPACE:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_space) == 0) break;
-            eptr++;
-            }
-          break;
-
-          case OP_NOT_WORDCHAR:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (MAX_255(*eptr) && (md->ctypes[*eptr] & ctype_word) != 0) break;
-            eptr++;
-            }
-          break;
-
-          case OP_WORDCHAR:
-          for (i = min; i < max; i++)
-            {
-            if (eptr >= md->end_subject)
-              {
-              SCHECK_PARTIAL();
-              break;
-              }
-            if (!MAX_255(*eptr) || (md->ctypes[*eptr] & ctype_word) == 0) break;
-            eptr++;
-            }
-          break;
-
-          default:
-          RRETURN(PCRE_ERROR_INTERNAL);
-          }
-
-        if (possessive) continue;    /* No backtracking */
-        for (;;)
-          {
-          if (eptr == pp) goto TAIL_RECURSE;
-          RMATCH(eptr, ecode, offset_top, md, eptrb, RM47);
-          if (rrc != MATCH_NOMATCH) RRETURN(rrc);
-          eptr--;
-          if (ctype == OP_ANYNL && eptr > pp  && *eptr == CHAR_LF &&
-              eptr[-1] == CHAR_CR) eptr--;
-          }
-        }
-
-      /* Control never gets here */
-      }
-
-    /* There's been some horrible disaster. Arrival here can only mean there is
-    something seriously wrong in the code above or the OP_xxx definitions. */
-
-    default:
-    DPRINTF(("Unknown opcode %d\n", *ecode));
-    RRETURN(PCRE_ERROR_UNKNOWN_OPCODE);
-    }
-
-  /* Do not stick any code in here without much thought; it is assumed
-  that "continue" in the code above comes out to here to repeat the main
-  loop. */
-
-  }             /* End of main loop */
-/* Control never reaches here */
-
-
-/* When compiling to use the heap rather than the stack for recursive calls to
-match(), the RRETURN() macro jumps here. The number that is saved in
-frame->Xwhere indicates which label we actually want to return to. */
-
-#ifdef NO_RECURSE
-#define LBL(val) case val: goto L_RM##val;
-HEAP_RETURN:
-switch (frame->Xwhere)
-  {
-  LBL( 1) LBL( 2) LBL( 3) LBL( 4) LBL( 5) LBL( 6) LBL( 7) LBL( 8)
-  LBL( 9) LBL(10) LBL(11) LBL(12) LBL(13) LBL(14) LBL(15) LBL(17)
-  LBL(19) LBL(24) LBL(25) LBL(26) LBL(27) LBL(29) LBL(31) LBL(33)
-  LBL(35) LBL(43) LBL(47) LBL(48) LBL(49) LBL(50) LBL(51) LBL(52)
-  LBL(53) LBL(54) LBL(55) LBL(56) LBL(57) LBL(58) LBL(63) LBL(64)
-  LBL(65) LBL(66)
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-  LBL(20) LBL(21)
-#endif
-#ifdef SUPPORT_UTF
-  LBL(16) LBL(18)
-  LBL(22) LBL(23) LBL(28) LBL(30)
-  LBL(32) LBL(34) LBL(42) LBL(46)
-#ifdef SUPPORT_UCP
-  LBL(36) LBL(37) LBL(38) LBL(39) LBL(40) LBL(41) LBL(44) LBL(45)
-  LBL(59) LBL(60) LBL(61) LBL(62) LBL(67)
-#endif  /* SUPPORT_UCP */
-#endif  /* SUPPORT_UTF */
-  default:
-  DPRINTF(("jump error in pcre match: label %d non-existent\n", frame->Xwhere));
-  return PCRE_ERROR_INTERNAL;
-  }
-#undef LBL
-#endif  /* NO_RECURSE */
-}
-
-
-/***************************************************************************
-****************************************************************************
-                   RECURSION IN THE match() FUNCTION
-
-Undefine all the macros that were defined above to handle this. */
-
-#ifdef NO_RECURSE
-#undef eptr
-#undef ecode
-#undef mstart
-#undef offset_top
-#undef eptrb
-#undef flags
-
-#undef callpat
-#undef charptr
-#undef data
-#undef next
-#undef pp
-#undef prev
-#undef saved_eptr
-
-#undef new_recursive
-
-#undef cur_is_word
-#undef condition
-#undef prev_is_word
-
-#undef ctype
-#undef length
-#undef max
-#undef min
-#undef number
-#undef offset
-#undef op
-#undef save_capture_last
-#undef save_offset1
-#undef save_offset2
-#undef save_offset3
-#undef stacksave
-
-#undef newptrb
-
-#endif
-
-/* These two are defined as macros in both cases */
-
-#undef fc
-#undef fi
-
-/***************************************************************************
-***************************************************************************/
-
-
-#ifdef NO_RECURSE
-/*************************************************
-*          Release allocated heap frames         *
-*************************************************/
-
-/* This function releases all the allocated frames. The base frame is on the
-machine stack, and so must not be freed.
-
-Argument: the address of the base frame
-Returns:  nothing
-*/
-
-static void
-release_match_heapframes (heapframe *frame_base)
-{
-heapframe *nextframe = frame_base->Xnextframe;
-while (nextframe != NULL)
-  {
-  heapframe *oldframe = nextframe;
-  nextframe = nextframe->Xnextframe;
-  (PUBL(stack_free))(oldframe);
-  }
-}
-#endif
-
-
-/*************************************************
-*         Execute a Regular Expression           *
-*************************************************/
-
-/* This function applies a compiled re to a subject string and picks out
-portions of the string if it matches. Two elements in the vector are set for
-each substring: the offsets to the start and end of the substring.
-
-Arguments:
-  argument_re     points to the compiled expression
-  extra_data      points to extra data or is NULL
-  subject         points to the subject string
-  length          length of subject string (may contain binary zeros)
-  start_offset    where to start in the subject string
-  options         option bits
-  offsets         points to a vector of ints to be filled in with offsets
-  offsetcount     the number of elements in the vector
-
-Returns:          > 0 => success; value is the number of elements filled in
-                  = 0 => success, but offsets is not big enough
-                   -1 => failed to match
-                 < -1 => some kind of unexpected problem
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_exec(const pcre *argument_re, const pcre_extra *extra_data,
-  PCRE_SPTR subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_exec(const pcre16 *argument_re, const pcre16_extra *extra_data,
-  PCRE_SPTR16 subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_exec(const pcre32 *argument_re, const pcre32_extra *extra_data,
-  PCRE_SPTR32 subject, int length, int start_offset, int options, int *offsets,
-  int offsetcount)
-#endif
-{
-int rc, ocount, arg_offset_max;
-int newline;
-BOOL using_temporary_offsets = FALSE;
-BOOL anchored;
-BOOL startline;
-BOOL firstline;
-BOOL utf;
-BOOL has_first_char = FALSE;
-BOOL has_req_char = FALSE;
-pcre_uchar first_char = 0;
-pcre_uchar first_char2 = 0;
-pcre_uchar req_char = 0;
-pcre_uchar req_char2 = 0;
-match_data match_block;
-match_data *md = &match_block;
-const pcre_uint8 *tables;
-const pcre_uint8 *start_bits = NULL;
-PCRE_PUCHAR start_match = (PCRE_PUCHAR)subject + start_offset;
-PCRE_PUCHAR end_subject;
-PCRE_PUCHAR start_partial = NULL;
-PCRE_PUCHAR match_partial = NULL;
-PCRE_PUCHAR req_char_ptr = start_match - 1;
-
-const pcre_study_data *study;
-const REAL_PCRE *re = (const REAL_PCRE *)argument_re;
-
-#ifdef NO_RECURSE
-heapframe frame_zero;
-frame_zero.Xprevframe = NULL;            /* Marks the top level */
-frame_zero.Xnextframe = NULL;            /* None are allocated yet */
-md->match_frames_base = &frame_zero;
-#endif
-
-/* Check for the special magic call that measures the size of the stack used
-per recursive call of match(). Without the funny casting for sizeof, a Windows
-compiler gave this error: "unary minus operator applied to unsigned type,
-result still unsigned". Hopefully the cast fixes that. */
-
-if (re == NULL && extra_data == NULL && subject == NULL && length == -999 &&
-    start_offset == -999)
-#ifdef NO_RECURSE
-  return -((int)sizeof(heapframe));
-#else
-  return match(NULL, NULL, NULL, 0, NULL, NULL, 0);
-#endif
-
-/* Plausibility checks */
-
-if ((options & ~PUBLIC_EXEC_OPTIONS) != 0) return PCRE_ERROR_BADOPTION;
-if (re == NULL || subject == NULL || (offsets == NULL && offsetcount > 0))
-  return PCRE_ERROR_NULL;
-if (offsetcount < 0) return PCRE_ERROR_BADCOUNT;
-if (length < 0) return PCRE_ERROR_BADLENGTH;
-if (start_offset < 0 || start_offset > length) return PCRE_ERROR_BADOFFSET;
-
-/* Check that the first field in the block is the magic number. If it is not,
-return with PCRE_ERROR_BADMAGIC. However, if the magic number is equal to
-REVERSED_MAGIC_NUMBER we return with PCRE_ERROR_BADENDIANNESS, which
-means that the pattern is likely compiled with different endianness. */
-
-if (re->magic_number != MAGIC_NUMBER)
-  return re->magic_number == REVERSED_MAGIC_NUMBER?
-    PCRE_ERROR_BADENDIANNESS:PCRE_ERROR_BADMAGIC;
-if ((re->flags & PCRE_MODE) == 0) return PCRE_ERROR_BADMODE;
-
-/* These two settings are used in the code for checking a UTF-8 string that
-follows immediately afterwards. Other values in the md block are used only
-during "normal" pcre_exec() processing, not when the JIT support is in use,
-so they are set up later. */
-
-/* PCRE_UTF16 has the same value as PCRE_UTF8. */
-utf = md->utf = (re->options & PCRE_UTF8) != 0;
-md->partial = ((options & PCRE_PARTIAL_HARD) != 0)? 2 :
-              ((options & PCRE_PARTIAL_SOFT) != 0)? 1 : 0;
-
-/* Check a UTF-8 string if required. Pass back the character offset and error
-code for an invalid string if a results vector is available. */
-
-#ifdef SUPPORT_UTF
-if (utf && (options & PCRE_NO_UTF8_CHECK) == 0)
-  {
-  int erroroffset;
-  int errorcode = PRIV(valid_utf)((PCRE_PUCHAR)subject, length, &erroroffset);
-  if (errorcode != 0)
-    {
-    if (offsetcount >= 2)
-      {
-      offsets[0] = erroroffset;
-      offsets[1] = errorcode;
-      }
-#if defined COMPILE_PCRE8
-    return (errorcode <= PCRE_UTF8_ERR5 && md->partial > 1)?
-      PCRE_ERROR_SHORTUTF8 : PCRE_ERROR_BADUTF8;
-#elif defined COMPILE_PCRE16
-    return (errorcode <= PCRE_UTF16_ERR1 && md->partial > 1)?
-      PCRE_ERROR_SHORTUTF16 : PCRE_ERROR_BADUTF16;
-#elif defined COMPILE_PCRE32
-    return PCRE_ERROR_BADUTF32;
-#endif
-    }
-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
-  /* Check that a start_offset points to the start of a UTF character. */
-  if (start_offset > 0 && start_offset < length &&
-      NOT_FIRSTCHAR(((PCRE_PUCHAR)subject)[start_offset]))
-    return PCRE_ERROR_BADUTF8_OFFSET;
-#endif
-  }
-#endif
-
-/* If the pattern was successfully studied with JIT support, run the JIT
-executable instead of the rest of this function. Most options must be set at
-compile time for the JIT code to be usable. Fallback to the normal code path if
-an unsupported flag is set. */
-
-#ifdef SUPPORT_JIT
-if (extra_data != NULL
-    && (extra_data->flags & (PCRE_EXTRA_EXECUTABLE_JIT |
-                             PCRE_EXTRA_TABLES)) == PCRE_EXTRA_EXECUTABLE_JIT
-    && extra_data->executable_jit != NULL
-    && (options & ~PUBLIC_JIT_EXEC_OPTIONS) == 0)
-  {
-  rc = PRIV(jit_exec)(extra_data, (const pcre_uchar *)subject, length,
-       start_offset, options, offsets, offsetcount);
-
-  /* PCRE_ERROR_NULL means that the selected normal or partial matching
-  mode is not compiled. In this case we simply fallback to interpreter. */
-
-  if (rc != PCRE_ERROR_JIT_BADOPTION) return rc;
-  }
-#endif
-
-/* Carry on with non-JIT matching. This information is for finding all the
-numbers associated with a given name, for condition testing. */
-
-md->name_table = (pcre_uchar *)re + re->name_table_offset;
-md->name_count = re->name_count;
-md->name_entry_size = re->name_entry_size;
-
-/* Fish out the optional data from the extra_data structure, first setting
-the default values. */
-
-study = NULL;
-md->match_limit = MATCH_LIMIT;
-md->match_limit_recursion = MATCH_LIMIT_RECURSION;
-md->callout_data = NULL;
-
-/* The table pointer is always in native byte order. */
-
-tables = re->tables;
-
-/* The two limit values override the defaults, whatever their value. */
-
-if (extra_data != NULL)
-  {
-  unsigned long int flags = extra_data->flags;
-  if ((flags & PCRE_EXTRA_STUDY_DATA) != 0)
-    study = (const pcre_study_data *)extra_data->study_data;
-  if ((flags & PCRE_EXTRA_MATCH_LIMIT) != 0)
-    md->match_limit = extra_data->match_limit;
-  if ((flags & PCRE_EXTRA_MATCH_LIMIT_RECURSION) != 0)
-    md->match_limit_recursion = extra_data->match_limit_recursion;
-  if ((flags & PCRE_EXTRA_CALLOUT_DATA) != 0)
-    md->callout_data = extra_data->callout_data;
-  if ((flags & PCRE_EXTRA_TABLES) != 0) tables = extra_data->tables;
-  }
-
-/* Limits in the regex override only if they are smaller. */
-
-if ((re->flags & PCRE_MLSET) != 0 && re->limit_match < md->match_limit)
-  md->match_limit = re->limit_match;
-
-if ((re->flags & PCRE_RLSET) != 0 &&
-    re->limit_recursion < md->match_limit_recursion)
-  md->match_limit_recursion = re->limit_recursion;
-
-/* If the exec call supplied NULL for tables, use the inbuilt ones. This
-is a feature that makes it possible to save compiled regex and re-use them
-in other programs later. */
-
-if (tables == NULL) tables = PRIV(default_tables);
-
-/* Set up other data */
-
-anchored = ((re->options | options) & PCRE_ANCHORED) != 0;
-startline = (re->flags & PCRE_STARTLINE) != 0;
-firstline = (re->options & PCRE_FIRSTLINE) != 0;
-
-/* The code starts after the real_pcre block and the capture name table. */
-
-md->start_code = (const pcre_uchar *)re + re->name_table_offset +
-  re->name_count * re->name_entry_size;
-
-md->start_subject = (PCRE_PUCHAR)subject;
-md->start_offset = start_offset;
-md->end_subject = md->start_subject + length;
-end_subject = md->end_subject;
-
-md->endonly = (re->options & PCRE_DOLLAR_ENDONLY) != 0;
-md->use_ucp = (re->options & PCRE_UCP) != 0;
-md->jscript_compat = (re->options & PCRE_JAVASCRIPT_COMPAT) != 0;
-md->ignore_skip_arg = 0;
-
-/* Some options are unpacked into BOOL variables in the hope that testing
-them will be faster than individual option bits. */
-
-md->notbol = (options & PCRE_NOTBOL) != 0;
-md->noteol = (options & PCRE_NOTEOL) != 0;
-md->notempty = (options & PCRE_NOTEMPTY) != 0;
-md->notempty_atstart = (options & PCRE_NOTEMPTY_ATSTART) != 0;
-
-md->hitend = FALSE;
-md->mark = md->nomatch_mark = NULL;     /* In case never set */
-
-md->recursive = NULL;                   /* No recursion at top level */
-md->hasthen = (re->flags & PCRE_HASTHEN) != 0;
-
-md->lcc = tables + lcc_offset;
-md->fcc = tables + fcc_offset;
-md->ctypes = tables + ctypes_offset;
-
-/* Handle different \R options. */
-
-switch (options & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE))
-  {
-  case 0:
-  if ((re->options & (PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE)) != 0)
-    md->bsr_anycrlf = (re->options & PCRE_BSR_ANYCRLF) != 0;
-  else
-#ifdef BSR_ANYCRLF
-  md->bsr_anycrlf = TRUE;
-#else
-  md->bsr_anycrlf = FALSE;
-#endif
-  break;
-
-  case PCRE_BSR_ANYCRLF:
-  md->bsr_anycrlf = TRUE;
-  break;
-
-  case PCRE_BSR_UNICODE:
-  md->bsr_anycrlf = FALSE;
-  break;
-
-  default: return PCRE_ERROR_BADNEWLINE;
-  }
-
-/* Handle different types of newline. The three bits give eight cases. If
-nothing is set at run time, whatever was used at compile time applies. */
-
-switch ((((options & PCRE_NEWLINE_BITS) == 0)? re->options :
-        (pcre_uint32)options) & PCRE_NEWLINE_BITS)
-  {
-  case 0: newline = NEWLINE; break;   /* Compile-time default */
-  case PCRE_NEWLINE_CR: newline = CHAR_CR; break;
-  case PCRE_NEWLINE_LF: newline = CHAR_NL; break;
-  case PCRE_NEWLINE_CR+
-       PCRE_NEWLINE_LF: newline = (CHAR_CR << 8) | CHAR_NL; break;
-  case PCRE_NEWLINE_ANY: newline = -1; break;
-  case PCRE_NEWLINE_ANYCRLF: newline = -2; break;
-  default: return PCRE_ERROR_BADNEWLINE;
-  }
-
-if (newline == -2)
-  {
-  md->nltype = NLTYPE_ANYCRLF;
-  }
-else if (newline < 0)
-  {
-  md->nltype = NLTYPE_ANY;
-  }
-else
-  {
-  md->nltype = NLTYPE_FIXED;
-  if (newline > 255)
-    {
-    md->nllen = 2;
-    md->nl[0] = (newline >> 8) & 255;
-    md->nl[1] = newline & 255;
-    }
-  else
-    {
-    md->nllen = 1;
-    md->nl[0] = newline;
-    }
-  }
-
-/* Partial matching was originally supported only for a restricted set of
-regexes; from release 8.00 there are no restrictions, but the bits are still
-defined (though never set). So there's no harm in leaving this code. */
-
-if (md->partial && (re->flags & PCRE_NOPARTIAL) != 0)
-  return PCRE_ERROR_BADPARTIAL;
-
-/* If the expression has got more back references than the offsets supplied can
-hold, we get a temporary chunk of working store to use during the matching.
-Otherwise, we can use the vector supplied, rounding down its size to a multiple
-of 3. */
-
-ocount = offsetcount - (offsetcount % 3);
-arg_offset_max = (2*ocount)/3;
-
-if (re->top_backref > 0 && re->top_backref >= ocount/3)
-  {
-  ocount = re->top_backref * 3 + 3;
-  md->offset_vector = (int *)(PUBL(malloc))(ocount * sizeof(int));
-  if (md->offset_vector == NULL) return PCRE_ERROR_NOMEMORY;
-  using_temporary_offsets = TRUE;
-  DPRINTF(("Got memory to hold back references\n"));
-  }
-else md->offset_vector = offsets;
-md->offset_end = ocount;
-md->offset_max = (2*ocount)/3;
-md->capture_last = 0;
-
-/* Reset the working variable associated with each extraction. These should
-never be used unless previously set, but they get saved and restored, and so we
-initialize them to avoid reading uninitialized locations. Also, unset the
-offsets for the matched string. This is really just for tidiness with callouts,
-in case they inspect these fields. */
-
-if (md->offset_vector != NULL)
-  {
-  register int *iptr = md->offset_vector + ocount;
-  register int *iend = iptr - re->top_bracket;
-  if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
-  while (--iptr >= iend) *iptr = -1;
-  if (offsetcount > 0) md->offset_vector[0] = -1;
-  if (offsetcount > 1) md->offset_vector[1] = -1;
-  }
-
-/* Set up the first character to match, if available. The first_char value is
-never set for an anchored regular expression, but the anchoring may be forced
-at run time, so we have to test for anchoring. The first char may be unset for
-an unanchored pattern, of course. If there's no first char and the pattern was
-studied, there may be a bitmap of possible first characters. */
-
-if (!anchored)
-  {
-  if ((re->flags & PCRE_FIRSTSET) != 0)
-    {
-    has_first_char = TRUE;
-    first_char = first_char2 = (pcre_uchar)(re->first_char);
-    if ((re->flags & PCRE_FCH_CASELESS) != 0)
-      {
-      first_char2 = TABLE_GET(first_char, md->fcc, first_char);
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-      if (utf && first_char > 127)
-        first_char2 = UCD_OTHERCASE(first_char);
-#endif
-      }
-    }
-  else
-    if (!startline && study != NULL &&
-      (study->flags & PCRE_STUDY_MAPPED) != 0)
-        start_bits = study->start_bits;
-  }
-
-/* For anchored or unanchored matches, there may be a "last known required
-character" set. */
-
-if ((re->flags & PCRE_REQCHSET) != 0)
-  {
-  has_req_char = TRUE;
-  req_char = req_char2 = (pcre_uchar)(re->req_char);
-  if ((re->flags & PCRE_RCH_CASELESS) != 0)
-    {
-    req_char2 = TABLE_GET(req_char, md->fcc, req_char);
-#if defined SUPPORT_UCP && !(defined COMPILE_PCRE8)
-    if (utf && req_char > 127)
-      req_char2 = UCD_OTHERCASE(req_char);
-#endif
-    }
-  }
-
-
-/* ==========================================================================*/
-
-/* Loop for handling unanchored repeated matching attempts; for anchored regexs
-the loop runs just once. */
-
-for(;;)
-  {
-  PCRE_PUCHAR save_end_subject = end_subject;
-  PCRE_PUCHAR new_start_match;
-
-  /* If firstline is TRUE, the start of the match is constrained to the first
-  line of a multiline string. That is, the match must be before or at the first
-  newline. Implement this by temporarily adjusting end_subject so that we stop
-  scanning at a newline. If the match fails at the newline, later code breaks
-  this loop. */
-
-  if (firstline)
-    {
-    PCRE_PUCHAR t = start_match;
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      while (t < md->end_subject && !IS_NEWLINE(t))
-        {
-        t++;
-        ACROSSCHAR(t < end_subject, *t, t++);
-        }
-      }
-    else
-#endif
-    while (t < md->end_subject && !IS_NEWLINE(t)) t++;
-    end_subject = t;
-    }
-
-  /* There are some optimizations that avoid running the match if a known
-  starting point is not found, or if a known later character is not present.
-  However, there is an option that disables these, for testing and for ensuring
-  that all callouts do actually occur. The option can be set in the regex by
-  (*NO_START_OPT) or passed in match-time options. */
-
-  if (((options | re->options) & PCRE_NO_START_OPTIMIZE) == 0)
-    {
-    /* Advance to a unique first char if there is one. */
-
-    if (has_first_char)
-      {
-      pcre_uchar smc;
-
-      if (first_char != first_char2)
-        while (start_match < end_subject &&
-          (smc = UCHAR21TEST(start_match)) != first_char && smc != first_char2)
-          start_match++;
-      else
-        while (start_match < end_subject && UCHAR21TEST(start_match) != first_char)
-          start_match++;
-      }
-
-    /* Or to just after a linebreak for a multiline match */
-
-    else if (startline)
-      {
-      if (start_match > md->start_subject + start_offset)
-        {
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-          while (start_match < end_subject && !WAS_NEWLINE(start_match))
-            {
-            start_match++;
-            ACROSSCHAR(start_match < end_subject, *start_match,
-              start_match++);
-            }
-          }
-        else
-#endif
-        while (start_match < end_subject && !WAS_NEWLINE(start_match))
-          start_match++;
-
-        /* If we have just passed a CR and the newline option is ANY or ANYCRLF,
-        and we are now at a LF, advance the match position by one more character.
-        */
-
-        if (start_match[-1] == CHAR_CR &&
-             (md->nltype == NLTYPE_ANY || md->nltype == NLTYPE_ANYCRLF) &&
-             start_match < end_subject &&
-             UCHAR21TEST(start_match) == CHAR_NL)
-          start_match++;
-        }
-      }
-
-    /* Or to a non-unique first byte after study */
-
-    else if (start_bits != NULL)
-      {
-      while (start_match < end_subject)
-        {
-        register pcre_uint32 c = UCHAR21TEST(start_match);
-#ifndef COMPILE_PCRE8
-        if (c > 255) c = 255;
-#endif
-        if ((start_bits[c/8] & (1 << (c&7))) != 0) break;
-        start_match++;
-        }
-      }
-    }   /* Starting optimizations */
-
-  /* Restore fudged end_subject */
-
-  end_subject = save_end_subject;
-
-  /* The following two optimizations are disabled for partial matching or if
-  disabling is explicitly requested. */
-
-  if (((options | re->options) & PCRE_NO_START_OPTIMIZE) == 0 && !md->partial)
-    {
-    /* If the pattern was studied, a minimum subject length may be set. This is
-    a lower bound; no actual string of that length may actually match the
-    pattern. Although the value is, strictly, in characters, we treat it as
-    bytes to avoid spending too much time in this optimization. */
-
-    if (study != NULL && (study->flags & PCRE_STUDY_MINLEN) != 0 &&
-        (pcre_uint32)(end_subject - start_match) < study->minlength)
-      {
-      rc = MATCH_NOMATCH;
-      break;
-      }
-
-    /* If req_char is set, we know that that character must appear in the
-    subject for the match to succeed. If the first character is set, req_char
-    must be later in the subject; otherwise the test starts at the match point.
-    This optimization can save a huge amount of backtracking in patterns with
-    nested unlimited repeats that aren't going to match. Writing separate code
-    for cased/caseless versions makes it go faster, as does using an
-    autoincrement and backing off on a match.
-
-    HOWEVER: when the subject string is very, very long, searching to its end
-    can take a long time, and give bad performance on quite ordinary patterns.
-    This showed up when somebody was matching something like /^\d+C/ on a
-    32-megabyte string... so we don't do this when the string is sufficiently
-    long. */
-
-    if (has_req_char && end_subject - start_match < REQ_BYTE_MAX)
-      {
-      register PCRE_PUCHAR p = start_match + (has_first_char? 1:0);
-
-      /* We don't need to repeat the search if we haven't yet reached the
-      place we found it at last time. */
-
-      if (p > req_char_ptr)
-        {
-        if (req_char != req_char2)
-          {
-          while (p < end_subject)
-            {
-            register pcre_uint32 pp = UCHAR21INCTEST(p);
-            if (pp == req_char || pp == req_char2) { p--; break; }
-            }
-          }
-        else
-          {
-          while (p < end_subject)
-            {
-            if (UCHAR21INCTEST(p) == req_char) { p--; break; }
-            }
-          }
-
-        /* If we can't find the required character, break the matching loop,
-        forcing a match failure. */
-
-        if (p >= end_subject)
-          {
-          rc = MATCH_NOMATCH;
-          break;
-          }
-
-        /* If we have found the required character, save the point where we
-        found it, so that we don't search again next time round the loop if
-        the start hasn't passed this character yet. */
-
-        req_char_ptr = p;
-        }
-      }
-    }
-
-#ifdef PCRE_DEBUG  /* Sigh. Some compilers never learn. */
-  printf(">>>> Match against: ");
-  pchars(start_match, end_subject - start_match, TRUE, md);
-  printf("\n");
-#endif
-
-  /* OK, we can now run the match. If "hitend" is set afterwards, remember the
-  first starting point for which a partial match was found. */
-
-  md->start_match_ptr = start_match;
-  md->start_used_ptr = start_match;
-  md->match_call_count = 0;
-  md->match_function_type = 0;
-  md->end_offset_top = 0;
-  md->skip_arg_count = 0;
-  rc = match(start_match, md->start_code, start_match, 2, md, NULL, 0);
-  if (md->hitend && start_partial == NULL)
-    {
-    start_partial = md->start_used_ptr;
-    match_partial = start_match;
-    }
-
-  switch(rc)
-    {
-    /* If MATCH_SKIP_ARG reaches this level it means that a MARK that matched
-    the SKIP's arg was not found. In this circumstance, Perl ignores the SKIP
-    entirely. The only way we can do that is to re-do the match at the same
-    point, with a flag to force SKIP with an argument to be ignored. Just
-    treating this case as NOMATCH does not work because it does not check other
-    alternatives in patterns such as A(*SKIP:A)B|AC when the subject is AC. */
-
-    case MATCH_SKIP_ARG:
-    new_start_match = start_match;
-    md->ignore_skip_arg = md->skip_arg_count;
-    break;
-
-    /* SKIP passes back the next starting point explicitly, but if it is no
-    greater than the match we have just done, treat it as NOMATCH. */
-
-    case MATCH_SKIP:
-    if (md->start_match_ptr > start_match)
-      {
-      new_start_match = md->start_match_ptr;
-      break;
-      }
-    /* Fall through */
-
-    /* NOMATCH and PRUNE advance by one character. THEN at this level acts
-    exactly like PRUNE. Unset ignore SKIP-with-argument. */
-
-    case MATCH_NOMATCH:
-    case MATCH_PRUNE:
-    case MATCH_THEN:
-    md->ignore_skip_arg = 0;
-    new_start_match = start_match + 1;
-#ifdef SUPPORT_UTF
-    if (utf)
-      ACROSSCHAR(new_start_match < end_subject, *new_start_match,
-        new_start_match++);
-#endif
-    break;
-
-    /* COMMIT disables the bumpalong, but otherwise behaves as NOMATCH. */
-
-    case MATCH_COMMIT:
-    rc = MATCH_NOMATCH;
-    goto ENDLOOP;
-
-    /* Any other return is either a match, or some kind of error. */
-
-    default:
-    goto ENDLOOP;
-    }
-
-  /* Control reaches here for the various types of "no match at this point"
-  result. Reset the code to MATCH_NOMATCH for subsequent checking. */
-
-  rc = MATCH_NOMATCH;
-
-  /* If PCRE_FIRSTLINE is set, the match must happen before or at the first
-  newline in the subject (though it may continue over the newline). Therefore,
-  if we have just failed to match, starting at a newline, do not continue. */
-
-  if (firstline && IS_NEWLINE(start_match)) break;
-
-  /* Advance to new matching position */
-
-  start_match = new_start_match;
-
-  /* Break the loop if the pattern is anchored or if we have passed the end of
-  the subject. */
-
-  if (anchored || start_match > end_subject) break;
-
-  /* If we have just passed a CR and we are now at a LF, and the pattern does
-  not contain any explicit matches for \r or \n, and the newline option is CRLF
-  or ANY or ANYCRLF, advance the match position by one more character. In
-  normal matching start_match will aways be greater than the first position at
-  this stage, but a failed *SKIP can cause a return at the same point, which is
-  why the first test exists. */
-
-  if (start_match > (PCRE_PUCHAR)subject + start_offset &&
-      start_match[-1] == CHAR_CR &&
-      start_match < end_subject &&
-      *start_match == CHAR_NL &&
-      (re->flags & PCRE_HASCRORLF) == 0 &&
-        (md->nltype == NLTYPE_ANY ||
-         md->nltype == NLTYPE_ANYCRLF ||
-         md->nllen == 2))
-    start_match++;
-
-  md->mark = NULL;   /* Reset for start of next match attempt */
-  }                  /* End of for(;;) "bumpalong" loop */
-
-/* ==========================================================================*/
-
-/* We reach here when rc is not MATCH_NOMATCH, or if one of the stopping
-conditions is true:
-
-(1) The pattern is anchored or the match was failed by (*COMMIT);
-
-(2) We are past the end of the subject;
-
-(3) PCRE_FIRSTLINE is set and we have failed to match at a newline, because
-    this option requests that a match occur at or before the first newline in
-    the subject.
-
-When we have a match and the offset vector is big enough to deal with any
-backreferences, captured substring offsets will already be set up. In the case
-where we had to get some local store to hold offsets for backreference
-processing, copy those that we can. In this case there need not be overflow if
-certain parts of the pattern were not used, even though there are more
-capturing parentheses than vector slots. */
-
-ENDLOOP:
-
-if (rc == MATCH_MATCH || rc == MATCH_ACCEPT)
-  {
-  if (using_temporary_offsets)
-    {
-    if (arg_offset_max >= 4)
-      {
-      memcpy(offsets + 2, md->offset_vector + 2,
-        (arg_offset_max - 2) * sizeof(int));
-      DPRINTF(("Copied offsets from temporary memory\n"));
-      }
-    if (md->end_offset_top > arg_offset_max) md->capture_last |= OVFLBIT;
-    DPRINTF(("Freeing temporary memory\n"));
-    (PUBL(free))(md->offset_vector);
-    }
-
-  /* Set the return code to the number of captured strings, or 0 if there were
-  too many to fit into the vector. */
-
-  rc = ((md->capture_last & OVFLBIT) != 0 &&
-         md->end_offset_top >= arg_offset_max)?
-    0 : md->end_offset_top/2;
-
-  /* If there is space in the offset vector, set any unused pairs at the end of
-  the pattern to -1 for backwards compatibility. It is documented that this
-  happens. In earlier versions, the whole set of potential capturing offsets
-  was set to -1 each time round the loop, but this is handled differently now.
-  "Gaps" are set to -1 dynamically instead (this fixes a bug). Thus, it is only
-  those at the end that need unsetting here. We can't just unset them all at
-  the start of the whole thing because they may get set in one branch that is
-  not the final matching branch. */
-
-  if (md->end_offset_top/2 <= re->top_bracket && offsets != NULL)
-    {
-    register int *iptr, *iend;
-    int resetcount = 2 + re->top_bracket * 2;
-    if (resetcount > offsetcount) resetcount = offsetcount;
-    iptr = offsets + md->end_offset_top;
-    iend = offsets + resetcount;
-    while (iptr < iend) *iptr++ = -1;
-    }
-
-  /* If there is space, set up the whole thing as substring 0. The value of
-  md->start_match_ptr might be modified if \K was encountered on the success
-  matching path. */
-
-  if (offsetcount < 2) rc = 0; else
-    {
-    offsets[0] = (int)(md->start_match_ptr - md->start_subject);
-    offsets[1] = (int)(md->end_match_ptr - md->start_subject);
-    }
-
-  /* Return MARK data if requested */
-
-  if (extra_data != NULL && (extra_data->flags & PCRE_EXTRA_MARK) != 0)
-    *(extra_data->mark) = (pcre_uchar *)md->mark;
-  DPRINTF((">>>> returning %d\n", rc));
-#ifdef NO_RECURSE
-  release_match_heapframes(&frame_zero);
-#endif
-  return rc;
-  }
-
-/* Control gets here if there has been an error, or if the overall match
-attempt has failed at all permitted starting positions. */
-
-if (using_temporary_offsets)
-  {
-  DPRINTF(("Freeing temporary memory\n"));
-  (PUBL(free))(md->offset_vector);
-  }
-
-/* For anything other than nomatch or partial match, just return the code. */
-
-if (rc != MATCH_NOMATCH && rc != PCRE_ERROR_PARTIAL)
-  {
-  DPRINTF((">>>> error: returning %d\n", rc));
-#ifdef NO_RECURSE
-  release_match_heapframes(&frame_zero);
-#endif
-  return rc;
-  }
-
-/* Handle partial matches - disable any mark data */
-
-if (match_partial != NULL)
-  {
-  DPRINTF((">>>> returning PCRE_ERROR_PARTIAL\n"));
-  md->mark = NULL;
-  if (offsetcount > 1)
-    {
-    offsets[0] = (int)(start_partial - (PCRE_PUCHAR)subject);
-    offsets[1] = (int)(end_subject - (PCRE_PUCHAR)subject);
-    if (offsetcount > 2)
-      offsets[2] = (int)(match_partial - (PCRE_PUCHAR)subject);
-    }
-  rc = PCRE_ERROR_PARTIAL;
-  }
-
-/* This is the classic nomatch case */
-
-else
-  {
-  DPRINTF((">>>> returning PCRE_ERROR_NOMATCH\n"));
-  rc = PCRE_ERROR_NOMATCH;
-  }
-
-/* Return the MARK data if it has been requested. */
-
-if (extra_data != NULL && (extra_data->flags & PCRE_EXTRA_MARK) != 0)
-  *(extra_data->mark) = (pcre_uchar *)md->nomatch_mark;
-#ifdef NO_RECURSE
-  release_match_heapframes(&frame_zero);
-#endif
-return rc;
-}
-
-/* End of pcre_exec.c */
diff --git a/src/plugins/PCREPlugin/pcre_fullinfo.c b/src/plugins/PCREPlugin/pcre_fullinfo.c
deleted file mode 100644
index 28181cc..0000000
--- a/src/plugins/PCREPlugin/pcre_fullinfo.c
+++ /dev/null
@@ -1,246 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2013 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_fullinfo(), which returns
-information about a compiled pattern. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-*        Return info about compiled pattern      *
-*************************************************/
-
-/* This is a newer "info" function which has an extensible interface so
-that additional items can be added compatibly.
-
-Arguments:
-  argument_re      points to compiled code
-  extra_data       points extra data, or NULL
-  what             what information is required
-  where            where to put the information
-
-Returns:           0 if data returned, negative on error
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_fullinfo(const pcre *argument_re, const pcre_extra *extra_data,
-  int what, void *where)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_fullinfo(const pcre16 *argument_re, const pcre16_extra *extra_data,
-  int what, void *where)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_fullinfo(const pcre32 *argument_re, const pcre32_extra *extra_data,
-  int what, void *where)
-#endif
-{
-const REAL_PCRE *re = (const REAL_PCRE *)argument_re;
-const pcre_study_data *study = NULL;
-
-if (re == NULL || where == NULL) return PCRE_ERROR_NULL;
-
-if (extra_data != NULL && (extra_data->flags & PCRE_EXTRA_STUDY_DATA) != 0)
-  study = (const pcre_study_data *)extra_data->study_data;
-
-/* Check that the first field in the block is the magic number. If it is not,
-return with PCRE_ERROR_BADMAGIC. However, if the magic number is equal to
-REVERSED_MAGIC_NUMBER we return with PCRE_ERROR_BADENDIANNESS, which
-means that the pattern is likely compiled with different endianness. */
-
-if (re->magic_number != MAGIC_NUMBER)
-  return re->magic_number == REVERSED_MAGIC_NUMBER?
-    PCRE_ERROR_BADENDIANNESS:PCRE_ERROR_BADMAGIC;
-
-/* Check that this pattern was compiled in the correct bit mode */
-
-if ((re->flags & PCRE_MODE) == 0) return PCRE_ERROR_BADMODE;
-
-switch (what)
-  {
-  case PCRE_INFO_OPTIONS:
-  *((unsigned long int *)where) = re->options & PUBLIC_COMPILE_OPTIONS;
-  break;
-
-  case PCRE_INFO_SIZE:
-  *((size_t *)where) = re->size;
-  break;
-
-  case PCRE_INFO_STUDYSIZE:
-  *((size_t *)where) = (study == NULL)? 0 : study->size;
-  break;
-
-  case PCRE_INFO_JITSIZE:
-#ifdef SUPPORT_JIT
-  *((size_t *)where) =
-      (extra_data != NULL &&
-      (extra_data->flags & PCRE_EXTRA_EXECUTABLE_JIT) != 0 &&
-      extra_data->executable_jit != NULL)?
-    PRIV(jit_get_size)(extra_data->executable_jit) : 0;
-#else
-  *((size_t *)where) = 0;
-#endif
-  break;
-
-  case PCRE_INFO_CAPTURECOUNT:
-  *((int *)where) = re->top_bracket;
-  break;
-
-  case PCRE_INFO_BACKREFMAX:
-  *((int *)where) = re->top_backref;
-  break;
-
-  case PCRE_INFO_FIRSTBYTE:
-  *((int *)where) =
-    ((re->flags & PCRE_FIRSTSET) != 0)? (int)re->first_char :
-    ((re->flags & PCRE_STARTLINE) != 0)? -1 : -2;
-  break;
-
-  case PCRE_INFO_FIRSTCHARACTER:
-    *((pcre_uint32 *)where) =
-      (re->flags & PCRE_FIRSTSET) != 0 ? re->first_char : 0;
-    break;
-
-  case PCRE_INFO_FIRSTCHARACTERFLAGS:
-    *((int *)where) =
-      ((re->flags & PCRE_FIRSTSET) != 0) ? 1 :
-      ((re->flags & PCRE_STARTLINE) != 0) ? 2 : 0;
-    break;
-
-  /* Make sure we pass back the pointer to the bit vector in the external
-  block, not the internal copy (with flipped integer fields). */
-
-  case PCRE_INFO_FIRSTTABLE:
-  *((const pcre_uint8 **)where) =
-    (study != NULL && (study->flags & PCRE_STUDY_MAPPED) != 0)?
-      ((const pcre_study_data *)extra_data->study_data)->start_bits : NULL;
-  break;
-
-  case PCRE_INFO_MINLENGTH:
-  *((int *)where) =
-    (study != NULL && (study->flags & PCRE_STUDY_MINLEN) != 0)?
-      (int)(study->minlength) : -1;
-  break;
-
-  case PCRE_INFO_JIT:
-  *((int *)where) = extra_data != NULL &&
-                    (extra_data->flags & PCRE_EXTRA_EXECUTABLE_JIT) != 0 &&
-                    extra_data->executable_jit != NULL;
-  break;
-
-  case PCRE_INFO_LASTLITERAL:
-  *((int *)where) =
-    ((re->flags & PCRE_REQCHSET) != 0)? (int)re->req_char : -1;
-  break;
-
-  case PCRE_INFO_REQUIREDCHAR:
-    *((pcre_uint32 *)where) =
-      ((re->flags & PCRE_REQCHSET) != 0) ? re->req_char : 0;
-    break;
-
-  case PCRE_INFO_REQUIREDCHARFLAGS:
-    *((int *)where) =
-      ((re->flags & PCRE_REQCHSET) != 0);
-    break;
-
-  case PCRE_INFO_NAMEENTRYSIZE:
-  *((int *)where) = re->name_entry_size;
-  break;
-
-  case PCRE_INFO_NAMECOUNT:
-  *((int *)where) = re->name_count;
-  break;
-
-  case PCRE_INFO_NAMETABLE:
-  *((const pcre_uchar **)where) = (const pcre_uchar *)re + re->name_table_offset;
-  break;
-
-  case PCRE_INFO_DEFAULT_TABLES:
-  *((const pcre_uint8 **)where) = (const pcre_uint8 *)(PRIV(default_tables));
-  break;
-
-  /* From release 8.00 this will always return TRUE because NOPARTIAL is
-  no longer ever set (the restrictions have been removed). */
-
-  case PCRE_INFO_OKPARTIAL:
-  *((int *)where) = (re->flags & PCRE_NOPARTIAL) == 0;
-  break;
-
-  case PCRE_INFO_JCHANGED:
-  *((int *)where) = (re->flags & PCRE_JCHANGED) != 0;
-  break;
-
-  case PCRE_INFO_HASCRORLF:
-  *((int *)where) = (re->flags & PCRE_HASCRORLF) != 0;
-  break;
-
-  case PCRE_INFO_MAXLOOKBEHIND:
-  *((int *)where) = re->max_lookbehind;
-  break;
-
-  case PCRE_INFO_MATCHLIMIT:
-  if ((re->flags & PCRE_MLSET) == 0) return PCRE_ERROR_UNSET;
-  *((pcre_uint32 *)where) = re->limit_match;
-  break;
-
-  case PCRE_INFO_RECURSIONLIMIT:
-  if ((re->flags & PCRE_RLSET) == 0) return PCRE_ERROR_UNSET;
-  *((pcre_uint32 *)where) = re->limit_recursion;
-  break;
-
-  case PCRE_INFO_MATCH_EMPTY:
-  *((int *)where) = (re->flags & PCRE_MATCH_EMPTY) != 0;
-  break;
-
-  default: return PCRE_ERROR_BADOPTION;
-  }
-
-return 0;
-}
-
-/* End of pcre_fullinfo.c */
diff --git a/src/plugins/PCREPlugin/pcre_get.c b/src/plugins/PCREPlugin/pcre_get.c
deleted file mode 100644
index bdfd621..0000000
--- a/src/plugins/PCREPlugin/pcre_get.c
+++ /dev/null
@@ -1,670 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains some convenience functions for extracting substrings
-from the subject string after a regex match has succeeded. The original idea
-for these functions came from Scott Wimer. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-*           Find number for named string         *
-*************************************************/
-
-/* This function is used by the get_first_set() function below, as well
-as being generally available. It assumes that names are unique.
-
-Arguments:
-  code        the compiled regex
-  stringname  the name whose number is required
-
-Returns:      the number of the named parentheses, or a negative number
-                (PCRE_ERROR_NOSUBSTRING) if not found
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_get_stringnumber(const pcre *code, const char *stringname)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_get_stringnumber(const pcre16 *code, PCRE_SPTR16 stringname)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_get_stringnumber(const pcre32 *code, PCRE_SPTR32 stringname)
-#endif
-{
-int rc;
-int entrysize;
-int top, bot;
-pcre_uchar *nametable;
-
-#ifdef COMPILE_PCRE8
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-#ifdef COMPILE_PCRE16
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-#ifdef COMPILE_PCRE32
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-
-bot = 0;
-while (top > bot)
-  {
-  int mid = (top + bot) / 2;
-  pcre_uchar *entry = nametable + entrysize*mid;
-  int c = STRCMP_UC_UC((pcre_uchar *)stringname,
-    (pcre_uchar *)(entry + IMM2_SIZE));
-  if (c == 0) return GET2(entry, 0);
-  if (c > 0) bot = mid + 1; else top = mid;
-  }
-
-return PCRE_ERROR_NOSUBSTRING;
-}
-
-
-
-/*************************************************
-*     Find (multiple) entries for named string   *
-*************************************************/
-
-/* This is used by the get_first_set() function below, as well as being
-generally available. It is used when duplicated names are permitted.
-
-Arguments:
-  code        the compiled regex
-  stringname  the name whose entries required
-  firstptr    where to put the pointer to the first entry
-  lastptr     where to put the pointer to the last entry
-
-Returns:      the length of each entry, or a negative number
-                (PCRE_ERROR_NOSUBSTRING) if not found
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_get_stringtable_entries(const pcre *code, const char *stringname,
-  char **firstptr, char **lastptr)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_get_stringtable_entries(const pcre16 *code, PCRE_SPTR16 stringname,
-  PCRE_UCHAR16 **firstptr, PCRE_UCHAR16 **lastptr)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_get_stringtable_entries(const pcre32 *code, PCRE_SPTR32 stringname,
-  PCRE_UCHAR32 **firstptr, PCRE_UCHAR32 **lastptr)
-#endif
-{
-int rc;
-int entrysize;
-int top, bot;
-pcre_uchar *nametable, *lastentry;
-
-#ifdef COMPILE_PCRE8
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-#ifdef COMPILE_PCRE16
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre16_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-#ifdef COMPILE_PCRE32
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMECOUNT, &top)) != 0)
-  return rc;
-if (top <= 0) return PCRE_ERROR_NOSUBSTRING;
-
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMEENTRYSIZE, &entrysize)) != 0)
-  return rc;
-if ((rc = pcre32_fullinfo(code, NULL, PCRE_INFO_NAMETABLE, &nametable)) != 0)
-  return rc;
-#endif
-
-lastentry = nametable + entrysize * (top - 1);
-bot = 0;
-while (top > bot)
-  {
-  int mid = (top + bot) / 2;
-  pcre_uchar *entry = nametable + entrysize*mid;
-  int c = STRCMP_UC_UC((pcre_uchar *)stringname,
-    (pcre_uchar *)(entry + IMM2_SIZE));
-  if (c == 0)
-    {
-    pcre_uchar *first = entry;
-    pcre_uchar *last = entry;
-    while (first > nametable)
-      {
-      if (STRCMP_UC_UC((pcre_uchar *)stringname,
-        (pcre_uchar *)(first - entrysize + IMM2_SIZE)) != 0) break;
-      first -= entrysize;
-      }
-    while (last < lastentry)
-      {
-      if (STRCMP_UC_UC((pcre_uchar *)stringname,
-        (pcre_uchar *)(last + entrysize + IMM2_SIZE)) != 0) break;
-      last += entrysize;
-      }
-#if defined COMPILE_PCRE8
-    *firstptr = (char *)first;
-    *lastptr = (char *)last;
-#elif defined COMPILE_PCRE16
-    *firstptr = (PCRE_UCHAR16 *)first;
-    *lastptr = (PCRE_UCHAR16 *)last;
-#elif defined COMPILE_PCRE32
-    *firstptr = (PCRE_UCHAR32 *)first;
-    *lastptr = (PCRE_UCHAR32 *)last;
-#endif
-    return entrysize;
-    }
-  if (c > 0) bot = mid + 1; else top = mid;
-  }
-
-return PCRE_ERROR_NOSUBSTRING;
-}
-
-
-
-/*************************************************
-*    Find first set of multiple named strings    *
-*************************************************/
-
-/* This function allows for duplicate names in the table of named substrings.
-It returns the number of the first one that was set in a pattern match.
-
-Arguments:
-  code         the compiled regex
-  stringname   the name of the capturing substring
-  ovector      the vector of matched substrings
-  stringcount  number of captured substrings
-
-Returns:       the number of the first that is set,
-               or the number of the last one if none are set,
-               or a negative number on error
-*/
-
-#if defined COMPILE_PCRE8
-static int
-get_first_set(const pcre *code, const char *stringname, int *ovector,
-  int stringcount)
-#elif defined COMPILE_PCRE16
-static int
-get_first_set(const pcre16 *code, PCRE_SPTR16 stringname, int *ovector,
-  int stringcount)
-#elif defined COMPILE_PCRE32
-static int
-get_first_set(const pcre32 *code, PCRE_SPTR32 stringname, int *ovector,
-  int stringcount)
-#endif
-{
-const REAL_PCRE *re = (const REAL_PCRE *)code;
-int entrysize;
-pcre_uchar *entry;
-#if defined COMPILE_PCRE8
-char *first, *last;
-#elif defined COMPILE_PCRE16
-PCRE_UCHAR16 *first, *last;
-#elif defined COMPILE_PCRE32
-PCRE_UCHAR32 *first, *last;
-#endif
-
-#if defined COMPILE_PCRE8
-if ((re->options & PCRE_DUPNAMES) == 0 && (re->flags & PCRE_JCHANGED) == 0)
-  return pcre_get_stringnumber(code, stringname);
-entrysize = pcre_get_stringtable_entries(code, stringname, &first, &last);
-#elif defined COMPILE_PCRE16
-if ((re->options & PCRE_DUPNAMES) == 0 && (re->flags & PCRE_JCHANGED) == 0)
-  return pcre16_get_stringnumber(code, stringname);
-entrysize = pcre16_get_stringtable_entries(code, stringname, &first, &last);
-#elif defined COMPILE_PCRE32
-if ((re->options & PCRE_DUPNAMES) == 0 && (re->flags & PCRE_JCHANGED) == 0)
-  return pcre32_get_stringnumber(code, stringname);
-entrysize = pcre32_get_stringtable_entries(code, stringname, &first, &last);
-#endif
-if (entrysize <= 0) return entrysize;
-for (entry = (pcre_uchar *)first; entry <= (pcre_uchar *)last; entry += entrysize)
-  {
-  int n = GET2(entry, 0);
-  if (n < stringcount && ovector[n*2] >= 0) return n;
-  }
-return GET2(entry, 0);
-}
-
-
-
-
-/*************************************************
-*      Copy captured string to given buffer      *
-*************************************************/
-
-/* This function copies a single captured substring into a given buffer.
-Note that we use memcpy() rather than strncpy() in case there are binary zeros
-in the string.
-
-Arguments:
-  subject        the subject string that was matched
-  ovector        pointer to the offsets table
-  stringcount    the number of substrings that were captured
-                   (i.e. the yield of the pcre_exec call, unless
-                   that was zero, in which case it should be 1/3
-                   of the offset table size)
-  stringnumber   the number of the required substring
-  buffer         where to put the substring
-  size           the size of the buffer
-
-Returns:         if successful:
-                   the length of the copied string, not including the zero
-                   that is put on the end; can be zero
-                 if not successful:
-                   PCRE_ERROR_NOMEMORY (-6) buffer too small
-                   PCRE_ERROR_NOSUBSTRING (-7) no such captured substring
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_copy_substring(const char *subject, int *ovector, int stringcount,
-  int stringnumber, char *buffer, int size)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_copy_substring(PCRE_SPTR16 subject, int *ovector, int stringcount,
-  int stringnumber, PCRE_UCHAR16 *buffer, int size)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_copy_substring(PCRE_SPTR32 subject, int *ovector, int stringcount,
-  int stringnumber, PCRE_UCHAR32 *buffer, int size)
-#endif
-{
-int yield;
-if (stringnumber < 0 || stringnumber >= stringcount)
-  return PCRE_ERROR_NOSUBSTRING;
-stringnumber *= 2;
-yield = ovector[stringnumber+1] - ovector[stringnumber];
-if (size < yield + 1) return PCRE_ERROR_NOMEMORY;
-memcpy(buffer, subject + ovector[stringnumber], IN_UCHARS(yield));
-buffer[yield] = 0;
-return yield;
-}
-
-
-
-/*************************************************
-*   Copy named captured string to given buffer   *
-*************************************************/
-
-/* This function copies a single captured substring into a given buffer,
-identifying it by name. If the regex permits duplicate names, the first
-substring that is set is chosen.
-
-Arguments:
-  code           the compiled regex
-  subject        the subject string that was matched
-  ovector        pointer to the offsets table
-  stringcount    the number of substrings that were captured
-                   (i.e. the yield of the pcre_exec call, unless
-                   that was zero, in which case it should be 1/3
-                   of the offset table size)
-  stringname     the name of the required substring
-  buffer         where to put the substring
-  size           the size of the buffer
-
-Returns:         if successful:
-                   the length of the copied string, not including the zero
-                   that is put on the end; can be zero
-                 if not successful:
-                   PCRE_ERROR_NOMEMORY (-6) buffer too small
-                   PCRE_ERROR_NOSUBSTRING (-7) no such captured substring
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_copy_named_substring(const pcre *code, const char *subject,
-  int *ovector, int stringcount, const char *stringname,
-  char *buffer, int size)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_copy_named_substring(const pcre16 *code, PCRE_SPTR16 subject,
-  int *ovector, int stringcount, PCRE_SPTR16 stringname,
-  PCRE_UCHAR16 *buffer, int size)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_copy_named_substring(const pcre32 *code, PCRE_SPTR32 subject,
-  int *ovector, int stringcount, PCRE_SPTR32 stringname,
-  PCRE_UCHAR32 *buffer, int size)
-#endif
-{
-int n = get_first_set(code, stringname, ovector, stringcount);
-if (n <= 0) return n;
-#if defined COMPILE_PCRE8
-return pcre_copy_substring(subject, ovector, stringcount, n, buffer, size);
-#elif defined COMPILE_PCRE16
-return pcre16_copy_substring(subject, ovector, stringcount, n, buffer, size);
-#elif defined COMPILE_PCRE32
-return pcre32_copy_substring(subject, ovector, stringcount, n, buffer, size);
-#endif
-}
-
-
-
-/*************************************************
-*      Copy all captured strings to new store    *
-*************************************************/
-
-/* This function gets one chunk of store and builds a list of pointers and all
-of the captured substrings in it. A NULL pointer is put on the end of the list.
-
-Arguments:
-  subject        the subject string that was matched
-  ovector        pointer to the offsets table
-  stringcount    the number of substrings that were captured
-                   (i.e. the yield of the pcre_exec call, unless
-                   that was zero, in which case it should be 1/3
-                   of the offset table size)
-  listptr        set to point to the list of pointers
-
-Returns:         if successful: 0
-                 if not successful:
-                   PCRE_ERROR_NOMEMORY (-6) failed to get store
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_get_substring_list(const char *subject, int *ovector, int stringcount,
-  const char ***listptr)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_get_substring_list(PCRE_SPTR16 subject, int *ovector, int stringcount,
-  PCRE_SPTR16 **listptr)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_get_substring_list(PCRE_SPTR32 subject, int *ovector, int stringcount,
-  PCRE_SPTR32 **listptr)
-#endif
-{
-int i;
-int size = sizeof(pcre_uchar *);
-int double_count = stringcount * 2;
-pcre_uchar **stringlist;
-pcre_uchar *p;
-
-for (i = 0; i < double_count; i += 2)
-  {
-  size += sizeof(pcre_uchar *) + IN_UCHARS(1);
-  if (ovector[i+1] > ovector[i]) size += IN_UCHARS(ovector[i+1] - ovector[i]);
-  }
-
-stringlist = (pcre_uchar **)(PUBL(malloc))(size);
-if (stringlist == NULL) return PCRE_ERROR_NOMEMORY;
-
-#if defined COMPILE_PCRE8
-*listptr = (const char **)stringlist;
-#elif defined COMPILE_PCRE16
-*listptr = (PCRE_SPTR16 *)stringlist;
-#elif defined COMPILE_PCRE32
-*listptr = (PCRE_SPTR32 *)stringlist;
-#endif
-p = (pcre_uchar *)(stringlist + stringcount + 1);
-
-for (i = 0; i < double_count; i += 2)
-  {
-  int len = (ovector[i+1] > ovector[i])? (ovector[i+1] - ovector[i]) : 0;
-  memcpy(p, subject + ovector[i], IN_UCHARS(len));
-  *stringlist++ = p;
-  p += len;
-  *p++ = 0;
-  }
-
-*stringlist = NULL;
-return 0;
-}
-
-
-
-/*************************************************
-*   Free store obtained by get_substring_list    *
-*************************************************/
-
-/* This function exists for the benefit of people calling PCRE from non-C
-programs that can call its functions, but not free() or (PUBL(free))()
-directly.
-
-Argument:   the result of a previous pcre_get_substring_list()
-Returns:    nothing
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre_free_substring_list(const char **pointer)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre16_free_substring_list(PCRE_SPTR16 *pointer)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre32_free_substring_list(PCRE_SPTR32 *pointer)
-#endif
-{
-(PUBL(free))((void *)pointer);
-}
-
-
-
-/*************************************************
-*      Copy captured string to new store         *
-*************************************************/
-
-/* This function copies a single captured substring into a piece of new
-store
-
-Arguments:
-  subject        the subject string that was matched
-  ovector        pointer to the offsets table
-  stringcount    the number of substrings that were captured
-                   (i.e. the yield of the pcre_exec call, unless
-                   that was zero, in which case it should be 1/3
-                   of the offset table size)
-  stringnumber   the number of the required substring
-  stringptr      where to put a pointer to the substring
-
-Returns:         if successful:
-                   the length of the string, not including the zero that
-                   is put on the end; can be zero
-                 if not successful:
-                   PCRE_ERROR_NOMEMORY (-6) failed to get store
-                   PCRE_ERROR_NOSUBSTRING (-7) substring not present
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_get_substring(const char *subject, int *ovector, int stringcount,
-  int stringnumber, const char **stringptr)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_get_substring(PCRE_SPTR16 subject, int *ovector, int stringcount,
-  int stringnumber, PCRE_SPTR16 *stringptr)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_get_substring(PCRE_SPTR32 subject, int *ovector, int stringcount,
-  int stringnumber, PCRE_SPTR32 *stringptr)
-#endif
-{
-int yield;
-pcre_uchar *substring;
-if (stringnumber < 0 || stringnumber >= stringcount)
-  return PCRE_ERROR_NOSUBSTRING;
-stringnumber *= 2;
-yield = ovector[stringnumber+1] - ovector[stringnumber];
-substring = (pcre_uchar *)(PUBL(malloc))(IN_UCHARS(yield + 1));
-if (substring == NULL) return PCRE_ERROR_NOMEMORY;
-memcpy(substring, subject + ovector[stringnumber], IN_UCHARS(yield));
-substring[yield] = 0;
-#if defined COMPILE_PCRE8
-*stringptr = (const char *)substring;
-#elif defined COMPILE_PCRE16
-*stringptr = (PCRE_SPTR16)substring;
-#elif defined COMPILE_PCRE32
-*stringptr = (PCRE_SPTR32)substring;
-#endif
-return yield;
-}
-
-
-
-/*************************************************
-*   Copy named captured string to new store      *
-*************************************************/
-
-/* This function copies a single captured substring, identified by name, into
-new store. If the regex permits duplicate names, the first substring that is
-set is chosen.
-
-Arguments:
-  code           the compiled regex
-  subject        the subject string that was matched
-  ovector        pointer to the offsets table
-  stringcount    the number of substrings that were captured
-                   (i.e. the yield of the pcre_exec call, unless
-                   that was zero, in which case it should be 1/3
-                   of the offset table size)
-  stringname     the name of the required substring
-  stringptr      where to put the pointer
-
-Returns:         if successful:
-                   the length of the copied string, not including the zero
-                   that is put on the end; can be zero
-                 if not successful:
-                   PCRE_ERROR_NOMEMORY (-6) couldn't get memory
-                   PCRE_ERROR_NOSUBSTRING (-7) no such captured substring
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_get_named_substring(const pcre *code, const char *subject,
-  int *ovector, int stringcount, const char *stringname,
-  const char **stringptr)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_get_named_substring(const pcre16 *code, PCRE_SPTR16 subject,
-  int *ovector, int stringcount, PCRE_SPTR16 stringname,
-  PCRE_SPTR16 *stringptr)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_get_named_substring(const pcre32 *code, PCRE_SPTR32 subject,
-  int *ovector, int stringcount, PCRE_SPTR32 stringname,
-  PCRE_SPTR32 *stringptr)
-#endif
-{
-int n = get_first_set(code, stringname, ovector, stringcount);
-if (n <= 0) return n;
-#if defined COMPILE_PCRE8
-return pcre_get_substring(subject, ovector, stringcount, n, stringptr);
-#elif defined COMPILE_PCRE16
-return pcre16_get_substring(subject, ovector, stringcount, n, stringptr);
-#elif defined COMPILE_PCRE32
-return pcre32_get_substring(subject, ovector, stringcount, n, stringptr);
-#endif
-}
-
-
-
-
-/*************************************************
-*       Free store obtained by get_substring     *
-*************************************************/
-
-/* This function exists for the benefit of people calling PCRE from non-C
-programs that can call its functions, but not free() or (PUBL(free))()
-directly.
-
-Argument:   the result of a previous pcre_get_substring()
-Returns:    nothing
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre_free_substring(const char *pointer)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre16_free_substring(PCRE_SPTR16 pointer)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN void PCRE_CALL_CONVENTION
-pcre32_free_substring(PCRE_SPTR32 pointer)
-#endif
-{
-(PUBL(free))((void *)pointer);
-}
-
-/* End of pcre_get.c */
diff --git a/src/plugins/PCREPlugin/pcre_globals.c b/src/plugins/PCREPlugin/pcre_globals.c
deleted file mode 100644
index 659f898..0000000
--- a/src/plugins/PCREPlugin/pcre_globals.c
+++ /dev/null
@@ -1,87 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2014 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains global variables that are exported by the PCRE library.
-PCRE is thread-clean and doesn't use any global variables in the normal sense.
-However, it calls memory allocation and freeing functions via the four
-indirections below, and it can optionally do callouts, using the fifth
-indirection. These values can be changed by the caller, but are shared between
-all threads.
-
-For MS Visual Studio and Symbian OS, there are problems in initializing these
-variables to non-local functions. In these cases, therefore, an indirection via
-a local function is used.
-
-Also, when compiling for Virtual Pascal, things are done differently, and
-global variables are not used. */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-#if defined _MSC_VER || defined  __SYMBIAN32__
-static void* LocalPcreMalloc(size_t aSize)
-  {
-  return malloc(aSize);
-  }
-static void LocalPcreFree(void* aPtr)
-  {
-  free(aPtr);
-  }
-PCRE_EXP_DATA_DEFN void *(*PUBL(malloc))(size_t) = LocalPcreMalloc;
-PCRE_EXP_DATA_DEFN void  (*PUBL(free))(void *) = LocalPcreFree;
-PCRE_EXP_DATA_DEFN void *(*PUBL(stack_malloc))(size_t) = LocalPcreMalloc;
-PCRE_EXP_DATA_DEFN void  (*PUBL(stack_free))(void *) = LocalPcreFree;
-PCRE_EXP_DATA_DEFN int   (*PUBL(callout))(PUBL(callout_block) *) = NULL;
-PCRE_EXP_DATA_DEFN int   (*PUBL(stack_guard))(void) = NULL;
-
-#elif !defined VPCOMPAT
-PCRE_EXP_DATA_DEFN void *(*PUBL(malloc))(size_t) = malloc;
-PCRE_EXP_DATA_DEFN void  (*PUBL(free))(void *) = free;
-PCRE_EXP_DATA_DEFN void *(*PUBL(stack_malloc))(size_t) = malloc;
-PCRE_EXP_DATA_DEFN void  (*PUBL(stack_free))(void *) = free;
-PCRE_EXP_DATA_DEFN int   (*PUBL(callout))(PUBL(callout_block) *) = NULL;
-PCRE_EXP_DATA_DEFN int   (*PUBL(stack_guard))(void) = NULL;
-#endif
-
-/* End of pcre_globals.c */
diff --git a/src/plugins/PCREPlugin/pcre_internal.h b/src/plugins/PCREPlugin/pcre_internal.h
deleted file mode 100644
index 2923b29..0000000
--- a/src/plugins/PCREPlugin/pcre_internal.h
+++ /dev/null
@@ -1,2798 +0,0 @@
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2016 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-/* This header contains definitions that are shared between the different
-modules, but which are not relevant to the exported API. This includes some
-functions whose names all begin with "_pcre_", "_pcre16_" or "_pcre32_"
-depending on the PRIV macro. */
-
-#ifndef PCRE_INTERNAL_H
-#define PCRE_INTERNAL_H
-
-/* Define PCRE_DEBUG to get debugging output on stdout. */
-
-#if 0
-#define PCRE_DEBUG
-#endif
-
-/* PCRE is compiled as an 8 bit library if it is not requested otherwise. */
-
-#if !defined COMPILE_PCRE16 && !defined COMPILE_PCRE32
-#define COMPILE_PCRE8
-#endif
-
-/* If SUPPORT_UCP is defined, SUPPORT_UTF must also be defined. The
-"configure" script ensures this, but not everybody uses "configure". */
-
-#if defined SUPPORT_UCP && !(defined SUPPORT_UTF)
-#define SUPPORT_UTF 1
-#endif
-
-/* We define SUPPORT_UTF if SUPPORT_UTF8 is enabled for compatibility
-reasons with existing code. */
-
-#if defined SUPPORT_UTF8 && !(defined SUPPORT_UTF)
-#define SUPPORT_UTF 1
-#endif
-
-/* Fixme: SUPPORT_UTF8 should be eventually disappear from the code.
-Until then we define it if SUPPORT_UTF is defined. */
-
-#if defined SUPPORT_UTF && !(defined SUPPORT_UTF8)
-#define SUPPORT_UTF8 1
-#endif
-
-/* We do not support both EBCDIC and UTF-8/16/32 at the same time. The "configure"
-script prevents both being selected, but not everybody uses "configure". */
-
-#if defined EBCDIC && defined SUPPORT_UTF
-#error The use of both EBCDIC and SUPPORT_UTF is not supported.
-#endif
-
-/* Use a macro for debugging printing, 'cause that eliminates the use of #ifdef
-inline, and there are *still* stupid compilers about that don't like indented
-pre-processor statements, or at least there were when I first wrote this. After
-all, it had only been about 10 years then...
-
-It turns out that the Mac Debugging.h header also defines the macro DPRINTF, so
-be absolutely sure we get our version. */
-
-#undef DPRINTF
-#ifdef PCRE_DEBUG
-#define DPRINTF(p) printf p
-#else
-#define DPRINTF(p) /* Nothing */
-#endif
-
-
-/* Standard C headers plus the external interface definition. The only time
-setjmp and stdarg are used is when NO_RECURSE is set. */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-/* Valgrind (memcheck) support */
-
-#ifdef SUPPORT_VALGRIND
-#include 
-#endif
-
-/* When compiling a DLL for Windows, the exported symbols have to be declared
-using some MS magic. I found some useful information on this web page:
-http://msdn2.microsoft.com/en-us/library/y4h7bcy6(VS.80).aspx. According to the
-information there, using __declspec(dllexport) without "extern" we have a
-definition; with "extern" we have a declaration. The settings here override the
-setting in pcre.h (which is included below); it defines only PCRE_EXP_DECL,
-which is all that is needed for applications (they just import the symbols). We
-use:
-
-  PCRE_EXP_DECL       for declarations
-  PCRE_EXP_DEFN       for definitions of exported functions
-  PCRE_EXP_DATA_DEFN  for definitions of exported variables
-
-The reason for the two DEFN macros is that in non-Windows environments, one
-does not want to have "extern" before variable definitions because it leads to
-compiler warnings. So we distinguish between functions and variables. In
-Windows, the two should always be the same.
-
-The reason for wrapping this in #ifndef PCRE_EXP_DECL is so that pcretest,
-which is an application, but needs to import this file in order to "peek" at
-internals, can #include pcre.h first to get an application's-eye view.
-
-In principle, people compiling for non-Windows, non-Unix-like (i.e. uncommon,
-special-purpose environments) might want to stick other stuff in front of
-exported symbols. That's why, in the non-Windows case, we set PCRE_EXP_DEFN and
-PCRE_EXP_DATA_DEFN only if they are not already set. */
-
-#ifndef PCRE_EXP_DECL
-#  ifdef _WIN32
-#    ifndef PCRE_STATIC
-#      define PCRE_EXP_DECL       extern __declspec(dllexport)
-#      define PCRE_EXP_DEFN       __declspec(dllexport)
-#      define PCRE_EXP_DATA_DEFN  __declspec(dllexport)
-#    else
-#      define PCRE_EXP_DECL       extern
-#      define PCRE_EXP_DEFN
-#      define PCRE_EXP_DATA_DEFN
-#    endif
-#  else
-#    ifdef __cplusplus
-#      define PCRE_EXP_DECL       extern "C"
-#    else
-#      define PCRE_EXP_DECL       extern
-#    endif
-#    ifndef PCRE_EXP_DEFN
-#      define PCRE_EXP_DEFN       PCRE_EXP_DECL
-#    endif
-#    ifndef PCRE_EXP_DATA_DEFN
-#      define PCRE_EXP_DATA_DEFN
-#    endif
-#  endif
-#endif
-
-/* When compiling with the MSVC compiler, it is sometimes necessary to include
-a "calling convention" before exported function names. (This is secondhand
-information; I know nothing about MSVC myself). For example, something like
-
-  void __cdecl function(....)
-
-might be needed. In order so make this easy, all the exported functions have
-PCRE_CALL_CONVENTION just before their names. It is rarely needed; if not
-set, we ensure here that it has no effect. */
-
-#ifndef PCRE_CALL_CONVENTION
-#define PCRE_CALL_CONVENTION
-#endif
-
-/* We need to have types that specify unsigned 8, 16 and 32-bit integers. We
-cannot determine these outside the compilation (e.g. by running a program as
-part of "configure") because PCRE is often cross-compiled for use on other
-systems. Instead we make use of the maximum sizes that are available at
-preprocessor time in standard C environments. */
-
-typedef unsigned char pcre_uint8;
-
-#if USHRT_MAX == 65535
-typedef unsigned short pcre_uint16;
-typedef short pcre_int16;
-#define PCRE_UINT16_MAX USHRT_MAX
-#define PCRE_INT16_MAX SHRT_MAX
-#elif UINT_MAX == 65535
-typedef unsigned int pcre_uint16;
-typedef int pcre_int16;
-#define PCRE_UINT16_MAX UINT_MAX
-#define PCRE_INT16_MAX INT_MAX
-#else
-#error Cannot determine a type for 16-bit integers
-#endif
-
-#if UINT_MAX == 4294967295U
-typedef unsigned int pcre_uint32;
-typedef int pcre_int32;
-#define PCRE_UINT32_MAX UINT_MAX
-#define PCRE_INT32_MAX INT_MAX
-#elif ULONG_MAX == 4294967295UL
-typedef unsigned long int pcre_uint32;
-typedef long int pcre_int32;
-#define PCRE_UINT32_MAX ULONG_MAX
-#define PCRE_INT32_MAX LONG_MAX
-#else
-#error Cannot determine a type for 32-bit integers
-#endif
-
-/* When checking for integer overflow in pcre_compile(), we need to handle
-large integers. If a 64-bit integer type is available, we can use that.
-Otherwise we have to cast to double, which of course requires floating point
-arithmetic. Handle this by defining a macro for the appropriate type. If
-stdint.h is available, include it; it may define INT64_MAX. Systems that do not
-have stdint.h (e.g. Solaris) may have inttypes.h. The macro int64_t may be set
-by "configure". */
-
-#if defined HAVE_STDINT_H
-#include 
-#elif defined HAVE_INTTYPES_H
-#include 
-#endif
-
-#if defined INT64_MAX || defined int64_t
-#define INT64_OR_DOUBLE int64_t
-#else
-#define INT64_OR_DOUBLE double
-#endif
-
-/* All character handling must be done as unsigned characters. Otherwise there
-are problems with top-bit-set characters and functions such as isspace().
-However, we leave the interface to the outside world as char * or short *,
-because that should make things easier for callers. This character type is
-called pcre_uchar.
-
-The IN_UCHARS macro multiply its argument with the byte size of the current
-pcre_uchar type. Useful for memcpy and such operations, whose require the
-byte size of their input/output buffers.
-
-The MAX_255 macro checks whether its pcre_uchar input is less than 256.
-
-The TABLE_GET macro is designed for accessing elements of tables whose contain
-exactly 256 items. When the character is able to contain more than 256
-items, some check is needed before accessing these tables.
-*/
-
-#if defined COMPILE_PCRE8
-
-typedef unsigned char pcre_uchar;
-#define IN_UCHARS(x) (x)
-#define MAX_255(c) 1
-#define TABLE_GET(c, table, default) ((table)[c])
-
-#elif defined COMPILE_PCRE16
-
-#if USHRT_MAX != 65535
-/* This is a warning message. Change PCRE_UCHAR16 to a 16 bit data type in
-pcre.h(.in) and disable (comment out) this message. */
-#error Warning: PCRE_UCHAR16 is not a 16 bit data type.
-#endif
-
-typedef pcre_uint16 pcre_uchar;
-#define UCHAR_SHIFT (1)
-#define IN_UCHARS(x) ((x) * 2)
-#define MAX_255(c) ((c) <= 255u)
-#define TABLE_GET(c, table, default) (MAX_255(c)? ((table)[c]):(default))
-
-#elif defined COMPILE_PCRE32
-
-typedef pcre_uint32 pcre_uchar;
-#define UCHAR_SHIFT (2)
-#define IN_UCHARS(x) ((x) * 4)
-#define MAX_255(c) ((c) <= 255u)
-#define TABLE_GET(c, table, default) (MAX_255(c)? ((table)[c]):(default))
-
-#else
-#error Unsupported compiling mode
-#endif /* COMPILE_PCRE[8|16|32] */
-
-/* This is an unsigned int value that no character can ever have. UTF-8
-characters only go up to 0x7fffffff (though Unicode doesn't go beyond
-0x0010ffff). */
-
-#define NOTACHAR 0xffffffff
-
-/* PCRE is able to support several different kinds of newline (CR, LF, CRLF,
-"any" and "anycrlf" at present). The following macros are used to package up
-testing for newlines. NLBLOCK, PSSTART, and PSEND are defined in the various
-modules to indicate in which datablock the parameters exist, and what the
-start/end of string field names are. */
-
-#define NLTYPE_FIXED    0     /* Newline is a fixed length string */
-#define NLTYPE_ANY      1     /* Newline is any Unicode line ending */
-#define NLTYPE_ANYCRLF  2     /* Newline is CR, LF, or CRLF */
-
-/* This macro checks for a newline at the given position */
-
-#define IS_NEWLINE(p) \
-  ((NLBLOCK->nltype != NLTYPE_FIXED)? \
-    ((p) < NLBLOCK->PSEND && \
-     PRIV(is_newline)((p), NLBLOCK->nltype, NLBLOCK->PSEND, \
-       &(NLBLOCK->nllen), utf)) \
-    : \
-    ((p) <= NLBLOCK->PSEND - NLBLOCK->nllen && \
-     UCHAR21TEST(p) == NLBLOCK->nl[0] && \
-     (NLBLOCK->nllen == 1 || UCHAR21TEST(p+1) == NLBLOCK->nl[1])       \
-    ) \
-  )
-
-/* This macro checks for a newline immediately preceding the given position */
-
-#define WAS_NEWLINE(p) \
-  ((NLBLOCK->nltype != NLTYPE_FIXED)? \
-    ((p) > NLBLOCK->PSSTART && \
-     PRIV(was_newline)((p), NLBLOCK->nltype, NLBLOCK->PSSTART, \
-       &(NLBLOCK->nllen), utf)) \
-    : \
-    ((p) >= NLBLOCK->PSSTART + NLBLOCK->nllen && \
-     UCHAR21TEST(p - NLBLOCK->nllen) == NLBLOCK->nl[0] &&              \
-     (NLBLOCK->nllen == 1 || UCHAR21TEST(p - NLBLOCK->nllen + 1) == NLBLOCK->nl[1]) \
-    ) \
-  )
-
-/* When PCRE is compiled as a C++ library, the subject pointer can be replaced
-with a custom type. This makes it possible, for example, to allow pcre_exec()
-to process subject strings that are discontinuous by using a smart pointer
-class. It must always be possible to inspect all of the subject string in
-pcre_exec() because of the way it backtracks. Two macros are required in the
-normal case, for sign-unspecified and unsigned char pointers. The former is
-used for the external interface and appears in pcre.h, which is why its name
-must begin with PCRE_. */
-
-#ifdef CUSTOM_SUBJECT_PTR
-#define PCRE_PUCHAR CUSTOM_SUBJECT_PTR
-#else
-#define PCRE_PUCHAR const pcre_uchar *
-#endif
-
-/* Include the public PCRE header and the definitions of UCP character property
-values. */
-
-#include "pcre.h"
-#include "ucp.h"
-
-#ifdef COMPILE_PCRE32
-/* Assert that the public PCRE_UCHAR32 is a 32-bit type */
-typedef int __assert_pcre_uchar32_size[sizeof(PCRE_UCHAR32) == 4 ? 1 : -1];
-#endif
-
-/* When compiling for use with the Virtual Pascal compiler, these functions
-need to have their names changed. PCRE must be compiled with the -DVPCOMPAT
-option on the command line. */
-
-#ifdef VPCOMPAT
-#define strlen(s)        _strlen(s)
-#define strncmp(s1,s2,m) _strncmp(s1,s2,m)
-#define memcmp(s,c,n)    _memcmp(s,c,n)
-#define memcpy(d,s,n)    _memcpy(d,s,n)
-#define memmove(d,s,n)   _memmove(d,s,n)
-#define memset(s,c,n)    _memset(s,c,n)
-#else  /* VPCOMPAT */
-
-/* To cope with SunOS4 and other systems that lack memmove() but have bcopy(),
-define a macro for memmove() if HAVE_MEMMOVE is false, provided that HAVE_BCOPY
-is set. Otherwise, include an emulating function for those systems that have
-neither (there some non-Unix environments where this is the case). */
-
-#ifndef HAVE_MEMMOVE
-#undef  memmove        /* some systems may have a macro */
-#ifdef HAVE_BCOPY
-#define memmove(a, b, c) bcopy(b, a, c)
-#else  /* HAVE_BCOPY */
-static void *
-pcre_memmove(void *d, const void *s, size_t n)
-{
-size_t i;
-unsigned char *dest = (unsigned char *)d;
-const unsigned char *src = (const unsigned char *)s;
-if (dest > src)
-  {
-  dest += n;
-  src += n;
-  for (i = 0; i < n; ++i) *(--dest) = *(--src);
-  return (void *)dest;
-  }
-else
-  {
-  for (i = 0; i < n; ++i) *dest++ = *src++;
-  return (void *)(dest - n);
-  }
-}
-#define memmove(a, b, c) pcre_memmove(a, b, c)
-#endif   /* not HAVE_BCOPY */
-#endif   /* not HAVE_MEMMOVE */
-#endif   /* not VPCOMPAT */
-
-
-/* PCRE keeps offsets in its compiled code as 2-byte quantities (always stored
-in big-endian order) by default. These are used, for example, to link from the
-start of a subpattern to its alternatives and its end. The use of 2 bytes per
-offset limits the size of the compiled regex to around 64K, which is big enough
-for almost everybody. However, I received a request for an even bigger limit.
-For this reason, and also to make the code easier to maintain, the storing and
-loading of offsets from the byte string is now handled by the macros that are
-defined here.
-
-The macros are controlled by the value of LINK_SIZE. This defaults to 2 in
-the config.h file, but can be overridden by using -D on the command line. This
-is automated on Unix systems via the "configure" command. */
-
-#if defined COMPILE_PCRE8
-
-#if LINK_SIZE == 2
-
-#define PUT(a,n,d)   \
-  (a[n] = (d) >> 8), \
-  (a[(n)+1] = (d) & 255)
-
-#define GET(a,n) \
-  (((a)[n] << 8) | (a)[(n)+1])
-
-#define MAX_PATTERN_SIZE (1 << 16)
-
-
-#elif LINK_SIZE == 3
-
-#define PUT(a,n,d)       \
-  (a[n] = (d) >> 16),    \
-  (a[(n)+1] = (d) >> 8), \
-  (a[(n)+2] = (d) & 255)
-
-#define GET(a,n) \
-  (((a)[n] << 16) | ((a)[(n)+1] << 8) | (a)[(n)+2])
-
-#define MAX_PATTERN_SIZE (1 << 24)
-
-
-#elif LINK_SIZE == 4
-
-#define PUT(a,n,d)        \
-  (a[n] = (d) >> 24),     \
-  (a[(n)+1] = (d) >> 16), \
-  (a[(n)+2] = (d) >> 8),  \
-  (a[(n)+3] = (d) & 255)
-
-#define GET(a,n) \
-  (((a)[n] << 24) | ((a)[(n)+1] << 16) | ((a)[(n)+2] << 8) | (a)[(n)+3])
-
-/* Keep it positive */
-#define MAX_PATTERN_SIZE (1 << 30)
-
-#else
-#error LINK_SIZE must be either 2, 3, or 4
-#endif
-
-#elif defined COMPILE_PCRE16
-
-#if LINK_SIZE == 2
-
-/* Redefine LINK_SIZE as a multiple of sizeof(pcre_uchar) */
-#undef LINK_SIZE
-#define LINK_SIZE 1
-
-#define PUT(a,n,d)   \
-  (a[n] = (d))
-
-#define GET(a,n) \
-  (a[n])
-
-#define MAX_PATTERN_SIZE (1 << 16)
-
-#elif LINK_SIZE == 3 || LINK_SIZE == 4
-
-/* Redefine LINK_SIZE as a multiple of sizeof(pcre_uchar) */
-#undef LINK_SIZE
-#define LINK_SIZE 2
-
-#define PUT(a,n,d)   \
-  (a[n] = (d) >> 16), \
-  (a[(n)+1] = (d) & 65535)
-
-#define GET(a,n) \
-  (((a)[n] << 16) | (a)[(n)+1])
-
-/* Keep it positive */
-#define MAX_PATTERN_SIZE (1 << 30)
-
-#else
-#error LINK_SIZE must be either 2, 3, or 4
-#endif
-
-#elif defined COMPILE_PCRE32
-
-/* Only supported LINK_SIZE is 4 */
-/* Redefine LINK_SIZE as a multiple of sizeof(pcre_uchar) */
-#undef LINK_SIZE
-#define LINK_SIZE 1
-
-#define PUT(a,n,d)   \
-  (a[n] = (d))
-
-#define GET(a,n) \
-  (a[n])
-
-/* Keep it positive */
-#define MAX_PATTERN_SIZE (1 << 30)
-
-#else
-#error Unsupported compiling mode
-#endif /* COMPILE_PCRE[8|16|32] */
-
-/* Convenience macro defined in terms of the others */
-
-#define PUTINC(a,n,d)   PUT(a,n,d), a += LINK_SIZE
-
-
-/* PCRE uses some other 2-byte quantities that do not change when the size of
-offsets changes. There are used for repeat counts and for other things such as
-capturing parenthesis numbers in back references. */
-
-#if defined COMPILE_PCRE8
-
-#define IMM2_SIZE 2
-
-#define PUT2(a,n,d)   \
-  a[n] = (d) >> 8; \
-  a[(n)+1] = (d) & 255
-
-/* For reasons that I do not understand, the expression in this GET2 macro is
-treated by gcc as a signed expression, even when a is declared as unsigned. It
-seems that any kind of arithmetic results in a signed value. */
-
-#define GET2(a,n) \
-  (unsigned int)(((a)[n] << 8) | (a)[(n)+1])
-
-#elif defined COMPILE_PCRE16
-
-#define IMM2_SIZE 1
-
-#define PUT2(a,n,d)   \
-   a[n] = d
-
-#define GET2(a,n) \
-   a[n]
-
-#elif defined COMPILE_PCRE32
-
-#define IMM2_SIZE 1
-
-#define PUT2(a,n,d)   \
-   a[n] = d
-
-#define GET2(a,n) \
-   a[n]
-
-#else
-#error Unsupported compiling mode
-#endif /* COMPILE_PCRE[8|16|32] */
-
-#define PUT2INC(a,n,d)  PUT2(a,n,d), a += IMM2_SIZE
-
-/* The maximum length of a MARK name is currently one data unit; it may be
-changed in future to be a fixed number of bytes or to depend on LINK_SIZE. */
-
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-#define MAX_MARK ((1u << 16) - 1)
-#else
-#define MAX_MARK ((1u << 8) - 1)
-#endif
-
-/* There is a proposed future special "UTF-21" mode, in which only the lowest
-21 bits of a 32-bit character are interpreted as UTF, with the remaining 11
-high-order bits available to the application for other uses. In preparation for
-the future implementation of this mode, there are macros that load a data item
-and, if in this special mode, mask it to 21 bits. These macros all have names
-starting with UCHAR21. In all other modes, including the normal 32-bit
-library, the macros all have the same simple definitions. When the new mode is
-implemented, it is expected that these definitions will be varied appropriately
-using #ifdef when compiling the library that supports the special mode. */
-
-#define UCHAR21(eptr)        (*(eptr))
-#define UCHAR21TEST(eptr)    (*(eptr))
-#define UCHAR21INC(eptr)     (*(eptr)++)
-#define UCHAR21INCTEST(eptr) (*(eptr)++)
-
-/* When UTF encoding is being used, a character is no longer just a single
-byte in 8-bit mode or a single short in 16-bit mode. The macros for character
-handling generate simple sequences when used in the basic mode, and more
-complicated ones for UTF characters. GETCHARLENTEST and other macros are not
-used when UTF is not supported. To make sure they can never even appear when
-UTF support is omitted, we don't even define them. */
-
-#ifndef SUPPORT_UTF
-
-/* #define MAX_VALUE_FOR_SINGLE_CHAR */
-/* #define HAS_EXTRALEN(c) */
-/* #define GET_EXTRALEN(c) */
-/* #define NOT_FIRSTCHAR(c) */
-#define GETCHAR(c, eptr) c = *eptr;
-#define GETCHARTEST(c, eptr) c = *eptr;
-#define GETCHARINC(c, eptr) c = *eptr++;
-#define GETCHARINCTEST(c, eptr) c = *eptr++;
-#define GETCHARLEN(c, eptr, len) c = *eptr;
-/* #define GETCHARLENTEST(c, eptr, len) */
-/* #define BACKCHAR(eptr) */
-/* #define FORWARDCHAR(eptr) */
-/* #define ACROSSCHAR(condition, eptr, action) */
-
-#else   /* SUPPORT_UTF */
-
-/* Tests whether the code point needs extra characters to decode. */
-
-#define HASUTF8EXTRALEN(c) ((c) >= 0xc0)
-
-/* Base macro to pick up the remaining bytes of a UTF-8 character, not
-advancing the pointer. */
-
-#define GETUTF8(c, eptr) \
-    { \
-    if ((c & 0x20) == 0) \
-      c = ((c & 0x1f) << 6) | (eptr[1] & 0x3f); \
-    else if ((c & 0x10) == 0) \
-      c = ((c & 0x0f) << 12) | ((eptr[1] & 0x3f) << 6) | (eptr[2] & 0x3f); \
-    else if ((c & 0x08) == 0) \
-      c = ((c & 0x07) << 18) | ((eptr[1] & 0x3f) << 12) | \
-      ((eptr[2] & 0x3f) << 6) | (eptr[3] & 0x3f); \
-    else if ((c & 0x04) == 0) \
-      c = ((c & 0x03) << 24) | ((eptr[1] & 0x3f) << 18) | \
-          ((eptr[2] & 0x3f) << 12) | ((eptr[3] & 0x3f) << 6) | \
-          (eptr[4] & 0x3f); \
-    else \
-      c = ((c & 0x01) << 30) | ((eptr[1] & 0x3f) << 24) | \
-          ((eptr[2] & 0x3f) << 18) | ((eptr[3] & 0x3f) << 12) | \
-          ((eptr[4] & 0x3f) << 6) | (eptr[5] & 0x3f); \
-    }
-
-/* Base macro to pick up the remaining bytes of a UTF-8 character, advancing
-the pointer. */
-
-#define GETUTF8INC(c, eptr) \
-    { \
-    if ((c & 0x20) == 0) \
-      c = ((c & 0x1f) << 6) | (*eptr++ & 0x3f); \
-    else if ((c & 0x10) == 0) \
-      { \
-      c = ((c & 0x0f) << 12) | ((*eptr & 0x3f) << 6) | (eptr[1] & 0x3f); \
-      eptr += 2; \
-      } \
-    else if ((c & 0x08) == 0) \
-      { \
-      c = ((c & 0x07) << 18) | ((*eptr & 0x3f) << 12) | \
-          ((eptr[1] & 0x3f) << 6) | (eptr[2] & 0x3f); \
-      eptr += 3; \
-      } \
-    else if ((c & 0x04) == 0) \
-      { \
-      c = ((c & 0x03) << 24) | ((*eptr & 0x3f) << 18) | \
-          ((eptr[1] & 0x3f) << 12) | ((eptr[2] & 0x3f) << 6) | \
-          (eptr[3] & 0x3f); \
-      eptr += 4; \
-      } \
-    else \
-      { \
-      c = ((c & 0x01) << 30) | ((*eptr & 0x3f) << 24) | \
-          ((eptr[1] & 0x3f) << 18) | ((eptr[2] & 0x3f) << 12) | \
-          ((eptr[3] & 0x3f) << 6) | (eptr[4] & 0x3f); \
-      eptr += 5; \
-      } \
-    }
-
-#if defined COMPILE_PCRE8
-
-/* These macros were originally written in the form of loops that used data
-from the tables whose names start with PRIV(utf8_table). They were rewritten by
-a user so as not to use loops, because in some environments this gives a
-significant performance advantage, and it seems never to do any harm. */
-
-/* Tells the biggest code point which can be encoded as a single character. */
-
-#define MAX_VALUE_FOR_SINGLE_CHAR 127
-
-/* Tests whether the code point needs extra characters to decode. */
-
-#define HAS_EXTRALEN(c) ((c) >= 0xc0)
-
-/* Returns with the additional number of characters if IS_MULTICHAR(c) is TRUE.
-Otherwise it has an undefined behaviour. */
-
-#define GET_EXTRALEN(c) (PRIV(utf8_table4)[(c) & 0x3f])
-
-/* Returns TRUE, if the given character is not the first character
-of a UTF sequence. */
-
-#define NOT_FIRSTCHAR(c) (((c) & 0xc0) == 0x80)
-
-/* Get the next UTF-8 character, not advancing the pointer. This is called when
-we know we are in UTF-8 mode. */
-
-#define GETCHAR(c, eptr) \
-  c = *eptr; \
-  if (c >= 0xc0) GETUTF8(c, eptr);
-
-/* Get the next UTF-8 character, testing for UTF-8 mode, and not advancing the
-pointer. */
-
-#define GETCHARTEST(c, eptr) \
-  c = *eptr; \
-  if (utf && c >= 0xc0) GETUTF8(c, eptr);
-
-/* Get the next UTF-8 character, advancing the pointer. This is called when we
-know we are in UTF-8 mode. */
-
-#define GETCHARINC(c, eptr) \
-  c = *eptr++; \
-  if (c >= 0xc0) GETUTF8INC(c, eptr);
-
-/* Get the next character, testing for UTF-8 mode, and advancing the pointer.
-This is called when we don't know if we are in UTF-8 mode. */
-
-#define GETCHARINCTEST(c, eptr) \
-  c = *eptr++; \
-  if (utf && c >= 0xc0) GETUTF8INC(c, eptr);
-
-/* Base macro to pick up the remaining bytes of a UTF-8 character, not
-advancing the pointer, incrementing the length. */
-
-#define GETUTF8LEN(c, eptr, len) \
-    { \
-    if ((c & 0x20) == 0) \
-      { \
-      c = ((c & 0x1f) << 6) | (eptr[1] & 0x3f); \
-      len++; \
-      } \
-    else if ((c & 0x10)  == 0) \
-      { \
-      c = ((c & 0x0f) << 12) | ((eptr[1] & 0x3f) << 6) | (eptr[2] & 0x3f); \
-      len += 2; \
-      } \
-    else if ((c & 0x08)  == 0) \
-      {\
-      c = ((c & 0x07) << 18) | ((eptr[1] & 0x3f) << 12) | \
-          ((eptr[2] & 0x3f) << 6) | (eptr[3] & 0x3f); \
-      len += 3; \
-      } \
-    else if ((c & 0x04)  == 0) \
-      { \
-      c = ((c & 0x03) << 24) | ((eptr[1] & 0x3f) << 18) | \
-          ((eptr[2] & 0x3f) << 12) | ((eptr[3] & 0x3f) << 6) | \
-          (eptr[4] & 0x3f); \
-      len += 4; \
-      } \
-    else \
-      {\
-      c = ((c & 0x01) << 30) | ((eptr[1] & 0x3f) << 24) | \
-          ((eptr[2] & 0x3f) << 18) | ((eptr[3] & 0x3f) << 12) | \
-          ((eptr[4] & 0x3f) << 6) | (eptr[5] & 0x3f); \
-      len += 5; \
-      } \
-    }
-
-/* Get the next UTF-8 character, not advancing the pointer, incrementing length
-if there are extra bytes. This is called when we know we are in UTF-8 mode. */
-
-#define GETCHARLEN(c, eptr, len) \
-  c = *eptr; \
-  if (c >= 0xc0) GETUTF8LEN(c, eptr, len);
-
-/* Get the next UTF-8 character, testing for UTF-8 mode, not advancing the
-pointer, incrementing length if there are extra bytes. This is called when we
-do not know if we are in UTF-8 mode. */
-
-#define GETCHARLENTEST(c, eptr, len) \
-  c = *eptr; \
-  if (utf && c >= 0xc0) GETUTF8LEN(c, eptr, len);
-
-/* If the pointer is not at the start of a character, move it back until
-it is. This is called only in UTF-8 mode - we don't put a test within the macro
-because almost all calls are already within a block of UTF-8 only code. */
-
-#define BACKCHAR(eptr) while((*eptr & 0xc0) == 0x80) eptr--
-
-/* Same as above, just in the other direction. */
-#define FORWARDCHAR(eptr) while((*eptr & 0xc0) == 0x80) eptr++
-
-/* Same as above, but it allows a fully customizable form. */
-#define ACROSSCHAR(condition, eptr, action) \
-  while((condition) && ((eptr) & 0xc0) == 0x80) action
-
-#elif defined COMPILE_PCRE16
-
-/* Tells the biggest code point which can be encoded as a single character. */
-
-#define MAX_VALUE_FOR_SINGLE_CHAR 65535
-
-/* Tests whether the code point needs extra characters to decode. */
-
-#define HAS_EXTRALEN(c) (((c) & 0xfc00) == 0xd800)
-
-/* Returns with the additional number of characters if IS_MULTICHAR(c) is TRUE.
-Otherwise it has an undefined behaviour. */
-
-#define GET_EXTRALEN(c) 1
-
-/* Returns TRUE, if the given character is not the first character
-of a UTF sequence. */
-
-#define NOT_FIRSTCHAR(c) (((c) & 0xfc00) == 0xdc00)
-
-/* Base macro to pick up the low surrogate of a UTF-16 character, not
-advancing the pointer. */
-
-#define GETUTF16(c, eptr) \
-   { c = (((c & 0x3ff) << 10) | (eptr[1] & 0x3ff)) + 0x10000; }
-
-/* Get the next UTF-16 character, not advancing the pointer. This is called when
-we know we are in UTF-16 mode. */
-
-#define GETCHAR(c, eptr) \
-  c = *eptr; \
-  if ((c & 0xfc00) == 0xd800) GETUTF16(c, eptr);
-
-/* Get the next UTF-16 character, testing for UTF-16 mode, and not advancing the
-pointer. */
-
-#define GETCHARTEST(c, eptr) \
-  c = *eptr; \
-  if (utf && (c & 0xfc00) == 0xd800) GETUTF16(c, eptr);
-
-/* Base macro to pick up the low surrogate of a UTF-16 character, advancing
-the pointer. */
-
-#define GETUTF16INC(c, eptr) \
-   { c = (((c & 0x3ff) << 10) | (*eptr++ & 0x3ff)) + 0x10000; }
-
-/* Get the next UTF-16 character, advancing the pointer. This is called when we
-know we are in UTF-16 mode. */
-
-#define GETCHARINC(c, eptr) \
-  c = *eptr++; \
-  if ((c & 0xfc00) == 0xd800) GETUTF16INC(c, eptr);
-
-/* Get the next character, testing for UTF-16 mode, and advancing the pointer.
-This is called when we don't know if we are in UTF-16 mode. */
-
-#define GETCHARINCTEST(c, eptr) \
-  c = *eptr++; \
-  if (utf && (c & 0xfc00) == 0xd800) GETUTF16INC(c, eptr);
-
-/* Base macro to pick up the low surrogate of a UTF-16 character, not
-advancing the pointer, incrementing the length. */
-
-#define GETUTF16LEN(c, eptr, len) \
-   { c = (((c & 0x3ff) << 10) | (eptr[1] & 0x3ff)) + 0x10000; len++; }
-
-/* Get the next UTF-16 character, not advancing the pointer, incrementing
-length if there is a low surrogate. This is called when we know we are in
-UTF-16 mode. */
-
-#define GETCHARLEN(c, eptr, len) \
-  c = *eptr; \
-  if ((c & 0xfc00) == 0xd800) GETUTF16LEN(c, eptr, len);
-
-/* Get the next UTF-816character, testing for UTF-16 mode, not advancing the
-pointer, incrementing length if there is a low surrogate. This is called when
-we do not know if we are in UTF-16 mode. */
-
-#define GETCHARLENTEST(c, eptr, len) \
-  c = *eptr; \
-  if (utf && (c & 0xfc00) == 0xd800) GETUTF16LEN(c, eptr, len);
-
-/* If the pointer is not at the start of a character, move it back until
-it is. This is called only in UTF-16 mode - we don't put a test within the
-macro because almost all calls are already within a block of UTF-16 only
-code. */
-
-#define BACKCHAR(eptr) if ((*eptr & 0xfc00) == 0xdc00) eptr--
-
-/* Same as above, just in the other direction. */
-#define FORWARDCHAR(eptr) if ((*eptr & 0xfc00) == 0xdc00) eptr++
-
-/* Same as above, but it allows a fully customizable form. */
-#define ACROSSCHAR(condition, eptr, action) \
-  if ((condition) && ((eptr) & 0xfc00) == 0xdc00) action
-
-#elif defined COMPILE_PCRE32
-
-/* These are trivial for the 32-bit library, since all UTF-32 characters fit
-into one pcre_uchar unit. */
-#define MAX_VALUE_FOR_SINGLE_CHAR (0x10ffffu)
-#define HAS_EXTRALEN(c) (0)
-#define GET_EXTRALEN(c) (0)
-#define NOT_FIRSTCHAR(c) (0)
-
-/* Get the next UTF-32 character, not advancing the pointer. This is called when
-we know we are in UTF-32 mode. */
-
-#define GETCHAR(c, eptr) \
-  c = *(eptr);
-
-/* Get the next UTF-32 character, testing for UTF-32 mode, and not advancing the
-pointer. */
-
-#define GETCHARTEST(c, eptr) \
-  c = *(eptr);
-
-/* Get the next UTF-32 character, advancing the pointer. This is called when we
-know we are in UTF-32 mode. */
-
-#define GETCHARINC(c, eptr) \
-  c = *((eptr)++);
-
-/* Get the next character, testing for UTF-32 mode, and advancing the pointer.
-This is called when we don't know if we are in UTF-32 mode. */
-
-#define GETCHARINCTEST(c, eptr) \
-  c = *((eptr)++);
-
-/* Get the next UTF-32 character, not advancing the pointer, not incrementing
-length (since all UTF-32 is of length 1). This is called when we know we are in
-UTF-32 mode. */
-
-#define GETCHARLEN(c, eptr, len) \
-  GETCHAR(c, eptr)
-
-/* Get the next UTF-32character, testing for UTF-32 mode, not advancing the
-pointer, not incrementing the length (since all UTF-32 is of length 1).
-This is called when we do not know if we are in UTF-32 mode. */
-
-#define GETCHARLENTEST(c, eptr, len) \
-  GETCHARTEST(c, eptr)
-
-/* If the pointer is not at the start of a character, move it back until
-it is. This is called only in UTF-32 mode - we don't put a test within the
-macro because almost all calls are already within a block of UTF-32 only
-code.
-These are all no-ops since all UTF-32 characters fit into one pcre_uchar. */
-
-#define BACKCHAR(eptr) do { } while (0)
-
-/* Same as above, just in the other direction. */
-#define FORWARDCHAR(eptr) do { } while (0)
-
-/* Same as above, but it allows a fully customizable form. */
-#define ACROSSCHAR(condition, eptr, action) do { } while (0)
-
-#else
-#error Unsupported compiling mode
-#endif /* COMPILE_PCRE[8|16|32] */
-
-#endif  /* SUPPORT_UTF */
-
-/* Tests for Unicode horizontal and vertical whitespace characters must check a
-number of different values. Using a switch statement for this generates the
-fastest code (no loop, no memory access), and there are several places in the
-interpreter code where this happens. In order to ensure that all the case lists
-remain in step, we use macros so that there is only one place where the lists
-are defined.
-
-These values are also required as lists in pcre_compile.c when processing \h,
-\H, \v and \V in a character class. The lists are defined in pcre_tables.c, but
-macros that define the values are here so that all the definitions are
-together. The lists must be in ascending character order, terminated by
-NOTACHAR (which is 0xffffffff).
-
-Any changes should ensure that the various macros are kept in step with each
-other. NOTE: The values also appear in pcre_jit_compile.c. */
-
-/* ------ ASCII/Unicode environments ------ */
-
-#ifndef EBCDIC
-
-#define HSPACE_LIST \
-  CHAR_HT, CHAR_SPACE, CHAR_NBSP, \
-  0x1680, 0x180e, 0x2000, 0x2001, 0x2002, 0x2003, 0x2004, 0x2005, \
-  0x2006, 0x2007, 0x2008, 0x2009, 0x200A, 0x202f, 0x205f, 0x3000, \
-  NOTACHAR
-
-#define HSPACE_MULTIBYTE_CASES \
-  case 0x1680:  /* OGHAM SPACE MARK */ \
-  case 0x180e:  /* MONGOLIAN VOWEL SEPARATOR */ \
-  case 0x2000:  /* EN QUAD */ \
-  case 0x2001:  /* EM QUAD */ \
-  case 0x2002:  /* EN SPACE */ \
-  case 0x2003:  /* EM SPACE */ \
-  case 0x2004:  /* THREE-PER-EM SPACE */ \
-  case 0x2005:  /* FOUR-PER-EM SPACE */ \
-  case 0x2006:  /* SIX-PER-EM SPACE */ \
-  case 0x2007:  /* FIGURE SPACE */ \
-  case 0x2008:  /* PUNCTUATION SPACE */ \
-  case 0x2009:  /* THIN SPACE */ \
-  case 0x200A:  /* HAIR SPACE */ \
-  case 0x202f:  /* NARROW NO-BREAK SPACE */ \
-  case 0x205f:  /* MEDIUM MATHEMATICAL SPACE */ \
-  case 0x3000   /* IDEOGRAPHIC SPACE */
-
-#define HSPACE_BYTE_CASES \
-  case CHAR_HT: \
-  case CHAR_SPACE: \
-  case CHAR_NBSP
-
-#define HSPACE_CASES \
-  HSPACE_BYTE_CASES: \
-  HSPACE_MULTIBYTE_CASES
-
-#define VSPACE_LIST \
-  CHAR_LF, CHAR_VT, CHAR_FF, CHAR_CR, CHAR_NEL, 0x2028, 0x2029, NOTACHAR
-
-#define VSPACE_MULTIBYTE_CASES \
-  case 0x2028:    /* LINE SEPARATOR */ \
-  case 0x2029     /* PARAGRAPH SEPARATOR */
-
-#define VSPACE_BYTE_CASES \
-  case CHAR_LF: \
-  case CHAR_VT: \
-  case CHAR_FF: \
-  case CHAR_CR: \
-  case CHAR_NEL
-
-#define VSPACE_CASES \
-  VSPACE_BYTE_CASES: \
-  VSPACE_MULTIBYTE_CASES
-
-/* ------ EBCDIC environments ------ */
-
-#else
-#define HSPACE_LIST CHAR_HT, CHAR_SPACE, CHAR_NBSP, NOTACHAR
-
-#define HSPACE_BYTE_CASES \
-  case CHAR_HT: \
-  case CHAR_SPACE: \
-  case CHAR_NBSP
-
-#define HSPACE_CASES HSPACE_BYTE_CASES
-
-#ifdef EBCDIC_NL25
-#define VSPACE_LIST \
-  CHAR_VT, CHAR_FF, CHAR_CR, CHAR_NEL, CHAR_LF, NOTACHAR
-#else
-#define VSPACE_LIST \
-  CHAR_VT, CHAR_FF, CHAR_CR, CHAR_LF, CHAR_NEL, NOTACHAR
-#endif
-
-#define VSPACE_BYTE_CASES \
-  case CHAR_LF: \
-  case CHAR_VT: \
-  case CHAR_FF: \
-  case CHAR_CR: \
-  case CHAR_NEL
-
-#define VSPACE_CASES VSPACE_BYTE_CASES
-#endif  /* EBCDIC */
-
-/* ------ End of whitespace macros ------ */
-
-
-
-/* Private flags containing information about the compiled regex. They used to
-live at the top end of the options word, but that got almost full, so they were
-moved to a 16-bit flags word - which got almost full, so now they are in a
-32-bit flags word. From release 8.00, PCRE_NOPARTIAL is unused, as the
-restrictions on partial matching have been lifted. It remains for backwards
-compatibility. */
-
-#define PCRE_MODE8         0x00000001  /* compiled in 8 bit mode */
-#define PCRE_MODE16        0x00000002  /* compiled in 16 bit mode */
-#define PCRE_MODE32        0x00000004  /* compiled in 32 bit mode */
-#define PCRE_FIRSTSET      0x00000010  /* first_char is set */
-#define PCRE_FCH_CASELESS  0x00000020  /* caseless first char */
-#define PCRE_REQCHSET      0x00000040  /* req_byte is set */
-#define PCRE_RCH_CASELESS  0x00000080  /* caseless requested char */
-#define PCRE_STARTLINE     0x00000100  /* start after \n for multiline */
-#define PCRE_NOPARTIAL     0x00000200  /* can't use partial with this regex */
-#define PCRE_JCHANGED      0x00000400  /* j option used in regex */
-#define PCRE_HASCRORLF     0x00000800  /* explicit \r or \n in pattern */
-#define PCRE_HASTHEN       0x00001000  /* pattern contains (*THEN) */
-#define PCRE_MLSET         0x00002000  /* match limit set by regex */
-#define PCRE_RLSET         0x00004000  /* recursion limit set by regex */
-#define PCRE_MATCH_EMPTY   0x00008000  /* pattern can match empty string */
-
-#if defined COMPILE_PCRE8
-#define PCRE_MODE          PCRE_MODE8
-#elif defined COMPILE_PCRE16
-#define PCRE_MODE          PCRE_MODE16
-#elif defined COMPILE_PCRE32
-#define PCRE_MODE          PCRE_MODE32
-#endif
-#define PCRE_MODE_MASK     (PCRE_MODE8 | PCRE_MODE16 | PCRE_MODE32)
-
-/* Flags for the "extra" block produced by pcre_study(). */
-
-#define PCRE_STUDY_MAPPED  0x0001  /* a map of starting chars exists */
-#define PCRE_STUDY_MINLEN  0x0002  /* a minimum length field exists */
-
-/* Masks for identifying the public options that are permitted at compile
-time, run time, or study time, respectively. */
-
-#define PCRE_NEWLINE_BITS (PCRE_NEWLINE_CR|PCRE_NEWLINE_LF|PCRE_NEWLINE_ANY| \
-                           PCRE_NEWLINE_ANYCRLF)
-
-#define PUBLIC_COMPILE_OPTIONS \
-  (PCRE_CASELESS|PCRE_EXTENDED|PCRE_ANCHORED|PCRE_MULTILINE| \
-   PCRE_DOTALL|PCRE_DOLLAR_ENDONLY|PCRE_EXTRA|PCRE_UNGREEDY|PCRE_UTF8| \
-   PCRE_NO_AUTO_CAPTURE|PCRE_NO_AUTO_POSSESS| \
-   PCRE_NO_UTF8_CHECK|PCRE_AUTO_CALLOUT|PCRE_FIRSTLINE| \
-   PCRE_DUPNAMES|PCRE_NEWLINE_BITS|PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE| \
-   PCRE_JAVASCRIPT_COMPAT|PCRE_UCP|PCRE_NO_START_OPTIMIZE|PCRE_NEVER_UTF)
-
-#define PUBLIC_EXEC_OPTIONS \
-  (PCRE_ANCHORED|PCRE_NOTBOL|PCRE_NOTEOL|PCRE_NOTEMPTY|PCRE_NOTEMPTY_ATSTART| \
-   PCRE_NO_UTF8_CHECK|PCRE_PARTIAL_HARD|PCRE_PARTIAL_SOFT|PCRE_NEWLINE_BITS| \
-   PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE|PCRE_NO_START_OPTIMIZE)
-
-#define PUBLIC_DFA_EXEC_OPTIONS \
-  (PCRE_ANCHORED|PCRE_NOTBOL|PCRE_NOTEOL|PCRE_NOTEMPTY|PCRE_NOTEMPTY_ATSTART| \
-   PCRE_NO_UTF8_CHECK|PCRE_PARTIAL_HARD|PCRE_PARTIAL_SOFT|PCRE_DFA_SHORTEST| \
-   PCRE_DFA_RESTART|PCRE_NEWLINE_BITS|PCRE_BSR_ANYCRLF|PCRE_BSR_UNICODE| \
-   PCRE_NO_START_OPTIMIZE)
-
-#define PUBLIC_STUDY_OPTIONS \
-   (PCRE_STUDY_JIT_COMPILE|PCRE_STUDY_JIT_PARTIAL_SOFT_COMPILE| \
-    PCRE_STUDY_JIT_PARTIAL_HARD_COMPILE|PCRE_STUDY_EXTRA_NEEDED)
-
-#define PUBLIC_JIT_EXEC_OPTIONS \
-   (PCRE_NO_UTF8_CHECK|PCRE_NOTBOL|PCRE_NOTEOL|PCRE_NOTEMPTY|\
-    PCRE_NOTEMPTY_ATSTART|PCRE_PARTIAL_SOFT|PCRE_PARTIAL_HARD)
-
-/* Magic number to provide a small check against being handed junk. */
-
-#define MAGIC_NUMBER  0x50435245UL   /* 'PCRE' */
-
-/* This variable is used to detect a loaded regular expression
-in different endianness. */
-
-#define REVERSED_MAGIC_NUMBER  0x45524350UL   /* 'ERCP' */
-
-/* The maximum remaining length of subject we are prepared to search for a
-req_byte match. */
-
-#define REQ_BYTE_MAX 1000
-
-/* Miscellaneous definitions. The #ifndef is to pacify compiler warnings in
-environments where these macros are defined elsewhere. Unfortunately, there
-is no way to do the same for the typedef. */
-
-typedef int BOOL;
-
-#ifndef FALSE
-#define FALSE   0
-#define TRUE    1
-#endif
-
-/* If PCRE is to support UTF-8 on EBCDIC platforms, we cannot use normal
-character constants like '*' because the compiler would emit their EBCDIC code,
-which is different from their ASCII/UTF-8 code. Instead we define macros for
-the characters so that they always use the ASCII/UTF-8 code when UTF-8 support
-is enabled. When UTF-8 support is not enabled, the definitions use character
-literals. Both character and string versions of each character are needed, and
-there are some longer strings as well.
-
-This means that, on EBCDIC platforms, the PCRE library can handle either
-EBCDIC, or UTF-8, but not both. To support both in the same compiled library
-would need different lookups depending on whether PCRE_UTF8 was set or not.
-This would make it impossible to use characters in switch/case statements,
-which would reduce performance. For a theoretical use (which nobody has asked
-for) in a minority area (EBCDIC platforms), this is not sensible. Any
-application that did need both could compile two versions of the library, using
-macros to give the functions distinct names. */
-
-#ifndef SUPPORT_UTF
-
-/* UTF-8 support is not enabled; use the platform-dependent character literals
-so that PCRE works in both ASCII and EBCDIC environments, but only in non-UTF
-mode. Newline characters are problematic in EBCDIC. Though it has CR and LF
-characters, a common practice has been to use its NL (0x15) character as the
-line terminator in C-like processing environments. However, sometimes the LF
-(0x25) character is used instead, according to this Unicode document:
-
-http://unicode.org/standard/reports/tr13/tr13-5.html
-
-PCRE defaults EBCDIC NL to 0x15, but has a build-time option to select 0x25
-instead. Whichever is *not* chosen is defined as NEL.
-
-In both ASCII and EBCDIC environments, CHAR_NL and CHAR_LF are synonyms for the
-same code point. */
-
-#ifdef EBCDIC
-
-#ifndef EBCDIC_NL25
-#define CHAR_NL                     '\x15'
-#define CHAR_NEL                    '\x25'
-#define STR_NL                      "\x15"
-#define STR_NEL                     "\x25"
-#else
-#define CHAR_NL                     '\x25'
-#define CHAR_NEL                    '\x15'
-#define STR_NL                      "\x25"
-#define STR_NEL                     "\x15"
-#endif
-
-#define CHAR_LF                     CHAR_NL
-#define STR_LF                      STR_NL
-
-#define CHAR_ESC                    '\047'
-#define CHAR_DEL                    '\007'
-#define CHAR_NBSP                   '\x41'
-#define STR_ESC                     "\047"
-#define STR_DEL                     "\007"
-
-#else  /* Not EBCDIC */
-
-/* In ASCII/Unicode, linefeed is '\n' and we equate this to NL for
-compatibility. NEL is the Unicode newline character; make sure it is
-a positive value. */
-
-#define CHAR_LF                     '\n'
-#define CHAR_NL                     CHAR_LF
-#define CHAR_NEL                    ((unsigned char)'\x85')
-#define CHAR_ESC                    '\033'
-#define CHAR_DEL                    '\177'
-#define CHAR_NBSP                   ((unsigned char)'\xa0')
-
-#define STR_LF                      "\n"
-#define STR_NL                      STR_LF
-#define STR_NEL                     "\x85"
-#define STR_ESC                     "\033"
-#define STR_DEL                     "\177"
-
-#endif  /* EBCDIC */
-
-/* The remaining definitions work in both environments. */
-
-#define CHAR_NULL                   '\0'
-#define CHAR_HT                     '\t'
-#define CHAR_VT                     '\v'
-#define CHAR_FF                     '\f'
-#define CHAR_CR                     '\r'
-#define CHAR_BS                     '\b'
-#define CHAR_BEL                    '\a'
-
-#define CHAR_SPACE                  ' '
-#define CHAR_EXCLAMATION_MARK       '!'
-#define CHAR_QUOTATION_MARK         '"'
-#define CHAR_NUMBER_SIGN            '#'
-#define CHAR_DOLLAR_SIGN            '$'
-#define CHAR_PERCENT_SIGN           '%'
-#define CHAR_AMPERSAND              '&'
-#define CHAR_APOSTROPHE             '\''
-#define CHAR_LEFT_PARENTHESIS       '('
-#define CHAR_RIGHT_PARENTHESIS      ')'
-#define CHAR_ASTERISK               '*'
-#define CHAR_PLUS                   '+'
-#define CHAR_COMMA                  ','
-#define CHAR_MINUS                  '-'
-#define CHAR_DOT                    '.'
-#define CHAR_SLASH                  '/'
-#define CHAR_0                      '0'
-#define CHAR_1                      '1'
-#define CHAR_2                      '2'
-#define CHAR_3                      '3'
-#define CHAR_4                      '4'
-#define CHAR_5                      '5'
-#define CHAR_6                      '6'
-#define CHAR_7                      '7'
-#define CHAR_8                      '8'
-#define CHAR_9                      '9'
-#define CHAR_COLON                  ':'
-#define CHAR_SEMICOLON              ';'
-#define CHAR_LESS_THAN_SIGN         '<'
-#define CHAR_EQUALS_SIGN            '='
-#define CHAR_GREATER_THAN_SIGN      '>'
-#define CHAR_QUESTION_MARK          '?'
-#define CHAR_COMMERCIAL_AT          '@'
-#define CHAR_A                      'A'
-#define CHAR_B                      'B'
-#define CHAR_C                      'C'
-#define CHAR_D                      'D'
-#define CHAR_E                      'E'
-#define CHAR_F                      'F'
-#define CHAR_G                      'G'
-#define CHAR_H                      'H'
-#define CHAR_I                      'I'
-#define CHAR_J                      'J'
-#define CHAR_K                      'K'
-#define CHAR_L                      'L'
-#define CHAR_M                      'M'
-#define CHAR_N                      'N'
-#define CHAR_O                      'O'
-#define CHAR_P                      'P'
-#define CHAR_Q                      'Q'
-#define CHAR_R                      'R'
-#define CHAR_S                      'S'
-#define CHAR_T                      'T'
-#define CHAR_U                      'U'
-#define CHAR_V                      'V'
-#define CHAR_W                      'W'
-#define CHAR_X                      'X'
-#define CHAR_Y                      'Y'
-#define CHAR_Z                      'Z'
-#define CHAR_LEFT_SQUARE_BRACKET    '['
-#define CHAR_BACKSLASH              '\\'
-#define CHAR_RIGHT_SQUARE_BRACKET   ']'
-#define CHAR_CIRCUMFLEX_ACCENT      '^'
-#define CHAR_UNDERSCORE             '_'
-#define CHAR_GRAVE_ACCENT           '`'
-#define CHAR_a                      'a'
-#define CHAR_b                      'b'
-#define CHAR_c                      'c'
-#define CHAR_d                      'd'
-#define CHAR_e                      'e'
-#define CHAR_f                      'f'
-#define CHAR_g                      'g'
-#define CHAR_h                      'h'
-#define CHAR_i                      'i'
-#define CHAR_j                      'j'
-#define CHAR_k                      'k'
-#define CHAR_l                      'l'
-#define CHAR_m                      'm'
-#define CHAR_n                      'n'
-#define CHAR_o                      'o'
-#define CHAR_p                      'p'
-#define CHAR_q                      'q'
-#define CHAR_r                      'r'
-#define CHAR_s                      's'
-#define CHAR_t                      't'
-#define CHAR_u                      'u'
-#define CHAR_v                      'v'
-#define CHAR_w                      'w'
-#define CHAR_x                      'x'
-#define CHAR_y                      'y'
-#define CHAR_z                      'z'
-#define CHAR_LEFT_CURLY_BRACKET     '{'
-#define CHAR_VERTICAL_LINE          '|'
-#define CHAR_RIGHT_CURLY_BRACKET    '}'
-#define CHAR_TILDE                  '~'
-
-#define STR_HT                      "\t"
-#define STR_VT                      "\v"
-#define STR_FF                      "\f"
-#define STR_CR                      "\r"
-#define STR_BS                      "\b"
-#define STR_BEL                     "\a"
-
-#define STR_SPACE                   " "
-#define STR_EXCLAMATION_MARK        "!"
-#define STR_QUOTATION_MARK          "\""
-#define STR_NUMBER_SIGN             "#"
-#define STR_DOLLAR_SIGN             "$"
-#define STR_PERCENT_SIGN            "%"
-#define STR_AMPERSAND               "&"
-#define STR_APOSTROPHE              "'"
-#define STR_LEFT_PARENTHESIS        "("
-#define STR_RIGHT_PARENTHESIS       ")"
-#define STR_ASTERISK                "*"
-#define STR_PLUS                    "+"
-#define STR_COMMA                   ","
-#define STR_MINUS                   "-"
-#define STR_DOT                     "."
-#define STR_SLASH                   "/"
-#define STR_0                       "0"
-#define STR_1                       "1"
-#define STR_2                       "2"
-#define STR_3                       "3"
-#define STR_4                       "4"
-#define STR_5                       "5"
-#define STR_6                       "6"
-#define STR_7                       "7"
-#define STR_8                       "8"
-#define STR_9                       "9"
-#define STR_COLON                   ":"
-#define STR_SEMICOLON               ";"
-#define STR_LESS_THAN_SIGN          "<"
-#define STR_EQUALS_SIGN             "="
-#define STR_GREATER_THAN_SIGN       ">"
-#define STR_QUESTION_MARK           "?"
-#define STR_COMMERCIAL_AT           "@"
-#define STR_A                       "A"
-#define STR_B                       "B"
-#define STR_C                       "C"
-#define STR_D                       "D"
-#define STR_E                       "E"
-#define STR_F                       "F"
-#define STR_G                       "G"
-#define STR_H                       "H"
-#define STR_I                       "I"
-#define STR_J                       "J"
-#define STR_K                       "K"
-#define STR_L                       "L"
-#define STR_M                       "M"
-#define STR_N                       "N"
-#define STR_O                       "O"
-#define STR_P                       "P"
-#define STR_Q                       "Q"
-#define STR_R                       "R"
-#define STR_S                       "S"
-#define STR_T                       "T"
-#define STR_U                       "U"
-#define STR_V                       "V"
-#define STR_W                       "W"
-#define STR_X                       "X"
-#define STR_Y                       "Y"
-#define STR_Z                       "Z"
-#define STR_LEFT_SQUARE_BRACKET     "["
-#define STR_BACKSLASH               "\\"
-#define STR_RIGHT_SQUARE_BRACKET    "]"
-#define STR_CIRCUMFLEX_ACCENT       "^"
-#define STR_UNDERSCORE              "_"
-#define STR_GRAVE_ACCENT            "`"
-#define STR_a                       "a"
-#define STR_b                       "b"
-#define STR_c                       "c"
-#define STR_d                       "d"
-#define STR_e                       "e"
-#define STR_f                       "f"
-#define STR_g                       "g"
-#define STR_h                       "h"
-#define STR_i                       "i"
-#define STR_j                       "j"
-#define STR_k                       "k"
-#define STR_l                       "l"
-#define STR_m                       "m"
-#define STR_n                       "n"
-#define STR_o                       "o"
-#define STR_p                       "p"
-#define STR_q                       "q"
-#define STR_r                       "r"
-#define STR_s                       "s"
-#define STR_t                       "t"
-#define STR_u                       "u"
-#define STR_v                       "v"
-#define STR_w                       "w"
-#define STR_x                       "x"
-#define STR_y                       "y"
-#define STR_z                       "z"
-#define STR_LEFT_CURLY_BRACKET      "{"
-#define STR_VERTICAL_LINE           "|"
-#define STR_RIGHT_CURLY_BRACKET     "}"
-#define STR_TILDE                   "~"
-
-#define STRING_ACCEPT0              "ACCEPT\0"
-#define STRING_COMMIT0              "COMMIT\0"
-#define STRING_F0                   "F\0"
-#define STRING_FAIL0                "FAIL\0"
-#define STRING_MARK0                "MARK\0"
-#define STRING_PRUNE0               "PRUNE\0"
-#define STRING_SKIP0                "SKIP\0"
-#define STRING_THEN                 "THEN"
-
-#define STRING_alpha0               "alpha\0"
-#define STRING_lower0               "lower\0"
-#define STRING_upper0               "upper\0"
-#define STRING_alnum0               "alnum\0"
-#define STRING_ascii0               "ascii\0"
-#define STRING_blank0               "blank\0"
-#define STRING_cntrl0               "cntrl\0"
-#define STRING_digit0               "digit\0"
-#define STRING_graph0               "graph\0"
-#define STRING_print0               "print\0"
-#define STRING_punct0               "punct\0"
-#define STRING_space0               "space\0"
-#define STRING_word0                "word\0"
-#define STRING_xdigit               "xdigit"
-
-#define STRING_DEFINE               "DEFINE"
-#define STRING_WEIRD_STARTWORD      "[:<:]]"
-#define STRING_WEIRD_ENDWORD        "[:>:]]"
-
-#define STRING_CR_RIGHTPAR              "CR)"
-#define STRING_LF_RIGHTPAR              "LF)"
-#define STRING_CRLF_RIGHTPAR            "CRLF)"
-#define STRING_ANY_RIGHTPAR             "ANY)"
-#define STRING_ANYCRLF_RIGHTPAR         "ANYCRLF)"
-#define STRING_BSR_ANYCRLF_RIGHTPAR     "BSR_ANYCRLF)"
-#define STRING_BSR_UNICODE_RIGHTPAR     "BSR_UNICODE)"
-#define STRING_UTF8_RIGHTPAR            "UTF8)"
-#define STRING_UTF16_RIGHTPAR           "UTF16)"
-#define STRING_UTF32_RIGHTPAR           "UTF32)"
-#define STRING_UTF_RIGHTPAR             "UTF)"
-#define STRING_UCP_RIGHTPAR             "UCP)"
-#define STRING_NO_AUTO_POSSESS_RIGHTPAR "NO_AUTO_POSSESS)"
-#define STRING_NO_START_OPT_RIGHTPAR    "NO_START_OPT)"
-#define STRING_LIMIT_MATCH_EQ           "LIMIT_MATCH="
-#define STRING_LIMIT_RECURSION_EQ       "LIMIT_RECURSION="
-
-#else  /* SUPPORT_UTF */
-
-/* UTF-8 support is enabled; always use UTF-8 (=ASCII) character codes. This
-works in both modes non-EBCDIC platforms, and on EBCDIC platforms in UTF-8 mode
-only. */
-
-#define CHAR_HT                     '\011'
-#define CHAR_VT                     '\013'
-#define CHAR_FF                     '\014'
-#define CHAR_CR                     '\015'
-#define CHAR_LF                     '\012'
-#define CHAR_NL                     CHAR_LF
-#define CHAR_NEL                    ((unsigned char)'\x85')
-#define CHAR_BS                     '\010'
-#define CHAR_BEL                    '\007'
-#define CHAR_ESC                    '\033'
-#define CHAR_DEL                    '\177'
-
-#define CHAR_NULL                   '\0'
-#define CHAR_SPACE                  '\040'
-#define CHAR_EXCLAMATION_MARK       '\041'
-#define CHAR_QUOTATION_MARK         '\042'
-#define CHAR_NUMBER_SIGN            '\043'
-#define CHAR_DOLLAR_SIGN            '\044'
-#define CHAR_PERCENT_SIGN           '\045'
-#define CHAR_AMPERSAND              '\046'
-#define CHAR_APOSTROPHE             '\047'
-#define CHAR_LEFT_PARENTHESIS       '\050'
-#define CHAR_RIGHT_PARENTHESIS      '\051'
-#define CHAR_ASTERISK               '\052'
-#define CHAR_PLUS                   '\053'
-#define CHAR_COMMA                  '\054'
-#define CHAR_MINUS                  '\055'
-#define CHAR_DOT                    '\056'
-#define CHAR_SLASH                  '\057'
-#define CHAR_0                      '\060'
-#define CHAR_1                      '\061'
-#define CHAR_2                      '\062'
-#define CHAR_3                      '\063'
-#define CHAR_4                      '\064'
-#define CHAR_5                      '\065'
-#define CHAR_6                      '\066'
-#define CHAR_7                      '\067'
-#define CHAR_8                      '\070'
-#define CHAR_9                      '\071'
-#define CHAR_COLON                  '\072'
-#define CHAR_SEMICOLON              '\073'
-#define CHAR_LESS_THAN_SIGN         '\074'
-#define CHAR_EQUALS_SIGN            '\075'
-#define CHAR_GREATER_THAN_SIGN      '\076'
-#define CHAR_QUESTION_MARK          '\077'
-#define CHAR_COMMERCIAL_AT          '\100'
-#define CHAR_A                      '\101'
-#define CHAR_B                      '\102'
-#define CHAR_C                      '\103'
-#define CHAR_D                      '\104'
-#define CHAR_E                      '\105'
-#define CHAR_F                      '\106'
-#define CHAR_G                      '\107'
-#define CHAR_H                      '\110'
-#define CHAR_I                      '\111'
-#define CHAR_J                      '\112'
-#define CHAR_K                      '\113'
-#define CHAR_L                      '\114'
-#define CHAR_M                      '\115'
-#define CHAR_N                      '\116'
-#define CHAR_O                      '\117'
-#define CHAR_P                      '\120'
-#define CHAR_Q                      '\121'
-#define CHAR_R                      '\122'
-#define CHAR_S                      '\123'
-#define CHAR_T                      '\124'
-#define CHAR_U                      '\125'
-#define CHAR_V                      '\126'
-#define CHAR_W                      '\127'
-#define CHAR_X                      '\130'
-#define CHAR_Y                      '\131'
-#define CHAR_Z                      '\132'
-#define CHAR_LEFT_SQUARE_BRACKET    '\133'
-#define CHAR_BACKSLASH              '\134'
-#define CHAR_RIGHT_SQUARE_BRACKET   '\135'
-#define CHAR_CIRCUMFLEX_ACCENT      '\136'
-#define CHAR_UNDERSCORE             '\137'
-#define CHAR_GRAVE_ACCENT           '\140'
-#define CHAR_a                      '\141'
-#define CHAR_b                      '\142'
-#define CHAR_c                      '\143'
-#define CHAR_d                      '\144'
-#define CHAR_e                      '\145'
-#define CHAR_f                      '\146'
-#define CHAR_g                      '\147'
-#define CHAR_h                      '\150'
-#define CHAR_i                      '\151'
-#define CHAR_j                      '\152'
-#define CHAR_k                      '\153'
-#define CHAR_l                      '\154'
-#define CHAR_m                      '\155'
-#define CHAR_n                      '\156'
-#define CHAR_o                      '\157'
-#define CHAR_p                      '\160'
-#define CHAR_q                      '\161'
-#define CHAR_r                      '\162'
-#define CHAR_s                      '\163'
-#define CHAR_t                      '\164'
-#define CHAR_u                      '\165'
-#define CHAR_v                      '\166'
-#define CHAR_w                      '\167'
-#define CHAR_x                      '\170'
-#define CHAR_y                      '\171'
-#define CHAR_z                      '\172'
-#define CHAR_LEFT_CURLY_BRACKET     '\173'
-#define CHAR_VERTICAL_LINE          '\174'
-#define CHAR_RIGHT_CURLY_BRACKET    '\175'
-#define CHAR_TILDE                  '\176'
-#define CHAR_NBSP                   ((unsigned char)'\xa0')
-
-#define STR_HT                      "\011"
-#define STR_VT                      "\013"
-#define STR_FF                      "\014"
-#define STR_CR                      "\015"
-#define STR_NL                      "\012"
-#define STR_BS                      "\010"
-#define STR_BEL                     "\007"
-#define STR_ESC                     "\033"
-#define STR_DEL                     "\177"
-
-#define STR_SPACE                   "\040"
-#define STR_EXCLAMATION_MARK        "\041"
-#define STR_QUOTATION_MARK          "\042"
-#define STR_NUMBER_SIGN             "\043"
-#define STR_DOLLAR_SIGN             "\044"
-#define STR_PERCENT_SIGN            "\045"
-#define STR_AMPERSAND               "\046"
-#define STR_APOSTROPHE              "\047"
-#define STR_LEFT_PARENTHESIS        "\050"
-#define STR_RIGHT_PARENTHESIS       "\051"
-#define STR_ASTERISK                "\052"
-#define STR_PLUS                    "\053"
-#define STR_COMMA                   "\054"
-#define STR_MINUS                   "\055"
-#define STR_DOT                     "\056"
-#define STR_SLASH                   "\057"
-#define STR_0                       "\060"
-#define STR_1                       "\061"
-#define STR_2                       "\062"
-#define STR_3                       "\063"
-#define STR_4                       "\064"
-#define STR_5                       "\065"
-#define STR_6                       "\066"
-#define STR_7                       "\067"
-#define STR_8                       "\070"
-#define STR_9                       "\071"
-#define STR_COLON                   "\072"
-#define STR_SEMICOLON               "\073"
-#define STR_LESS_THAN_SIGN          "\074"
-#define STR_EQUALS_SIGN             "\075"
-#define STR_GREATER_THAN_SIGN       "\076"
-#define STR_QUESTION_MARK           "\077"
-#define STR_COMMERCIAL_AT           "\100"
-#define STR_A                       "\101"
-#define STR_B                       "\102"
-#define STR_C                       "\103"
-#define STR_D                       "\104"
-#define STR_E                       "\105"
-#define STR_F                       "\106"
-#define STR_G                       "\107"
-#define STR_H                       "\110"
-#define STR_I                       "\111"
-#define STR_J                       "\112"
-#define STR_K                       "\113"
-#define STR_L                       "\114"
-#define STR_M                       "\115"
-#define STR_N                       "\116"
-#define STR_O                       "\117"
-#define STR_P                       "\120"
-#define STR_Q                       "\121"
-#define STR_R                       "\122"
-#define STR_S                       "\123"
-#define STR_T                       "\124"
-#define STR_U                       "\125"
-#define STR_V                       "\126"
-#define STR_W                       "\127"
-#define STR_X                       "\130"
-#define STR_Y                       "\131"
-#define STR_Z                       "\132"
-#define STR_LEFT_SQUARE_BRACKET     "\133"
-#define STR_BACKSLASH               "\134"
-#define STR_RIGHT_SQUARE_BRACKET    "\135"
-#define STR_CIRCUMFLEX_ACCENT       "\136"
-#define STR_UNDERSCORE              "\137"
-#define STR_GRAVE_ACCENT            "\140"
-#define STR_a                       "\141"
-#define STR_b                       "\142"
-#define STR_c                       "\143"
-#define STR_d                       "\144"
-#define STR_e                       "\145"
-#define STR_f                       "\146"
-#define STR_g                       "\147"
-#define STR_h                       "\150"
-#define STR_i                       "\151"
-#define STR_j                       "\152"
-#define STR_k                       "\153"
-#define STR_l                       "\154"
-#define STR_m                       "\155"
-#define STR_n                       "\156"
-#define STR_o                       "\157"
-#define STR_p                       "\160"
-#define STR_q                       "\161"
-#define STR_r                       "\162"
-#define STR_s                       "\163"
-#define STR_t                       "\164"
-#define STR_u                       "\165"
-#define STR_v                       "\166"
-#define STR_w                       "\167"
-#define STR_x                       "\170"
-#define STR_y                       "\171"
-#define STR_z                       "\172"
-#define STR_LEFT_CURLY_BRACKET      "\173"
-#define STR_VERTICAL_LINE           "\174"
-#define STR_RIGHT_CURLY_BRACKET     "\175"
-#define STR_TILDE                   "\176"
-
-#define STRING_ACCEPT0              STR_A STR_C STR_C STR_E STR_P STR_T "\0"
-#define STRING_COMMIT0              STR_C STR_O STR_M STR_M STR_I STR_T "\0"
-#define STRING_F0                   STR_F "\0"
-#define STRING_FAIL0                STR_F STR_A STR_I STR_L "\0"
-#define STRING_MARK0                STR_M STR_A STR_R STR_K "\0"
-#define STRING_PRUNE0               STR_P STR_R STR_U STR_N STR_E "\0"
-#define STRING_SKIP0                STR_S STR_K STR_I STR_P "\0"
-#define STRING_THEN                 STR_T STR_H STR_E STR_N
-
-#define STRING_alpha0               STR_a STR_l STR_p STR_h STR_a "\0"
-#define STRING_lower0               STR_l STR_o STR_w STR_e STR_r "\0"
-#define STRING_upper0               STR_u STR_p STR_p STR_e STR_r "\0"
-#define STRING_alnum0               STR_a STR_l STR_n STR_u STR_m "\0"
-#define STRING_ascii0               STR_a STR_s STR_c STR_i STR_i "\0"
-#define STRING_blank0               STR_b STR_l STR_a STR_n STR_k "\0"
-#define STRING_cntrl0               STR_c STR_n STR_t STR_r STR_l "\0"
-#define STRING_digit0               STR_d STR_i STR_g STR_i STR_t "\0"
-#define STRING_graph0               STR_g STR_r STR_a STR_p STR_h "\0"
-#define STRING_print0               STR_p STR_r STR_i STR_n STR_t "\0"
-#define STRING_punct0               STR_p STR_u STR_n STR_c STR_t "\0"
-#define STRING_space0               STR_s STR_p STR_a STR_c STR_e "\0"
-#define STRING_word0                STR_w STR_o STR_r STR_d       "\0"
-#define STRING_xdigit               STR_x STR_d STR_i STR_g STR_i STR_t
-
-#define STRING_DEFINE               STR_D STR_E STR_F STR_I STR_N STR_E
-#define STRING_WEIRD_STARTWORD      STR_LEFT_SQUARE_BRACKET STR_COLON STR_LESS_THAN_SIGN STR_COLON STR_RIGHT_SQUARE_BRACKET STR_RIGHT_SQUARE_BRACKET
-#define STRING_WEIRD_ENDWORD        STR_LEFT_SQUARE_BRACKET STR_COLON STR_GREATER_THAN_SIGN STR_COLON STR_RIGHT_SQUARE_BRACKET STR_RIGHT_SQUARE_BRACKET
-
-#define STRING_CR_RIGHTPAR              STR_C STR_R STR_RIGHT_PARENTHESIS
-#define STRING_LF_RIGHTPAR              STR_L STR_F STR_RIGHT_PARENTHESIS
-#define STRING_CRLF_RIGHTPAR            STR_C STR_R STR_L STR_F STR_RIGHT_PARENTHESIS
-#define STRING_ANY_RIGHTPAR             STR_A STR_N STR_Y STR_RIGHT_PARENTHESIS
-#define STRING_ANYCRLF_RIGHTPAR         STR_A STR_N STR_Y STR_C STR_R STR_L STR_F STR_RIGHT_PARENTHESIS
-#define STRING_BSR_ANYCRLF_RIGHTPAR     STR_B STR_S STR_R STR_UNDERSCORE STR_A STR_N STR_Y STR_C STR_R STR_L STR_F STR_RIGHT_PARENTHESIS
-#define STRING_BSR_UNICODE_RIGHTPAR     STR_B STR_S STR_R STR_UNDERSCORE STR_U STR_N STR_I STR_C STR_O STR_D STR_E STR_RIGHT_PARENTHESIS
-#define STRING_UTF8_RIGHTPAR            STR_U STR_T STR_F STR_8 STR_RIGHT_PARENTHESIS
-#define STRING_UTF16_RIGHTPAR           STR_U STR_T STR_F STR_1 STR_6 STR_RIGHT_PARENTHESIS
-#define STRING_UTF32_RIGHTPAR           STR_U STR_T STR_F STR_3 STR_2 STR_RIGHT_PARENTHESIS
-#define STRING_UTF_RIGHTPAR             STR_U STR_T STR_F STR_RIGHT_PARENTHESIS
-#define STRING_UCP_RIGHTPAR             STR_U STR_C STR_P STR_RIGHT_PARENTHESIS
-#define STRING_NO_AUTO_POSSESS_RIGHTPAR STR_N STR_O STR_UNDERSCORE STR_A STR_U STR_T STR_O STR_UNDERSCORE STR_P STR_O STR_S STR_S STR_E STR_S STR_S STR_RIGHT_PARENTHESIS
-#define STRING_NO_START_OPT_RIGHTPAR    STR_N STR_O STR_UNDERSCORE STR_S STR_T STR_A STR_R STR_T STR_UNDERSCORE STR_O STR_P STR_T STR_RIGHT_PARENTHESIS
-#define STRING_LIMIT_MATCH_EQ           STR_L STR_I STR_M STR_I STR_T STR_UNDERSCORE STR_M STR_A STR_T STR_C STR_H STR_EQUALS_SIGN
-#define STRING_LIMIT_RECURSION_EQ       STR_L STR_I STR_M STR_I STR_T STR_UNDERSCORE STR_R STR_E STR_C STR_U STR_R STR_S STR_I STR_O STR_N STR_EQUALS_SIGN
-
-#endif  /* SUPPORT_UTF */
-
-/* Escape items that are just an encoding of a particular data value. */
-
-#ifndef ESC_a
-#define ESC_a CHAR_BEL
-#endif
-
-#ifndef ESC_e
-#define ESC_e CHAR_ESC
-#endif
-
-#ifndef ESC_f
-#define ESC_f CHAR_FF
-#endif
-
-#ifndef ESC_n
-#define ESC_n CHAR_LF
-#endif
-
-#ifndef ESC_r
-#define ESC_r CHAR_CR
-#endif
-
-/* We can't officially use ESC_t because it is a POSIX reserved identifier
-(presumably because of all the others like size_t). */
-
-#ifndef ESC_tee
-#define ESC_tee CHAR_HT
-#endif
-
-/* Codes for different types of Unicode property */
-
-#define PT_ANY        0    /* Any property - matches all chars */
-#define PT_LAMP       1    /* L& - the union of Lu, Ll, Lt */
-#define PT_GC         2    /* Specified general characteristic (e.g. L) */
-#define PT_PC         3    /* Specified particular characteristic (e.g. Lu) */
-#define PT_SC         4    /* Script (e.g. Han) */
-#define PT_ALNUM      5    /* Alphanumeric - the union of L and N */
-#define PT_SPACE      6    /* Perl space - Z plus 9,10,12,13 */
-#define PT_PXSPACE    7    /* POSIX space - Z plus 9,10,11,12,13 */
-#define PT_WORD       8    /* Word - L plus N plus underscore */
-#define PT_CLIST      9    /* Pseudo-property: match character list */
-#define PT_UCNC      10    /* Universal Character nameable character */
-#define PT_TABSIZE   11    /* Size of square table for autopossessify tests */
-
-/* The following special properties are used only in XCLASS items, when POSIX
-classes are specified and PCRE_UCP is set - in other words, for Unicode
-handling of these classes. They are not available via the \p or \P escapes like
-those in the above list, and so they do not take part in the autopossessifying
-table. */
-
-#define PT_PXGRAPH   11    /* [:graph:] - characters that mark the paper */
-#define PT_PXPRINT   12    /* [:print:] - [:graph:] plus non-control spaces */
-#define PT_PXPUNCT   13    /* [:punct:] - punctuation characters */
-
-/* Flag bits and data types for the extended class (OP_XCLASS) for classes that
-contain characters with values greater than 255. */
-
-#define XCL_NOT       0x01    /* Flag: this is a negative class */
-#define XCL_MAP       0x02    /* Flag: a 32-byte map is present */
-#define XCL_HASPROP   0x04    /* Flag: property checks are present. */
-
-#define XCL_END       0    /* Marks end of individual items */
-#define XCL_SINGLE    1    /* Single item (one multibyte char) follows */
-#define XCL_RANGE     2    /* A range (two multibyte chars) follows */
-#define XCL_PROP      3    /* Unicode property (2-byte property code follows) */
-#define XCL_NOTPROP   4    /* Unicode inverted property (ditto) */
-
-/* These are escaped items that aren't just an encoding of a particular data
-value such as \n. They must have non-zero values, as check_escape() returns 0
-for a data character.  Also, they must appear in the same order as in the
-opcode definitions below, up to ESC_z. There's a dummy for OP_ALLANY because it
-corresponds to "." in DOTALL mode rather than an escape sequence. It is also
-used for [^] in JavaScript compatibility mode, and for \C in non-utf mode. In
-non-DOTALL mode, "." behaves like \N.
-
-The special values ESC_DU, ESC_du, etc. are used instead of ESC_D, ESC_d, etc.
-when PCRE_UCP is set and replacement of \d etc by \p sequences is required.
-They must be contiguous, and remain in order so that the replacements can be
-looked up from a table.
-
-Negative numbers are used to encode a backreference (\1, \2, \3, etc.) in
-check_escape(). There are two tests in the code for an escape
-greater than ESC_b and less than ESC_Z to detect the types that may be
-repeated. These are the types that consume characters. If any new escapes are
-put in between that don't consume a character, that code will have to change.
-*/
-
-enum { ESC_A = 1, ESC_G, ESC_K, ESC_B, ESC_b, ESC_D, ESC_d, ESC_S, ESC_s,
-       ESC_W, ESC_w, ESC_N, ESC_dum, ESC_C, ESC_P, ESC_p, ESC_R, ESC_H,
-       ESC_h, ESC_V, ESC_v, ESC_X, ESC_Z, ESC_z,
-       ESC_E, ESC_Q, ESC_g, ESC_k,
-       ESC_DU, ESC_du, ESC_SU, ESC_su, ESC_WU, ESC_wu };
-
-
-/********************** Opcode definitions ******************/
-
-/****** NOTE NOTE NOTE ******
-
-Starting from 1 (i.e. after OP_END), the values up to OP_EOD must correspond in
-order to the list of escapes immediately above. Furthermore, values up to
-OP_DOLLM must not be changed without adjusting the table called autoposstab in
-pcre_compile.c
-
-Whenever this list is updated, the two macro definitions that follow must be
-updated to match. The possessification table called "opcode_possessify" in
-pcre_compile.c must also be updated, and also the tables called "coptable"
-and "poptable" in pcre_dfa_exec.c.
-
-****** NOTE NOTE NOTE ******/
-
-
-/* The values between FIRST_AUTOTAB_OP and LAST_AUTOTAB_RIGHT_OP, inclusive,
-are used in a table for deciding whether a repeated character type can be
-auto-possessified. */
-
-#define FIRST_AUTOTAB_OP       OP_NOT_DIGIT
-#define LAST_AUTOTAB_LEFT_OP   OP_EXTUNI
-#define LAST_AUTOTAB_RIGHT_OP  OP_DOLLM
-
-enum {
-  OP_END,            /* 0 End of pattern */
-
-  /* Values corresponding to backslashed metacharacters */
-
-  OP_SOD,            /* 1 Start of data: \A */
-  OP_SOM,            /* 2 Start of match (subject + offset): \G */
-  OP_SET_SOM,        /* 3 Set start of match (\K) */
-  OP_NOT_WORD_BOUNDARY,  /*  4 \B */
-  OP_WORD_BOUNDARY,      /*  5 \b */
-  OP_NOT_DIGIT,          /*  6 \D */
-  OP_DIGIT,              /*  7 \d */
-  OP_NOT_WHITESPACE,     /*  8 \S */
-  OP_WHITESPACE,         /*  9 \s */
-  OP_NOT_WORDCHAR,       /* 10 \W */
-  OP_WORDCHAR,           /* 11 \w */
-
-  OP_ANY,            /* 12 Match any character except newline (\N) */
-  OP_ALLANY,         /* 13 Match any character */
-  OP_ANYBYTE,        /* 14 Match any byte (\C); different to OP_ANY for UTF-8 */
-  OP_NOTPROP,        /* 15 \P (not Unicode property) */
-  OP_PROP,           /* 16 \p (Unicode property) */
-  OP_ANYNL,          /* 17 \R (any newline sequence) */
-  OP_NOT_HSPACE,     /* 18 \H (not horizontal whitespace) */
-  OP_HSPACE,         /* 19 \h (horizontal whitespace) */
-  OP_NOT_VSPACE,     /* 20 \V (not vertical whitespace) */
-  OP_VSPACE,         /* 21 \v (vertical whitespace) */
-  OP_EXTUNI,         /* 22 \X (extended Unicode sequence */
-  OP_EODN,           /* 23 End of data or \n at end of data (\Z) */
-  OP_EOD,            /* 24 End of data (\z) */
-
-  /* Line end assertions */
-
-  OP_DOLL,           /* 25 End of line - not multiline */
-  OP_DOLLM,          /* 26 End of line - multiline */
-  OP_CIRC,           /* 27 Start of line - not multiline */
-  OP_CIRCM,          /* 28 Start of line - multiline */
-
-  /* Single characters; caseful must precede the caseless ones */
-
-  OP_CHAR,           /* 29 Match one character, casefully */
-  OP_CHARI,          /* 30 Match one character, caselessly */
-  OP_NOT,            /* 31 Match one character, not the given one, casefully */
-  OP_NOTI,           /* 32 Match one character, not the given one, caselessly */
-
-  /* The following sets of 13 opcodes must always be kept in step because
-  the offset from the first one is used to generate the others. */
-
-  /* Repeated characters; caseful must precede the caseless ones */
-
-  OP_STAR,           /* 33 The maximizing and minimizing versions of */
-  OP_MINSTAR,        /* 34 these six opcodes must come in pairs, with */
-  OP_PLUS,           /* 35 the minimizing one second. */
-  OP_MINPLUS,        /* 36 */
-  OP_QUERY,          /* 37 */
-  OP_MINQUERY,       /* 38 */
-
-  OP_UPTO,           /* 39 From 0 to n matches of one character, caseful*/
-  OP_MINUPTO,        /* 40 */
-  OP_EXACT,          /* 41 Exactly n matches */
-
-  OP_POSSTAR,        /* 42 Possessified star, caseful */
-  OP_POSPLUS,        /* 43 Possessified plus, caseful */
-  OP_POSQUERY,       /* 44 Posesssified query, caseful */
-  OP_POSUPTO,        /* 45 Possessified upto, caseful */
-
-  /* Repeated characters; caseless must follow the caseful ones */
-
-  OP_STARI,          /* 46 */
-  OP_MINSTARI,       /* 47 */
-  OP_PLUSI,          /* 48 */
-  OP_MINPLUSI,       /* 49 */
-  OP_QUERYI,         /* 50 */
-  OP_MINQUERYI,      /* 51 */
-
-  OP_UPTOI,          /* 52 From 0 to n matches of one character, caseless */
-  OP_MINUPTOI,       /* 53 */
-  OP_EXACTI,         /* 54 */
-
-  OP_POSSTARI,       /* 55 Possessified star, caseless */
-  OP_POSPLUSI,       /* 56 Possessified plus, caseless */
-  OP_POSQUERYI,      /* 57 Posesssified query, caseless */
-  OP_POSUPTOI,       /* 58 Possessified upto, caseless */
-
-  /* The negated ones must follow the non-negated ones, and match them */
-  /* Negated repeated character, caseful; must precede the caseless ones */
-
-  OP_NOTSTAR,        /* 59 The maximizing and minimizing versions of */
-  OP_NOTMINSTAR,     /* 60 these six opcodes must come in pairs, with */
-  OP_NOTPLUS,        /* 61 the minimizing one second. They must be in */
-  OP_NOTMINPLUS,     /* 62 exactly the same order as those above. */
-  OP_NOTQUERY,       /* 63 */
-  OP_NOTMINQUERY,    /* 64 */
-
-  OP_NOTUPTO,        /* 65 From 0 to n matches, caseful */
-  OP_NOTMINUPTO,     /* 66 */
-  OP_NOTEXACT,       /* 67 Exactly n matches */
-
-  OP_NOTPOSSTAR,     /* 68 Possessified versions, caseful */
-  OP_NOTPOSPLUS,     /* 69 */
-  OP_NOTPOSQUERY,    /* 70 */
-  OP_NOTPOSUPTO,     /* 71 */
-
-  /* Negated repeated character, caseless; must follow the caseful ones */
-
-  OP_NOTSTARI,       /* 72 */
-  OP_NOTMINSTARI,    /* 73 */
-  OP_NOTPLUSI,       /* 74 */
-  OP_NOTMINPLUSI,    /* 75 */
-  OP_NOTQUERYI,      /* 76 */
-  OP_NOTMINQUERYI,   /* 77 */
-
-  OP_NOTUPTOI,       /* 78 From 0 to n matches, caseless */
-  OP_NOTMINUPTOI,    /* 79 */
-  OP_NOTEXACTI,      /* 80 Exactly n matches */
-
-  OP_NOTPOSSTARI,    /* 81 Possessified versions, caseless */
-  OP_NOTPOSPLUSI,    /* 82 */
-  OP_NOTPOSQUERYI,   /* 83 */
-  OP_NOTPOSUPTOI,    /* 84 */
-
-  /* Character types */
-
-  OP_TYPESTAR,       /* 85 The maximizing and minimizing versions of */
-  OP_TYPEMINSTAR,    /* 86 these six opcodes must come in pairs, with */
-  OP_TYPEPLUS,       /* 87 the minimizing one second. These codes must */
-  OP_TYPEMINPLUS,    /* 88 be in exactly the same order as those above. */
-  OP_TYPEQUERY,      /* 89 */
-  OP_TYPEMINQUERY,   /* 90 */
-
-  OP_TYPEUPTO,       /* 91 From 0 to n matches */
-  OP_TYPEMINUPTO,    /* 92 */
-  OP_TYPEEXACT,      /* 93 Exactly n matches */
-
-  OP_TYPEPOSSTAR,    /* 94 Possessified versions */
-  OP_TYPEPOSPLUS,    /* 95 */
-  OP_TYPEPOSQUERY,   /* 96 */
-  OP_TYPEPOSUPTO,    /* 97 */
-
-  /* These are used for character classes and back references; only the
-  first six are the same as the sets above. */
-
-  OP_CRSTAR,         /* 98 The maximizing and minimizing versions of */
-  OP_CRMINSTAR,      /* 99 all these opcodes must come in pairs, with */
-  OP_CRPLUS,         /* 100 the minimizing one second. These codes must */
-  OP_CRMINPLUS,      /* 101 be in exactly the same order as those above. */
-  OP_CRQUERY,        /* 102 */
-  OP_CRMINQUERY,     /* 103 */
-
-  OP_CRRANGE,        /* 104 These are different to the three sets above. */
-  OP_CRMINRANGE,     /* 105 */
-
-  OP_CRPOSSTAR,      /* 106 Possessified versions */
-  OP_CRPOSPLUS,      /* 107 */
-  OP_CRPOSQUERY,     /* 108 */
-  OP_CRPOSRANGE,     /* 109 */
-
-  /* End of quantifier opcodes */
-
-  OP_CLASS,          /* 110 Match a character class, chars < 256 only */
-  OP_NCLASS,         /* 111 Same, but the bitmap was created from a negative
-                              class - the difference is relevant only when a
-                              character > 255 is encountered. */
-  OP_XCLASS,         /* 112 Extended class for handling > 255 chars within the
-                              class. This does both positive and negative. */
-  OP_REF,            /* 113 Match a back reference, casefully */
-  OP_REFI,           /* 114 Match a back reference, caselessly */
-  OP_DNREF,          /* 115 Match a duplicate name backref, casefully */
-  OP_DNREFI,         /* 116 Match a duplicate name backref, caselessly */
-  OP_RECURSE,        /* 117 Match a numbered subpattern (possibly recursive) */
-  OP_CALLOUT,        /* 118 Call out to external function if provided */
-
-  OP_ALT,            /* 119 Start of alternation */
-  OP_KET,            /* 120 End of group that doesn't have an unbounded repeat */
-  OP_KETRMAX,        /* 121 These two must remain together and in this */
-  OP_KETRMIN,        /* 122 order. They are for groups the repeat for ever. */
-  OP_KETRPOS,        /* 123 Possessive unlimited repeat. */
-
-  /* The assertions must come before BRA, CBRA, ONCE, and COND, and the four
-  asserts must remain in order. */
-
-  OP_REVERSE,        /* 124 Move pointer back - used in lookbehind assertions */
-  OP_ASSERT,         /* 125 Positive lookahead */
-  OP_ASSERT_NOT,     /* 126 Negative lookahead */
-  OP_ASSERTBACK,     /* 127 Positive lookbehind */
-  OP_ASSERTBACK_NOT, /* 128 Negative lookbehind */
-
-  /* ONCE, ONCE_NC, BRA, BRAPOS, CBRA, CBRAPOS, and COND must come immediately
-  after the assertions, with ONCE first, as there's a test for >= ONCE for a
-  subpattern that isn't an assertion. The POS versions must immediately follow
-  the non-POS versions in each case. */
-
-  OP_ONCE,           /* 129 Atomic group, contains captures */
-  OP_ONCE_NC,        /* 130 Atomic group containing no captures */
-  OP_BRA,            /* 131 Start of non-capturing bracket */
-  OP_BRAPOS,         /* 132 Ditto, with unlimited, possessive repeat */
-  OP_CBRA,           /* 133 Start of capturing bracket */
-  OP_CBRAPOS,        /* 134 Ditto, with unlimited, possessive repeat */
-  OP_COND,           /* 135 Conditional group */
-
-  /* These five must follow the previous five, in the same order. There's a
-  check for >= SBRA to distinguish the two sets. */
-
-  OP_SBRA,           /* 136 Start of non-capturing bracket, check empty  */
-  OP_SBRAPOS,        /* 137 Ditto, with unlimited, possessive repeat */
-  OP_SCBRA,          /* 138 Start of capturing bracket, check empty */
-  OP_SCBRAPOS,       /* 139 Ditto, with unlimited, possessive repeat */
-  OP_SCOND,          /* 140 Conditional group, check empty */
-
-  /* The next two pairs must (respectively) be kept together. */
-
-  OP_CREF,           /* 141 Used to hold a capture number as condition */
-  OP_DNCREF,         /* 142 Used to point to duplicate names as a condition */
-  OP_RREF,           /* 143 Used to hold a recursion number as condition */
-  OP_DNRREF,         /* 144 Used to point to duplicate names as a condition */
-  OP_DEF,            /* 145 The DEFINE condition */
-
-  OP_BRAZERO,        /* 146 These two must remain together and in this */
-  OP_BRAMINZERO,     /* 147 order. */
-  OP_BRAPOSZERO,     /* 148 */
-
-  /* These are backtracking control verbs */
-
-  OP_MARK,           /* 149 always has an argument */
-  OP_PRUNE,          /* 150 */
-  OP_PRUNE_ARG,      /* 151 same, but with argument */
-  OP_SKIP,           /* 152 */
-  OP_SKIP_ARG,       /* 153 same, but with argument */
-  OP_THEN,           /* 154 */
-  OP_THEN_ARG,       /* 155 same, but with argument */
-  OP_COMMIT,         /* 156 */
-
-  /* These are forced failure and success verbs */
-
-  OP_FAIL,           /* 157 */
-  OP_ACCEPT,         /* 158 */
-  OP_ASSERT_ACCEPT,  /* 159 Used inside assertions */
-  OP_CLOSE,          /* 160 Used before OP_ACCEPT to close open captures */
-
-  /* This is used to skip a subpattern with a {0} quantifier */
-
-  OP_SKIPZERO,       /* 161 */
-
-  /* This is not an opcode, but is used to check that tables indexed by opcode
-  are the correct length, in order to catch updating errors - there have been
-  some in the past. */
-
-  OP_TABLE_LENGTH
-};
-
-/* *** NOTE NOTE NOTE *** Whenever the list above is updated, the two macro
-definitions that follow must also be updated to match. There are also tables
-called "opcode_possessify" in pcre_compile.c and "coptable" and "poptable" in
-pcre_dfa_exec.c that must be updated. */
-
-
-/* This macro defines textual names for all the opcodes. These are used only
-for debugging, and some of them are only partial names. The macro is referenced
-only in pcre_printint.c, which fills out the full names in many cases (and in
-some cases doesn't actually use these names at all). */
-
-#define OP_NAME_LIST \
-  "End", "\\A", "\\G", "\\K", "\\B", "\\b", "\\D", "\\d",         \
-  "\\S", "\\s", "\\W", "\\w", "Any", "AllAny", "Anybyte",         \
-  "notprop", "prop", "\\R", "\\H", "\\h", "\\V", "\\v",           \
-  "extuni",  "\\Z", "\\z",                                        \
-  "$", "$", "^", "^", "char", "chari", "not", "noti",             \
-  "*", "*?", "+", "+?", "?", "??",                                \
-  "{", "{", "{",                                                  \
-  "*+","++", "?+", "{",                                           \
-  "*", "*?", "+", "+?", "?", "??",                                \
-  "{", "{", "{",                                                  \
-  "*+","++", "?+", "{",                                           \
-  "*", "*?", "+", "+?", "?", "??",                                \
-  "{", "{", "{",                                                  \
-  "*+","++", "?+", "{",                                           \
-  "*", "*?", "+", "+?", "?", "??",                                \
-  "{", "{", "{",                                                  \
-  "*+","++", "?+", "{",                                           \
-  "*", "*?", "+", "+?", "?", "??", "{", "{", "{",                 \
-  "*+","++", "?+", "{",                                           \
-  "*", "*?", "+", "+?", "?", "??", "{", "{",                      \
-  "*+","++", "?+", "{",                                           \
-  "class", "nclass", "xclass", "Ref", "Refi", "DnRef", "DnRefi",  \
-  "Recurse", "Callout",                                           \
-  "Alt", "Ket", "KetRmax", "KetRmin", "KetRpos",                  \
-  "Reverse", "Assert", "Assert not", "AssertB", "AssertB not",    \
-  "Once", "Once_NC",                                              \
-  "Bra", "BraPos", "CBra", "CBraPos",                             \
-  "Cond",                                                         \
-  "SBra", "SBraPos", "SCBra", "SCBraPos",                         \
-  "SCond",                                                        \
-  "Cond ref", "Cond dnref", "Cond rec", "Cond dnrec", "Cond def", \
-  "Brazero", "Braminzero", "Braposzero",                          \
-  "*MARK", "*PRUNE", "*PRUNE", "*SKIP", "*SKIP",                  \
-  "*THEN", "*THEN", "*COMMIT", "*FAIL",                           \
-  "*ACCEPT", "*ASSERT_ACCEPT",                                    \
-  "Close", "Skip zero"
-
-
-/* This macro defines the length of fixed length operations in the compiled
-regex. The lengths are used when searching for specific things, and also in the
-debugging printing of a compiled regex. We use a macro so that it can be
-defined close to the definitions of the opcodes themselves.
-
-As things have been extended, some of these are no longer fixed lenths, but are
-minima instead. For example, the length of a single-character repeat may vary
-in UTF-8 mode. The code that uses this table must know about such things. */
-
-#define OP_LENGTHS \
-  1,                             /* End                                    */ \
-  1, 1, 1, 1, 1,                 /* \A, \G, \K, \B, \b                     */ \
-  1, 1, 1, 1, 1, 1,              /* \D, \d, \S, \s, \W, \w                 */ \
-  1, 1, 1,                       /* Any, AllAny, Anybyte                   */ \
-  3, 3,                          /* \P, \p                                 */ \
-  1, 1, 1, 1, 1,                 /* \R, \H, \h, \V, \v                     */ \
-  1,                             /* \X                                     */ \
-  1, 1, 1, 1, 1, 1,              /* \Z, \z, $, $M ^, ^M                    */ \
-  2,                             /* Char  - the minimum length             */ \
-  2,                             /* Chari  - the minimum length            */ \
-  2,                             /* not                                    */ \
-  2,                             /* noti                                   */ \
-  /* Positive single-char repeats                             ** These are */ \
-  2, 2, 2, 2, 2, 2,              /* *, *?, +, +?, ?, ??       ** minima in */ \
-  2+IMM2_SIZE, 2+IMM2_SIZE,      /* upto, minupto             ** mode      */ \
-  2+IMM2_SIZE,                   /* exact                                  */ \
-  2, 2, 2, 2+IMM2_SIZE,          /* *+, ++, ?+, upto+                      */ \
-  2, 2, 2, 2, 2, 2,              /* *I, *?I, +I, +?I, ?I, ??I ** UTF-8     */ \
-  2+IMM2_SIZE, 2+IMM2_SIZE,      /* upto I, minupto I                      */ \
-  2+IMM2_SIZE,                   /* exact I                                */ \
-  2, 2, 2, 2+IMM2_SIZE,          /* *+I, ++I, ?+I, upto+I                  */ \
-  /* Negative single-char repeats - only for chars < 256                   */ \
-  2, 2, 2, 2, 2, 2,              /* NOT *, *?, +, +?, ?, ??                */ \
-  2+IMM2_SIZE, 2+IMM2_SIZE,      /* NOT upto, minupto                      */ \
-  2+IMM2_SIZE,                   /* NOT exact                              */ \
-  2, 2, 2, 2+IMM2_SIZE,          /* Possessive NOT *, +, ?, upto           */ \
-  2, 2, 2, 2, 2, 2,              /* NOT *I, *?I, +I, +?I, ?I, ??I          */ \
-  2+IMM2_SIZE, 2+IMM2_SIZE,      /* NOT upto I, minupto I                  */ \
-  2+IMM2_SIZE,                   /* NOT exact I                            */ \
-  2, 2, 2, 2+IMM2_SIZE,          /* Possessive NOT *I, +I, ?I, upto I      */ \
-  /* Positive type repeats                                                 */ \
-  2, 2, 2, 2, 2, 2,              /* Type *, *?, +, +?, ?, ??               */ \
-  2+IMM2_SIZE, 2+IMM2_SIZE,      /* Type upto, minupto                     */ \
-  2+IMM2_SIZE,                   /* Type exact                             */ \
-  2, 2, 2, 2+IMM2_SIZE,          /* Possessive *+, ++, ?+, upto+           */ \
-  /* Character class & ref repeats                                         */ \
-  1, 1, 1, 1, 1, 1,              /* *, *?, +, +?, ?, ??                    */ \
-  1+2*IMM2_SIZE, 1+2*IMM2_SIZE,  /* CRRANGE, CRMINRANGE                    */ \
-  1, 1, 1, 1+2*IMM2_SIZE,        /* Possessive *+, ++, ?+, CRPOSRANGE      */ \
-  1+(32/sizeof(pcre_uchar)),     /* CLASS                                  */ \
-  1+(32/sizeof(pcre_uchar)),     /* NCLASS                                 */ \
-  0,                             /* XCLASS - variable length               */ \
-  1+IMM2_SIZE,                   /* REF                                    */ \
-  1+IMM2_SIZE,                   /* REFI                                   */ \
-  1+2*IMM2_SIZE,                 /* DNREF                                  */ \
-  1+2*IMM2_SIZE,                 /* DNREFI                                 */ \
-  1+LINK_SIZE,                   /* RECURSE                                */ \
-  2+2*LINK_SIZE,                 /* CALLOUT                                */ \
-  1+LINK_SIZE,                   /* Alt                                    */ \
-  1+LINK_SIZE,                   /* Ket                                    */ \
-  1+LINK_SIZE,                   /* KetRmax                                */ \
-  1+LINK_SIZE,                   /* KetRmin                                */ \
-  1+LINK_SIZE,                   /* KetRpos                                */ \
-  1+LINK_SIZE,                   /* Reverse                                */ \
-  1+LINK_SIZE,                   /* Assert                                 */ \
-  1+LINK_SIZE,                   /* Assert not                             */ \
-  1+LINK_SIZE,                   /* Assert behind                          */ \
-  1+LINK_SIZE,                   /* Assert behind not                      */ \
-  1+LINK_SIZE,                   /* ONCE                                   */ \
-  1+LINK_SIZE,                   /* ONCE_NC                                */ \
-  1+LINK_SIZE,                   /* BRA                                    */ \
-  1+LINK_SIZE,                   /* BRAPOS                                 */ \
-  1+LINK_SIZE+IMM2_SIZE,         /* CBRA                                   */ \
-  1+LINK_SIZE+IMM2_SIZE,         /* CBRAPOS                                */ \
-  1+LINK_SIZE,                   /* COND                                   */ \
-  1+LINK_SIZE,                   /* SBRA                                   */ \
-  1+LINK_SIZE,                   /* SBRAPOS                                */ \
-  1+LINK_SIZE+IMM2_SIZE,         /* SCBRA                                  */ \
-  1+LINK_SIZE+IMM2_SIZE,         /* SCBRAPOS                               */ \
-  1+LINK_SIZE,                   /* SCOND                                  */ \
-  1+IMM2_SIZE, 1+2*IMM2_SIZE,    /* CREF, DNCREF                           */ \
-  1+IMM2_SIZE, 1+2*IMM2_SIZE,    /* RREF, DNRREF                           */ \
-  1,                             /* DEF                                    */ \
-  1, 1, 1,                       /* BRAZERO, BRAMINZERO, BRAPOSZERO        */ \
-  3, 1, 3,                       /* MARK, PRUNE, PRUNE_ARG                 */ \
-  1, 3,                          /* SKIP, SKIP_ARG                         */ \
-  1, 3,                          /* THEN, THEN_ARG                         */ \
-  1, 1, 1, 1,                    /* COMMIT, FAIL, ACCEPT, ASSERT_ACCEPT    */ \
-  1+IMM2_SIZE, 1                 /* CLOSE, SKIPZERO                        */
-
-/* A magic value for OP_RREF to indicate the "any recursion" condition. */
-
-#define RREF_ANY  0xffff
-
-/* Compile time error code numbers. They are given names so that they can more
-easily be tracked. When a new number is added, the table called eint in
-pcreposix.c must be updated. */
-
-enum { ERR0,  ERR1,  ERR2,  ERR3,  ERR4,  ERR5,  ERR6,  ERR7,  ERR8,  ERR9,
-       ERR10, ERR11, ERR12, ERR13, ERR14, ERR15, ERR16, ERR17, ERR18, ERR19,
-       ERR20, ERR21, ERR22, ERR23, ERR24, ERR25, ERR26, ERR27, ERR28, ERR29,
-       ERR30, ERR31, ERR32, ERR33, ERR34, ERR35, ERR36, ERR37, ERR38, ERR39,
-       ERR40, ERR41, ERR42, ERR43, ERR44, ERR45, ERR46, ERR47, ERR48, ERR49,
-       ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
-       ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
-       ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
-       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
-
-/* JIT compiling modes. The function list is indexed by them. */
-
-enum { JIT_COMPILE, JIT_PARTIAL_SOFT_COMPILE, JIT_PARTIAL_HARD_COMPILE,
-       JIT_NUMBER_OF_COMPILE_MODES };
-
-/* The real format of the start of the pcre block; the index of names and the
-code vector run on as long as necessary after the end. We store an explicit
-offset to the name table so that if a regex is compiled on one host, saved, and
-then run on another where the size of pointers is different, all might still
-be well.
-
-The size of the structure must be a multiple of 8 bytes. For the case of
-compiled-on-4 and run-on-8, we include an extra pointer that is always NULL so
-that there are an even number of pointers which therefore are a multiple of 8
-bytes.
-
-It is necessary to fork the struct for the 32 bit library, since it needs to
-use pcre_uint32 for first_char and req_char. We can't put an ifdef inside the
-typedef because pcretest needs access to the struct of the 8-, 16- and 32-bit
-variants.
-
-*** WARNING ***
-When new fields are added to these structures, remember to adjust the code in
-pcre_byte_order.c that is concerned with swapping the byte order of the fields
-when a compiled regex is reloaded on a host with different endianness.
-*** WARNING ***
-There is also similar byte-flipping code in pcretest.c, which is used for
-testing the byte-flipping features. It must also be kept in step.
-*** WARNING ***
-*/
-
-typedef struct real_pcre8_or_16 {
-  pcre_uint32 magic_number;
-  pcre_uint32 size;               /* Total that was malloced */
-  pcre_uint32 options;            /* Public options */
-  pcre_uint32 flags;              /* Private flags */
-  pcre_uint32 limit_match;        /* Limit set from regex */
-  pcre_uint32 limit_recursion;    /* Limit set from regex */
-  pcre_uint16 first_char;         /* Starting character */
-  pcre_uint16 req_char;           /* This character must be seen */
-  pcre_uint16 max_lookbehind;     /* Longest lookbehind (characters) */
-  pcre_uint16 top_bracket;        /* Highest numbered group */
-  pcre_uint16 top_backref;        /* Highest numbered back reference */
-  pcre_uint16 name_table_offset;  /* Offset to name table that follows */
-  pcre_uint16 name_entry_size;    /* Size of any name items */
-  pcre_uint16 name_count;         /* Number of name items */
-  pcre_uint16 ref_count;          /* Reference count */
-  pcre_uint16 dummy1;             /* To ensure size is a multiple of 8 */
-  pcre_uint16 dummy2;             /* To ensure size is a multiple of 8 */
-  pcre_uint16 dummy3;             /* To ensure size is a multiple of 8 */
-  const pcre_uint8 *tables;       /* Pointer to tables or NULL for std */
-  void             *nullpad;      /* NULL padding */
-} real_pcre8_or_16;
-
-typedef struct real_pcre8_or_16 real_pcre;
-typedef struct real_pcre8_or_16 real_pcre16;
-
-typedef struct real_pcre32 {
-  pcre_uint32 magic_number;
-  pcre_uint32 size;               /* Total that was malloced */
-  pcre_uint32 options;            /* Public options */
-  pcre_uint32 flags;              /* Private flags */
-  pcre_uint32 limit_match;        /* Limit set from regex */
-  pcre_uint32 limit_recursion;    /* Limit set from regex */
-  pcre_uint32 first_char;         /* Starting character */
-  pcre_uint32 req_char;           /* This character must be seen */
-  pcre_uint16 max_lookbehind;     /* Longest lookbehind (characters) */
-  pcre_uint16 top_bracket;        /* Highest numbered group */
-  pcre_uint16 top_backref;        /* Highest numbered back reference */
-  pcre_uint16 name_table_offset;  /* Offset to name table that follows */
-  pcre_uint16 name_entry_size;    /* Size of any name items */
-  pcre_uint16 name_count;         /* Number of name items */
-  pcre_uint16 ref_count;          /* Reference count */
-  pcre_uint16 dummy;              /* To ensure size is a multiple of 8 */
-  const pcre_uint8 *tables;       /* Pointer to tables or NULL for std */
-  void             *nullpad;      /* NULL padding */
-} real_pcre32;
-
-#if defined COMPILE_PCRE8
-#define REAL_PCRE real_pcre
-#elif defined COMPILE_PCRE16
-#define REAL_PCRE real_pcre16
-#elif defined COMPILE_PCRE32
-#define REAL_PCRE real_pcre32
-#endif
-
-/* Assert that the size of REAL_PCRE is divisible by 8 */
-typedef int __assert_real_pcre_size_divisible_8[(sizeof(REAL_PCRE) % 8) == 0 ? 1 : -1];
-
-/* Needed in pcretest to access some fields in the real_pcre* structures
- * directly. They're unified for 8/16/32 bits since the structs only differ
- * after these fields; if that ever changes, need to fork those defines into
- * 8/16 and 32 bit versions. */
-#define REAL_PCRE_MAGIC(re)     (((REAL_PCRE*)re)->magic_number)
-#define REAL_PCRE_SIZE(re)      (((REAL_PCRE*)re)->size)
-#define REAL_PCRE_OPTIONS(re)   (((REAL_PCRE*)re)->options)
-#define REAL_PCRE_FLAGS(re)     (((REAL_PCRE*)re)->flags)
-
-/* The format of the block used to store data from pcre_study(). The same
-remark (see NOTE above) about extending this structure applies. */
-
-typedef struct pcre_study_data {
-  pcre_uint32 size;               /* Total that was malloced */
-  pcre_uint32 flags;              /* Private flags */
-  pcre_uint8 start_bits[32];      /* Starting char bits */
-  pcre_uint32 minlength;          /* Minimum subject length */
-} pcre_study_data;
-
-/* Structure for building a chain of open capturing subpatterns during
-compiling, so that instructions to close them can be compiled when (*ACCEPT) is
-encountered. This is also used to identify subpatterns that contain recursive
-back references to themselves, so that they can be made atomic. */
-
-typedef struct open_capitem {
-  struct open_capitem *next;    /* Chain link */
-  pcre_uint16 number;           /* Capture number */
-  pcre_uint16 flag;             /* Set TRUE if recursive back ref */
-} open_capitem;
-
-/* Structure for building a list of named groups during the first pass of
-compiling. */
-
-typedef struct named_group {
-  const pcre_uchar  *name;          /* Points to the name in the pattern */
-  int                length;        /* Length of the name */
-  pcre_uint32        number;        /* Group number */
-} named_group;
-
-/* Structure for passing "static" information around between the functions
-doing the compiling, so that they are thread-safe. */
-
-typedef struct compile_data {
-  const pcre_uint8 *lcc;            /* Points to lower casing table */
-  const pcre_uint8 *fcc;            /* Points to case-flipping table */
-  const pcre_uint8 *cbits;          /* Points to character type table */
-  const pcre_uint8 *ctypes;         /* Points to table of type maps */
-  const pcre_uchar *start_workspace;/* The start of working space */
-  const pcre_uchar *start_code;     /* The start of the compiled code */
-  const pcre_uchar *start_pattern;  /* The start of the pattern */
-  const pcre_uchar *end_pattern;    /* The end of the pattern */
-  pcre_uchar *hwm;                  /* High watermark of workspace */
-  open_capitem *open_caps;          /* Chain of open capture items */
-  named_group *named_groups;        /* Points to vector in pre-compile */
-  pcre_uchar *name_table;           /* The name/number table */
-  int  names_found;                 /* Number of entries so far */
-  int  name_entry_size;             /* Size of each entry */
-  int  named_group_list_size;       /* Number of entries in the list */
-  int  workspace_size;              /* Size of workspace */
-  unsigned int bracount;            /* Count of capturing parens as we compile */
-  int  final_bracount;              /* Saved value after first pass */
-  int  max_lookbehind;              /* Maximum lookbehind (characters) */
-  int  top_backref;                 /* Maximum back reference */
-  unsigned int backref_map;         /* Bitmap of low back refs */
-  unsigned int namedrefcount;       /* Number of backreferences by name */
-  int  parens_depth;                /* Depth of nested parentheses */
-  int  assert_depth;                /* Depth of nested assertions */
-  pcre_uint32 external_options;     /* External (initial) options */
-  pcre_uint32 external_flags;       /* External flag bits to be set */
-  int  req_varyopt;                 /* "After variable item" flag for reqbyte */
-  BOOL had_accept;                  /* (*ACCEPT) encountered */
-  BOOL had_pruneorskip;             /* (*PRUNE) or (*SKIP) encountered */
-  BOOL check_lookbehind;            /* Lookbehinds need later checking */
-  BOOL dupnames;                    /* Duplicate names exist */
-  BOOL dupgroups;                   /* Duplicate groups exist: (?| found */
-  BOOL iscondassert;                /* Next assert is a condition */
-  int  nltype;                      /* Newline type */
-  int  nllen;                       /* Newline string length */
-  pcre_uchar nl[4];                 /* Newline string when fixed length */
-} compile_data;
-
-/* Structure for maintaining a chain of pointers to the currently incomplete
-branches, for testing for left recursion while compiling. */
-
-typedef struct branch_chain {
-  struct branch_chain *outer;
-  pcre_uchar *current_branch;
-} branch_chain;
-
-/* Structure for mutual recursion detection. */
-
-typedef struct recurse_check {
-  struct recurse_check *prev;
-  const pcre_uchar *group;
-} recurse_check;
-
-/* Structure for items in a linked list that represents an explicit recursive
-call within the pattern; used by pcre_exec(). */
-
-typedef struct recursion_info {
-  struct recursion_info *prevrec; /* Previous recursion record (or NULL) */
-  unsigned int group_num;         /* Number of group that was called */
-  int *offset_save;               /* Pointer to start of saved offsets */
-  int saved_max;                  /* Number of saved offsets */
-  int saved_capture_last;         /* Last capture number */
-  PCRE_PUCHAR subject_position;   /* Position at start of recursion */
-} recursion_info;
-
-/* A similar structure for pcre_dfa_exec(). */
-
-typedef struct dfa_recursion_info {
-  struct dfa_recursion_info *prevrec;
-  int group_num;
-  PCRE_PUCHAR subject_position;
-} dfa_recursion_info;
-
-/* Structure for building a chain of data for holding the values of the subject
-pointer at the start of each subpattern, so as to detect when an empty string
-has been matched by a subpattern - to break infinite loops; used by
-pcre_exec(). */
-
-typedef struct eptrblock {
-  struct eptrblock *epb_prev;
-  PCRE_PUCHAR epb_saved_eptr;
-} eptrblock;
-
-
-/* Structure for passing "static" information around between the functions
-doing traditional NFA matching, so that they are thread-safe. */
-
-typedef struct match_data {
-  unsigned long int match_call_count;      /* As it says */
-  unsigned long int match_limit;           /* As it says */
-  unsigned long int match_limit_recursion; /* As it says */
-  int   *offset_vector;           /* Offset vector */
-  int    offset_end;              /* One past the end */
-  int    offset_max;              /* The maximum usable for return data */
-  int    nltype;                  /* Newline type */
-  int    nllen;                   /* Newline string length */
-  int    name_count;              /* Number of names in name table */
-  int    name_entry_size;         /* Size of entry in names table */
-  unsigned int skip_arg_count;    /* For counting SKIP_ARGs */
-  unsigned int ignore_skip_arg;   /* For re-run when SKIP arg name not found */
-  pcre_uchar *name_table;         /* Table of names */
-  pcre_uchar nl[4];               /* Newline string when fixed */
-  const  pcre_uint8 *lcc;         /* Points to lower casing table */
-  const  pcre_uint8 *fcc;         /* Points to case-flipping table */
-  const  pcre_uint8 *ctypes;      /* Points to table of type maps */
-  BOOL   notbol;                  /* NOTBOL flag */
-  BOOL   noteol;                  /* NOTEOL flag */
-  BOOL   utf;                     /* UTF-8 / UTF-16 flag */
-  BOOL   jscript_compat;          /* JAVASCRIPT_COMPAT flag */
-  BOOL   use_ucp;                 /* PCRE_UCP flag */
-  BOOL   endonly;                 /* Dollar not before final \n */
-  BOOL   notempty;                /* Empty string match not wanted */
-  BOOL   notempty_atstart;        /* Empty string match at start not wanted */
-  BOOL   hitend;                  /* Hit the end of the subject at some point */
-  BOOL   bsr_anycrlf;             /* \R is just any CRLF, not full Unicode */
-  BOOL   hasthen;                 /* Pattern contains (*THEN) */
-  const  pcre_uchar *start_code;  /* For use when recursing */
-  PCRE_PUCHAR start_subject;      /* Start of the subject string */
-  PCRE_PUCHAR end_subject;        /* End of the subject string */
-  PCRE_PUCHAR start_match_ptr;    /* Start of matched string */
-  PCRE_PUCHAR end_match_ptr;      /* Subject position at end match */
-  PCRE_PUCHAR start_used_ptr;     /* Earliest consulted character */
-  int    partial;                 /* PARTIAL options */
-  int    end_offset_top;          /* Highwater mark at end of match */
-  pcre_int32 capture_last;        /* Most recent capture number + overflow flag */
-  int    start_offset;            /* The start offset value */
-  int    match_function_type;     /* Set for certain special calls of MATCH() */
-  eptrblock *eptrchain;           /* Chain of eptrblocks for tail recursions */
-  int    eptrn;                   /* Next free eptrblock */
-  recursion_info *recursive;      /* Linked list of recursion data */
-  void  *callout_data;            /* To pass back to callouts */
-  const  pcre_uchar *mark;        /* Mark pointer to pass back on success */
-  const  pcre_uchar *nomatch_mark;/* Mark pointer to pass back on failure */
-  const  pcre_uchar *once_target; /* Where to back up to for atomic groups */
-#ifdef NO_RECURSE
-  void  *match_frames_base;       /* For remembering malloc'd frames */
-#endif
-} match_data;
-
-/* A similar structure is used for the same purpose by the DFA matching
-functions. */
-
-typedef struct dfa_match_data {
-  const pcre_uchar *start_code;     /* Start of the compiled pattern */
-  const pcre_uchar *start_subject ; /* Start of the subject string */
-  const pcre_uchar *end_subject;    /* End of subject string */
-  const pcre_uchar *start_used_ptr; /* Earliest consulted character */
-  const pcre_uint8 *tables;         /* Character tables */
-  int   start_offset;               /* The start offset value */
-  int   moptions;                   /* Match options */
-  int   poptions;                   /* Pattern options */
-  int   nltype;                     /* Newline type */
-  int   nllen;                      /* Newline string length */
-  pcre_uchar nl[4];                 /* Newline string when fixed */
-  void *callout_data;               /* To pass back to callouts */
-  dfa_recursion_info *recursive;    /* Linked list of recursion data */
-} dfa_match_data;
-
-/* Bit definitions for entries in the pcre_ctypes table. */
-
-#define ctype_space   0x01
-#define ctype_letter  0x02
-#define ctype_digit   0x04
-#define ctype_xdigit  0x08
-#define ctype_word    0x10   /* alphanumeric or '_' */
-#define ctype_meta    0x80   /* regexp meta char or zero (end pattern) */
-
-/* Offsets for the bitmap tables in pcre_cbits. Each table contains a set
-of bits for a class map. Some classes are built by combining these tables. */
-
-#define cbit_space     0      /* [:space:] or \s */
-#define cbit_xdigit   32      /* [:xdigit:] */
-#define cbit_digit    64      /* [:digit:] or \d */
-#define cbit_upper    96      /* [:upper:] */
-#define cbit_lower   128      /* [:lower:] */
-#define cbit_word    160      /* [:word:] or \w */
-#define cbit_graph   192      /* [:graph:] */
-#define cbit_print   224      /* [:print:] */
-#define cbit_punct   256      /* [:punct:] */
-#define cbit_cntrl   288      /* [:cntrl:] */
-#define cbit_length  320      /* Length of the cbits table */
-
-/* Offsets of the various tables from the base tables pointer, and
-total length. */
-
-#define lcc_offset      0
-#define fcc_offset    256
-#define cbits_offset  512
-#define ctypes_offset (cbits_offset + cbit_length)
-#define tables_length (ctypes_offset + 256)
-
-/* Internal function and data prefixes. */
-
-#if defined COMPILE_PCRE8
-#ifndef PUBL
-#define PUBL(name) pcre_##name
-#endif
-#ifndef PRIV
-#define PRIV(name) _pcre_##name
-#endif
-#elif defined COMPILE_PCRE16
-#ifndef PUBL
-#define PUBL(name) pcre16_##name
-#endif
-#ifndef PRIV
-#define PRIV(name) _pcre16_##name
-#endif
-#elif defined COMPILE_PCRE32
-#ifndef PUBL
-#define PUBL(name) pcre32_##name
-#endif
-#ifndef PRIV
-#define PRIV(name) _pcre32_##name
-#endif
-#else
-#error Unsupported compiling mode
-#endif /* COMPILE_PCRE[8|16|32] */
-
-/* Layout of the UCP type table that translates property names into types and
-codes. Each entry used to point directly to a name, but to reduce the number of
-relocations in shared libraries, it now has an offset into a single string
-instead. */
-
-typedef struct {
-  pcre_uint16 name_offset;
-  pcre_uint16 type;
-  pcre_uint16 value;
-} ucp_type_table;
-
-
-/* Internal shared data tables. These are tables that are used by more than one
-of the exported public functions. They have to be "external" in the C sense,
-but are not part of the PCRE public API. The data for these tables is in the
-pcre_tables.c module. */
-
-#ifdef COMPILE_PCRE8
-extern const int            PRIV(utf8_table1)[];
-extern const int            PRIV(utf8_table1_size);
-extern const int            PRIV(utf8_table2)[];
-extern const int            PRIV(utf8_table3)[];
-extern const pcre_uint8     PRIV(utf8_table4)[];
-#endif /* COMPILE_PCRE8 */
-
-extern const char           PRIV(utt_names)[];
-extern const ucp_type_table PRIV(utt)[];
-extern const int            PRIV(utt_size);
-
-extern const pcre_uint8     PRIV(OP_lengths)[];
-extern const pcre_uint8     PRIV(default_tables)[];
-
-extern const pcre_uint32    PRIV(hspace_list)[];
-extern const pcre_uint32    PRIV(vspace_list)[];
-
-
-/* Internal shared functions. These are functions that are used by more than
-one of the exported public functions. They have to be "external" in the C
-sense, but are not part of the PCRE public API. */
-
-/* String comparison functions. */
-#if defined COMPILE_PCRE8
-
-#define STRCMP_UC_UC(str1, str2) \
-  strcmp((char *)(str1), (char *)(str2))
-#define STRCMP_UC_C8(str1, str2) \
-  strcmp((char *)(str1), (str2))
-#define STRNCMP_UC_UC(str1, str2, num) \
-  strncmp((char *)(str1), (char *)(str2), (num))
-#define STRNCMP_UC_C8(str1, str2, num) \
-  strncmp((char *)(str1), (str2), (num))
-#define STRLEN_UC(str) strlen((const char *)str)
-
-#elif defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-
-extern int               PRIV(strcmp_uc_uc)(const pcre_uchar *,
-                           const pcre_uchar *);
-extern int               PRIV(strcmp_uc_c8)(const pcre_uchar *,
-                           const char *);
-extern int               PRIV(strncmp_uc_uc)(const pcre_uchar *,
-                           const pcre_uchar *, unsigned int num);
-extern int               PRIV(strncmp_uc_c8)(const pcre_uchar *,
-                           const char *, unsigned int num);
-extern unsigned int      PRIV(strlen_uc)(const pcre_uchar *str);
-
-#define STRCMP_UC_UC(str1, str2) \
-  PRIV(strcmp_uc_uc)((str1), (str2))
-#define STRCMP_UC_C8(str1, str2) \
-  PRIV(strcmp_uc_c8)((str1), (str2))
-#define STRNCMP_UC_UC(str1, str2, num) \
-  PRIV(strncmp_uc_uc)((str1), (str2), (num))
-#define STRNCMP_UC_C8(str1, str2, num) \
-  PRIV(strncmp_uc_c8)((str1), (str2), (num))
-#define STRLEN_UC(str) PRIV(strlen_uc)(str)
-
-#endif /* COMPILE_PCRE[8|16|32] */
-
-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
-
-#define STRCMP_UC_UC_TEST(str1, str2) STRCMP_UC_UC(str1, str2)
-#define STRCMP_UC_C8_TEST(str1, str2) STRCMP_UC_C8(str1, str2)
-
-#elif defined COMPILE_PCRE32
-
-extern int               PRIV(strcmp_uc_uc_utf)(const pcre_uchar *,
-                           const pcre_uchar *);
-extern int               PRIV(strcmp_uc_c8_utf)(const pcre_uchar *,
-                           const char *);
-
-#define STRCMP_UC_UC_TEST(str1, str2) \
-  (utf ? PRIV(strcmp_uc_uc_utf)((str1), (str2)) : PRIV(strcmp_uc_uc)((str1), (str2)))
-#define STRCMP_UC_C8_TEST(str1, str2) \
-  (utf ? PRIV(strcmp_uc_c8_utf)((str1), (str2)) : PRIV(strcmp_uc_c8)((str1), (str2)))
-
-#endif /* COMPILE_PCRE[8|16|32] */
-
-extern const pcre_uchar *PRIV(find_bracket)(const pcre_uchar *, BOOL, int);
-extern BOOL              PRIV(is_newline)(PCRE_PUCHAR, int, PCRE_PUCHAR,
-                           int *, BOOL);
-extern unsigned int      PRIV(ord2utf)(pcre_uint32, pcre_uchar *);
-extern int               PRIV(valid_utf)(PCRE_PUCHAR, int, int *);
-extern BOOL              PRIV(was_newline)(PCRE_PUCHAR, int, PCRE_PUCHAR,
-                           int *, BOOL);
-extern BOOL              PRIV(xclass)(pcre_uint32, const pcre_uchar *, BOOL);
-
-#ifdef SUPPORT_JIT
-extern void              PRIV(jit_compile)(const REAL_PCRE *,
-                           PUBL(extra) *, int);
-extern int               PRIV(jit_exec)(const PUBL(extra) *,
-                           const pcre_uchar *, int, int, int, int *, int);
-extern void              PRIV(jit_free)(void *);
-extern int               PRIV(jit_get_size)(void *);
-extern const char*       PRIV(jit_get_target)(void);
-#endif
-
-/* Unicode character database (UCD) */
-
-typedef struct {
-  pcre_uint8 script;     /* ucp_Arabic, etc. */
-  pcre_uint8 chartype;   /* ucp_Cc, etc. (general categories) */
-  pcre_uint8 gbprop;     /* ucp_gbControl, etc. (grapheme break property) */
-  pcre_uint8 caseset;    /* offset to multichar other cases or zero */
-  pcre_int32 other_case; /* offset to other case, or zero if none */
-} ucd_record;
-
-extern const pcre_uint32 PRIV(ucd_caseless_sets)[];
-extern const ucd_record  PRIV(ucd_records)[];
-extern const pcre_uint8  PRIV(ucd_stage1)[];
-extern const pcre_uint16 PRIV(ucd_stage2)[];
-extern const pcre_uint32 PRIV(ucp_gentype)[];
-extern const pcre_uint32 PRIV(ucp_gbtable)[];
-#ifdef SUPPORT_JIT
-extern const int         PRIV(ucp_typerange)[];
-#endif
-
-#ifdef SUPPORT_UCP
-/* UCD access macros */
-
-#define UCD_BLOCK_SIZE 128
-#define GET_UCD(ch) (PRIV(ucd_records) + \
-        PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
-        UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
-
-#define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
-#define UCD_SCRIPT(ch)      GET_UCD(ch)->script
-#define UCD_CATEGORY(ch)    PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
-#define UCD_GRAPHBREAK(ch)  GET_UCD(ch)->gbprop
-#define UCD_CASESET(ch)     GET_UCD(ch)->caseset
-#define UCD_OTHERCASE(ch)   ((pcre_uint32)((int)ch + (int)(GET_UCD(ch)->other_case)))
-
-#endif /* SUPPORT_UCP */
-
-#endif
-
-/* End of pcre_internal.h */
diff --git a/src/plugins/PCREPlugin/pcre_maketables.c b/src/plugins/PCREPlugin/pcre_maketables.c
deleted file mode 100644
index 78235ae..0000000
--- a/src/plugins/PCREPlugin/pcre_maketables.c
+++ /dev/null
@@ -1,144 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2007 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_maketables(), which builds
-character tables for PCRE in the current locale. The file is compiled on its
-own as part of the PCRE library. However, it is also included in the
-compilation of dftables.c, in which case the macro DFTABLES is defined. */
-
-
-#ifndef DFTABLES
-#  ifdef HAVE_CONFIG_H
-#  include "config.h"
-#  endif
-#  include "pcre_internal.h"
-#endif
-
-
-/*************************************************
-*           Create PCRE character tables         *
-*************************************************/
-
-/* This function builds a set of character tables for use by PCRE and returns
-a pointer to them. They are build using the ctype functions, and consequently
-their contents will depend upon the current locale setting. When compiled as
-part of the library, the store is obtained via pcre_malloc(), but when compiled
-inside dftables, use malloc().
-
-Arguments:   none
-Returns:     pointer to the contiguous block of data
-*/
-
-const unsigned char *
-pcre_maketables(void)
-{
-unsigned char *yield, *p;
-int i;
-
-#ifndef DFTABLES
-yield = (unsigned char*)(pcre_malloc)(tables_length);
-#else
-yield = (unsigned char*)malloc(tables_length);
-#endif
-
-if (yield == NULL) return NULL;
-p = yield;
-
-/* First comes the lower casing table */
-
-for (i = 0; i < 256; i++) *p++ = tolower(i);
-
-/* Next the case-flipping table */
-
-for (i = 0; i < 256; i++) *p++ = islower(i)? toupper(i) : tolower(i);
-
-/* Then the character class tables. Don't try to be clever and save effort on
-exclusive ones - in some locales things may be different. Note that the table
-for "space" includes everything "isspace" gives, including VT in the default
-locale. This makes it work for the POSIX class [:space:]. Note also that it is
-possible for a character to be alnum or alpha without being lower or upper,
-such as "male and female ordinals" (\xAA and \xBA) in the fr_FR locale (at
-least under Debian Linux's locales as of 12/2005). So we must test for alnum
-specially. */
-
-memset(p, 0, cbit_length);
-for (i = 0; i < 256; i++)
-  {
-  if (isdigit(i)) p[cbit_digit  + i/8] |= 1 << (i&7);
-  if (isupper(i)) p[cbit_upper  + i/8] |= 1 << (i&7);
-  if (islower(i)) p[cbit_lower  + i/8] |= 1 << (i&7);
-  if (isalnum(i)) p[cbit_word   + i/8] |= 1 << (i&7);
-  if (i == '_')   p[cbit_word   + i/8] |= 1 << (i&7);
-  if (isspace(i)) p[cbit_space  + i/8] |= 1 << (i&7);
-  if (isxdigit(i))p[cbit_xdigit + i/8] |= 1 << (i&7);
-  if (isgraph(i)) p[cbit_graph  + i/8] |= 1 << (i&7);
-  if (isprint(i)) p[cbit_print  + i/8] |= 1 << (i&7);
-  if (ispunct(i)) p[cbit_punct  + i/8] |= 1 << (i&7);
-  if (iscntrl(i)) p[cbit_cntrl  + i/8] |= 1 << (i&7);
-  }
-p += cbit_length;
-
-/* Finally, the character type table. In this, we exclude VT from the white
-space chars, because Perl doesn't recognize it as such for \s and for comments
-within regexes. */
-
-for (i = 0; i < 256; i++)
-  {
-  int x = 0;
-  if (i != 0x0b && isspace(i)) x += ctype_space;
-  if (isalpha(i)) x += ctype_letter;
-  if (isdigit(i)) x += ctype_digit;
-  if (isxdigit(i)) x += ctype_xdigit;
-  if (isalnum(i) || i == '_') x += ctype_word;
-
-  /* Note: strchr includes the terminating zero in the characters it considers.
-  In this instance, that is ok because we want binary zero to be flagged as a
-  meta-character, which in this sense is any character that terminates a run
-  of data characters. */
-
-  if (strchr("\\*+?{^.$|()[", i) != 0) x += ctype_meta;
-  *p++ = x;
-  }
-
-return yield;
-}
-
-/* End of pcre_maketables.c */
diff --git a/src/plugins/PCREPlugin/pcre_newline.c b/src/plugins/PCREPlugin/pcre_newline.c
deleted file mode 100644
index 220ec4e..0000000
--- a/src/plugins/PCREPlugin/pcre_newline.c
+++ /dev/null
@@ -1,211 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains internal functions for testing newlines when more than
-one kind of newline is to be recognized. When a newline is found, its length is
-returned. In principle, we could implement several newline "types", each
-referring to a different set of newline characters. At present, PCRE supports
-only NLTYPE_FIXED, which gets handled without these functions, NLTYPE_ANYCRLF,
-and NLTYPE_ANY. The full list of Unicode newline characters is taken from
-http://unicode.org/unicode/reports/tr18/. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-
-/*************************************************
-*      Check for newline at given position       *
-*************************************************/
-
-/* It is guaranteed that the initial value of ptr is less than the end of the
-string that is being processed.
-
-Arguments:
-  ptr          pointer to possible newline
-  type         the newline type
-  endptr       pointer to the end of the string
-  lenptr       where to return the length
-  utf          TRUE if in utf mode
-
-Returns:       TRUE or FALSE
-*/
-
-BOOL
-PRIV(is_newline)(PCRE_PUCHAR ptr, int type, PCRE_PUCHAR endptr, int *lenptr,
-  BOOL utf)
-{
-pcre_uint32 c;
-(void)utf;
-#ifdef SUPPORT_UTF
-if (utf)
-  {
-  GETCHAR(c, ptr);
-  }
-else
-#endif  /* SUPPORT_UTF */
-  c = *ptr;
-
-/* Note that this function is called only for ANY or ANYCRLF. */
-
-if (type == NLTYPE_ANYCRLF) switch(c)
-  {
-  case CHAR_LF: *lenptr = 1; return TRUE;
-  case CHAR_CR: *lenptr = (ptr < endptr - 1 && ptr[1] == CHAR_LF)? 2 : 1;
-               return TRUE;
-  default: return FALSE;
-  }
-
-/* NLTYPE_ANY */
-
-else switch(c)
-  {
-#ifdef EBCDIC
-  case CHAR_NEL:
-#endif
-  case CHAR_LF:
-  case CHAR_VT:
-  case CHAR_FF: *lenptr = 1; return TRUE;
-
-  case CHAR_CR:
-  *lenptr = (ptr < endptr - 1 && ptr[1] == CHAR_LF)? 2 : 1;
-  return TRUE;
-
-#ifndef EBCDIC
-#ifdef COMPILE_PCRE8
-  case CHAR_NEL: *lenptr = utf? 2 : 1; return TRUE;
-  case 0x2028:                                       /* LS */
-  case 0x2029: *lenptr = 3; return TRUE;             /* PS */
-#else /* COMPILE_PCRE16 || COMPILE_PCRE32 */
-  case CHAR_NEL:
-  case 0x2028:                                       /* LS */
-  case 0x2029: *lenptr = 1; return TRUE;             /* PS */
-#endif  /* COMPILE_PCRE8 */
-#endif  /* Not EBCDIC */
-
-  default: return FALSE;
-  }
-}
-
-
-
-/*************************************************
-*     Check for newline at previous position     *
-*************************************************/
-
-/* It is guaranteed that the initial value of ptr is greater than the start of
-the string that is being processed.
-
-Arguments:
-  ptr          pointer to possible newline
-  type         the newline type
-  startptr     pointer to the start of the string
-  lenptr       where to return the length
-  utf          TRUE if in utf mode
-
-Returns:       TRUE or FALSE
-*/
-
-BOOL
-PRIV(was_newline)(PCRE_PUCHAR ptr, int type, PCRE_PUCHAR startptr, int *lenptr,
-  BOOL utf)
-{
-pcre_uint32 c;
-(void)utf;
-ptr--;
-#ifdef SUPPORT_UTF
-if (utf)
-  {
-  BACKCHAR(ptr);
-  GETCHAR(c, ptr);
-  }
-else
-#endif  /* SUPPORT_UTF */
-  c = *ptr;
-
-/* Note that this function is called only for ANY or ANYCRLF. */
-
-if (type == NLTYPE_ANYCRLF) switch(c)
-  {
-  case CHAR_LF:
-  *lenptr = (ptr > startptr && ptr[-1] == CHAR_CR)? 2 : 1;
-  return TRUE;
-
-  case CHAR_CR: *lenptr = 1; return TRUE;
-  default: return FALSE;
-  }
-
-/* NLTYPE_ANY */
-
-else switch(c)
-  {
-  case CHAR_LF:
-  *lenptr = (ptr > startptr && ptr[-1] == CHAR_CR)? 2 : 1;
-  return TRUE;
-
-#ifdef EBCDIC
-  case CHAR_NEL:
-#endif
-  case CHAR_VT:
-  case CHAR_FF:
-  case CHAR_CR: *lenptr = 1; return TRUE;
-
-#ifndef EBCDIC
-#ifdef COMPILE_PCRE8
-  case CHAR_NEL: *lenptr = utf? 2 : 1; return TRUE;
-  case 0x2028:                                       /* LS */
-  case 0x2029: *lenptr = 3; return TRUE;             /* PS */
-#else /* COMPILE_PCRE16 || COMPILE_PCRE32 */
-  case CHAR_NEL:
-  case 0x2028:                                       /* LS */
-  case 0x2029: *lenptr = 1; return TRUE;             /* PS */
-#endif  /* COMPILE_PCRE8 */
-#endif  /* NotEBCDIC */
-
-  default: return FALSE;
-  }
-}
-
-/* End of pcre_newline.c */
diff --git a/src/plugins/PCREPlugin/pcre_ord2utf8.c b/src/plugins/PCREPlugin/pcre_ord2utf8.c
deleted file mode 100644
index 2e02f38..0000000
--- a/src/plugins/PCREPlugin/pcre_ord2utf8.c
+++ /dev/null
@@ -1,95 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This file contains a private PCRE function that converts an ordinal
-character value into a UTF8 string. */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#define COMPILE_PCRE8
-
-#include "pcre_internal.h"
-
-/*************************************************
-*       Convert character value to UTF-8         *
-*************************************************/
-
-/* This function takes an integer value in the range 0 - 0x10ffff
-and encodes it as a UTF-8 character in 1 to 4 pcre_uchars.
-
-Arguments:
-  cvalue     the character value
-  buffer     pointer to buffer for result - at least 6 pcre_uchars long
-
-Returns:     number of characters placed in the buffer
-*/
-
-unsigned
-int
-PRIV(ord2utf)(pcre_uint32 cvalue, pcre_uchar *buffer)
-{
-#ifdef SUPPORT_UTF
-
-register int i, j;
-
-for (i = 0; i < PRIV(utf8_table1_size); i++)
-  if ((int)cvalue <= PRIV(utf8_table1)[i]) break;
-buffer += i;
-for (j = i; j > 0; j--)
- {
- *buffer-- = 0x80 | (cvalue & 0x3f);
- cvalue >>= 6;
- }
-*buffer = PRIV(utf8_table2)[i] | cvalue;
-return i + 1;
-
-#else
-
-(void)(cvalue);  /* Keep compiler happy; this function won't ever be */
-(void)(buffer);  /* called when SUPPORT_UTF is not defined. */
-return 0;
-
-#endif
-}
-
-/* End of pcre_ord2utf8.c */
diff --git a/src/plugins/PCREPlugin/pcre_plugin.c b/src/plugins/PCREPlugin/pcre_plugin.c
deleted file mode 100644
index a444035..0000000
--- a/src/plugins/PCREPlugin/pcre_plugin.c
+++ /dev/null
@@ -1,398 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2007-2008 by ZARAZA <3APA3A@security.nnov.ru>
-
-   please read License Agreement
-
-*/
-
-#include "../../structures.h"
-#include 
-#include "pcre.h"
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-#ifndef isnumber
-#define isnumber(i_n_arg) ((i_n_arg>='0')&&(i_n_arg<='9'))
-#endif
-
-static struct pluginlink * pl;
-
-static pthread_mutex_t pcre_mutex;
-
-
-static struct filter pcre_first_filter = {
-	NULL,
-	"Fake filter",
-	NULL, NULL,
-	NULL, NULL,
-	NULL, NULL, NULL,
-	NULL, NULL,
-	NULL, NULL
-};
-
-static struct filter *pcre_last_filter;
-static int pcre_loaded = 0;
-static int pcre_options = 0;
-
-static struct pcreopt {
-	char * name;
-	int value;	
-} pcreopts[]= {
-
- {"PCRE_CASELESS",           0x00000001},
- {"PCRE_MULTILINE",          0x00000002},
- {"PCRE_DOTALL",             0x00000004},
- {"PCRE_EXTENDED",           0x00000008},
- {"PCRE_ANCHORED",           0x00000010},
- {"PCRE_DOLLAR_ENDONLY",     0x00000020},
- {"PCRE_EXTRA",              0x00000040},
- {"PCRE_NOTBOL",             0x00000080},
- {"PCRE_NOTEOL",             0x00000100},
- {"PCRE_UNGREEDY",           0x00000200},
- {"PCRE_NOTEMPTY",           0x00000400},
- {"PCRE_UTF8",               0x00000800},
- {"PCRE_NO_AUTO_CAPTURE",    0x00001000},
- {"PCRE_NO_UTF8_CHECK",      0x00002000},
- {"PCRE_AUTO_CALLOUT",       0x00004000},
- {"PCRE_PARTIAL",            0x00008000},
- {"PCRE_DFA_SHORTEST",       0x00010000},
- {"PCRE_DFA_RESTART",        0x00020000},
- {"PCRE_FIRSTLINE",          0x00040000},
- {"PCRE_DUPNAMES",           0x00080000},
- {"PCRE_NEWLINE_CR",         0x00100000},
- {"PCRE_NEWLINE_LF",         0x00200000},
- {"PCRE_NEWLINE_CRLF",       0x00300000},
- {"PCRE_NEWLINE_ANY",        0x00400000},
- {"PCRE_NEWLINE_ANYCRLF",    0x00500000},
- {"PCRE_BSR_ANYCRLF",        0x00800000},
- {"PCRE_BSR_UNICODE",        0x01000000},
- {NULL, 0}
-};
-
-struct pcre_filter_data {
-	int users;
-	pcre * re;
-	int action;
-	char * replace;
-	struct ace *acl;
-};
-
-static void pcre_data_free(struct pcre_filter_data *pcrefd){
-	pthread_mutex_lock(&pcre_mutex);
-	pcrefd->users--;
-	if(!pcrefd->users){
-		if(pcrefd->re) pl->freefunc(pcrefd->re);
-		if(pcrefd->acl) pl->freeacl(pcrefd->acl);
-		if(pcrefd->replace) pl->freefunc(pcrefd->replace);
-		pl->freefunc(pcrefd);
-	}
-	pthread_mutex_unlock(&pcre_mutex);
-}
-
-
-
-
-static void* pcre_filter_open(void * idata, struct srvparam * param){
-#define pcrefd ((struct pcre_filter_data *)idata)
-	if(idata){
-		pthread_mutex_lock(&pcre_mutex);
-		pcrefd->users++;
-		pthread_mutex_unlock(&pcre_mutex);
-	}
-#undef pcrefd
-	return idata;
-}
-
-
-
-static FILTER_ACTION pcre_filter_client(void *fo, struct clientparam * param, void** fc){
-	int res;
-	struct ace tmpace;
-
-	*fc = fo;
-	if(!fo) return PASS;
-#define pcrefd ((struct pcre_filter_data *)fo)
-	if(!pcrefd->acl) return CONTINUE;
-	memset (&tmpace, 0, sizeof(struct ace));
-	tmpace.src = pcrefd->acl->src;
-	res = pl->ACLMatches(&tmpace, param);
-#undef pcrefd
-	return (res)? CONTINUE:PASS;
-}
-
-static FILTER_ACTION pcre_filter_buffer(void *fc, struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
-	int ovector[48];
-	int count = 0;
-	struct ace *acl;
-	int match = 0;
-	int replen, num;
-	char * replace;
-	char * tmpbuf, *target, *newbuf;
-	int nreplaces=0;
-#define pcrefd ((struct pcre_filter_data *)fc)
-
-	for(acl = pcrefd->acl; acl; acl=acl->next){
-		if(pl->ACLMatches(pcrefd->acl, param)){
-			match = 1;
-			break;
-		}
-	}
-	if(!match) return CONTINUE;
-	if(!pcrefd->re) return pcrefd->action;
-	for(; offset < *length_p; nreplaces++){
-
-		count = pcre_exec(pcrefd->re, NULL, (char *)*buf_p, *length_p, offset, 0, ovector, 48);
-		if(count <= 0) break;
-		if(!(replace = pcrefd->replace) || param->nooverwritefilter) return pcrefd->action;
-
-		replen = *length_p - ovector[1];
-		while(*replace){
-			if(*replace == '\\' && *(replace +1)){
-				replace+=2;
-				++replen;
-			}
-			else if(*replace == '$' && isnumber(*(replace+1))){
-				replace ++;
-				num = atoi(replace);
-				while(isnumber(*replace)) replace++;
-				if(num > (count - 1)) continue;
-				replen += (ovector[(num<<1) + 1] - ovector[(num<<1)]);
-			}
-			else {
-				replace++;
-				replen++;
-			}
-		}
-
-		tmpbuf =  pl->mallocfunc(replen);
-		if(!tmpbuf) return CONTINUE;
-		for(target = tmpbuf, replace = pcrefd->replace; *replace; ){
-			if(*replace == '\\' && *(replace +1)){
-				*target++ = replace[1];
-				replace+=2;
-			}
-			else if(*replace == '$' && isnumber(*(replace+1))){
-				replace ++;
-				num = atoi(replace);
-				if(num > (count - 1)) continue;
-				memcpy(target, *buf_p + ovector[(num<<1)], ovector[(num<<1) + 1] - ovector[(num<<1)]);
-				target += (ovector[(num<<1) + 1] - ovector[(num<<1)]);
-				while(isnumber(*replace)) replace++;
-			}
-			else {
-				*target++ = *replace++;
-			}
-		}
-		memcpy(target, *buf_p + ovector[1], *length_p - ovector[1]);
-		if((ovector[0] + replen + 1) > *bufsize_p){
-			newbuf = pl->mallocfunc(ovector[0] + replen + 1);
-			if(!newbuf){
-				pl->freefunc(tmpbuf);
-				return CONTINUE;
-			}
-			memcpy(newbuf, *buf_p, ovector[0]);
-			pl->freefunc(*buf_p);
-			*buf_p = (unsigned char *)newbuf;
-			*bufsize_p = ovector[0] + replen + 1;
-		}
-		memcpy(*buf_p + ovector[0], tmpbuf, replen);
-		pl->freefunc(tmpbuf);
-		(*buf_p)[ovector[0] + replen] = 0;
-		*length_p = ovector[0] + replen;
-		if(ovector[0] + replen <= offset){
-			break;
-		}
-		offset = ovector[0] + (int)strlen(pcrefd->replace);
-	}
-	return nreplaces? pcrefd->action : CONTINUE;
-#undef pcrefd
-}
-
-static void pcre_filter_clear(void *fo){
-}
-
-static void pcre_filter_close(void *fo){
-	if(!fo) return;
-	pcre_data_free((struct pcre_filter_data *)fo);
-}
-
-static int h_pcre(int argc, unsigned char **argv){
-	int action = 0;
-	pcre *re = NULL;
-	struct ace *acl;
-	int offset = 4;
-	const char * errptr;
-	struct pcre_filter_data *flt;
-	struct filter *newf;
-	char *replace = NULL;
-	
-	if(!strncmp((char *)argv[2], "allow",5)) action = PASS;
-	else if(!strncmp((char *)argv[2], "deny",4)) action = REJECT;
-	else if(!strncmp((char *)argv[2], "remove",6)) action = REMOVE;
-	else if(!strncmp((char *)argv[2], "dunno",5)) action = CONTINUE;
-	else return 1;
-	if(!strncmp((char *)argv[0], "pcre_rewrite", 12)) {
-		int i,j;
-		offset = 5;
-		replace = pl->strdupfunc((char *)argv[4]);
-		if(!replace) return 9;
-		for(i=0, j=0; replace[i]; i++, j++){
-			if(replace[i] == '\\'){
-				switch(replace[i+1]){
-				case 'r':
-					i++;
-					replace[j] = '\r';
-					break;
-				case 'n':
-					i++;
-					replace[j] = '\n';
-					break;
-				case '0':
-					i++;
-					replace[j] = 0;
-					break;
-				case '\\':
-					i++;
-				default:
-					replace[j] = '\\';
-					break;
-				}
-			}
-			else replace[j] = replace[i];
-		}
-		replace[j] = 0;
-	}
-	if(!(acl = pl->make_ace(argc - offset, argv + offset))) return 2;
-	acl->nolog = (strstr((char *)argv[2],"log") == 0);
-	if(*argv[3] && !(*argv[3] == '*' && !argv[3][1]) ){
-		re = pcre_compile((char *)argv[3], pcre_options, &errptr, &offset, NULL);
-		if(!re) {
-			pl->freefunc(acl);
-			if(replace) pl->freefunc(replace);
-			return 3;
-		}
-	}
-	flt = pl->mallocfunc(sizeof(struct pcre_filter_data));
-	newf = pl->mallocfunc(sizeof(struct filter));
-	
-	if(!flt || !newf) {
-		pl->freefunc(acl);
-		pl->freefunc(re);
-		if(replace) pl->freefunc(replace);
-		if(flt) pl->freefunc(flt);
-		return 4;
-	}
-	memset(flt, 0, sizeof(struct pcre_filter_data));
-	memset(newf, 0, sizeof(struct filter));
-	flt->action = action;
-	flt->re = re;
-	flt->acl = acl;
-	flt->replace = replace;
-	flt->users = 1;
-	newf->instance = "pcre";
-	newf->data = flt;
-	newf->filter_open = pcre_filter_open;
-	newf->filter_client = pcre_filter_client;
-	if(strstr((char *)argv[1], "request"))newf->filter_request = pcre_filter_buffer;
-	if(strstr((char *)argv[1], "cliheader"))newf->filter_header_cli = pcre_filter_buffer;
-	if(strstr((char *)argv[1], "clidata"))newf->filter_data_cli = pcre_filter_buffer;
-	if(strstr((char *)argv[1], "srvheader"))newf->filter_header_srv = pcre_filter_buffer;
-	if(strstr((char *)argv[1], "srvdata"))newf->filter_data_srv = pcre_filter_buffer;
-	newf->filter_clear = pcre_filter_clear;
-	newf->filter_close = pcre_filter_close;
-	
-	if(!pcre_last_filter){
-		newf->next = pcre_first_filter.next;
-		pcre_first_filter.next=newf;
-	}
-	else {
-		newf->next = pcre_last_filter->next;
-		pcre_last_filter->next = newf;
-	}
-	pcre_last_filter=newf;
-
-	return 0;
-}
-
-static int h_pcre_extend(int argc, unsigned char **argv){
-	struct ace *acl;
-	if(!pcre_last_filter || !pcre_last_filter->data) return 1;
-	acl = ((struct pcre_filter_data *)pcre_last_filter->data)->acl;
-	if(!acl) return 2;
-	for(; acl->next; acl=acl->next);
-	acl->next = (*pl->make_ace)(argc - 1, argv + 1);
-	if(!acl->next) return 3;
-	return 0;
-}
-
-static int h_pcre_options(int argc, unsigned char **argv){
-	int i,j;
-
-	pcre_options = 0;
-	for(j=1; jmallocfunc;
-		pcre_free = pl->freefunc;
-		pcre_loaded = 1;
-		pthread_mutex_init(&pcre_mutex, NULL);
-		regexp_symbols[2].next = pl->symbols.next;
-		pl->symbols.next = regexp_symbols;
-		pcre_commandhandlers[3].next = pl->commandhandlers->next;
-		pl->commandhandlers->next = pcre_commandhandlers;
-		pcre_first_filter.next = pl->conf->filters;
-		pl->conf->filters = &pcre_first_filter;
-	}
-	else if(pcre_last_filter){
-		pcre_first_filter.next = pcre_last_filter->next;
-		flt = pcre_first_filter.next;
-		for(; flt; flt = tmpflt){
-			tmpflt = flt->next;
-			if(flt->data)
-				pcre_data_free((struct pcre_filter_data *)flt->data);
-			pl->freefunc(flt);
-			if(flt == pcre_last_filter) break;
-		}
-	}
-	pcre_last_filter = NULL;
-	return 0;
-		
- }
-#ifdef  __cplusplus
-}
-#endif
diff --git a/src/plugins/PCREPlugin/pcre_refcount.c b/src/plugins/PCREPlugin/pcre_refcount.c
deleted file mode 100644
index 6a33c18..0000000
--- a/src/plugins/PCREPlugin/pcre_refcount.c
+++ /dev/null
@@ -1,93 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_refcount(), which is an
-auxiliary function that can be used to maintain a reference count in a compiled
-pattern data block. This might be helpful in applications where the block is
-shared by different users. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-*           Maintain reference count             *
-*************************************************/
-
-/* The reference count is a 16-bit field, initialized to zero. It is not
-possible to transfer a non-zero count from one host to a different host that
-has a different byte order - though I can't see why anyone in their right mind
-would ever want to do that!
-
-Arguments:
-  argument_re   points to compiled code
-  adjust        value to add to the count
-
-Returns:        the (possibly updated) count value (a non-negative number), or
-                a negative error number
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre_refcount(pcre *argument_re, int adjust)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre16_refcount(pcre16 *argument_re, int adjust)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN int PCRE_CALL_CONVENTION
-pcre32_refcount(pcre32 *argument_re, int adjust)
-#endif
-{
-REAL_PCRE *re = (REAL_PCRE *)argument_re;
-if (re == NULL) return PCRE_ERROR_NULL;
-if (re->magic_number != MAGIC_NUMBER) return PCRE_ERROR_BADMAGIC;
-if ((re->flags & PCRE_MODE) == 0) return PCRE_ERROR_BADMODE;
-re->ref_count = (-adjust > re->ref_count)? 0 :
-                (adjust + re->ref_count > 65535)? 65535 :
-                re->ref_count + adjust;
-return re->ref_count;
-}
-
-/* End of pcre_refcount.c */
diff --git a/src/plugins/PCREPlugin/pcre_study.c b/src/plugins/PCREPlugin/pcre_study.c
deleted file mode 100644
index 89051df..0000000
--- a/src/plugins/PCREPlugin/pcre_study.c
+++ /dev/null
@@ -1,1687 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_study(), along with local
-supporting functions. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-#define SET_BIT(c) start_bits[c/8] |= (1 << (c&7))
-
-/* Returns from set_start_bits() */
-
-enum { SSB_FAIL, SSB_DONE, SSB_CONTINUE, SSB_UNKNOWN };
-
-
-
-/*************************************************
-*   Find the minimum subject length for a group  *
-*************************************************/
-
-/* Scan a parenthesized group and compute the minimum length of subject that
-is needed to match it. This is a lower bound; it does not mean there is a
-string of that length that matches. In UTF8 mode, the result is in characters
-rather than bytes.
-
-Arguments:
-  re              compiled pattern block
-  code            pointer to start of group (the bracket)
-  startcode       pointer to start of the whole pattern's code
-  options         the compiling options
-  recurses        chain of recurse_check to catch mutual recursion
-  countptr        pointer to call count (to catch over complexity)
-
-Returns:   the minimum length
-           -1 if \C in UTF-8 mode or (*ACCEPT) was encountered
-           -2 internal error (missing capturing bracket)
-           -3 internal error (opcode not listed)
-*/
-
-static int
-find_minlength(const REAL_PCRE *re, const pcre_uchar *code,
-  const pcre_uchar *startcode, int options, recurse_check *recurses,
-  int *countptr)
-{
-int length = -1;
-/* PCRE_UTF16 has the same value as PCRE_UTF8. */
-BOOL utf = (options & PCRE_UTF8) != 0;
-BOOL had_recurse = FALSE;
-recurse_check this_recurse;
-register int branchlength = 0;
-register pcre_uchar *cc = (pcre_uchar *)code + 1 + LINK_SIZE;
-
-if ((*countptr)++ > 1000) return -1;   /* too complex */
-
-if (*code == OP_CBRA || *code == OP_SCBRA ||
-    *code == OP_CBRAPOS || *code == OP_SCBRAPOS) cc += IMM2_SIZE;
-
-/* Scan along the opcodes for this branch. If we get to the end of the
-branch, check the length against that of the other branches. */
-
-for (;;)
-  {
-  int d, min;
-  pcre_uchar *cs, *ce;
-  register pcre_uchar op = *cc;
-
-  switch (op)
-    {
-    case OP_COND:
-    case OP_SCOND:
-
-    /* If there is only one branch in a condition, the implied branch has zero
-    length, so we don't add anything. This covers the DEFINE "condition"
-    automatically. */
-
-    cs = cc + GET(cc, 1);
-    if (*cs != OP_ALT)
-      {
-      cc = cs + 1 + LINK_SIZE;
-      break;
-      }
-
-    /* Otherwise we can fall through and treat it the same as any other
-    subpattern. */
-
-    case OP_CBRA:
-    case OP_SCBRA:
-    case OP_BRA:
-    case OP_SBRA:
-    case OP_CBRAPOS:
-    case OP_SCBRAPOS:
-    case OP_BRAPOS:
-    case OP_SBRAPOS:
-    case OP_ONCE:
-    case OP_ONCE_NC:
-    d = find_minlength(re, cc, startcode, options, recurses, countptr);
-    if (d < 0) return d;
-    branchlength += d;
-    do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* ACCEPT makes things far too complicated; we have to give up. */
-
-    case OP_ACCEPT:
-    case OP_ASSERT_ACCEPT:
-    return -1;
-
-    /* Reached end of a branch; if it's a ket it is the end of a nested
-    call. If it's ALT it is an alternation in a nested call. If it is END it's
-    the end of the outer call. All can be handled by the same code. If an
-    ACCEPT was previously encountered, use the length that was in force at that
-    time, and pass back the shortest ACCEPT length. */
-
-    case OP_ALT:
-    case OP_KET:
-    case OP_KETRMAX:
-    case OP_KETRMIN:
-    case OP_KETRPOS:
-    case OP_END:
-    if (length < 0 || (!had_recurse && branchlength < length))
-      length = branchlength;
-    if (op != OP_ALT) return length;
-    cc += 1 + LINK_SIZE;
-    branchlength = 0;
-    had_recurse = FALSE;
-    break;
-
-    /* Skip over assertive subpatterns */
-
-    case OP_ASSERT:
-    case OP_ASSERT_NOT:
-    case OP_ASSERTBACK:
-    case OP_ASSERTBACK_NOT:
-    do cc += GET(cc, 1); while (*cc == OP_ALT);
-    /* Fall through */
-
-    /* Skip over things that don't match chars */
-
-    case OP_REVERSE:
-    case OP_CREF:
-    case OP_DNCREF:
-    case OP_RREF:
-    case OP_DNRREF:
-    case OP_DEF:
-    case OP_CALLOUT:
-    case OP_SOD:
-    case OP_SOM:
-    case OP_EOD:
-    case OP_EODN:
-    case OP_CIRC:
-    case OP_CIRCM:
-    case OP_DOLL:
-    case OP_DOLLM:
-    case OP_NOT_WORD_BOUNDARY:
-    case OP_WORD_BOUNDARY:
-    cc += PRIV(OP_lengths)[*cc];
-    break;
-
-    /* Skip over a subpattern that has a {0} or {0,x} quantifier */
-
-    case OP_BRAZERO:
-    case OP_BRAMINZERO:
-    case OP_BRAPOSZERO:
-    case OP_SKIPZERO:
-    cc += PRIV(OP_lengths)[*cc];
-    do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* Handle literal characters and + repetitions */
-
-    case OP_CHAR:
-    case OP_CHARI:
-    case OP_NOT:
-    case OP_NOTI:
-    case OP_PLUS:
-    case OP_PLUSI:
-    case OP_MINPLUS:
-    case OP_MINPLUSI:
-    case OP_POSPLUS:
-    case OP_POSPLUSI:
-    case OP_NOTPLUS:
-    case OP_NOTPLUSI:
-    case OP_NOTMINPLUS:
-    case OP_NOTMINPLUSI:
-    case OP_NOTPOSPLUS:
-    case OP_NOTPOSPLUSI:
-    branchlength++;
-    cc += 2;
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
-#endif
-    break;
-
-    case OP_TYPEPLUS:
-    case OP_TYPEMINPLUS:
-    case OP_TYPEPOSPLUS:
-    branchlength++;
-    cc += (cc[1] == OP_PROP || cc[1] == OP_NOTPROP)? 4 : 2;
-    break;
-
-    /* Handle exact repetitions. The count is already in characters, but we
-    need to skip over a multibyte character in UTF8 mode.  */
-
-    case OP_EXACT:
-    case OP_EXACTI:
-    case OP_NOTEXACT:
-    case OP_NOTEXACTI:
-    branchlength += GET2(cc,1);
-    cc += 2 + IMM2_SIZE;
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
-#endif
-    break;
-
-    case OP_TYPEEXACT:
-    branchlength += GET2(cc,1);
-    cc += 2 + IMM2_SIZE + ((cc[1 + IMM2_SIZE] == OP_PROP
-      || cc[1 + IMM2_SIZE] == OP_NOTPROP)? 2 : 0);
-    break;
-
-    /* Handle single-char non-literal matchers */
-
-    case OP_PROP:
-    case OP_NOTPROP:
-    cc += 2;
-    /* Fall through */
-
-    case OP_NOT_DIGIT:
-    case OP_DIGIT:
-    case OP_NOT_WHITESPACE:
-    case OP_WHITESPACE:
-    case OP_NOT_WORDCHAR:
-    case OP_WORDCHAR:
-    case OP_ANY:
-    case OP_ALLANY:
-    case OP_EXTUNI:
-    case OP_HSPACE:
-    case OP_NOT_HSPACE:
-    case OP_VSPACE:
-    case OP_NOT_VSPACE:
-    branchlength++;
-    cc++;
-    break;
-
-    /* "Any newline" might match two characters, but it also might match just
-    one. */
-
-    case OP_ANYNL:
-    branchlength += 1;
-    cc++;
-    break;
-
-    /* The single-byte matcher means we can't proceed in UTF-8 mode. (In
-    non-UTF-8 mode \C will actually be turned into OP_ALLANY, so won't ever
-    appear, but leave the code, just in case.) */
-
-    case OP_ANYBYTE:
-#ifdef SUPPORT_UTF
-    if (utf) return -1;
-#endif
-    branchlength++;
-    cc++;
-    break;
-
-    /* For repeated character types, we have to test for \p and \P, which have
-    an extra two bytes of parameters. */
-
-    case OP_TYPESTAR:
-    case OP_TYPEMINSTAR:
-    case OP_TYPEQUERY:
-    case OP_TYPEMINQUERY:
-    case OP_TYPEPOSSTAR:
-    case OP_TYPEPOSQUERY:
-    if (cc[1] == OP_PROP || cc[1] == OP_NOTPROP) cc += 2;
-    cc += PRIV(OP_lengths)[op];
-    break;
-
-    case OP_TYPEUPTO:
-    case OP_TYPEMINUPTO:
-    case OP_TYPEPOSUPTO:
-    if (cc[1 + IMM2_SIZE] == OP_PROP
-      || cc[1 + IMM2_SIZE] == OP_NOTPROP) cc += 2;
-    cc += PRIV(OP_lengths)[op];
-    break;
-
-    /* Check a class for variable quantification */
-
-    case OP_CLASS:
-    case OP_NCLASS:
-#if defined SUPPORT_UTF || defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-    case OP_XCLASS:
-    /* The original code caused an unsigned overflow in 64 bit systems,
-    so now we use a conditional statement. */
-    if (op == OP_XCLASS)
-      cc += GET(cc, 1);
-    else
-      cc += PRIV(OP_lengths)[OP_CLASS];
-#else
-    cc += PRIV(OP_lengths)[OP_CLASS];
-#endif
-
-    switch (*cc)
-      {
-      case OP_CRPLUS:
-      case OP_CRMINPLUS:
-      case OP_CRPOSPLUS:
-      branchlength++;
-      /* Fall through */
-
-      case OP_CRSTAR:
-      case OP_CRMINSTAR:
-      case OP_CRQUERY:
-      case OP_CRMINQUERY:
-      case OP_CRPOSSTAR:
-      case OP_CRPOSQUERY:
-      cc++;
-      break;
-
-      case OP_CRRANGE:
-      case OP_CRMINRANGE:
-      case OP_CRPOSRANGE:
-      branchlength += GET2(cc,1);
-      cc += 1 + 2 * IMM2_SIZE;
-      break;
-
-      default:
-      branchlength++;
-      break;
-      }
-    break;
-
-    /* Backreferences and subroutine calls are treated in the same way: we find
-    the minimum length for the subpattern. A recursion, however, causes an
-    a flag to be set that causes the length of this branch to be ignored. The
-    logic is that a recursion can only make sense if there is another
-    alternation that stops the recursing. That will provide the minimum length
-    (when no recursion happens). A backreference within the group that it is
-    referencing behaves in the same way.
-
-    If PCRE_JAVASCRIPT_COMPAT is set, a backreference to an unset bracket
-    matches an empty string (by default it causes a matching failure), so in
-    that case we must set the minimum length to zero. */
-
-    case OP_DNREF:     /* Duplicate named pattern back reference */
-    case OP_DNREFI:
-    if ((options & PCRE_JAVASCRIPT_COMPAT) == 0)
-      {
-      int count = GET2(cc, 1+IMM2_SIZE);
-      pcre_uchar *slot = (pcre_uchar *)re +
-        re->name_table_offset + GET2(cc, 1) * re->name_entry_size;
-      d = INT_MAX;
-      while (count-- > 0)
-        {
-        ce = cs = (pcre_uchar *)PRIV(find_bracket)(startcode, utf, GET2(slot, 0));
-        if (cs == NULL) return -2;
-        do ce += GET(ce, 1); while (*ce == OP_ALT);
-        if (cc > cs && cc < ce)     /* Simple recursion */
-          {
-          d = 0;
-          had_recurse = TRUE;
-          break;
-          }
-        else
-          {
-          recurse_check *r = recurses;
-          for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
-          if (r != NULL)           /* Mutual recursion */
-            {
-            d = 0;
-            had_recurse = TRUE;
-            break;
-            }
-          else
-            {
-            int dd;
-            this_recurse.prev = recurses;
-            this_recurse.group = cs;
-            dd = find_minlength(re, cs, startcode, options, &this_recurse,
-              countptr);
-            if (dd < d) d = dd;
-            }
-          }
-        slot += re->name_entry_size;
-        }
-      }
-    else d = 0;
-    cc += 1 + 2*IMM2_SIZE;
-    goto REPEAT_BACK_REFERENCE;
-
-    case OP_REF:      /* Single back reference */
-    case OP_REFI:
-    if ((options & PCRE_JAVASCRIPT_COMPAT) == 0)
-      {
-      ce = cs = (pcre_uchar *)PRIV(find_bracket)(startcode, utf, GET2(cc, 1));
-      if (cs == NULL) return -2;
-      do ce += GET(ce, 1); while (*ce == OP_ALT);
-      if (cc > cs && cc < ce)    /* Simple recursion */
-        {
-        d = 0;
-        had_recurse = TRUE;
-        }
-      else
-        {
-        recurse_check *r = recurses;
-        for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
-        if (r != NULL)           /* Mutual recursion */
-          {
-          d = 0;
-          had_recurse = TRUE;
-          }
-        else
-          {
-          this_recurse.prev = recurses;
-          this_recurse.group = cs;
-          d = find_minlength(re, cs, startcode, options, &this_recurse,
-            countptr);
-          }
-        }
-      }
-    else d = 0;
-    cc += 1 + IMM2_SIZE;
-
-    /* Handle repeated back references */
-
-    REPEAT_BACK_REFERENCE:
-    switch (*cc)
-      {
-      case OP_CRSTAR:
-      case OP_CRMINSTAR:
-      case OP_CRQUERY:
-      case OP_CRMINQUERY:
-      case OP_CRPOSSTAR:
-      case OP_CRPOSQUERY:
-      min = 0;
-      cc++;
-      break;
-
-      case OP_CRPLUS:
-      case OP_CRMINPLUS:
-      case OP_CRPOSPLUS:
-      min = 1;
-      cc++;
-      break;
-
-      case OP_CRRANGE:
-      case OP_CRMINRANGE:
-      case OP_CRPOSRANGE:
-      min = GET2(cc, 1);
-      cc += 1 + 2 * IMM2_SIZE;
-      break;
-
-      default:
-      min = 1;
-      break;
-      }
-
-    branchlength += min * d;
-    break;
-
-    /* We can easily detect direct recursion, but not mutual recursion. This is
-    caught by a recursion depth count. */
-
-    case OP_RECURSE:
-    cs = ce = (pcre_uchar *)startcode + GET(cc, 1);
-    do ce += GET(ce, 1); while (*ce == OP_ALT);
-    if (cc > cs && cc < ce)    /* Simple recursion */
-      had_recurse = TRUE;
-    else
-      {
-      recurse_check *r = recurses;
-      for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
-      if (r != NULL)           /* Mutual recursion */
-        had_recurse = TRUE;
-      else
-        {
-        this_recurse.prev = recurses;
-        this_recurse.group = cs;
-        branchlength += find_minlength(re, cs, startcode, options,
-          &this_recurse, countptr);
-        }
-      }
-    cc += 1 + LINK_SIZE;
-    break;
-
-    /* Anything else does not or need not match a character. We can get the
-    item's length from the table, but for those that can match zero occurrences
-    of a character, we must take special action for UTF-8 characters. As it
-    happens, the "NOT" versions of these opcodes are used at present only for
-    ASCII characters, so they could be omitted from this list. However, in
-    future that may change, so we include them here so as not to leave a
-    gotcha for a future maintainer. */
-
-    case OP_UPTO:
-    case OP_UPTOI:
-    case OP_NOTUPTO:
-    case OP_NOTUPTOI:
-    case OP_MINUPTO:
-    case OP_MINUPTOI:
-    case OP_NOTMINUPTO:
-    case OP_NOTMINUPTOI:
-    case OP_POSUPTO:
-    case OP_POSUPTOI:
-    case OP_NOTPOSUPTO:
-    case OP_NOTPOSUPTOI:
-
-    case OP_STAR:
-    case OP_STARI:
-    case OP_NOTSTAR:
-    case OP_NOTSTARI:
-    case OP_MINSTAR:
-    case OP_MINSTARI:
-    case OP_NOTMINSTAR:
-    case OP_NOTMINSTARI:
-    case OP_POSSTAR:
-    case OP_POSSTARI:
-    case OP_NOTPOSSTAR:
-    case OP_NOTPOSSTARI:
-
-    case OP_QUERY:
-    case OP_QUERYI:
-    case OP_NOTQUERY:
-    case OP_NOTQUERYI:
-    case OP_MINQUERY:
-    case OP_MINQUERYI:
-    case OP_NOTMINQUERY:
-    case OP_NOTMINQUERYI:
-    case OP_POSQUERY:
-    case OP_POSQUERYI:
-    case OP_NOTPOSQUERY:
-    case OP_NOTPOSQUERYI:
-
-    cc += PRIV(OP_lengths)[op];
-#ifdef SUPPORT_UTF
-    if (utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
-#endif
-    break;
-
-    /* Skip these, but we need to add in the name length. */
-
-    case OP_MARK:
-    case OP_PRUNE_ARG:
-    case OP_SKIP_ARG:
-    case OP_THEN_ARG:
-    cc += PRIV(OP_lengths)[op] + cc[1];
-    break;
-
-    /* The remaining opcodes are just skipped over. */
-
-    case OP_CLOSE:
-    case OP_COMMIT:
-    case OP_FAIL:
-    case OP_PRUNE:
-    case OP_SET_SOM:
-    case OP_SKIP:
-    case OP_THEN:
-    cc += PRIV(OP_lengths)[op];
-    break;
-
-    /* This should not occur: we list all opcodes explicitly so that when
-    new ones get added they are properly considered. */
-
-    default:
-    return -3;
-    }
-  }
-/* Control never gets here */
-}
-
-
-
-/*************************************************
-*      Set a bit and maybe its alternate case    *
-*************************************************/
-
-/* Given a character, set its first byte's bit in the table, and also the
-corresponding bit for the other version of a letter if we are caseless. In
-UTF-8 mode, for characters greater than 127, we can only do the caseless thing
-when Unicode property support is available.
-
-Arguments:
-  start_bits    points to the bit map
-  p             points to the character
-  caseless      the caseless flag
-  cd            the block with char table pointers
-  utf           TRUE for UTF-8 / UTF-16 / UTF-32 mode
-
-Returns:        pointer after the character
-*/
-
-static const pcre_uchar *
-set_table_bit(pcre_uint8 *start_bits, const pcre_uchar *p, BOOL caseless,
-  compile_data *cd, BOOL utf)
-{
-pcre_uint32 c = *p;
-
-#ifdef COMPILE_PCRE8
-SET_BIT(c);
-
-#ifdef SUPPORT_UTF
-if (utf && c > 127)
-  {
-  GETCHARINC(c, p);
-#ifdef SUPPORT_UCP
-  if (caseless)
-    {
-    pcre_uchar buff[6];
-    c = UCD_OTHERCASE(c);
-    (void)PRIV(ord2utf)(c, buff);
-    SET_BIT(buff[0]);
-    }
-#endif  /* Not SUPPORT_UCP */
-  return p;
-  }
-#else   /* Not SUPPORT_UTF */
-(void)(utf);   /* Stops warning for unused parameter */
-#endif  /* SUPPORT_UTF */
-
-/* Not UTF-8 mode, or character is less than 127. */
-
-if (caseless && (cd->ctypes[c] & ctype_letter) != 0) SET_BIT(cd->fcc[c]);
-return p + 1;
-#endif  /* COMPILE_PCRE8 */
-
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-if (c > 0xff)
-  {
-  c = 0xff;
-  caseless = FALSE;
-  }
-SET_BIT(c);
-
-#ifdef SUPPORT_UTF
-if (utf && c > 127)
-  {
-  GETCHARINC(c, p);
-#ifdef SUPPORT_UCP
-  if (caseless)
-    {
-    c = UCD_OTHERCASE(c);
-    if (c > 0xff)
-      c = 0xff;
-    SET_BIT(c);
-    }
-#endif  /* SUPPORT_UCP */
-  return p;
-  }
-#else   /* Not SUPPORT_UTF */
-(void)(utf);   /* Stops warning for unused parameter */
-#endif  /* SUPPORT_UTF */
-
-if (caseless && (cd->ctypes[c] & ctype_letter) != 0) SET_BIT(cd->fcc[c]);
-return p + 1;
-#endif
-}
-
-
-
-/*************************************************
-*     Set bits for a positive character type     *
-*************************************************/
-
-/* This function sets starting bits for a character type. In UTF-8 mode, we can
-only do a direct setting for bytes less than 128, as otherwise there can be
-confusion with bytes in the middle of UTF-8 characters. In a "traditional"
-environment, the tables will only recognize ASCII characters anyway, but in at
-least one Windows environment, some higher bytes bits were set in the tables.
-So we deal with that case by considering the UTF-8 encoding.
-
-Arguments:
-  start_bits     the starting bitmap
-  cbit type      the type of character wanted
-  table_limit    32 for non-UTF-8; 16 for UTF-8
-  cd             the block with char table pointers
-
-Returns:         nothing
-*/
-
-static void
-set_type_bits(pcre_uint8 *start_bits, int cbit_type, unsigned int table_limit,
-  compile_data *cd)
-{
-register pcre_uint32 c;
-for (c = 0; c < table_limit; c++) start_bits[c] |= cd->cbits[c+cbit_type];
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-if (table_limit == 32) return;
-for (c = 128; c < 256; c++)
-  {
-  if ((cd->cbits[c/8] & (1 << (c&7))) != 0)
-    {
-    pcre_uchar buff[6];
-    (void)PRIV(ord2utf)(c, buff);
-    SET_BIT(buff[0]);
-    }
-  }
-#endif
-}
-
-
-/*************************************************
-*     Set bits for a negative character type     *
-*************************************************/
-
-/* This function sets starting bits for a negative character type such as \D.
-In UTF-8 mode, we can only do a direct setting for bytes less than 128, as
-otherwise there can be confusion with bytes in the middle of UTF-8 characters.
-Unlike in the positive case, where we can set appropriate starting bits for
-specific high-valued UTF-8 characters, in this case we have to set the bits for
-all high-valued characters. The lowest is 0xc2, but we overkill by starting at
-0xc0 (192) for simplicity.
-
-Arguments:
-  start_bits     the starting bitmap
-  cbit type      the type of character wanted
-  table_limit    32 for non-UTF-8; 16 for UTF-8
-  cd             the block with char table pointers
-
-Returns:         nothing
-*/
-
-static void
-set_nottype_bits(pcre_uint8 *start_bits, int cbit_type, unsigned int table_limit,
-  compile_data *cd)
-{
-register pcre_uint32 c;
-for (c = 0; c < table_limit; c++) start_bits[c] |= ~cd->cbits[c+cbit_type];
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-if (table_limit != 32) for (c = 24; c < 32; c++) start_bits[c] = 0xff;
-#endif
-}
-
-
-
-/*************************************************
-*          Create bitmap of starting bytes       *
-*************************************************/
-
-/* This function scans a compiled unanchored expression recursively and
-attempts to build a bitmap of the set of possible starting bytes. As time goes
-by, we may be able to get more clever at doing this. The SSB_CONTINUE return is
-useful for parenthesized groups in patterns such as (a*)b where the group
-provides some optional starting bytes but scanning must continue at the outer
-level to find at least one mandatory byte. At the outermost level, this
-function fails unless the result is SSB_DONE.
-
-Arguments:
-  code         points to an expression
-  start_bits   points to a 32-byte table, initialized to 0
-  utf          TRUE if in UTF-8 / UTF-16 / UTF-32 mode
-  cd           the block with char table pointers
-
-Returns:       SSB_FAIL     => Failed to find any starting bytes
-               SSB_DONE     => Found mandatory starting bytes
-               SSB_CONTINUE => Found optional starting bytes
-               SSB_UNKNOWN  => Hit an unrecognized opcode
-*/
-
-static int
-set_start_bits(const pcre_uchar *code, pcre_uint8 *start_bits, BOOL utf,
-  compile_data *cd)
-{
-register pcre_uint32 c;
-int yield = SSB_DONE;
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-int table_limit = utf? 16:32;
-#else
-int table_limit = 32;
-#endif
-
-#if 0
-/* ========================================================================= */
-/* The following comment and code was inserted in January 1999. In May 2006,
-when it was observed to cause compiler warnings about unused values, I took it
-out again. If anybody is still using OS/2, they will have to put it back
-manually. */
-
-/* This next statement and the later reference to dummy are here in order to
-trick the optimizer of the IBM C compiler for OS/2 into generating correct
-code. Apparently IBM isn't going to fix the problem, and we would rather not
-disable optimization (in this module it actually makes a big difference, and
-the pcre module can use all the optimization it can get). */
-
-volatile int dummy;
-/* ========================================================================= */
-#endif
-
-do
-  {
-  BOOL try_next = TRUE;
-  const pcre_uchar *tcode = code + 1 + LINK_SIZE;
-
-  if (*code == OP_CBRA || *code == OP_SCBRA ||
-      *code == OP_CBRAPOS || *code == OP_SCBRAPOS) tcode += IMM2_SIZE;
-
-  while (try_next)    /* Loop for items in this branch */
-    {
-    int rc;
-
-    switch(*tcode)
-      {
-      /* If we reach something we don't understand, it means a new opcode has
-      been created that hasn't been added to this code. Hopefully this problem
-      will be discovered during testing. */
-
-      default:
-      return SSB_UNKNOWN;
-
-      /* Fail for a valid opcode that implies no starting bits. */
-
-      case OP_ACCEPT:
-      case OP_ASSERT_ACCEPT:
-      case OP_ALLANY:
-      case OP_ANY:
-      case OP_ANYBYTE:
-      case OP_CIRC:
-      case OP_CIRCM:
-      case OP_CLOSE:
-      case OP_COMMIT:
-      case OP_COND:
-      case OP_CREF:
-      case OP_DEF:
-      case OP_DNCREF:
-      case OP_DNREF:
-      case OP_DNREFI:
-      case OP_DNRREF:
-      case OP_DOLL:
-      case OP_DOLLM:
-      case OP_END:
-      case OP_EOD:
-      case OP_EODN:
-      case OP_EXTUNI:
-      case OP_FAIL:
-      case OP_MARK:
-      case OP_NOT:
-      case OP_NOTEXACT:
-      case OP_NOTEXACTI:
-      case OP_NOTI:
-      case OP_NOTMINPLUS:
-      case OP_NOTMINPLUSI:
-      case OP_NOTMINQUERY:
-      case OP_NOTMINQUERYI:
-      case OP_NOTMINSTAR:
-      case OP_NOTMINSTARI:
-      case OP_NOTMINUPTO:
-      case OP_NOTMINUPTOI:
-      case OP_NOTPLUS:
-      case OP_NOTPLUSI:
-      case OP_NOTPOSPLUS:
-      case OP_NOTPOSPLUSI:
-      case OP_NOTPOSQUERY:
-      case OP_NOTPOSQUERYI:
-      case OP_NOTPOSSTAR:
-      case OP_NOTPOSSTARI:
-      case OP_NOTPOSUPTO:
-      case OP_NOTPOSUPTOI:
-      case OP_NOTPROP:
-      case OP_NOTQUERY:
-      case OP_NOTQUERYI:
-      case OP_NOTSTAR:
-      case OP_NOTSTARI:
-      case OP_NOTUPTO:
-      case OP_NOTUPTOI:
-      case OP_NOT_HSPACE:
-      case OP_NOT_VSPACE:
-      case OP_PRUNE:
-      case OP_PRUNE_ARG:
-      case OP_RECURSE:
-      case OP_REF:
-      case OP_REFI:
-      case OP_REVERSE:
-      case OP_RREF:
-      case OP_SCOND:
-      case OP_SET_SOM:
-      case OP_SKIP:
-      case OP_SKIP_ARG:
-      case OP_SOD:
-      case OP_SOM:
-      case OP_THEN:
-      case OP_THEN_ARG:
-      return SSB_FAIL;
-
-      /* A "real" property test implies no starting bits, but the fake property
-      PT_CLIST identifies a list of characters. These lists are short, as they
-      are used for characters with more than one "other case", so there is no
-      point in recognizing them for OP_NOTPROP. */
-
-      case OP_PROP:
-      if (tcode[1] != PT_CLIST) return SSB_FAIL;
-        {
-        const pcre_uint32 *p = PRIV(ucd_caseless_sets) + tcode[2];
-        while ((c = *p++) < NOTACHAR)
-          {
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-          if (utf)
-            {
-            pcre_uchar buff[6];
-            (void)PRIV(ord2utf)(c, buff);
-            c = buff[0];
-            }
-#endif
-          if (c > 0xff) SET_BIT(0xff); else SET_BIT(c);
-          }
-        }
-      try_next = FALSE;
-      break;
-
-      /* We can ignore word boundary tests. */
-
-      case OP_WORD_BOUNDARY:
-      case OP_NOT_WORD_BOUNDARY:
-      tcode++;
-      break;
-
-      /* If we hit a bracket or a positive lookahead assertion, recurse to set
-      bits from within the subpattern. If it can't find anything, we have to
-      give up. If it finds some mandatory character(s), we are done for this
-      branch. Otherwise, carry on scanning after the subpattern. */
-
-      case OP_BRA:
-      case OP_SBRA:
-      case OP_CBRA:
-      case OP_SCBRA:
-      case OP_BRAPOS:
-      case OP_SBRAPOS:
-      case OP_CBRAPOS:
-      case OP_SCBRAPOS:
-      case OP_ONCE:
-      case OP_ONCE_NC:
-      case OP_ASSERT:
-      rc = set_start_bits(tcode, start_bits, utf, cd);
-      if (rc == SSB_FAIL || rc == SSB_UNKNOWN) return rc;
-      if (rc == SSB_DONE) try_next = FALSE; else
-        {
-        do tcode += GET(tcode, 1); while (*tcode == OP_ALT);
-        tcode += 1 + LINK_SIZE;
-        }
-      break;
-
-      /* If we hit ALT or KET, it means we haven't found anything mandatory in
-      this branch, though we might have found something optional. For ALT, we
-      continue with the next alternative, but we have to arrange that the final
-      result from subpattern is SSB_CONTINUE rather than SSB_DONE. For KET,
-      return SSB_CONTINUE: if this is the top level, that indicates failure,
-      but after a nested subpattern, it causes scanning to continue. */
-
-      case OP_ALT:
-      yield = SSB_CONTINUE;
-      try_next = FALSE;
-      break;
-
-      case OP_KET:
-      case OP_KETRMAX:
-      case OP_KETRMIN:
-      case OP_KETRPOS:
-      return SSB_CONTINUE;
-
-      /* Skip over callout */
-
-      case OP_CALLOUT:
-      tcode += 2 + 2*LINK_SIZE;
-      break;
-
-      /* Skip over lookbehind and negative lookahead assertions */
-
-      case OP_ASSERT_NOT:
-      case OP_ASSERTBACK:
-      case OP_ASSERTBACK_NOT:
-      do tcode += GET(tcode, 1); while (*tcode == OP_ALT);
-      tcode += 1 + LINK_SIZE;
-      break;
-
-      /* BRAZERO does the bracket, but carries on. */
-
-      case OP_BRAZERO:
-      case OP_BRAMINZERO:
-      case OP_BRAPOSZERO:
-      rc = set_start_bits(++tcode, start_bits, utf, cd);
-      if (rc == SSB_FAIL || rc == SSB_UNKNOWN) return rc;
-/* =========================================================================
-      See the comment at the head of this function concerning the next line,
-      which was an old fudge for the benefit of OS/2.
-      dummy = 1;
-  ========================================================================= */
-      do tcode += GET(tcode,1); while (*tcode == OP_ALT);
-      tcode += 1 + LINK_SIZE;
-      break;
-
-      /* SKIPZERO skips the bracket. */
-
-      case OP_SKIPZERO:
-      tcode++;
-      do tcode += GET(tcode,1); while (*tcode == OP_ALT);
-      tcode += 1 + LINK_SIZE;
-      break;
-
-      /* Single-char * or ? sets the bit and tries the next item */
-
-      case OP_STAR:
-      case OP_MINSTAR:
-      case OP_POSSTAR:
-      case OP_QUERY:
-      case OP_MINQUERY:
-      case OP_POSQUERY:
-      tcode = set_table_bit(start_bits, tcode + 1, FALSE, cd, utf);
-      break;
-
-      case OP_STARI:
-      case OP_MINSTARI:
-      case OP_POSSTARI:
-      case OP_QUERYI:
-      case OP_MINQUERYI:
-      case OP_POSQUERYI:
-      tcode = set_table_bit(start_bits, tcode + 1, TRUE, cd, utf);
-      break;
-
-      /* Single-char upto sets the bit and tries the next */
-
-      case OP_UPTO:
-      case OP_MINUPTO:
-      case OP_POSUPTO:
-      tcode = set_table_bit(start_bits, tcode + 1 + IMM2_SIZE, FALSE, cd, utf);
-      break;
-
-      case OP_UPTOI:
-      case OP_MINUPTOI:
-      case OP_POSUPTOI:
-      tcode = set_table_bit(start_bits, tcode + 1 + IMM2_SIZE, TRUE, cd, utf);
-      break;
-
-      /* At least one single char sets the bit and stops */
-
-      case OP_EXACT:
-      tcode += IMM2_SIZE;
-      /* Fall through */
-      case OP_CHAR:
-      case OP_PLUS:
-      case OP_MINPLUS:
-      case OP_POSPLUS:
-      (void)set_table_bit(start_bits, tcode + 1, FALSE, cd, utf);
-      try_next = FALSE;
-      break;
-
-      case OP_EXACTI:
-      tcode += IMM2_SIZE;
-      /* Fall through */
-      case OP_CHARI:
-      case OP_PLUSI:
-      case OP_MINPLUSI:
-      case OP_POSPLUSI:
-      (void)set_table_bit(start_bits, tcode + 1, TRUE, cd, utf);
-      try_next = FALSE;
-      break;
-
-      /* Special spacing and line-terminating items. These recognize specific
-      lists of characters. The difference between VSPACE and ANYNL is that the
-      latter can match the two-character CRLF sequence, but that is not
-      relevant for finding the first character, so their code here is
-      identical. */
-
-      case OP_HSPACE:
-      SET_BIT(CHAR_HT);
-      SET_BIT(CHAR_SPACE);
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-#ifdef COMPILE_PCRE8
-        SET_BIT(0xC2);  /* For U+00A0 */
-        SET_BIT(0xE1);  /* For U+1680, U+180E */
-        SET_BIT(0xE2);  /* For U+2000 - U+200A, U+202F, U+205F */
-        SET_BIT(0xE3);  /* For U+3000 */
-#elif defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-        SET_BIT(0xA0);
-        SET_BIT(0xFF);  /* For characters > 255 */
-#endif  /* COMPILE_PCRE[8|16|32] */
-        }
-      else
-#endif /* SUPPORT_UTF */
-        {
-#ifndef EBCDIC
-        SET_BIT(0xA0);
-#endif  /* Not EBCDIC */
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-        SET_BIT(0xFF);  /* For characters > 255 */
-#endif  /* COMPILE_PCRE[16|32] */
-        }
-      try_next = FALSE;
-      break;
-
-      case OP_ANYNL:
-      case OP_VSPACE:
-      SET_BIT(CHAR_LF);
-      SET_BIT(CHAR_VT);
-      SET_BIT(CHAR_FF);
-      SET_BIT(CHAR_CR);
-#ifdef SUPPORT_UTF
-      if (utf)
-        {
-#ifdef COMPILE_PCRE8
-        SET_BIT(0xC2);  /* For U+0085 */
-        SET_BIT(0xE2);  /* For U+2028, U+2029 */
-#elif defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-        SET_BIT(CHAR_NEL);
-        SET_BIT(0xFF);  /* For characters > 255 */
-#endif  /* COMPILE_PCRE[8|16|32] */
-        }
-      else
-#endif /* SUPPORT_UTF */
-        {
-        SET_BIT(CHAR_NEL);
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-        SET_BIT(0xFF);  /* For characters > 255 */
-#endif
-        }
-      try_next = FALSE;
-      break;
-
-      /* Single character types set the bits and stop. Note that if PCRE_UCP
-      is set, we do not see these op codes because \d etc are converted to
-      properties. Therefore, these apply in the case when only characters less
-      than 256 are recognized to match the types. */
-
-      case OP_NOT_DIGIT:
-      set_nottype_bits(start_bits, cbit_digit, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      case OP_DIGIT:
-      set_type_bits(start_bits, cbit_digit, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      /* The cbit_space table has vertical tab as whitespace; we no longer
-      have to play fancy tricks because Perl added VT to its whitespace at
-      release 5.18. PCRE added it at release 8.34. */
-
-      case OP_NOT_WHITESPACE:
-      set_nottype_bits(start_bits, cbit_space, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      case OP_WHITESPACE:
-      set_type_bits(start_bits, cbit_space, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      case OP_NOT_WORDCHAR:
-      set_nottype_bits(start_bits, cbit_word, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      case OP_WORDCHAR:
-      set_type_bits(start_bits, cbit_word, table_limit, cd);
-      try_next = FALSE;
-      break;
-
-      /* One or more character type fudges the pointer and restarts, knowing
-      it will hit a single character type and stop there. */
-
-      case OP_TYPEPLUS:
-      case OP_TYPEMINPLUS:
-      case OP_TYPEPOSPLUS:
-      tcode++;
-      break;
-
-      case OP_TYPEEXACT:
-      tcode += 1 + IMM2_SIZE;
-      break;
-
-      /* Zero or more repeats of character types set the bits and then
-      try again. */
-
-      case OP_TYPEUPTO:
-      case OP_TYPEMINUPTO:
-      case OP_TYPEPOSUPTO:
-      tcode += IMM2_SIZE;  /* Fall through */
-
-      case OP_TYPESTAR:
-      case OP_TYPEMINSTAR:
-      case OP_TYPEPOSSTAR:
-      case OP_TYPEQUERY:
-      case OP_TYPEMINQUERY:
-      case OP_TYPEPOSQUERY:
-      switch(tcode[1])
-        {
-        default:
-        case OP_ANY:
-        case OP_ALLANY:
-        return SSB_FAIL;
-
-        case OP_HSPACE:
-        SET_BIT(CHAR_HT);
-        SET_BIT(CHAR_SPACE);
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-#ifdef COMPILE_PCRE8
-          SET_BIT(0xC2);  /* For U+00A0 */
-          SET_BIT(0xE1);  /* For U+1680, U+180E */
-          SET_BIT(0xE2);  /* For U+2000 - U+200A, U+202F, U+205F */
-          SET_BIT(0xE3);  /* For U+3000 */
-#elif defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-          SET_BIT(0xA0);
-          SET_BIT(0xFF);  /* For characters > 255 */
-#endif  /* COMPILE_PCRE[8|16|32] */
-          }
-        else
-#endif /* SUPPORT_UTF */
-#ifndef EBCDIC
-          SET_BIT(0xA0);
-#endif  /* Not EBCDIC */
-        break;
-
-        case OP_ANYNL:
-        case OP_VSPACE:
-        SET_BIT(CHAR_LF);
-        SET_BIT(CHAR_VT);
-        SET_BIT(CHAR_FF);
-        SET_BIT(CHAR_CR);
-#ifdef SUPPORT_UTF
-        if (utf)
-          {
-#ifdef COMPILE_PCRE8
-          SET_BIT(0xC2);  /* For U+0085 */
-          SET_BIT(0xE2);  /* For U+2028, U+2029 */
-#elif defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-          SET_BIT(CHAR_NEL);
-          SET_BIT(0xFF);  /* For characters > 255 */
-#endif  /* COMPILE_PCRE16 */
-          }
-        else
-#endif /* SUPPORT_UTF */
-          SET_BIT(CHAR_NEL);
-        break;
-
-        case OP_NOT_DIGIT:
-        set_nottype_bits(start_bits, cbit_digit, table_limit, cd);
-        break;
-
-        case OP_DIGIT:
-        set_type_bits(start_bits, cbit_digit, table_limit, cd);
-        break;
-
-        /* The cbit_space table has vertical tab as whitespace; we no longer
-        have to play fancy tricks because Perl added VT to its whitespace at
-        release 5.18. PCRE added it at release 8.34. */
-
-        case OP_NOT_WHITESPACE:
-        set_nottype_bits(start_bits, cbit_space, table_limit, cd);
-        break;
-
-        case OP_WHITESPACE:
-        set_type_bits(start_bits, cbit_space, table_limit, cd);
-        break;
-
-        case OP_NOT_WORDCHAR:
-        set_nottype_bits(start_bits, cbit_word, table_limit, cd);
-        break;
-
-        case OP_WORDCHAR:
-        set_type_bits(start_bits, cbit_word, table_limit, cd);
-        break;
-        }
-
-      tcode += 2;
-      break;
-
-      /* Character class where all the information is in a bit map: set the
-      bits and either carry on or not, according to the repeat count. If it was
-      a negative class, and we are operating with UTF-8 characters, any byte
-      with a value >= 0xc4 is a potentially valid starter because it starts a
-      character with a value > 255. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-      case OP_XCLASS:
-      if ((tcode[1 + LINK_SIZE] & XCL_HASPROP) != 0)
-        return SSB_FAIL;
-      /* All bits are set. */
-      if ((tcode[1 + LINK_SIZE] & XCL_MAP) == 0 && (tcode[1 + LINK_SIZE] & XCL_NOT) != 0)
-        return SSB_FAIL;
-#endif
-      /* Fall through */
-
-      case OP_NCLASS:
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-      if (utf)
-        {
-        start_bits[24] |= 0xf0;              /* Bits for 0xc4 - 0xc8 */
-        memset(start_bits+25, 0xff, 7);      /* Bits for 0xc9 - 0xff */
-        }
-#endif
-#if defined COMPILE_PCRE16 || defined COMPILE_PCRE32
-      SET_BIT(0xFF);                         /* For characters > 255 */
-#endif
-      /* Fall through */
-
-      case OP_CLASS:
-        {
-        pcre_uint8 *map;
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-        map = NULL;
-        if (*tcode == OP_XCLASS)
-          {
-          if ((tcode[1 + LINK_SIZE] & XCL_MAP) != 0)
-            map = (pcre_uint8 *)(tcode + 1 + LINK_SIZE + 1);
-          tcode += GET(tcode, 1);
-          }
-        else
-#endif
-          {
-          tcode++;
-          map = (pcre_uint8 *)tcode;
-          tcode += 32 / sizeof(pcre_uchar);
-          }
-
-        /* In UTF-8 mode, the bits in a bit map correspond to character
-        values, not to byte values. However, the bit map we are constructing is
-        for byte values. So we have to do a conversion for characters whose
-        value is > 127. In fact, there are only two possible starting bytes for
-        characters in the range 128 - 255. */
-
-#if defined SUPPORT_UTF || !defined COMPILE_PCRE8
-        if (map != NULL)
-#endif
-          {
-#if defined SUPPORT_UTF && defined COMPILE_PCRE8
-          if (utf)
-            {
-            for (c = 0; c < 16; c++) start_bits[c] |= map[c];
-            for (c = 128; c < 256; c++)
-              {
-              if ((map[c/8] & (1 << (c&7))) != 0)
-                {
-                int d = (c >> 6) | 0xc0;            /* Set bit for this starter */
-                start_bits[d/8] |= (1 << (d&7));    /* and then skip on to the */
-                c = (c & 0xc0) + 0x40 - 1;          /* next relevant character. */
-                }
-              }
-            }
-          else
-#endif
-            {
-            /* In non-UTF-8 mode, the two bit maps are completely compatible. */
-            for (c = 0; c < 32; c++) start_bits[c] |= map[c];
-            }
-          }
-
-        /* Advance past the bit map, and act on what follows. For a zero
-        minimum repeat, continue; otherwise stop processing. */
-
-        switch (*tcode)
-          {
-          case OP_CRSTAR:
-          case OP_CRMINSTAR:
-          case OP_CRQUERY:
-          case OP_CRMINQUERY:
-          case OP_CRPOSSTAR:
-          case OP_CRPOSQUERY:
-          tcode++;
-          break;
-
-          case OP_CRRANGE:
-          case OP_CRMINRANGE:
-          case OP_CRPOSRANGE:
-          if (GET2(tcode, 1) == 0) tcode += 1 + 2 * IMM2_SIZE;
-            else try_next = FALSE;
-          break;
-
-          default:
-          try_next = FALSE;
-          break;
-          }
-        }
-      break; /* End of bitmap class handling */
-
-      }      /* End of switch */
-    }        /* End of try_next loop */
-
-  code += GET(code, 1);   /* Advance to next branch */
-  }
-while (*code == OP_ALT);
-return yield;
-}
-
-
-
-
-
-/*************************************************
-*          Study a compiled expression           *
-*************************************************/
-
-/* This function is handed a compiled expression that it must study to produce
-information that will speed up the matching. It returns a pcre[16]_extra block
-which then gets handed back to pcre_exec().
-
-Arguments:
-  re        points to the compiled expression
-  options   contains option bits
-  errorptr  points to where to place error messages;
-            set NULL unless error
-
-Returns:    pointer to a pcre[16]_extra block, with study_data filled in and
-              the appropriate flags set;
-            NULL on error or if no optimization possible
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN pcre_extra * PCRE_CALL_CONVENTION
-pcre_study(const pcre *external_re, int options, const char **errorptr)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN pcre16_extra * PCRE_CALL_CONVENTION
-pcre16_study(const pcre16 *external_re, int options, const char **errorptr)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN pcre32_extra * PCRE_CALL_CONVENTION
-pcre32_study(const pcre32 *external_re, int options, const char **errorptr)
-#endif
-{
-int min;
-int count = 0;
-BOOL bits_set = FALSE;
-pcre_uint8 start_bits[32];
-PUBL(extra) *extra = NULL;
-pcre_study_data *study;
-const pcre_uint8 *tables;
-pcre_uchar *code;
-compile_data compile_block;
-const REAL_PCRE *re = (const REAL_PCRE *)external_re;
-
-
-*errorptr = NULL;
-
-if (re == NULL || re->magic_number != MAGIC_NUMBER)
-  {
-  *errorptr = "argument is not a compiled regular expression";
-  return NULL;
-  }
-
-if ((re->flags & PCRE_MODE) == 0)
-  {
-#if defined COMPILE_PCRE8
-  *errorptr = "argument not compiled in 8 bit mode";
-#elif defined COMPILE_PCRE16
-  *errorptr = "argument not compiled in 16 bit mode";
-#elif defined COMPILE_PCRE32
-  *errorptr = "argument not compiled in 32 bit mode";
-#endif
-  return NULL;
-  }
-
-if ((options & ~PUBLIC_STUDY_OPTIONS) != 0)
-  {
-  *errorptr = "unknown or incorrect option bit(s) set";
-  return NULL;
-  }
-
-code = (pcre_uchar *)re + re->name_table_offset +
-  (re->name_count * re->name_entry_size);
-
-/* For an anchored pattern, or an unanchored pattern that has a first char, or
-a multiline pattern that matches only at "line starts", there is no point in
-seeking a list of starting bytes. */
-
-if ((re->options & PCRE_ANCHORED) == 0 &&
-    (re->flags & (PCRE_FIRSTSET|PCRE_STARTLINE)) == 0)
-  {
-  int rc;
-
-  /* Set the character tables in the block that is passed around */
-
-  tables = re->tables;
-
-#if defined COMPILE_PCRE8
-  if (tables == NULL)
-    (void)pcre_fullinfo(external_re, NULL, PCRE_INFO_DEFAULT_TABLES,
-    (void *)(&tables));
-#elif defined COMPILE_PCRE16
-  if (tables == NULL)
-    (void)pcre16_fullinfo(external_re, NULL, PCRE_INFO_DEFAULT_TABLES,
-    (void *)(&tables));
-#elif defined COMPILE_PCRE32
-  if (tables == NULL)
-    (void)pcre32_fullinfo(external_re, NULL, PCRE_INFO_DEFAULT_TABLES,
-    (void *)(&tables));
-#endif
-
-  compile_block.lcc = tables + lcc_offset;
-  compile_block.fcc = tables + fcc_offset;
-  compile_block.cbits = tables + cbits_offset;
-  compile_block.ctypes = tables + ctypes_offset;
-
-  /* See if we can find a fixed set of initial characters for the pattern. */
-
-  memset(start_bits, 0, 32 * sizeof(pcre_uint8));
-  rc = set_start_bits(code, start_bits, (re->options & PCRE_UTF8) != 0,
-    &compile_block);
-  bits_set = rc == SSB_DONE;
-  if (rc == SSB_UNKNOWN)
-    {
-    *errorptr = "internal error: opcode not recognized";
-    return NULL;
-    }
-  }
-
-/* Find the minimum length of subject string. */
-
-switch(min = find_minlength(re, code, code, re->options, NULL, &count))
-  {
-  case -2: *errorptr = "internal error: missing capturing bracket"; return NULL;
-  case -3: *errorptr = "internal error: opcode not recognized"; return NULL;
-  default: break;
-  }
-
-/* If a set of starting bytes has been identified, or if the minimum length is
-greater than zero, or if JIT optimization has been requested, or if
-PCRE_STUDY_EXTRA_NEEDED is set, get a pcre[16]_extra block and a
-pcre_study_data block. The study data is put in the latter, which is pointed to
-by the former, which may also get additional data set later by the calling
-program. At the moment, the size of pcre_study_data is fixed. We nevertheless
-save it in a field for returning via the pcre_fullinfo() function so that if it
-becomes variable in the future, we don't have to change that code. */
-
-if (bits_set || min > 0 || (options & (
-#ifdef SUPPORT_JIT
-    PCRE_STUDY_JIT_COMPILE | PCRE_STUDY_JIT_PARTIAL_SOFT_COMPILE |
-    PCRE_STUDY_JIT_PARTIAL_HARD_COMPILE |
-#endif
-    PCRE_STUDY_EXTRA_NEEDED)) != 0)
-  {
-  extra = (PUBL(extra) *)(PUBL(malloc))
-    (sizeof(PUBL(extra)) + sizeof(pcre_study_data));
-  if (extra == NULL)
-    {
-    *errorptr = "failed to get memory";
-    return NULL;
-    }
-
-  study = (pcre_study_data *)((char *)extra + sizeof(PUBL(extra)));
-  extra->flags = PCRE_EXTRA_STUDY_DATA;
-  extra->study_data = study;
-
-  study->size = sizeof(pcre_study_data);
-  study->flags = 0;
-
-  /* Set the start bits always, to avoid unset memory errors if the
-  study data is written to a file, but set the flag only if any of the bits
-  are set, to save time looking when none are. */
-
-  if (bits_set)
-    {
-    study->flags |= PCRE_STUDY_MAPPED;
-    memcpy(study->start_bits, start_bits, sizeof(start_bits));
-    }
-  else memset(study->start_bits, 0, 32 * sizeof(pcre_uint8));
-
-#ifdef PCRE_DEBUG
-  if (bits_set)
-    {
-    pcre_uint8 *ptr = start_bits;
-    int i;
-
-    printf("Start bits:\n");
-    for (i = 0; i < 32; i++)
-      printf("%3d: %02x%s", i * 8, *ptr++, ((i + 1) & 0x7) != 0? " " : "\n");
-    }
-#endif
-
-  /* Always set the minlength value in the block, because the JIT compiler
-  makes use of it. However, don't set the bit unless the length is greater than
-  zero - the interpretive pcre_exec() and pcre_dfa_exec() needn't waste time
-  checking the zero case. */
-
-  if (min > 0)
-    {
-    study->flags |= PCRE_STUDY_MINLEN;
-    study->minlength = min;
-    }
-  else study->minlength = 0;
-
-  /* If JIT support was compiled and requested, attempt the JIT compilation.
-  If no starting bytes were found, and the minimum length is zero, and JIT
-  compilation fails, abandon the extra block and return NULL, unless
-  PCRE_STUDY_EXTRA_NEEDED is set. */
-
-#ifdef SUPPORT_JIT
-  extra->executable_jit = NULL;
-  if ((options & PCRE_STUDY_JIT_COMPILE) != 0)
-    PRIV(jit_compile)(re, extra, JIT_COMPILE);
-  if ((options & PCRE_STUDY_JIT_PARTIAL_SOFT_COMPILE) != 0)
-    PRIV(jit_compile)(re, extra, JIT_PARTIAL_SOFT_COMPILE);
-  if ((options & PCRE_STUDY_JIT_PARTIAL_HARD_COMPILE) != 0)
-    PRIV(jit_compile)(re, extra, JIT_PARTIAL_HARD_COMPILE);
-
-  if (study->flags == 0 && (extra->flags & PCRE_EXTRA_EXECUTABLE_JIT) == 0 &&
-      (options & PCRE_STUDY_EXTRA_NEEDED) == 0)
-    {
-#if defined COMPILE_PCRE8
-    pcre_free_study(extra);
-#elif defined COMPILE_PCRE16
-    pcre16_free_study(extra);
-#elif defined COMPILE_PCRE32
-    pcre32_free_study(extra);
-#endif
-    extra = NULL;
-    }
-#endif
-  }
-
-return extra;
-}
-
-
-/*************************************************
-*          Free the study data                   *
-*************************************************/
-
-/* This function frees the memory that was obtained by pcre_study().
-
-Argument:   a pointer to the pcre[16]_extra block
-Returns:    nothing
-*/
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN void
-pcre_free_study(pcre_extra *extra)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN void
-pcre16_free_study(pcre16_extra *extra)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN void
-pcre32_free_study(pcre32_extra *extra)
-#endif
-{
-if (extra == NULL)
-  return;
-#ifdef SUPPORT_JIT
-if ((extra->flags & PCRE_EXTRA_EXECUTABLE_JIT) != 0 &&
-     extra->executable_jit != NULL)
-  PRIV(jit_free)(extra->executable_jit);
-#endif
-PUBL(free)(extra);
-}
-
-/* End of pcre_study.c */
diff --git a/src/plugins/PCREPlugin/pcre_table.c b/src/plugins/PCREPlugin/pcre_table.c
deleted file mode 100644
index db75bb8..0000000
--- a/src/plugins/PCREPlugin/pcre_table.c
+++ /dev/null
@@ -1,194 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* This file was automatically written by the dftables auxiliary
-program. It contains character tables that are used when no external
-tables are passed to PCRE by the application that calls it. The tables
-are used only for characters whose code values are less than 256.
-
-The following #includes are present because without them gcc 4.x may remove
-the array definition from the final binary if PCRE is built into a static
-library and dead code stripping is activated. This leads to link errors.
-Pulling in the header ensures that the array gets flagged as "someone
-outside this compilation unit might reference this" and so it will always
-be supplied to the linker. */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-const pcre_uint8 PRIV(default_tables)[] = {
-
-/* This table is a lower casing table. */
-
-    0,  1,  2,  3,  4,  5,  6,  7,
-    8,  9, 10, 11, 12, 13, 14, 15,
-   16, 17, 18, 19, 20, 21, 22, 23,
-   24, 25, 26, 27, 28, 29, 30, 31,
-   32, 33, 34, 35, 36, 37, 38, 39,
-   40, 41, 42, 43, 44, 45, 46, 47,
-   48, 49, 50, 51, 52, 53, 54, 55,
-   56, 57, 58, 59, 60, 61, 62, 63,
-   64, 97, 98, 99,100,101,102,103,
-  104,105,106,107,108,109,110,111,
-  112,113,114,115,116,117,118,119,
-  120,121,122, 91, 92, 93, 94, 95,
-   96, 97, 98, 99,100,101,102,103,
-  104,105,106,107,108,109,110,111,
-  112,113,114,115,116,117,118,119,
-  120,121,122,123,124,125,126,127,
-  128,129,130,131,132,133,134,135,
-  136,137,138,139,140,141,142,143,
-  144,145,146,147,148,149,150,151,
-  152,153,154,155,156,157,158,159,
-  160,161,162,163,164,165,166,167,
-  168,169,170,171,172,173,174,175,
-  176,177,178,179,180,181,182,183,
-  184,185,186,187,188,189,190,191,
-  192,193,194,195,196,197,198,199,
-  200,201,202,203,204,205,206,207,
-  208,209,210,211,212,213,214,215,
-  216,217,218,219,220,221,222,223,
-  224,225,226,227,228,229,230,231,
-  232,233,234,235,236,237,238,239,
-  240,241,242,243,244,245,246,247,
-  248,249,250,251,252,253,254,255,
-
-/* This table is a case flipping table. */
-
-    0,  1,  2,  3,  4,  5,  6,  7,
-    8,  9, 10, 11, 12, 13, 14, 15,
-   16, 17, 18, 19, 20, 21, 22, 23,
-   24, 25, 26, 27, 28, 29, 30, 31,
-   32, 33, 34, 35, 36, 37, 38, 39,
-   40, 41, 42, 43, 44, 45, 46, 47,
-   48, 49, 50, 51, 52, 53, 54, 55,
-   56, 57, 58, 59, 60, 61, 62, 63,
-   64, 97, 98, 99,100,101,102,103,
-  104,105,106,107,108,109,110,111,
-  112,113,114,115,116,117,118,119,
-  120,121,122, 91, 92, 93, 94, 95,
-   96, 65, 66, 67, 68, 69, 70, 71,
-   72, 73, 74, 75, 76, 77, 78, 79,
-   80, 81, 82, 83, 84, 85, 86, 87,
-   88, 89, 90,123,124,125,126,127,
-  128,129,130,131,132,133,134,135,
-  136,137,138,139,140,141,142,143,
-  144,145,146,147,148,149,150,151,
-  152,153,154,155,156,157,158,159,
-  160,161,162,163,164,165,166,167,
-  168,169,170,171,172,173,174,175,
-  176,177,178,179,180,181,182,183,
-  184,185,186,187,188,189,190,191,
-  192,193,194,195,196,197,198,199,
-  200,201,202,203,204,205,206,207,
-  208,209,210,211,212,213,214,215,
-  216,217,218,219,220,221,222,223,
-  224,225,226,227,228,229,230,231,
-  232,233,234,235,236,237,238,239,
-  240,241,242,243,244,245,246,247,
-  248,249,250,251,252,253,254,255,
-
-/* This table contains bit maps for various character classes.
-Each map is 32 bytes long and the bits run from the least
-significant end of each byte. The classes that have their own
-maps are: space, xdigit, digit, upper, lower, word, graph
-print, punct, and cntrl. Other classes are built from combinations. */
-
-  0x00,0x3e,0x00,0x00,0x01,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0x00,0x00,0xff,0x03,
-  0x7e,0x00,0x00,0x00,0x7e,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0x00,0x00,0xff,0x03,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0xfe,0xff,0xff,0x07,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0xfe,0xff,0xff,0x07,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0x00,0x00,0xff,0x03,
-  0xfe,0xff,0xff,0x87,0xfe,0xff,0xff,0x07,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,
-  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,
-  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0x00,0x00,0x00,0x00,0xfe,0xff,0x00,0xfc,
-  0x01,0x00,0x00,0xf8,0x01,0x00,0x00,0x78,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-  0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-
-/* This table identifies various classes of character by individual bits:
-  0x01   white space character
-  0x02   letter
-  0x04   decimal digit
-  0x08   hexadecimal digit
-  0x10   alphanumeric or '_'
-  0x80   regular expression metacharacter or binary zero
-*/
-
-  0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*   0-  7 */
-  0x00,0x01,0x01,0x00,0x01,0x01,0x00,0x00, /*   8- 15 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  16- 23 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /*  24- 31 */
-  0x01,0x00,0x00,0x00,0x80,0x00,0x00,0x00, /*    - '  */
-  0x80,0x80,0x80,0x80,0x00,0x00,0x80,0x00, /*  ( - /  */
-  0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c, /*  0 - 7  */
-  0x1c,0x1c,0x00,0x00,0x00,0x00,0x00,0x80, /*  8 - ?  */
-  0x00,0x1a,0x1a,0x1a,0x1a,0x1a,0x1a,0x12, /*  @ - G  */
-  0x12,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /*  H - O  */
-  0x12,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /*  P - W  */
-  0x12,0x12,0x12,0x80,0x80,0x00,0x80,0x10, /*  X - _  */
-  0x00,0x1a,0x1a,0x1a,0x1a,0x1a,0x1a,0x12, /*  ` - g  */
-  0x12,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /*  h - o  */
-  0x12,0x12,0x12,0x12,0x12,0x12,0x12,0x12, /*  p - w  */
-  0x12,0x12,0x12,0x80,0x80,0x00,0x00,0x00, /*  x -127 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 128-135 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 136-143 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 144-151 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 152-159 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 160-167 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 168-175 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 176-183 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 184-191 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 192-199 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 200-207 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 208-215 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 216-223 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 224-231 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 232-239 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 240-247 */
-  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};/* 248-255 */
-
-/* End of pcre_chartables.c */
diff --git a/src/plugins/PCREPlugin/pcre_tables.c b/src/plugins/PCREPlugin/pcre_tables.c
deleted file mode 100644
index a0e0e24..0000000
--- a/src/plugins/PCREPlugin/pcre_tables.c
+++ /dev/null
@@ -1,728 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-#ifndef PCRE_INCLUDED
-
-/* This module contains some fixed tables that are used by more than one of the
-PCRE code modules. The tables are also #included by the pcretest program, which
-uses macros to change their names from _pcre_xxx to xxxx, thereby avoiding name
-clashes with the library. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-#endif /* PCRE_INCLUDED */
-
-/* Table of sizes for the fixed-length opcodes. It's defined in a macro so that
-the definition is next to the definition of the opcodes in pcre_internal.h. */
-
-const pcre_uint8 PRIV(OP_lengths)[] = { OP_LENGTHS };
-
-/* Tables of horizontal and vertical whitespace characters, suitable for
-adding to classes. */
-
-const pcre_uint32 PRIV(hspace_list)[] = { HSPACE_LIST };
-const pcre_uint32 PRIV(vspace_list)[] = { VSPACE_LIST };
-
-
-
-/*************************************************
-*           Tables for UTF-8 support             *
-*************************************************/
-
-/* These are the breakpoints for different numbers of bytes in a UTF-8
-character. */
-
-#if (defined SUPPORT_UTF && defined COMPILE_PCRE8) \
-  || (defined PCRE_INCLUDED && (defined SUPPORT_PCRE16 || defined SUPPORT_PCRE32))
-
-/* These tables are also required by pcretest in 16- or 32-bit mode. */
-
-const int PRIV(utf8_table1)[] =
-  { 0x7f, 0x7ff, 0xffff, 0x1fffff, 0x3ffffff, 0x7fffffff};
-
-const int PRIV(utf8_table1_size) = sizeof(PRIV(utf8_table1)) / sizeof(int);
-
-/* These are the indicator bits and the mask for the data bits to set in the
-first byte of a character, indexed by the number of additional bytes. */
-
-const int PRIV(utf8_table2)[] = { 0,    0xc0, 0xe0, 0xf0, 0xf8, 0xfc};
-const int PRIV(utf8_table3)[] = { 0xff, 0x1f, 0x0f, 0x07, 0x03, 0x01};
-
-/* Table of the number of extra bytes, indexed by the first byte masked with
-0x3f. The highest number for a valid UTF-8 first byte is in fact 0x3d. */
-
-const pcre_uint8 PRIV(utf8_table4)[] = {
-  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
-  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
-  2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
-  3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5 };
-
-#endif /* (SUPPORT_UTF && COMPILE_PCRE8) || (PCRE_INCLUDED && SUPPORT_PCRE[16|32])*/
-
-#ifdef SUPPORT_UTF
-
-/* Table to translate from particular type value to the general value. */
-
-const pcre_uint32 PRIV(ucp_gentype)[] = {
-  ucp_C, ucp_C, ucp_C, ucp_C, ucp_C,  /* Cc, Cf, Cn, Co, Cs */
-  ucp_L, ucp_L, ucp_L, ucp_L, ucp_L,  /* Ll, Lu, Lm, Lo, Lt */
-  ucp_M, ucp_M, ucp_M,                /* Mc, Me, Mn */
-  ucp_N, ucp_N, ucp_N,                /* Nd, Nl, No */
-  ucp_P, ucp_P, ucp_P, ucp_P, ucp_P,  /* Pc, Pd, Pe, Pf, Pi */
-  ucp_P, ucp_P,                       /* Ps, Po */
-  ucp_S, ucp_S, ucp_S, ucp_S,         /* Sc, Sk, Sm, So */
-  ucp_Z, ucp_Z, ucp_Z                 /* Zl, Zp, Zs */
-};
-
-/* This table encodes the rules for finding the end of an extended grapheme
-cluster. Every code point has a grapheme break property which is one of the
-ucp_gbXX values defined in ucp.h. The 2-dimensional table is indexed by the
-properties of two adjacent code points. The left property selects a word from
-the table, and the right property selects a bit from that word like this:
-
-  ucp_gbtable[left-property] & (1 << right-property)
-
-The value is non-zero if a grapheme break is NOT permitted between the relevant
-two code points. The breaking rules are as follows:
-
-1. Break at the start and end of text (pretty obviously).
-
-2. Do not break between a CR and LF; otherwise, break before and   after
-   controls.
-
-3. Do not break Hangul syllable sequences, the rules for which are:
-
-    L may be followed by L, V, LV or LVT
-    LV or V may be followed by V or T
-    LVT or T may be followed by T
-
-4. Do not break before extending characters.
-
-The next two rules are only for extended grapheme clusters (but that's what we
-are implementing).
-
-5. Do not break before SpacingMarks.
-
-6. Do not break after Prepend characters.
-
-7. Otherwise, break everywhere.
-*/
-
-const pcre_uint32 PRIV(ucp_gbtable[]) = {
-   (1< 0x10ffff is not permitted
-PCRE_UTF8_ERR14  3-byte character with value 0xd000-0xdfff is not permitted
-PCRE_UTF8_ERR15  Overlong 2-byte sequence
-PCRE_UTF8_ERR16  Overlong 3-byte sequence
-PCRE_UTF8_ERR17  Overlong 4-byte sequence
-PCRE_UTF8_ERR18  Overlong 5-byte sequence (won't ever occur)
-PCRE_UTF8_ERR19  Overlong 6-byte sequence (won't ever occur)
-PCRE_UTF8_ERR20  Isolated 0x80 byte (not within UTF-8 character)
-PCRE_UTF8_ERR21  Byte with the illegal value 0xfe or 0xff
-PCRE_UTF8_ERR22  Unused (was non-character)
-
-Arguments:
-  string       points to the string
-  length       length of string, or -1 if the string is zero-terminated
-  errp         pointer to an error position offset variable
-
-Returns:       = 0    if the string is a valid UTF-8 string
-               > 0    otherwise, setting the offset of the bad character
-*/
-
-int
-PRIV(valid_utf)(PCRE_PUCHAR string, int length, int *erroroffset)
-{
-#ifdef SUPPORT_UTF
-register PCRE_PUCHAR p;
-
-if (length < 0)
-  {
-  for (p = string; *p != 0; p++);
-  length = (int)(p - string);
-  }
-
-for (p = string; length-- > 0; p++)
-  {
-  register pcre_uchar ab, c, d;
-
-  c = *p;
-  if (c < 128) continue;                /* ASCII character */
-
-  if (c < 0xc0)                         /* Isolated 10xx xxxx byte */
-    {
-    *erroroffset = (int)(p - string);
-    return PCRE_UTF8_ERR20;
-    }
-
-  if (c >= 0xfe)                        /* Invalid 0xfe or 0xff bytes */
-    {
-    *erroroffset = (int)(p - string);
-    return PCRE_UTF8_ERR21;
-    }
-
-  ab = PRIV(utf8_table4)[c & 0x3f];     /* Number of additional bytes */
-  if (length < ab)
-    {
-    *erroroffset = (int)(p - string);          /* Missing bytes */
-    return ab - length;                 /* Codes ERR1 to ERR5 */
-    }
-  length -= ab;                         /* Length remaining */
-
-  /* Check top bits in the second byte */
-
-  if (((d = *(++p)) & 0xc0) != 0x80)
-    {
-    *erroroffset = (int)(p - string) - 1;
-    return PCRE_UTF8_ERR6;
-    }
-
-  /* For each length, check that the remaining bytes start with the 0x80 bit
-  set and not the 0x40 bit. Then check for an overlong sequence, and for the
-  excluded range 0xd800 to 0xdfff. */
-
-  switch (ab)
-    {
-    /* 2-byte character. No further bytes to check for 0x80. Check first byte
-    for for xx00 000x (overlong sequence). */
-
-    case 1: if ((c & 0x3e) == 0)
-      {
-      *erroroffset = (int)(p - string) - 1;
-      return PCRE_UTF8_ERR15;
-      }
-    break;
-
-    /* 3-byte character. Check third byte for 0x80. Then check first 2 bytes
-      for 1110 0000, xx0x xxxx (overlong sequence) or
-          1110 1101, 1010 xxxx (0xd800 - 0xdfff) */
-
-    case 2:
-    if ((*(++p) & 0xc0) != 0x80)     /* Third byte */
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR7;
-      }
-    if (c == 0xe0 && (d & 0x20) == 0)
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR16;
-      }
-    if (c == 0xed && d >= 0xa0)
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR14;
-      }
-    break;
-
-    /* 4-byte character. Check 3rd and 4th bytes for 0x80. Then check first 2
-       bytes for for 1111 0000, xx00 xxxx (overlong sequence), then check for a
-       character greater than 0x0010ffff (f4 8f bf bf) */
-
-    case 3:
-    if ((*(++p) & 0xc0) != 0x80)     /* Third byte */
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR7;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Fourth byte */
-      {
-      *erroroffset = (int)(p - string) - 3;
-      return PCRE_UTF8_ERR8;
-      }
-    if (c == 0xf0 && (d & 0x30) == 0)
-      {
-      *erroroffset = (int)(p - string) - 3;
-      return PCRE_UTF8_ERR17;
-      }
-    if (c > 0xf4 || (c == 0xf4 && d > 0x8f))
-      {
-      *erroroffset = (int)(p - string) - 3;
-      return PCRE_UTF8_ERR13;
-      }
-    break;
-
-    /* 5-byte and 6-byte characters are not allowed by RFC 3629, and will be
-    rejected by the length test below. However, we do the appropriate tests
-    here so that overlong sequences get diagnosed, and also in case there is
-    ever an option for handling these larger code points. */
-
-    /* 5-byte character. Check 3rd, 4th, and 5th bytes for 0x80. Then check for
-    1111 1000, xx00 0xxx */
-
-    case 4:
-    if ((*(++p) & 0xc0) != 0x80)     /* Third byte */
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR7;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Fourth byte */
-      {
-      *erroroffset = (int)(p - string) - 3;
-      return PCRE_UTF8_ERR8;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Fifth byte */
-      {
-      *erroroffset = (int)(p - string) - 4;
-      return PCRE_UTF8_ERR9;
-      }
-    if (c == 0xf8 && (d & 0x38) == 0)
-      {
-      *erroroffset = (int)(p - string) - 4;
-      return PCRE_UTF8_ERR18;
-      }
-    break;
-
-    /* 6-byte character. Check 3rd-6th bytes for 0x80. Then check for
-    1111 1100, xx00 00xx. */
-
-    case 5:
-    if ((*(++p) & 0xc0) != 0x80)     /* Third byte */
-      {
-      *erroroffset = (int)(p - string) - 2;
-      return PCRE_UTF8_ERR7;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Fourth byte */
-      {
-      *erroroffset = (int)(p - string) - 3;
-      return PCRE_UTF8_ERR8;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Fifth byte */
-      {
-      *erroroffset = (int)(p - string) - 4;
-      return PCRE_UTF8_ERR9;
-      }
-    if ((*(++p) & 0xc0) != 0x80)     /* Sixth byte */
-      {
-      *erroroffset = (int)(p - string) - 5;
-      return PCRE_UTF8_ERR10;
-      }
-    if (c == 0xfc && (d & 0x3c) == 0)
-      {
-      *erroroffset = (int)(p - string) - 5;
-      return PCRE_UTF8_ERR19;
-      }
-    break;
-    }
-
-  /* Character is valid under RFC 2279, but 4-byte and 5-byte characters are
-  excluded by RFC 3629. The pointer p is currently at the last byte of the
-  character. */
-
-  if (ab > 3)
-    {
-    *erroroffset = (int)(p - string) - ab;
-    return (ab == 4)? PCRE_UTF8_ERR11 : PCRE_UTF8_ERR12;
-    }
-  }
-
-#else  /* Not SUPPORT_UTF */
-(void)(string);  /* Keep picky compilers happy */
-(void)(length);
-(void)(erroroffset);
-#endif
-
-return PCRE_UTF8_ERR0;   /* This indicates success */
-}
-
-/* End of pcre_valid_utf8.c */
diff --git a/src/plugins/PCREPlugin/pcre_version.c b/src/plugins/PCREPlugin/pcre_version.c
deleted file mode 100644
index d2ed0a5..0000000
--- a/src/plugins/PCREPlugin/pcre_version.c
+++ /dev/null
@@ -1,99 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2012 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains the external function pcre_version(), which returns a
-string that identifies the PCRE version that is in use. */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-*          Return version string                 *
-*************************************************/
-
-/* These macros are the standard way of turning unquoted text into C strings.
-They allow macros like PCRE_MAJOR to be defined without quotes, which is
-convenient for user programs that want to test its value. */
-
-#define STRING(a)  # a
-#define XSTRING(s) STRING(s)
-
-/* A problem turned up with PCRE_PRERELEASE, which is defined empty for
-production releases. Originally, it was used naively in this code:
-
-  return XSTRING(PCRE_MAJOR)
-         "." XSTRING(PCRE_MINOR)
-             XSTRING(PCRE_PRERELEASE)
-         " " XSTRING(PCRE_DATE);
-
-However, when PCRE_PRERELEASE is empty, this leads to an attempted expansion of
-STRING(). The C standard states: "If (before argument substitution) any
-argument consists of no preprocessing tokens, the behavior is undefined." It
-turns out the gcc treats this case as a single empty string - which is what we
-really want - but Visual C grumbles about the lack of an argument for the
-macro. Unfortunately, both are within their rights. To cope with both ways of
-handling this, I had resort to some messy hackery that does a test at run time.
-I could find no way of detecting that a macro is defined as an empty string at
-pre-processor time. This hack uses a standard trick for avoiding calling
-the STRING macro with an empty argument when doing the test. */
-
-#if defined COMPILE_PCRE8
-PCRE_EXP_DEFN const char * PCRE_CALL_CONVENTION
-pcre_version(void)
-#elif defined COMPILE_PCRE16
-PCRE_EXP_DEFN const char * PCRE_CALL_CONVENTION
-pcre16_version(void)
-#elif defined COMPILE_PCRE32
-PCRE_EXP_DEFN const char * PCRE_CALL_CONVENTION
-pcre32_version(void)
-#endif
-{
-return (XSTRING(Z PCRE_PRERELEASE)[1] == 0)?
-  XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE) :
-  XSTRING(PCRE_MAJOR.PCRE_MINOR) XSTRING(PCRE_PRERELEASE PCRE_DATE);
-}
-
-/* End of pcre_version.c */
diff --git a/src/plugins/PCREPlugin/pcre_xclass.c b/src/plugins/PCREPlugin/pcre_xclass.c
deleted file mode 100644
index 94cfcad..0000000
--- a/src/plugins/PCREPlugin/pcre_xclass.c
+++ /dev/null
@@ -1,269 +0,0 @@
-#define HAVE_CONFIG_H
-/*************************************************
-*      Perl-Compatible Regular Expressions       *
-*************************************************/
-
-/* PCRE is a library of functions to support regular expressions whose syntax
-and semantics are as close as possible to those of the Perl 5 language.
-
-                       Written by Philip Hazel
-           Copyright (c) 1997-2013 University of Cambridge
-
------------------------------------------------------------------------------
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-
-    * Neither the name of the University of Cambridge nor the names of its
-      contributors may be used to endorse or promote products derived from
-      this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------------------------
-*/
-
-
-/* This module contains an internal function that is used to match an extended
-class. It is used by both pcre_exec() and pcre_def_exec(). */
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "pcre_internal.h"
-
-
-/*************************************************
-*       Match character against an XCLASS        *
-*************************************************/
-
-/* This function is called to match a character against an extended class that
-might contain values > 255 and/or Unicode properties.
-
-Arguments:
-  c           the character
-  data        points to the flag byte of the XCLASS data
-
-Returns:      TRUE if character matches, else FALSE
-*/
-
-BOOL
-PRIV(xclass)(pcre_uint32 c, const pcre_uchar *data, BOOL utf)
-{
-pcre_uchar t;
-BOOL negated = (*data & XCL_NOT) != 0;
-
-(void)utf;
-#ifdef COMPILE_PCRE8
-/* In 8 bit mode, this must always be TRUE. Help the compiler to know that. */
-utf = TRUE;
-#endif
-
-/* Character values < 256 are matched against a bitmap, if one is present. If
-not, we still carry on, because there may be ranges that start below 256 in the
-additional data. */
-
-if (c < 256)
-  {
-  if ((*data & XCL_HASPROP) == 0)
-    {
-    if ((*data & XCL_MAP) == 0) return negated;
-    return (((pcre_uint8 *)(data + 1))[c/8] & (1 << (c&7))) != 0;
-    }
-  if ((*data & XCL_MAP) != 0 &&
-    (((pcre_uint8 *)(data + 1))[c/8] & (1 << (c&7))) != 0)
-    return !negated; /* char found */
-  }
-
-/* First skip the bit map if present. Then match against the list of Unicode
-properties or large chars or ranges that end with a large char. We won't ever
-encounter XCL_PROP or XCL_NOTPROP when UCP support is not compiled. */
-
-if ((*data++ & XCL_MAP) != 0) data += 32 / sizeof(pcre_uchar);
-
-while ((t = *data++) != XCL_END)
-  {
-  pcre_uint32 x, y;
-  if (t == XCL_SINGLE)
-    {
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      GETCHARINC(x, data); /* macro generates multiple statements */
-      }
-    else
-#endif
-      x = *data++;
-    if (c == x) return !negated;
-    }
-  else if (t == XCL_RANGE)
-    {
-#ifdef SUPPORT_UTF
-    if (utf)
-      {
-      GETCHARINC(x, data); /* macro generates multiple statements */
-      GETCHARINC(y, data); /* macro generates multiple statements */
-      }
-    else
-#endif
-      {
-      x = *data++;
-      y = *data++;
-      }
-    if (c >= x && c <= y) return !negated;
-    }
-
-#ifdef SUPPORT_UCP
-  else  /* XCL_PROP & XCL_NOTPROP */
-    {
-    const ucd_record *prop = GET_UCD(c);
-    BOOL isprop = t == XCL_PROP;
-
-    switch(*data)
-      {
-      case PT_ANY:
-      if (isprop) return !negated;
-      break;
-
-      case PT_LAMP:
-      if ((prop->chartype == ucp_Lu || prop->chartype == ucp_Ll ||
-           prop->chartype == ucp_Lt) == isprop) return !negated;
-      break;
-
-      case PT_GC:
-      if ((data[1] == PRIV(ucp_gentype)[prop->chartype]) == isprop)
-        return !negated;
-      break;
-
-      case PT_PC:
-      if ((data[1] == prop->chartype) == isprop) return !negated;
-      break;
-
-      case PT_SC:
-      if ((data[1] == prop->script) == isprop) return !negated;
-      break;
-
-      case PT_ALNUM:
-      if ((PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-           PRIV(ucp_gentype)[prop->chartype] == ucp_N) == isprop)
-        return !negated;
-      break;
-
-      /* Perl space used to exclude VT, but from Perl 5.18 it is included,
-      which means that Perl space and POSIX space are now identical. PCRE
-      was changed at release 8.34. */
-
-      case PT_SPACE:    /* Perl space */
-      case PT_PXSPACE:  /* POSIX space */
-      switch(c)
-        {
-        HSPACE_CASES:
-        VSPACE_CASES:
-        if (isprop) return !negated;
-        break;
-
-        default:
-        if ((PRIV(ucp_gentype)[prop->chartype] == ucp_Z) == isprop)
-          return !negated;
-        break;
-        }
-      break;
-
-      case PT_WORD:
-      if ((PRIV(ucp_gentype)[prop->chartype] == ucp_L ||
-           PRIV(ucp_gentype)[prop->chartype] == ucp_N || c == CHAR_UNDERSCORE)
-             == isprop)
-        return !negated;
-      break;
-
-      case PT_UCNC:
-      if (c < 0xa0)
-        {
-        if ((c == CHAR_DOLLAR_SIGN || c == CHAR_COMMERCIAL_AT ||
-             c == CHAR_GRAVE_ACCENT) == isprop)
-          return !negated;
-        }
-      else
-        {
-        if ((c < 0xd800 || c > 0xdfff) == isprop)
-          return !negated;
-        }
-      break;
-
-      /* The following three properties can occur only in an XCLASS, as there
-      is no \p or \P coding for them. */
-
-      /* Graphic character. Implement this as not Z (space or separator) and
-      not C (other), except for Cf (format) with a few exceptions. This seems
-      to be what Perl does. The exceptional characters are:
-
-      U+061C           Arabic Letter Mark
-      U+180E           Mongolian Vowel Separator
-      U+2066 - U+2069  Various "isolate"s
-      */
-
-      case PT_PXGRAPH:
-      if ((PRIV(ucp_gentype)[prop->chartype] != ucp_Z &&
-            (PRIV(ucp_gentype)[prop->chartype] != ucp_C ||
-              (prop->chartype == ucp_Cf &&
-                c != 0x061c && c != 0x180e && (c < 0x2066 || c > 0x2069))
-         )) == isprop)
-        return !negated;
-      break;
-
-      /* Printable character: same as graphic, with the addition of Zs, i.e.
-      not Zl and not Zp, and U+180E. */
-
-      case PT_PXPRINT:
-      if ((prop->chartype != ucp_Zl &&
-           prop->chartype != ucp_Zp &&
-            (PRIV(ucp_gentype)[prop->chartype] != ucp_C ||
-              (prop->chartype == ucp_Cf &&
-                c != 0x061c && (c < 0x2066 || c > 0x2069))
-         )) == isprop)
-        return !negated;
-      break;
-
-      /* Punctuation: all Unicode punctuation, plus ASCII characters that
-      Unicode treats as symbols rather than punctuation, for Perl
-      compatibility (these are $+<=>^`|~). */
-
-      case PT_PXPUNCT:
-      if ((PRIV(ucp_gentype)[prop->chartype] == ucp_P ||
-            (c < 128 && PRIV(ucp_gentype)[prop->chartype] == ucp_S)) == isprop)
-        return !negated;
-      break;
-
-      /* This should never occur, but compilers may mutter if there is no
-      default. */
-
-      default:
-      return FALSE;
-      }
-
-    data += 2;
-    }
-#endif  /* SUPPORT_UCP */
-  }
-
-return negated;   /* char did not match */
-}
-
-/* End of pcre_xclass.c */
diff --git a/src/plugins/PCREPlugin/ucp.h b/src/plugins/PCREPlugin/ucp.h
deleted file mode 100644
index 2fa0029..0000000
--- a/src/plugins/PCREPlugin/ucp.h
+++ /dev/null
@@ -1,224 +0,0 @@
-/*************************************************
-*          Unicode Property Table handler        *
-*************************************************/
-
-#ifndef _UCP_H
-#define _UCP_H
-
-/* This file contains definitions of the property values that are returned by
-the UCD access macros. New values that are added for new releases of Unicode
-should always be at the end of each enum, for backwards compatibility.
-
-IMPORTANT: Note also that the specific numeric values of the enums have to be
-the same as the values that are generated by the maint/MultiStage2.py script,
-where the equivalent property descriptive names are listed in vectors.
-
-ALSO: The specific values of the first two enums are assumed for the table
-called catposstab in pcre_compile.c. */
-
-/* These are the general character categories. */
-
-enum {
-  ucp_C,     /* Other */
-  ucp_L,     /* Letter */
-  ucp_M,     /* Mark */
-  ucp_N,     /* Number */
-  ucp_P,     /* Punctuation */
-  ucp_S,     /* Symbol */
-  ucp_Z      /* Separator */
-};
-
-/* These are the particular character categories. */
-
-enum {
-  ucp_Cc,    /* Control */
-  ucp_Cf,    /* Format */
-  ucp_Cn,    /* Unassigned */
-  ucp_Co,    /* Private use */
-  ucp_Cs,    /* Surrogate */
-  ucp_Ll,    /* Lower case letter */
-  ucp_Lm,    /* Modifier letter */
-  ucp_Lo,    /* Other letter */
-  ucp_Lt,    /* Title case letter */
-  ucp_Lu,    /* Upper case letter */
-  ucp_Mc,    /* Spacing mark */
-  ucp_Me,    /* Enclosing mark */
-  ucp_Mn,    /* Non-spacing mark */
-  ucp_Nd,    /* Decimal number */
-  ucp_Nl,    /* Letter number */
-  ucp_No,    /* Other number */
-  ucp_Pc,    /* Connector punctuation */
-  ucp_Pd,    /* Dash punctuation */
-  ucp_Pe,    /* Close punctuation */
-  ucp_Pf,    /* Final punctuation */
-  ucp_Pi,    /* Initial punctuation */
-  ucp_Po,    /* Other punctuation */
-  ucp_Ps,    /* Open punctuation */
-  ucp_Sc,    /* Currency symbol */
-  ucp_Sk,    /* Modifier symbol */
-  ucp_Sm,    /* Mathematical symbol */
-  ucp_So,    /* Other symbol */
-  ucp_Zl,    /* Line separator */
-  ucp_Zp,    /* Paragraph separator */
-  ucp_Zs     /* Space separator */
-};
-
-/* These are grapheme break properties. Note that the code for processing them
-assumes that the values are less than 16. If more values are added that take
-the number to 16 or more, the code will have to be rewritten. */
-
-enum {
-  ucp_gbCR,                /*  0 */
-  ucp_gbLF,                /*  1 */
-  ucp_gbControl,           /*  2 */
-  ucp_gbExtend,            /*  3 */
-  ucp_gbPrepend,           /*  4 */
-  ucp_gbSpacingMark,       /*  5 */
-  ucp_gbL,                 /*  6 Hangul syllable type L */
-  ucp_gbV,                 /*  7 Hangul syllable type V */
-  ucp_gbT,                 /*  8 Hangul syllable type T */
-  ucp_gbLV,                /*  9 Hangul syllable type LV */
-  ucp_gbLVT,               /* 10 Hangul syllable type LVT */
-  ucp_gbRegionalIndicator, /* 11 */
-  ucp_gbOther              /* 12 */
-};
-
-/* These are the script identifications. */
-
-enum {
-  ucp_Arabic,
-  ucp_Armenian,
-  ucp_Bengali,
-  ucp_Bopomofo,
-  ucp_Braille,
-  ucp_Buginese,
-  ucp_Buhid,
-  ucp_Canadian_Aboriginal,
-  ucp_Cherokee,
-  ucp_Common,
-  ucp_Coptic,
-  ucp_Cypriot,
-  ucp_Cyrillic,
-  ucp_Deseret,
-  ucp_Devanagari,
-  ucp_Ethiopic,
-  ucp_Georgian,
-  ucp_Glagolitic,
-  ucp_Gothic,
-  ucp_Greek,
-  ucp_Gujarati,
-  ucp_Gurmukhi,
-  ucp_Han,
-  ucp_Hangul,
-  ucp_Hanunoo,
-  ucp_Hebrew,
-  ucp_Hiragana,
-  ucp_Inherited,
-  ucp_Kannada,
-  ucp_Katakana,
-  ucp_Kharoshthi,
-  ucp_Khmer,
-  ucp_Lao,
-  ucp_Latin,
-  ucp_Limbu,
-  ucp_Linear_B,
-  ucp_Malayalam,
-  ucp_Mongolian,
-  ucp_Myanmar,
-  ucp_New_Tai_Lue,
-  ucp_Ogham,
-  ucp_Old_Italic,
-  ucp_Old_Persian,
-  ucp_Oriya,
-  ucp_Osmanya,
-  ucp_Runic,
-  ucp_Shavian,
-  ucp_Sinhala,
-  ucp_Syloti_Nagri,
-  ucp_Syriac,
-  ucp_Tagalog,
-  ucp_Tagbanwa,
-  ucp_Tai_Le,
-  ucp_Tamil,
-  ucp_Telugu,
-  ucp_Thaana,
-  ucp_Thai,
-  ucp_Tibetan,
-  ucp_Tifinagh,
-  ucp_Ugaritic,
-  ucp_Yi,
-  /* New for Unicode 5.0: */
-  ucp_Balinese,
-  ucp_Cuneiform,
-  ucp_Nko,
-  ucp_Phags_Pa,
-  ucp_Phoenician,
-  /* New for Unicode 5.1: */
-  ucp_Carian,
-  ucp_Cham,
-  ucp_Kayah_Li,
-  ucp_Lepcha,
-  ucp_Lycian,
-  ucp_Lydian,
-  ucp_Ol_Chiki,
-  ucp_Rejang,
-  ucp_Saurashtra,
-  ucp_Sundanese,
-  ucp_Vai,
-  /* New for Unicode 5.2: */
-  ucp_Avestan,
-  ucp_Bamum,
-  ucp_Egyptian_Hieroglyphs,
-  ucp_Imperial_Aramaic,
-  ucp_Inscriptional_Pahlavi,
-  ucp_Inscriptional_Parthian,
-  ucp_Javanese,
-  ucp_Kaithi,
-  ucp_Lisu,
-  ucp_Meetei_Mayek,
-  ucp_Old_South_Arabian,
-  ucp_Old_Turkic,
-  ucp_Samaritan,
-  ucp_Tai_Tham,
-  ucp_Tai_Viet,
-  /* New for Unicode 6.0.0: */
-  ucp_Batak,
-  ucp_Brahmi,
-  ucp_Mandaic,
-  /* New for Unicode 6.1.0: */
-  ucp_Chakma,
-  ucp_Meroitic_Cursive,
-  ucp_Meroitic_Hieroglyphs,
-  ucp_Miao,
-  ucp_Sharada,
-  ucp_Sora_Sompeng,
-  ucp_Takri,
-  /* New for Unicode 7.0.0: */
-  ucp_Bassa_Vah,
-  ucp_Caucasian_Albanian,
-  ucp_Duployan,
-  ucp_Elbasan,
-  ucp_Grantha,
-  ucp_Khojki,
-  ucp_Khudawadi,
-  ucp_Linear_A,
-  ucp_Mahajani,
-  ucp_Manichaean,
-  ucp_Mende_Kikakui,
-  ucp_Modi,
-  ucp_Mro,
-  ucp_Nabataean,
-  ucp_Old_North_Arabian,
-  ucp_Old_Permic,
-  ucp_Pahawh_Hmong,
-  ucp_Palmyrene,
-  ucp_Psalter_Pahlavi,
-  ucp_Pau_Cin_Hau,
-  ucp_Siddham,
-  ucp_Tirhuta,
-  ucp_Warang_Citi
-};
-
-#endif
-
-/* End of ucp.h */
diff --git a/src/plugins/PamAuth/CMakeLists.txt b/src/plugins/PamAuth/CMakeLists.txt
new file mode 100644
index 0000000..6143bab
--- /dev/null
+++ b/src/plugins/PamAuth/CMakeLists.txt
@@ -0,0 +1,19 @@
+# PamAuth - requires PAM
+
+if(NOT PAM_FOUND)
+    message(STATUS "PamAuth requires PAM, skipping")
+    return()
+endif()
+
+add_3proxy_plugin(PamAuth
+    SOURCES pamauth.c
+)
+
+if(TARGET PAM::PAM)
+    target_link_libraries(PamAuth PRIVATE PAM::PAM)
+else()
+    target_link_libraries(PamAuth PRIVATE ${PAM_LIBRARIES})
+    if(PAM_INCLUDE_DIRS)
+        target_include_directories(PamAuth PRIVATE ${PAM_INCLUDE_DIRS})
+    endif()
+endif()
diff --git a/src/plugins/PamAuth/Makefile.inc b/src/plugins/PamAuth/Makefile.inc
index 8acd72a..a15c991 100644
--- a/src/plugins/PamAuth/Makefile.inc
+++ b/src/plugins/PamAuth/Makefile.inc
@@ -1,7 +1,10 @@
+PAMLIB ?= pam
+
 all: $(BUILDDIR)pamauth$(DLSUFFICS)
 
 pamauth$(OBJSUFFICS): pamauth.c
 	$(CC) $(DCFLAGS) $(CFLAGS) pamauth.c
 
 $(BUILDDIR)pamauth$(DLSUFFICS): pamauth$(OBJSUFFICS)
-	$(LN) $(LNOUT)../../$(BUILDDIR)pamauth$(DLSUFFICS) $(LDFLAGS) $(DLFLAGS) $(LIBSPREFIX)pam$(LIBSSUFFIX) pamauth$(OBJSUFFICS)
+	$(LN) $(LNOUT)../../$(BUILDDIR)pamauth$(DLSUFFICS) $(LDFLAGS) $(DLFLAGS) $(LIBSPREFIX)$(PAMLIB)$(LIBSSUFFIX) pamauth$(OBJSUFFICS)
+
diff --git a/src/plugins/PamAuth/PAMAUTH.TXT b/src/plugins/PamAuth/PAMAUTH.TXT
index 82b5bf4..e256cff 100644
--- a/src/plugins/PamAuth/PAMAUTH.TXT
+++ b/src/plugins/PamAuth/PAMAUTH.TXT
@@ -1,27 +1,27 @@
- PAM   3proxy ( *NIX)
+Плагин PAM авторизации для 3proxy (ОС *NIX)
 (c)  Kirill Lopuchov lopuchov@mail.ru
 
 
-                              
-   *NIX	 .     
-freebsd 5.2  Linux Debian 4.
+                              Описание
+Работает только на *NIX	системах . Работоспособность проверялась на  
+freebsd 5.2 и Linux Debian 4.
 
 
-                          PAM 
+                         Настройка PAM 
 
- PAM   3proxy     Linux debian 4 ,   
-/etc/pam.d/3proxy.      
+Настраиваем PAM сервис для 3proxy  на примере для Linux debian 4 , создаем файл 
+/etc/pam.d/3proxy. Прописываем в нем следующую строку 
 
 @include common-auth
-                           
+                         Настройка плагина 
 
 ----------------------------3proxy.cfg-------------------------------
-# start -    
-# 3proxy -   PAM
+# start - имя процедуры инициализации плагина
+# 3proxy - имя сервиса PAM
 
 plugin "pamauth.so" start 3proxy
 
-#    
+# рекомендуется включать кеширование авторизации
 authcache user,password 60
 auth cache pam
 allow *
diff --git a/src/plugins/PamAuth/pamauth.c b/src/plugins/PamAuth/pamauth.c
index da65ee9..d4f3791 100644
--- a/src/plugins/PamAuth/pamauth.c
+++ b/src/plugins/PamAuth/pamauth.c
@@ -1,7 +1,7 @@
 /* plugin for 3proxy with PAM auth only for *NIX (linux,*bsd)
 Kirill Lopuchov 
 
-   Compile with: gcc -shared -o pamauth.so pamauth.c -lpam  -DNOODBC
+   Compile with: gcc -shared -o pamauth.so pamauth.c -lpam
 */
 
 #include "../../structures.h"
@@ -12,7 +12,7 @@ Kirill Lopuchov 
 #include 
 
 
-pthread_mutex_t pam_mutex;
+_3proxy_mutex_t pam_mutex;
 
 static int         already_loaded = 0;
 
@@ -89,10 +89,10 @@ static int pamfunc(struct clientparam *param)
   /*start process auth */  
   conv.appdata_ptr = (char *) param->password;
 
-  pthread_mutex_lock(&pam_mutex);
+  _3proxy_mutex_lock(&pam_mutex);
   if (!pamh)
     {
-	retval = pam_start ((char *)service, "3proxy@" , &conv, &pamh);
+	retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh);
     }
    if (retval == PAM_SUCCESS)
        retval = pam_set_item (pamh, PAM_USER, param->username); 
@@ -102,6 +102,8 @@ static int pamfunc(struct clientparam *param)
 /*fprintf(stderr,"pam_set_item2 rc=%d\n",retval); */       
    if (retval == PAM_SUCCESS)
          retval = pam_authenticate (pamh, 0);  
+   if (retval == PAM_SUCCESS)
+       retval = pam_acct_mgmt (pamh, 0);
 /*fprintf(stderr,"pam_authenticate rc=%d\n",retval);*/
    
    if (retval == PAM_SUCCESS) {  /*auth OK*/  rc=0;   }
@@ -111,7 +113,7 @@ static int pamfunc(struct clientparam *param)
       retval = pam_end (pamh, retval);
    if (retval != PAM_SUCCESS)
       {  pamh = NULL;   }
-  pthread_mutex_unlock(&pam_mutex);
+  _3proxy_mutex_unlock(&pam_mutex);
 
   return rc;
 
@@ -132,13 +134,13 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, unsigne
  if(argc < 2) return 1;
  pl = pluginlink;
  if(service) free(service);
- service=strdup((char *)argv[1]); 
+ service=(unsigned char *)strdup((char *)argv[1]); 
 
  if (already_loaded) { return (0); }
 
  already_loaded = 1;
     
- pthread_mutex_init(&pam_mutex, NULL);
+ _3proxy_mutex_init(&pam_mutex);
  pamauth.authenticate = pamfunc;
  pamauth.authorize = pluginlink->checkACL;
  pamauth.desc = "pam";
diff --git a/src/plugins/SSLPlugin/Makefile b/src/plugins/SSLPlugin/Makefile
deleted file mode 100644
index e7c51ad..0000000
--- a/src/plugins/SSLPlugin/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include Makefile.var
diff --git a/src/plugins/SSLPlugin/Makefile.inc b/src/plugins/SSLPlugin/Makefile.inc
deleted file mode 100644
index 1afc984..0000000
--- a/src/plugins/SSLPlugin/Makefile.inc
+++ /dev/null
@@ -1,14 +0,0 @@
-all: $(BUILDDIR)SSLPlugin$(DLSUFFICS)
-
-
-
-ssl_plugin$(OBJSUFFICS): ssl_plugin.c
-	$(CC) $(DCFLAGS) $(CFLAGS) ssl_plugin.c
-
-my_ssl$(OBJSUFFICS): my_ssl.c
-	$(CC) $(DCFLAGS) $(CFLAGS) my_ssl.c
-
-
-$(BUILDDIR)SSLPlugin$(DLSUFFICS): ssl_plugin$(OBJSUFFICS) my_ssl$(OBJSUFFICS)
-	$(LN) $(LNOUT)../../$(BUILDDIR)SSLPlugin$(DLSUFFICS) $(LDFLAGS) $(DLFLAGS) ssl_plugin$(OBJSUFFICS) my_ssl$(OBJSUFFICS) $(LIBS) 
-	
\ No newline at end of file
diff --git a/src/plugins/SSLPlugin/my_ssl.c b/src/plugins/SSLPlugin/my_ssl.c
deleted file mode 100644
index 86bf2fb..0000000
--- a/src/plugins/SSLPlugin/my_ssl.c
+++ /dev/null
@@ -1,496 +0,0 @@
-
-#define _CRT_SECURE_NO_WARNINGS
-
-#include "../../structures.h"
-#include 
-#include 
-#ifndef _WIN32
-#include 
-#endif
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "../../proxy.h"
-#include "my_ssl.h"
-
-
-
-
-typedef struct _ssl_conn {
-	SSL_CTX *ctx;
-	SSL *ssl;
-} ssl_conn;
-
-static X509 *CA_cert = NULL;
-static EVP_PKEY *CA_key = NULL;
-static EVP_PKEY *server_key = NULL;
-static X509_NAME *name = NULL;
-
-pthread_mutex_t ssl_file_mutex;
-
-
-static char errbuf[256];
-
-static char hexMap[] = { 
-                          '0', '1', '2', '3', '4', '5', '6', '7', 
-                          '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
-                        }; 
-
-static BIO *bio_err=NULL;
-
-
-static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length) 
-{
-	char *p;
-	size_t i;
-	
-	if ( str_length < ( (bin_length*2)+1) ) 
-		return 0; 
-
-	p = str; 
-	for ( i=0; i < bin_length; ++i )  
-	{ 
-		*p++ = hexMap[(*(unsigned char *)bin) >> 4];  
-		*p++ = hexMap[(*(unsigned char *)bin) & 0xf]; 
-		++bin;
-	} 
-	
-	*p = 0; 
-
-	return p - str; 
-}
-
-static int add_ext(X509 *cert, int nid, char *value)
-{
-	X509_EXTENSION *ex;
-	X509V3_CTX ctx;
-	/* This sets the 'context' of the extensions. */
-	/* No configuration database */
-	X509V3_set_ctx_nodb(&ctx);
-	/* Issuer and subject certs: both the target since it is self signed,
-	 * no request and no CRL
-	 */
-	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
-	ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
-	if (!ex)
-		return 0;
-
-	X509_add_ext(cert,ex,-1);
-	X509_EXTENSION_free(ex);
-	return 1;
-}
-
-extern char *cert_path;
-
-void del_ext(X509 *dst_cert, int nid, int where){
-	int ex;
-
-	ex = X509_get_ext_by_NID(dst_cert, nid, where);
-	if(ex>=0){
-		X509_EXTENSION *ext;
-		if((ext = X509_delete_ext(dst_cert, ex))) X509_EXTENSION_free(ext);
-	}
-
-}
-
-SSL_CERT ssl_copy_cert(SSL_CERT cert)
-{
-	int err = -1;
-	BIO *fcache;
-	X509 *src_cert = (X509 *) cert;
-	X509 *dst_cert = NULL;
-
-	EVP_PKEY *pk = NULL;
-	RSA *rsa = NULL;
-
-	unsigned char p1[] = "RU";
-	unsigned char p2[] = "3proxy";
-	unsigned char p3[] = "3proxy CA";
-
-	int hash_size = 20;
-	char hash_sha1[20];
-	char hash_name_sha1[(20*2) + 1];
-	char cache_name[256];
-
-	err = X509_digest(src_cert, EVP_sha1(), hash_sha1, NULL);
-	if(!err){
-		X509_free(dst_cert);
-		return NULL;
-	}
-
-	bin2hex(hash_sha1, 20, hash_name_sha1, sizeof(hash_name_sha1));
-	sprintf(cache_name, "%s%s.pem", cert_path, hash_name_sha1);
-	/* check if certificate is already cached */
-	fcache = BIO_new_file(cache_name, "rb");
-	if ( fcache != NULL ) {
-#ifndef _WIN32
-		flock(BIO_get_fd(fcache, NULL), LOCK_SH);
-#endif
-		dst_cert = PEM_read_bio_X509(fcache, &dst_cert, NULL, NULL);
-#ifndef _WIN32
-		flock(BIO_get_fd(fcache, NULL), LOCK_UN);
-#endif
-		BIO_free(fcache);
-		if ( dst_cert != NULL ){
-			return dst_cert;
-		}
-	}
-
-	/* proceed if certificate is not cached */
-	dst_cert = X509_dup(src_cert);
-	if ( dst_cert == NULL ) {
-		return NULL;
-	}
-	del_ext(dst_cert, NID_crl_distribution_points, -1);
-	del_ext(dst_cert, NID_info_access, -1);
-	del_ext(dst_cert, NID_authority_key_identifier, -1);
-	del_ext(dst_cert, NID_certificate_policies, 0);
-
-	err = X509_set_pubkey(dst_cert, server_key);
-	if ( err == 0 ) {
-		X509_free(dst_cert);
-		return NULL;
-	}
-
-
-	err = X509_set_issuer_name(dst_cert, name);
-	if(!err){
-		X509_free(dst_cert);
-		return NULL;
-	}
-	err = X509_sign(dst_cert, CA_key, EVP_sha256());
-	if(!err){
-		X509_free(dst_cert);
-		return NULL;
-	}
-
-	/* write to cache */
-
-	fcache = BIO_new_file(cache_name, "wb");
-	if ( fcache != NULL ) {
-#ifndef _WIN32
-		flock(BIO_get_fd(fcache, NULL), LOCK_EX);
-#endif
-		PEM_write_bio_X509(fcache, dst_cert);
-#ifndef _WIN32
-		flock(BIO_get_fd(fcache, NULL), LOCK_UN);
-#endif
-		BIO_free(fcache);
-	}
-	return dst_cert;
-}
-
-
-SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CERT *server_cert, char **errSSL)
-{
-	int err = 0;
-	X509 *cert;
-	ssl_conn *conn;
-
-	*errSSL = NULL;
-
-	conn = (ssl_conn *)malloc(sizeof(ssl_conn));
-	if ( conn == NULL ){
-		return NULL;
-	}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	conn->ctx = SSL_CTX_new(SSLv23_client_method());
-#else
-	conn->ctx = SSL_CTX_new(TLS_client_method());
-#endif
-	if ( conn->ctx == NULL ) {
-		free(conn);
-		return NULL;
-	}
-
-	conn->ssl = SSL_new(conn->ctx);
-	if ( conn->ssl == NULL ) {
-		SSL_CTX_free(conn->ctx);
-		free(conn);
-		return NULL;
-	}
-
-	if(!SSL_set_fd(conn->ssl, s)){
-		ssl_conn_free(conn);
-		return NULL;
-	}
-	if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
-	err = SSL_connect(conn->ssl);
-	if ( err == -1 ) {
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
-		ssl_conn_free(conn);
-		return NULL;
-	}
-
-	cert = SSL_get_peer_certificate(conn->ssl);     
-	if(!cert) {
-		ssl_conn_free(conn);
-		return NULL;
-	}
-
-	/* TODO: Verify certificate */
-
-	*server_cert = cert;
-
-	return conn;
-}
-
-SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CERT server_cert, char** errSSL)
-{
-	int err = 0;
-	X509 *cert;
-	ssl_conn *conn;
-
-	*errSSL = NULL;
-
-	conn = (ssl_conn *)malloc(sizeof(ssl_conn));
-	if ( conn == NULL )
-		return NULL;
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	conn->ctx = SSL_CTX_new(SSLv23_server_method());
-#else
-	conn->ctx = SSL_CTX_new(TLS_server_method());
-#endif
-	if ( conn->ctx == NULL ) {
-		free(conn);
-		return NULL;
-	}
-
-	err = SSL_CTX_use_certificate(conn->ctx, (X509 *) server_cert);
-	if ( err <= 0 ) {
-		SSL_CTX_free(conn->ctx);
-		free(conn);
-		return NULL;
-	}
-
-	err = SSL_CTX_use_PrivateKey(conn->ctx, server_key);
-	if ( err <= 0 ) {
-		SSL_CTX_free(conn->ctx);
-		free(conn);
-		return NULL;
-	}
-/*
-	err = SSL_CTX_load_verify_locations(conn->ctx, "3proxy.pem",
-                                   NULL);
-	if ( err <= 0 ) {
-		SSL_CTX_free(conn->ctx);
-		free(conn);
-		return NULL;
-	}
-*/
-
-	conn->ssl = SSL_new(conn->ctx);
-	if ( conn->ssl == NULL ) {
-		SSL_CTX_free(conn->ctx);
-		free(conn);
-		return NULL;
-	}
-
-	SSL_set_fd(conn->ssl, (int)s);
-	err = SSL_accept(conn->ssl);
-	if ( err <= 0 ) {
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
-		ssl_conn_free(conn);
-		return NULL;
-	}
-
-	//
-	// client certificate
-	// TODO: is it required?
-	//
-	cert = SSL_get_peer_certificate(conn->ssl);     
-
-	if ( cert != NULL )
-		X509_free(cert);
-
-	return conn;
-}
-
-int ssl_read(SSL_CONN connection, void * buf, int bufsize)
-{
-	ssl_conn *conn = (ssl_conn *) connection;
-
-	return SSL_read(conn->ssl, buf, bufsize);
-}
-
-int ssl_write(SSL_CONN connection, void * buf, int bufsize)
-{
-	ssl_conn *conn = (ssl_conn *) connection;
-
-	return SSL_write(conn->ssl, buf, bufsize);
-}
-int ssl_pending(SSL_CONN connection)
-{
-	ssl_conn *conn = (ssl_conn *) connection;
-
-	return SSL_pending(conn->ssl);
-}
-
-void ssl_conn_free(SSL_CONN connection)
-{
-	ssl_conn *conn = (ssl_conn *) connection;
-
-	if(conn){
-		if(conn->ssl){
-			SSL_shutdown(conn->ssl);
-			SSL_free(conn->ssl);
-		}
-		if(conn->ctx) SSL_CTX_free(conn->ctx);
-		free(conn);
-	}
-}
-
-void _ssl_cert_free(SSL_CERT cert)
-{
-	X509_free((X509 *)cert);
-}
-
-
- 
-/* This array will store all of the mutexes available to OpenSSL. */ 
-static pthread_mutex_t *mutex_buf= NULL;
- 
- 
-static void locking_function(int mode, int n, const char * file, int line)
-{
-  if (mode & CRYPTO_LOCK)
-    pthread_mutex_lock(mutex_buf + n);
-  else
-    pthread_mutex_unlock(mutex_buf + n);
-}
- 
-static unsigned long id_function(void)
-{
-#ifdef _WIN32
-  return ((unsigned long)GetCurrentThreadId());
-#else
-  return ((unsigned long)pthread_self());
-#endif
-}
- 
-int thread_setup(void)
-{
-  int i;
- 
-  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(pthread_mutex_t));
-  if (!mutex_buf)
-    return 0;
-  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    pthread_mutex_init(mutex_buf +i, NULL);
-  CRYPTO_set_id_callback(id_function);
-  CRYPTO_set_locking_callback(locking_function);
-  return 1;
-}
- 
-int thread_cleanup(void)
-{
-  int i;
- 
-  if (!mutex_buf)
-    return 0;
-  CRYPTO_set_id_callback(NULL);
-  CRYPTO_set_locking_callback(NULL);
-  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    pthread_mutex_destroy(mutex_buf +i);
-  free(mutex_buf);
-  mutex_buf = NULL;
-  return 1;
-}
-
-
-
-int ssl_file_init = 0;
-
-
-void ssl_init(void)
-{
-	BIO *f;
-	static char fname[200];
-
-	if(!ssl_file_init++)pthread_mutex_init(&ssl_file_mutex, NULL);
-
-	pthread_mutex_lock(&ssl_file_mutex);
-	thread_setup();
-	SSLeay_add_ssl_algorithms();
-	SSL_load_error_strings();
-
-	sprintf(fname, "%.128s3proxy.pem", cert_path);
-	f = BIO_new_file(fname, "r");
-	if ( f != NULL ) {
-		if(!(CA_cert=PEM_read_bio_X509(f, NULL, NULL, NULL))){
-			unsigned long err;
-			err=ERR_get_error();
-			fprintf(stderr, "failed to read: %s: [%lu] %s\n", fname, err, ERR_error_string(err, NULL));
-			return;
-		}
-		BIO_free(f);
-	}
-	else {
-		fprintf(stderr, "failed to open: %s\n", fname);
-		return;
-	}
-	name = X509_get_subject_name(CA_cert);
-	sprintf(fname, "%.128s3proxy.key", cert_path);
-	f = BIO_new_file(fname, "rb");
-	if ( f != NULL ) {                                             
-		CA_key = PEM_read_bio_PrivateKey(f, NULL, NULL, NULL);
-		if(!CA_key){
-			unsigned long err;
-			err=ERR_get_error();
-			fprintf(stderr, "failed to read: %s: [%lu] %s\n", fname, err, ERR_error_string(err, NULL));
-			return;
-		}		
-		BIO_free(f);
-	}
-	else {
-		fprintf(stderr, "failed to open: %s\n", fname);
-		return;
-	}
-
-	sprintf(fname, "%.128sserver.key", cert_path);
-	f = BIO_new_file(fname, "rb");
-	if ( f != NULL ) {
-		server_key = PEM_read_bio_PrivateKey(f, &server_key, NULL, NULL);
-		if(!server_key){
-			unsigned long err;
-			err=ERR_get_error();
-			fprintf(stderr, "failed to read: %s: [%lu] %s\n", fname, err, ERR_error_string(err, NULL));
-			return;
-		}		
-		BIO_free(f);
-	}
-	else {
-		fprintf(stderr, "failed to open: %s\n", fname);
-	}
-
-	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-	pthread_mutex_unlock(&ssl_file_mutex);
-}
-
-void ssl_release(void)
-{
-	pthread_mutex_lock(&ssl_file_mutex);
-	if ( CA_cert != NULL ) {
-		X509_free(CA_cert);
-		CA_cert = NULL;
-	}
-	
-	if ( CA_key != NULL ) {
-		EVP_PKEY_free(CA_key);
-		CA_key = NULL;
-	}
-
-	if ( server_key != NULL ) {
-		EVP_PKEY_free(server_key);
-		server_key = NULL;
-	}
-	thread_cleanup();
-	pthread_mutex_unlock(&ssl_file_mutex);
-}
diff --git a/src/plugins/SSLPlugin/my_ssl.h b/src/plugins/SSLPlugin/my_ssl.h
deleted file mode 100644
index 8a89e9e..0000000
--- a/src/plugins/SSLPlugin/my_ssl.h
+++ /dev/null
@@ -1,43 +0,0 @@
-#ifndef __my_ssl_h__
-#define __my_ssl_h__
-
-//
-// opaque connection structure
-//
-typedef void *SSL_CONN;
-//
-// opaque certificate structure
-//
-typedef void *SSL_CERT;
-
-//
-// Create copy of certificate signed by "other" CA
-//
-SSL_CERT ssl_copy_cert(SSL_CERT cert);
-
-//
-// SSL/TLS handshakes
-//
-SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CERT *server_cert, char **errSSL);
-SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CERT server_cert, char **errSSL);
-
-//
-// SSL/TLS Read/Write       
-//
-int ssl_read(SSL_CONN connection, void * buf, int bufsize);
-int ssl_write(SSL_CONN connection, void * buf, int bufsize);
-int ssl_pending(SSL_CONN connection);
-
-//
-// Release of opaque structures
-//
-void ssl_conn_free(SSL_CONN connection);
-void _ssl_cert_free(SSL_CERT cert);
-
-//
-// Global (de)initialization
-//
-void ssl_init(void);
-void ssl_release(void);
-
-#endif // __my_ssl_h__
\ No newline at end of file
diff --git a/src/plugins/SSLPlugin/ssl_plugin.c b/src/plugins/SSLPlugin/ssl_plugin.c
deleted file mode 100644
index 6d7d729..0000000
--- a/src/plugins/SSLPlugin/ssl_plugin.c
+++ /dev/null
@@ -1,427 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2007-2008 by ZARAZA <3APA3A@security.nnov.ru>
-
-   please read License Agreement
-
-*/
-
-#include "../../structures.h"
-#include        /* SSLeay stuff */
-#include 
-#include 
-#include 
-#include 
-#include "../../proxy.h"
-#include "my_ssl.h"
-
-#ifndef _WIN32
-#define WINAPI
-#endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-#ifndef isnumber
-#define isnumber(i_n_arg) ((i_n_arg>='0')&&(i_n_arg<='9'))
-#endif
-
-PROXYFUNC tcppmfunc, proxyfunc, smtppfunc, ftpprfunc;
-
-static struct pluginlink * pl;
-
-pthread_mutex_t ssl_mutex;
-
-static int ssl_loaded = 0;
-static int ssl_connect_timeout = 0;
-char *cert_path = "";
-
-typedef struct _ssl_conn {
-	struct SSL_CTX *ctx;
-	struct SSL *ssl;
-} ssl_conn;
-
-struct SSLqueue {
-	struct SSLqueue *next;
-	SOCKET s;
-	SSL_CERT cert;
-	SSL_CONN conn;
-	struct clientparam* param;
-} *SSLq = NULL;
-
-
-/*
- TO DO: use hashtable
-*/
-static struct SSLqueue *searchSSL(SOCKET s){
-	struct SSLqueue *sslq = NULL;
-
-	pthread_mutex_lock(&ssl_mutex);
-	for(sslq = SSLq; sslq; sslq = sslq->next)
-		if(sslq->s == s) break;
-	pthread_mutex_unlock(&ssl_mutex);
-	return sslq;
-}
-
-static void addSSL(SOCKET s, SSL_CERT cert, SSL_CONN conn, struct clientparam* param){
-	struct SSLqueue *sslq;
-
-	sslq = (struct SSLqueue *) malloc(sizeof(struct SSLqueue));
-	sslq->s = s;
-	sslq->cert = cert;
-	sslq->conn = conn;
-	sslq->param = param;
-	pthread_mutex_lock(&ssl_mutex);
-	sslq->next = SSLq;
-	SSLq = sslq;
-	pthread_mutex_unlock(&ssl_mutex);
-}
-
-int delSSL(SOCKET s){
-	struct SSLqueue *sqi, *sqt = NULL;
-
-	if(!SSLq) return 0;
-	pthread_mutex_lock(&ssl_mutex);
-	if(SSLq){
-		if(SSLq->s == s){
-			sqt = SSLq;
-			SSLq = SSLq->next;
-		}
-		else for(sqi = SSLq; sqi->next; sqi = sqi->next){
-			if (sqi->next->s == s){
-				sqt = sqi->next;
-				sqi->next = sqt->next;
-				break;
-			}
-		}
-	}
-	pthread_mutex_unlock(&ssl_mutex);
-	if(sqt) {
-		_ssl_cert_free(sqt->cert);
-		ssl_conn_free(sqt->conn);
-		free(sqt);
-		return 1;
-	}
-	return 0;
-}
-
-struct sockfuncs sso;
-
-#ifdef _WIN32
-static int WINAPI ssl_send(SOCKET s, const void *msg, int len, int flags){
-#else
-static int ssl_send(SOCKET s, const void *msg, size_t len, int flags){
-#endif
-	struct SSLqueue *sslq;
-
-	if ((sslq = searchSSL(s))){
-		int res, err;
-		if((res = ssl_write(sslq->conn, (void *)msg, len)) <= 0){
-			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
-			if (err == SSL_ERROR_WANT_WRITE){
-				seterrno3(EAGAIN);
-				return -1;
-			}
-			else seterrno3(err);
-		}
-		return res;
-	}
-
-	return sso._send(s, msg, len, flags);
-}
-
-
-#ifdef _WIN32
-static int WINAPI ssl_sendto(SOCKET s, const void *msg, int len, int flags, const struct sockaddr *to, int tolen){
-#else
-static int ssl_sendto(SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen){
-#endif
-	struct SSLqueue *sslq;
-
-	if ((sslq = searchSSL(s))){
-		int res, err;
-		if((res = ssl_write(sslq->conn, (void *)msg, len)) <= 0) {
-			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
-			if (err == SSL_ERROR_WANT_WRITE){
-				seterrno3(EAGAIN);
-				return -1;
-			}
-			else seterrno3(err);
-		}
-		return res;
-	}
-
-	return sso._sendto(s, msg, len, flags, to, tolen);
-}
-
-#ifdef _WIN32
-static int WINAPI ssl_recvfrom(SOCKET s, void *msg, int len, int flags, struct sockaddr *from, int *fromlen){
-#else
-static int ssl_recvfrom(SOCKET s, void *msg, size_t len, int flags, struct sockaddr *from, SASIZETYPE *fromlen){
-#endif
-	struct SSLqueue *sslq;
-
-	if ((sslq = searchSSL(s))){
-		int res, err;
-		if((res = ssl_read(sslq->conn, (void *)msg, len)) <= 0) {
-			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
-			if (err == SSL_ERROR_WANT_READ) {
-				seterrno3(EAGAIN);
-				return -1;
-			}
-			else seterrno3(err);
-		}
-		return res;
-	}
-	return sso._recvfrom(s, msg, len, flags, from, fromlen);
-}
-
-#ifdef _WIN32
-static int WINAPI ssl_recv(SOCKET s, void *msg, int len, int flags){
-#else
-static int WINAPI ssl_recv(SOCKET s, void *msg, size_t len, int flags){
-#endif
-	struct SSLqueue *sslq;
-
-	if ((sslq = searchSSL(s))){
-		int res, err;
-		if((res = ssl_read(sslq->conn, (void *)msg, len)) <= 0) {
-			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
-			if (err == SSL_ERROR_WANT_READ) {
-				seterrno3(EAGAIN);
-				return -1;
-			}
-			else seterrno3(err);
-		}
-		return res;
-	}
-
-	return sso._recv(s, msg, len, flags);
-}
-
-static int WINAPI ssl_closesocket(SOCKET s){
-	delSSL(s);
-	return sso._closesocket(s);
-}
-
-static int WINAPI ssl_poll(struct pollfd *fds, unsigned int nfds, int timeout){
-	struct SSLqueue *sslq = NULL;
-	unsigned int i;
-	int ret = 0;
-	for(i = 0; i < nfds; i++){
-		if((fds[i].events & POLLIN) && (sslq = searchSSL(fds[i].fd)) && ssl_pending(sslq->conn)){
-			fds[i].revents = POLLIN;
-			ret++;
-		}
-		else fds[i].revents = 0;
-	}
-	if(ret) return ret;
-
-	ret = sso._poll(fds, nfds, timeout);
-	return ret;
-}
-
-
-int dossl(struct clientparam* param, SSL_CONN* ServerConnp, SSL_CONN* ClientConnp){
- SSL_CERT ServerCert=NULL, FakeCert=NULL;
- SSL_CONN ServerConn, ClientConn;
- char *errSSL=NULL;
- unsigned long ul;
-
-#ifdef _WIN32
- ul = 0; 
- ioctlsocket(param->remsock, FIONBIO, &ul);
- ul = 0;
- ioctlsocket(param->clisock, FIONBIO, &ul);
-#else
- fcntl(param->remsock,F_SETFL,0);
- fcntl(param->clisock,F_SETFL,0);
-#endif
-
- if(ssl_connect_timeout){
-	ul = ((unsigned long)ssl_connect_timeout)*1000;
-	setsockopt(param->remsock, SOL_SOCKET, SO_RCVTIMEO, (char *)&ul, 4);
-	ul = ((unsigned long)ssl_connect_timeout)*1000;
-	setsockopt(param->remsock, SOL_SOCKET, SO_SNDTIMEO, (char *)&ul, 4);
- }
- ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, &ServerCert, &errSSL);
- if ( ServerConn == NULL || ServerCert == NULL ) {
-	param->res = 8011;
-	param->srv->logfunc(param, (unsigned char *)"SSL handshake to server failed");
-	if(ServerConn == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerConn is NULL");
-	if(ServerCert == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerCert is NULL");
-	if(errSSL)param->srv->logfunc(param, (unsigned char *)errSSL);
-	return 1;
- }
- FakeCert = ssl_copy_cert(ServerCert);
- if ( FakeCert == NULL ) {
-	param->res = 8012;
-	_ssl_cert_free(ServerCert);
-	param->srv->logfunc(param, (unsigned char *)"Failed to create certificate copy");
-	ssl_conn_free(ServerConn);
-	return 2;
- }
- ClientConn = ssl_handshake_to_client(param->clisock, FakeCert, &errSSL);
- if ( ClientConn == NULL ) {
-	param->res = 8012;
-	param->srv->logfunc(param, (unsigned char *)"Handshake to client failed");
-	if(errSSL)param->srv->logfunc(param, (unsigned char *)errSSL);
-	_ssl_cert_free(ServerCert);
-	_ssl_cert_free(FakeCert);
-	ssl_conn_free(ServerConn);
-	return 3;
- }
-
-#ifdef _WIN32 
- ul = 1;
- ioctlsocket(param->remsock, FIONBIO, &ul);
- ul = 1;
- ioctlsocket(param->clisock, FIONBIO, &ul);
-#else
- fcntl(param->remsock,F_SETFL,O_NONBLOCK);
- fcntl(param->clisock,F_SETFL,O_NONBLOCK);
-#endif
-
-
- SSL_set_mode((SSL *)((ssl_conn *)ServerConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
- SSL_set_mode((SSL *)((ssl_conn *)ClientConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
- SSL_set_read_ahead((SSL *)((ssl_conn *)ServerConn)->ssl, 0);
- SSL_set_read_ahead((SSL *)((ssl_conn *)ClientConn)->ssl, 0);
- addSSL(param->remsock, ServerCert, ServerConn, param);
- addSSL(param->clisock, FakeCert, ClientConn, param);
- if(ServerConnp)*ServerConnp = ServerConn;
- if(ClientConnp)*ClientConnp = ClientConn;
-
-
- return 0;
-}
-
-
-static void* ssl_filter_open(void * idata, struct srvparam * param){
-	return idata;
-}
-
-
-
-static FILTER_ACTION ssl_filter_client(void *fo, struct clientparam * param, void** fc){
-	return CONTINUE;
-}
-
-static FILTER_ACTION ssl_filter_predata(void *fo, struct clientparam * param){
-	if(param->operation != HTTP_CONNECT) return PASS;
-	if(dossl(param, NULL, NULL)) {
-		return REJECT;
-	}
-	param->redirectfunc = proxyfunc;
-	return HANDLED;
-}
-
-
-static void ssl_filter_clear(void *fo){
-}
-
-static void ssl_filter_close(void *fo){
-}
-
-static struct filter ssl_filter = {
-	NULL,
-	"ssl filter",
-	"ssl filter",
-	ssl_filter_open,
-	ssl_filter_client,
-	NULL, NULL, NULL, ssl_filter_predata, NULL, NULL,
-	ssl_filter_clear, 
-	ssl_filter_close
-};
-
-int mitm = 0;
-int ssl_inited = 0;
-
-static int h_mitm(int argc, unsigned char **argv){
-	if(!ssl_inited) {
-		ssl_init();
-		ssl_inited = 1;
-	}
-	if((mitm&1)) return 1;
-	if(mitm) usleep(100*SLEEPTIME);
-	ssl_filter.next = pl->conf->filters;
-	pl->conf->filters = &ssl_filter;
-	mitm++;
-	return 0;
-}
-
-static int h_nomitm(int argc, unsigned char **argv){
-	struct filter * sf;
-	if(!(mitm&1)) return 1;
-	if(mitm) usleep(100*SLEEPTIME);
-	if(pl->conf->filters == &ssl_filter) pl->conf->filters = ssl_filter.next;
-	else for(sf = pl->conf->filters; sf && sf->next; sf=sf->next){
-		if(sf->next == &ssl_filter) {
-			sf->next = ssl_filter.next;
-			break;
-		}
-	}
-	mitm++;
-	return 0;
-}
-
-static int h_certpath(int argc, unsigned char **argv){
-	size_t len;
-	len = strlen(argv[1]);
-	if(!len || (argv[1][len - 1] != '/' && argv[1][len - 1] != '\\')) return 1;
-	if(cert_path && *cert_path) free(cert_path);
-	cert_path = strdup(argv[1]);
-	return 0;
-}
-
-static struct commands ssl_commandhandlers[] = {
-	{ssl_commandhandlers+1, "ssl_mitm", h_mitm, 1, 1},
-	{ssl_commandhandlers+2, "ssl_nomitm", h_nomitm, 1, 1},
-	{NULL, "ssl_certcache", h_certpath, 2, 2},
-};
-
-
-#ifdef WATCOM
-#pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
-#undef PLUGINCALL
-#define PLUGINCALL
-#endif
-
-PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink, 
-					 int argc, char** argv){
-
-	pl = pluginlink;
-	if(!ssl_loaded){
-		ssl_loaded = 1;
-		pthread_mutex_init(&ssl_mutex, NULL);
-		memcpy(&sso, pl->so, sizeof(struct sockfuncs));
-		pl->so->_send = ssl_send;
-		pl->so->_recv = ssl_recv;
-		pl->so->_sendto = ssl_sendto;
-		pl->so->_recvfrom = ssl_recvfrom;
-		pl->so->_closesocket = ssl_closesocket;
-		pl->so->_poll = ssl_poll;
-		ssl_commandhandlers[2].next = pl->commandhandlers->next;
-		pl->commandhandlers->next = ssl_commandhandlers;
-	}
-	else {
-		ssl_release();
-		ssl_inited = 0;
-	}
-
-	tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");	
-	if(!tcppmfunc){return 13;}
-	proxyfunc = (PROXYFUNC)pl->findbyname("proxy");	
-	if(!proxyfunc)proxyfunc = tcppmfunc;
-	smtppfunc = (PROXYFUNC)pl->findbyname("smtpp");	
-	if(!smtppfunc)smtppfunc = tcppmfunc;
-	ftpprfunc = (PROXYFUNC)pl->findbyname("ftppr");	
-	if(!ftpprfunc)ftpprfunc = tcppmfunc;
-
-	return 0;
-		
- }
-#ifdef  __cplusplus
-}
-#endif
diff --git a/src/plugins/StringsPlugin/CMakeLists.txt b/src/plugins/StringsPlugin/CMakeLists.txt
new file mode 100644
index 0000000..1a7becc
--- /dev/null
+++ b/src/plugins/StringsPlugin/CMakeLists.txt
@@ -0,0 +1,4 @@
+# StringsPlugin
+add_3proxy_plugin(StringsPlugin
+    SOURCES StringsPlugin.c
+)
diff --git a/src/plugins/StringsPlugin/StringsPlugin.c b/src/plugins/StringsPlugin/StringsPlugin.c
index e97098d..ccc8705 100644
--- a/src/plugins/StringsPlugin/StringsPlugin.c
+++ b/src/plugins/StringsPlugin/StringsPlugin.c
@@ -32,7 +32,7 @@ char **load_string(FILE *f,int max_count_str, int *countloadstr,
  /*find start service section*/
  while(!feof(f))
    {
-     fgets(tmpbuf1, 1023,f);  
+     if(!fgets(tmpbuf1, 1023,f)) return NULL;
      if ((strstr(tmpbuf1,start))!=NULL)  { i++; break; }
      tmpbuf1[0]='\0';
    }
@@ -51,7 +51,7 @@ char **load_string(FILE *f,int max_count_str, int *countloadstr,
   i=0;
  while ( !feof(f) || i< max_count_str)
    {
-     fgets(tmpbuf1, 1023,f);  
+     if(!fgets(tmpbuf1, 1023,f)) return NULL;
  
      if ((strstr(tmpbuf1,stop))!=NULL)  { break; }
 
diff --git a/src/plugins/TrafficPlugin/CMakeLists.txt b/src/plugins/TrafficPlugin/CMakeLists.txt
new file mode 100644
index 0000000..b2342c1
--- /dev/null
+++ b/src/plugins/TrafficPlugin/CMakeLists.txt
@@ -0,0 +1,4 @@
+# TrafficPlugin
+add_3proxy_plugin(TrafficPlugin
+    SOURCES TrafficPlugin.c
+)
diff --git a/src/plugins/TrafficPlugin/Changelog.txt b/src/plugins/TrafficPlugin/Changelog.txt
index 696b2de..e5c1977 100644
--- a/src/plugins/TrafficPlugin/Changelog.txt
+++ b/src/plugins/TrafficPlugin/Changelog.txt
@@ -1,13 +1,13 @@
 ========================================================================
    	3proxy traffic plugin Changelog
 ========================================================================
-v0.1.2 (2  2007 )
--       3proxy.
--   debug.
+v0.1.2 (2 января 2007 года)
+- Плугин обновлён в соответствии с обновлением 3proxy.
+- Добавлена опция debug.
 
 v0.1.1
--  udp   proxy, tcppm, pop3p
--      .
+- Теперь udp нельзя задавать proxy, tcppm, pop3p
+- Исправлена ошибка с выбором типа соединения.
 
-v0.1.0 beta (10  2006)
- .
\ No newline at end of file
+v0.1.0 beta (10 июля 2006)
+Первый релиз.
\ No newline at end of file
diff --git a/src/plugins/TrafficPlugin/ReadMe.txt b/src/plugins/TrafficPlugin/ReadMe.txt
index c4f4fb1..e00e487 100644
--- a/src/plugins/TrafficPlugin/ReadMe.txt
+++ b/src/plugins/TrafficPlugin/ReadMe.txt
@@ -1,67 +1,67 @@
 ========================================================================
    	3proxy traffic plugin
 ========================================================================
-  3proxy    ,  .
-     (  10%)  ,
-   ,      
-,       4-5 .   ,
-  ,      .
+Как известно 3proxy считает траффик не сетевой, а прикладной.
+Обычно прикладной траффик немного меньше (примерно на 10%) чем сетевой,
+однако в некоторых случаях, например когда пользователи сети играют в
+игры, сетевой траффик может превысить прикладной в 4-5 раз. Это довольно неприятно,
+так как получается, что они за это не платят.
 
-  ,       +. 
-  50-60        15-20  (   )
- 800-900  ( IE).         ,
-    .
+Происходит это потому, что в каждом посланом пакете есть заголовок+данные. Заголовок
+весит порядка 50-60 байт а колличество данных может меняться от 15-20 байт (что характерно для игр)
+до 800-900 байт (у IE). Также колличество данных в пакете зависит от загрузки сети,
+удалённости сервера и прочих причин.
 
-     .     
-            ,
-   .
+Данный плагин может исправить такую ситуацию. Он может умножать счётчик траффика
+при окончании соединения на некоторый коэффициент либо добавлять к данным размеры заголовков пакетов,
+которые прошли по сети.
 
-  :
+Как использовать плагин:
 
- :
+загрузка плагина:
 plugin "TrafficPlugin.dll" start
 
-   :
-     :
-trafcorrect m <> < > <>
-: <>   proxy, socks4, socks45, socks5, tcppm, udppm, pop3p
-                ,      .
-	     *,       .
-     < > - ,     . * - 
-	 <> -     .  .
-	     0   100
+Далее недоходимо добавить правила:
+ДЛЯ РЕЖИМА ДОМНОЖЕНИЯ ТРАФФИКА НА ЧИСЛО:
+trafcorrect m <сервис> <исходящий порт> <коэффициент>
+где: <сервис> может быть proxy, socks4, socks45, socks5, tcppm, udppm, pop3p
+           если сервис указан неверно то считается, что это может быть любой сервис.
+	   можно использовать *, тогда правило будет считаться для любого сервиса.
+     <исходящий порт> - порт, к которому подключается прокси сервер. * - любой
+	 <коэффициент> - число на каоторое домнажается траффик. Обязательный параметр.
+	 Должен быть от больше 0 и меньше 100
 
-   ר   :
-trafcorrect p <>  < > [  ]
-	  - ,    .
-	 [ ] -    .   
-      Ethernal.  .  ,
-      66 .
+ДЛЯ РЕЖИМА С УЧЁТОМ РАЗМЕРА ЗАГОЛОВКОВ ПАКЕТОВ:
+trafcorrect p <сервис>  <исходящий порт> [размер пустого пакета]
+	  - протокол, по которому осуществляется соединение.
+	 [размер пакета] - средний размер пустого пакета. Можно определить захватив
+данные при помощи такой утилиты как Ethernal. Параметр необязателен. Если отсутствует,
+то размер пакета будет считаться равным 66 байт.
 
-  .
- ,        .
-       .
+Режимы можно смешивать.
+Следует учитывать, что плугин создаёт список всех правил изменения траффика.
+Когда происходит окончание соединения выполняется первое подходящее правило.
 
-:
+Пример:
 plugin "TrafficPlugin.dll" start
 trafcorrect m socks5 6112 4.5
 trafcorrect m socks5 * 1.1
 
- :
+следующее неверно:
 plugin "TrafficPlugin.dll" start
 trafcorrect m socks5 * 1.1
 trafcorrect m socks5 6112 4.5
-     .   1    .
+Вторая строчка выполнена никогда не будет. Так как 1 имеет более широкое назначение.
 
-  :
-1.      (  stdout).
-2.     . :
+РЕЖИМ ОТЛАДКИ ПРАВИЛ:
+1. Запускает прокси в оконном режиме (чтобы видеть stdout).
+2. Загрузка плагина должна выглядеть сл. образом:
 plugin "TrafficPlugin.dll" start debug
-3.            .
-   1.
+3. В окне прокси сервера будет написана информация о прохождении правил коррекции траффика.
+Правила нумеруются с 1.
 
 /////////////////////////////////////////////////////////////////////////////
 Copyright:
  (c) Maslov Michael aka Flexx(rus) All rights reserved.
- Plugin was writen on Visual C++ 6.0 SP5
+ Plugin was written on Visual C++ 6.0 SP5
  Using structures.h from 3proxy distr.
\ No newline at end of file
diff --git a/src/plugins/TrafficPlugin/TrafficPlugin.c b/src/plugins/TrafficPlugin/TrafficPlugin.c
index 5cf23aa..c8566ea 100644
--- a/src/plugins/TrafficPlugin/TrafficPlugin.c
+++ b/src/plugins/TrafficPlugin/TrafficPlugin.c
@@ -1,16 +1,16 @@
 /*
 	3proxy Traffic correct plugin v0.1 beta
 	
-	 Maslov Michael aka Flexx(rus)
-	      by 3APA3A
+	Написал Maslov Michael aka Flexx(rus)
+	Формула расчёта траффика по размеру пакета by 3APA3A
 	email: flexx_rus@mail.ru
 	ICQ: 299132764
 	http://3proxy.ru/
 
-	    (    ).  .
-	    ,  .
-	         3proxy.
-	  Copyright .
+	Как работает не знаю (многое зависит от ваших настроек). Никаких гарантий.
+	С плугином можете делать всё, что захочется.
+	Дожен распростроняться только с исходными кодами или вместе с 3proxy.
+	Удалять данный Copyright запрещено.
 */
 
 #include "../../structures.h"
@@ -33,8 +33,8 @@ struct commands * commandhandlers;
 struct pluginlink * pl;
 
 typedef enum {
-	MULTIPLAY, /*      */
-	IPCORRECT, /*       */
+	MULTIPLAY, /* метод коррекции умножением на коффициент */
+	IPCORRECT, /* метод коррекции с учётом размера пакета */
 } TRAFCORRECT_TYPE;
 
 typedef enum {
@@ -84,7 +84,7 @@ int h_trafcorrect(int argc, unsigned char ** argv) {
 	 	if(DBGLEVEL == 1)fprintf(stdout, "See documentation of traffic correct plugin.\n");
 		return 1;
 	}
-	/*      */
+	/* режим умножения траффика на коэффициент */
 	if (!strcmp((char *)argv[1], "m")) {
 		struct trafcorrect * newitem;
 		if (argc < 5) {
@@ -110,7 +110,7 @@ int h_trafcorrect(int argc, unsigned char ** argv) {
 
    	    newitem->port = atoi((char *)argv[3]);
 		newitem->coeff = atof((char *)argv[4]);
-		/*     */
+		/* проверка на корректность ввода */
 		if ((newitem->port>65535) || (newitem->coeff<=0) || (newitem->coeff>100)) {
 			free(newitem);
 			if(DBGLEVEL == 1)fprintf(stdout, "Port must be 0port = atoi((char *)argv[4]);
-		/*    -   */
+		/* последний необязательный параметр - размер пакета */
 		if (argc >= 6) {
 			newitem->psize = atoi((char *)argv[5]);
 		}
@@ -169,7 +169,7 @@ int h_trafcorrect(int argc, unsigned char ** argv) {
 	return 1;
 }
 
-static unsigned short myhtons(unsigned short port) {
+static uint16_t myhtons(uint16_t port) {
   return (port << 8) | (port >> 8);
 }
 
@@ -200,15 +200,15 @@ void mylogfunc(struct clientparam * param, const unsigned char * pz) {
 #endif
 		rule++;
 		if (((g_s == param->service) && (port == myhtons(*SAPORT(¶m->sinsr)))) || 
-			( ((starttrafcorrect->type == UDP) && 
+			( ((starttrafcorrect->con_type == UDP) && 
 				((param->operation == UDPASSOC)||
 				 (param->operation == DNSRESOLVE)||
 				 (param->operation == BIND)||
 				 (param->operation == ICMPASSOC))
-			   )||(starttrafcorrect->type == TCP))) /* TCP support */
+			   )||(starttrafcorrect->con_type == TCP))) /* TCP support */
 		{
-				/*  .    
-				      */
+				/* фильтр подошёл. можно изменять значение траффика
+				   домножаем на число */
 				if (starttrafcorrect->type == MULTIPLAY) {
 #ifndef NOPSTDINT
 					param->statssrv64 = (unsigned)((double)param->statssrv64 *starttrafcorrect->coeff);
@@ -218,7 +218,7 @@ void mylogfunc(struct clientparam * param, const unsigned char * pz) {
 					param->statscli = (unsigned)((double)param->statscli * starttrafcorrect->coeff);
 #endif
 				}
-				/*    */
+				/* с учётом пакетов */
 				if (starttrafcorrect->type == IPCORRECT) {
 					if (starttrafcorrect->con_type == TCP) {
 #ifndef NOPSTDINT
@@ -240,7 +240,7 @@ void mylogfunc(struct clientparam * param, const unsigned char * pz) {
 				}
 				if (DBGLEVEL == 1) {
 #ifndef NOPSTDINT
-					fprintf(stdout, "Port=%hd; Before: srv=%"PRINTF_INT64_MODIFIER"d, cli=%"PRINTF_INT64_MODIFIER"d; After:  srv=%"PRINTF_INT64_MODIFIER"d, cli=%"PRINTF_INT64_MODIFIER"d; nreads=%ld; nwrites=%ld; Rule=%d\n",myhtons(*SAPORT(¶m->sinsr)), statssrv_before, statscli_before, param->statssrv64, param->statscli64,param->nreads,param->nwrites,rule);
+					fprintf(stdout, "Port=%hd; Before: srv=%"PRId64", cli=%"PRId64"; After:  srv=%"PRId64", cli=%"PRId64"; nreads=%ld; nwrites=%ld; Rule=%d\n",myhtons(*SAPORT(¶m->sinsr)), statssrv_before, statscli_before, param->statssrv64, param->statscli64,param->nreads,param->nwrites,rule);
 #else
 					fprintf(stdout, "Port=%hd; Before: srv=%lu, cli=%lu; After:  srv=%lu, cli=%lu; nreads=%ld; nwrites=%ld; Rule=%d\n",myhtons(param->sins.sin_port), statssrv_before, statscli_before, param->statssrv, param->statscli,param->nreads,param->nwrites,rule);
 #endif
@@ -294,7 +294,7 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, char**
 		return 0;
 	}
 	already_loaded = 1;
-	/*   "trafcorrect" */
+	/* добавляем команду "trafcorrect" */
 	starthandler = commandhandlers;
 	for ( ; starthandler->next; starthandler = starthandler->next);
 	trafcorrect_handler.next = NULL;
@@ -304,7 +304,7 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, char**
 	trafcorrect_handler.handler = h_trafcorrect;
 	starthandler->next = &trafcorrect_handler;
 	
-	/*  conf->logfunc,     */
+	/* подменяем conf->logfunc, с целью контролировать траффик */
 	origlogfunc = conf->logfunc;
 	conf->logfunc = mylogfunc;
 	return 0;
diff --git a/src/plugins/TransparentPlugin/CMakeLists.txt b/src/plugins/TransparentPlugin/CMakeLists.txt
new file mode 100644
index 0000000..2f78811
--- /dev/null
+++ b/src/plugins/TransparentPlugin/CMakeLists.txt
@@ -0,0 +1,6 @@
+# TransparentPlugin
+# Works on Linux (with netfilter), BSD and macOS (without netfilter support)
+
+add_3proxy_plugin(TransparentPlugin
+    SOURCES transparent_plugin.c
+)
diff --git a/src/plugins/TransparentPlugin/transparent_plugin.c b/src/plugins/TransparentPlugin/transparent_plugin.c
index 0619bac..7bf9ee8 100644
--- a/src/plugins/TransparentPlugin/transparent_plugin.c
+++ b/src/plugins/TransparentPlugin/transparent_plugin.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2017 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -58,12 +58,14 @@ static FILTER_ACTION transparent_filter_client(void *fo, struct clientparam * pa
 	return REJECT;
 #endif
 #else
-	param->req = param->sincl;
-	param->sincl = param->srv->intsa;
+	if(*SAFAMILY(¶m->sincl) == AF_INET || *SAFAMILY(¶m->sincl) == AF_INET6){
+	    param->req = param->sincl;
+	    param->sincl = param->srv->intsa;
+	}
 #endif
 	pl->myinet_ntop(*SAFAMILY(¶m->req), SAADDR(¶m->req), (char *)addrbuf, sizeof(addrbuf));
 	if(param->hostname) pl->freefunc(param->hostname);
-	param->hostname = pl->strdupfunc(addrbuf);
+	param->hostname = (unsigned char *)pl->strdupfunc(addrbuf);
 	param->sinsr = param->req;
 	return PASS;
 }
@@ -81,7 +83,7 @@ static struct filter transparent_filter = {
 	"Transparent filter",
 	transparent_filter_open,
 	transparent_filter_client, 
-	NULL, NULL, NULL, NULL, NULL, NULL,
+	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 	transparent_filter_clear, 
 	transparent_filter_close
 };
diff --git a/src/plugins/WindowsAuthentication/CMakeLists.txt b/src/plugins/WindowsAuthentication/CMakeLists.txt
new file mode 100644
index 0000000..7c25f35
--- /dev/null
+++ b/src/plugins/WindowsAuthentication/CMakeLists.txt
@@ -0,0 +1,10 @@
+# WindowsAuthentication
+if(NOT WIN32)
+    message(STATUS "WindowsAuthentication requires Windows, skipping")
+    return()
+endif()
+
+add_3proxy_plugin(WindowsAuthentication
+    SOURCES WindowsAuthentication.c
+    LIBRARIES advapi32
+)
diff --git a/src/plugins/WindowsAuthentication/WindowsAuthentication.c b/src/plugins/WindowsAuthentication/WindowsAuthentication.c
index 818237e..7cd8994 100644
--- a/src/plugins/WindowsAuthentication/WindowsAuthentication.c
+++ b/src/plugins/WindowsAuthentication/WindowsAuthentication.c
@@ -1,6 +1,5 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2007-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2007-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
diff --git a/src/plugins/WindowsAuthentication/copying b/src/plugins/WindowsAuthentication/copying
deleted file mode 100644
index 177ffa7..0000000
--- a/src/plugins/WindowsAuthentication/copying
+++ /dev/null
@@ -1,31 +0,0 @@
-3proxy 0.6 Windows Authentication Plugin Public License Agreement
-
-This software provided "as is" without any guaranties or support.
-
-This software is FREEWARE. You can use it under terms of current version
-of GNU GPL (General Public License) available from 
-http://www.gnu.org/licenses/gpl.txt or under conditions below:
-
-1. You are granted non-exclusive rights to compile, modify, use and
-re-distribute this program.
-2. In case this software is redistributed in binary form, source code
-MUST be available for user for free.
-3. In case this software redistributed embedded in hardware device or
-pre-installed version of operation system and source code is not available,
-documentation MUST refer to http://www.security.nnov.ru/ as a source of
-software.
-4. In case this software is modified or is used as a part of another project
-license MUST NOT be modified.
-5. Authors of this software MAY change terms of this license for future
-versions of this product.
-
-(c) 2000-2009 by 3APA3A (3APA3A@security.nnov.ru)
-(c) 2000-2009 by SECURITY.NNOV (http://www.security.nnov.ru)
-(c) 2000-2009 by Vladimir Dubrovin (vlad@sandy.ru)
-
-
-This software uses:
-  RSA Data Security, Inc. MD4 Message-Digest Algorithm
-  RSA Data Security, Inc. MD5 Message-Digest Algorithm
-
-$Id: copying,v 1.1 2006/02/13 16:08:03 vlad Exp $
diff --git a/src/plugins/utf8tocp1251/CMakeLists.txt b/src/plugins/utf8tocp1251/CMakeLists.txt
new file mode 100644
index 0000000..41b4156
--- /dev/null
+++ b/src/plugins/utf8tocp1251/CMakeLists.txt
@@ -0,0 +1,4 @@
+# utf8tocp1251
+add_3proxy_plugin(utf8tocp1251
+    SOURCES utf8tocp1251.c
+)
diff --git a/src/plugins/utf8tocp1251/utf8tocp1251.c b/src/plugins/utf8tocp1251/utf8tocp1251.c
index 412c927..ba5ae18 100644
--- a/src/plugins/utf8tocp1251/utf8tocp1251.c
+++ b/src/plugins/utf8tocp1251/utf8tocp1251.c
@@ -1,6 +1,5 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2007-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2007-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
diff --git a/src/pop3p.c b/src/pop3p.c
index b433998..40d9723 100644
--- a/src/pop3p.c
+++ b/src/pop3p.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -15,14 +15,14 @@ void * pop3pchild(struct clientparam* param) {
  unsigned char buf[320];
  unsigned char *se;
 
- if(socksend(param->clisock, (unsigned char *)"+OK Proxy\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (611);}
+ if(socksend(param, param->clisock, (unsigned char *)"+OK Proxy\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (611);}
  i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
  while(i > 4 && strncasecmp((char *)buf, "USER", 4)){
 	if(!strncasecmp((char *)buf, "QUIT", 4)){
-		socksend(param->clisock, (unsigned char *)"+OK\r\n", 5,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)"+OK\r\n", 5,conf.timeouts[STRING_S]);	
 		RETURN(0);
 	}
-	socksend(param->clisock, (unsigned char *)"-ERR need USER first\r\n", 22, conf.timeouts[STRING_S]);	
+	socksend(param, param->clisock, (unsigned char *)"-ERR need USER first\r\n", 22, conf.timeouts[STRING_S]);	
 	i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
  }
  if(i<6) {RETURN(612);}
@@ -38,9 +38,9 @@ void * pop3pchild(struct clientparam* param) {
  if( i < 3 ) {RETURN(621);}
  buf[i] = 0;
  if(strncasecmp((char *)buf, "+OK", 3)||!strncasecmp((char *)buf+4, "PROXY", 5)){RETURN(622);}
- if( socksend(param->remsock, (unsigned char *)"USER ", 5, conf.timeouts[STRING_S])!= 5 || 
-	socksend(param->remsock, param->extusername, (int)strlen((char *)param->extusername), conf.timeouts[STRING_S]) <= 0 ||
-	socksend(param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S])!=2)
+ if( socksend(param, param->remsock, (unsigned char *)"USER ", 5, conf.timeouts[STRING_S])!= 5 || 
+	socksend(param, param->remsock, param->extusername, (int)strlen((char *)param->extusername), conf.timeouts[STRING_S]) <= 0 ||
+	socksend(param, param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S])!=2)
 		{RETURN(623);}
  param->statscli64 += (uint64_t)(strlen((char *)param->extusername) + 7);
  param->nwrites++;
@@ -53,7 +53,7 @@ CLEANRET:
  }
  else dolog(param, NULL);
  if(param->clisock != INVALID_SOCKET) {
-	if ((param->res > 0 && param->res < 100) || (param->res > 611 && param->res <700)) socksend(param->clisock, (unsigned char *)"-ERR\r\n", 6,conf.timeouts[STRING_S]);
+	if ((param->res > 0 && param->res < 100) || (param->res > 611 && param->res <700)) socksend(param, param->clisock, (unsigned char *)"-ERR\r\n", 6,conf.timeouts[STRING_S]);
  }
  freeparam(param);
  return (NULL);
diff --git a/src/proxy.c b/src/proxy.c
index fa41e67..1fc5729 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -31,7 +31,7 @@ char * proxy_stringtable[] = {
 	"Content-type: text/html; charset=utf-8\r\n"
 	"\r\n"
 	"503 Service Unavailable\r\n"
-	"
    503 Service Unavailable
    You have exceeded your traffic limit
    \r\n",
+	"
    503 Service Unavailable
    You have exceeded your limits
    \r\n",
 
 /* 3 */	"HTTP/1.0 503 Service Unavailable\r\n"
 	"Connection: close\r\n"
@@ -131,7 +131,7 @@ char * proxy_stringtable[] = {
 	NULL
 };
 
-#define LINESIZE 4096
+#define LINESIZE 32768
 #define BUFSIZE (LINESIZE*2)
 #define FTPBUFSIZE 1536
 
@@ -149,7 +149,7 @@ static void logurl(struct clientparam * param, char * buf, char * req, int ftp){
 	sb = strchr(buf, '\r');
 	if(sb)*sb = 0;
 	if(ftp && (se = strchr(buf + 10, ':')) && (sb = strchr(se, '@')) ) {
-		strcpy(se, sb);
+		memmove(se, sb, strlen(sb)+1);
 	}
  }
  if(param->res != 555 && param->res != 508)dolog(param, (unsigned char *)(req?buf:NULL));
@@ -239,7 +239,7 @@ void * proxychild(struct clientparam* param) {
 
 
  if(param->remsock != INVALID_SOCKET) haveconnection = 1; 
- if(!(buf = myalloc(BUFSIZE))) {RETURN(21);}
+ if(!(buf = malloc(BUFSIZE))) {RETURN(21);}
  bufsize = BUFSIZE;
  anonymous = param->srv->anonymous;
 for(;;){
@@ -253,15 +253,15 @@ for(;;){
 	fds[0].events = POLLIN;
 	fds[1].fd = param->remsock;
 	fds[1].events = POLLIN;
-	res = so._poll(fds, 2, conf.timeouts[STRING_S]*1000);
+	res = param->srv->so._poll(param->sostate, fds, 2, conf.timeouts[STRING_S]*1000);
 	if(res<=0) {
 		RETURN(555);
 	}
 	if((fds[1].revents & (POLLIN|POLLHUP|POLLERR|POLLNVAL))) {
 		if(param->transparent || (!param->redirected && param->redirtype == R_HTTP)) RETURN(555);
 		ckeepalive = 0;
-		so._shutdown(param->remsock, SHUT_RDWR);
-		so._closesocket(param->remsock);
+		param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+		param->srv->so._closesocket(param->sostate, param->remsock);
 		param->remsock = INVALID_SOCKET;
 		param->redirected = 0;
 		param->redirtype = 0;
@@ -282,8 +282,8 @@ for(;;){
 	if(!param->transparent && !param->srv->transparent && (i<=prefix || strncasecmp((char *)buf, (char *)req, prefix))){
 		ckeepalive = 0;
 		if(param->remsock != INVALID_SOCKET){
-			so._shutdown(param->remsock, SHUT_RDWR);
-			so._closesocket(param->remsock);
+			param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 		}
 		param->remsock = INVALID_SOCKET;
 		param->redirected = 0;
@@ -292,9 +292,9 @@ for(;;){
 		memset(¶m->sinsr, 0, sizeof(param->sinsr));
 		memset(¶m->req, 0, sizeof(param->req));
 	}
-	myfree(req);
+	free(req);
  }
- req = (unsigned char *)mystrdup((char *)buf);
+ req = (unsigned char *)strdup((char *)buf);
  if(!req){RETURN(510);}
  if(i<10) {
 	RETURN(511);
@@ -335,12 +335,15 @@ for(;;){
 	prefix = (int)(se - buf);
 	su = (unsigned char*)strrchr((char *)sb, '@');
 	if(su) {
-		su = (unsigned char *)mystrdup((char *)sb);
+		su = (unsigned char *)strdup((char *)sb);
 		decodeurl(su, 0);
-		if(parseconnusername((char *)su, (struct clientparam *)param, 1, (unsigned short)((ftp)?21:80))) RETURN (100);
-		myfree(su);
+		if(parseconnusername((char *)su, (struct clientparam *)param, 1, (uint16_t)((ftp)?21:80))) {
+			free(su);
+			RETURN (100);
+		}
+		free(su);
 	}
-	else if(parsehostname((char *)sb, (struct clientparam *)param, (unsigned short)((ftp)? 21:80))) RETURN(100);
+	else if(parsehostname((char *)sb, (struct clientparam *)param, (uint16_t)((ftp)? 21:80))) RETURN(100);
 	if(!isconnect){
 		if(se==sg)*se-- = ' ';
 		*se = '/';
@@ -373,62 +376,14 @@ for(;;){
 			sb = (unsigned char *)strchr((char *)username, ':');
 			if(sb){
 				*sb = 0;
-				if(param->password)myfree(param->password);
-				param->password = (unsigned char *)mystrdup((char *)sb+1);
+				if(param->password)free(param->password);
+				param->password = (unsigned char *)strdup((char *)sb+1);
 				param->pwtype = 0;
 			}
-			if(param->username)myfree(param->username);
-			param->username = (unsigned char *)mystrdup((char *)username);
+			if(param->username)free(param->username);
+			param->username = (unsigned char *)strdup((char *)username);
 			continue;
 		}
-#ifndef NOCRYPT
-		if(param->srv->usentlm && !strncasecmp((char *)sb, "ntlm", 4)){
-			sb+=4;
-			while(isspace(*sb))sb++;
-			i = de64(sb, username, 1023);
-			if(i<=16)continue;
-			username[i] = 0;
-			if(strncasecmp((char *)username, "NTLMSSP", 8)) continue;
-			if(username[8] == 1) {
-				while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2){
-					if(i> 15 && (!strncasecmp((char *)(buf), "content-length", 14))){
-						buf[i]=0;
-						sscanf((char *)buf + 15, "%"PRINTF_INT64_MODIFIER"u", &contentlength64);
-					}
-				}
-				while( contentlength64 > 0 && (i = sockgetlinebuf(param, CLIENT, buf, (BUFSIZE < contentlength64)? BUFSIZE - 1:(int)contentlength64, '\n', conf.timeouts[STRING_S])) > 0){
-					if ((uint64_t)i > contentlength64) break;
-					contentlength64-=i;
-				}
-				contentlength64 = 0;
-				if(param->password)myfree(param->password);
-				param->password = myalloc(32);
-				param->pwtype = 2;
-				i = (int)strlen(proxy_stringtable[13]);
-				memcpy(buf, proxy_stringtable[13], i);
-				genchallenge(param, (char *)param->password, (char *)buf + i);
-				memcpy(buf + strlen((char *)buf), "\r\n\r\n", 5);
-				socksend(param->clisock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
-				ckeepalive = keepalive = 1;
-				goto REQUESTEND;
-			}
-			if(username[8] == 3 && param->pwtype == 2 && i>=80) {
-				unsigned offset, len;
-
-				len = username[20] + (((unsigned)username[21]) << 8);
-				offset = username[24] + (((unsigned)username[25]) << 8);
-				if(len != 24 || len + offset > (unsigned)i) continue;
-				memcpy(param->password + 8, username + offset, 24);
-				len = username[36] + (((unsigned)username[37]) << 8);
-				offset = username[40] + (((unsigned)username[41]) << 8);
-				if(len> 255 || len + offset > (unsigned)i) continue;
-				if(param->username) myfree(param->username);
-				unicode2text((char *)username+offset, (char *)username+offset, (len>>1));
-				param->username = (unsigned char *)mystrdup((char *)username+offset);
-			}
-			continue;
-		}
-#endif
 	}
 #endif
 	if(!isconnect && (
@@ -448,7 +403,7 @@ for(;;){
 	}
 	if( i > 11 && !strncasecmp((char *)(buf+inbuf),  "Expect: 100", 11)){
 		keepalive = 1;
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[17], (int)strlen(proxy_stringtable[17]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[17], (int)strlen(proxy_stringtable[17]), conf.timeouts[STRING_S]);
 		continue;
 	}
 	if(param->transparent && i > 6 && !strncasecmp((char *)buf + inbuf, "Host:", 5)){
@@ -462,15 +417,19 @@ for(;;){
 			c = *se;
 			*se = 0;
 		}
+		if(param->hostname && (!*param->hostname || isnumber(param->hostname[strlen((char *)param->hostname) - 1]))){
+		    free(param->hostname);
+		    param->hostname = NULL;
+		}
 		if(!param->hostname){
 			if(parsehostname((char *)sb, param, 80)) RETURN(100);
 		}
-		newbuf = myalloc(strlen((char *)req) + strlen((char *)(buf+inbuf)) + 8);
+		newbuf = malloc(strlen((char *)req) + strlen((char *)(buf+inbuf)) + 8);
 		if(newbuf){
 			sp = (unsigned char *)strchr((char *)req+1, '/');
 			memcpy(newbuf, req, (sp - req));
 			sprintf((char*)newbuf + (sp - req), "http://%s%s",sb,sp);
-			myfree(req);
+			free(req);
 			req = newbuf;
 		}
 		if(se)*se = c;
@@ -490,11 +449,11 @@ for(;;){
 			sb = (unsigned char *)strchr((char *)username, ':');
 			if(sb){
 				*sb = 0;
-				if(param->extpassword)myfree(param->extpassword);
-				param->extpassword = (unsigned char *)mystrdup((char *)sb+1);
+				if(param->extpassword)free(param->extpassword);
+				param->extpassword = (unsigned char *)strdup((char *)sb+1);
 			}
-			if(param->extusername)myfree(param->extusername);
-			param->extusername = (unsigned char *)mystrdup((char *)username);
+			if(param->extusername)free(param->extusername);
+			param->extusername = (unsigned char *)strdup((char *)username);
 			continue;
 		}
 	}
@@ -503,7 +462,7 @@ for(;;){
 		if(!sb)continue;
 		++sb;
 		while(isspace(*sb))sb++;
-		sscanf((char *)sb, "%"PRINTF_INT64_MODIFIER"u",&contentlength64);
+		sscanf((char *)sb, "%"SCNu64"",&contentlength64);
 		if(param->maxtrafout64 && (param->maxtrafout64 < param->statscli64 || contentlength64 > param->maxtrafout64 - param->statscli64)){
 			RETURN(10);
 		}
@@ -514,7 +473,7 @@ for(;;){
 		if (bufsize > (LINESIZE * 16)){
 			RETURN (516);
 		}
-		if(!(newbuf = myrealloc(buf, bufsize + BUFSIZE))){RETURN (21);}
+		if(!(newbuf = realloc(buf, bufsize + BUFSIZE))){RETURN (21);}
 		buf = newbuf;
 		bufsize += BUFSIZE;
 	}
@@ -526,6 +485,20 @@ for(;;){
  reqsize = (int)strlen((char *)req);
  reqbufsize = reqsize + 1;
 
+
+ if(param->srv->needuser > 1 && !param->username) {RETURN(4);}
+ if((res = (*param->srv->authfunc)(param))) {
+	if (res <= 10 || haveconnection || param->transparent) RETURN(res);
+	param->srv->so._closesocket(param->sostate, param->remsock);
+	param->remsock = INVALID_SOCKET;
+	param->redirected = 0;
+	param->redirtype = 0;
+	memset(¶m->sinsl, 0, sizeof(param->sinsl));
+	memset(¶m->sinsr, 0, sizeof(param->sinsr));
+	if((res = (*param->srv->authfunc)(param))) RETURN(res);
+ }
+
+
 #ifndef WITHMAIN
 
  action = handlereqfilters(param, &req, &reqbufsize, 0, &reqsize);
@@ -540,19 +513,29 @@ for(;;){
  if(action != PASS) RETURN(517);
  param->nolongdatfilter = 0;
 
+#endif
+
+ if(isconnect && param->redirtype != R_HTTP) {
+	socksend(param, param->clisock, (unsigned char *)proxy_stringtable[8], (int)strlen(proxy_stringtable[8]), conf.timeouts[STRING_S]);
+ }
+
+
+#ifndef WITHMAIN
+ if (param->npredatfilters){
+	action = handlepredatflt(param);
+	if(action == HANDLED){
+		RETURN(0);
+	}
+	if(action != PASS) RETURN(19);
+ }
  
  if (conf.filtermaxsize && contentlength64 > (uint64_t)conf.filtermaxsize) {
 	param->nolongdatfilter = 1;
  }
  else if(param->ndatfilterscli > 0 && contentlength64 > 0){
   uint64_t newlen64;
-  newlen64 = sockfillbuffcli(param, (unsigned long)contentlength64, CONNECTION_S);
+  newlen64 = (uint64_t) sockfillbuffcli(param, (unsigned long)contentlength64, CONNECTION_S);
   if(newlen64 == contentlength64) {
-	action = handlepredatflt(param);
-	if(action == HANDLED){
-		RETURN(0);
-	}
-	if(action != PASS) RETURN(19);
 	action = handledatfltcli(param,  ¶m->clibuf, (int *)¶m->clibufsize, 0, (int *)¶m->cliinbuf);
 	if(action == HANDLED){
 		RETURN(0);
@@ -561,22 +544,11 @@ for(;;){
 	contentlength64 = param->cliinbuf;
 	param->nolongdatfilter = 1;
   }
-  sprintf((char*)buf+strlen((char *)buf), "Content-Length: %"PRINTF_INT64_MODIFIER"u\r\n", contentlength64);
+  sprintf((char*)buf+strlen((char *)buf), "Content-Length: %"PRIu64"\r\n", contentlength64);
  }
 
 #endif
 
- if(param->srv->needuser > 1 && !param->username) {RETURN(4);}
- if((res = (*param->srv->authfunc)(param))) {
-	if (res <= 10 || haveconnection || param->transparent) RETURN(res);
-	so._closesocket(param->remsock);
-	param->remsock = INVALID_SOCKET;
-	param->redirected = 0;
-	param->redirtype = 0;
-	memset(¶m->sinsl, 0, sizeof(param->sinsl));
-	memset(¶m->sinsr, 0, sizeof(param->sinsr));
-	if((res = (*param->srv->authfunc)(param))) RETURN(res);
- }
 
  if(ftp && param->redirtype != R_HTTP){
 	SOCKET s;
@@ -592,14 +564,14 @@ for(;;){
 		}
 	}
 	ckeepalive = 1;
-	if(ftpbase) myfree(ftpbase);
+	if(ftpbase) free(ftpbase);
 	ftpbase = NULL;
 	if(!(sp = (unsigned char *)strchr((char *)ss, ' '))){RETURN(799);}
 	*sp = 0;
 
 	decodeurl(ss, 0);
 	i = (int)strlen((char *)ss);
-	if(!(ftpbase = myalloc(i+2))){RETURN(21);}
+	if(!(ftpbase = malloc(i+2))){RETURN(21);}
 	memcpy(ftpbase, ss, i);
 	if(ftpbase[i-1] != '/') ftpbase[i++] = '/';
 	ftpbase[i] = 0;
@@ -635,13 +607,13 @@ for(;;){
 	}
 	if(ftps == INVALID_SOCKET){RETURN(780);}
 	if(!mode){
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[8], (int)strlen(proxy_stringtable[8]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[8], (int)strlen(proxy_stringtable[8]), conf.timeouts[STRING_S]);
 		s = param->remsock;
 		param->remsock = ftps;
 		if((param->operation == FTP_PUT) && (contentlength64 > 0)) param->waitclient64 = contentlength64;
 		res = mapsocket(param, conf.timeouts[CONNECTION_L]);
 		if (res == 99) res = 0;
-		so._closesocket(ftps);
+		param->srv->so._closesocket(param->sostate, ftps);
 		ftps = INVALID_SOCKET;
 		param->remsock = s;
 	}
@@ -781,15 +753,15 @@ for(;;){
 			if((bufsize - inbuf) < LINESIZE){
 				if (bufsize > 20000){
 					if(!headsent++){
-						socksend(param->clisock, (unsigned char *)proxy_stringtable[9], (int)strlen(proxy_stringtable[9]), conf.timeouts[STRING_S]);
+						socksend(param, param->clisock, (unsigned char *)proxy_stringtable[9], (int)strlen(proxy_stringtable[9]), conf.timeouts[STRING_S]);
 					}
-					if((unsigned)socksend(param->clisock, buf, inbuf, conf.timeouts[STRING_S]) != inbuf){
+					if((unsigned)socksend(param, param->clisock, buf, inbuf, conf.timeouts[STRING_S]) != inbuf){
 						RETURN(781);
 					}
 					inbuf = 0;
 				}
 				else {
-					if(!(newbuf = myrealloc(buf, bufsize + BUFSIZE))){RETURN (21);}
+					if(!(newbuf = realloc(buf, bufsize + BUFSIZE))){RETURN (21);}
 					buf = newbuf;
 					bufsize += BUFSIZE;
 				}
@@ -797,7 +769,7 @@ for(;;){
 		}
 		memcpy(buf+inbuf, "
    ", 4);
 		inbuf += 4;
-		so._closesocket(ftps);
+		param->srv->so._closesocket(param->sostate, ftps);
 		ftps = INVALID_SOCKET;
 		param->remsock = s;
 		if(inbuf){
@@ -812,9 +784,9 @@ for(;;){
 					"Connection: keep-alive\r\n"
 					"Content-Length: %d\r\n\r\n",
 					inbuf);
-				socksend(param->clisock, (unsigned char *)ftpbuf, (int)strlen(ftpbuf), conf.timeouts[STRING_S]);
+				socksend(param, param->clisock, (unsigned char *)ftpbuf, (int)strlen(ftpbuf), conf.timeouts[STRING_S]);
 			}
-			socksend(param->clisock, buf, inbuf, conf.timeouts[STRING_S]);
+			socksend(param, param->clisock, buf, inbuf, conf.timeouts[STRING_S]);
 			if(res){RETURN(res);}
 			if(!headsent)goto REQUESTEND;
 		}
@@ -824,16 +796,15 @@ for(;;){
  }
 
  if(isconnect && param->redirtype != R_HTTP) {
-	socksend(param->clisock, (unsigned char *)proxy_stringtable[8], (int)strlen(proxy_stringtable[8]), conf.timeouts[STRING_S]);
 	if(param->redirectfunc) {
-		if(req)myfree(req);
-		if(buf)myfree(buf);
+		if(req)free(req);
+		if(buf)free(buf);
 		return (*param->redirectfunc)(param);
 	}
 	param->res =  mapsocket(param, conf.timeouts[CONNECTION_L]);
 	if(param->redirectfunc) {
-		if(req)myfree(req);
-		if(buf)myfree(buf);
+		if(req)free(req);
+		if(buf)free(buf);
 		return (*param->redirectfunc)(param);
 	}
 	RETURN(param->res);
@@ -846,11 +817,11 @@ for(;;){
  else {
 #ifdef TCP_CORK
 	int opt = 1;
-	so._setsockopt(param->remsock, IPPROTO_TCP, TCP_CORK, (unsigned char *)&opt, sizeof(int));
+	param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_TCP, TCP_CORK, (unsigned char *)&opt, sizeof(int));
 #endif
 	 redirect = 1;
 	 res = (int)strlen((char *)req);
-	 if(socksend(param->remsock, req , res, conf.timeouts[STRING_L]) != res) {
+	 if(socksend(param, param->remsock, req , res, conf.timeouts[STRING_L]) != res) {
 		RETURN(518);
 	 }
 	 param->statscli64 += res;
@@ -892,13 +863,13 @@ for(;;){
 	sprintf((char*)buf + strlen((char *)buf), "\r\n");
  }
  sprintf((char*)buf+strlen((char *)buf), "\r\n");
- if ((res = socksend(param->remsock, buf+reqlen, (int)strlen((char *)buf+reqlen), conf.timeouts[STRING_S])) != (int)strlen((char *)buf+reqlen)) {
+ if ((res = socksend(param, param->remsock, buf+reqlen, (int)strlen((char *)buf+reqlen), conf.timeouts[STRING_S])) != (int)strlen((char *)buf+reqlen)) {
 	RETURN(518);
  }
 #ifdef TCP_CORK
  {
 	int opt = 0;
-	so._setsockopt(param->remsock, IPPROTO_TCP, TCP_CORK, (unsigned char *)&opt, sizeof(int));
+	param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_TCP, TCP_CORK, (unsigned char *)&opt, sizeof(int));
  }
 #endif
  param->statscli64 += res;
@@ -947,7 +918,7 @@ for(;;){
 		if(!sb)continue;
 		++sb;
 		while(isspace(*sb))sb++;
-		sscanf((char *)sb, "%"PRINTF_INT64_MODIFIER"u", &contentlength64);
+		sscanf((char *)sb, "%"SCNu64"", &contentlength64);
 		hascontent = 1;
 		if(param->unsafefilter && param->ndatfilterssrv > 0) {
 			hascontent = 2;
@@ -972,7 +943,7 @@ for(;;){
 		if (bufsize > 20000){
 			RETURN (516);
 		}
-		if(!(newbuf = myrealloc(buf, bufsize + BUFSIZE))){RETURN (21);}
+		if(!(newbuf = realloc(buf, bufsize + BUFSIZE))){RETURN (21);}
 		buf = newbuf;
 		bufsize += BUFSIZE;
 	}
@@ -1025,7 +996,7 @@ for(;;){
 	}
 	if(action != PASS) RETURN(517);
 	contentlength64 = param->srvinbuf;
-	sprintf((char*)buf+strlen((char *)buf), "Content-Length: %"PRINTF_INT64_MODIFIER"u\r\n", contentlength64);
+	sprintf((char*)buf+strlen((char *)buf), "Content-Length: %"PRIu64"\r\n", contentlength64);
 	hascontent = 1;
   }
  }
@@ -1042,7 +1013,7 @@ for(;;){
 		(hascontent && ckeepalive)?"keep-alive":"close");
 	 }
 	 sprintf((char*)buf + strlen((char *)buf), "\r\n");
-	 if((socksend(param->clisock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])) != (int)strlen((char *)buf)) {
+	 if((socksend(param, param->clisock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])) != (int)strlen((char *)buf)) {
 		RETURN(521);
 	 }
  }
@@ -1051,7 +1022,7 @@ for(;;){
 		if(param->chunked){
 			unsigned char smallbuf[32];
 			while ((i = sockgetlinebuf(param, SERVER, smallbuf, 30, '\n', conf.timeouts[STRING_S])) == 2) {
-				if (socksend(param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
+				if (socksend(param, param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
 					RETURN(533);
 				}
 				if(param->chunked == 2) break;
@@ -1060,19 +1031,19 @@ for(;;){
 				keepalive = 0;
 				break;
 			}
-			if (socksend(param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
+			if (socksend(param, param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
 					RETURN(535);
 			}
 			if(param->chunked == 2) {
 				if((i = sockgetlinebuf(param, SERVER, smallbuf, 30, '\n', conf.timeouts[STRING_S])) != 2) RETURN(534);
-				if (socksend(param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
+				if (socksend(param, param->clisock, smallbuf, i, conf.timeouts[STRING_S]) != i){
 					RETURN(533);
 				}
 				break;
 			}
 			smallbuf[i] = 0;
 			contentlength64 = 0;
-			sscanf((char *)smallbuf, "%"PRINTF_INT64_MODIFIER"x", &contentlength64);
+			sscanf((char *)smallbuf, "%"SCNx64"", &contentlength64);
 			if(contentlength64 == 0) {
 				param->chunked = 2;
 			}
@@ -1099,8 +1070,8 @@ for(;;){
 REQUESTEND:
 
  if((!ckeepalive || !keepalive) && param->remsock != INVALID_SOCKET){
-	so._shutdown(param->remsock, SHUT_RDWR);
-	so._closesocket(param->remsock);
+	param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, param->remsock);
 	param->remsock = INVALID_SOCKET;
 	RETURN(0);
  }
@@ -1113,49 +1084,51 @@ REQUESTEND:
 CLEANRET:
 
  if(param->res != 555 && param->res && param->clisock != INVALID_SOCKET && (param->res < 90 || param->res >=800 || param->res == 100 ||(param->res > 500 && param->res< 800))) {
-	if((param->res>=509 && param->res < 517) || param->res > 900) while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2);
-	if(param->res == 10) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[2], (int)strlen(proxy_stringtable[2]), conf.timeouts[STRING_S]);
+	if((param->res>=509 && param->res < 517) || param->res > 900) {
+		if(buf) while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2);
 	}
-	else if (res == 700 || res == 701){
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[16], (int)strlen(proxy_stringtable[16]), conf.timeouts[STRING_S]);
-		socksend(param->clisock, (unsigned char *)ftpbuf, inftpbuf, conf.timeouts[STRING_S]);
+	if(param->res == 10) {
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[2], (int)strlen(proxy_stringtable[2]), conf.timeouts[STRING_S]);
+	}
+	else if (param->res == 700 || param->res == 701){
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[16], (int)strlen(proxy_stringtable[16]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)ftpbuf, inftpbuf, conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 100 || (param->res >10 && param->res < 20) || (param->res >701 && param->res <= 705)) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[1], (int)strlen(proxy_stringtable[1]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[1], (int)strlen(proxy_stringtable[1]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res >=20 && param->res < 30) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[6], (int)strlen(proxy_stringtable[6]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[6], (int)strlen(proxy_stringtable[6]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res >=30 && param->res < 80) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[5], (int)strlen(proxy_stringtable[5]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[5], (int)strlen(proxy_stringtable[5]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 1 || (!param->srv->needuser && param->res < 10)) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[11], (int)strlen(proxy_stringtable[11]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[11], (int)strlen(proxy_stringtable[11]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res < 10) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[param->srv->usentlm?12:7], (int)strlen(proxy_stringtable[param->srv->usentlm?12:7]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[7], (int)strlen(proxy_stringtable[7]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 999) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[4], (int)strlen(proxy_stringtable[4]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[4], (int)strlen(proxy_stringtable[4]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 519) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[3], (int)strlen(proxy_stringtable[3]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[3], (int)strlen(proxy_stringtable[3]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 517) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[15], (int)strlen(proxy_stringtable[15]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[15], (int)strlen(proxy_stringtable[15]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res == 780) {
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[10], (int)strlen(proxy_stringtable[10]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[10], (int)strlen(proxy_stringtable[10]), conf.timeouts[STRING_S]);
 	}
 	else if(param->res >= 511 && param->res<=516){
-		socksend(param->clisock, (unsigned char *)proxy_stringtable[0], (int)strlen(proxy_stringtable[0]), conf.timeouts[STRING_S]);
+		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[0], (int)strlen(proxy_stringtable[0]), conf.timeouts[STRING_S]);
 	}
  } 
  logurl(param, (char *)buf, (char *)req, ftp);
- if(req)myfree(req);
- if(buf)myfree(buf);
- if(ftpbase)myfree(ftpbase);
+ if(req)free(req);
+ if(buf)free(buf);
+ if(ftpbase)free(ftpbase);
  freeparam(param);
  return (NULL);
 }
diff --git a/src/proxy.h b/src/proxy.h
index 9ff920e..2afbaa9 100644
--- a/src/proxy.h
+++ b/src/proxy.h
@@ -1,13 +1,13 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
-#define COPYRIGHT "(c)3APA3A, Vladimir Dubrovin & 3proxy.ru\n"\
-		 "Documentation and sources: http://3proxy.ru/\n"\
+#define COPYRIGHT "(c)3APA3A, Vladimir Dubrovin & 3proxy.org\n"\
+		 "Documentation and sources: https://3proxy.org/\n"\
 		 "Please read license agreement in \'copying\' file.\n"\
 		 "You may not use this program without accepting license agreement"
 
@@ -15,6 +15,12 @@
 #ifndef _3PROXY_H_
 #define _3PROXY_H_
 #include "version.h"
+
+#ifndef WITH_SSL
+#ifndef NORADIUS
+#define NORADIUS
+#endif
+#endif
 #include 
 #include 
 #include 
@@ -29,8 +35,7 @@
 #define _PASSWORD_LEN 256
 #define MAXNSERVERS 5
 
-#define UDPBUFSIZE 16384
-#define TCPBUFSIZE  8192
+#define TCPBUFSIZE 65536
 #define SRVBUFSIZE (param->srv->bufsize?param->srv->bufsize:((param->service == S_UDPPM)?UDPBUFSIZE:TCPBUFSIZE))
 
 
@@ -45,6 +50,8 @@
 #include 
 #define SASIZETYPE int
 #define SHUT_RDWR SD_BOTH
+#define SHUT_WR SD_SEND
+#define SHUT_RD SD_RECEIVE
 #else
 #ifndef FD_SETSIZE
 #define FD_SETSIZE 4096
@@ -105,7 +112,7 @@ void daemonize(void);
 #endif
 #endif
 
-#ifndef NOODBC
+#ifdef WITH_ODBC
 #ifndef _WIN32
 #include 
 #endif
@@ -114,8 +121,12 @@ void daemonize(void);
 #endif
 
 #ifdef _WIN32
+#ifndef strcasecmp
 #define strcasecmp stricmp
+#endif
+#ifndef strncasecmp
 #define strncasecmp strnicmp
+#endif
 #define seterrno3(x) _set_errno(x)
 #else
 #define seterrno3(x) (errno = x) 
@@ -141,10 +152,18 @@ void daemonize(void);
 
 #define DEFLOGFORMAT "G%y%m%d%H%M%S.%. %p %E %U %C:%c %R:%r %O %I %h %T"
 
-#define myalloc malloc
-#define myfree free
-#define myrealloc realloc
-#define mystrdup strdup
+
+#ifdef _TIME64_T_DEFINED
+#ifdef _MAX__TIME64_T
+#define MAX_COUNTER_TIME (_MAX__TIME64_T)
+#elif defined (MAX__TIME64_T)
+#define MAX_COUNTER_TIME (MAX__TIME64_T)
+#else
+#define MAX_COUNTER_TIME (0x793406fff)
+#endif 
+#else
+#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
+#endif
 
 extern RESOLVFUNC resolvfunc;
 
@@ -154,16 +173,19 @@ extern int timetoexit;
 
 extern struct extparam conf;
 
+extern int timeouts[12];
+
 int sockmap(struct clientparam * param, int timeo, int usesplice);
-int socksend(SOCKET sock, unsigned char * buf, int bufsize, int to);
-int socksendto(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
-int sockrecvfrom(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
+int udpsockmap(struct clientparam * param, int timeo);
+int socksend(struct clientparam *param, SOCKET sock, unsigned char * buf, int bufsize, int to);
+int socksendto(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
+int sockrecvfrom(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
 
 
 int sockgetcharcli(struct clientparam * param, int timeosec, int timeousec);
 int sockgetcharsrv(struct clientparam * param, int timeosec, int timeousec);
-int sockfillbuffcli(struct clientparam * param, unsigned long size, int timeosec);
-int sockfillbuffsrv(struct clientparam * param, unsigned long size, int timeosec);
+unsigned long sockfillbuffcli(struct clientparam * param, unsigned long size, int timeosec);
+unsigned long sockfillbuffsrv(struct clientparam * param, unsigned long size, int timeosec);
 
 int sockgetlinebuf(struct clientparam * param, DIRECTION which, unsigned char * buf, int bufsize, int delim, int to);
 
@@ -191,25 +213,24 @@ int doauth(struct clientparam * param);
 int strongauth(struct clientparam * param);
 void trafcountfunc(struct clientparam *param);
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout);
+int handleredirect(struct clientparam * param, struct ace * acentry);
 
-
-int scanaddr(const unsigned char *s, unsigned long * ip, unsigned long * mask);
+int scanaddr(const unsigned char *s, uint32_t * ip, uint32_t * mask);
 int myinet_ntop(int af, void *src, char *dst, socklen_t size);
 extern struct nserver nservers[MAXNSERVERS];
 extern struct nserver authnserver;
-unsigned long getip(unsigned char *name);
-unsigned long getip46(int family, unsigned char *name,  struct sockaddr *sa);
+uint32_t getip(unsigned char *name);
+uint32_t getip46(int family, unsigned char *name,  struct sockaddr *sa);
 int afdetect(unsigned char *name);
-unsigned long myresolver(int, unsigned char *, unsigned char *);
-unsigned long fakeresolver (int, unsigned char *, unsigned char*);
-int inithashtable(struct hashtable *hashtable, unsigned nhashsize);
+uint32_t myresolver(int, unsigned char *, unsigned char *);
+uint32_t fakeresolver (int, unsigned char *, unsigned char*);
 void freeparam(struct clientparam * param);
 void clearstat(struct clientparam * param);
 void dumpcounters(struct trafcount *tl, int counterd);
 
 int startconnlims (struct clientparam *param);
 void stopconnlims (struct clientparam *param);
-
+int socks5_udp_build_hdr(unsigned char *buf, PROXYSOCKADDRTYPE *addr);
 
 
 extern struct auth authfuncs[];
@@ -219,12 +240,23 @@ extern int paused;
 extern int demon;
 
 unsigned char * mycrypt(const unsigned char *key, const unsigned char *salt, unsigned char *buf);
+#ifdef WITH_SSL
 unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPassword, int tohex);
+#endif
 int de64 (const unsigned char *in, unsigned char *out, int maxlen);
 unsigned char* en64 (const unsigned char *in, unsigned char *out, int inlen);
 void tohex(unsigned char *in, unsigned char *out, int len);
 void fromhex(unsigned char *in, unsigned char *out, int len);
 
+#ifdef _WIN32
+extern HANDLE udpinit;
+#define _3proxy_sem_lock(x) WaitForSingleObject(x, INFINITE)
+#define _3proxy_sem_unlock(x) ReleaseSemaphore(x, 1, NULL)
+#else
+extern _3proxy_mutex_t udpinit;
+#define _3proxy_sem_lock(x) pthread_mutex_lock(&x)
+#define _3proxy_sem_unlock(x) pthread_mutex_unlock(&x)
+#endif
 
 
 int ftplogin(struct clientparam *param, char *buf, int *inbuf);
@@ -242,17 +274,20 @@ void genchallenge(struct clientparam *param, char * challenge, char *buf);
 void mschap(const unsigned char *win_password,
 		 const unsigned char *challenge, unsigned char *response);
 
-struct hashtable;
-void hashadd(struct hashtable *ht, const unsigned char* name, unsigned char* value, time_t expires);
+void destroyhashtable(struct hashtable *ht);
+int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit);
+void hashadd(struct hashtable *ht, void* name, void* value, time_t expires);
+void hashdelete(struct hashtable *ht, void* name);
+int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl);
 
 int parsehost(int family, unsigned char *host, struct sockaddr *sa);
-int parsehostname(char *hostname, struct clientparam *param, unsigned short port);
+int parsehostname(char *hostname, struct clientparam *param, uint16_t port);
 int parseusername(char *username, struct clientparam *param, int extpasswd);
-int parseconnusername(char *username, struct clientparam *param, int extpasswd, unsigned short port);
+int parseconnusername(char *username, struct clientparam *param, int extpasswd, uint16_t port);
 int ACLmatches(struct ace* acentry, struct clientparam * param);
 int checkACL(struct clientparam * param);
 extern int havelog;
-unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, unsigned *retttl, struct clientparam* param, int makeauth);
+uint32_t udpresolve(int af, unsigned char * name, unsigned char * value, uint32_t *retttl, struct clientparam* param, int makeauth);
 
 struct ace * copyacl (struct ace *ac);
 struct auth * copyauth (struct auth *);
@@ -266,6 +301,8 @@ void freepwl(struct passwords *pw);
 void copyfilter(struct filter *, struct srvparam *srv);
 FILTER_ACTION makefilters (struct srvparam *srv, struct clientparam *param);
 FILTER_ACTION handlereqfilters(struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p);
+FILTER_ACTION handleconnectflt(struct clientparam *param);
+FILTER_ACTION handleafterauthflt(struct clientparam *param);
 FILTER_ACTION handlehdrfilterscli(struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p);
 FILTER_ACTION handlehdrfilterssrv(struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p);
 FILTER_ACTION handlepredatflt(struct clientparam *param);
@@ -277,10 +314,11 @@ void srvinit2(struct srvparam * srv, struct clientparam *param);
 void srvfree(struct srvparam * srv);
 unsigned char * dologname (unsigned char *buf, unsigned char *name, const unsigned char *ext, ROTATION lt, time_t t);
 int readconfig(FILE * fp);
-int connectwithpoll(SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to);
+int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to);
 
 
 int myrand(void * entropy, int len);
+uint32_t murmurhash3(const void *key, int len, uint32_t seed);
 
 extern char *copyright;
 
@@ -293,23 +331,23 @@ void * smtppchild(struct clientparam * param);
 void * proxychild(struct clientparam * param);
 void * sockschild(struct clientparam * param);
 void * tcppmchild(struct clientparam * param);
+void * autochild(struct clientparam * param);
 void * udppmchild(struct clientparam * param);
 void * adminchild(struct clientparam * param);
 void * ftpprchild(struct clientparam * param);
+void * tlsprchild(struct clientparam * param);
 
 
 struct datatype;
 struct dictionary;
 struct node;
 struct property;
-extern pthread_mutex_t config_mutex;
-extern pthread_mutex_t bandlim_mutex;
-extern pthread_mutex_t connlim_mutex;
-extern pthread_mutex_t hash_mutex;
-extern pthread_mutex_t tc_mutex;
-extern pthread_mutex_t pwl_mutex;
-extern pthread_mutex_t log_mutex;
-extern pthread_mutex_t rad_mutex;
+extern _3proxy_mutex_t config_mutex;
+extern _3proxy_mutex_t bandlim_mutex;
+extern _3proxy_mutex_t connlim_mutex;
+extern _3proxy_mutex_t tc_mutex;
+extern _3proxy_mutex_t log_mutex;
+extern _3proxy_mutex_t rad_mutex;
 extern struct datatype datatypes[64];
 
 extern struct commands commandhandlers[];
@@ -320,16 +358,13 @@ extern struct commands commandhandlers[];
 #define mapsocket(a,b) sockmap(a,b, 0)
 #endif
 
+#ifdef WITH_UN
+void make_un(const unsigned char *path, struct sockaddr_un * sun);
+#endif
+
 
 extern struct radserver {
-#ifdef NOIPV6
-	struct  sockaddr_in authaddr, logaddr, localaddr;
-#else
-	struct  sockaddr_in6 authaddr, logaddr, localaddr;
-#endif
-/*
-	SOCKET logsock;
-*/
+	PROXYSOCKADDRTYPE authaddr, logaddr, localaddr;
 } radiuslist[MAXRADIUS];
 
 extern char radiussecret[64];
diff --git a/src/proxymain.c b/src/proxymain.c
index 53856db..4f21237 100644
--- a/src/proxymain.c
+++ b/src/proxymain.c
@@ -1,12 +1,15 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2017 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
 #include "proxy.h"
+#ifdef __linux__
+#include 
+#endif
 
 #define param ((struct clientparam *) p)
 #ifdef _WIN32
@@ -22,12 +25,12 @@ void * threadfunc (void *p) {
 	fds.events = POLLIN;
 	fds.revents = 0;
 	for(i=5+(param->srv->maxchild>>10); i; i--){
-		if(so._poll(&fds, 1, 1000*CONNBACK_TO)!=1){
+		if(param->srv->so._poll(param->sostate, &fds, 1, 1000*CONNBACK_TO)!=1){
 			dolog(param, (unsigned char *)"Connect back not received, check connback client");
 			i = 0;
 			break;
 		}
-		param->remsock = so._accept(param->srv->cbsock, (struct sockaddr*)¶m->sinsr, &size);
+		param->remsock = param->srv->so._accept(param->sostate, param->srv->cbsock, (struct sockaddr*)¶m->sinsr, &size);
 		if(param->remsock == INVALID_SOCKET) {
 			dolog(param, (unsigned char *)"Connect back accept() failed");
 			continue;
@@ -45,14 +48,14 @@ void * threadfunc (void *p) {
 		if(param->srv->acl) param->res = checkACL(param);
 		if(param->res){
 			dolog(param, (unsigned char *)"Connect back ACL failed");
-			so._closesocket(param->remsock);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 			continue;
 		}
 #endif
-		if(socksendto(param->remsock, (struct sockaddr*)¶m->sinsr, (unsigned char *)"C", 1, CONNBACK_TO*1000) != 1){
+		if(socksendto(param, param->remsock, (struct sockaddr*)¶m->sinsr, (unsigned char *)"C", 1, CONNBACK_TO*1000) != 1){
 			dolog(param, (unsigned char *)"Connect back sending command failed");
-			so._closesocket(param->remsock);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 			continue;
 		}
@@ -74,6 +77,37 @@ void * threadfunc (void *p) {
 #endif
 #endif
 
+	if(param->srv->haproxy){
+	    char buf[128];
+	    int i;
+	    i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, sizeof(buf)-1, '\n', conf.timeouts[STRING_S]);
+	    if(i > 12 && !strncasecmp(buf, "PROXY TCP", 9)){
+		char *token, *token2=NULL;
+		unsigned short u1=0, u2=0;
+		buf[i] = 0;
+		token = strchr(buf, ' ');
+		if(token) token = strchr(token+1, ' ');
+		if(token) token++;
+		if(token) token2 = strchr(token+1, ' ');
+		if(token2) {
+		    *token2 = 0;
+		    getip46(46, (unsigned char*) token, (struct sockaddr *)¶m->sincr);
+		    token = token2+1;
+		    token2 = strchr(token, ' ');
+		}
+		if(token2) {
+		    *token2 = 0;
+		    getip46(46, (unsigned char *) token, (struct sockaddr *)¶m->sincl);
+		    token = token2+1;
+		    token2 = strchr(token, ' ');
+		}
+		if(token){
+		    sscanf(token,"%hu%hu", &u1, &u2);
+		    if(u1) *SAPORT(¶m->sincr) = htons(u1);
+		    if(u2) *SAPORT(¶m->sincl) = htons(u2);
+		}
+	    }
+	}
 	((struct clientparam *) p)->srv->pf((struct clientparam *)p);
  }
 #ifdef _WIN32
@@ -84,7 +118,6 @@ void * threadfunc (void *p) {
 }
 #undef param
 
-
 struct socketoptions sockopts[] = {
 #ifdef TCP_NODELAY
 	{TCP_NODELAY, "TCP_NODELAY"},
@@ -124,6 +157,15 @@ struct socketoptions sockopts[] = {
 #endif
 #ifdef IP_TRANSPARENT
 	{IP_TRANSPARENT, "IP_TRANSPARENT"},
+#endif
+#ifdef TCP_FASTOPEN
+	{TCP_FASTOPEN, "TCP_FASTOPEN"},
+#endif
+#ifdef TCP_FASTOPEN_CONNECT
+	{TCP_FASTOPEN_CONNECT, "TCP_FASTOPEN_CONNECT"},
+#endif
+#ifdef TCP_MAXSEG
+	{TCP_MAXSEG, "TCP_MAXSEG"},
 #endif
 	{0, NULL}
 };
@@ -147,6 +189,12 @@ void setopts(SOCKET s, int opts){
 	int i, opt, set;
 	for(i = 0; opts >= (opt = (1<logtarget) free(srv->logtarget);
+	if(srv->logformat) free(srv->logformat);
+#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
+	if(srv->ibindtodevice) free(srv->ibindtodevice);
+	if(srv->obindtodevice) free(srv->obindtodevice);
+#endif
+#ifdef __linux__
+	if(srv->inetns) free(srv->inetns);
+	if(srv->onetns) free(srv->onetns);
+#endif
+}
 
 #ifndef MODULEMAINFUNC
 #define MODULEMAINFUNC main
@@ -197,14 +259,13 @@ int MODULEMAINFUNC (int argc, char** argv){
  char *hostname=NULL;
  int opt = 1, isudp = 0, iscbl = 0, iscbc = 0;
  unsigned char *cbc_string = NULL, *cbl_string = NULL;
-#ifndef NOIPV6
- struct sockaddr_in6 cbsa;
-#else
- struct sockaddr_in cbsa;
-#endif
+ PROXYSOCKADDRTYPE cbsa;
  FILE *fp = NULL;
  struct linger lg;
  int nlog = 5000;
+#ifdef __linux__
+ int saved_nsfd = -1;
+#endif
  char loghelp[] =
 #ifdef STDMAIN
 #ifndef _WIN32
@@ -216,13 +277,14 @@ int MODULEMAINFUNC (int argc, char** argv){
 	" -u never ask for username\n"
 	" -u2 always ask for username\n"
 #endif
-#ifdef SO_BINDTODEVICE
+#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
 	" -Di(DEVICENAME) bind internal interface to device, e.g. eth1\n"
 	" -De(DEVICENAME) bind external interface to device, e.g. eth1\n"
 #endif
 #ifdef WITHSLICE
 	" -s Use slice() - faster proxing, but no filtering for data\n"
 #endif
+	"-g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY) - delay GRACE_DELAY milliseconds before polling if average polling size below  GRACE_TRAFF bytes and GRACE_NUM read operations in single directions are detected within 1 second to minimize polling\n"
 	" -fFORMAT logging format (see documentation)\n"
 	" -l log to stderr\n"
 	" -lFILENAME log to FILENAME\n"
@@ -284,6 +346,19 @@ int MODULEMAINFUNC (int argc, char** argv){
  srvinit(&srv, &defparam);
  srv.pf = childdef.pf;
  isudp = childdef.isudp;
+#ifndef NOUDPMAIN
+ if(isudp) {
+	if(!udp_table.ihashtable)inithashtable(&udp_table, 64, 256, 65536);
+	srv.udpbuf = malloc(UDPBUFSIZE);
+	srv.udpbuf2 = malloc(UDPBUFSIZE);
+	if(!srv.udpbuf || !srv.udpbuf2) {
+#ifndef STDMAIN
+		haveerror = 2;
+#endif
+		return 11;
+	}
+ }
+#endif
  srv.service = defparam.service = childdef.service;
  
 #ifndef STDMAIN
@@ -312,7 +387,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 #endif
 #else
  srv.needuser = 0;
- pthread_mutex_init(&log_mutex, NULL);
+ _3proxy_mutex_init(&log_mutex);
 #endif
 
  for (i=1; isun_path)unlink(sun->sun_path);
+	}
+#endif
 	size = sizeof(srv.intsa);
-	for(sleeptime = SLEEPTIME * 100; so._bind(sock, (struct sockaddr*)&srv.intsa, SASIZE(&srv.intsa))==-1; usleep(sleeptime)) {
+	for(sleeptime = SLEEPTIME * 100; srv.so._bind(srv.so.state, sock, (struct sockaddr*)&srv.intsa, SASIZE(&srv.intsa))==-1; usleep(sleeptime)) {
 		sprintf((char *)buf, "bind(): %s", strerror(errno));
-		if(!srv.silent)dolog(&defparam, buf);	
-		sleeptime = (sleeptime<<1);	
+		if(!srv.silent)dolog(&defparam, buf);
+		sleeptime = (sleeptime<<1);
 		if(!sleeptime) {
-			so._closesocket(sock);
+			srv.so._closesocket(srv.so.state, sock);
+			freesrvstrings(&srv, cbc_string, cbl_string);
 			return -3;
 		}
 	}
  	if(!isudp){
- 		if(so._listen (sock, 1 + (srv.maxchild>>4))==-1) {
+		if(srv.so._listen (srv.so.state, sock, srv.backlog?srv.backlog : 1+(srv.maxchild>>3))==-1) {
 			sprintf((char *)buf, "listen(): %s", strerror(errno));
 			if(!srv.silent)dolog(&defparam, buf);
+			srv.so._closesocket(srv.so.state, sock);
+			freesrvstrings(&srv, cbc_string, cbl_string);
 			return -4;
 		}
 	}
-	else 
+#ifndef NOUDPMAIN
+	else
 		defparam.clisock = sock;
+#endif
 
 	if(!srv.silent && !iscbc){
-		sprintf((char *)buf, "Accepting connections [%u/%u]", (unsigned)getpid(), (unsigned)pthread_self());
+		sprintf((char *)buf, "Accepting connections [%"PRIu64"/%"PRIu64"]", (uint64_t)getpid(), (uint64_t)pthread_self());
 		dolog(&defparam, buf);
 	}
  }
+#ifdef __linux__
+ if(saved_nsfd != -1) {
+	if(setns(saved_nsfd, CLONE_NEWNET)) {
+		dolog(&defparam, (unsigned char *)"failed to restore netns");
+		if(srv.service == S_SOCKS) {
+			if(srv.i_nsfd >= 0) { close(srv.i_nsfd); srv.i_nsfd = -1; }
+			srv.saved_nsfd = -1;
+		}
+		close(saved_nsfd);
+		freesrvstrings(&srv, cbc_string, cbl_string);
+		return -14;
+	}
+	if(srv.service != S_SOCKS) {
+		close(saved_nsfd);
+		saved_nsfd = -1;
+	}
+ }
+ if(srv.onetns) {
+	int nsfd = open(srv.onetns, O_RDONLY);
+	if(nsfd == -1) {
+		dolog(&defparam, (unsigned char *)"failed to open onetns");
+		if(srv.service == S_SOCKS) {
+			if(srv.saved_nsfd >= 0) { close(srv.saved_nsfd); srv.saved_nsfd = -1; }
+			if(srv.i_nsfd >= 0) { close(srv.i_nsfd); srv.i_nsfd = -1; }
+		}
+		freesrvstrings(&srv, cbc_string, cbl_string);
+		return -14;
+	}
+	if(setns(nsfd, CLONE_NEWNET)) {
+		dolog(&defparam, (unsigned char *)"failed to setns onetns");
+		close(nsfd);
+		if(srv.service == S_SOCKS) {
+			if(srv.saved_nsfd >= 0) { close(srv.saved_nsfd); srv.saved_nsfd = -1; }
+			if(srv.i_nsfd >= 0) { close(srv.i_nsfd); srv.i_nsfd = -1; }
+		}
+		freesrvstrings(&srv, cbc_string, cbl_string);
+		return -14;
+	}
+	if(srv.service == S_SOCKS) srv.o_nsfd = nsfd;
+	else close(nsfd);
+ }
+#endif
  if(iscbl){
 	parsehost(srv.family, cbl_string, (struct sockaddr *)&cbsa);
-	if((srv.cbsock=so._socket(SASOCK(&cbsa), SOCK_STREAM, IPPROTO_TCP))==INVALID_SOCKET) {
+	if((srv.cbsock=srv.so._socket(srv.so.state, SASOCK(&cbsa), SOCK_STREAM, IPPROTO_TCP))==INVALID_SOCKET) {
 		dolog(&defparam, (unsigned char *)"Failed to allocate connect back socket");
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -6;
 	}
 	opt = 1;
-	so._setsockopt(srv.cbsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
+	srv.so._setsockopt(srv.so.state, srv.cbsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
 #ifdef SO_REUSEPORT
 	opt = 1;
-	so._setsockopt(srv.cbsock, SOL_SOCKET, SO_REUSEPORT, (char *)&opt, sizeof(int));
+	srv.so._setsockopt(srv.so.state, srv.cbsock, SOL_SOCKET, SO_REUSEPORT, (char *)&opt, sizeof(int));
 #endif
 
 	setopts(srv.cbsock, srv.cbssockopts);
 
-	if(so._bind(srv.cbsock, (struct sockaddr*)&cbsa, SASIZE(&cbsa))==-1) {
+	if(srv.so._bind(srv.so.state, srv.cbsock, (struct sockaddr*)&cbsa, SASIZE(&cbsa))==-1) {
 		dolog(&defparam, (unsigned char *)"Failed to bind connect back socket");
+		srv.so._closesocket(srv.so.state, srv.cbsock);
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -7;
 	}
-	if(so._listen(srv.cbsock, 1 + (srv.maxchild>>4))==-1) {
+	if(srv.so._listen(srv.so.state, srv.cbsock, 1 + (srv.maxchild>>4))==-1) {
 		dolog(&defparam, (unsigned char *)"Failed to listen connect back socket");
+		srv.so._closesocket(srv.so.state, srv.cbsock);
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -8;
 	}
  }
@@ -683,7 +898,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 		if (iscbc) break;
 		if (conf.paused != srv.paused) break;
 		if (srv.fds.events & POLLIN) {
-			error = so._poll(&srv.fds, 1, 1000);
+			error = srv.so._poll(srv.so.state, &srv.fds, 1, 1000);
 		}
 		else {
 			usleep(SLEEPTIME);
@@ -702,20 +917,20 @@ int MODULEMAINFUNC (int argc, char** argv){
 	if(!isudp){
 		size = sizeof(defparam.sincr);
 		if(iscbc){
-			new_sock=so._socket(SASOCK(&defparam.sincr), SOCK_STREAM, IPPROTO_TCP);
+			new_sock=so._socket(so.state, SASOCK(&defparam.sincr), SOCK_STREAM, IPPROTO_TCP);
 			if(new_sock != INVALID_SOCKET){
 				setopts(new_sock, srv.cbcsockopts);
 
 				parsehost(srv.family, cbc_string, (struct sockaddr *)&defparam.sincr);
-				if(connectwithpoll(new_sock,(struct sockaddr *)&defparam.sincr,SASIZE(&defparam.sincr),CONNBACK_TO)) {
-					so._closesocket(new_sock);
+				if(connectwithpoll(NULL, new_sock,(struct sockaddr *)&defparam.sincr,SASIZE(&defparam.sincr),CONNBACK_TO)) {
+					so._closesocket(so.state, new_sock);
 					new_sock = INVALID_SOCKET;
 					usleep(SLEEPTIME);
 					continue;
 				}
 
-				if(sockrecvfrom(new_sock,(struct sockaddr*)&defparam.sincr,buf,1,60*1000) != 1 || *buf!='C') {
-					so._closesocket(new_sock);
+				if(sockrecvfrom(NULL, new_sock,(struct sockaddr*)&defparam.sincr,buf,1,60*1000) != 1 || *buf!='C') {
+					so._closesocket(so.state, new_sock);
 					new_sock = INVALID_SOCKET;
 					usleep(SLEEPTIME);
 					continue;
@@ -727,7 +942,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 			}
 		}
 		else {
-			new_sock = so._accept(sock, (struct sockaddr*)&defparam.sincr, &size);
+			new_sock = srv.so._accept(srv.so.state, sock, (struct sockaddr*)&defparam.sincr, &size);
 			if(new_sock == INVALID_SOCKET){
 #ifdef _WIN32
 				switch(WSAGetLastError()){
@@ -775,42 +990,82 @@ int MODULEMAINFUNC (int argc, char** argv){
 			setopts(new_sock, srv.clisockopts);
 		}
 		size = sizeof(defparam.sincl);
-		if(so._getsockname(new_sock, (struct sockaddr *)&defparam.sincl, &size)){
+		if(srv.so._getsockname(srv.so.state, new_sock, (struct sockaddr *)&defparam.sincl, &size)){
 			sprintf((char *)buf, "getsockname(): %s", strerror(errno));
 			if(!srv.silent)dolog(&defparam, buf);
+			srv.so._closesocket(srv.so.state, new_sock);
 			continue;
 		}
+#ifdef WITH_UN
+		if(*SAFAMILY(&defparam.sincl) == AF_UNIX) defparam.sincr = defparam.sincl;
+#endif
 #ifdef _WIN32
 		ioctlsocket(new_sock, FIONBIO, &ul);
 #else
 		fcntl(new_sock,F_SETFL,O_NONBLOCK | fcntl(new_sock,F_GETFL));
 #endif
-		so._setsockopt(new_sock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
-		so._setsockopt(new_sock, SOL_SOCKET, SO_OOBINLINE, (char *)&opt, sizeof(int));
+		lg.l_onoff = 1;
+		lg.l_linger = conf.timeouts[STRING_L];
+
+		srv.so._setsockopt(srv.so.state, new_sock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+		srv.so._setsockopt(srv.so.state, new_sock, SOL_SOCKET, SO_OOBINLINE, (char *)&opt, sizeof(int));
 	}
+#ifndef NOUDPMAIN
 	else {
-		srv.fds.events = 0;
+		struct clientparam *toparam;
+
+		srv.udplen = sockrecvfrom(NULL, srv.srvsock, (struct sockaddr *)&defparam.sincr, srv.udpbuf, UDPBUFSIZE, 0);
+		if(srv.udplen <= 0) continue;
+		_3proxy_sem_lock(udpinit);
+		if(hashresolv(&udp_table, &defparam, &toparam, NULL)) {
+		    int i, len=0;
+		
+		    if(toparam->udp_nhops){
+			for(i=1; i < toparam->udp_nhops; i++){
+			    len+=socks5_udp_build_hdr(srv.udpbuf2+len, &toparam->udp_relay[i-1]);
+    			}
+    			len += socks5_udp_build_hdr(srv.udpbuf2+len, &toparam->req);
+		    }
+		    memcpy(srv.udpbuf2+len, srv.udpbuf, srv.udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : srv.udplen);
+		    len += srv.udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : srv.udplen;
+		    srv.so._sendto(toparam->sostate, toparam->remsock, (char *)srv.udpbuf2, len, 0, (struct sockaddr *)&toparam->sinsr, SASIZE(&toparam->sinsr));
+		    toparam->statscli64 += srv.udplen;
+		    toparam->nwrites++;
+		    _3proxy_sem_unlock(udpinit);
+		    continue;
+		}
 	}
-	if(! (newparam = myalloc (sizeof(defparam)))){
-		if(!isudp) so._closesocket(new_sock);
+#endif
+	if(! (newparam = malloc (sizeof(defparam)))){
+		if(!isudp) srv.so._closesocket(srv.so.state, new_sock);
+#ifndef NOUDPMAIN
+		else {
+			_3proxy_sem_unlock(udpinit);
+		}
+#endif
 		defparam.res = 21;
 		if(!srv.silent)dolog(&defparam, (unsigned char *)"Memory Allocation Failed");
 		usleep(SLEEPTIME);
 		continue;
 	};
 	*newparam = defparam;
-	if(defparam.hostname)newparam->hostname=(unsigned char *)mystrdup((char *)defparam.hostname);
+	if(defparam.hostname)newparam->hostname=(unsigned char *)strdup((char *)defparam.hostname);
 	clearstat(newparam);
 	if(!isudp) newparam->clisock = new_sock;
 #ifndef STDMAIN
 	if(makefilters(&srv, newparam) > CONTINUE){
-		freeparam(newparam);		
+		freeparam(newparam);
+#ifndef NOUDPMAIN
+		if(isudp) {
+			_3proxy_sem_unlock(udpinit);
+		}
+#endif
 		continue;
 	}
 #endif
 	newparam->prev = newparam->next = NULL;
 	error = 0;
-	pthread_mutex_lock(&srv.counter_mutex);
+	_3proxy_mutex_lock(&srv.counter_mutex);
 	if(!srv.child){
 		srv.child = newparam;
 	}
@@ -824,59 +1079,73 @@ int MODULEMAINFUNC (int argc, char** argv){
 #else
 	h = (HANDLE)CreateThread((LPSECURITY_ATTRIBUTES )NULL, (unsigned)(16384 + srv.stacksize), (void *)threadfunc, (void *) newparam, 0, &thread);
 #endif
-	srv.childcount++;
 	if (h) {
-		newparam->threadid = (unsigned)thread;
 		CloseHandle(h);
 	}
 	else {
 		sprintf((char *)buf, "_beginthreadex(): %s", _strerror(NULL));
-		if(!srv.silent)dolog(&defparam, buf);
 		error = 1;
 	}
 #else
 
-	error = pthread_create(&thread, &pa, threadfunc, (void *)newparam);
-	srv.childcount++;
-	if(error){
+	if ((error = pthread_create(&thread, &pa, threadfunc, (void *)newparam))){
 		sprintf((char *)buf, "pthread_create(): %s", strerror(error));
-		if(!srv.silent)dolog(&defparam, buf);
-	}
-	else {
-		newparam->threadid = (unsigned)thread;
 	}
 #endif
-	pthread_mutex_unlock(&srv.counter_mutex);
-	if(error) freeparam(newparam);
-
+	if(error){
+		if(!srv.silent)dolog(&defparam, buf);
+		if(newparam->prev) newparam->prev->next = newparam->next;
+		else srv.child = newparam->next;
+		if(newparam->next) newparam->next->prev = newparam->prev;
+		newparam->srv = NULL;
+#ifndef NOUDPMAIN
+		if(isudp){
+			_3proxy_sem_unlock(udpinit);
+		}
+#endif
+		freeparam(newparam);
+	}
+	else {
+		srv.childcount++;
+		newparam->threadid = (uint64_t)thread;
+	}
+	_3proxy_mutex_unlock(&srv.counter_mutex);
 	memset(&defparam.sincl, 0, sizeof(defparam.sincl));
 	memset(&defparam.sincr, 0, sizeof(defparam.sincr));
-	if(isudp) while(!srv.fds.events)usleep(SLEEPTIME);
  }
 
- if(!srv.silent) srv.logfunc(&defparam, (unsigned char *)"Exiting thread");
-
- srvfree(&srv);
 
 #ifndef STDMAIN
- pthread_mutex_lock(&config_mutex);
+ _3proxy_mutex_lock(&config_mutex);
  if(srv.next)srv.next->prev = srv.prev;
  if(srv.prev)srv.prev->next = srv.next;
  else conf.services = srv.next;
- pthread_mutex_unlock(&config_mutex);
+ _3proxy_mutex_unlock(&config_mutex);
 #endif
 
+ if(!srv.silent) srv.logfunc(&defparam, (unsigned char *)"Exiting thread");
+ srvfree(&srv);
+
 #ifndef _WIN32
  pthread_attr_destroy(&pa);
 #endif
- if(defparam.hostname)myfree(defparam.hostname);
- if(cbc_string)myfree(cbc_string);
- if(cbl_string)myfree(cbl_string);
+ if(defparam.hostname)free(defparam.hostname);
+ if(cbc_string)free(cbc_string);
+ if(cbl_string)free(cbl_string);
  if(fp) fclose(fp);
 
  return 0;
 }
 
+#ifndef NOUDPMAIN
+int udpinited = 0;
+#ifdef _WIN32
+HANDLE udpinit;
+#else
+_3proxy_mutex_t udpinit;
+#endif
+
+#endif
 
 void srvinit(struct srvparam * srv, struct clientparam *param){
 
@@ -885,20 +1154,23 @@ void srvinit(struct srvparam * srv, struct clientparam *param){
  srv->paused = conf.paused;
  srv->logfunc = havelog?conf.logfunc:lognone;
  srv->noforce = conf.noforce;
- srv->logformat = conf.logformat? (unsigned char *)mystrdup((char *)conf.logformat) : NULL;
+ srv->logformat = conf.logformat? (unsigned char *)strdup((char *)conf.logformat) : NULL;
  srv->authfunc = conf.authfunc;
- srv->usentlm = 0;
  srv->maxchild = conf.maxchild;
+ srv->backlog = conf.backlog;
  srv->stacksize = conf.stacksize;
  srv->time_start = time(NULL);
  if(havelog && conf.logtarget){
-	 srv->logtarget = (unsigned char *)mystrdup((char *)conf.logtarget);
+	 srv->logtarget = (unsigned char *)strdup((char *)conf.logtarget);
  }
  srv->srvsock = INVALID_SOCKET;
  srv->logdumpsrv = conf.logdumpsrv;
  srv->logdumpcli = conf.logdumpcli;
- srv->cbsock = INVALID_SOCKET; 
+ srv->cbsock = INVALID_SOCKET;
  srv->needuser = 1;
+#ifdef __linux__
+ srv->saved_nsfd = srv->i_nsfd = srv->o_nsfd = -1;
+#endif
 #ifdef WITHSPLICE
  srv->usesplice = 1;
 #endif
@@ -908,12 +1180,25 @@ void srvinit(struct srvparam * srv, struct clientparam *param){
  param->paused = srv->paused;
  param->remsock = param->clisock = param->ctrlsock = param->ctrlsocksrv = INVALID_SOCKET;
  *SAFAMILY(¶m->req) = *SAFAMILY(¶m->sinsl) = *SAFAMILY(¶m->sinsr) = *SAFAMILY(¶m->sincr) = *SAFAMILY(¶m->sincl) = AF_INET;
- pthread_mutex_init(&srv->counter_mutex, NULL);
+ _3proxy_mutex_init(&srv->counter_mutex);
+#ifndef NOUDPMAIN
+ if(!udpinited){
+#ifdef _WIN32
+    udpinit = CreateSemaphore(NULL, 1, 1, NULL);
+#else
+    _3proxy_mutex_init(&udpinit);
+#endif
+ }
+ udpinited = 1;
+#endif
  srv->intsa = conf.intsa;
  srv->extsa = conf.extsa;
 #ifndef NOIPV6
  srv->extsa6 = conf.extsa6;
 #endif
+ srv->so = so;
+ srv->authcachetime = conf.authcachetime;
+ srv->authcachetype = conf.authcachetype;
 }
 
 void srvinit2(struct srvparam * srv, struct clientparam *param){
@@ -923,11 +1208,11 @@ void srvinit2(struct srvparam * srv, struct clientparam *param){
 		unsigned char* logformat = srv->logformat;
 
 		*s = 0;
-		srv->nonprintable = (unsigned char *)mystrdup((char *)srv->logformat + 1);
+		srv->nonprintable = (unsigned char *)strdup((char *)srv->logformat + 1);
 		srv->replace = s[1];
-		srv->logformat = (unsigned char *)mystrdup(s + 2);
+		srv->logformat = (unsigned char *)strdup(s + 2);
 		*s = '+';
-		myfree(logformat);
+		free(logformat);
 	}
  }
  memset(¶m->sinsl, 0, sizeof(param->sinsl));
@@ -945,9 +1230,14 @@ void srvinit2(struct srvparam * srv, struct clientparam *param){
 }
 
 void srvfree(struct srvparam * srv){
- if(srv->srvsock != INVALID_SOCKET) so._closesocket(srv->srvsock);
+ if(srv->srvsock != INVALID_SOCKET) {
+    so._closesocket(srv->so.state, srv->srvsock);
+#ifdef WITH_UN
+    if(*SAFAMILY(&srv->intsa) == AF_UNIX && *SAADDR(&srv->intsa))unlink((char *)SAADDR(&srv->intsa));
+#endif
+ }
  srv->srvsock = INVALID_SOCKET;
- if(srv->cbsock != INVALID_SOCKET) so._closesocket(srv->cbsock);
+ if(srv->cbsock != INVALID_SOCKET) so._closesocket(srv->so.state, srv->cbsock);
  srv->cbsock = INVALID_SOCKET;
  srv->service = S_ZOMBIE;
  while(srv->child) usleep(SLEEPTIME * 100);
@@ -959,46 +1249,44 @@ void srvfree(struct srvparam * srv){
 		 (*srv->filter[srv->nfilters].filter_close)(srv->filter[srv->nfilters].data);
 		}
 	}
-	myfree(srv->filter);
+	free(srv->filter);
  }
 
  if(srv->acl)freeacl(srv->acl);
  if(srv->authfuncs)freeauth(srv->authfuncs);
 #endif
- pthread_mutex_destroy(&srv->counter_mutex);
- if(srv->target) myfree(srv->target);
- if(srv->logtarget) myfree(srv->logtarget);
- if(srv->logformat) myfree(srv->logformat);
- if(srv->nonprintable) myfree(srv->nonprintable);
-#ifdef SO_BINDTODEVICE
- if(srv->ibindtodevice) myfree(srv->ibindtodevice);
- if(srv->obindtodevice) myfree(srv->obindtodevice);
+ _3proxy_mutex_destroy(&srv->counter_mutex);
+ if(srv->target) free(srv->target);
+ if(srv->logtarget) free(srv->logtarget);
+ if(srv->logformat) free(srv->logformat);
+ if(srv->nonprintable) free(srv->nonprintable);
+#if defined  SO_BINDTODEVICE || defined IP_BOUND_IF
+ if(srv->ibindtodevice) free(srv->ibindtodevice);
+ if(srv->obindtodevice) free(srv->obindtodevice);
+#endif
+#ifdef __linux__
+ if(srv->inetns) free(srv->inetns);
+ if(srv->onetns) free(srv->onetns);
+ if(srv->saved_nsfd >= 0) { close(srv->saved_nsfd); srv->saved_nsfd = -1; }
+ if(srv->i_nsfd >= 0) { close(srv->i_nsfd); srv->i_nsfd = -1; }
+ if(srv->o_nsfd >= 0) { close(srv->o_nsfd); srv->o_nsfd = -1; }
+#endif
+ if(srv->so.freefunc) srv->so.freefunc(srv->so.state);
+#ifndef NOUDPMAIN
+ if(srv->udpbuf) free(srv->udpbuf);
+ if(srv->udpbuf2) free(srv->udpbuf2);
 #endif
 }
 
 
 void freeparam(struct clientparam * param) {
 	if(param->res == 2) return;
-	if(param->datfilterssrv) myfree(param->datfilterssrv);
-#ifndef STDMAIN
-	if(param->reqfilters) myfree(param->reqfilters);
-	if(param->hdrfilterscli) myfree(param->hdrfilterscli);
-	if(param->hdrfilterssrv) myfree(param->hdrfilterssrv);
-	if(param->predatfilters) myfree(param->predatfilters);
-	if(param->datfilterscli) myfree(param->datfilterscli);
-	if(param->filters){
-		if(param->nfilters)while(param->nfilters--){
-			if(param->filters[param->nfilters].filter->filter_clear)
-				(*param->filters[param->nfilters].filter->filter_clear)(param->filters[param->nfilters].data);
-		}
-		myfree(param->filters);
-	}
-	if(conf.connlimiter && (param->res != 95 || param->remsock != INVALID_SOCKET)) stopconnlims(param);
-#endif
-	if(param->clibuf) myfree(param->clibuf);
-	if(param->srvbuf) myfree(param->srvbuf);
 	if(param->srv){
-		pthread_mutex_lock(¶m->srv->counter_mutex);
+		if(param->srv->so.freefunc) param->srv->so.freefunc(param->sostate);
+		_3proxy_mutex_lock(¶m->srv->counter_mutex);
+#ifndef STDMAIN
+		if(param->srv->service == S_UDPPM) hashdelete(&udp_table, param);
+#endif
 		if(param->prev){
 			param->prev->next = param->next;
 		}
@@ -1008,30 +1296,65 @@ void freeparam(struct clientparam * param) {
 			param->next->prev = param->prev;
 		}
 		(param->srv->childcount)--;
-		pthread_mutex_unlock(¶m->srv->counter_mutex);
+		_3proxy_mutex_unlock(¶m->srv->counter_mutex);
 	}
-	if(param->hostname) myfree(param->hostname);
-	if(param->username) myfree(param->username);
-	if(param->password) myfree(param->password);
-	if(param->extusername) myfree(param->extusername);
-	if(param->extpassword) myfree(param->extpassword);
-	if(param->ctrlsocksrv != INVALID_SOCKET && param->ctrlsocksrv != param->remsock) {
-		so._shutdown(param->ctrlsocksrv, SHUT_RDWR);
-		so._closesocket(param->ctrlsocksrv);
+	if(param->clibuf) free(param->clibuf);
+	if(param->srvbuf) free(param->srvbuf);
+	if(param->srv) {
+		if(param->ctrlsocksrv != INVALID_SOCKET && param->ctrlsocksrv != param->remsock) {
+			param->srv->so._shutdown(param->sostate, param->ctrlsocksrv, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->ctrlsocksrv);
+		}
+		if(param->ctrlsock != INVALID_SOCKET && param->ctrlsock != param->clisock) {
+			param->srv->so._shutdown(param->sostate, param->ctrlsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->ctrlsock);
+		}
+		if(param->remsock != INVALID_SOCKET) {
+			param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
+		}
+		if(param->clisock != INVALID_SOCKET) {
+			param->srv->so._shutdown(param->sostate, param->clisock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->clisock);
+		}
 	}
-	if(param->ctrlsock != INVALID_SOCKET && param->ctrlsock != param->clisock) {
-		so._shutdown(param->ctrlsock, SHUT_RDWR);
-		so._closesocket(param->ctrlsock);
+	if(param->datfilterssrv) free(param->datfilterssrv);
+#ifndef STDMAIN
+	if(param->reqfilters) free(param->reqfilters);
+	if(param->connectfilters) free(param->connectfilters);
+	if(param->afterauthfilters) free(param->afterauthfilters);
+	if(param->hdrfilterscli) free(param->hdrfilterscli);
+	if(param->hdrfilterssrv) free(param->hdrfilterssrv);
+	if(param->predatfilters) free(param->predatfilters);
+	if(param->datfilterscli) free(param->datfilterscli);
+	if(param->filters){
+		if(param->nfilters)while(param->nfilters--){
+			if(param->filters[param->nfilters].filter->filter_clear)
+				(*param->filters[param->nfilters].filter->filter_clear)(param->filters[param->nfilters].data);
+		}
+		free(param->filters);
 	}
-	if(param->remsock != INVALID_SOCKET) {
-		so._shutdown(param->remsock, SHUT_RDWR);
-		so._closesocket(param->remsock);
+	if(param->connlim) stopconnlims(param);
+#endif
+	if(param->hostname) free(param->hostname);
+	if(param->username) free(param->username);
+	if(param->password) free(param->password);
+	if(param->extusername) free(param->extusername);
+	if(param->extpassword) free(param->extpassword);
+	free(param);
+}
+
+FILTER_ACTION handleconnectflt(struct clientparam *cparam){
+#ifndef STDMAIN
+	FILTER_ACTION action;
+	int i;
+
+	for(i=0; inconnectfilters ;i++){
+		action =  (*cparam->connectfilters[i]->filter->filter_connect)(cparam->connectfilters[i]->data, cparam);
+		if(action!=CONTINUE) return action;
 	}
-	if(param->clisock != INVALID_SOCKET) {
-		so._shutdown(param->clisock, SHUT_RDWR);
-		so._closesocket(param->clisock);
-	}
-	myfree(param);
+#endif
+	return PASS;
 }
 
 
@@ -1039,7 +1362,7 @@ void freeparam(struct clientparam * param) {
 static void * itcopy (void * from, size_t size){
 	void * ret;
 	if(!from) return NULL;
-	ret = myalloc(size);
+	ret = malloc(size);
 	if(ret)	memcpy(ret, from, size);
 	return ret;
 }
@@ -1110,7 +1433,7 @@ struct ace * copyacl (struct ace *ac){
 		if(!ac->users) goto ERRORUSERS;
 		for(ul = ac->users; ul; ul = ul->next){
 			if(ul->user) {
-				ul->user = (unsigned char*)mystrdup((char *)ul->user);
+				ul->user = (unsigned char*)strdup((char *)ul->user);
 				if(!ul->user) {
 					ul->next = NULL;
 					goto ERRORUSERS;
@@ -1127,7 +1450,7 @@ struct ace * copyacl (struct ace *ac){
 		if(!ac->dstnames) goto ERRORDSTNAMES;
 		for(hst = ac->dstnames; hst; hst = hst->next){
 			if(hst->name) {
-				hst->name = (unsigned char*)mystrdup((char *)hst->name);
+				hst->name = (unsigned char*)strdup((char *)hst->name);
 				if(!hst->name) {
 					hst->next = NULL;
 					goto ERRORDSTNAMES;
@@ -1144,7 +1467,7 @@ struct ace * copyacl (struct ace *ac){
 		if(!ac->chains) goto ERRORCHAINS;
 		for(ch = ac->chains; ch; ch = ch->next){
 			if(ch->extuser){
-				ch->extuser = (unsigned char*)mystrdup((char *)ch->extuser);
+				ch->extuser = (unsigned char*)strdup((char *)ch->extuser);
 				if(!ch->extuser){
 					ch->extpass = NULL;
 					ch->exthost = NULL;
@@ -1153,7 +1476,7 @@ struct ace * copyacl (struct ace *ac){
 				}
 			}
 			if(ch->extpass){
-				ch->extpass = (unsigned char*)mystrdup((char *)ch->extpass);
+				ch->extpass = (unsigned char*)strdup((char *)ch->extpass);
 				if(!ch->extpass){
 					ch->exthost = NULL;
 					ch->next = NULL;
@@ -1161,7 +1484,7 @@ struct ace * copyacl (struct ace *ac){
 				}
 			}
 			if(ch->exthost){
-				ch->exthost = (unsigned char*)mystrdup((char *)ch->exthost);
+				ch->exthost = (unsigned char*)strdup((char *)ch->exthost);
 				if(!ch->exthost){
 					ch->next = NULL;
 					goto ERRORCHAINS;
@@ -1206,7 +1529,7 @@ void copyfilter (struct filter *filter, struct srvparam *srv){
 
  if(!filter) return;
  for(srv->filter = filter; srv->filter; srv->filter = srv->filter->next) nfilters++;
- srv->filter = myalloc(sizeof(struct filter) * nfilters);
+ srv->filter = malloc(sizeof(struct filter) * nfilters);
  if(!srv->filter) return;
 
  for(; filter; filter = filter->next){
@@ -1219,6 +1542,8 @@ void copyfilter (struct filter *filter, struct srvparam *srv){
 	if(srv->nfilters>0)srv->filter[srv->nfilters - 1].next = srv->filter + srv->nfilters;
 	srv->nfilters++;
 	if(filter->filter_request)srv->nreqfilters++;
+	if(filter->filter_connect)srv->nconnectfilters++;
+	if(filter->filter_afterauth)srv->nafterauthfilters++;
 	if(filter->filter_header_srv)srv->nhdrfilterssrv++;
 	if(filter->filter_header_cli)srv->nhdrfilterscli++;
 	if(filter->filter_predata)srv->npredatfilters++;
@@ -1234,13 +1559,15 @@ FILTER_ACTION makefilters (struct srvparam *srv, struct clientparam *param){
 
 	if(!srv->nfilters) return PASS;
 
-	if(!(param->filters = myalloc(sizeof(struct filterp) * srv->nfilters)) ||
-	   (srv->nreqfilters && !(param->reqfilters = myalloc(sizeof(struct filterp *) * srv->nreqfilters))) ||
-	   (srv->nhdrfilterssrv && !(param->hdrfilterssrv = myalloc(sizeof(struct filterp *) * srv->nhdrfilterssrv))) ||
-	   (srv->nhdrfilterscli && !(param->hdrfilterscli = myalloc(sizeof(struct filterp *) * srv->nhdrfilterscli))) ||
-	   (srv->npredatfilters && !(param->predatfilters = myalloc(sizeof(struct filterp *) * srv->npredatfilters))) ||
-	   (srv->ndatfilterssrv && !(param->datfilterssrv = myalloc(sizeof(struct filterp *) * srv->ndatfilterssrv))) ||
-	   (srv->ndatfilterscli && !(param->datfilterscli = myalloc(sizeof(struct filterp *) * srv->ndatfilterscli)))
+	if(!(param->filters = malloc(sizeof(struct filterp) * srv->nfilters)) ||
+	   (srv->nreqfilters && !(param->reqfilters = malloc(sizeof(struct filterp *) * srv->nreqfilters))) ||
+	   (srv->nconnectfilters && !(param->connectfilters = malloc(sizeof(struct filterp *) * srv->nconnectfilters))) ||
+	   (srv->nafterauthfilters && !(param->afterauthfilters = malloc(sizeof(struct filterp *) * srv->nafterauthfilters))) ||
+	   (srv->nhdrfilterssrv && !(param->hdrfilterssrv = malloc(sizeof(struct filterp *) * srv->nhdrfilterssrv))) ||
+	   (srv->nhdrfilterscli && !(param->hdrfilterscli = malloc(sizeof(struct filterp *) * srv->nhdrfilterscli))) ||
+	   (srv->npredatfilters && !(param->predatfilters = malloc(sizeof(struct filterp *) * srv->npredatfilters))) ||
+	   (srv->ndatfilterssrv && !(param->datfilterssrv = malloc(sizeof(struct filterp *) * srv->ndatfilterssrv))) ||
+	   (srv->ndatfilterscli && !(param->datfilterscli = malloc(sizeof(struct filterp *) * srv->ndatfilterscli)))
 	  ){
 		param->res = 21;
 		return REJECT;
@@ -1253,6 +1580,8 @@ FILTER_ACTION makefilters (struct srvparam *srv, struct clientparam *param){
 		if(action > CONTINUE) return action;
 		param->filters[param->nfilters].filter = srv->filter + i;
 		if(srv->filter[i].filter_request)param->reqfilters[param->nreqfilters++] = param->filters + param->nfilters;
+		if(srv->filter[i].filter_connect)param->connectfilters[param->nconnectfilters++] = param->filters + param->nfilters;
+		if(srv->filter[i].filter_afterauth)param->afterauthfilters[param->nafterauthfilters++] = param->filters + param->nfilters;
 		if(srv->filter[i].filter_header_cli)param->hdrfilterscli[param->nhdrfilterscli++] = param->filters + param->nfilters;
 		if(srv->filter[i].filter_header_srv)param->hdrfilterssrv[param->nhdrfilterssrv++] = param->filters + param->nfilters;
 		if(srv->filter[i].filter_predata)param->predatfilters[param->npredatfilters++] = param->filters + param->nfilters;
@@ -1264,7 +1593,7 @@ FILTER_ACTION makefilters (struct srvparam *srv, struct clientparam *param){
 }
 
 void * itfree(void *data, void * retval){
-	myfree(data);
+	free(data);
 	return retval;
 }
 
@@ -1285,19 +1614,33 @@ void freeacl(struct ace *ac){
 		for(pl = ac->ports; pl; pl = (struct portlist *)itfree(pl, pl->next));
 		for(pel = ac->periods; pel; pel = (struct period *)itfree(pel, pel->next));
 		for(ul = ac->users; ul; ul = (struct userlist *)itfree(ul, ul->next)){
-			if(ul->user)myfree(ul->user);
+			if(ul->user)free(ul->user);
 		}
 		for(hst = ac->dstnames; hst; hst = (struct hostname *)itfree(hst, hst->next)){
-			if(hst->name)myfree(hst->name);
+			if(hst->name)free(hst->name);
 		}
 		for(ch = ac->chains; ch; ch = (struct chain *) itfree(ch, ch->next)){
-			if(ch->extuser) myfree(ch->extuser);
-			if(ch->extpass) myfree(ch->extpass);
-			if(ch->exthost) myfree(ch->exthost);
+			if(ch->extuser) free(ch->extuser);
+			if(ch->extpass) free(ch->extpass);
+			if(ch->exthost) free(ch->exthost);
 		}
 	}
 }
 
+FILTER_ACTION handleafterauthflt(struct clientparam *cparam){
+#ifndef STDMAIN
+	FILTER_ACTION action;
+	int i;
+
+	for(i=0; inafterauthfilters ;i++){
+		action =  (*cparam->afterauthfilters[i]->filter->filter_afterauth)(cparam->afterauthfilters[i]->data, cparam);
+		if(action!=CONTINUE) return action;
+	}
+#endif
+	return PASS;
+}
+
+
 FILTER_ACTION handlereqfilters(struct clientparam *param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
 	FILTER_ACTION action;
 	int i;
@@ -1338,6 +1681,8 @@ FILTER_ACTION handlepredatflt(struct clientparam *cparam){
 	FILTER_ACTION action;
 	int i;
 
+	if(cparam->predatdone) return PASS;
+	cparam->predatdone = 1;
 	for(i=0; inpredatfilters ;i++){
 		action =  (*cparam->predatfilters[i]->filter->filter_predata)(cparam->predatfilters[i]->data, cparam);
 		if(action!=CONTINUE) return action;
diff --git a/src/redirect.c b/src/redirect.c
new file mode 100644
index 0000000..a18b9ee
--- /dev/null
+++ b/src/redirect.c
@@ -0,0 +1,418 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+static FILTER_ACTION (*ext_ssl_parent)(struct clientparam * param) = NULL;
+
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+    if(ext_ssl_parent) return ext_ssl_parent(param);
+    ext_ssl_parent = pluginlink.findbyname("ssl_parent");
+    if(ext_ssl_parent) return ext_ssl_parent(param);
+    return REJECT;
+}
+
+int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
+	unsigned char *buf;
+	unsigned char *username;
+	int res;
+	int len=0;
+	unsigned char * user, *pass;
+
+	user = redir->extuser;
+	pass = redir->extpass;
+	if (!param->srvbufsize){
+		param->srvbufsize = SRVBUFSIZE;
+		param->srvbuf = malloc(param->srvbufsize);
+		if(!param->srvbuf) return 21;
+	}
+	buf = param->srvbuf;
+	username = buf + 2048;
+	if(user) {
+		if (*user == '*') {
+			if(!param->username) return 4;
+			user = param->username;
+			pass = param->password;
+		}
+	}
+	if(redir->secure){
+	    res = ssl_parent(param);
+	    if(res != PASS) return res;
+	}
+	switch(redir->type){
+		case R_TCP:
+		case R_HTTP:
+			return 0;
+		case R_CONNECT:
+		case R_CONNECTP:
+		{
+			len = sprintf((char *)buf, "CONNECT ");
+			if(redir->type == R_CONNECTP && hostname) {
+				char * needreplace;
+				needreplace = strchr((char *)hostname, ':');
+				if(needreplace) buf[len++] = '[';
+				len += sprintf((char *)buf + len, "%.256s", (char *)hostname);
+				if(needreplace) buf[len++] = ']';
+			}
+			else {
+				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = '[';
+				len += myinet_ntop(*SAFAMILY(addr), SAADDR(addr), (char *)buf+len, 256);
+				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = ']';
+			}
+			len += sprintf((char *)buf + len,
+				":%hu HTTP/1.0\r\nConnection: keep-alive\r\n", ntohs(*SAPORT(addr)));
+			if(user){
+				len += sprintf((char *)buf + len, "Proxy-Authorization: Basic ");
+				sprintf((char *)username, "%.128s:%.128s", user, pass?pass:(unsigned char *)"");
+				en64(username, buf+len, (int)strlen((char *)username));
+				len = (int)strlen((char *)buf);
+				len += sprintf((char *)buf + len, "\r\n");
+			}
+			len += sprintf((char *)buf + len, "\r\n");
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
+				return 31;
+			param->statssrv64+=len;
+			param->nwrites++;
+			if((res = sockgetlinebuf(param, SERVER,buf,13,'\n',conf.timeouts[CHAIN_TO])) < 13)
+				return 32;
+			if(buf[9] != '2') return 33;
+			while((res = sockgetlinebuf(param, SERVER,buf,1023,'\n', conf.timeouts[CHAIN_TO])) > 2);
+			if(res <= 0) return 34;
+			return 0;
+		}
+		case R_SOCKS4:
+		case R_SOCKS4P:
+		case R_SOCKS4B:
+		{
+
+			if(*SAFAMILY(addr) != AF_INET) return 44;
+			buf[0] = 4;
+			buf[1] = 1;
+			memcpy(buf+2, SAPORT(addr), 2);
+			if(redir->type == R_SOCKS4P && hostname) {
+				buf[4] = buf[5] = buf[6] = 0;
+				buf[7] = 3;
+			}
+			else memcpy(buf+4, SAADDR(addr), 4);
+			if(!user)user = (unsigned char *)"anonymous";
+			len = (int)strlen((char *)user) + 1;
+			memcpy(buf+8, user, len);
+			len += 8;
+			if(redir->type == R_SOCKS4P && hostname) {
+				int hostnamelen;
+
+				hostnamelen = (int)strlen((char *)hostname) + 1;
+				if(hostnamelen > 255) hostnamelen = 255;
+				memcpy(buf+len, hostname, hostnamelen);
+				len += hostnamelen;
+			}
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
+				return 41;
+			}
+			param->statssrv64+=len;
+			param->nwrites++;
+			if((len = sockgetlinebuf(param, SERVER, buf, (redir->type == R_SOCKS4B)? 3:8, EOF, conf.timeouts[CHAIN_TO])) != ((redir->type == R_SOCKS4B)? 3:8)){
+				return 42;
+			}
+			if(buf[1] != 90) {
+				return 43;
+			}
+
+		}
+		return 0;
+
+		case R_SOCKS5:
+		case R_SOCKS5P:
+		case R_SOCKS5B:
+		{
+		 int inbuf = 0;
+		 int atyp;
+		 int skip_port = 0;
+			buf[0] = 5;
+			buf[1] = user? 1 : 0;
+			buf[2] = 2;
+			if(socksend(param, param->remsock, buf, user?3:2, conf.timeouts[CHAIN_TO]) < 2){
+				return 51;
+			}
+			param->statssrv64+=3;
+			param->nwrites++;
+			if(sockgetlinebuf(param, SERVER, buf, 2, EOF, conf.timeouts[CHAIN_TO]) != 2){
+				return 52;
+			}
+			if(buf[0] != 5) {
+				return 53;
+			}
+			if(buf[1] != 0 && !(buf[1] == 2 && user)){
+				return 54;
+			}
+			if(buf[1] == 2){
+				buf[inbuf++] = 1;
+				buf[inbuf] = (unsigned char)strlen((char *)user);
+				memcpy(buf+inbuf+1, user, buf[inbuf]);
+				inbuf += buf[inbuf] + 1;
+				buf[inbuf] = pass?(unsigned char)strlen((char *)pass):0;
+				if(pass)memcpy(buf+inbuf+1, pass, buf[inbuf]);
+				inbuf += buf[inbuf] + 1;
+				if(socksend(param, param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
+					return 51;
+				}
+				param->statssrv64+=inbuf;
+				param->nwrites++;
+				if(sockgetlinebuf(param, SERVER, buf, 2, EOF, 60) != 2){
+					return 55;
+				}
+				if(buf[0] != 1 || buf[1] != 0) {
+					return 56;
+				}
+			}
+			buf[0] = 5;
+			buf[1] = (param->operation == UDPASSOC) ? 3 : 1;
+			buf[2] = 0;
+			if (param->operation == UDPASSOC) {
+				buf[3] = 1;
+				memset(buf + 4, 0, 6);
+				len = 10;
+				skip_port = 1;
+			} else if(redir->type == R_SOCKS5P && hostname) {
+				buf[3] = 3;
+				len = (int)strlen((char *)hostname);
+				if(len > 255) len = 255;
+				buf[4] = len;
+				memcpy(buf + 5, hostname, len);
+				len += 5;
+			}
+			else {
+				len = 3;
+				buf[len++] = (*SAFAMILY(addr) == AF_INET)? 1 : 4;
+				memcpy(buf+len, SAADDR(addr), SAADDRLEN(addr));
+				len += SAADDRLEN(addr);
+			}
+			if (!skip_port) {
+				memcpy(buf+len, SAPORT(addr), 2);
+				len += 2;
+			}
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
+				return 51;
+			}
+			param->statssrv64+=len;
+			param->nwrites++;
+			if(sockgetlinebuf(param, SERVER, buf, 4, EOF, conf.timeouts[CHAIN_TO]) != 4){
+				return 57;
+			}
+			if(buf[0] != 5) {
+				return 53;
+			}
+			if(buf[1] != 0) {
+				return 60 + (buf[1] % 10);
+			}
+			atyp = buf[3];
+			switch (buf[3]) {
+			case 1:
+			    if (redir->type == R_SOCKS5B ||  sockgetlinebuf(param, SERVER, buf, 6, EOF, conf.timeouts[CHAIN_TO]) == 6)
+				    break;
+			    return 59;
+			case 3:
+			    if (sockgetlinebuf(param, SERVER, buf, 1, EOF, conf.timeouts[CHAIN_TO]) != 1) return 59;
+			    len = (unsigned char)buf[4];
+			    if (sockgetlinebuf(param, SERVER, buf, len + 2, EOF, conf.timeouts[CHAIN_TO]) != len + 2) return 59;
+			    break;
+			case 4:
+			    if (sockgetlinebuf(param, SERVER, buf, 18, EOF, conf.timeouts[CHAIN_TO]) == 18)
+				    break;
+			    return 59;
+			default:
+			    return 58;
+			}
+			if (param->operation == UDPASSOC && (redir->type == R_SOCKS5 || redir->type == R_SOCKS5P) && param->udp_nhops < 3) {
+				PROXYSOCKADDRTYPE *relay = ¶m->udp_relay[param->udp_nhops];
+				memset(relay, 0, sizeof(*relay));
+				if (atyp == 1) {
+					*SAFAMILY(relay) = AF_INET;
+					memcpy(SAADDR(relay), buf, 4);
+					memcpy(SAPORT(relay), buf + 4, 2);
+					if (param->udp_nhops == 0) {
+					    param->sinsr = *relay;
+					}
+					param->udp_nhops++;
+				} else if (atyp == 4) {
+					*SAFAMILY(relay) = AF_INET6;
+					memcpy(SAADDR(relay), buf, 16);
+					memcpy(SAPORT(relay), buf + 16, 2);
+					if (param->udp_nhops == 0) param->sinsr = *relay;
+					param->udp_nhops++;
+				}
+			}
+			return 0;
+		}
+
+		default:
+
+			return 30;
+	}
+}
+
+
+int handleredirect(struct clientparam * param, struct ace * acentry){
+	int connected = 0;
+	int weight = 1000;
+	int res;
+	int done = 0;
+	int ha = 0;
+	struct chain * cur;
+	struct chain * redir = NULL;
+	int r2;
+	int saved = 0;
+
+	if(param->remsock != INVALID_SOCKET && param->operation != UDPASSOC) {
+	}
+	if((SAISNULL(¶m->req) || !*SAPORT(¶m->req)) && param->operation != UDPASSOC) {
+		return 100;
+	}
+
+	r2 = (myrand(param, sizeof(struct clientparam))%1000);
+
+	for(cur = acentry->chains; cur; cur=cur->next){
+		if(((weight = weight - cur->weight) > r2)|| done) {
+			if(weight <= 0) {
+				weight += 1000;
+				done = 0;
+				r2 = (myrand(param, sizeof(struct clientparam))%1000);
+			}
+			continue;
+		}
+		param->redirected++;
+		done = 1;
+		if(weight <= 0) {
+			weight += 1000;
+			done = 0;
+			r2 = (myrand(param, sizeof(struct clientparam))%1000);
+		}
+		if(!connected){
+			if(cur->type == R_EXTIP){
+				param->sinsl = cur->addr;
+				if(SAISNULL(¶m->sinsl) && (*SAFAMILY(¶m->sincr) == AF_INET || *SAFAMILY(¶m->sincr) == AF_INET6))param->sinsl = param->sincr;
+#ifndef NOIPV6
+				else if(cur->cidr && *SAFAMILY(¶m->sinsl) == AF_INET6){
+					uint16_t c;
+					int i;
+
+					for(i = 0; i < 8; i++){
+						if(i==4)myrand(¶m->sincr, sizeof(param->sincr));
+						else if(i==6) myrand(¶m->req, sizeof(param->req));
+
+						if(i*16 >= cur->cidr) ((uint16_t *)SAADDR(¶m->sinsl))[i] |= rand();
+						else if ((i+1)*16 >  cur->cidr){
+							c = rand();
+							c >>= (cur->cidr - (i*16));
+							c |= ntohs(((uint16_t *)SAADDR(¶m->sinsl))[i]);
+							((uint16_t *)SAADDR(¶m->sinsl))[i] = htons(c);
+						}
+					}
+				}
+#endif
+				if(cur->next)continue;
+				return 0;
+			}
+			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
+				int i;
+				if(cur->extuser){
+					if(param->extusername)
+						free(param->extusername);
+					param->extusername = (unsigned char *)strdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
+					if(cur->extpass){
+						if(param->extpassword)
+							free(param->extpassword);
+						param->extpassword = (unsigned char *)strdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
+					}
+					if(*cur->extuser == '*' && !param->username) return 4;
+				}
+
+				for(i=0; redirs[i].name; i++){
+				    if(cur->type == redirs[i].redir) {
+					param->redirectfunc = redirs[i].func;
+					break;
+				    }
+				}
+				if(cur->type == R_HA){
+				    ha = 1;
+				}
+				if(cur->next)continue;
+				if(!ha) return 0;
+			}
+			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
+				uint16_t port = *SAPORT(¶m->sinsr);
+				param->sinsr = cur->addr;
+				*SAPORT(¶m->sinsr) = port;
+			}
+			else if(SAISNULL(&cur->addr) && *SAPORT(&cur->addr)) *SAPORT(¶m->sinsr) = *SAPORT(&cur->addr);
+			else {
+				param->sinsr = cur->addr;
+			}
+			if(param->operation == UDPASSOC){
+			    SOCKET s;
+			    s = param->remsock;
+			    param->remsock = INVALID_SOCKET;
+			    param->ctrlsocksrv = s;
+			    saved = 1;
+			}
+			if((res = alwaysauth(param))){
+				return (res >= 10)? res : 60+res;
+			}
+			if(ha) {
+			    char buf[128];
+			    int len;
+			    len = sprintf(buf, "PROXY %s ",
+				*SAFAMILY(¶m->sincr) == AF_INET6 ? "TCP6" : "TCP4");
+			    len += myinet_ntop(*SAFAMILY(¶m->sincr), SAADDR(¶m->sincr), buf+len, sizeof(buf) - len);
+			    buf[len++] = ' ';
+			    len += myinet_ntop(*SAFAMILY(¶m->sincl), SAADDR(¶m->sincl), buf+len, sizeof(buf) - len);
+			    len += sprintf(buf + len, " %hu %hu\r\n",
+				ntohs(*SAPORT(¶m->sincr)),
+				ntohs(*SAPORT(¶m->sincl))
+			    );
+			    if(socksend(param, param->remsock, (unsigned char *)buf, len, conf.timeouts[CHAIN_TO])!=len) return 39;
+			    return 0;
+			}
+		}
+		else {
+			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
+			if(res) return res;
+		}
+		redir = cur;
+		param->redirtype = redir->type;
+		if(redir->type == R_TCP || redir->type ==R_HTTP) {
+			if(cur->extuser){
+				if(*cur -> extuser == '*' && !param->username) return 4;
+				if(param->extusername)
+					free(param->extusername);
+				param->extusername = (unsigned char *)strdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
+				if(cur->extpass){
+					if(param->extpassword)
+						free(param->extpassword);
+					param->extpassword = (unsigned char *)strdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
+				}
+			}
+			if(redir->secure) return ssl_parent(param);
+			return 0;
+		}
+		connected = 1;
+	}
+
+	if(!connected || !redir) return 0;
+	res =  clientnegotiate(redir, param, (struct sockaddr *)¶m->req, param->hostname);
+	if(saved){
+	    SOCKET s;
+
+	    s = param->ctrlsocksrv;
+	    param->ctrlsocksrv = param->remsock;
+	    param->remsock = s;
+	    param->operation = UDPASSOC;
+	}
+	return res;
+
+}
diff --git a/src/resolve.c b/src/resolve.c
new file mode 100644
index 0000000..d7f6f19
--- /dev/null
+++ b/src/resolve.c
@@ -0,0 +1,201 @@
+#include "proxy.h"
+
+struct nserver nservers[MAXNSERVERS] = {{{0},0}, {{0},0}, {{0},0}, {{0},0}, {{0},0}};
+struct nserver authnserver;
+
+
+uint32_t udpresolve(int af, unsigned char * name, unsigned char * value, uint32_t *retttl, struct clientparam* param, int makeauth){
+
+    int i,n;
+    uint32_t retval;
+
+    if((af == AF_INET) && (retval = hashresolv(&dns_table, name, value, retttl))) {
+	return retval;
+    }
+    if((af == AF_INET6) && (retval = hashresolv(&dns6_table, name, value, retttl))) {
+	return retval;
+    }
+    n = (makeauth && !SAISNULL(&authnserver.addr))? 1 : numservers;
+    for(i=0; isinsl : &addr;
+	sinsr = (param && !makeauth)? ¶m->sinsr : &addr;
+	memset(sinsl, 0, sizeof(addr));
+	memset(sinsr, 0, sizeof(addr));
+	
+
+	if(makeauth && !SAISNULL(&authnserver.addr)){
+	    usetcp = authnserver.usetcp;
+	    *SAFAMILY(sinsl) = *SAFAMILY(&authnserver.addr);
+	}
+	else {
+	    usetcp = nservers[i].usetcp;
+	    *SAFAMILY(sinsl) = *SAFAMILY(&nservers[i].addr);
+	}
+	if((sock=so._socket(so.state, SASOCK(sinsl), usetcp?SOCK_STREAM:SOCK_DGRAM, usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) break;
+	if(so._bind(so.state, sock,(struct sockaddr *)sinsl,SASIZE(sinsl))){
+	    so._shutdown(so.state, sock, SHUT_RDWR);
+	    so._closesocket(so.state, sock);
+	    break;
+	}
+	if(makeauth && !SAISNULL(&authnserver.addr)){
+	    *sinsr = authnserver.addr;
+	}
+	else {
+	    *sinsr = nservers[i].addr;
+	}
+	if(usetcp){
+	    if(connectwithpoll(NULL, sock,(struct sockaddr *)sinsr,SASIZE(sinsr),conf.timeouts[CONNECT_TO])) {
+		so._shutdown(so.state, sock, SHUT_RDWR);
+		so._closesocket(so.state, sock);
+		break;
+	    }
+#ifdef TCP_NODELAY
+	    {
+		int opt = 1;
+		setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&opt, sizeof(opt));
+	    }
+#endif
+	}
+	len = (int)strlen((char *)name);
+	
+	serial = myrand(name,len);
+	*(unsigned short*)buf = serial; /* query id */
+	buf[2] = 1; 			/* recursive */
+	buf[3] = 0;
+	buf[4] = 0;
+	buf[5] = 1;			/* 1 request */
+	buf[6] = buf[7] = 0;		/* no replies */
+	buf[8] = buf[9] = 0;		/* no ns count */
+	buf[10] = buf[11] = 0;		/* no additional */
+	if(len > 255) {
+	    len = 255;
+	}
+	memcpy(buf + 13, name, len);
+	len += 13;
+	buf[len] = 0;
+	for(s2 = buf + 12; (s1 = (unsigned char *)strchr((char *)s2 + 1, '.')); s2 = s1)*s2 = (unsigned char)((s1 - s2) - 1);
+	*s2 = (len - (int)(s2 - buf)) - 1;
+	len++;
+	buf[len++] = 0;
+	buf[len++] = (makeauth == 1)? 0x0c : (af==AF_INET6? 0x1c:0x01);/* PTR:host address */
+	buf[len++] = 0;
+	buf[len++] = 1;			/* INET */
+	if(usetcp){
+	    buf-=2;
+	    *(unsigned short*)buf = htons(len);
+	    len+=2;
+	}
+
+	if(socksendto(NULL, sock, (struct sockaddr *)sinsr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
+	    so._shutdown(so.state, sock, SHUT_RDWR);
+	    so._closesocket(so.state, sock);
+	    continue;
+	}
+	if(param) param->statscli64 += len;
+	len = sockrecvfrom(NULL, sock, (struct sockaddr *)sinsr, buf, 4096, conf.timeouts[DNS_TO]*1000);
+	so._shutdown(so.state, sock, SHUT_RDWR);
+	so._closesocket(so.state, sock);
+	if(len <= 13) {
+	    continue;
+	}
+	if(param) param->statssrv64 += len;
+	if(usetcp){
+	    unsigned short us;
+	    us = ntohs(*(unsigned short*)buf);
+	    len-=2;
+	    buf+=2;
+	    if(us > 4096 || us < len || (us > len && sockrecvfrom(NULL, sock, (struct sockaddr *)sinsr, buf+len, us-len, conf.timeouts[DNS_TO]*1000) != us-len)) {
+		continue;
+	    }
+	}
+	if(*(unsigned short *)buf != serial)continue;
+	if((na = buf[7] + (((unsigned short)buf[6])<<8)) < 1) {
+	    return 0;
+	}
+	nq = buf[5] + (((unsigned short)buf[4])<<8);
+	if (nq != 1) {
+	    continue;			/* we did only 1 request */
+	}
+	for(k = 13; k= len) {
+	    continue;
+	}
+	k += 4;
+	if(na > 255) na = 255;			/* somebody is very evil */
+	for (j = 0; j < na; j++) {		/* now there should be answers */
+	    while(buf[k] < 192 && buf[k] !=0 && (k+buf[k]+14) < len) k+= (buf[k] + 1);
+	    if(!buf[k]) k--;
+	    if((k+(af == AF_INET6?28:16)) > len) {
+		break;
+	    }
+	    flen = buf[k+11] + (((unsigned short)buf[k+10])<<8);
+	    if((k+12+flen) > len) {
+		break;
+	    }
+	    if(makeauth != 1){
+		if(buf[k+2] != 0 || buf[k+3] != (af == AF_INET6?0x1c:0x1) || flen != (af == AF_INET6?16:4)) {
+		    k+= (12 + flen);
+		    continue; 		/* we need A IPv4 */
+		}
+		ttl = ntohl(*(uint32_t *)(buf + k + 6));
+		memcpy(value, buf + k + 12, af == AF_INET6? 16:4);
+		if(ttl < 0 || ttl > (3600*12)) ttl = 3600*12;
+		if(!ttl) ttl = 1;
+		hashadd(af == AF_INET6?&dns6_table:&dns_table, name, value, conf.time+ttl);
+		if(retttl) *retttl = ttl;
+		return 1;
+	    }
+	    else {
+		
+		if(buf[k+2] != 0 || buf[k+3] != 0x0c) {
+		    k+= (12 + flen);
+		    continue; 		/* we need A PTR */
+		}
+		for (s2 = buf + k + 12; s2 < (buf + k + 12 + len) && *s2; ){
+		    s1 = s2 + ((unsigned)*s2) + 1;
+		    *s2 = '.';
+		    s2 = s1;
+		}
+		*s2 = 0;
+		if(param->username)free(param->username);
+		param->username = (unsigned char *)strdup ((char *)buf + k + 13);
+		
+		return udpresolve(af,param->username, value, NULL, NULL, 2);
+	    }
+	}
+    }
+    return 0;
+}
+
+uint32_t myresolver(int af, unsigned char * name, unsigned char * value){
+ return udpresolve(af, name, value, NULL, NULL, 0);
+}
+
+uint32_t fakeresolver (int af, unsigned char *name, unsigned char * value){
+ memset(value, 0, af == AF_INET6? 16 : 4);
+ if(af == AF_INET6){
+    memset(value, 0, 16);
+    value[15] = 2;
+ }
+ else {
+    value[0] = 127;
+    value[1] = 0;
+    value[2] = 0;
+    value[3] = 2;
+ }
+ return 1;
+}
\ No newline at end of file
diff --git a/src/smtpp.c b/src/smtpp.c
index 01519ca..1f57514 100644
--- a/src/smtpp.c
+++ b/src/smtpp.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -19,26 +19,26 @@ int readreply (struct clientparam* param) {
  unsigned char * buf;
  int res, i, bufsize = 640;
 
- if(!(buf = myalloc(bufsize))) return 0;
+ if(!(buf = malloc(bufsize))) return 0;
  do {
 	i = sockgetlinebuf(param, SERVER, buf, bufsize-1, '\n', conf.timeouts[STRING_L]);
 	if(i < 1) break;
 #ifndef WITHMAIN
 	res = handlehdrfilterssrv(param, &buf, &bufsize, 0, &i);
 	if(res != PASS) {
-		myfree(buf);
+		free(buf);
 		return -1;
 	}
 #endif
-	socksend(param->clisock, buf, i, conf.timeouts[STRING_S]);	
+	socksend(param, param->clisock, buf, i, conf.timeouts[STRING_S]);	
  } while (i > 3 && buf[3] == '-');
  if(i < 3) {
-	myfree(buf);
+	free(buf);
 	return 0;
  }
  buf[i] = 0;
  res = atoi((char *)buf);
- myfree(buf);
+ free(buf);
  return res;
 }
 
@@ -47,24 +47,24 @@ int readcommand (struct clientparam* param) {
  int res, i, bufsize = 320;
  int ret = 1;
 
- if(!(buf = myalloc(bufsize))) return 0;
+ if(!(buf = malloc(bufsize))) return 0;
  i = sockgetlinebuf(param, CLIENT, buf, bufsize-1, '\n', conf.timeouts[STRING_L]);
  if(i < 4) return 0;
 #ifndef WITHMAIN
  if(!strncasecmp((char *)buf, "MAIL", 4) || !strncasecmp((char *)buf, "RCPT", 4) || !strncasecmp((char *)buf, "STARTTLS", 8) || !strncasecmp((char *)buf, "TURN", 4)){
 	res = handlehdrfilterscli(param, &buf, &bufsize, 0, &i);
 	if(res != PASS) {
-		myfree(buf);
+		free(buf);
 		if(res == HANDLED) return 2;
 		return -1;
 	}
  }
 #endif
- socksend(param->remsock, buf, i, conf.timeouts[STRING_S]);	
- myfree(buf);
+ socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S]);	
  if(!strncasecmp((char *)buf, "STARTTLS", 8) || !strncasecmp((char *)buf, "TURN", 4)){
 	ret = 22;
  }
+ free(buf);
  return ret;
 }
 
@@ -72,24 +72,24 @@ int readdata (struct clientparam* param) {
  unsigned char * buf;
  int res, i, bufsize = 4096;
 
- if(!(buf = myalloc(bufsize))) return 0;
+ if(!(buf = malloc(bufsize))) return 0;
  while ((i = sockgetlinebuf(param, CLIENT, buf, bufsize-1, '\n', conf.timeouts[STRING_L])) > 0 && !(i==3 && buf[0] == '.')){
 #ifndef WITHMAIN
 	res = handledatfltcli(param, &buf, &bufsize, 0, &i);
 	if(res != PASS) {
-		myfree(buf);
+		free(buf);
 		if(res == HANDLED) return 1;
 		return -1;
 	}
 #endif
-	socksendto(param->remsock, (struct sockaddr *)¶m->sinsr, buf, i, conf.timeouts[STRING_S]);	
+	socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S]);	
  } 
  if(i < 1) {
-	myfree(buf);
+	free(buf);
 	return 0;
  }
- socksend(param->remsock, buf, i, conf.timeouts[STRING_S]);	
- myfree(buf);
+ socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S]);	
+ free(buf);
  return 1;
 }
 
@@ -101,31 +101,31 @@ void * smtppchild(struct clientparam* param) {
  char * command = NULL;
  int login = 0;
 
- if(socksend(param->clisock, (unsigned char *)"220 Proxy\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (611);}
+ if(socksend(param, param->clisock, (unsigned char *)"220 Proxy\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (611);}
  i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
  while(i > 4 && (strncasecmp((char *)buf, "AUTH PLAIN", 10) || !(login = 2)) && (strncasecmp((char *)buf, "AUTH LOGIN", 10) || !(login = 1))){
 	if(!strncasecmp((char *)buf, "QUIT", 4)){
-		socksend(param->clisock, (unsigned char *)"221 Proxy\r\n", 11,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)"221 Proxy\r\n", 11,conf.timeouts[STRING_S]);	
 		RETURN(0);
 	}
 	else if(!strncasecmp((char *)buf, "HELO ", 5)){
-		socksend(param->clisock, (unsigned char *)"250 Proxy\r\n", 11,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)"250 Proxy\r\n", 11,conf.timeouts[STRING_S]);	
 	}
 	else if(!strncasecmp((char *)buf, "EHLO ", 5)){
-		socksend(param->clisock, (unsigned char *)ehlo, sizeof(ehlo) - 1,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)ehlo, sizeof(ehlo) - 1,conf.timeouts[STRING_S]);	
 	}
-	else if(!param->hostname) socksend(param->clisock, (unsigned char *)"571 need AUTH first\r\n", 22, conf.timeouts[STRING_S]);	
+	else if(!param->hostname) socksend(param, param->clisock, (unsigned char *)"571 need AUTH first\r\n", 22, conf.timeouts[STRING_S]);	
 	else {
 		login = -1;
 		buf[i] = 0;
-		command = mystrdup((char *)buf);
+		command = strdup((char *)buf);
 		break;
 	}
 	i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
  }
  if(!login) {RETURN(662);}
  if(login == 1){
-	socksend(param->clisock, (unsigned char *)"334 VXNlcm5hbWU6\r\n", 18,conf.timeouts[STRING_S]);	
+	socksend(param, param->clisock, (unsigned char *)"334 VXNlcm5hbWU6\r\n", 18,conf.timeouts[STRING_S]);	
 	i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
 	if(i < 3) {RETURN(663);}
 	buf[i-2] = 0;
@@ -133,15 +133,15 @@ void * smtppchild(struct clientparam* param) {
 	if(i < 1) {RETURN(664);}
 	username[i] = 0;
 	parseconnusername((char *)username, param, 0, 25);
-	socksend(param->clisock, (unsigned char *)"334 UGFzc3dvcmQ6\r\n", 18,conf.timeouts[STRING_S]);	
+	socksend(param, param->clisock, (unsigned char *)"334 UGFzc3dvcmQ6\r\n", 18,conf.timeouts[STRING_S]);	
 	i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
 	if(i < 2) {RETURN(665);}
 	buf[i-2] = 0;
 	i = de64(buf,username,255);
 	if(i < 0) {RETURN(666);}
 	username[i] = 0;
-	if(param->extpassword) myfree(param->extpassword);
-	param->extpassword = (unsigned char *)mystrdup((char *)username);
+	if(param->extpassword) free(param->extpassword);
+	param->extpassword = (unsigned char *)strdup((char *)username);
  }
  else if(login == 2){
 	if(i > 13) {
@@ -149,7 +149,7 @@ void * smtppchild(struct clientparam* param) {
 		i = de64(buf+11,username,255);
 	}
 	else {
-		socksend(param->clisock, (unsigned char *)"334\r\n", 5,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)"334\r\n", 5,conf.timeouts[STRING_S]);	
 		i = sockgetlinebuf(param, CLIENT, buf, sizeof(buf) - 10, '\n', conf.timeouts[STRING_S]);
 		if(i < 3) {RETURN(667);}
 		buf[i-2] = 0;
@@ -160,8 +160,8 @@ void * smtppchild(struct clientparam* param) {
 	parseconnusername((char *)username+1, param, 0, 25);
 	res = (int)strlen((char *)username+1) + 2;
 	if(res < i){
-		if(param->extpassword) myfree(param->extpassword);
-		param->extpassword = (unsigned char *)mystrdup((char *)username + res);
+		if(param->extpassword) free(param->extpassword);
+		param->extpassword = (unsigned char *)strdup((char *)username + res);
 	}
  }
 
@@ -189,7 +189,7 @@ void * smtppchild(struct clientparam* param) {
  i = sprintf((char *)buf, "EHLO [");
  i += myinet_ntop(*SAFAMILY(¶m->sinsl), SAADDR(¶m->sinsl), (char *)buf+strlen((char *)buf), 64);
  i += sprintf((char *)buf+strlen((char *)buf), "]\r\n");
- if(socksend(param->remsock, buf, i, conf.timeouts[STRING_S])!= i) {RETURN(673);}
+ if(socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S])!= i) {RETURN(673);}
  param->statscli64+=i;
  param->nwrites++;
  login = 0;
@@ -204,29 +204,29 @@ void * smtppchild(struct clientparam* param) {
  if(i<3) {RETURN(672);}
  if(!command || (param->extusername && param->extpassword)){
 	if(!param->extusername || !*param->extusername || !param->extpassword || !*param->extpassword || !login){
-		socksend(param->clisock, (unsigned char *)"235 auth required\r\n", 19,conf.timeouts[STRING_S]);	
+		socksend(param, param->clisock, (unsigned char *)"235 auth required\r\n", 19,conf.timeouts[STRING_S]);	
 	}
 	if ((login & 1)) {
-		socksend(param->remsock, (unsigned char *)"AUTH LOGIN\r\n", 12, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, (unsigned char *)"AUTH LOGIN\r\n", 12, conf.timeouts[STRING_S]);
  param->statscli64+=12;
 		param->nwrites++;
 		i = sockgetlinebuf(param, SERVER, buf, sizeof(buf) - 1, '\n', conf.timeouts[STRING_L]);
 		if(i<4 || strncasecmp((char *)buf, "334", 3)) {RETURN(680);}
 		en64(param->extusername, buf, (int)strlen((char *)param->extusername));
-		socksend(param->remsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
-		socksend(param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
  param->statscli64+=(i+2);
 		param->nwrites+=2;
 		i = sockgetlinebuf(param, SERVER, buf, sizeof(buf) - 1, '\n', conf.timeouts[STRING_L]);
 		if(i<4 || strncasecmp((char *)buf, "334", 3)) {RETURN(681);}
 		en64(param->extpassword, buf, (int)strlen((char *)param->extpassword));
-		socksend(param->remsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
-		socksend(param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
  param->statscli64+=(i+2);
 		param->nwrites+=2;
 	}
 	else if((login & 2)){
-		socksend(param->remsock, (unsigned char *)"AUTH PLAIN\r\n", 12, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, (unsigned char *)"AUTH PLAIN\r\n", 12, conf.timeouts[STRING_S]);
  param->statscli64+=(12);
 		param->nwrites++;
 		i = sockgetlinebuf(param, SERVER, buf, sizeof(buf) - 1, '\n', conf.timeouts[STRING_L]);
@@ -240,8 +240,8 @@ void * smtppchild(struct clientparam* param) {
 		i+=res;
 		en64(username, buf, i);
 		i = (int)strlen((char *)buf);
-		socksend(param->remsock, buf, i, conf.timeouts[STRING_S]);
-		socksend(param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S]);
+		socksend(param, param->remsock, (unsigned char *)"\r\n", 2, conf.timeouts[STRING_S]);
  param->statscli64+=(i+2);
 		param->nwrites+=2;
 	}
@@ -266,7 +266,7 @@ void * smtppchild(struct clientparam* param) {
 	}
 #endif
 	i = (int)strlen(command);
-	if(res != 2) socksend(param->remsock, (unsigned char *)command, i, conf.timeouts[STRING_S]);
+	if(res != 2) socksend(param, param->remsock, (unsigned char *)command, i, conf.timeouts[STRING_S]);
  }
 #ifndef WITHMAIN
 
@@ -296,9 +296,9 @@ CLEANRET:
  }
  else dolog(param, NULL);
  if(param->clisock != INVALID_SOCKET) {
-	if ((param->res > 0 && param->res < 100) || (param->res > 661 && param->res <700)) socksend(param->clisock, (unsigned char *)"571 \r\n", 6,conf.timeouts[STRING_S]);
+	if ((param->res > 0 && param->res < 100) || (param->res > 661 && param->res <700)) socksend(param, param->clisock, (unsigned char *)"571 \r\n", 6,conf.timeouts[STRING_S]);
  }
- if(command) myfree(command);
+ if(command) free(command);
  freeparam(param);
  return (NULL);
 }
diff --git a/src/sockgetchar.c b/src/sockgetchar.c
index da2105c..ef3808b 100644
--- a/src/sockgetchar.c
+++ b/src/sockgetchar.c
@@ -1,13 +1,13 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 */
 
 #include "proxy.h"
 
-int socksend(SOCKET sock, unsigned char * buf, int bufsize, int to){
+int socksend(struct clientparam *param, SOCKET sock, unsigned char * buf, int bufsize, int to){
  int sent = 0;
  int res;
  struct pollfd fds;
@@ -16,10 +16,10 @@ int socksend(SOCKET sock, unsigned char * buf, int bufsize, int to){
  fds.events = POLLOUT;
  do {
 	if(conf.timetoexit) return 0;
-	res = so._poll(&fds, 1, to*1000);
+	res = param?param->srv->so._poll(param->sostate, &fds, 1, to*1000):so._poll(so.state, &fds, 1, to*1000);
 	if(res < 0 && (errno == EAGAIN || errno == EINTR)) continue;
 	if(res < 1) break;
-	res = so._send(sock, (char *)buf + sent, bufsize - sent, 0);
+	res = param?param->srv->so._send(param->sostate, sock, (char *)buf + sent, bufsize - sent, 0) : so._send(so.state, sock, (char *)buf + sent, bufsize - sent, 0);
 	if(res < 0) {
 		if(errno == EAGAIN || errno == EINTR) continue;
 		break;
@@ -30,7 +30,7 @@ int socksend(SOCKET sock, unsigned char * buf, int bufsize, int to){
 }
 
 
-int socksendto(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to){
+int socksendto(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to){
  int sent = 0;
  int res;
  struct pollfd fds;
@@ -39,10 +39,10 @@ int socksendto(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufs
  do {
 	if(conf.timetoexit) return 0;
 	fds.events = POLLOUT;
- 	res = so._poll(&fds, 1, to);
+	res = param?param->srv->so._poll(param->sostate, &fds, 1, to):so._poll(so.state, &fds, 1, to);
 	if(res < 0 && (errno == EAGAIN || errno == EINTR)) continue;
 	if(res < 1) break;
-	res = so._sendto(sock, (char *)buf + sent, bufsize - sent, 0, sin, SASIZE(sin));
+	res = param?param->srv->so._sendto(param->sostate, sock, (char *)buf + sent, bufsize - sent, 0, sin, SASIZE(sin)):so._sendto(so.state, sock, (char *)buf + sent, bufsize - sent, 0, sin, SASIZE(sin)); 
 	if(res < 0) {
 		if(errno !=  EAGAIN && errno != EINTR) break;
 		continue;
@@ -52,7 +52,7 @@ int socksendto(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufs
  return sent;
 }
 
-int sockrecvfrom(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to){
+int sockrecvfrom(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to){
 	struct pollfd fds;
 	SASIZETYPE sasize;
 	int res;
@@ -60,10 +60,11 @@ int sockrecvfrom(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bu
 	fds.fd = sock;
 	fds.events = POLLIN;
 	if(conf.timetoexit) return EOF;
-	if (so._poll(&fds, 1, to)<1) return 0;
+	res = param?param->srv->so._poll(param->sostate, &fds, 1, to):so._poll(so.state, &fds, 1, to);
+	if (res<1) return 0;
 	sasize = SASIZE(sin);
 	do {
-		res = so._recvfrom(sock, (char *)buf, bufsize, 0, (struct sockaddr *)sin, &sasize);
+		res = param?param->srv->so._recvfrom(param->sostate, sock, (char *)buf, bufsize, 0, (struct sockaddr *)sin, &sasize):so._recvfrom(so.state, sock, (char *)buf, bufsize, 0, (struct sockaddr *)sin, &sasize);
 	} while (res < 0 && (errno == EAGAIN || errno == EINTR));
 	return res;
 }
@@ -72,7 +73,7 @@ int sockgetcharcli(struct clientparam * param, int timeosec, int timeousec){
 	int len;
 
 	if(!param->clibuf){
-		if(!(param->clibuf = myalloc(SRVBUFSIZE))) return 0;
+		if(!(param->clibuf = malloc(SRVBUFSIZE))) return 0;
 		param->clibufsize = SRVBUFSIZE;
 		param->clioffset = param->cliinbuf = 0;
 	}
@@ -80,13 +81,13 @@ int sockgetcharcli(struct clientparam * param, int timeosec, int timeousec){
 		return (int)param->clibuf[param->clioffset++];
 	}
 	param->clioffset = param->cliinbuf = 0;
-	if ((len = sockrecvfrom(param->clisock, (struct sockaddr *)¶m->sincr, param->clibuf, param->clibufsize, timeosec*1000 + timeousec))<=0) return EOF;
+	if ((len = sockrecvfrom(param, param->clisock, (struct sockaddr *)¶m->sincr, param->clibuf, param->clibufsize, timeosec*1000 + timeousec))<=0) return EOF;
 	param->cliinbuf = len;
 	param->clioffset = 1;
 	return (int)*param->clibuf;
 }
 
-int sockfillbuffcli(struct clientparam * param, unsigned long size, int timeosec){
+unsigned long sockfillbuffcli(struct clientparam * param, unsigned long size, int timeosec){
 	int len;
 
 	if(!param->clibuf) return 0;
@@ -100,13 +101,13 @@ int sockfillbuffcli(struct clientparam * param, unsigned long size, int timeosec
 	}
 	if(size <= param->cliinbuf) return size;
 	size -= param->cliinbuf;
-	if((len = sockrecvfrom(param->clisock, (struct sockaddr *)¶m->sincr, param->clibuf + param->cliinbuf, (param->clibufsize - param->cliinbuf) < size? param->clibufsize - param->cliinbuf:size, timeosec*1000)) > 0){
+	if((len = sockrecvfrom(param, param->clisock, (struct sockaddr *)¶m->sincr, param->clibuf + param->cliinbuf, (param->clibufsize - param->cliinbuf) < size? param->clibufsize - param->cliinbuf:size, timeosec*1000)) > 0){
 		param->cliinbuf += len;
 	}
 	return param->cliinbuf;
 }
 
-int sockfillbuffsrv(struct clientparam * param, unsigned long size, int timeosec){
+unsigned long sockfillbuffsrv(struct clientparam * param, unsigned long size, int timeosec){
 	int len;
 
 	if(!param->srvbuf) return 0;
@@ -120,7 +121,7 @@ int sockfillbuffsrv(struct clientparam * param, unsigned long size, int timeosec
 	}
 	if(size <= param->srvinbuf) return size;
 	size -= param->srvinbuf;
-	if((len = sockrecvfrom(param->remsock, (struct sockaddr *)¶m->sinsr, param->srvbuf + param->srvinbuf, (param->srvbufsize - param->srvinbuf) < size? param->srvbufsize - param->srvinbuf:size, timeosec*1000)) > 0){
+	if((len = sockrecvfrom(param, param->remsock, (struct sockaddr *)¶m->sinsr, param->srvbuf + param->srvinbuf, (param->srvbufsize - param->srvinbuf) < size? param->srvbufsize - param->srvinbuf:size, timeosec*1000)) > 0){
 		param->srvinbuf += len;
 		param->nreads++;
 		param->statssrv64 += len;
@@ -136,7 +137,7 @@ int sockgetcharsrv(struct clientparam * param, int timeosec, int timeousec){
 	if(!param->srvbuf){
 		bufsize = SRVBUFSIZE;
 		if(param->ndatfilterssrv > 0 && bufsize < 32768) bufsize = 32768;
-		if(!(param->srvbuf = myalloc(bufsize))) return 0;
+		if(!(param->srvbuf = malloc(bufsize))) return 0;
 		param->srvbufsize = bufsize;
 		param->srvoffset = param->srvinbuf = 0;
 		
@@ -145,7 +146,7 @@ int sockgetcharsrv(struct clientparam * param, int timeosec, int timeousec){
 		return (int)param->srvbuf[param->srvoffset++];
 	}
 	param->srvoffset = param->srvinbuf = 0;
-	if ((len = sockrecvfrom(param->remsock, (struct sockaddr *)¶m->sinsr, param->srvbuf, param->srvbufsize, timeosec*1000 + timeousec))<=0) return EOF;
+	if ((len = sockrecvfrom(param, param->remsock, (struct sockaddr *)¶m->sinsr, param->srvbuf, param->srvbufsize, timeosec*1000 + timeousec))<=0) return EOF;
 	param->srvinbuf = len;
 	param->srvoffset = 1;
 	param->nreads++;
diff --git a/src/sockmap.c b/src/sockmap.c
index 77234ea..c406ca5 100644
--- a/src/sockmap.c
+++ b/src/sockmap.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2020 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -50,16 +50,20 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
  int FROMCLIENT = 1, TOCLIENTBUF = 1, FROMCLIENTBUF = 1, TOSERVER = 1, 
 	FROMSERVER = 1, TOSERVERBUF = 1, FROMSERVERBUF = 1, TOCLIENT = 1;
  int HASERROR=0;
- int CLIENTTERM = 0, SERVERTERM = 0;
+ int CLIENTTERMREAD = 0, CLIENTTERMWRITE = 0, SERVERTERMREAD = 0, SERVERTERMWRITE = 0;
  int after = 0;
- struct pollfd fds[6];
+ struct pollfd fds[8];
  struct pollfd *fdsp = fds;
  int fdsc = 0;
  int sleeptime = 0;
  FILTER_ACTION action;
- int res;
+ int res = 0;
  SASIZETYPE sasize;
  int needaction = 0;
+ int graceclinum=0, gracesrvnum=0, graceclitraf=0, gracesrvtraf=0;
+ time_t gracetime = 0;
+ int cli_events = 0;
+ int srv_events = 0;
 
 #ifdef WITHSPLICE
  uint64_t inclientpipe = 0, inserverpipe = 0;
@@ -67,7 +71,7 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
  int pipesrv[2] = {-1,-1};
  int pipecli[2] = {-1,-1};
 
- if(param->operation == UDPASSOC || (!param->nolongdatfilter && (param->ndatfilterscli > 0 || param->ndatfilterssrv))) usesplice = 0;
+ if((!param->nolongdatfilter && (param->ndatfilterscli > 0 || param->ndatfilterssrv))) usesplice = 0;
  if(usesplice){
 	TOCLIENTPIPE = FROMCLIENTPIPE = TOSERVERPIPE = FROMSERVERPIPE = 1;
 	TOCLIENTBUF = TOSERVERBUF = 0;
@@ -93,20 +97,16 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
 	TOSERVER = 0;
 	FROMCLIENT = 0;
  }
- if(param->operation == UDPASSOC && param->srv->singlepacket){
-	fromclient = inclientbuf;
-	FROMCLIENT = 0;
- }
  if(inserverbuf >= fromserver) FROMSERVER = 0;
  if(inclientbuf >= fromclient) FROMCLIENT = 0;
 #ifdef WITHSPLICE
  if(!usesplice)
 #endif
  {
-	if(fromserver && !param->srvbuf && (!(param->srvbuf=myalloc(SRVBUFSIZE)) || !(param->srvbufsize = SRVBUFSIZE))){
+	if(fromserver && !param->srvbuf && (!(param->srvbuf=malloc(SRVBUFSIZE)) || !(param->srvbufsize = SRVBUFSIZE))){
 		RETURN (21);
 	}
-	if(fromclient && !param->clibuf && (!(param->clibuf=myalloc(SRVBUFSIZE)) || !(param->clibufsize = SRVBUFSIZE))){
+	if(fromclient && !param->clibuf && (!(param->clibuf=malloc(SRVBUFSIZE)) || !(param->clibufsize = SRVBUFSIZE))){
 		RETURN (21);
 	}
 
@@ -123,24 +123,24 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
  if(action != PASS) RETURN(19);
 
  while(
-	((!CLIENTTERM) && fromserver && (inserverbuf 
+	((!CLIENTTERMWRITE) && fromserver && (inserverbuf
 #ifdef WITHSPLICE
-		|| inserverpipe 
+		|| inserverpipe
 #endif
-		|| (!SERVERTERM )))
+		|| (!SERVERTERMREAD )))
 	||
-	((!SERVERTERM) && fromclient && (inclientbuf 
+	((!SERVERTERMWRITE) && fromclient && (inclientbuf
 #ifdef WITHSPLICE
-		|| inclientpipe 
+		|| inclientpipe
 #endif
-		|| (!CLIENTTERM )))
+		|| (!CLIENTTERMREAD )))
  ){
 
 
 #if WITHLOG > 1
 sprintf(logbuf, "int FROMCLIENT = %d, TOCLIENTBUF = %d, FROMCLIENTBUF = %d, TOSERVER = %d, "
 	"FROMSERVER = %d, TOSERVERBUF = %d, FROMSERVERBUF = %d, TOCLIENT = %d; inclientbuf=%d; "
-	"inserverbuf=%d, CLIENTTERM = %d, SERVERTERM =%d, fromserver=%u, fromclient=%u"
+	"inserverbuf=%d, CLIENTTERMREAD=%d CLIENTTERMWRITE=%d SERVERTERMREAD=%d SERVERTERMWRITE=%d fromserver=%u, fromclient=%u"
 #ifdef WITHSPLICE
 	 ", inserverpipe=%d, inclentpipe=%d "
 	"TOCLIENTPIPE=%d FROMCLIENTPIPE==%d TOSERVERPIPE==%d FROMSERVERPIPE=%d"
@@ -148,7 +148,7 @@ sprintf(logbuf, "int FROMCLIENT = %d, TOCLIENTBUF = %d, FROMCLIENTBUF = %d, TOSE
 	,
  FROMCLIENT, TOCLIENTBUF, FROMCLIENTBUF, TOSERVER, 
 	FROMSERVER, TOSERVERBUF, FROMSERVERBUF, TOCLIENT, 
-	(int)inclientbuf, (int)inserverbuf, CLIENTTERM, SERVERTERM, 
+	(int)inclientbuf, (int)inserverbuf, CLIENTTERMREAD, CLIENTTERMWRITE, SERVERTERMREAD, SERVERTERMWRITE, 
 	(unsigned)fromserver, (unsigned)fromclient
 #ifdef WITHSPLICE
 	,(int)inserverpipe, (int)inclientpipe,
@@ -158,6 +158,18 @@ sprintf(logbuf, "int FROMCLIENT = %d, TOCLIENTBUF = %d, FROMCLIENTBUF = %d, TOSE
 log(logbuf);
 #endif
 
+	if(needaction && param->srv->gracedelay && !sleeptime){
+		if(gracetime != conf.time){
+		    gracetime = conf.time;
+		    graceclinum=gracesrvnum=graceclitraf=gracesrvtraf=0;
+		}
+		else {
+		    if( (graceclinum && graceclitraf && graceclinum>=param->srv->gracenum && (!param->srv->gracetraf || graceclitraf/graceclinum <= param->srv->gracetraf)) ||
+			(gracesrvnum && gracesrvtraf && gracesrvnum>=param->srv->gracenum && (!param->srv->gracetraf || gracesrvtraf/gracesrvnum <= param->srv->gracetraf))) {
+			    sleeptime = param->srv->gracedelay;
+			}
+		}
+	}
 	if(needaction > 2 && !sleeptime){
 		if(needaction > (MAXFAILATTEMPT+1)){RETURN (93);}
 		sleeptime = (1<<(needaction-2));
@@ -167,7 +179,7 @@ log(logbuf);
 		memset(fds, 0, sizeof(fds));
 		fds[0].fd = param->clisock;
 		fds[1].fd = param->remsock;
-		so._poll(fds, 2, sleeptime);
+		param->srv->so._poll(param->sostate, fds, 2, sleeptime);
 		sleeptime = 0;
 	}
 	if((param->srv->logdumpsrv && (param->statssrv64 > param->srv->logdumpsrv)) ||
@@ -200,12 +212,13 @@ log("send to server from buf");
 			param->clioffset = param->cliinbuf = 0;
 			if(fromclient) TOCLIENTBUF = 1;
 		}
-		sasize = sizeof(param->sinsr);
-		res = so._sendto(param->remsock, (char *)param->clibuf + param->clioffset, (int)MIN(inclientbuf, fromclient), 0, (struct sockaddr*)¶m->sinsr, sasize);
+		sasize = SASIZE(¶m->sinsr);
+		res = param->srv->so._sendto(param->sostate, param->remsock, (char *)param->clibuf + param->clioffset, (int)MIN(inclientbuf, fromclient), 0, (struct sockaddr*)¶m->sinsr, sasize);
 		if(res <= 0) {
 			TOSERVER = 0;
 			if(errno && errno != EAGAIN && errno != EINTR){
-				SERVERTERM = 1;
+				SERVERTERMREAD = 1;
+				SERVERTERMWRITE = 1;
 				HASERROR |= 2;
 			}
 		}
@@ -245,12 +258,13 @@ log("send to client from buf");
 			param->srvinbuf = param->srvoffset = 0;
 			continue;
 		}
-		sasize = sizeof(param->sincr);
-		res = so._sendto(param->clisock, (char *)param->srvbuf + param->srvoffset, (int)MIN(inserverbuf,fromserver), 0, (struct sockaddr*)¶m->sincr, sasize);
+		sasize = SASIZE(¶m->sincr);
+		res = param->srv->so._sendto(param->sostate, param->clisock, (char *)param->srvbuf + param->srvoffset, (int)MIN(inserverbuf,fromserver), 0, (struct sockaddr*)¶m->sincr, sasize);
 		if(res <= 0) {
 			TOCLIENT = 0;
 			if(errno && errno != EAGAIN && errno != EINTR){
-				CLIENTTERM = 1;
+				CLIENTTERMREAD = 1;
+				CLIENTTERMWRITE = 1;
 				HASERROR |= 1;
 			}
 
@@ -299,6 +313,11 @@ log(logbuf);
 			}
 			else {
 				FROMCLIENTPIPE = TOSERVER = 0;
+				if(errno && errno != EINTR && errno != EAGAIN) {
+					SERVERTERMREAD = 1;
+					SERVERTERMWRITE = 1;
+					HASERROR |= 2;
+				}
 			}
 		}
 		if(inserverpipe && !inserverbuf && FROMSERVERPIPE && TOCLIENT){
@@ -324,6 +343,11 @@ log(logbuf);
 			}
 			else {
 				FROMSERVERPIPE = TOCLIENT = 0;
+				if(errno && errno != EINTR && errno != EAGAIN) {
+					CLIENTTERMREAD = 1;
+					CLIENTTERMWRITE = 1;
+					HASERROR |= 1;
+				}
 			}
 		}
 		if(fromclient>inclientpipe && FROMCLIENT && TOCLIENTPIPE){
@@ -346,7 +370,12 @@ log(logbuf);
 			if(res <= 0) {
 				FROMCLIENT = TOCLIENTPIPE = 0;
 				if(res == 0 && !errno) {
-					CLIENTTERM = 1;
+					CLIENTTERMREAD = 1;
+					continue;
+				}
+				if(errno && errno != EINTR && errno != EAGAIN) {
+					CLIENTTERMREAD = 1;
+					CLIENTTERMWRITE = 1;
 					continue;
 				}
 			}
@@ -354,6 +383,9 @@ log(logbuf);
 #ifdef WITHLOG
 log("done read from client to pipe");
 #endif
+				graceclinum++;
+				graceclitraf += res;
+				gracesrvnum = gracesrvtraf = 0;
 				inclientpipe += res;
 				if(inclientpipe >= MAXSPLICE) TOCLIENTPIPE = 0;
 				needaction = 0;
@@ -367,7 +399,7 @@ log("done read from client to pipe");
 #ifdef WITHLOG
 log("read from server to pipe\n");
 #endif
-			res = splice(param->remsock, NULL, pipesrv[1], NULL, MIN(MAXSPLICE - inclientpipe, fromserver - inserverpipe), SPLICE_F_NONBLOCK|SPLICE_F_MOVE);
+			res = splice(param->remsock, NULL, pipesrv[1], NULL, MIN(MAXSPLICE - inserverpipe, fromserver - inserverpipe), SPLICE_F_NONBLOCK|SPLICE_F_MOVE);
 #ifdef WITHLOG
 log("server to pipe splice finished\n");
 #if WITHLOG > 1
@@ -380,7 +412,12 @@ log(logbuf);
 			if(res <= 0) {
 				FROMSERVER = TOSERVERPIPE = 0;
 				if(res == 0 && !errno) {
-					SERVERTERM = 1;
+					SERVERTERMREAD = 1;
+					continue;
+				}
+				if(errno && errno != EINTR && errno != EAGAIN) {
+					SERVERTERMREAD = 1;
+					SERVERTERMWRITE = 1;
 					continue;
 				}
 			}
@@ -388,6 +425,9 @@ log(logbuf);
 #ifdef WITHLOG
 log("done read from server to pipe\n");
 #endif
+				gracesrvnum++;
+				gracesrvtraf += res;
+				graceclinum = graceclitraf = 0;
 			    	param->nreads++;
 				param->statssrv64 += res;
 				inserverpipe += res;
@@ -397,10 +437,6 @@ log("done read from server to pipe\n");
 					sl1 = (*param->bandlimfunc)(param, res, 0);
 					if(sl1 > sleeptime) sleeptime = sl1;
 		    		}
- 				if(param->operation == UDPASSOC && param->srv->singlepacket){
-					fromserver = inserverpipe;
-					FROMSERVER = 0;
-				}
 				needaction = 0;
 				continue;
 			}
@@ -414,11 +450,16 @@ log("done read from server to pipe\n");
 log("read from client to buf");
 #endif
 			sasize = sizeof(param->sincr);
-			res = so._recvfrom(param->clisock, (char *)param->clibuf + param->cliinbuf, (int)MIN((uint64_t)param->clibufsize - param->cliinbuf, fromclient-inclientbuf), 0, (struct sockaddr *)¶m->sincr, &sasize);
+			res = param->srv->so._recvfrom(param->sostate, param->clisock, (char *)param->clibuf + param->cliinbuf, (int)MIN((uint64_t)param->clibufsize - param->cliinbuf, fromclient-inclientbuf), 0, (struct sockaddr *)¶m->sincr, &sasize);
 			if(res <= 0) {
 				FROMCLIENT = 0;
-				if(res == 0 || (errno && errno != EINTR && errno !=EAGAIN)){
-					CLIENTTERM = 1;
+				if(res == 0) {
+					CLIENTTERMREAD = 1;
+					continue;
+				}
+				if(errno && errno != EINTR && errno !=EAGAIN){
+					CLIENTTERMREAD = 1;
+					CLIENTTERMWRITE = 1;
 					continue;
 				}
 			}
@@ -426,6 +467,9 @@ log("read from client to buf");
 #ifdef WITHLOG
 log("done read from client to buf");
 #endif
+				graceclinum++;
+				graceclitraf += res;
+				gracesrvnum = gracesrvtraf = 0;
 				inclientbuf += res;
 				param->cliinbuf += res;
 				if(param->clibufsize == param->cliinbuf) TOCLIENTBUF = 0;
@@ -439,11 +483,16 @@ log("done read from client to buf");
 log("read from server to buf");
 #endif
 			sasize = sizeof(param->sinsr);
-			res = so._recvfrom(param->remsock, (char *)param->srvbuf + param->srvinbuf, (int)MIN((uint64_t)param->srvbufsize - param->srvinbuf, fromserver-inserverbuf), 0, (struct sockaddr *)¶m->sinsr, &sasize);
+			res = param->srv->so._recvfrom(param->sostate, param->remsock, (char *)param->srvbuf + param->srvinbuf, (int)MIN((uint64_t)param->srvbufsize - param->srvinbuf, fromserver-inserverbuf), 0, (struct sockaddr *)¶m->sinsr, &sasize);
 			if(res <= 0) {
 				FROMSERVER = 0;
-				if(res == 0 || (errno && errno != EINTR && errno !=EAGAIN)) {
-					SERVERTERM = 1;
+				if(res == 0) {
+					SERVERTERMREAD = 1;
+					continue;
+				}
+				if(errno && errno != EINTR && errno !=EAGAIN) {
+					SERVERTERMREAD = 1;
+					SERVERTERMWRITE = 1;
 					continue;
 				}
 			}
@@ -451,6 +500,9 @@ log("read from server to buf");
 #ifdef WITHLOG
 log("done read from server to buf");
 #endif
+				gracesrvnum++;
+				gracesrvtraf += res;
+				graceclinum = graceclitraf = 0;
 			    	param->nreads++;
 				param->statssrv64 += res;
 				inserverbuf += res;
@@ -461,51 +513,66 @@ log("done read from server to buf");
 					if(sl1 > sleeptime) sleeptime = sl1;
 		    		}
 				if(param->srvbufsize == param->srvinbuf) TOSERVERBUF = 0;
- 				if(param->operation == UDPASSOC && param->srv->singlepacket){
-					fromserver = inserverbuf;
-					FROMSERVER = 0;
-				}
 				needaction = 0;
 				continue;
 			}
 		}
 	}
-	for(after = 0; after < 2; after ++){
+	if (CLIENTTERMREAD && !inclientbuf
+#ifdef WITHSPLICE
+		&& !inclientpipe
+#endif
+		&& !SERVERTERMWRITE) {
+		SERVERTERMWRITE = 1;
+		param->srv->so._shutdown(param->sostate, param->remsock, SHUT_WR);
+	}
+	if (SERVERTERMREAD && !inserverbuf
+#ifdef WITHSPLICE
+		&& !inserverpipe
+#endif
+		&& !CLIENTTERMWRITE) {
+		CLIENTTERMWRITE = 1;
+		param->srv->so._shutdown(param->sostate, param->clisock, SHUT_WR);
+	}
+	for(after = 0, cli_events=0, srv_events=0; after < 2; after ++){
 		fdsc = 0;
+		
 		if(!after){
 			memset(fds, 0, sizeof(fds));
 		}
-		if(!CLIENTTERM){
+//		if(!CLIENTTERMREAD || !CLIENTTERMWRITE){
 			if(!after){
-				fds[fdsc].fd = param->clisock;
-				if(fromclient && !FROMCLIENT && ((
+				if(fromclient && !CLIENTTERMREAD && !FROMCLIENT && ((
 #ifdef WITHSPLICE
-					!usesplice && 
+					!usesplice &&
 #endif
-					TOCLIENTBUF) 
+					TOCLIENTBUF)
 #ifdef WITHSPLICE
 					|| (usesplice)
 #endif
-						)){
-#ifdef WITHLOG
-log("wait reading from client");
-#endif
-							fds[fdsc].events |= (POLLIN);
-						}
-				if(!TOCLIENT && (inserverbuf
+						))
+					cli_events |= POLLIN;
+				if(!TOCLIENT && !CLIENTTERMWRITE && (inserverbuf
 #ifdef WITHSPLICE
 					|| inserverpipe
 #endif
-						)){
+						))
+					cli_events |= POLLOUT;
+				if(cli_events){
+					fds[fdsc].fd = param->clisock;
+					fds[fdsc].events = cli_events;
 #ifdef WITHLOG
+if(cli_events & POLLIN)
+log("wait reading from client");
+if(cli_events & POLLOUT)
 log("wait writing to client");
 #endif
-							fds[fdsc].events |= POLLOUT;
-						}
+				}
 			}
-			else{
+			else if(cli_events){
 				if(fds[fdsc].revents &  (POLLERR|POLLNVAL)) {
-					CLIENTTERM = 1;
+					CLIENTTERMREAD = 1;
+					CLIENTTERMWRITE = 1;
 					HASERROR |= 1;
 				}
 				else {
@@ -523,47 +590,52 @@ log("ready to write to client");
 					}
 					if(fds[fdsc].revents &  (POLLHUP)) {
 						if(fds[fdsc].events & POLLIN) FROMCLIENT = 1;
-						if(fds[fdsc].events & POLLOUT) CLIENTTERM = 1;
+						if(fds[fdsc].events & POLLOUT) CLIENTTERMWRITE = 1;
 					}
 				}
+			} else if(fds[fdsc].revents & (POLLERR|POLLNVAL|POLLHUP)) {
+				CLIENTTERMREAD = 1;
+				CLIENTTERMWRITE = 1;
 			}
 			fdsc++;
-		}
-		if(!SERVERTERM){
+
+//		if(!SERVERTERMREAD || !SERVERTERMWRITE){
 			if(!after){
-				fds[fdsc].fd = param->remsock;
-				if(fromserver && !FROMSERVER && ((
+				if(fromserver && !SERVERTERMREAD && !FROMSERVER && ((
 #ifdef WITHSPLICE
-					!usesplice && 
+					!usesplice &&
 #endif
-					TOSERVERBUF) 
+					TOSERVERBUF)
 #ifdef WITHSPLICE
 					|| (usesplice)
 #endif
-						)){
-#ifdef WITHLOG
-log("wait reading from server");
-#endif
-							fds[fdsc].events |= (POLLIN);
-						}
-				if(!TOSERVER && (inclientbuf
+						))
+					srv_events |= POLLIN;
+				if(!TOSERVER && !SERVERTERMWRITE && (inclientbuf
 #ifdef WITHSPLICE
 					|| inclientpipe
 #endif
-						)){
+						))
+					srv_events |= POLLOUT;
+				if(srv_events){
+					fds[fdsc].fd = param->remsock;
+					fds[fdsc].events = srv_events;
 #ifdef WITHLOG
+if(srv_events & POLLIN)
+log("wait reading from server");
+if(srv_events & POLLOUT)
 log("wait writing from server");
 #endif
-							fds[fdsc].events |= POLLOUT;
-						}
+				}
 			}
-			else{
+			else if(srv_events){
 				if(fds[fdsc].revents &  (POLLERR|POLLNVAL)) {
 #ifdef WITHLOG
 log("poll from server failed");
 #endif
 
-					SERVERTERM = 1;
+					SERVERTERMREAD = 1;
+					SERVERTERMWRITE = 1;
 					HASERROR |=2;
 				}
 				else {
@@ -584,12 +656,15 @@ log("ready to write to server");
 log("server terminated connection");
 #endif
 						if(fds[fdsc].events & POLLIN) FROMSERVER = 1;
-						if(fds[fdsc].events & POLLOUT) SERVERTERM = 1;
+						if(fds[fdsc].events & POLLOUT) SERVERTERMWRITE = 1;
 					}
 				}
+			} else if(fds[fdsc].revents & (POLLERR|POLLNVAL|POLLHUP)) {
+				SERVERTERMREAD = 1;
+				SERVERTERMWRITE = 1;
 			}
 			fdsc++;
-		}
+//		}
 #ifdef WITHSPLICE
 		if(usesplice){
 			if(fromclient>inclientpipe && !TOCLIENTPIPE && inclientpipe < MAXSPLICE){
@@ -672,6 +747,24 @@ log("ready reading from server pipe");
 			}
 		}
 #endif
+		if(param->ctrlsock != INVALID_SOCKET) {
+			if(!after) {
+				fds[fdsc].fd = param->ctrlsock;
+				fds[fdsc].events = POLLIN;
+			} else if(fds[fdsc].revents) {
+				CLIENTTERMREAD = CLIENTTERMWRITE = SERVERTERMREAD = SERVERTERMWRITE = 1;
+			}
+			fdsc++;
+		}
+		if(param->ctrlsocksrv != INVALID_SOCKET) {
+			if(!after) {
+				fds[fdsc].fd = param->ctrlsocksrv;
+				fds[fdsc].events = POLLIN;
+			} else if(fds[fdsc].revents) {
+				CLIENTTERMREAD = CLIENTTERMWRITE = SERVERTERMREAD = SERVERTERMWRITE = 1;
+			}
+			fdsc++;
+		}
 		if(!after){
 			if(!fdsc) RETURN(90);
 
@@ -681,7 +774,7 @@ log("ready reading from server pipe");
 #ifdef WITHLOG
 log("entering poll");
 #endif
-			res = so._poll(fds, fdsc, timeo*1000);
+			res = param->srv->so._poll(param->sostate, fds, fdsc, timeo*1000);
 #ifdef WITHLOG
 log("leaving poll");
 #endif
@@ -712,6 +805,9 @@ log("timeout");
  else if(inclientpipe || inserverpipe) res = 94;
 #endif
 
+ if((param->nwrites > 0 && !SERVERTERMWRITE) || (param->nreads > 0 && !CLIENTTERMWRITE))
+	usleep(SLEEPTIME * 10);
+
 CLEANRET:
 
 #ifdef WITHSPLICE
diff --git a/src/socks.c b/src/socks.c
index 9b59a30..8452407 100644
--- a/src/socks.c
+++ b/src/socks.c
@@ -1,19 +1,37 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
 */
 
 #include "proxy.h"
+#ifdef __linux__
+#include 
+#endif
 
 #define RETURN(xxx) { param->res = xxx; goto CLEANRET; }
 
 unsigned char * commands[] = {(unsigned char *)"UNKNOWN", (unsigned char *)"CONNECT", (unsigned char *)"BIND", (unsigned char *)"UDPMAP"};
 
 #define BUFSIZE 1024
-#define LARGEBUFSIZE 67000
+
+#if SOCKSTRACE > 0
+char tracebuf[256];
+#endif
+
+
+static void printcommand(unsigned char * buf, int command, struct clientparam *param){
+    sprintf((char *)buf, "%s ", commands[command]);
+    if(param->hostname){
+	sprintf((char *)buf + strlen((char *)buf), "%.256s", param->hostname);
+    }
+    else 
+	myinet_ntop(*SAFAMILY(¶m->req), SAADDR(¶m->req), (char *)buf + strlen((char *)buf), 64);
+    sprintf((char *)buf+strlen((char *)buf), ":%hu", ntohs(*SAPORT(¶m->req)));
+
+}
 
 void * sockschild(struct clientparam* param) {
  int res;
@@ -21,24 +39,20 @@ void * sockschild(struct clientparam* param) {
  SOCKET s;
  unsigned size;
  SASIZETYPE sasize;
- unsigned short port = 0;
+ uint16_t port = 0;
  unsigned char * buf=NULL;
  unsigned char c;
  unsigned char command=0;
  struct pollfd fds[3];
  int ver=0;
  int havepass = 0;
-#ifndef NOIPV6
- struct sockaddr_in6 sin = {AF_INET6};
-#else
- struct sockaddr_in sin = {AF_INET};
-#endif
+ PROXYSOCKADDRTYPE sin;
  int len;
 
 
  param->service = S_SOCKS;
 
- if(!(buf = myalloc(BUFSIZE))) {RETURN(21);}
+ if(!(buf = malloc(BUFSIZE))) {RETURN(21);}
  memset(buf, 0, BUFSIZE);
  if ((ver = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0)) != 5 && ver != 4) {
 	RETURN(401);
@@ -54,7 +68,7 @@ void * sockschild(struct clientparam* param) {
 	 }
 	 buf[0] = 5;
 	 buf[1] = (param->srv->needuser > 1 && !havepass)? 255 : havepass;
-	 if(socksend(param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(401);}
+	 if(socksend(param, param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(401);}
 	 if (param->srv->needuser > 1 && !havepass) RETURN(4);
 	 if (havepass) {
 		if (((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0))) != 1) {
@@ -63,18 +77,24 @@ void * sockschild(struct clientparam* param) {
 		if ((i = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(451);}
 		if (i && (unsigned)(res = sockgetlinebuf(param, CLIENT, buf, i, 0, conf.timeouts[STRING_S])) != i){RETURN(441);};
 		buf[i] = 0;
-		if(!param->username)param->username = (unsigned char *)mystrdup((char *)buf);
+		if(!param->username) {
+			param->username = (unsigned char *)strdup((char *)buf);
+			if(!param->username){RETURN(21);}
+		}
 		if ((i = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(445);}
 		if (i && (unsigned)(res = sockgetlinebuf(param, CLIENT, buf, i, 0, conf.timeouts[STRING_S])) != i){RETURN(441);};
 		buf[i] = 0;
-		if(!param->password)param->password = (unsigned char *)mystrdup((char *)buf);
+		if(!param->password) {
+			param->password = (unsigned char *)strdup((char *)buf);
+			if(!param->password){RETURN(21);}
+		}
 		buf[0] = 1;
 		buf[1] = 0;
-		if(socksend(param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(481);}
+		if(socksend(param, param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(481);}
 	 }
 	 if ((c = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0)) != 5) {
 		RETURN(421);
-         } /* version */
+         }
  }
  if( (command = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) < 1 || command > 3){command = 0; RETURN(407);} /* command */
  if(ver == 5){
@@ -86,7 +106,7 @@ void * sockschild(struct clientparam* param) {
 	buf[0] = (unsigned char) res;
 	if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);}
 	buf[1] = (unsigned char) res;
-	port = *(unsigned short*)buf;
+	memcpy(&port, buf, 2);
 	c = 1;
  }
  
@@ -132,32 +152,38 @@ void * sockschild(struct clientparam* param) {
 			buf[i] = (unsigned char)res;
 		}
 		buf[i] = 0;
-		if(!getip46(param->srv->family, buf, (struct sockaddr *) ¶m->req)) RETURN(100);
+		if(command == 2 && param->srv->family != 6 && (!strcmp((char *)buf, "0.0.0.0") || !strcmp((char *)buf, "0"))) param->req = param->srv->extsa;
+		else if(!getip46(param->srv->family, buf, (struct sockaddr *) ¶m->req)) RETURN(100);
 		param->sinsr = param->req;
 		break;
 	default:
 		RETURN(997);
  }
- if(param->hostname)myfree(param->hostname);
- param->hostname = (unsigned char *)mystrdup((char *)buf);
+ if(param->hostname)free(param->hostname);
+ param->hostname = (unsigned char *)strdup((char *)buf);
+ if(!param->hostname){RETURN(21);}
  if (ver == 5) {
 	 if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);}
 	 buf[0] = (unsigned char) res;
 	 if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);}
 	 buf[1] = (unsigned char) res;
-	 port = *(unsigned short*)buf;
+	 memcpy(&port, buf, 2);
 
  }
  else {
-	sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
+	if(sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]) < 0) {RETURN(441);}
 	buf[127] = 0;
-	if(param->srv->needuser && *buf && !param->username)param->username = (unsigned char *)mystrdup((char *)buf);
+	if(param->srv->needuser && *buf && !param->username) {
+		param->username = (unsigned char *)strdup((char *)buf);
+		if(!param->username){RETURN(21);}
+	}
 	if(!memcmp(SAADDR(¶m->req), "\0\0\0", 3)){
 		param->service = S_SOCKS45;
-		sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
+		if(sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]) < 0) {RETURN(441);}
 		buf[127] = 0;
-		if(param->hostname)myfree(param->hostname);
-		param->hostname = (unsigned char *)mystrdup((char *)buf);
+		if(param->hostname)free(param->hostname);
+		param->hostname = (unsigned char *)strdup((char *)buf);
+		if(!param->hostname){RETURN(21);}
 		if(!getip46(param->srv->family, buf, (struct sockaddr *) ¶m->req)) RETURN(100);
 		param->sinsr = param->req;
 	}
@@ -173,11 +199,17 @@ void * sockschild(struct clientparam* param) {
 	case 3:
 
 #ifndef NOIPV6	 
-	 param->sinsl = *SAFAMILY(¶m->req)==AF_INET6? param->srv->extsa6 : (SAISNULL(¶m->srv->extNat)?param->srv->extsa:param->srv->extNat);
+	 param->sinsl = *SAFAMILY(¶m->req)==AF_INET6? param->srv->extsa6 : param->srv->extsa;
 #else
-	 param->sinsl = SAISNULL(¶m->srv->extNat)?param->srv->extsa:param->srv->extNat;
+	 param->sinsl = param->srv->extsa;
 #endif
-	 if ((param->remsock=so._socket(SASOCK(¶m->req), command == 2? SOCK_STREAM:SOCK_DGRAM, command == 2?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
+#ifdef __linux__
+	 if(command == 3 && param->srv->o_nsfd >= 0) {
+		if(param->srv->saved_nsfd >= 0 && setns(param->srv->saved_nsfd, CLONE_NEWNET)) {RETURN(11);}
+		if(setns(param->srv->o_nsfd, CLONE_NEWNET)) {RETURN(11);}
+	 }
+#endif
+	 if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(¶m->req), command == 2? SOCK_STREAM:SOCK_DGRAM, command == 2?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
 	 param->operation = command == 2?BIND:UDPASSOC;
 #ifdef REUSE
 	if (command == 2){
@@ -185,11 +217,11 @@ void * sockschild(struct clientparam* param) {
 
 #ifdef SO_REUSEADDR
 		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEADDR, (unsigned char *)&opt, sizeof(int));
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEADDR, (unsigned char *)&opt, sizeof(int));
 #endif
 #ifdef SO_REUSEPORT
 		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
 #endif
 	}
 #endif
@@ -203,24 +235,46 @@ void * sockschild(struct clientparam* param) {
 	RETURN(res);
  }
 
+#ifndef WITHMAIN
+ if(param->nreqfilters && buf){
+    int reqbufsize = BUFSIZE, reqsize, action;
+
+    printcommand(buf, command, param);
+    reqsize = strlen((char *)buf);
+    action = handlereqfilters(param, &buf, &reqbufsize, 0, &reqsize);
+    if(action == HANDLED){
+	RETURN(0);
+    }
+    if(action != PASS) RETURN(517);
+ }
+#endif
+
  if(command > 1) {
-	if(so._bind(param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {
+	if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {
 		*SAPORT(¶m->sinsl) = 0;
-		if(so._bind(param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl)))RETURN (12);
+		if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl)))RETURN (12);
 #if SOCKSTRACE > 0
-fprintf(stderr, "%hu bound to communicate with server\n", *SAPORT(¶m->sins));
+fprintf(stderr, "%hu bound to communicate with server\n", *SAPORT(¶m->sinsl));
 fflush(stderr);
 #endif
 	}
 	sasize = SASIZE(¶m->sinsl);
-	so._getsockname(param->remsock, (struct sockaddr *)¶m->sinsl,  &sasize);
+	param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsl,  &sasize);
 	if(command == 3) {
 		param->ctrlsock = param->clisock;
-		param->clisock = so._socket(SASOCK(¶m->sincr), SOCK_DGRAM, IPPROTO_UDP);
+#ifdef __linux__
+		if(param->srv->i_nsfd >= 0) {
+			if(param->srv->saved_nsfd >= 0 && setns(param->srv->saved_nsfd, CLONE_NEWNET)) {RETURN(11);}
+			if(setns(param->srv->i_nsfd, CLONE_NEWNET)) {RETURN(11);}
+		}
+#endif
+		param->clisock = param->srv->so._socket(param->sostate, SASOCK(¶m->sincr), SOCK_DGRAM, IPPROTO_UDP);
 		if(param->clisock == INVALID_SOCKET) {RETURN(11);}
 		sin = param->sincl;
 		*SAPORT(&sin) = 0;
-		if(so._bind(param->clisock,(struct sockaddr *)&sin,SASIZE(&sin))) {RETURN (12);}
+		if(param->srv->so._bind(param->sostate, param->clisock,(struct sockaddr *)&sin,SASIZE(&sin))) {RETURN (12);}
+		sasize = SASIZE(&sin);
+		param->srv->so._getsockname(param->sostate, param->clisock, (struct sockaddr *)&sin, &sasize);
 #if SOCKSTRACE > 0
 fprintf(stderr, "%hu binded to communicate with client\n",
 			ntohs(*SAPORT(&sin))
@@ -231,20 +285,40 @@ fflush(stderr);
  }
  param->res = 0;
 
+
+
+
+
+
 CLEANRET:
 
- if(param->clisock != INVALID_SOCKET){
+ if(param->clisock != INVALID_SOCKET && buf){
 	int repcode;
 
 	sasize = sizeof(sin);
-	if(command != 3 && param->remsock != INVALID_SOCKET) so._getsockname(param->remsock, (struct sockaddr *)&sin,  &sasize);
-	else so._getsockname(param->clisock, (struct sockaddr *)&sin,  &sasize);
+	if(command != 3 && param->remsock != INVALID_SOCKET) param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)&sin,  &sasize);
+	if(!SAISNULL(¶m->srv->extNat)){
+	    uint16_t port;
+	    port = *SAPORT(&sin);
+	    sin = param->srv->extNat;
+	    *SAPORT(&sin) = port;
+	}
+	else {
+	    param->srv->so._getsockname(param->sostate, param->clisock, (struct sockaddr *)&sin,  &sasize);
+	    if(!SAISNULL(¶m->srv->intNat)){
+		uint16_t port;
+		port = *SAPORT(&sin);
+		sin = param->srv->intNat;
+		*SAPORT(&sin) = port;
+	    }
+	}    
 #if SOCKSTRACE > 0
+myinet_ntop(*SAFAMILY(&sin), SAADDR(&sin), tracebuf, SASIZE(&sin));
 fprintf(stderr, "Sending confirmation to client with code %d for %s with %s:%hu\n",
 			param->res,
 			commands[command],
-			inet_ntoa(sin.sin_addr),
-			ntohs(sin.sin_port)
+			tracebuf,
+			ntohs(*SAPORT(&sin))
 	);
 fflush(stderr);
 #endif
@@ -253,6 +327,8 @@ fflush(stderr);
 	else if (param->res < 20) repcode = 5;
 	else if (param->res < 30) repcode = 1;
 	else if (param->res < 100) repcode = 4;
+	else if (param->res == 100) repcode = 4;
+	else if (param->res == 997) repcode = 8;
 	else repcode = param->res%10;
 
 	if(ver == 5){
@@ -262,54 +338,85 @@ fflush(stderr);
 		buf[3] = (*SAFAMILY(&sin) == AF_INET)?1:4;
 		memcpy(buf+4, SAADDR(&sin), SAADDRLEN(&sin));
 		memcpy(buf+4+SAADDRLEN(&sin), SAPORT(&sin), 2);
-		socksend((command == 3)?param->ctrlsock:param->clisock, buf, 6+SAADDRLEN(&sin), conf.timeouts[STRING_S]);
+		socksend(param, (command == 3)?param->ctrlsock:param->clisock, buf, 6+SAADDRLEN(&sin), conf.timeouts[STRING_S]);
 	}
 	else{
 		buf[0] = 0;
 		buf[1] = 90 + !!(repcode);
-		memcpy(buf+2, SAPORT(&sin), 2);
-		memcpy(buf+4, SAADDR(&sin), 4);
-		socksend(param->clisock, buf, 8, conf.timeouts[STRING_S]);
+		if(*SAFAMILY(&sin) == AF_INET){
+			memcpy(buf+2, SAPORT(&sin), 2);
+			memcpy(buf+4, SAADDR(&sin), 4);
+		} else {
+			memset(buf+2, 0, 6);
+			param->res = 997;
+		}
+		socksend(param, param->clisock, buf, 8, conf.timeouts[STRING_S]);
 	}
 
+
+
+	if (param->npredatfilters){
+	    int action;
+	    
+	    action = handlepredatflt(param);
+	    if(action == HANDLED){
+    		param->res = 0;	    
+	    }
+	    if(action != PASS){
+		param->res = 19;
+	    }
+	}
 	if (param->res == 0) {
 		switch(command) {
 			case 1:
 				if(param->redirectfunc){
-					if(buf)myfree(buf);
-					return (*param->redirectfunc)(param);
+					void *ret = (*param->redirectfunc)(param);
+					if(buf)free(buf);
+					return ret;
 				}
 				param->res = mapsocket(param, conf.timeouts[CONNECTION_L]);
 				break;
 			case 2:
-				so._listen (param->remsock, 1);
+				param->srv->so._listen (param->sostate, param->remsock, 1);
 				
 				fds[0].fd = param->remsock;
 				fds[1].fd = param->clisock;
 				fds[0].events = fds[1].events = POLLIN;
-				res = so._poll(fds, 2, conf.timeouts[CONNECTION_L] * 1000);
+				res = param->srv->so._poll(param->sostate, fds, 2, conf.timeouts[CONNECTION_L] * 1000);
 				if (res < 1 || fds[1].revents) {
 					res = 460;
 					break;
 				}
 				sasize = sizeof(param->sinsr);
-				s = so._accept(param->remsock, (struct sockaddr *)¶m->sinsr, &sasize);
-				so._closesocket(param->remsock);
+				s = param->srv->so._accept(param->sostate, param->remsock, (struct sockaddr *)¶m->sinsr, &sasize);
+				param->srv->so._closesocket(param->sostate, param->remsock);
 				param->remsock = s;
 				if(s == INVALID_SOCKET) {
 					param->res = 462;
 					break;
 				}
-				if(SAISNULL(¶m->req) &&
+				if(!SAISNULL(¶m->req) &&
 				 memcmp(SAADDR(¶m->req),SAADDR(¶m->sinsr),SAADDRLEN(¶m->req))) {
 					param->res = 470;
 					break;
 				}
+				{
+#ifdef _WIN32
+                    		    unsigned long ul=1;
+                    		    ioctlsocket(param->remsock, FIONBIO, &ul);
+#else
+                    		    {
+					int flags = fcntl(param->remsock, F_GETFL);
+					if(flags != -1) fcntl(param->remsock, F_SETFL, O_NONBLOCK | flags);
+				    }
+#endif
+            			}
+
 #if SOCKSTRACE > 0
 fprintf(stderr, "Sending incoming connection to client with code %d for %s with %hu\n",
 			param->res,
 			commands[command],
-			*SAPORT(param->sins);
+			*SAPORT(¶m->sinsr)
 	);
 fflush(stderr);
 #endif
@@ -317,120 +424,19 @@ fflush(stderr);
 					buf[3] = (*SAFAMILY(¶m->sinsr) == AF_INET)?1:4;
 					memcpy(buf+4, SAADDR(¶m->sinsr), SAADDRLEN(¶m->sinsr));
 					memcpy(buf+4+SAADDRLEN(¶m->sinsr), SAPORT(¶m->sinsr), 2);
-					socksend(param->clisock, buf, 6+SAADDRLEN(¶m->sinsr), conf.timeouts[STRING_S]);
+					socksend(param, param->clisock, buf, 6+SAADDRLEN(¶m->sinsr), conf.timeouts[STRING_S]);
 				}
 				else {
 					memcpy (buf+2, SAPORT(¶m->sinsr), 2);
 					memcpy (buf+4, SAADDR(¶m->sinsr), 4);
-					socksend(param->clisock, buf, 8, conf.timeouts[STRING_S]);
+					socksend(param, param->clisock, buf, 8, conf.timeouts[STRING_S]);
 				}
 
 				param->res = mapsocket(param, conf.timeouts[CONNECTION_S]);
 				break;
 			case 3:
 				param->sinsr = param->req;
-				myfree(buf);
-				if(!(buf = myalloc(LARGEBUFSIZE))) {RETURN(21);}
-				sin = param->sincr;
-
-				for(;;){
-					fds[0].fd = param->remsock;
-					fds[1].fd = param->clisock;
-					fds[2].fd = param->ctrlsock;
-					fds[2].events = fds[1].events = fds[0].events = POLLIN;
-
-					res = so._poll(fds, 3, conf.timeouts[CONNECTION_L]*1000);
-					if(res <= 0) {
-						param->res = 463;
-						break;
-					}
-					if (fds[2].revents) {
-						param->res = 0;
-						break;
-					}
-					if (fds[1].revents) {
-						sasize = sizeof(sin);
-						if((len = so._recvfrom(param->clisock, (char *)buf, 65535, 0, (struct sockaddr *)&sin, &sasize)) <= 10) {
-							param->res = 464;
-							break;
-						}
-						if(SAADDRLEN(&sin) != SAADDRLEN(¶m->sincr) || memcmp(SAADDR(&sin), SAADDR(¶m->sincr), SAADDRLEN(&sin))){
-							param->res = 465;
-							break;
-						}
-						if(buf[0] || buf[1] || buf[2]) {
-							param->res = 466;
-							break;
-						}
-						size = 4;
-						switch(buf[3]) {
-							case 4:
-								size = 16;
-							case 1:
-								i = 4+size;
-								memcpy(SAADDR(¶m->sinsr), buf+4, size);
-								*SAFAMILY(¶m->sinsr) = (size == 4)?AF_INET:AF_INET6;
-								break;
-							case 3:
-								size = buf[4];
-								for (i=4; size; i++, size--){
-									buf[i] = buf[i+1];
-								}
-								buf[i++] = 0;
-								if(!getip46(param->srv->family, buf+4, (struct sockaddr *) ¶m->sinsr)) RETURN(100);
-								break;
-							default:
-								RETURN(997);
-						 }
-
-						memcpy(SAPORT(¶m->sinsr), buf+i, 2);
-						i+=2;
-
-						sasize = sizeof(param->sinsr);
-						if(len > (int)i){
-							socksendto(param->remsock, (struct sockaddr *)¶m->sinsr, buf+i, len - i, conf.timeouts[SINGLEBYTE_L]*1000);
-							param->statscli64+=(len - i);
-							param->nwrites++;
-#if SOCKSTRACE > 1
-fprintf(stderr, "UDP packet relayed from client to %s:%hu size %d, header %d\n",
-			inet_ntoa(param->sins.sin_addr),
-			ntohs(param->sins.sin_port),
-			(len - i),
-			i
-	);
-fprintf(stderr, "client address is assumed to be %s:%hu\n",
-			inet_ntoa(sin.sin_addr),
-			ntohs(sin.sin_port)
-	);
-fflush(stderr);
-#endif
-						}
-
-					}
-					if (fds[0].revents) {
-						sasize = sizeof(param->sinsr);
-						buf[0]=buf[1]=buf[2]=0;
-						buf[3]=(*SAFAMILY(¶m->sinsl) == AF_INET)?1:4;
-						if((len = so._recvfrom(param->remsock, (char *)buf+6+SAADDRLEN(¶m->sinsl), 65535 - (6+SAADDRLEN(¶m->sinsl)), 0, (struct sockaddr *)¶m->sinsr, &sasize)) <= 0) {
-							param->res = 468;
-							break;
-						}
-						param->statssrv64+=len;
-						param->nreads++;
-						memcpy(buf+4, SAADDR(¶m->sinsr), SAADDRLEN(¶m->sinsr));
-						memcpy(buf+4+SAADDRLEN(¶m->sinsr), SAPORT(¶m->sinsr), 2);
-						sasize = sizeof(sin);
-						socksendto(param->clisock, (struct sockaddr *)&sin, buf, len + 6 + SAADDRLEN(¶m->sinsr), conf.timeouts[SINGLEBYTE_L]*1000);
-#if SOCKSTRACE > 1
-fprintf(stderr, "UDP packet relayed to client from %hu size %d\n",
-			ntohs(*SAPORT(¶m->sinsr)),
-			len
-	);
-fflush(stderr);
-#endif
-
-					}
-				}
+				param->res = udpsockmap(param, conf.timeouts[CONNECTION_L]);
 				break;
 			default:
 				param->res = 417;
@@ -441,15 +447,10 @@ fflush(stderr);
  
  if(command > 3) command = 0;
  if(buf){
-	 sprintf((char *)buf, "%s ", commands[command]);
-	 if(param->hostname){
-	  sprintf((char *)buf + strlen((char *)buf), "%.265s", param->hostname);
-	 }
-	 else 
-		myinet_ntop(*SAFAMILY(¶m->req), SAADDR(¶m->req), (char *)buf + strlen((char *)buf), 64);
-         sprintf((char *)buf+strlen((char *)buf), ":%hu", ntohs(*SAPORT(¶m->req)));
+	 printcommand(buf, command, param);
+
 	 dolog(param, buf);
-	 myfree(buf);
+	 free(buf);
  }
  freeparam(param);
  return (NULL);
@@ -461,7 +462,9 @@ struct proxydef childdef = {
 	1080,
 	0,
 	S_SOCKS,
-	"-N(EXTERNAL_IP) External NAT address to report to client for BIND\n"
+	"-Ne(EXTERNAL_IP) External NAT address (between 3proxy and destination server) to report to client for CONNECT / BIND\n"
+	"-Ni(INTERNAL_IP) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC\n"
+	"NAT is required to map IP-to-IP without port translation\n"
 };
 #include "proxymain.c"
 #endif
diff --git a/src/sql.c b/src/sql.c
new file mode 100644
index 0000000..9862fa8
--- /dev/null
+++ b/src/sql.c
@@ -0,0 +1,152 @@
+#include "proxy.h"
+#ifdef WITH_ODBC
+
+SQLHENV  henv = NULL;
+SQLHSTMT hstmt = NULL;
+SQLHDBC hdbc = NULL;
+char * sqlstring = NULL;
+
+
+void close_sql(){
+    if(hstmt) {
+	SQLFreeHandle(SQL_HANDLE_STMT, hstmt);
+	hstmt = NULL;
+    }
+    if(hdbc){
+	SQLDisconnect(hdbc);
+	SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
+	hdbc = NULL;
+    }
+    if(henv) {
+	SQLFreeHandle(SQL_HANDLE_ENV, henv);
+	henv = NULL;
+    }
+}
+
+int attempt = 0;
+time_t attempt_time = 0;
+
+int init_sql(char * s){
+    SQLRETURN  retcode;
+    char * datasource;
+    char * username;
+    char * password;
+    char * string;
+
+    if(!s) return 0;
+    if(!sqlstring || strcmp(sqlstring, s)){
+	string = sqlstring;
+	sqlstring=strdup(s);
+	if(string)free(string);
+    }
+
+    if(hstmt || hdbc || henv) close_sql();
+    attempt++;
+    attempt_time = time(0);
+    if(!henv){
+	retcode = SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &henv);
+	if (!henv || (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO)){
+	    henv = NULL;
+	    return 0;
+	}
+	retcode = SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (void*)SQL_OV_ODBC3, 0); 
+
+	if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO) {
+	    return 0;
+	}
+    }
+    if(!hdbc){
+	retcode = SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc); 
+	if (!hdbc || (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO)) {
+	    hdbc = NULL;
+	    SQLFreeHandle(SQL_HANDLE_ENV, henv);
+	    henv = NULL;
+	    return 0;
+	}
+            SQLSetConnectAttr(hdbc, SQL_LOGIN_TIMEOUT, (void*)15, 0);
+    }
+    string = strdup(sqlstring);
+    if(!string) return 0;
+    datasource = strtok(string, ",");
+    username = strtok(NULL, ",");
+    password = strtok(NULL, ",");
+    
+
+         /* Connect to data source */
+        retcode = SQLConnect(hdbc, (SQLCHAR*) datasource, (SQLSMALLINT)strlen(datasource),
+                (SQLCHAR*) username, (SQLSMALLINT)((username)?strlen(username):0),
+                (SQLCHAR*) password, (SQLSMALLINT)((password)?strlen(password):0));
+
+    free(string);
+    if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO){
+	SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
+	hdbc = NULL;
+	SQLFreeHandle(SQL_HANDLE_ENV, henv);
+	henv = NULL;
+	return 0;
+    }
+        retcode = SQLAllocHandle(SQL_HANDLE_STMT, hdbc, &hstmt); 
+        if (retcode != SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO){
+	close_sql();
+	return 0;
+    }
+    return 1;
+}
+
+void sqlerr (char *buf){
+    if(conf.stdlog){
+	fprintf(conf.stdlog, "%s\n", buf);
+	fflush(conf.stdlog);
+    }
+    _3proxy_mutex_unlock(&log_mutex);
+}
+
+unsigned char statbuf[8192];
+
+void logsql(struct clientparam * param, const unsigned char *s) {
+    SQLRETURN ret;
+    int len;
+
+
+    if(param->nolog) return;
+    _3proxy_mutex_lock(&log_mutex);
+    len = dobuf(param, statbuf, s, (unsigned char *)"\'");
+
+    if(attempt > 5){
+	time_t t;
+
+	t = time(0);
+	if (t - attempt_time < 180){
+	    sqlerr((char *)statbuf);
+	    return;
+	}
+    }
+    if(!hstmt){
+	if(!init_sql(sqlstring)) {
+	    sqlerr((char *)statbuf);
+	    return;
+	}
+    }
+    if(hstmt){
+	ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
+	if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
+	    close_sql();
+	    if(!init_sql(sqlstring)){
+		sqlerr((char *)statbuf);
+		return;
+	    }
+	    if(hstmt) {
+		ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
+		if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
+		    sqlerr((char *)statbuf);
+		    return;
+		}
+		attempt = 0;
+	    }
+	}
+	attempt = 0;
+    }
+    _3proxy_mutex_unlock(&log_mutex);
+}
+
+#endif
\ No newline at end of file
diff --git a/src/ssl.c b/src/ssl.c
new file mode 100644
index 0000000..65f38c2
--- /dev/null
+++ b/src/ssl.c
@@ -0,0 +1,1239 @@
+/*
+   (c) 2007-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "structures.h"
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "proxy.h"
+#include "ssl.h"
+
+#ifndef _WIN32
+#define WINAPI
+#endif
+
+#ifndef isnumber
+#define isnumber(i_n_arg) ((i_n_arg>='0')&&(i_n_arg<='9'))
+#endif
+
+PROXYFUNC tcppmfunc, proxyfunc, smtppfunc, ftpprfunc;
+
+static struct pluginlink * pl;
+
+static struct alpn client_alpn_protos;
+
+static int ssl_loaded = 0;
+static char *certcache = NULL;
+static char *srvcert = NULL;
+static char *srvkey = NULL;
+static char *clicert = NULL;
+static char *clikey = NULL;
+static char *server_ca_file = NULL;
+static char *server_ca_dir = NULL;
+static char *server_ca_store = NULL;
+static char *server_ca_key = NULL;
+static char *client_ca_file = NULL;
+static char *client_ca_dir = NULL;
+static char *client_ca_store = NULL;
+static int mitm = 0;
+static int serv = 0;
+static int cli = 0;
+static int ssl_inited = 0;
+static int client_min_proto_version = 0;
+static int client_max_proto_version = 0;
+static int server_min_proto_version = 0;
+static int server_max_proto_version = 0;
+static int client_verify = 0;
+static int server_verify = 0;
+static char * client_ciphersuites = NULL;
+static char * server_ciphersuites = NULL;
+static char * client_cipher_list = NULL;
+static char * server_cipher_list = NULL;
+static char * client_sni = NULL;
+static int client_mode = 0;
+
+
+struct SSLsock {
+	SOCKET s;
+	SSL_CONN conn;
+};
+
+struct SSLstate {
+	struct SSLsock cli, srv;
+	struct clientparam* param;
+	SSL_CONFIG *config;
+};
+
+
+#define STATE ((struct SSLstate *)(state))
+
+static struct SSLsock *searchSSL(void* state, SOCKET s){
+    if(!state || s == INVALID_SOCKET) return NULL;
+    if(STATE->cli.s == s) return &STATE->cli;
+    if(STATE->srv.s == s) return &STATE->srv;
+    return NULL;
+}
+
+#define SOSTATE ((struct SSLstate *)(param->sostate))
+
+static void addSSL(
+    SOCKET cli_s, SSL_CONN cli_conn,
+    SOCKET srv_s, SSL_CONN srv_conn,
+    struct clientparam* param){
+	if(!param->sostate) return;
+	if (cli_s != INVALID_SOCKET){
+	    SOSTATE->cli.s = cli_s;
+	    SOSTATE->cli.conn = cli_conn;
+	}
+	if (srv_s != INVALID_SOCKET){
+	    SOSTATE->srv.s = srv_s;
+	    SOSTATE->srv.conn = srv_conn;
+	}
+}
+
+void delSSL(void *state, SOCKET s){
+    if(!state || s == INVALID_SOCKET) return;
+    if(STATE->cli.s == s && STATE->cli.conn) {
+	ssl_conn_free(STATE->cli.conn);
+	STATE->cli.conn = NULL;
+	STATE->cli.s = INVALID_SOCKET;
+    }
+    else if(STATE->srv.s == s && STATE->srv.conn) {
+	ssl_conn_free(STATE->srv.conn);
+	STATE->srv.conn = NULL;
+	STATE->srv.s = INVALID_SOCKET;
+    }
+}
+
+struct sockfuncs sso;
+
+#ifdef _WIN32
+static int WINAPI ssl_send(void *state, SOCKET s, const char *msg, int len, int flags){
+#else
+static ssize_t  ssl_send(void *state, SOCKET s, const void *msg, size_t len, int flags){
+#endif
+	struct SSLsock *sslq;
+
+	if ((sslq = searchSSL(state, s))){
+		int res, err;
+		if((res = ssl_write(sslq->conn, (void *)msg, len)) <= 0){
+			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
+			if (err == SSL_ERROR_WANT_WRITE){
+				seterrno3(EAGAIN);
+				return -1;
+			}
+			else seterrno3(err);
+		}
+		return res;
+	}
+
+	return sso._send(sso.state, s, msg, len, flags);
+}
+
+
+#ifdef _WIN32
+static int WINAPI ssl_sendto(void *state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen){
+#else
+static ssize_t ssl_sendto(void *state, SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen){
+#endif
+	struct SSLsock *sslq;
+
+	if ((sslq = searchSSL(state, s))){
+		int res, err;
+		if((res = ssl_write(sslq->conn, (void *)msg, len)) <= 0) {
+			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
+			if (err == SSL_ERROR_WANT_WRITE){
+				seterrno3(EAGAIN);
+				return -1;
+			}
+			else seterrno3(err);
+		}
+		return res;
+	}
+
+	return sso._sendto(sso.state, s, msg, len, flags, to, tolen);
+}
+
+#ifdef _WIN32
+static int WINAPI ssl_recvfrom(void *state, SOCKET s, char *msg, int len, int flags, struct sockaddr *from, int *fromlen){
+#else
+static ssize_t  ssl_recvfrom(void *state, SOCKET s, void *msg, size_t len, int flags, struct sockaddr *from, SASIZETYPE *fromlen){
+#endif
+	struct SSLsock *sslq;
+
+	if ((sslq = searchSSL(state, s))){
+		int res, err;
+		if((res = ssl_read(sslq->conn, (void *)msg, len)) <= 0) {
+			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
+			if (err == SSL_ERROR_WANT_READ) {
+				seterrno3(EAGAIN);
+				return -1;
+			}
+			else seterrno3(err);
+		}
+		return res;
+	}
+	return sso._recvfrom(sso.state, s, msg, len, flags, from, fromlen);
+}
+
+#ifdef _WIN32
+static int WINAPI ssl_recv(void *state, SOCKET s, char *msg, int len, int flags){
+#else
+static ssize_t ssl_recv(void *state, SOCKET s, void *msg, size_t len, int flags){
+#endif
+	struct SSLsock *sslq;
+
+	if ((sslq = searchSSL(state,s))){
+		int res, err;
+		if((res = ssl_read(sslq->conn, (void *)msg, len)) <= 0) {
+			err = SSL_get_error((SSL *)((ssl_conn*)sslq->conn)->ssl, res);
+			if (err == SSL_ERROR_WANT_READ) {
+				seterrno3(EAGAIN);
+				return -1;
+			}
+			else seterrno3(err);
+		}
+		return res;
+	}
+
+	return sso._recv(sso.state, s, msg, len, flags);
+}
+
+static int WINAPI ssl_shutdown(void *state, SOCKET s, int how){
+	delSSL(state, s);
+	return sso._shutdown(sso.state, s, how);
+}
+
+static int WINAPI ssl_closesocket(void *state, SOCKET s){
+	delSSL(state, s);
+	return sso._closesocket(sso.state, s);
+}
+
+#ifdef _WIN32
+static int WINAPI ssl_poll(void *state, struct pollfd *fds, unsigned int nfds, int timeout){
+#else
+static int ssl_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
+#endif
+	struct SSLsock *sslq = NULL;
+	unsigned int i;
+	int ret = 0;
+	for(i = 0; i < nfds; i++){
+		if((fds[i].events & POLLIN) && (sslq = searchSSL(state, fds[i].fd)) && ssl_pending(sslq->conn)){
+			fds[i].revents = POLLIN;
+			ret++;
+		}
+		else fds[i].revents = 0;
+	}
+	if(ret) return ret;
+
+	ret = sso._poll(state, fds, nfds, timeout);
+	return ret;
+}
+
+SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config, SSL_CERT *server_cert, char **errSSL)
+{
+    int err = 0;
+    ssl_conn *conn;
+
+    *errSSL = NULL;
+
+    conn = (ssl_conn *)malloc(sizeof(ssl_conn));
+    if ( conn == NULL ){
+	return NULL;
+    }
+    conn->ctx = NULL;
+    conn->ssl = SSL_new(config->srv_ctx);
+    if ( conn->ssl == NULL ) {
+	free(conn);
+	return NULL;
+    }
+    if(hostname && *hostname && config->client_verify){
+        X509_VERIFY_PARAM *param;
+
+        param = SSL_get0_param(conn->ssl);
+        X509_VERIFY_PARAM_set1_host(param, hostname, strlen(hostname));
+    }
+
+    if(!SSL_set_fd(conn->ssl, s)){
+	ssl_conn_free(conn);
+	*errSSL = getSSLErr();
+	return NULL;
+    }
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
+    if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
+#endif
+
+    do {
+	struct pollfd fds[1] = {{INVALID_SOCKET}};
+	int sslerr;
+
+	err = SSL_connect(conn->ssl);
+	if (err != -1) break;
+	sslerr  = SSL_get_error(conn->ssl, err);
+	if(sslerr == SSL_ERROR_WANT_READ){
+	    fds[0].fd = s;
+	    fds[0].events = POLLIN;
+	}
+	else if(sslerr == SSL_ERROR_WANT_WRITE){
+	    fds[0].fd = s;
+	    fds[0].events = POLLOUT;
+	}
+	else break;
+	if(sso._poll(sso.state, fds, 1, pl->conf->timeouts[CONNECT_TO]*1000) <= 0 ||  !(fds[0].revents & (POLLOUT|POLLIN))) break;
+    } while (err == -1);
+
+    if ( err != 1 ) {
+	*errSSL = getSSLErr();
+	ssl_conn_free(conn);
+	return NULL;
+    }
+
+    if(server_cert){
+        X509 *cert;
+        cert = SSL_get_peer_certificate(conn->ssl);
+        if(!cert) {
+	ssl_conn_free(conn);
+	return NULL;
+        }
+
+        *server_cert = cert;
+    }
+
+    return conn;
+}
+
+
+SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
+    int err = 0;
+    X509 *cert;
+    ssl_conn *conn;
+
+    *errSSL = NULL;
+
+    conn = (ssl_conn *)malloc(sizeof(ssl_conn));
+    if ( conn == NULL )
+	return NULL;
+
+    conn->ctx = NULL;
+    conn->ssl = NULL;
+    if(!config->cli_ctx){
+        conn->ctx = ssl_cli_ctx(config, server_cert, server_key, errSSL);
+        if(!conn->ctx){
+	ssl_conn_free(conn);
+	return NULL;
+        }
+    }
+
+    conn->ssl = SSL_new(config->cli_ctx?config->cli_ctx : conn->ctx);
+    if ( conn->ssl == NULL ) {
+	*errSSL = getSSLErr();
+	if(conn->ctx)SSL_CTX_free(conn->ctx);
+	free(conn);
+	return NULL;
+    }
+
+    SSL_set_fd(conn->ssl, s);
+
+    do {
+	struct pollfd fds[1] = {{INVALID_SOCKET}};
+	int sslerr;
+
+	err = SSL_accept(conn->ssl);
+	if (err != -1) break;
+	sslerr  = SSL_get_error(conn->ssl, err);
+	if(sslerr == SSL_ERROR_WANT_READ){
+	    fds[0].fd = s;
+	    fds[0].events = POLLIN;
+	}
+	else if(sslerr == SSL_ERROR_WANT_WRITE){
+	    fds[0].fd = s;
+	    fds[0].events = POLLOUT;
+	}
+	else break;
+	if(sso._poll(sso.state, fds, 1, pl->conf->timeouts[CONNECT_TO]*1000) <= 0 ||  !(fds[0].revents & (POLLOUT|POLLIN))) break;
+    } while (err == -1);
+
+
+    if ( err != 1 ) {
+	*errSSL = getSSLErr();
+	ssl_conn_free(conn);
+	return NULL;
+    }
+
+    cert = SSL_get_peer_certificate(conn->ssl);
+
+    if ( cert != NULL )
+	X509_free(cert);
+
+    return conn;
+}
+
+
+#define PCONF (((struct SSLstate *)param->sostate)->config)
+
+SSL_CONN dosrvcon(struct clientparam* param, SSL_CERT* cert){
+ SSL_CONN ServerConn;
+ char *errSSL=NULL;
+
+ ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, PCONF, cert, &errSSL);
+ if ( ServerConn == NULL) {
+	if(ServerConn) ssl_conn_free(ServerConn);
+	param->res = 8011;
+	param->srv->logfunc(param, (unsigned char *)"SSL handshake to server failed");
+	if(ServerConn == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerConn is NULL");
+	if(cert && *cert == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerCert is NULL");
+	if(errSSL)param->srv->logfunc(param, (unsigned char *)errSSL);
+	return NULL;
+ }
+
+ SSL_set_mode((SSL *)((ssl_conn *)ServerConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
+ SSL_set_read_ahead((SSL *)((ssl_conn *)ServerConn)->ssl, 0);
+
+ return ServerConn;
+}
+
+int domitm(struct clientparam* param){
+ SSL_CERT ServerCert=NULL, FakeCert=NULL;
+ SSL_CONN ServerConn, ClientConn;
+ char *errSSL=NULL;
+
+ ServerConn = dosrvcon(param, &ServerCert);
+ if(!ServerConn) return 1;
+ FakeCert = ssl_copy_cert(ServerCert, PCONF);
+ _ssl_cert_free(ServerCert);
+ if ( FakeCert == NULL ) {
+	param->res = 8012;
+	param->srv->logfunc(param, (unsigned char *)"Failed to create certificate copy");
+	ssl_conn_free(ServerConn);
+	return 2;
+ }
+
+ ClientConn = ssl_handshake_to_client(param->clisock, PCONF, FakeCert, PCONF->server_key?PCONF->server_key:PCONF->CA_key, &errSSL);
+
+ _ssl_cert_free(FakeCert);
+ if ( ClientConn == NULL ) {
+	param->res = 8012;
+	param->srv->logfunc(param, (unsigned char *)"Handshake to client failed");
+	if(errSSL)param->srv->logfunc(param, (unsigned char *)errSSL);
+	ssl_conn_free(ServerConn);
+	return 3;
+ }
+
+ SSL_set_mode((SSL *)((ssl_conn *)ClientConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
+ SSL_set_read_ahead((SSL *)((ssl_conn *)ClientConn)->ssl, 0);
+
+ addSSL(param->clisock, ClientConn, param->remsock, ServerConn, param);
+
+ return 0;
+}
+
+int docli(struct clientparam* param){
+
+ SSL_CONN ServerConn;
+ SSL_CERT ServerCert=NULL;
+ unsigned char *hostname;
+ hostname = param->hostname;
+ param->hostname = (unsigned char *)PCONF->client_sni;
+ ServerConn = dosrvcon(param, &ServerCert);
+ param->hostname = hostname;
+ _ssl_cert_free(ServerCert);
+
+ if(!ServerConn) return 1;
+
+ addSSL(INVALID_SOCKET, NULL, param->remsock, ServerConn, param);
+ return 0;
+}
+
+X509 * getCert (const char *fname){
+    BIO *f;
+    X509 *CA_cert;
+
+    f = BIO_new_file(fname, "r");
+    if(!f) return NULL;
+    CA_cert=PEM_read_bio_X509(f, NULL, NULL, NULL);
+    BIO_free(f);
+    return CA_cert;
+}
+
+EVP_PKEY * getKey(const char *fname){
+    BIO *f;
+    EVP_PKEY *key;
+
+    f = BIO_new_file(fname, "r");
+    if(!f) return NULL;
+    key = PEM_read_bio_PrivateKey(f, NULL, NULL, NULL);
+    BIO_free(f);
+
+    return key;
+}
+
+static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx){
+    return preverify_ok;
+}
+
+
+SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
+    SSL_CTX *ctx;
+    int err = 0;
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+    ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
+    if (!ctx) {
+	*errSSL = getSSLErr();
+	return NULL;
+    }
+
+    if(server_cert) {
+        err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
+	if ( err <= 0 ) {
+	    *errSSL = getSSLErr();
+	    SSL_CTX_free(ctx);
+	    return NULL;
+	}
+    }
+
+    err = SSL_CTX_use_PrivateKey(ctx, server_key);
+    if ( err <= 0 ) {
+	*errSSL = getSSLErr();
+	SSL_CTX_free(ctx);
+	return NULL;
+    }
+    if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
+    if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
+    if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+    if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
+#endif
+    if(config->server_verify){
+                if(config->server_ca_file || config->server_ca_dir){
+                    SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
+                }
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                else if(config->server_ca_store){
+                    SSL_CTX_load_verify_store(ctx, config->server_ca_store);
+                }
+#endif
+                else
+                    SSL_CTX_set_default_verify_paths(ctx);
+                SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);
+    }
+    return ctx;
+}
+
+
+static void* ssl_filter_open(void * idata, struct srvparam * srv){
+	char fname[256];
+	char *errSSL;
+	struct ssl_config *sc;
+
+	sc = malloc(sizeof(struct ssl_config));
+	if(!sc) return NULL;
+	memset(sc, 0, sizeof(struct ssl_config));
+	if(certcache) sc->certcache = strdup(certcache);
+	sc->client_min_proto_version = client_min_proto_version;
+	sc->client_max_proto_version = client_max_proto_version;
+	sc->server_min_proto_version = server_min_proto_version;
+	sc->server_max_proto_version = server_max_proto_version;
+	sc->client_mode = client_mode;
+	sc->client_verify = client_verify;
+	sc->server_verify = server_verify;
+	if(client_ciphersuites) sc->client_ciphersuites = strdup(client_ciphersuites);
+	if(server_ciphersuites) sc->server_ciphersuites = strdup(server_ciphersuites);
+	if(client_cipher_list) sc->client_cipher_list = strdup(client_cipher_list);
+	if(server_cipher_list) sc->server_cipher_list = strdup(server_cipher_list);
+	if(srvkey){
+	    sc->server_key = getKey(srvkey);
+	    if(!sc->server_key){
+		fprintf(stderr, "failed to read: %s\n", srvkey);
+		return sc;
+	    }
+	}
+	if(clikey){
+	    sc->client_key = getKey(clikey);
+	    if(!sc->client_key){
+		fprintf(stderr, "failed to read: %s\n", clikey);
+		return sc;
+	    }
+	}
+	if(client_ca_file)sc->client_ca_file =strdup(client_ca_file);
+	if(client_ca_dir)sc->client_ca_dir = strdup(client_ca_dir);
+	if(client_ca_store)sc->client_ca_store = strdup(client_ca_store);
+	if(server_ca_file)sc->server_ca_file = strdup(server_ca_file);
+	if(server_ca_dir)sc->server_ca_dir = strdup(server_ca_dir);
+	if(server_ca_store)sc->server_ca_store = strdup(server_ca_store);
+
+	if(client_sni)sc->client_sni=strdup(client_sni);
+	if(client_alpn_protos.protos_len){
+	    sc->client_alpn_protos = client_alpn_protos;
+	    sc->client_alpn_protos.protos = malloc(client_alpn_protos.protos_len);
+	    if(!sc->client_alpn_protos.protos) sc->client_alpn_protos.protos_len = 0;
+	    else memcpy(sc->client_alpn_protos.protos, client_alpn_protos.protos, client_alpn_protos.protos_len);
+	}
+
+
+	if(mitm){
+	    if(!server_ca_file){
+		if(!certcache) {
+		    return sc;
+		}
+		sprintf(fname, "%.240s3proxy.pem", certcache);
+	    }
+	    sc->CA_cert = getCert(server_ca_file?server_ca_file:fname);
+	    if(!sc->CA_cert){
+		fprintf(stderr, "failed to read: %s\n", server_ca_file?server_ca_file:fname);
+		return sc;
+	    }
+	    if(!server_ca_key){
+		if(!certcache) {
+		    return sc;
+		}
+		sprintf(fname, "%.240s3proxy.key", sc->certcache);
+	    }
+	    sc->CA_key = getKey(server_ca_key?server_ca_key:fname);
+	    if(!sc->CA_key){
+		fprintf(stderr, "failed to read: %s\n", server_ca_key?server_ca_key:fname);
+		return sc;
+	    }
+	    if(!sc->server_key && sc->certcache){
+		sprintf(fname, "%.128sserver.key", sc->certcache);
+		sc->server_key = getKey(fname);
+	    }
+	    sc->mitm = 1;
+	}
+	if(cli){
+	    if(clicert){
+		sc->client_cert = getCert(clicert);
+		if(!sc->client_cert){
+		    fprintf(stderr, "failed to read client cert from: %s\n", clicert);
+		    return sc;
+		}
+		if(!sc->client_key){
+		    fprintf(stderr, "no client key\n");
+		    return sc;
+		}
+	    }
+	    sc->cli = 1;
+	}
+	if(serv){
+	    if(!srvcert || !srvkey) return sc;
+	    if(!sc->server_key){
+		return sc;
+	    }
+	    if(!(sc->cli_ctx = ssl_cli_ctx(sc, NULL, sc->server_key, &errSSL))){
+		fprintf(stderr, "failed to create context: %s\n", errSSL);
+		return sc;
+	    }
+	    if(SSL_CTX_use_certificate_chain_file(sc->cli_ctx, srvcert) != 1){
+		fprintf(stderr, "failed to read server cert: %s\n", srvcert);
+		return sc;
+	    }
+	    sc->serv = 1;
+	}
+	if(mitm || cli || serv){
+	    srv->so._send = ssl_send;
+	    srv->so._recv = ssl_recv;
+	    srv->so._sendto = ssl_sendto;
+	    srv->so._recvfrom = ssl_recvfrom;
+	    srv->so._shutdown = ssl_shutdown;
+	    srv->so._closesocket = ssl_closesocket;
+	    srv->so._poll = ssl_poll;
+	}
+	if(sc && (sc->mitm || sc->cli)){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	    sc->srv_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+	    sc->srv_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+	    if ( sc->srv_ctx == NULL ) {
+		fprintf(stderr, "failed to set client context\n");
+		sc->mitm = sc->cli = 0;
+	    }
+	    if(sc->client_cert){
+		SSL_CTX_use_certificate(sc->srv_ctx, (X509 *) sc->client_cert);
+		SSL_CTX_use_PrivateKey(sc->srv_ctx, sc->client_key);
+	    }
+	    if(sc->client_min_proto_version)SSL_CTX_set_min_proto_version(sc->srv_ctx, sc->client_min_proto_version);
+	    if(sc->client_max_proto_version)SSL_CTX_set_max_proto_version(sc->srv_ctx, sc->client_max_proto_version);
+	    if(sc->client_cipher_list)SSL_CTX_set_cipher_list(sc->srv_ctx, sc->client_cipher_list);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	    if(sc->client_ciphersuites)SSL_CTX_set_ciphersuites(sc->srv_ctx, sc->client_ciphersuites);
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
+	    if(sc->client_alpn_protos.protos_len)SSL_CTX_set_alpn_protos(sc->srv_ctx, sc->client_alpn_protos.protos, sc->client_alpn_protos.protos_len);
+#endif
+	    if(sc->client_verify){
+		if(sc->client_ca_file || sc->client_ca_dir){
+		    SSL_CTX_load_verify_locations(sc->srv_ctx, sc->client_ca_file, sc->client_ca_dir);
+		}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		else if(sc->client_ca_store){
+		    SSL_CTX_load_verify_store(sc->srv_ctx, sc->client_ca_store);
+		}
+#endif
+		else
+		    SSL_CTX_set_default_verify_paths(sc->srv_ctx);
+		    SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+	    }
+	}
+#ifdef WITHSPLICE
+	srv->usesplice = 0;
+#endif
+	return sc;
+}
+
+
+
+static FILTER_ACTION ssl_filter_client(void *fo, struct clientparam * param, void** fc){
+	struct SSLstate *ssls;
+
+	ssls = (struct SSLstate *) malloc(sizeof(struct SSLstate));
+	memset(ssls, 0, sizeof(struct SSLstate));
+	ssls->config = fo;
+	ssls->param = param;
+	param->sostate = ssls;
+	*fc = ssls;
+	if(ssls->config->serv){
+	    SSL_CONN ClientConn;
+	    char *err;
+
+	    ClientConn = ssl_handshake_to_client(param->clisock, ssls->config, NULL, NULL, &err);
+	    if ( ClientConn == NULL ) {
+		param->res = 8013;
+		param->srv->logfunc(param, (unsigned char *)"Handshake to client failed");
+		if(err)param->srv->logfunc(param, (unsigned char *)err);
+		return REJECT;
+	    }
+	    SSL_set_mode((SSL *)((ssl_conn *)ClientConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
+	    SSL_set_read_ahead((SSL *)((ssl_conn *)ClientConn)->ssl, 0);
+	    addSSL(param->clisock, ClientConn, INVALID_SOCKET, NULL, param);
+	}
+	return CONTINUE;
+}
+
+static FILTER_ACTION ssl_filter_connect(void *fc, struct clientparam * param){
+	if(PCONF->cli && !client_mode) {
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
+}
+
+static FILTER_ACTION ssl_filter_afterauth(void *fc, struct clientparam * param){
+	if(PCONF->cli && client_mode == 1) {
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
+}
+
+static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
+
+	if(param->operation != HTTP_CONNECT && param->operation != CONNECT) return PASS;
+	if(PCONF->mitm){
+	    if(domitm(param)) {
+		return REJECT;
+	    }
+	    if(!param->redirectfunc) param->redirectfunc = proxyfunc;
+	    return CONTINUE;
+	}
+	else if(PCONF->cli && client_mode == 2) {
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
+}
+
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+	if(PCONF->cli && client_mode == 3) {
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
+}
+
+static void ssl_filter_clear(void *state){
+    struct clientparam *param;
+
+    if(!state) return;
+    param = STATE->param;
+    free(state);
+    param->sostate = NULL;
+}
+
+#define CONFIG ((SSL_CONFIG *)fo)
+
+static void ssl_filter_close(void *fo){
+    free(CONFIG->certcache);
+    if ( CONFIG->CA_cert != NULL ) {
+	X509_free(CONFIG->CA_cert);
+    }
+    if ( CONFIG->server_cert != NULL ) {
+	X509_free(CONFIG->server_cert);
+    }
+    if ( CONFIG->client_cert != NULL ) {
+	X509_free(CONFIG->server_cert);
+    }
+    if ( CONFIG->CA_key != NULL ) {
+	EVP_PKEY_free(CONFIG->CA_key);
+    }
+    if ( CONFIG->server_key != NULL ) {
+	EVP_PKEY_free(CONFIG->server_key);
+    }
+    if ( CONFIG->client_key != NULL ) {
+	EVP_PKEY_free(CONFIG->server_key);
+    }
+    if ( CONFIG->srv_ctx != NULL ) {
+	SSL_CTX_free(CONFIG->srv_ctx);
+    }
+    if ( CONFIG->cli_ctx != NULL ) {
+	SSL_CTX_free(CONFIG->cli_ctx);
+    }
+    free(CONFIG->client_ciphersuites);
+    free(CONFIG->server_ciphersuites);
+    free(CONFIG->client_cipher_list);
+    free(CONFIG->server_cipher_list);
+    free(CONFIG->client_ca_file);
+    free(CONFIG->client_ca_dir);
+    free(CONFIG->client_ca_store);
+    free(CONFIG->client_sni);
+    if(CONFIG->client_alpn_protos.protos_len){
+	free(CONFIG->client_alpn_protos.protos);
+	CONFIG->client_alpn_protos.protos = NULL;
+	CONFIG->client_alpn_protos.protos_len = 0;
+    }
+    free(fo);
+}
+
+static struct filter ssl_filter = {
+	NULL,
+	"ssl filter",
+	"ssl_filter",
+	ssl_filter_open,
+	ssl_filter_client,
+	NULL,
+	ssl_filter_connect,
+	ssl_filter_afterauth,
+	NULL, NULL,
+	ssl_filter_predata,
+	NULL, NULL,
+	ssl_filter_clear,
+	ssl_filter_close
+};
+
+int filterset = 0;
+
+static void setfilters(){
+	filterset++;
+	if(filterset > 1) return;
+	ssl_filter.next = pl->conf->filters;
+	pl->conf->filters = &ssl_filter;
+	sso = *pl->so;
+}
+
+static void unsetfilters(){
+	struct filter * sf;
+
+	if(!filterset) return;
+	filterset--;
+	if(filterset > 0) return;
+	if(pl->conf->filters == &ssl_filter) pl->conf->filters = ssl_filter.next;
+	else for(sf = pl->conf->filters; sf && sf->next; sf=sf->next){
+		if(sf->next == &ssl_filter) {
+			sf->next = ssl_filter.next;
+			break;
+		}
+	}
+}
+
+static int h_mitm(int argc, unsigned char **argv){
+	if(mitm) return 0;
+	if(serv) return 2;
+	mitm = 1;
+	setfilters();
+	return 0;
+}
+
+static int h_nomitm(int argc, unsigned char **argv){
+	if(!mitm) return 0;
+	mitm = 0;
+	unsetfilters();
+	return 0;
+}
+
+static int h_serv(int argc, unsigned char **argv){
+	if(serv) return 0;
+	if(mitm) return 2;
+	serv = 1;
+	setfilters();
+	return 0;
+}
+
+static int h_noserv(int argc, unsigned char **argv){
+	if(!serv) return 0;
+	serv = 0;
+	unsetfilters();
+	return 0;
+}
+
+static int h_cli(int argc, unsigned char **argv){
+	if(cli) return 0;
+	if(mitm) return 2;
+	cli = 1;
+	setfilters();
+	return 0;
+}
+
+static int h_nocli(int argc, unsigned char **argv){
+	if(!cli) return 0;
+	cli = 0;
+	unsetfilters();
+	return 0;
+}
+
+
+static int h_certcache(int argc, unsigned char **argv){
+	size_t len;
+	len = strlen((char *)argv[1]);
+	if(!len || (argv[1][len - 1] != '/' && argv[1][len - 1] != '\\')) return 1;
+	if(certcache) free(certcache);
+	certcache = strdup((char *)argv[1]);
+	return 0;
+}
+
+static int h_srvcert(int argc, unsigned char **argv){
+	free(srvcert);
+	srvcert = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_srvkey(int argc, unsigned char **argv){
+	free(srvkey);
+	srvkey = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_clicert(int argc, unsigned char **argv){
+	free(clicert);
+	clicert = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_clikey(int argc, unsigned char **argv){
+	free(clikey);
+	clikey = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+
+static int h_client_cipher_list(int argc, unsigned char **argv){
+	free(client_cipher_list);
+	client_cipher_list = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_cipher_list(int argc, unsigned char **argv){
+	free(server_cipher_list);
+	server_cipher_list = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_ciphersuites(int argc, unsigned char **argv){
+	free(client_ciphersuites);
+	client_ciphersuites = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_ciphersuites(int argc, unsigned char **argv){
+	free(server_ciphersuites);
+	server_ciphersuites = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_ca_file(int argc, unsigned char **argv){
+	free(server_ca_file);
+	server_ca_file = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_ca_key(int argc, unsigned char **argv){
+	free(server_ca_key);
+	server_ca_key = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_ca_file(int argc, unsigned char **argv){
+	free(client_ca_file);
+	client_ca_file = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_ca_dir(int argc, unsigned char **argv){
+	free(client_ca_dir);
+	client_ca_dir = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_ca_store(int argc, unsigned char **argv){
+	free(client_ca_store);
+	client_ca_store = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_sni(int argc, unsigned char **argv){
+	free(client_sni);
+	client_sni = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_alpn(int argc, unsigned char **argv){
+    int len, i;
+
+    if(client_alpn_protos.protos_len){
+	free(client_alpn_protos.protos);
+	client_alpn_protos.protos = NULL;
+	client_alpn_protos.protos_len = 0;
+    }
+    if(argc <= 1) return 0;
+
+    for(len = argc - 1, i = 1; i < argc; i++){
+	len += strlen((char *)argv[i]);
+    }
+
+    if(!(client_alpn_protos.protos = malloc(len))) return 10;
+
+    for(len = 0, i = 1; i < argc; i++){
+	int l;
+
+	l = strlen((char *)argv[i]);
+	if(l >= 255) return 2;
+	client_alpn_protos.protos[len++] = l;
+	memcpy(client_alpn_protos.protos + len, argv[i], l);
+	len += l;
+    }
+    client_alpn_protos.protos_len = len;
+
+    return 0;
+}
+
+static int h_server_ca_dir(int argc, unsigned char **argv){
+	free(server_ca_dir);
+	server_ca_dir = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_ca_store(int argc, unsigned char **argv){
+	free(server_ca_store);
+	server_ca_store = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+struct vermap{
+    char *sver;
+    int iver;
+} versions[] = {
+#ifdef SSL3_VERSION
+    {"SSLv3",SSL3_VERSION},
+#endif
+
+#ifdef TLS1_VERSION
+    {"TLSv1",TLS1_VERSION},
+#endif
+
+#ifdef TLS1_1_VERSION
+    {"TLSv1.1",TLS1_1_VERSION},
+#endif
+
+#ifdef TLS1_2_VERSION
+    {"TLSv1.2",TLS1_2_VERSION},
+#endif
+
+#ifdef TLS1_3_VERSION
+    {"TLSv1.3",TLS1_3_VERSION},
+#endif
+
+    {NULL, 0}
+};
+
+int string_to_version(unsigned char *ver){
+    int i;
+    for (i=0; versions[i].sver; i++){
+	if(!strcasecmp(versions[i].sver, (char *)ver)) return versions[i].iver;
+    }
+    return 0;
+}
+
+static int h_client_min_proto_version(int argc, unsigned char **argv){
+	client_min_proto_version = argc>1? string_to_version(argv[1]) : 0;
+	return 0;
+}
+
+static int h_client_max_proto_version(int argc, unsigned char **argv){
+	client_max_proto_version = argc>1? string_to_version(argv[1]) : 0;
+	return 0;
+}
+
+static int h_server_min_proto_version(int argc, unsigned char **argv){
+	server_min_proto_version = argc>1? string_to_version(argv[1]) : 0;
+	return 0;
+}
+
+static int h_server_max_proto_version(int argc, unsigned char **argv){
+	server_max_proto_version = argc>1? string_to_version(argv[1]) : 0;
+	return 0;
+}
+
+static int h_client_verify(int argc, unsigned char **argv){
+	client_verify = 1;
+	return 0;
+}
+static int h_no_client_verify(int argc, unsigned char **argv){
+	client_verify = 0;
+	return 0;
+}
+
+static int h_server_verify(int argc, unsigned char **argv){
+	server_verify = 1;
+	return 0;
+}
+
+static int h_client_mode(int argc, unsigned char **argv){
+	client_mode = 0;
+	if(argc <= 1) return 0;
+	client_mode = atoi((char *)argv[1]);
+	return 0;
+}
+
+
+static int h_no_server_verify(int argc, unsigned char **argv){
+	server_verify = 0;
+	return 0;
+}
+
+static struct commands ssl_commandhandlers[] = {
+	{ssl_commandhandlers+1, "ssl_mitm", h_mitm, 1, 1},
+	{ssl_commandhandlers+2, "ssl_nomitm", h_nomitm, 1, 1},
+	{ssl_commandhandlers+3, "ssl_serv", h_serv, 1, 1},
+	{ssl_commandhandlers+4, "ssl_noserv", h_noserv, 1, 1},
+	{ssl_commandhandlers+5, "ssl_server_cert", h_srvcert, 1, 2},
+	{ssl_commandhandlers+6, "ssl_server_key", h_srvkey, 1, 2},
+	{ssl_commandhandlers+7, "ssl_server_ca_file", h_server_ca_file, 1, 2},
+	{ssl_commandhandlers+8, "ssl_server_ca_key", h_server_ca_key, 1, 2},
+	{ssl_commandhandlers+9, "ssl_client_ca_file", h_client_ca_file, 1, 2},
+	{ssl_commandhandlers+10, "ssl_client_ca_dir", h_client_ca_dir, 1, 2},
+	{ssl_commandhandlers+11, "ssl_client_ca_store", h_client_ca_store, 1, 2},
+	{ssl_commandhandlers+12, "ssl_client_ciphersuites", h_client_ciphersuites, 1, 2},
+	{ssl_commandhandlers+13, "ssl_server_ciphersuites", h_server_ciphersuites, 1, 2},
+	{ssl_commandhandlers+14, "ssl_client_cipher_list", h_client_cipher_list, 1, 2},
+	{ssl_commandhandlers+15, "ssl_server_cipher_list", h_server_cipher_list, 1, 2},
+	{ssl_commandhandlers+16, "ssl_client_min_proto_version", h_client_min_proto_version, 1, 2},
+	{ssl_commandhandlers+17, "ssl_server_min_proto_version", h_server_min_proto_version, 1, 2},
+	{ssl_commandhandlers+18, "ssl_client_max_proto_version", h_client_max_proto_version, 1, 2},
+	{ssl_commandhandlers+19, "ssl_server_max_proto_version", h_server_max_proto_version, 1, 2},
+	{ssl_commandhandlers+20, "ssl_client_verify", h_client_verify, 1, 1},
+	{ssl_commandhandlers+21, "ssl_client_no_verify", h_no_client_verify, 1, 1},
+	{ssl_commandhandlers+22, "ssl_cli", h_cli, 1, 1},
+	{ssl_commandhandlers+23, "ssl_nocli", h_nocli, 1, 1},
+	{ssl_commandhandlers+24, "ssl_client_cert", h_clicert, 1, 2},
+	{ssl_commandhandlers+25, "ssl_client_key", h_clikey, 1, 2},
+	{ssl_commandhandlers+26, "ssl_server", h_serv, 1, 1},
+	{ssl_commandhandlers+27, "ssl_noserver", h_noserv, 1, 1},
+	{ssl_commandhandlers+28, "ssl_client", h_cli, 1, 1},
+	{ssl_commandhandlers+29, "ssl_noclient", h_nocli, 1, 1},
+	{ssl_commandhandlers+30, "ssl_server_verify", h_server_verify, 1, 1},
+	{ssl_commandhandlers+31, "ssl_server_no_verify", h_no_server_verify, 1, 1},
+	{ssl_commandhandlers+32, "ssl_server_ca_dir", h_server_ca_dir, 1, 2},
+	{ssl_commandhandlers+33, "ssl_server_ca_store", h_server_ca_store, 1, 2},
+	{ssl_commandhandlers+34, "ssl_client_sni", h_client_sni, 1, 2},
+	{ssl_commandhandlers+35, "ssl_client_alpn", h_client_alpn, 1, 0},
+	{ssl_commandhandlers+36, "ssl_client_mode", h_client_mode, 1, 2},
+	{NULL, "ssl_certcache", h_certcache, 2, 2},
+};
+
+static struct symbol ssl_symbols[] = {
+        {NULL, "ssl_parent", (void *)&ssl_parent},
+};
+
+
+void ssl_install(void){
+
+	h_nomitm(0, NULL);
+	h_noserv(0, NULL);
+	h_nocli(0, NULL);
+
+	pl = &pluginlink;
+
+	free(certcache);
+	certcache = NULL;
+	free(srvcert);
+	srvcert = NULL;
+	free(srvkey);
+	srvkey = NULL;
+	free(clicert);
+	clicert = NULL;
+	free(clikey);
+	clikey = NULL;
+	client_min_proto_version = 0;
+	client_max_proto_version = 0;
+	server_min_proto_version = 0;
+	server_max_proto_version = 0;
+	client_verify = 0;
+	server_verify = 0;
+	client_mode = 0;
+	free(client_ciphersuites);
+	client_ciphersuites = NULL;
+	free(server_ciphersuites);
+	server_ciphersuites = NULL;
+	free(client_cipher_list);
+	client_cipher_list = NULL;
+	free(server_cipher_list);
+	server_cipher_list = NULL;
+	free(server_ca_file);
+	server_ca_file = NULL;
+	free(server_ca_key);
+	server_ca_key = NULL;
+	free(client_ca_file);
+	client_ca_file = NULL;
+	free(client_ca_dir);
+	client_ca_dir = NULL;
+	free(client_ca_store);
+	client_ca_store = NULL;
+	free(server_ca_dir);
+	server_ca_dir = NULL;
+	free(server_ca_store);
+	server_ca_store = NULL;
+
+
+	if(!ssl_loaded){
+		ssl_loaded = 1;
+		ssl_init();
+		ssl_commandhandlers[(sizeof(ssl_commandhandlers)/sizeof(struct commands))-1].next = pl->commandhandlers->next;
+		pl->commandhandlers->next = ssl_commandhandlers;
+		ssl_symbols[0].next = pl->symbols.next;
+		pl->symbols.next = ssl_symbols;
+	}
+
+	tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");
+	if(!tcppmfunc) return;
+	proxyfunc = (PROXYFUNC)pl->findbyname("proxy");
+	if(!proxyfunc)proxyfunc = tcppmfunc;
+	smtppfunc = (PROXYFUNC)pl->findbyname("smtpp");
+	if(!smtppfunc)smtppfunc = tcppmfunc;
+	ftpprfunc = (PROXYFUNC)pl->findbyname("ftppr");
+	if(!ftpprfunc)ftpprfunc = tcppmfunc;
+
+ }
diff --git a/src/ssl.h b/src/ssl.h
new file mode 100644
index 0000000..ff7468a
--- /dev/null
+++ b/src/ssl.h
@@ -0,0 +1,97 @@
+#ifndef __ssl_h__
+#define __ssl_h__
+
+//
+// opaque connection structure
+//
+typedef void *SSL_CONN;
+//
+// opaque certificate structure
+//
+typedef void *SSL_CERT;
+
+typedef struct _ssl_conn {
+	SSL_CTX *ctx;
+	SSL *ssl;
+} ssl_conn;
+
+struct alpn {
+    unsigned char *protos;
+    unsigned int protos_len;
+};
+
+struct ssl_config {
+    X509 *CA_cert;
+    X509 *server_cert;
+    X509 *client_cert;
+    EVP_PKEY *CA_key;
+    EVP_PKEY *server_key;
+    EVP_PKEY *client_key;
+    SSL_CTX *cli_ctx;
+    SSL_CTX *srv_ctx;
+    char *certcache;
+    char * client_ciphersuites;
+    char * server_ciphersuites;
+    char * client_cipher_list;
+    char * server_cipher_list;
+    char * client_ca_file;
+    char * client_ca_dir;
+    char * client_ca_store;
+    char * server_ca_file;
+    char * server_ca_dir;
+    char * server_ca_store;
+    char * client_sni;
+    struct alpn client_alpn_protos;
+    int mitm;
+    int serv;
+    int cli;
+    int client_min_proto_version;
+    int client_max_proto_version;
+    int server_min_proto_version;
+    int server_max_proto_version;
+    int client_verify;
+    int server_verify;
+    int client_mode;
+};
+
+typedef struct ssl_config SSL_CONFIG;
+
+
+//
+// Create copy of certificate signed by "other" CA
+//
+SSL_CERT ssl_copy_cert(SSL_CERT cert, SSL_CONFIG *config);
+
+//
+// SSL/TLS handshakes
+//
+SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key,char** errSSL);
+SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char **errSSL);
+SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config, SSL_CERT *server_cert, char **errSSL);
+
+//
+// SSL/TLS Read/Write
+//
+int ssl_read(SSL_CONN connection, void * buf, int bufsize);
+int ssl_write(SSL_CONN connection, void * buf, int bufsize);
+int ssl_pending(SSL_CONN connection);
+
+//
+// Release of opaque structures
+//
+void ssl_conn_free(SSL_CONN connection);
+void _ssl_cert_free(SSL_CERT cert);
+
+//
+// Global (de)initialization
+//
+void ssl_init(void);
+char * getSSLErr(void);
+
+//
+// Built-in SSL installation (called from 3proxy.c)
+//
+void ssl_install(void);
+
+extern struct sockfuncs sso;
+#endif // __ssl_h__
diff --git a/src/ssllib.c b/src/ssllib.c
new file mode 100644
index 0000000..8e050d6
--- /dev/null
+++ b/src/ssllib.c
@@ -0,0 +1,312 @@
+/*
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#define _CRT_SECURE_NO_WARNINGS
+
+#include "structures.h"
+#include 
+#include 
+#ifndef _WIN32
+#include 
+#endif
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include 
+#endif
+
+#include "proxy.h"
+#include "ssl.h"
+
+
+_3proxy_mutex_t ssl_file_mutex;
+
+
+static char errbuf[256];
+
+static char hexMap[] = {
+                          '0', '1', '2', '3', '4', '5', '6', '7',
+                          '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
+                        };
+
+static BIO *bio_err=NULL;
+
+
+
+char * getSSLErr(){
+    return ERR_error_string(ERR_get_error(), errbuf);
+}
+
+static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length)
+{
+	char *p;
+	size_t i;
+
+	if ( str_length < ( (bin_length*2)+1) )
+		return 0;
+
+	p = str;
+	for ( i=0; i < bin_length; ++i )
+	{
+		*p++ = hexMap[(*(unsigned char *)bin) >> 4];
+		*p++ = hexMap[(*(unsigned char *)bin) & 0xf];
+		++bin;
+	}
+
+	*p = 0;
+
+	return p - str;
+}
+
+static int add_ext(X509 *cert, int nid, char *value)
+{
+	X509_EXTENSION *ex;
+	X509V3_CTX ctx;
+	/* This sets the 'context' of the extensions. */
+	/* No configuration database */
+	X509V3_set_ctx_nodb(&ctx);
+	/* Issuer and subject certs: both the target since it is self signed,
+	 * no request and no CRL
+	 */
+	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
+	ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
+	if (!ex)
+		return 0;
+
+	X509_add_ext(cert,ex,-1);
+	X509_EXTENSION_free(ex);
+	return 1;
+}
+
+void del_ext(X509 *dst_cert, int nid, int where){
+	int ex;
+
+	ex = X509_get_ext_by_NID(dst_cert, nid, where);
+	if(ex>=0){
+		X509_EXTENSION *ext;
+		if((ext = X509_delete_ext(dst_cert, ex))) X509_EXTENSION_free(ext);
+	}
+
+}
+
+SSL_CERT ssl_copy_cert(SSL_CERT cert, SSL_CONFIG *config)
+{
+	int err = -1;
+	BIO *fcache;
+	X509 *src_cert = (X509 *) cert;
+	X509 *dst_cert = NULL;
+
+	EVP_PKEY *pk = NULL;
+	RSA *rsa = NULL;
+
+	int hash_size = 20;
+	unsigned char hash_sha1[20];
+	char hash_name_sha1[(20*2) + 1];
+	char cache_name[256];
+
+	err = X509_digest(src_cert, EVP_sha1(), hash_sha1, NULL);
+	if(!err){
+		return NULL;
+	}
+
+	if(config->certcache){
+	    bin2hex(hash_sha1, 20, hash_name_sha1, sizeof(hash_name_sha1));
+	    sprintf(cache_name, "%s%s.pem", config->certcache, hash_name_sha1);
+	    /* check if certificate is already cached */
+	    fcache = BIO_new_file(cache_name, "rb");
+	    if ( fcache != NULL ) {
+#ifndef _WIN32
+		flock(BIO_get_fd(fcache, NULL), LOCK_SH);
+#endif
+		dst_cert = PEM_read_bio_X509(fcache, &dst_cert, NULL, NULL);
+#ifndef _WIN32
+		flock(BIO_get_fd(fcache, NULL), LOCK_UN);
+#endif
+		BIO_free(fcache);
+		if ( dst_cert != NULL ){
+			return dst_cert;
+		}
+	    }
+	}
+	/* proceed if certificate is not cached */
+	dst_cert = X509_dup(src_cert);
+	if ( dst_cert == NULL ) {
+		return NULL;
+	}
+	del_ext(dst_cert, NID_crl_distribution_points, -1);
+	del_ext(dst_cert, NID_info_access, -1);
+	del_ext(dst_cert, NID_authority_key_identifier, -1);
+	del_ext(dst_cert, NID_certificate_policies, 0);
+
+	err = X509_set_pubkey(dst_cert, config->server_key?config->server_key:config->CA_key);
+	if ( err == 0 ) {
+		X509_free(dst_cert);
+		return NULL;
+	}
+
+
+	err = X509_set_issuer_name(dst_cert, X509_get_subject_name(config->CA_cert));
+	if(!err){
+		X509_free(dst_cert);
+		return NULL;
+	}
+	err = X509_sign(dst_cert, config->CA_key, EVP_sha256());
+	if(!err){
+		X509_free(dst_cert);
+		return NULL;
+	}
+
+	/* write to cache */
+
+	if(config->certcache){
+	    fcache = BIO_new_file(cache_name, "wb");
+	    if ( fcache != NULL ) {
+#ifndef _WIN32
+		flock(BIO_get_fd(fcache, NULL), LOCK_EX);
+#endif
+		PEM_write_bio_X509(fcache, dst_cert);
+#ifndef _WIN32
+		flock(BIO_get_fd(fcache, NULL), LOCK_UN);
+#endif
+		BIO_free(fcache);
+	    }
+	}
+	return dst_cert;
+}
+
+int ssl_read(SSL_CONN connection, void * buf, int bufsize)
+{
+	ssl_conn *conn = (ssl_conn *) connection;
+
+	return SSL_read(conn->ssl, buf, bufsize);
+}
+
+int ssl_write(SSL_CONN connection, void * buf, int bufsize)
+{
+	ssl_conn *conn = (ssl_conn *) connection;
+
+	return SSL_write(conn->ssl, buf, bufsize);
+}
+int ssl_pending(SSL_CONN connection)
+{
+	ssl_conn *conn = (ssl_conn *) connection;
+
+	return SSL_pending(conn->ssl);
+}
+
+void ssl_conn_free(SSL_CONN connection)
+{
+	ssl_conn *conn = (ssl_conn *) connection;
+
+	if(conn){
+		if(conn->ssl){
+			SSL_shutdown(conn->ssl);
+			SSL_free(conn->ssl);
+		}
+		if(conn->ctx) SSL_CTX_free(conn->ctx);
+		free(conn);
+	}
+}
+
+void _ssl_cert_free(SSL_CERT cert)
+{
+	X509_free((X509 *)cert);
+}
+
+
+
+/* This array will store all of the mutexes available to OpenSSL. */
+static _3proxy_mutex_t *mutex_buf= NULL;
+
+
+static void locking_function(int mode, int n, const char * file, int line)
+{
+  if (mode & CRYPTO_LOCK)
+    _3proxy_mutex_lock(mutex_buf + n);
+  else
+    _3proxy_mutex_unlock(mutex_buf + n);
+}
+
+static unsigned long id_function(void)
+{
+#ifdef _WIN32
+  return ((unsigned long)GetCurrentThreadId());
+#else
+  return ((unsigned long)pthread_self());
+#endif
+}
+
+int thread_setup(void)
+{
+  int i;
+
+  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(_3proxy_mutex_t));
+  if (!mutex_buf)
+    return 0;
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+    _3proxy_mutex_init(mutex_buf +i);
+  CRYPTO_set_id_callback(id_function);
+  CRYPTO_set_locking_callback(locking_function);
+  return 1;
+}
+
+int thread_cleanup(void)
+{
+  int i;
+
+  if (!mutex_buf)
+    return 0;
+  CRYPTO_set_id_callback(NULL);
+  CRYPTO_set_locking_callback(NULL);
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+    _3proxy_mutex_destroy(mutex_buf +i);
+  free(mutex_buf);
+  mutex_buf = NULL;
+  return 1;
+}
+
+
+
+int ssl_file_init = 0;
+
+int ssl_init_done = 0;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+extern EVP_MD *md4_hash;
+extern EVP_MD *md5_hash;
+#endif
+
+
+void ssl_init()
+{
+	if(!ssl_init_done){
+	    
+	    ssl_init_done = 1;
+	    thread_setup();
+	    SSLeay_add_ssl_algorithms();
+	    SSL_load_error_strings();
+	    _3proxy_mutex_init(&ssl_file_mutex);
+	    bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	    OSSL_PROVIDER_load(NULL, "legacy");
+	    OSSL_PROVIDER_load(NULL, "default");
+	    md4_hash = EVP_MD_fetch(NULL, "MD4", NULL);
+	    if (md4_hash == NULL) {
+    		fprintf(stderr, "Error fetching MD4\n");
+	    }
+	    md5_hash = EVP_MD_fetch(NULL, "MD5", NULL);
+	    if (md5_hash == NULL) {
+    		fprintf(stderr, "Error fetching MD5\n");
+	    }
+#endif
+    	}
+}
diff --git a/src/stringtable.c b/src/stringtable.c
index 4bfc7c2..a28b081 100644
--- a/src/stringtable.c
+++ b/src/stringtable.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -28,9 +28,9 @@ unsigned char * strings[] = {
 /* 15 */	(unsigned char *)"DNSPR",
 /* 16 */	(unsigned char *)"FTPPR",
 /* 17 */	(unsigned char *)"SMTPP",
-/* 18 */	(unsigned char *)"ZOMBIE",
-/* 19 */	NULL,
-/* 20 */	NULL,
+/* 18 */	(unsigned char *)"AUTO",
+/* 19 */	(unsigned char *)"TLSPR",
+/* 20 */	(unsigned char *)"ZOMBIE",
 /* 21 */	NULL,
 /* 22 */	NULL,
 /* 23 */	NULL,
@@ -61,9 +61,9 @@ unsigned char * strings[] = {
 	"is coded right now. What you see is a part of work that is done\n"
 	"already.\n"
 	"
    Please send all your comments to\n"
-	"3proxy@security.nnov.ru\n"
+	"3proxy@3proxy.org\n"
 	"
    Documentation:\n"
-	"http://3proxy.ru/\n"
+	"http://3proxy.org/\n"
 	"",
 /* 36 */	NULL,
 /* 37 */	NULL,
diff --git a/src/structures.h b/src/structures.h
index 61a4f31..e9adae8 100644
--- a/src/structures.h
+++ b/src/structures.h
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -15,8 +15,8 @@
 #include 
 #include 
 #include 
-#ifndef PRINTF_INT64_MODIFIER
-#define PRINTF_INT64_MODIFIER "ll"
+#ifndef PRId64
+#include 
 #endif
 #ifdef  __cplusplus
 extern "C" {
@@ -31,32 +31,25 @@ extern "C" {
 #include 
 #include 
 #include 
+#ifdef IP_BOUND_IF
+#include 
+#endif
 #define SASIZETYPE socklen_t
 #define SOCKET int
 #define INVALID_SOCKET  (-1)
-#ifdef WITH_LINUX_FUTEX
-#define _GNU_SOURCE
-#include 
-#include 
-#include 
-#include 
-#define pthread_mutex_t int
-#define pthread_mutex_init(x, y) (*(x)=0)
-#define pthread_mutex_destroy(x) (*(x)=0)
-#define pthread_mutex_lock(x) mutex_lock(x)
-#define pthread_mutex_unlock(x) mutex_unlock(x)
-int mutex_lock(int *val);
-int mutex_unlock(int *val);
-#else
-#endif
+#define _3proxy_mutex_t pthread_mutex_t
+#define _3proxy_mutex_init(x) pthread_mutex_init(x,NULL)
+#define _3proxy_mutex_destroy pthread_mutex_destroy
+#define _3proxy_mutex_lock pthread_mutex_lock
+#define _3proxy_mutex_unlock pthread_mutex_unlock
 #else
 #include 
-#include 
-#define pthread_mutex_t CRITICAL_SECTION
-#define pthread_mutex_init(x, y) InitializeCriticalSection(x)
-#define pthread_mutex_lock(x) EnterCriticalSection(x)
-#define pthread_mutex_unlock(x) LeaveCriticalSection(x)
-#define pthread_mutex_destroy(x) DeleteCriticalSection(x)
+#include 
+#define _3proxy_mutex_t CRITICAL_SECTION
+#define _3proxy_mutex_init(x) InitializeCriticalSection(x)
+#define _3proxy_mutex_lock(x) EnterCriticalSection(x)
+#define _3proxy_mutex_unlock(x) LeaveCriticalSection(x)
+#define _3proxy_mutex_destroy(x) DeleteCriticalSection(x)
 #ifdef MSVC
 #pragma warning (disable : 4996)
 #endif
@@ -103,6 +96,9 @@ int
 #endif
 #endif
 
+#ifdef WITH_UN
+#include 
+#endif
 
 #define ALLOW		0
 #define DENY		1
@@ -138,25 +134,57 @@ int
 #define DNSRESOLVE	0x00100000
 #define ADMIN		0x01000000
 
+#ifdef NO_UN
+#undef WITH_UN
+#endif
 
 #define SAFAMILY(sa) (&(((struct sockaddr_in *)sa)->sin_family))
 
-#ifndef NOIPV6
-#define SAPORT(sa)  (((struct sockaddr_in *)sa)->sin_family == AF_INET6? &((struct sockaddr_in6 *)sa)->sin6_port : &((struct sockaddr_in *)sa)->sin_port)
-#define SAADDR(sa)  (((struct sockaddr_in *)sa)->sin_family == AF_INET6? (unsigned char *)&((struct sockaddr_in6 *)sa)->sin6_addr : (unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr)
-#define SAADDRLEN(sa) (((struct sockaddr_in *)sa)->sin_family == AF_INET6? 16:4)
-#define SASOCK(sa) (((struct sockaddr_in *)sa)->sin_family == AF_INET6? PF_INET6:PF_INET)
-#define SASIZE(sa) (((struct sockaddr_in *)sa)->sin_family == AF_INET6? sizeof(struct sockaddr_in6):sizeof(struct sockaddr_in))
-#define SAISNULL(sa) (!memcmp(((struct sockaddr_in *)sa)->sin_family == AF_INET6? (unsigned char *)&((struct sockaddr_in6 *)sa)->sin6_addr : (unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr, NULLADDR,  (((struct sockaddr_in *)sa)->sin_family == AF_INET6? 16:4))) 
+#ifdef WITH_UN
+#define	UN_SAPORT(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? (uint16_t *)(((uint8_t *)(sa)) + sizeof(struct sockaddr_storage) - 2) :
+#define	UN_SAADDR(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? (unsigned char *)((struct sockaddr_un *)sa)->sun_path :
+#define	UN_SAADDRLEN(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? (int)sizeof(((struct sockaddr_un *)sa)->sun_path) :
+#define	UN_SASOCK(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? PF_UNIX :
+#define	UN_SASIZE(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? sizeof(struct sockaddr_un) :
+#define	UN_SAISNULL(sa) (((struct sockaddr_un *)sa)->sun_family == AF_UNIX)? (((struct sockaddr_un *)sa)->sun_path[0] == 0 && ((struct sockaddr_un *)sa)->sun_path[1] == 0) :
 #else
-#define SAPORT(sa)  (&((struct sockaddr_in *)sa)->sin_port)
-#define SAADDR(sa)  ((unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr)
-#define SAADDRLEN(sa) (4)
-#define SASOCK(sa) (PF_INET)
-#define SASIZE(sa) (sizeof(struct sockaddr_in))
-#define SAISNULL(sa) (((struct sockaddr_in *)sa)->sin_addr.s_addr == 0) 
+#define UN_SAPORT(sa)
+#define UN_SAADDR(sa)
+#define	UN_SAADDRLEN(sa)
+#define UN_SASOCK(sa)
+#define	UN_SASIZE(sa)
+#define UN_SAISNULL(sa)
 #endif
 
+#ifndef NOIPV6
+#define SAPORT(sa)  ( UN_SAPORT(sa) ((struct sockaddr_in *)sa)->sin_family == AF_INET6? &((struct sockaddr_in6 *)sa)->sin6_port : &((struct sockaddr_in *)sa)->sin_port)
+#define SAADDR(sa)  ( UN_SAADDR(sa) ((struct sockaddr_in *)sa)->sin_family == AF_INET6? (unsigned char *)&((struct sockaddr_in6 *)sa)->sin6_addr : (unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr)
+#define SAADDRLEN(sa) ( UN_SAADDRLEN(sa) ((struct sockaddr_in *)sa)->sin_family == AF_INET6? 16:4)
+#define SASOCK(sa) ( UN_SASOCK(sa) ((struct sockaddr_in *)sa)->sin_family == AF_INET6? PF_INET6:PF_INET)
+#define SASIZE(sa) ( UN_SASIZE(sa) ((struct sockaddr_in *)sa)->sin_family == AF_INET6? sizeof(struct sockaddr_in6):sizeof(struct sockaddr_in))
+#define SAISNULL(sa) ( UN_SAISNULL(sa) !memcmp(((struct sockaddr_in *)sa)->sin_family == AF_INET6? (unsigned char *)&((struct sockaddr_in6 *)sa)->sin6_addr : (unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr, NULLADDR,  (((struct sockaddr_in *)sa)->sin_family == AF_INET6? 16:4))) 
+#else
+#define SAPORT(sa)  ( UN_SAPORT(sa) &((struct sockaddr_in *)sa)->sin_port)
+#define SAADDR(sa)  ( UN_SAADDR(sa) (unsigned char *)&((struct sockaddr_in *)sa)->sin_addr.s_addr)
+#define SAADDRLEN(sa) ( UN_SAADDRLEN(sa) 4)
+#define SASOCK(sa) ( UN_SASOCK(sa) PF_INET)
+#define SASIZE(sa) ( UN_SASIZE(sa) sizeof(struct sockaddr_in))
+#define SAISNULL(sa) ( UN_SAISNULL(sa) ((struct sockaddr_in *)sa)->sin_addr.s_addr == 0) 
+#endif
+
+#ifdef WITH_UN
+#define PROXYSOCKADDRTYPE struct sockaddr_storage
+#else
+#ifndef NOIPv6
+#define PROXYSOCKADDRTYPE struct sockaddr_in6
+#else
+#define PROXYSOCKADDRTYPE struct sockaddr_in
+#endif
+#endif
+
+#define MAX_HASH_SIZE (64)
+#define UDPBUFSIZE 16384
+
 extern char* NULLADDR;
 typedef enum {
 	CLIENT,
@@ -165,10 +193,10 @@ typedef enum {
 
 
 typedef enum {
-	S_NOSERVICE,
+	S_NOSERVICE = 0,
 	S_PROXY,
 	S_TCPPM,
-	S_POP3P,
+	S_POP3P = 3,
 	S_SOCKS4 = 4,	/* =4 */
 	S_SOCKS5 = 5,	/* =5 */
 	S_UDPPM,
@@ -178,11 +206,14 @@ typedef enum {
 	S_DNSPR,
 	S_FTPPR,
 	S_SMTPP,
-	S_REVLI,
-	S_REVCO,
+	S_AUTO,
+	S_TLSPR,
 	S_ZOMBIE
 }PROXYSERVICE;
 
+#define MAX_SERVICE S_ZOMBIE
+
+
 struct clientparam;
 struct node;
 struct symbol;
@@ -192,7 +223,7 @@ struct srvparam;
 typedef void (*LOGFUNC)(struct clientparam * param, const unsigned char *);
 typedef int (*AUTHFUNC)(struct clientparam * param);
 typedef void * (*REDIRECTFUNC)(struct clientparam * param);
-typedef unsigned long (*RESOLVFUNC)(int af, unsigned char *name, unsigned char *value);
+typedef uint32_t (*RESOLVFUNC)(int af, unsigned char *name, unsigned char *value);
 typedef unsigned (*BANDLIMFUNC)(struct clientparam * param, unsigned nbytesin, unsigned nbytesout);
 typedef void (*TRAFCOUNTFUNC)(struct clientparam * param);
 typedef void * (*EXTENDFUNC) (struct node *node);
@@ -224,19 +255,14 @@ struct auth {
 struct iplist {
 	struct iplist *next;
 	int family;
-#ifndef NOIPV6
-	struct in6_addr ip_from;
-	struct in6_addr ip_to;
-#else
-	struct in_addr ip_from;
-	struct in_addr ip_to;
-#endif
+	PROXYSOCKADDRTYPE ip_from;
+	PROXYSOCKADDRTYPE ip_to;
 };
 
 struct portlist {
 	struct portlist * next;
-	unsigned short startport;
-	unsigned short endport;
+	uint16_t startport;
+	uint16_t endport;
 };
 
 struct userlist {
@@ -261,7 +287,7 @@ struct passwords {
 };
 
 typedef enum {
-	R_TCP,
+	R_TCP = 1,
 	R_CONNECT,
 	R_SOCKS4,
 	R_SOCKS5,
@@ -275,17 +301,26 @@ typedef enum {
 	R_SOCKS4B,
 	R_SOCKS5B,
 	R_ADMIN,
-	R_EXTIP
+	R_EXTIP,
+	R_TLS,
+	R_HA,
+	R_DNS
 } REDIRTYPE;
 
+struct redirdesc {
+    REDIRTYPE redir;
+    char * name;
+    void * (*func)(struct clientparam *);
+};
+
+extern struct redirdesc redirs[];
+
+
 struct chain {
 	struct chain * next;
 	int type;
-#ifndef NOIPV6
-	struct sockaddr_in6 addr;
-#else
-	struct sockaddr_in addr;
-#endif
+	int secure;
+	PROXYSOCKADDRTYPE addr;
 	unsigned char * exthost;
 	unsigned char * extuser;
 	unsigned char * extpass;
@@ -366,11 +401,7 @@ struct trafcount {
 };
 
 struct nserver {
-#ifndef NOIPV6
-	struct sockaddr_in6 addr;
-#else
-	struct sockaddr_in addr;
-#endif
+	PROXYSOCKADDRTYPE addr;
 	int usetcp;
 };
 extern int numservers;
@@ -378,7 +409,7 @@ extern int numservers;
 typedef void * (* PROXYFUNC)(struct clientparam *);
 
 typedef enum {
-	PASS,
+	PASS = 0,
 	CONTINUE,
 	HANDLED,
 	REJECT,
@@ -398,6 +429,8 @@ struct filter {
 	FILTER_OPEN *filter_open;
 	FILTER_CLIENT *filter_client;
 	FILTER_BUFFER *filter_request;
+	FILTER_PREDATA *filter_connect;
+	FILTER_PREDATA *filter_afterauth;
 	FILTER_BUFFER *filter_header_cli;
 	FILTER_BUFFER *filter_header_srv;
 	FILTER_PREDATA *filter_predata;
@@ -414,7 +447,69 @@ struct filterp {
 
 #define MAX_FILTERS 16
 
+
+struct sockfuncs {
+	void * state;
+	void (*freefunc)(void* state);
+#ifdef _WIN32
+	SOCKET (WINAPI *_socket)(void* state, int domain, int type, int protocol);
+	SOCKET (WINAPI *_accept)(void* state, SOCKET s, struct sockaddr * addr, int * addrlen);
+	int (WINAPI *_bind)(void* state, SOCKET s, const struct sockaddr *addr, int addrlen);
+	int (WINAPI *_listen)(void* state, SOCKET s, int backlog);
+	int (WINAPI *_connect)(void* state, SOCKET s, const struct sockaddr *name, int namelen);
+	int (WINAPI *_getpeername)(void* state, SOCKET s, struct sockaddr * name, int * namelen);
+	int (WINAPI *_getsockname)(void* state, SOCKET s, struct sockaddr * name, int * namelen);
+   	int (WINAPI *_getsockopt)(void* state, SOCKET s, int level, int optname, char * optval, int * optlen);
+	int (WINAPI *_setsockopt)(void* state, SOCKET s, int level, int optname, const char *optval, int optlen);
+	int (WINAPI *_poll)(void* state, struct pollfd *fds, unsigned int nfds, int timeout);
+	int (WINAPI *_send)(void* state, SOCKET s, const char *msg, int len, int flags);
+	int  (WINAPI *_sendto)(void* state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen);
+	int  (WINAPI *_recv)(void* state, SOCKET s, char *buf, int len, int flags);
+	int  (WINAPI *_recvfrom)(void* state, SOCKET s, char * buf, int len, int flags, struct sockaddr * from, int * fromlen);
+	int (WINAPI *_shutdown)(void* state, SOCKET s, int how);
+	int (WINAPI *_closesocket)(void* state, SOCKET s);
+#else
+	SOCKET (*_socket)(void* state, int domain, int type, int protocol);
+	SOCKET (*_accept)(void* state, SOCKET s, struct sockaddr * addr, socklen_t * addrlen);
+	int (*_bind)(void* state, SOCKET s, const struct sockaddr *addr, socklen_t addrlen);
+	int (*_listen)(void* state, SOCKET s, int backlog);
+	int (*_connect)(void* state, SOCKET s, const struct sockaddr *name, socklen_t namelen);
+	int (*_getpeername)(void* state, SOCKET s, struct sockaddr * name, socklen_t * namelen);
+	int (*_getsockname)(void* state, SOCKET s, struct sockaddr * name, socklen_t * namelen);
+   	int (*_getsockopt)(void* state, SOCKET s, int level, int optname, void * optval, socklen_t * optlen);
+	int (*_setsockopt)(void* state, int s, int level, int optname, const void *optval, socklen_t optlen);
+	int (*_poll)(void* state, struct pollfd *fds, nfds_t nfds, int timeout);
+	ssize_t (*_send)(void* state, SOCKET s, const void *msg, size_t len, int flags);
+	ssize_t (*_sendto)(void* state, SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen);
+	ssize_t (*_recv)(void* state, SOCKET s, void *buf, size_t len, int flags);
+	ssize_t (*_recvfrom)(void* state, SOCKET s, void * buf, size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen);
+	int (*_shutdown)(void* state, SOCKET s, int how);
+	int (*_closesocket)(void* state, SOCKET s);
+#endif
+};
+
+extern struct sockfuncs so;
+
+struct hashtable {
+	void (*index2hash_add)(const struct hashtable *ht, void *index, uint8_t *hash);
+	void (*index2hash_search)(const struct hashtable *ht, void *index, uint8_t *hash);
+	unsigned recsize;
+	unsigned hash_size;
+	unsigned poolsize;
+	unsigned tablesize;
+	unsigned growlimit;
+	uint32_t * ihashtable;
+	uint8_t * hashvalues;
+	uint8_t * hashhashvalues;
+	_3proxy_mutex_t hash_mutex;
+	time_t compacted;
+	uint32_t ihashhashempty;
+	uint32_t ihashempty;
+	uint32_t entropy;
+};
+
 struct srvparam {
+	struct sockfuncs so;
 	struct srvparam *next;
 	struct srvparam *prev;
 	struct clientparam *child;
@@ -425,40 +520,46 @@ struct srvparam {
 	SOCKET srvsock, cbsock;
 	int childcount;
 	int maxchild;
+	int backlog;
 	int paused, version;
-	int singlepacket;
-	int usentlm;
+	int s_option;
 	int needuser;
 	int silent;
 	int transparent;
-	int nfilters, nreqfilters, nhdrfilterscli, nhdrfilterssrv, npredatfilters, ndatfilterscli, ndatfilterssrv;
+	int nfilters, nreqfilters, nconnectfilters, nafterauthfilters, nhdrfilterscli, nhdrfilterssrv, npredatfilters, ndatfilterscli, ndatfilterssrv;
 	int family;
 	int stacksize;
 	int noforce;
 	int anonymous;
 	int clisockopts, srvsockopts, lissockopts, cbcsockopts, cbssockopts;
+	int gracetraf, gracenum, gracedelay;
+	int requirecert;
+	int haproxy;
 #ifdef WITHSPLICE
 	int usesplice;
 #endif
 	unsigned bufsize;
+	unsigned authcachetype, authcachetime;
 	unsigned logdumpsrv, logdumpcli;
+	PROXYSOCKADDRTYPE intsa, intNat, extNat;
 #ifndef NOIPV6
-	struct sockaddr_in6 intsa;
-	struct sockaddr_in6 extsa6;
-	struct sockaddr_in6 extsa;
-	struct sockaddr_in6 extNat;
-#else
-	struct sockaddr_in intsa;
-	struct sockaddr_in extsa;
-	struct sockaddr_in extNat;
+	PROXYSOCKADDRTYPE extsa6;
 #endif
-	pthread_mutex_t counter_mutex;
+	PROXYSOCKADDRTYPE extsa;
+	_3proxy_mutex_t counter_mutex;
 	struct pollfd fds;
 	FILE *stdlog;
 	unsigned char * target;
-#ifdef SO_BINDTODEVICE
+#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
 	char * ibindtodevice;
 	char * obindtodevice;
+#endif
+#ifdef __linux__
+	char * inetns;
+	char * onetns;
+	int saved_nsfd;
+	int i_nsfd;
+	int o_nsfd;
 #endif
 	struct auth *authenticate;
 	struct pollfd * srvfds;
@@ -468,14 +569,18 @@ struct srvparam {
 	unsigned char * logformat;
 	unsigned char * logtarget;
 	unsigned char * nonprintable;
-	unsigned short targetport;
+	uint16_t targetport;
 	unsigned char replace;
 	time_t time_start;
+	unsigned char *udpbuf;
+	unsigned char *udpbuf2;
+	int udplen;
 };
 
 struct clientparam {
 	struct clientparam	*next,
 				*prev;
+	void * sostate;
 	struct srvparam *srv;
 	REDIRECTFUNC redirectfunc;
 	BANDLIMFUNC bandlimfunc;
@@ -483,7 +588,7 @@ struct clientparam {
 
 
 	struct filterp	*filters,
-			**reqfilters,
+			**reqfilters, **connectfilters, **afterauthfilters,
 			**hdrfilterscli, **hdrfilterssrv,
 			**predatfilters, **datfilterscli, **datfilterssrv;
 
@@ -498,18 +603,22 @@ struct clientparam {
 
 	uint64_t	waitclient64,
 			waitserver64,
-			cycles;
+			cycles,
+			threadid;
+	uint8_t hash[MAX_HASH_SIZE];
 
 	int	redirected,
 		operation,
-		nfilters, nreqfilters, nhdrfilterscli, nhdrfilterssrv, npredatfilters, ndatfilterscli, ndatfilterssrv,
+		nfilters,
+		nreqfilters, nconnectfilters, nafterauthfilters,
+		nhdrfilterscli, nhdrfilterssrv,
+		npredatfilters, ndatfilterscli, ndatfilterssrv,
 		unsafefilter,
 		bandlimver;
 
 	int	res,
 		status;
 	int	pwtype,
-		threadid,
 		weight,
 		nolog,
 		nolongdatfilter,
@@ -517,7 +626,9 @@ struct clientparam {
 		transparent,
 		chunked,
 		paused,
-		version;
+		version,
+		connlim,
+		predatdone;
 
 	unsigned char 	*hostname,
 			*username,
@@ -537,11 +648,8 @@ struct clientparam {
 	uint64_t
 			maxtrafin64,
 			maxtrafout64;
-#ifndef NOIPV6
-	struct sockaddr_in6	sincl, sincr, sinsl, sinsr, req;
-#else
-	struct sockaddr_in	sincl, sincr, sinsl, sinsr, req;
-#endif
+	PROXYSOCKADDRTYPE sincl, sincr;
+	PROXYSOCKADDRTYPE	sinsl, sinsr, req;
 
 	uint64_t	statscli64,
 			statssrv64;
@@ -553,6 +661,8 @@ struct clientparam {
 	struct bandlim	*bandlims[MAXBANDLIMS],
 			*bandlimsout[MAXBANDLIMS];
 
+	PROXYSOCKADDRTYPE udp_relay[3];
+	int udp_nhops;
 	time_t time_start;
 };
 
@@ -564,7 +674,12 @@ struct filemon {
 
 
 struct extparam {
-	int timeouts[12];
+#ifdef _WIN32
+	HANDLE threadinit;
+#else
+	_3proxy_mutex_t threadinit;
+#endif
+	int *timeouts;
 	struct ace * acl;
 	char * conffile;
 	struct bandlim * bandlimiter,  *bandlimiterout;
@@ -572,21 +687,20 @@ struct extparam {
 	struct trafcount * trafcounter;
 	struct srvparam *services;
 	int stacksize,
-		threadinit, counterd, haveerror, rotate, paused, archiverc,
-		demon, maxchild, needreload, timetoexit, version, noforce, bandlimver, parentretries;
-	int authcachetype, authcachetime;
+		counterd, haveerror, rotate, paused, archiverc,
+		demon, maxchild, backlog, needreload, timetoexit, version, noforce, bandlimver, parentretries;
+	unsigned authcachetype, authcachetime;
 	int filtermaxsize;
+	int gracetraf, gracenum, gracedelay;
+	int maxseg;
 	unsigned char *logname, **archiver;
 	ROTATION logtype, countertype;
 	char * counterfile;
+	PROXYSOCKADDRTYPE intsa;
 #ifndef NOIPV6
-	struct sockaddr_in6 intsa;
-	struct sockaddr_in6 extsa6;
-	struct sockaddr_in6 extsa;
-#else
-	struct sockaddr_in intsa;
-	struct sockaddr_in extsa;
+	PROXYSOCKADDRTYPE extsa6;
 #endif
+	PROXYSOCKADDRTYPE extsa;
 	struct passwords *pwl;
 	struct auth * authenticate;
 	AUTHFUNC authfunc;
@@ -606,7 +720,6 @@ struct extparam {
 };
 
 struct property {
-	struct property * next;
 	char * name;
 	EXTENDFUNC e_f;
 	int type;
@@ -618,6 +731,7 @@ struct datatype {
 	EXTENDFUNC i_f;
 	PRINTFUNC p_f;
 	struct property * properties;
+	unsigned properties_count;
 };
 
 struct node {
@@ -651,7 +765,7 @@ struct symbol {
 
 struct proxydef {
 	PROXYFUNC pf;
-	unsigned short port;
+	uint16_t port;
 	int isudp;
 	int service;
 	char * helpmessage;
@@ -664,64 +778,26 @@ struct child {
 	unsigned char **argv;
 };
 
-struct hashentry {
-	unsigned char hash[sizeof(unsigned)*4];
-	time_t expires;
-	struct hashentry *next;
-	char value[4];
-};
-
-struct hashtable {
-	unsigned hashsize;
-	unsigned recsize;
-	unsigned rnd[4];
-	struct hashentry ** hashtable;
-	void * hashvalues;
-	struct hashentry * hashempty;
-};
 
 extern struct hashtable dns_table;
 extern struct hashtable dns6_table;
+extern struct hashtable auth_table;
+extern struct hashtable pwl_table;
+extern struct hashtable udp_table;
 
-struct sockfuncs {
-#ifdef _WIN32
-	SOCKET (WINAPI *_socket)(int domain, int type, int protocol);
-	SOCKET (WINAPI *_accept)(SOCKET s, struct sockaddr * addr, int * addrlen);
-	int (WINAPI *_bind)(SOCKET s, const struct sockaddr *addr, int addrlen);
-	int (WINAPI *_listen)(SOCKET s, int backlog);
-	int (WINAPI *_connect)(SOCKET s, const struct sockaddr *name, int namelen);
-	int (WINAPI *_getpeername)(SOCKET s, struct sockaddr * name, int * namelen);
-	int (WINAPI *_getsockname)(SOCKET s, struct sockaddr * name, int * namelen);
-   	int (WINAPI *_getsockopt)(SOCKET s, int level, int optname, char * optval, int * optlen);
-	int (WINAPI *_setsockopt)(SOCKET s, int level, int optname, const char *optval, int optlen);
-	int (WINAPI *_poll)(struct pollfd *fds, unsigned int nfds, int timeout);
-	int (WINAPI *_send)(SOCKET s, const char *msg, int len, int flags);
-	int  (WINAPI *_sendto)(SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen);
-	int  (WINAPI *_recv)(SOCKET s, char *buf, int len, int flags);
-	int  (WINAPI *_recvfrom)(SOCKET s, char * buf, int len, int flags, struct sockaddr * from, int * fromlen);
-	int (WINAPI *_shutdown)(SOCKET s, int how);
-	int (WINAPI *_closesocket)(SOCKET s);
+struct authcache {
+        unsigned char username[64];
+#ifndef NOIPv6
+        uint8_t sincr_addr[16];
+        uint8_t sinsl_addr[16];
 #else
-	SOCKET (*_socket)(int domain, int type, int protocol);
-	SOCKET (*_accept)(SOCKET s, struct sockaddr * addr, socklen_t * addrlen);
-	int (*_bind)(SOCKET s, const struct sockaddr *addr, socklen_t addrlen);
-	int (*_listen)(SOCKET s, int backlog);
-	int (*_connect)(SOCKET s, const struct sockaddr *name, socklen_t namelen);
-	int (*_getpeername)(SOCKET s, struct sockaddr * name, socklen_t * namelen);
-	int (*_getsockname)(SOCKET s, struct sockaddr * name, socklen_t * namelen);
-   	int (*_getsockopt)(SOCKET s, int level, int optname, void * optval, socklen_t * optlen);
-	int (*_setsockopt)(int s, int level, int optname, const void *optval, socklen_t optlen);
-	int (*_poll)(struct pollfd *fds, unsigned int nfds, int timeout);
-	size_t (*_send)(SOCKET s, const void *msg, size_t len, int flags);
-	size_t (*_sendto)(SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen);
-	size_t (*_recv)(SOCKET s, void *buf, size_t len, int flags);
-	size_t (*_recvfrom)(SOCKET s, void * buf, size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen);
-	int (*_shutdown)(SOCKET s, int how);
-	int (*_closesocket)(SOCKET s);
+        uint8_t sincr_addr[4];
+        uint8_t sinsl_addr[4];
 #endif
+        uint16_t sincr_family;
+        uint16_t sinsl_family;
 };
 
-extern struct sockfuncs so;
 struct pluginlink {
 	struct symbol symbols;
 	struct extparam *conf;
@@ -730,23 +806,21 @@ struct pluginlink {
 	struct auth *authfuncs;
 	struct commands * commandhandlers;
 	void * (*findbyname)(const char *name);
-	int (*socksend)(SOCKET sock, unsigned char * buf, int bufsize, int to);
-	int (*socksendto)(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
-	int (*sockrecvfrom)(SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
+	int (*socksend)(struct clientparam *param, SOCKET sock, unsigned char * buf, int bufsize, int to);
+	int (*socksendto)(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
+	int (*sockrecvfrom)(struct clientparam *param, SOCKET sock, struct sockaddr * sin, unsigned char * buf, int bufsize, int to);
 	int (*sockgetcharcli)(struct clientparam * param, int timeosec, int timeousec);
 	int (*sockgetcharsrv)(struct clientparam * param, int timeosec, int timeousec);
 	int (*sockgetlinebuf)(struct clientparam * param, DIRECTION which, unsigned char * buf, int bufsize, int delim, int to);
 	int (*myinet_ntop)(int af, void *src, char *dst, socklen_t size);
 	int (*dobuf)(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec);
 	int (*dobuf2)(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec, struct tm* tm, char * format);
-	int (*scanaddr)(const unsigned char *s, unsigned long * ip, unsigned long * mask);
-	unsigned long (*getip46)(int family, unsigned char *name,  struct sockaddr *sa);
+	int (*scanaddr)(const unsigned char *s, uint32_t * ip, uint32_t * mask);
+	uint32_t (*getip46)(int family, unsigned char *name,  struct sockaddr *sa);
 	int (*sockmap)(struct clientparam * param, int timeo, int usesplice);
 	int (*ACLMatches)(struct ace* acentry, struct clientparam * param);
 	int (*alwaysauth)(struct clientparam * param);
 	int (*checkACL)(struct clientparam * param);
-	void (*nametohash)(const unsigned char * name, unsigned char *hash);
-	unsigned (*hashindex)(const unsigned char* hash);
 	unsigned char* (*en64)(const unsigned char *in, unsigned char *out, int inlen);
 	int (*de64)(const unsigned char *in, unsigned char *out, int maxlen);
 	void (*tohex)(unsigned char *in, unsigned char *out, int len);
@@ -766,9 +840,9 @@ struct pluginlink {
 	struct proxydef * childdef;
 	int (*start_proxy_thread)(struct child * chp);
 	void (*freeparam)(struct clientparam * param);
-	int (*parsehostname)(char *hostname, struct clientparam *param, unsigned short port);
+	int (*parsehostname)(char *hostname, struct clientparam *param, uint16_t port);
 	int (*parseusername)(char *username, struct clientparam *param, int extpasswd);
-	int (*parseconnusername)(char *username, struct clientparam *param, int extpasswd, unsigned short port);
+	int (*parseconnusername)(char *username, struct clientparam *param, int extpasswd, uint16_t port);
 	struct sockfuncs *so;
 	unsigned char * (*dologname) (unsigned char *buf, unsigned char *name, const unsigned char *ext, ROTATION lt, time_t t);
 };
@@ -827,7 +901,9 @@ typedef enum {
 	TYPE_WEEKDAYS,
 	TYPE_TIME,
 	TYPE_PERIOD,
-	TYPE_SERVER
+	TYPE_SERVER,
+	TYPE_PASSWORD,
+	TYPE_HOSTNAME
 }DATA_TYPE;
 
 #ifdef  __cplusplus
diff --git a/src/tcppm.c b/src/tcppm.c
index a53cd65..3aa6929 100644
--- a/src/tcppm.c
+++ b/src/tcppm.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -16,10 +16,33 @@
 void * tcppmchild(struct clientparam* param) {
  int res;
 
- if(!param->hostname && parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport))) RETURN(100);
+ if(!param->hostname){ 
+#ifdef WITH_UN
+    if(!strncmp((char *)param->srv->target, "unix:", 5)){
+	make_un(param->srv->target + 5, (struct sockaddr_un *)¶m->sinsr);
+	make_un(param->srv->target + 5, (struct sockaddr_un *)¶m->req);
+	param->hostname = (unsigned char *)strdup((char *)param->srv->target);
+    } else
+#endif
+    if(
+	parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport))
+    ) RETURN(100);
+ }
  param->operation = CONNECT;
  res = (*param->srv->authfunc)(param);
  if(res) {RETURN(res);}
+ if (param->npredatfilters){
+	int action;
+        action = handlepredatflt(param);
+        if(action == HANDLED){
+                RETURN(0);
+        }
+        if(action != PASS) RETURN(19);
+ }
+ if(param->redirectfunc){
+    return (*param->redirectfunc)(param);
+ }
+
  RETURN (mapsocket(param, conf.timeouts[CONNECTION_L]));
 CLEANRET:
  
diff --git a/src/tlspr.c b/src/tlspr.c
new file mode 100644
index 0000000..45f7966
--- /dev/null
+++ b/src/tlspr.c
@@ -0,0 +1,300 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+#ifndef PORTMAP
+#define PORTMAP
+#endif
+#define RETURN(xxx) { param->res = xxx; goto CLEANRET; }
+
+unsigned size16(unsigned char *buf){
+    unsigned res;
+    res = (((unsigned)buf[0]) << 8) + +buf[1];
+    return res;
+}
+
+int readtls(struct clientparam *param, int direction, unsigned char *buf, int bufsize){
+    int res = 0;
+    int len;
+    
+    if(bufsize < 3) return -1;
+    res = sockgetlinebuf(param, direction, buf, 3, EOF, conf.timeouts[STRING_S]);
+    if(res !=3 || buf[0] != 22 || buf[1] != 3) return -2;
+    len = size16(buf+3);
+    if((len+3) > bufsize) return -3;
+    res = sockgetlinebuf(param, direction, buf+3, len, EOF, conf.timeouts[STRING_S]);
+    if(res != len) return -4;
+    return len+3;
+}
+
+#define BSIZE (4096)
+#define SNILEN (256)
+#define PROTOLEN (32)
+
+
+int parsehello(int type, unsigned char *hello, unsigned len, char *sni, int * snipos, int *lv, char * proto){
+    unsigned offset;
+    unsigned hlen, slen, cslen, elen, snllen, snlen, alpnlen;
+    int snifound=0;
+    
+    if(len < 64) return -1;
+    if(hello[5] != type) return -2;
+    if(hello[6] != 0) return -3;
+    hlen = size16(hello+7);
+    if((hlen+9) != len) return -4;
+    offset = 9;
+    if(hello[offset] != 3) return -5;
+    *lv = hello[offset+1];
+    offset += 34;
+    slen = hello[offset];
+    if((offset + slen + 3) > len) return -6;
+    offset += (slen+1);
+    if(type == 1){
+	cslen = size16(hello+offset);
+        if((offset + cslen + 3) > len) return -7;
+	offset += (cslen+2);
+	cslen = hello[offset];
+	if((offset + cslen + 3) > len) return -8;
+	offset += (cslen+1);
+    }
+    else if(type == 2){
+	offset += 3;
+    }
+    elen = size16(hello+offset);
+    offset += 2;
+    if(elen+offset != len) return -9;
+    while(elen > 1){
+	unsigned xlen;
+	xlen = size16(hello+offset+2);
+	if(xlen+4 > elen) return -10;
+	if(type == 1 && hello[offset] == 0 && hello[offset+1] == 0){
+	    snllen=size16(hello+offset+4);
+	    if(snllen>3){
+		if(snllen+2 != xlen) return -12;
+		if(hello[offset+6] != 0) return -13;
+		snlen=size16(hello+offset+7);
+		if(snlen + 3 > snllen) return -14;
+		if(snlen+1 > SNILEN) return -15;
+		memcpy(sni, hello + offset + 9, snlen);
+		*snipos = offset + 9;
+		sni[snlen] = 0;
+		snifound = snlen;
+	    }
+	}
+	else if(hello[offset] == 0 && hello[offset+1] == 43){
+	    if(xlen>2){
+    		*lv = hello[offset+6];
+	    }
+	    else if(xlen==2){
+    		*lv = hello[offset+5];
+	    }
+	}
+	else if(hello[offset] == 0 && hello[offset+1] == 16){
+	    alpnlen=hello[offset+6];
+	    if(alpnlen+7>elen) return -16;
+	    if(alpnlen+1>PROTOLEN) return -17;
+	    memcpy(proto, hello+offset+7, alpnlen);
+	    proto[alpnlen] = 0;
+	}
+	offset += (xlen+4);
+	elen -= (xlen+4);
+    }
+    return snifound;
+}
+
+int tlstobufcli(struct clientparam *param){
+    unsigned long  len, newlen;
+    if(!param->clibuf){
+	if(!(param->clibuf = malloc(SRVBUFSIZE))) return -1;
+        param->clibufsize = SRVBUFSIZE;
+	param->clioffset = param->cliinbuf = 0;
+    }
+    if(param->srvinbuf != param->srvoffset){
+	len = socksend(param, param->clisock, param->srvbuf+param->srvoffset,param->srvinbuf-param->srvoffset, conf.timeouts[STRING_S]);
+	if(len != param->srvinbuf-param->srvoffset){
+	    return -2;
+	}
+	param->srvinbuf = param->srvoffset = 0;
+    }
+    len = sockfillbuffcli(param, 5, conf.timeouts[STRING_S]);
+    if(len < 5) return -2;
+    if(param->clibuf[1] != 3) {
+	return -3;
+    }
+    else {
+	len = 5 + size16(param->clibuf+3);
+        if(len > param->clibufsize) return -4;
+	for(newlen=param->cliinbuf; newlen < len; newlen=param->cliinbuf){
+	    sockfillbuffcli(param, len, conf.timeouts[STRING_S]);
+	    if(param->cliinbuf <= newlen) return -5;
+	}
+    }
+    return (int)len;
+}
+
+int tlstobufsrv(struct clientparam *param){
+    unsigned long len, newlen;
+
+    if(param->cliinbuf != param->clioffset){
+	len = socksend(param, param->remsock, param->clibuf+param->clioffset,param->cliinbuf-param->clioffset, conf.timeouts[STRING_S]);
+	if(len != param->cliinbuf-param->clioffset){
+	    return -1;
+	}
+	param->cliinbuf = param->clioffset = 0;
+    }
+    if(!param->srvbuf){
+        if(!(param->srvbuf = malloc(SRVBUFSIZE))) return -1;
+	param->srvbufsize = SRVBUFSIZE;
+	param->srvoffset = param->srvinbuf = 0;
+    }
+    len = sockfillbuffsrv(param, 5, conf.timeouts[STRING_S]);
+    if(len < 5) return -3;
+    if(param->srvbuf[1] != 3) {
+	return -4;
+    }
+    else {
+	len = 5 + size16(param->srvbuf+3);
+	if(len > param->srvbufsize) return -5;
+	for(newlen=param->srvinbuf; newlen < len; newlen=param->srvinbuf){
+	    sockfillbuffsrv(param, len, conf.timeouts[STRING_S]);
+	    if(param->srvinbuf <= newlen) return -6;
+	}
+    }
+    return (int)len;
+}
+
+void * tlsprchild(struct clientparam* param) {
+ int res;
+ char sni[SNILEN];
+ char req[SNILEN+PROTOLEN+16];
+ int lv=-1;
+ char proto[PROTOLEN]="-";
+ int snipos = 0;
+ 
+ res = tlstobufcli(param);
+ if(res <= 0 || param->clibuf[0] != 22){
+     if(param->srv->requirecert)RETURN(300-res);
+ }
+ else {
+    lv = param->clibuf[2];
+    res = parsehello(1, param->clibuf, (unsigned)res, sni, &snipos, &lv, proto);
+    if(res > 0){
+	if(param->hostname){
+	    free(param->hostname);
+	    param->hostname = NULL;
+	}
+	else if (parsehostname(sni, param, param->srv->targetport? ntohs(param->srv->targetport):443)) RETURN (100);
+	if (!param->hostname)param->hostname = (unsigned char *)strdup(sni);
+	if(param->srv->s_option && snipos && res > 1){
+	    int len;
+	    
+	    len = socksend(param, param->remsock, param->clibuf+param->clioffset,snipos + (res/2), conf.timeouts[STRING_S]);
+	    if(len != snipos + (res/2)){
+		RETURN(310);
+	    }
+	    param->clioffset += snipos + (res/2);
+
+	}
+    }
+    else if (res < 0 && param->srv->requirecert) RETURN(310-res);
+ }
+ param->operation = CONNECT;
+ param->redirectfunc = NULL;
+ res = (*param->srv->authfunc)(param);
+ if(res) {RETURN(res);}
+ if (param->npredatfilters){
+	int action;
+        action = handlepredatflt(param);
+        if(action == HANDLED){
+                RETURN(0);
+        }
+        if(action != PASS) RETURN(19);
+ }
+ if(param->redirectfunc && param->redirectfunc != tlsprchild){
+    return (*param->redirectfunc)(param);
+ }
+ 
+ if(param->srv->requirecert > 1){
+    res = tlstobufsrv(param);
+    if(res <= 0 || param->srvbuf[0] != 22) RETURN(340-res);
+    lv = param->srvbuf[2];
+    res = parsehello(2, param->srvbuf, (unsigned)res, sni, &snipos, &lv, proto);
+    if (res < 0) RETURN(350-res);
+ }
+ if(param->srv->requirecert > 2){
+    int srvcert=0, clicert=0, reqcert=0, len, done;
+    if(lv > 3) RETURN(370);
+    for(done=0;!done;) {
+	len = param->srvinbuf;
+	if(socksend(param, param->clisock, param->srvbuf,len, conf.timeouts[STRING_S]) != len) RETURN(371);
+	param->srvinbuf = 0;
+	res = tlstobufsrv(param);
+	if(res <= 0) RETURN(380-res);
+	if(param->srvbuf[0]!= 22) break;
+	switch(param->srvbuf[5]){
+	    case 11:
+		/* process server certificates here */
+		if(param->srvbuf[6]||param->srvbuf[7]||param->srvbuf[8]>64) srvcert = 1;
+		break;
+	    case 13:
+		reqcert = 1;
+		break;
+	    case 14:
+		done = 1;
+		break;
+	    default:
+		break;
+	}
+    }
+    if(!srvcert) RETURN(373);
+    if(param->srv->requirecert > 3){
+	if(!reqcert) RETURN(374);
+    	for(done=0;!done;) {
+	    res = tlstobufcli(param);
+	    if(res <= 0) RETURN(390-res);
+	    len = res;
+	    if(param->clibuf[0]!= 22) break;
+	    switch(param->clibuf[5]){
+		case 11:
+		    /* process client certificates here */
+		    if(param->clibuf[6]||param->clibuf[7]||param->clibuf[8]>64)clicert = 1;
+		    break;
+		case 14:
+		    done = 1;
+		    break;
+		default:
+		    break;
+	    }
+	    if(done) break;
+	    if(socksend(param, param->remsock, param->clibuf,len, conf.timeouts[STRING_S]) != len) RETURN(375);
+	    param->cliinbuf = 0;
+	}
+	if(!clicert) RETURN(375);
+    }
+ }
+
+ RETURN (mapsocket(param, conf.timeouts[CONNECTION_L]));
+CLEANRET:
+ 
+ sprintf(req, "%sv%d.%d %s %s", lv<0?"NONE":lv?"TLS":"SSL", lv<0?0:lv?1:3, lv<0?0:lv?lv-1:0, param->hostname?(char *)param->hostname:"-", proto);
+ dolog(param, (unsigned char *)req);
+ freeparam(param);
+ return (NULL);
+}
+
+#ifdef WITHMAIN
+struct proxydef childdef = {
+	tlsprchild,
+	1443,
+	0,
+	S_TLSPR,
+	""
+};
+#include "proxymain.c"
+#endif
diff --git a/src/udppm.c b/src/udppm.c
index 4b252ef..dacdd7c 100644
--- a/src/udppm.c
+++ b/src/udppm.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -17,92 +17,74 @@
 #define RETURN(xxx) { param->res = xxx; goto CLEANRET; }
 
 
-struct udpmap {
-	struct udpmap *next;
-	time_t updated;
-	SOCKET s;
-	int single;
-	unsigned long cliip;
-	unsigned short cliport;
-};
+static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    uint32_t m1, m2;
+    m1 = murmurhash3(SAADDR(¶m->srv->intsa), SAADDRLEN(¶m->srv->intsa), 0x3a3a3a3a);
+    m1 = murmurhash3(SAPORT(¶m->sincr), 2, m1);
+    m2 = murmurhash3(SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr), m1);
+    m2 = murmurhash3(SAPORT(¶m->srv->intsa), 2, m2);
+    memcpy(hash, &m1, 4);
+    memcpy(hash+4, &m2, 4);
+}
 
+struct hashtable udp_table =  {udpparam2hash, udpparam2hash, sizeof(struct clientparam *), 8};
+int socks5_udp_build_hdr(unsigned char *buf, PROXYSOCKADDRTYPE *addr);
 
 void * udppmchild(struct clientparam* param) {
- unsigned char *buf = NULL;
- int res, i;
-#ifdef _WIN32
- SASIZETYPE size;
- unsigned long ul = 1;
-#endif
- struct udpmap *udpmappings = NULL;
- struct pollfd fds[256];
+	int authres;
+	int i;
+	int len = 0;
 
-
- if(!param->hostname && parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport))) RETURN(100);
- if (SAISNULL(¶m->req)) {
-	param->srv->fds.events = POLLIN;
-	RETURN (100);
- }
- if(!param->clibuf && (!(param->clibuf=myalloc(UDPBUFSIZE)) || !(param->clibufsize = UDPBUFSIZE))){
-	param->srv->fds.events = POLLIN;
-	RETURN (21);
- }
- param->cliinbuf = param->clioffset = 0;
- i = sockrecvfrom(param->srv->srvsock, (struct sockaddr *)¶m->sincr, param->clibuf, param->clibufsize, 0);
- if(i<=0){
-	param->srv->fds.events = POLLIN;
-	RETURN (214);
- }
- param->cliinbuf = i;
-
-#ifdef _WIN32
-	if((param->clisock=so._socket(SASOCK(¶m->sincr), SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
-		RETURN(818);
-	}
-	if(so._setsockopt(param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
-	ioctlsocket(param->clisock, FIONBIO, &ul);
-	size = sizeof(param->sinsl);
-	if(so._getsockname(param->srv->srvsock, (struct sockaddr *)¶m->sinsl, &size)) {RETURN(21);};
-	if(so._bind(param->clisock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {
-		RETURN(822);
-	}
-#else
-	param->clisock = param->srv->srvsock;
-#endif
+	if(parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport))) { RETURN(201) }
 
 #ifndef NOIPV6
- memcpy(¶m->sinsl, *SAFAMILY(¶m->req) == AF_INET? (struct sockaddr *)¶m->srv->extsa : (struct sockaddr *)¶m->srv->extsa6, SASIZE(¶m->req));
+	memcpy(¶m->sinsl, *SAFAMILY(¶m->req) == AF_INET6 ? (struct sockaddr *)¶m->srv->extsa6 : (struct sockaddr *)¶m->srv->extsa, SASIZE(¶m->req));
 #else
- memcpy(¶m->sinsl, ¶m->srv->extsa, SASIZE(¶m->req));
+	memcpy(¶m->sinsl, (struct sockaddr *)¶m->srv->extsa, SASIZE(¶m->req));
 #endif
- *SAPORT(¶m->sinsl) = 0;
- if ((param->remsock=so._socket(SASOCK(¶m->sinsl), SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
- if(so._bind(param->remsock,(struct sockaddr *)¶m->sinsl,SASIZE(¶m->sinsl))) {RETURN (12);}
+	*SAPORT(¶m->sinsl) = 0;
+	param->remsock = param->srv->so._socket(param->srv->so.state, SASOCK(¶m->sinsl), SOCK_DGRAM, IPPROTO_UDP);
+	if(param->remsock == INVALID_SOCKET) { RETURN(202); }
+	if(param->srv->so._bind(param->srv->so.state, param->remsock, (struct sockaddr *)¶m->sinsl, SASIZE(¶m->sinsl))) { RETURN(203); }
 #ifdef _WIN32
-	ioctlsocket(param->remsock, FIONBIO, &ul);
+	{ unsigned long ul2 = 1; ioctlsocket(param->remsock, FIONBIO, &ul2); }
 #else
-	fcntl(param->remsock,F_SETFL,O_NONBLOCK | fcntl(param->remsock,F_GETFL));
+	fcntl(param->remsock, F_SETFL, O_NONBLOCK | fcntl(param->remsock, F_GETFL));
 #endif
- memcpy(¶m->sinsr, ¶m->req, sizeof(param->req));
-
- param->operation = UDPASSOC;
- if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
- if(param->srv->singlepacket) {
-	param->srv->fds.events = POLLIN;
- }
-
- param->res = mapsocket(param, conf.timeouts[(param->srv->singlepacket)?SINGLEBYTE_L:STRING_L]);
- if(!param->srv->singlepacket) {
-	param->srv->fds.events = POLLIN;
- }
+	memcpy(¶m->sinsr, ¶m->req, sizeof(param->req));
+	param->operation = UDPASSOC;
+	authres = (*param->srv->authfunc)(param);
+	if(authres) { RETURN(authres); }
+	if(!param->srv->s_option)hashadd(&udp_table, param, ¶m, MAX_COUNTER_TIME);
+	if(!param->srvbuf){
+	    if(!(param->srvbuf = malloc(UDPBUFSIZE)))RETURN(11);
+	    param->srvbufsize = UDPBUFSIZE;
+	}
+	if(param->udp_nhops){
+	    for(i=1; i < param->udp_nhops; i++){
+		len+=socks5_udp_build_hdr(param->srvbuf+len, ¶m->udp_relay[i-1]);
+	    }
+	    len += socks5_udp_build_hdr(param->srvbuf+len, ¶m->req);
+	}
+	memcpy(param->srvbuf+len, param->srv->udpbuf, param->srv->udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : param->srv->udplen);
+	len += param->srv->udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : param->srv->udplen;
+	param->srv->so._sendto(param->sostate, param->remsock, (char *)param->srvbuf, len, 0, (struct sockaddr *)¶m->sinsr, SASIZE(¶m->sinsr));
+	_3proxy_sem_unlock(udpinit);
+	param->statscli64 += param->srvinbuf;
+	param->srvinbuf = 0;
+	param->nwrites++;
+	param->clisock = param->srv->srvsock;
+	param->waitserver64 = 0x7fffffffffffffff;
+	param->res = udpsockmap(param, conf.timeouts[STRING_L]);
+	_3proxy_sem_lock(udpinit);
+	if(!param->srv->s_option)hashdelete(&udp_table, param);
 
 CLEANRET:
 
- if(buf)myfree(buf);
+ _3proxy_sem_unlock(udpinit);
  dolog(param, NULL);
-#ifndef _WIN32
  param->clisock = INVALID_SOCKET;
-#endif
  freeparam(param);
  return (NULL);
 }
diff --git a/src/udpsockmap.c b/src/udpsockmap.c
new file mode 100644
index 0000000..5e8e30a
--- /dev/null
+++ b/src/udpsockmap.c
@@ -0,0 +1,223 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int socks5_udp_build_hdr(unsigned char *buf, PROXYSOCKADDRTYPE *addr)
+{
+	buf[0] = buf[1] = buf[2] = 0;
+	buf[3] = (*SAFAMILY(addr) == AF_INET) ? 1 : 4;
+	memcpy(buf + 4, SAADDR(addr), SAADDRLEN(addr));
+	memcpy(buf + 4 + SAADDRLEN(addr), SAPORT(addr), 2);
+	return 4 + SAADDRLEN(addr) + 2;
+}
+
+static int socks5_udp_skip_hdr(unsigned char *buf, int len)
+{
+	int addr_len;
+	if (len < 4) return -1;
+	switch (buf[3]) {
+	case 1: addr_len = 4;  break;
+	case 4: addr_len = 16; break;
+	case 3:
+		if (len < 5) return -1;
+		addr_len = 1 + (unsigned char)buf[4];
+		break;
+	default: return -1;
+	}
+	int off = 4 + addr_len + 2;
+	return (off <= len) ? off : -1;
+}
+
+/*
+ * udpsockmap: bidirectional UDP relay.
+ *
+ * param->udp_nhops selects the relay mode:
+ *    0  direct SOCKS5 relay (strip/add headers)
+ *    1  one parent SOCKS5 proxy (pass datagrams unchanged)
+ *    2  two parent proxies (prepend 1 header / strip 1 header)
+ *    3  three parent proxies (prepend 2 headers / strip 2 headers)
+ *
+ * param->waitserver64   non-zero: skip client socket polling (server→client only)
+ * param->srv->s_option non-zero: return after first datagram sent to client
+ * param->ctrlsock    TCP control socket from the client; INVALID_SOCKET if none.
+ */
+int udpsockmap(struct clientparam *param, int timeo)
+{
+	PROXYSOCKADDRTYPE sin;
+	PROXYSOCKADDRTYPE from;
+	struct pollfd fds[4];
+	SASIZETYPE sasize;
+	int len, res, nfds;
+	int nhops = param->udp_nhops;
+	int clisock_idx = -1, ctrlsock_idx = -1, ctrlsocksrv_idx = -1;
+	int firstpacket = 1;
+	
+	if(param->srv->service == S_UDPPM) nhops++;
+	if (param->srvbufsize < UDPBUFSIZE) {
+		unsigned char *newbuf = realloc(param->srvbuf, UDPBUFSIZE);
+		if (!newbuf) return 21;
+		param->srvbuf = newbuf;
+		param->srvbufsize = UDPBUFSIZE;
+	}
+	sin = param->sincr;
+
+	/* Build poll array once — sockets don't change across iterations */
+	nfds = 0;
+	fds[nfds].fd = param->remsock;    /* always index 0 */
+	fds[nfds].events = POLLIN;
+	nfds++;
+
+	if (!param->waitserver64) {
+		fds[nfds].fd = param->clisock;
+		fds[nfds].events = POLLIN;
+		clisock_idx = nfds++;
+	}
+
+	if (param->ctrlsock != INVALID_SOCKET) {
+		fds[nfds].fd = param->ctrlsock;
+		fds[nfds].events = POLLIN;
+		ctrlsock_idx = nfds++;
+	}
+
+	if (param->ctrlsocksrv != INVALID_SOCKET) {
+		fds[nfds].fd = param->ctrlsocksrv;
+		fds[nfds].events = POLLIN;
+		ctrlsocksrv_idx = nfds++;
+	}
+
+	for (;;) {
+		res = param->srv->so._poll(param->sostate, fds, nfds, timeo * 1000);
+		if (res < 0) return 481;
+		if (res == 0) return 92;
+
+		/* datagram from client */
+		if (clisock_idx >= 0 && fds[clisock_idx].revents) {
+			int recvoff = 0, k;
+			sasize = sizeof(sin);
+			for (k = 1; k < nhops; k++)
+				recvoff += 4 + (int)SAADDRLEN(¶m->udp_relay[k]) + 2;
+			len = param->srv->so._recvfrom(param->sostate, param->clisock,
+				(char *)param->srvbuf + recvoff, UDPBUFSIZE - recvoff,
+				0, (struct sockaddr *)&sin, &sasize);
+			if (len <= 0) return 482;
+
+			if (SAADDRLEN(&sin) != SAADDRLEN(¶m->sincr) ||
+			    memcmp(SAADDR(&sin), SAADDR(¶m->sincr), SAADDRLEN(&sin)))
+				continue;
+			if (firstpacket) {
+				if (!SAISNULL(¶m->req) && *SAPORT(¶m->req) &&
+				    SAADDRLEN(¶m->req) == SAADDRLEN(&sin) &&
+				    !memcmp(SAADDR(¶m->req), SAADDR(&sin), SAADDRLEN(¶m->req)) &&
+				    memcmp(SAPORT(¶m->req), SAPORT(&sin), 2))
+					continue;
+				param->sincr = sin;
+				firstpacket = 0;
+			} else if (memcmp(SAPORT(&sin), SAPORT(¶m->sincr), 2)) {
+				continue;
+			}
+
+			if (nhops == 0) {
+				int i;
+				if (len < 10 || param->srvbuf[0] || param->srvbuf[1] || param->srvbuf[2])
+					return 483;
+				switch (param->srvbuf[3]) {
+				case 1:
+					*SAFAMILY(¶m->sinsr) = AF_INET;
+					memcpy(SAADDR(¶m->sinsr), param->srvbuf + 4, 4);
+					i = 8;
+					break;
+				case 4:
+					if (len < 22) return 484;
+					*SAFAMILY(¶m->sinsr) = AF_INET6;
+					memcpy(SAADDR(¶m->sinsr), param->srvbuf + 4, 16);
+					i = 20;
+					break;
+				case 3: {
+					int sz = param->srvbuf[4], j;
+					if (len < 7 + sz) return 485;
+					for (j = 4; j < 4 + sz; j++) param->srvbuf[j] = param->srvbuf[j + 1];
+					param->srvbuf[4 + sz] = 0;
+					i = 5 + sz;
+					if (!getip46(param->srv->family, param->srvbuf + 4,
+					             (struct sockaddr *)¶m->sinsr))
+						return 100;
+					break;
+				}
+				default: return 997;
+				}
+				memcpy(SAPORT(¶m->sinsr), param->srvbuf + i, 2);
+				i += 2;
+				if (len > i) {
+					param->srv->so._sendto(param->sostate, param->remsock,
+					           (char *)param->srvbuf + i, len - i, 0,
+					           (struct sockaddr *)¶m->sinsr, SASIZE(¶m->sinsr));
+					param->statscli64 += (len - i);
+					param->nwrites++;
+				}
+			} else {
+				int off = 0;
+				for (k = 1; k < nhops; k++)
+					off += socks5_udp_build_hdr(param->srvbuf + off, ¶m->udp_relay[k]);
+				param->srv->so._sendto(param->sostate, param->remsock,
+				           (char *)param->srvbuf, off + len, 0,
+				           (struct sockaddr *)¶m->udp_relay[0], SASIZE(¶m->udp_relay[0]));
+				param->statscli64 += len;
+				param->nwrites++;
+			}
+		}
+
+		/* datagram from server / parent relay */
+		if (fds[0].revents) {
+			int hdrsize = (nhops == 0) ? 4 + (int)SAADDRLEN(¶m->sinsr) + 2 : 0;
+			int sendoff = 0, sendlen;
+			sasize = sizeof(from);
+			if (hdrsize > UDPBUFSIZE) return 468;
+			len = param->srv->so._recvfrom(param->sostate, param->remsock,
+				(char *)param->srvbuf + hdrsize, UDPBUFSIZE - hdrsize, 0,
+				(struct sockaddr *)&from, &sasize);
+			if (len <= 0) return 486;
+			if (nhops >= 1) {
+				if (!SAISNULL(¶m->sinsr) && *SAPORT(¶m->sinsr)) {
+					if (SAADDRLEN(&from) != SAADDRLEN(¶m->sinsr) ||
+					    memcmp(SAADDR(&from), SAADDR(¶m->sinsr), SAADDRLEN(&from)) ||
+					    memcmp(SAPORT(&from), SAPORT(¶m->sinsr), 2))
+						continue;
+				}
+			}
+			param->statssrv64 += len;
+			param->nreads++;
+			sendlen = len;
+			if (nhops == 0) {
+				param->srvbuf[0] = param->srvbuf[1] = param->srvbuf[2] = 0;
+				param->srvbuf[3] = (*SAFAMILY(¶m->sinsr) == AF_INET) ? 1 : 4;
+				memcpy(param->srvbuf + 4, SAADDR(¶m->sinsr), SAADDRLEN(¶m->sinsr));
+				memcpy(param->srvbuf + 4 + SAADDRLEN(¶m->sinsr), SAPORT(¶m->sinsr), 2);
+				sendlen = len + hdrsize;
+			} else if (nhops >= 2) {
+				int off = 0, k;
+				for (k = 1; k < nhops; k++) {
+					int next = socks5_udp_skip_hdr(param->srvbuf + off, len - off);
+					if (next < 0) break;
+					off += next;
+				}
+				sendoff = off;
+				sendlen = len - off;
+			}
+			if (sendlen > 0)
+				param->srv->so._sendto(param->sostate, param->clisock,
+				           (char *)param->srvbuf + sendoff, sendlen, 0,
+				           (struct sockaddr *)&sin, SASIZE(&sin));
+			if (param->srv->s_option && param->srv->service == S_UDPPM) return 0;
+		}
+
+		if ((ctrlsock_idx >= 0 && fds[ctrlsock_idx].revents) ||
+		    (ctrlsocksrv_idx >= 0 && fds[ctrlsocksrv_idx].revents)) return 0;
+	}
+	return 0;
+}
diff --git a/src/version.h b/src/version.h
index 8e3996c..05a8bf9 100644
--- a/src/version.h
+++ b/src/version.h
@@ -1,12 +1,14 @@
 #ifndef VERSION
-#define VERSION "3proxy-0.9.3"
+#define VERSION "3proxy-0.9.6"
 #endif
 #ifndef BUILDDATE
 #define BUILDDATE ""
 #endif
 #define MAJOR3PROXY 0
 #define SUBMAJOR3PROXY 9
-#define MINOR3PROXY 3
+#define MINOR3PROXY 6
 #define SUBMINOR3PROXY 0
-#define RELEASE3PROXY "3proxy-0.9.3(" BUILDDATE ")\0"
-#define YEAR3PROXY "2021"
+#define RELEASE3PROXY "3proxy-0.9.6(" BUILDDATE ")\0"
+#ifndef YEAR3PROXY
+#define YEAR3PROXY "2026"
+#endif
diff --git a/src/webadmin.c b/src/webadmin.c
index 936ef2a..98103d4 100644
--- a/src/webadmin.c
+++ b/src/webadmin.c
@@ -1,6 +1,6 @@
 /*
-   3APA3A simpliest proxy server
-   (c) 2002-2016 by Vladimir Dubrovin <3proxy@3proxy.ru>
+   3APA3A simplest proxy server
+   (c) 2002-2026 by Vladimir Dubrovin 
 
    please read License Agreement
 
@@ -55,12 +55,12 @@ char * aceaction (int action){
 
 static void stdpr(struct printparam* pp, char *buf, int inbuf){
 	if((pp->inbuf + inbuf > 1024) || !buf) {
-		socksend(pp->cp->clisock, (unsigned char *)pp->buf, pp->inbuf, conf.timeouts[STRING_S]);
+		socksend(pp->cp, pp->cp->clisock, (unsigned char *)pp->buf, pp->inbuf, conf.timeouts[STRING_S]);
 		pp->inbuf = 0;
 		if(!buf) return;
 	}
 	if(inbuf >= 1000){
-		socksend(pp->cp->clisock, (unsigned char *)buf, inbuf, conf.timeouts[STRING_S]);		
+		socksend(pp->cp, pp->cp->clisock, (unsigned char *)buf, inbuf, conf.timeouts[STRING_S]);		
 	}
 	else {
 		memcpy(pp->buf + pp->inbuf, buf, inbuf);
@@ -134,7 +134,7 @@ static void printstr(struct printparam* pp, char* str){
 static void printval(void *value, int type, int level, struct printparam* pp){
 	struct node pn, cn;
 	struct property *p;
-	int i;
+	int i, pi;
 
 	pn.iteration = NULL;
 	pn.parent = NULL;
@@ -142,7 +142,8 @@ static void printval(void *value, int type, int level, struct printparam* pp){
 	pn.value =  value;
 
 	printstr(pp, "");
-	for(p = datatypes[type].properties; p; ) {
+	for(pi = 0; pi < (int)datatypes[type].properties_count; ) {
+		p = datatypes[type].properties + pi;
 		cn.iteration = NULL;
 		cn.parent = &pn;
 		cn.type = p->type;
@@ -171,7 +172,7 @@ static void printval(void *value, int type, int level, struct printparam* pp){
 				if(!strcmp(p->name, "next")){
 /*					printstr(pp, "\n"); */
 					printstr(pp, "\n");
-					p = datatypes[type].properties;
+					pi = 0;
 					pn.value = value = cn.value;
 					continue;
 				}
@@ -182,7 +183,7 @@ static void printval(void *value, int type, int level, struct printparam* pp){
 				}
 			}
 		}
-		p=p->next;
+		pi++;
 	}
 	printstr(pp, "");
 }
@@ -378,11 +379,11 @@ void * adminchild(struct clientparam* param) {
  int limited = 0;
 
 
- limited =param->srv->singlepacket;
+ limited =param->srv->s_option;
  pp.inbuf = 0;
  pp.cp = param;
 
- buf = myalloc(LINESIZE);
+ buf = malloc(LINESIZE);
  if(!buf) {RETURN(555);}
  i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, LINESIZE - 1, '\n', conf.timeouts[STRING_S]);
  if(i<5 || ((buf[0]!='G' || buf[1]!='E' || buf[2]!='T' || buf[3]!=' ' || buf[4]!='/') && 
@@ -396,7 +397,7 @@ void * adminchild(struct clientparam* param) {
 	RETURN(702);
  }
  *sb = 0;
- req = mystrdup(buf + ((*buf == 'P')? 6 : 5));
+ req = strdup(buf + ((*buf == 'P')? 6 : 5));
  while((i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, LINESIZE - 1, '\n', conf.timeouts[STRING_S])) > 2){
 	buf[i] = 0;
 	if(i > 19 && (!strncasecmp(buf, "authorization", 13))){
@@ -415,11 +416,11 @@ void * adminchild(struct clientparam* param) {
 		sb = strchr((char *)username, ':');
 		if(sb){
 			*sb = 0;
-			if(param->password)myfree(param->password);
-			param->password = (unsigned char *)mystrdup(sb+1);
+			if(param->password)free(param->password);
+			param->password = (unsigned char *)strdup(sb+1);
 		}
-		if(param->username) myfree(param->username);
-		param->username = (unsigned char *)mystrdup(username);
+		if(param->username) free(param->username);
+		param->username = (unsigned char *)strdup(username);
 		continue;
 	}
 	else if(i > 15 && (!strncasecmp(buf, "content-length:", 15))){
@@ -510,9 +511,9 @@ void * adminchild(struct clientparam* param) {
 			 }
 			 else {
 			  inbuf += sprintf(buf+inbuf,	
-					"%"PRINTF_INT64_MODIFIER"u"
+					"%"PRIu64""
 					"MB%s"
-					"%"PRINTF_INT64_MODIFIER"u.%"PRINTF_INT64_MODIFIER"u"
+					"%"PRIu64".%"PRIu64""
 					"%s",
 				 cp->traflim64 / (1024 * 1024),
 				 rotations[cp->type],
@@ -593,7 +594,7 @@ void * adminchild(struct clientparam* param) {
 			if(writable && !error){
 				fflush(writable);
 #ifndef _WINCE
-				ftruncate(fileno(writable), ftell(writable));
+				if(ftruncate(fileno(writable), ftell(writable))){}
 #endif
 			}
 			printstr(&pp, error?    "
    Config file is not writable
    Make sure you have \"writable\" command in configuration file":
@@ -611,9 +612,9 @@ CLEANRET:
 
 
  printstr(&pp, NULL);
- if(buf) myfree(buf);
+ if(buf) free(buf);
  dolog(param, (unsigned char *)req);
- if(req)myfree(req);
+ if(req)free(req);
  freeparam(param);
  return (NULL);
 }