linux-4.1-tfw.patch

diff --git a/Documentation/CodingStyle b/Documentation/CodingStyle
index f4b78ea..b10de96 100644
--- a/Documentation/CodingStyle
+++ b/Documentation/CodingStyle
@@ -1,5 +1,5 @@
-
-		Linux kernel coding style
+		Tempesta coding style
+	(based on Linux kernel coding style)
 
 This is a short document describing the preferred coding style for the
 linux kernel.  Coding style is very personal, and I won't _force_ my
@@ -86,6 +86,17 @@ are placed substantially to the right. The same applies to function headers
 with a long argument list. However, never break user-visible strings such as
 printk messages, because that breaks the ability to grep for them.
 
+Functions calls on multiple lines must have the arguments aligned properly on
+the second and subsequent lines (see https://lkml.org/lkml/2013/6/6/703),
+this means:
+
+	function(arg1, arg2,
+		 arg3, arg4);
+
+You must use the appropriate number of TAB and space characters to achieve this
+proper column alignment, rather than only using TAB characters as you have done
+here.
+
 
 		Chapter 3: Placing Braces and Spaces
 
@@ -116,7 +127,8 @@ while, do).  E.g.:
 However, there is one special case, namely functions: they have the
 opening brace at the beginning of the next line, thus:
 
-	int function(int x)
+	int
+	function(int x)
 	{
 		body of function
 	}
@@ -139,9 +151,11 @@ and
 
 	if (x == y) {
 		..
-	} else if (x > y) {
+	}
+	else if (x > y) {
 		...
-	} else {
+	}
+	else {
 		....
 	}
 
@@ -153,6 +167,9 @@ supply of new-lines on your screen is not a renewable resource (think
 25-line terminal screens here), you have more empty lines to put
 comments on.
 
+However, please note that else-if statements begins at new line to make
+conditions more explicit and improve code readability.
+
 Do not unnecessarily use braces where a single statement will do.
 
 	if (condition)
@@ -272,76 +289,27 @@ See chapter 6 (Functions).
 
 		Chapter 5: Typedefs
 
-Please don't use things like "vps_t".
-It's a _mistake_ to use typedef for structures and pointers. When you see a
+Linux kernel frowns on CamelCase and so we in general, but type names.
+Tempesta uses CamelCase usually prefixed with "Tfw" for type names and uses
+typedefs for them. So instead of
 
 	vps_t a;
-
-in the source, what does it mean?
-In contrast, if it says
-
 	struct virtual_container *a;
 
-you can actually tell what "a" is.
-
-Lots of people think that typedefs "help readability". Not so. They are
-useful only for:
-
- (a) totally opaque objects (where the typedef is actively used to _hide_
-     what the object is).
-
-     Example: "pte_t" etc. opaque objects that you can only access using
-     the proper accessor functions.
-
-     NOTE! Opaqueness and "accessor functions" are not good in themselves.
-     The reason we have them for things like pte_t etc. is that there
-     really is absolutely _zero_ portably accessible information there.
-
- (b) Clear integer types, where the abstraction _helps_ avoid confusion
-     whether it is "int" or "long".
-
-     u8/u16/u32 are perfectly fine typedefs, although they fit into
-     category (d) better than here.
-
-     NOTE! Again - there needs to be a _reason_ for this. If something is
-     "unsigned long", then there's no reason to do
-
-	typedef unsigned long myflags_t;
-
-     but if there is a clear reason for why it under certain circumstances
-     might be an "unsigned int" and under other configurations might be
-     "unsigned long", then by all means go ahead and use a typedef.
-
- (c) when you use sparse to literally create a _new_ type for
-     type-checking.
-
- (d) New types which are identical to standard C99 types, in certain
-     exceptional circumstances.
+we write
 
-     Although it would only take a short amount of time for the eyes and
-     brain to become accustomed to the standard types like 'uint32_t',
-     some people object to their use anyway.
+	TfwVps a;
+	TfwVirtualContainer *a;
 
-     Therefore, the Linux-specific 'u8/u16/u32/u64' types and their
-     signed equivalents which are identical to standard types are
-     permitted -- although they are not mandatory in new code of your
-     own.
+CamelCase helps to identify type name from other names while "_t" suffix just
+makes the name longer. We also use C++ for user-space code and this is quite
+unusual practice in C++ to write something like
 
-     When editing existing code which already uses one or the other set
-     of types, you should conform to the existing choices in that code.
+	struct A a(0);
+	class B b(a);
 
- (e) Types safe for use in userspace.
-
-     In certain structures which are visible to userspace, we cannot
-     require C99 types and cannot use the 'u32' form above. Thus, we
-     use __u32 and similar types in all structures which are shared
-     with userspace.
-
-Maybe there are other cases too, but the rule should basically be to NEVER
-EVER use a typedef unless you can clearly match one of those rules.
-
-In general, a pointer, or a struct that has elements that can reasonably
-be directly accessed should _never_ be a typedef.
+And we're trying to be good for C as well as for C++. Typedefs make C code
+look closer to C++ and that's also good for us.
 
 
 		Chapter 6: Functions
@@ -375,7 +343,8 @@ In source files, separate functions with one blank line.  If the function is
 exported, the EXPORT* macro for it should follow immediately after the closing
 function brace line.  E.g.:
 
-	int system_is_up(void)
+	int
+	system_is_up(void)
 	{
 		return system_state == SYSTEM_RUNNING;
 	}
@@ -385,6 +354,31 @@ In function prototypes, include parameter names with their data types.
 Although this is not required by the C language, it is preferred in Linux
 because it is a simple way to add valuable information for the reader.
 
+Let's consider following *bad* example of C++ function definition:
+
+	template<typename T> inline SomeOtherTemplate<arg1, arg2> the_function(
+		int a, char b, char c)
+	{
+		.....
+	}
+
+In this example function type occupies almost full line, so there is no space
+for name of the function and its arguments. To make function declarations more
+convinient we place template argumenta at first line, function return type at
+the second one and the function name with its arguments at the last line:
+
+	template<typename T>
+	inline SomeOtherTemplate<arg1, arg2>
+	the_function(int a, char b,
+		     char c)
+	{
+		.....
+	}
+
+Please note that if some function arguments ("c" at the example above) don't
+fit one line, they are placed at the next line with identation by tabs and
+spaces to the first argument.
+
 
 		Chapter 7: Centralized exiting of functions
 
@@ -408,7 +402,8 @@ The rationale for using gotos is:
     modifications are prevented
 - saves the compiler work to optimize redundant code away ;)
 
-	int fun(int a)
+	int
+	fun(int a)
 	{
 		int result = 0;
 		char *buffer;
@@ -462,7 +457,8 @@ See the files Documentation/kernel-doc-nano-HOWTO.txt and scripts/kernel-doc
 for details.
 
 Linux style for comments is the C89 "/* ... */" style.
-Don't use C99-style "// ..." comments.
+However, in application-level code you can use C99 or C++-style "// ..."
+comments.
 
 The preferred style for long (multi-line) comments is:
 
@@ -475,16 +471,6 @@ The preferred style for long (multi-line) comments is:
 	 * with beginning and ending almost-blank lines.
 	 */
 
-For files in net/ and drivers/net/ the preferred style for long (multi-line)
-comments is a little different.
-
-	/* The preferred comment style for files in net/ and drivers/net
-	 * looks like this.
-	 *
-	 * It is nearly the same as the generally preferred comment style,
-	 * but there is no initial almost-blank line.
-	 */
-
 It's also important to comment data, whether they are basic types or derived
 types.  To this end, use just one data declaration per line (no commas for
 multiple data declarations).  This leaves you room for a small comment on each
@@ -568,7 +554,15 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
-Seriously dangerous features (such as write support for certain
+Features that might still be considered unstable should be defined as
+dependent on "EXPERIMENTAL":
+
+config SLUB
+	depends on EXPERIMENTAL && !ARCH_USES_SLAB_PAGE_STRUCT
+	bool "SLUB (Unqueued Allocator)"
+	...
+
+while seriously dangerous features (such as write support for certain
 filesystems) should advertise this prominently in their prompt string:
 
 config ADFS_FS_RW
@@ -716,9 +710,8 @@ used.
 		Chapter 14: Allocating memory
 
 The kernel provides the following general purpose memory allocators:
-kmalloc(), kzalloc(), kmalloc_array(), kcalloc(), vmalloc(), and
-vzalloc().  Please refer to the API documentation for further information
-about them.
+kmalloc(), kzalloc(), kcalloc(), vmalloc(), and vzalloc().  Please refer to
+the API documentation for further information about them.
 
 The preferred form for passing a size of a struct is the following:
 
@@ -732,17 +725,6 @@ Casting the return value which is a void pointer is redundant. The conversion
 from void pointer to any other pointer type is guaranteed by the C programming
 language.
 
-The preferred form for allocating an array is the following:
-
-	p = kmalloc_array(n, sizeof(...), ...);
-
-The preferred form for allocating a zeroed array is the following:
-
-	p = kcalloc(n, sizeof(...), ...);
-
-Both forms check for overflow on the allocation size n * sizeof(...),
-and return NULL if that occurred.
-
 
 		Chapter 15: The inline disease
 
@@ -823,7 +805,109 @@ need them.  Feel free to peruse that header file to see what else is already
 defined that you shouldn't reproduce in your code.
 
 
-		Chapter 18:  Editor modelines and other cruft
+		Chapter 18: C++ and other stuff
+
+We use the same coding style for kernel C and application C++ programming, so
+we adjust the original guide with some C++ specific things.
+
+Althought Linux kernel doesn't like capital letters and typedefs for structures,
+it is uncommon for C++ to write
+
+	struct virtual_container *a;
+
+or similarly
+
+	class virtual_container *a;
+
+so to keep consistency between structures and classes we should write
+
+	virtual_container_t *a;
+
+where virtual_container_t is a class typedef'ed structure. To be able to tell
+what "a" is we name classes and structures the same way, using CamelCase.
+So "a" becomes
+
+	VirtualContainer *a.
+
+C++ projects are often includes C, C++/STL, Boost and/or other header files.
+It is desired to sort them as: firstly C-headers, then standard C++ headers,
+headers from other standard libraries and lastly the project's internal headers:
+
+	#include <stdio.h>
+	#include <stdlib.h>
+
+	#include <iostream>
+	#include <vector>
+
+	#include <boost/bind.hpp>
+
+	#include "daemon.h"
+	#include "mem.h"
+
+It is also good idea to sort includes alhpabetically.
+
+By the way, C++ is very powerfull tool which in many cases uses TIMTOWTDI (There
+Is More Than One Way To Do It) concept. For example in some cases you can use
+simple C-array, STL vector or Boost array. In such cases keep you code as simple
+as possibly. It means that if there is no difference, then you should prefer
+C-array to STL vector and STL vector to Boost array.
+
+If a code operates with many function pointers, then it is sometimes difficult
+to find which function a pointer reffers to. So to simplify code navigation
+function pointer types must be defined as <type_name>_t, functions which are
+used with the types should be named as <some_prefix>_<type_name> and variables
+of the type as <some_prefix>_<type_name> or <type_name>_<some_suffix>. E.g.:
+
+	typedef void (*some_func_t)(void);
+
+	void xxx_some_func(void) {};
+	void yyy_some_func(void) {};
+
+	some_func_t var1_some_func = xxx_some_func;
+	some_func_t some_func_var2 = yyy_some_func;
+
+This way it is pretty simple to grep whole code for all functions which can be
+refered by "var1_some_func". Exception of the rule could be variable names
+defined and used in one function scope.
+
+In Linux kernel pointer specifier "*" is placed near to the argument name.
+There is no reason to treat C++ reference "&" differently. So prefer this style
+
+	int &func();
+	int *a, &b = a;
+
+to this *bad* style:
+
+	int& func();
+	int* a, & b = a;
+
+In C++ class methods (special type of function) can operate with global, local,
+or the class memebers. So to differentiate class members from global and local
+variables it is a good idea to use "_" suffix:
+
+	class A {
+		int a_;
+	};
+
+Exception safiness. All functions, which don't throw exceptions,  mandatory MUST
+specify it with noexcept statement:
+
+	void func() noexcept;
+
+Yes, it makes risk to get unexpected exception. But such exceptions must be
+tested and fixed during test phase. And, yes, each time when you need to modify
+source code of a function you have to check that your changes don't affect
+the function exception specification. However, it is much simplier to analyze
+which work flow could lead to and to which exceptions.
+
+Do not use following stupid safe programming for conditions:
+
+	if (5 == a)
+
+It makes code hard to read, but prevents very rare type of misprint.
+
+
+		Chapter 19:  Editor modelines and other cruft
 
 Some editors can interpret configuration information embedded in source files,
 indicated with special markers.  For example, emacs interprets lines marked
@@ -850,7 +934,7 @@ own custom mode, or may have some other magic method for making indentation
 work correctly.
 
 
-		Chapter 19:  Inline assembly
+		Chapter 20:  Inline assembly
 
 In architecture-specific code, you may need to use inline assembly to interface
 with CPU or platform functionality.  Don't hesitate to do so when necessary.
@@ -879,7 +963,7 @@ next instruction in the assembly output:
 	     : /* outputs */ : /* inputs */ : /* clobbers */);
 
 
-		Chapter 20: Conditional Compilation
+		Chapter 21: Conditional Compilation
 
 Wherever possible, don't use preprocessor conditionals (#if, #ifdef) in .c
 files; doing so makes code harder to read and logic harder to follow.  Instead,
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index cd03a0f..6465166 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3554,6 +3554,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 
 	tdfx=		[HW,DRM]
 
+	tempesta_dbmem=	[KNL]
+			Order of 2MB memory blocks reserved on each NUMA node
+			for Tempesta database. Huge pages are used if
+			possible.
+
 	test_suspend=	[SUSPEND][,N]
 			Specify "mem" (for Suspend-to-RAM) or "standby" (for
 			standby suspend) or "freeze" (for suspend type freeze)
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 6c9cb60..505dfd3 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1128,7 +1128,11 @@ ENTRY(do_softirq_own_stack)
 	incl PER_CPU_VAR(irq_count)
 	cmove PER_CPU_VAR(irq_stack_ptr),%rsp
 	push  %rbp			# backlink for old unwinder
+#ifdef CONFIG_SECURITY_TEMPESTA
+	call __tempesta_do_softirq_fpusafe
+#else
 	call __do_softirq
+#endif
 	leaveq
 	CFI_RESTORE		rbp
 	CFI_DEF_CFA_REGISTER	rsp
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
index 394e643..7c7f954 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
@@ -74,6 +74,26 @@ static inline void stack_overflow_check(struct pt_regs *regs)
 #endif
 }
 
+#ifdef CONFIG_SECURITY_TEMPESTA
+/* Tempesta supports x86-64 only. */
+#include <asm/i387.h>
+
+void
+__tempesta_do_softirq_fpusafe(void)
+{
+	/*
+	 * Switch FPU context once per budget packets to let Tempesta
+	 * run many vector operations w/o costly FPU switches.
+	 * Eager FPU must be enabled.
+	 */
+	kernel_fpu_begin();
+
+	__do_softirq();
+
+	kernel_fpu_end();
+}
+#endif
+
 bool handle_irq(unsigned irq, struct pt_regs *regs)
 {
 	struct irq_desc *desc;
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
index 87a815b..84b7399 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -565,7 +565,7 @@ static void __init setup_init_fpu_buf(void)
 	xsave_state_booting(init_xstate_buf, -1);
 }
 
-static enum { AUTO, ENABLE, DISABLE } eagerfpu = AUTO;
+static enum { AUTO, ENABLE, DISABLE } eagerfpu = ENABLE;
 static int __init eager_fpu_setup(char *s)
 {
 	if (!strcmp(s, "on"))
diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
index 950ae45..0f1f587 100644
--- a/include/linux/interrupt.h
+++ b/include/linux/interrupt.h
@@ -402,13 +402,13 @@ extern bool force_irqthreads;
    tasklets are more than enough. F.e. all serial device BHs et
    al. should be converted to tasklets, not to softirqs.
  */
-
+/* Tempesta: process RX before TX to proxy traffic in one softirq shot. */
 enum
 {
 	HI_SOFTIRQ=0,
 	TIMER_SOFTIRQ,
-	NET_TX_SOFTIRQ,
 	NET_RX_SOFTIRQ,
+	NET_TX_SOFTIRQ,
 	BLOCK_SOFTIRQ,
 	BLOCK_IOPOLL_SOFTIRQ,
 	TASKLET_SOFTIRQ,
@@ -452,7 +452,7 @@ extern void softirq_init(void);
 extern void __raise_softirq_irqoff(unsigned int nr);
 
 extern void raise_softirq_irqoff(unsigned int nr);
-extern void raise_softirq(unsigned int nr);
+void raise_softirq(unsigned int nr);
 
 DECLARE_PER_CPU(struct task_struct *, ksoftirqd);
 
diff --git a/include/linux/net.h b/include/linux/net.h
index 738ea48..7944e97 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -192,6 +192,8 @@ struct net_proto_family {
 	struct module	*owner;
 };
 
+extern const struct net_proto_family *get_proto_family(int family);
+
 struct iovec;
 struct kvec;
 
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 4307e20..f915c87 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -538,8 +538,12 @@ struct sk_buff {
 	 * layer. Please put your private variables there. If you
 	 * want to keep them across layers you have to do a skb_clone()
 	 * first. This is owned by whoever has the skb queued ATM.
+	 *
+	 * Tempesta. Extend the control block from original 48 bytes to
+	 * 64, so we can place our own control block at the end of @cb
+	 * and safely pass the skb to TCP and IP layers.
 	 */
-	char			cb[48] __aligned(8);
+	char			cb[64] __aligned(8);
 
 	unsigned long		_skb_refdst;
 	void			(*destructor)(struct sk_buff *skb);
@@ -567,8 +571,10 @@ struct sk_buff {
 				fclone:2,
 				peeked:1,
 				head_frag:1,
+#ifdef CONFIG_SECURITY_TEMPESTA
+				skb_page:1,
+#endif
 				xmit_more:1;
-	/* one bit hole */
 	kmemcheck_bitfield_end(flags1);
 
 	/* fields enclosed in headers_start/headers_end are copied
@@ -3452,5 +3458,28 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
 			       skb_network_header(skb);
 	return hdr_len + skb_gso_transport_seglen(skb);
 }
+
+/*
+ * ------------------------------------------------------------------------
+ * 		Tempesta FW
+ * ------------------------------------------------------------------------
+ */
+/*
+ * We use this additional skb list to be able to reference skbs which are
+ * processed by standard Linux TCP/IP stack w/o skb cloning.
+ */
+typedef struct {
+	struct sk_buff	*next;
+	struct sk_buff	*prev;
+} SsSkbCb;
+
+#define TFW_SKB_CB(s)		((SsSkbCb *)((s)->cb + sizeof((s)->cb)	\
+						      - sizeof(SsSkbCb)))
+#define TFW_SKB_CB_INIT(skb)						\
+do {									\
+	TFW_SKB_CB(skb)->prev = NULL;					\
+	TFW_SKB_CB(skb)->next = NULL;					\
+} while (0)
+
 #endif	/* __KERNEL__ */
 #endif	/* _LINUX_SKBUFF_H */
diff --git a/include/linux/tempesta.h b/include/linux/tempesta.h
new file mode 100644
index 0000000..55049bd
--- /dev/null
+++ b/include/linux/tempesta.h
@@ -0,0 +1,54 @@
+/**
+ * Linux interface for Tempesta FW.
+ *
+ * Copyright (C) 2014 NatSys Lab. (info@natsys-lab.com).
+ * Copyright (C) 2015-2016 Tempesta Technologies, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59
+ * Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+#ifndef __TEMPESTA_H__
+#define __TEMPESTA_H__
+
+#include <net/sock.h>
+
+typedef void (*TempestaTxAction)(void);
+
+typedef struct {
+	int (*sk_alloc)(struct sock *sk);
+	void (*sk_free)(struct sock *sk);
+	int (*sock_tcp_rcv)(struct sock *sk, struct sk_buff *skb);
+} TempestaOps;
+
+typedef struct {
+	unsigned long	addr;
+	unsigned long	pages; /* number of 4KB pages */
+} TempestaMapping;
+
+/* Security hooks. */
+int tempesta_new_clntsk(struct sock *newsk);
+void tempesta_register_ops(TempestaOps *tops);
+void tempesta_unregister_ops(TempestaOps *tops);
+
+/* Network hooks. */
+void tempesta_set_tx_action(TempestaTxAction action);
+void tempesta_del_tx_action(void);
+
+/* Memory management. */
+void tempesta_reserve_pages(void);
+void tempesta_reserve_vmpages(void);
+int tempesta_get_mapping(int node, TempestaMapping **tm);
+
+#endif /* __TEMPESTA_H__ */
+
diff --git a/include/net/sock.h b/include/net/sock.h
index ed01a01..60a4392 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -849,9 +849,14 @@ static inline int sk_backlog_rcv(struct sock *sk, struct sk_buff *skb)
 	return sk->sk_backlog_rcv(sk, skb);
 }
 
+#define TFW_SK_CPU_INIT	USHRT_MAX
+
 static inline void sk_incoming_cpu_update(struct sock *sk)
 {
-	sk->sk_incoming_cpu = raw_smp_processor_id();
+#ifdef CONFIG_SECURITY_TEMPESTA
+	if (sk->sk_incoming_cpu == TFW_SK_CPU_INIT)
+#endif
+		sk->sk_incoming_cpu = raw_smp_processor_id();
 }
 
 static inline void sock_rps_record_flow_hash(__u32 hash)
@@ -1697,8 +1702,7 @@ unsigned long sock_i_ino(struct sock *sk);
 static inline struct dst_entry *
 __sk_dst_get(struct sock *sk)
 {
-	return rcu_dereference_check(sk->sk_dst_cache, sock_owned_by_user(sk) ||
-						       lockdep_is_held(&sk->sk_lock.slock));
+	return rcu_dereference_raw(sk->sk_dst_cache);
 }
 
 static inline struct dst_entry *
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 6d204f3..ab4c696 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -340,6 +340,7 @@ static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
 }
 
 extern struct proto tcp_prot;
+extern struct proto tcpv6_prot;
 
 #define TCP_INC_STATS(net, field)	SNMP_INC_STATS((net)->mib.tcp_statistics, field)
 #define TCP_INC_STATS_BH(net, field)	SNMP_INC_STATS_BH((net)->mib.tcp_statistics, field)
@@ -578,6 +579,16 @@ static inline int tcp_bound_to_half_wnd(struct tcp_sock *tp, int pktsize)
 /* tcp.c */
 void tcp_get_info(struct sock *, struct tcp_info *);
 
+/* Routines required by Tempesta FW. */
+void tcp_cleanup_rbuf(struct sock *sk, int copied);
+extern void tcp_push(struct sock *sk, int flags, int mss_now, int nonagle,
+		     int size_goal);
+extern int tcp_send_mss(struct sock *sk, int *size_goal, int flags);
+extern void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb);
+extern void tcp_init_nondata_skb(struct sk_buff *skb, u32 seq, u8 flags);
+extern void tcp_queue_skb(struct sock *sk, struct sk_buff *skb);
+extern int tcp_close_state(struct sock *sk);
+
 /* Read 'sendfile()'-style from a TCP socket */
 typedef int (*sk_read_actor_t)(read_descriptor_t *, struct sk_buff *,
 				unsigned int, size_t);
diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h
index 1a85940..909e081 100644
--- a/include/uapi/linux/netlink.h
+++ b/include/uapi/linux/netlink.h
@@ -27,6 +27,7 @@
 #define NETLINK_ECRYPTFS	19
 #define NETLINK_RDMA		20
 #define NETLINK_CRYPTO		21	/* Crypto layer */
+#define NETLINK_TEMPESTA	22
 
 #define NETLINK_INET_DIAG	NETLINK_SOCK_DIAG
 
diff --git a/init/main.c b/init/main.c
index 2a89545..0a24b7d 100644
--- a/init/main.c
+++ b/init/main.c
@@ -88,6 +88,8 @@
 #include <asm/sections.h>
 #include <asm/cacheflush.h>
 
+#include <linux/tempesta.h>
+
 static int kernel_init(void *);
 
 extern void init_IRQ(void);
@@ -482,11 +484,25 @@ static void __init mm_init(void)
 	 */
 	page_ext_init_flatmem();
 	mem_init();
+
+	/*
+	 * Tempesta: reserve pages just when zones are initialized
+	 * to get continous address space of huge pages.
+	 */
+#ifdef CONFIG_SECURITY_TEMPESTA
+	tempesta_reserve_pages();
+#endif
+
 	kmem_cache_init();
 	percpu_init_late();
 	pgtable_init();
 	vmalloc_init();
 	ioremap_huge_init();
+
+	/* Try vmalloc() if the previous one failed. */
+#ifdef CONFIG_SECURITY_TEMPESTA
+	tempesta_reserve_vmpages();
+#endif
 }
 
 asmlinkage __visible void __init start_kernel(void)
diff --git a/kernel/softirq.c b/kernel/softirq.c
index 479e443..f951010 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -423,6 +423,7 @@ void raise_softirq(unsigned int nr)
 	raise_softirq_irqoff(nr);
 	local_irq_restore(flags);
 }
+EXPORT_SYMBOL(raise_softirq);
 
 void __raise_softirq_irqoff(unsigned int nr)
 {
diff --git a/mm/Makefile b/mm/Makefile
index 98c4eae..33cf154 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -78,3 +78,4 @@ obj-$(CONFIG_CMA)	+= cma.o
 obj-$(CONFIG_MEMORY_BALLOON) += balloon_compaction.o
 obj-$(CONFIG_PAGE_EXTENSION) += page_ext.o
 obj-$(CONFIG_CMA_DEBUGFS) += cma_debug.o
+obj-$(CONFIG_SECURITY_TEMPESTA) += tempesta_mm.o
diff --git a/mm/tempesta_mm.c b/mm/tempesta_mm.c
new file mode 100644
index 0000000..3909f7f
--- /dev/null
+++ b/mm/tempesta_mm.c
@@ -0,0 +1,284 @@
+/**
+ *		Tempesta Memory Reservation
+ *
+ * Copyright (C) 2015 Tempesta Technologies, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59
+ * Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+#include <linux/gfp.h>
+#include <linux/hugetlb.h>
+#include <linux/tempesta.h>
+#include <linux/topology.h>
+#include <linux/vmalloc.h>
+
+#include "internal.h"
+
+#define MAX_PGORDER		16	/* 128GB per one table */
+#define MIN_PGORDER		0	/* 2MB - one extent */
+#define DEFAULT_PGORDER		8	/* 512MB */
+/* Modern processors support up to 1.5TB of RAM, be ready for 2TB. */
+#define GREEDY_ARNUM		(1024 * 1024 + 1)
+#define PGNUM			(1 << pgorder)
+#define PGNUM4K			(PGNUM * (1 << HUGETLB_PAGE_ORDER))
+
+static int pgorder = DEFAULT_PGORDER;
+static gfp_t gfp_f = GFP_HIGHUSER | __GFP_COMP | __GFP_THISNODE | __GFP_ZERO
+		     | __GFP_REPEAT |__GFP_NOWARN;
+static TempestaMapping map[MAX_NUMNODES];
+/*
+ * Modern x86-64 has not more than 512GB RAM per physical node.
+ * This is very large amount of memory, but it will be freed when
+ * initialization phase ends.
+ */
+static struct page *greedy[GREEDY_ARNUM] __initdata = { 0 };
+
+static int __init
+tempesta_setup_pages(char *str)
+{
+	get_option(&str, &pgorder);
+	if (pgorder < MIN_PGORDER) {
+		pr_err("Tempesta: bad dbmem value %d, must be [%d:%d]\n",
+		       pgorder, MIN_PGORDER, MAX_PGORDER);
+		pgorder = MIN_PGORDER;
+	}
+	if (pgorder > MAX_PGORDER) {
+		pr_err("Tempesta: bad dbmem value %d, must be [%d:%d]\n",
+		       pgorder, MIN_PGORDER, MAX_PGORDER);
+		pgorder = MAX_PGORDER;
+	}
+
+	return 1;
+}
+__setup("tempesta_dbmem=", tempesta_setup_pages);
+
+/**
+ * The code is somewhat stollen from mm/hugetlb.c.
+ */
+static struct page *
+tempesta_alloc_hpage(int nid)
+{
+	struct page *p;
+
+	p = alloc_pages_exact_node(nid, gfp_f, HUGETLB_PAGE_ORDER);
+	if (!p)
+		return NULL;
+
+	if (arch_prepare_hugepage(p)) {
+		pr_err("Tempesta: cannot prepare hugepage %p at node %d\n",
+		       p, nid);
+		return NULL;
+	}
+
+	count_vm_event(HTLB_BUDDY_PGALLOC);
+
+	__ClearPageReserved(p);
+	prep_compound_page(p, HUGETLB_PAGE_ORDER);
+
+	/* Acquire the page immediately. */
+	set_page_refcounted(p);
+
+	return p;
+}
+
+static void
+tempesta_free_hpage(struct page *p)
+{
+	__free_pages(p, HUGETLB_PAGE_ORDER);
+}
+
+/**
+ * Greedely alloc huge pages and try to find continous region organized
+ * by sorted set of allocated pages. When the region is found, all pages
+ * out of it are returned to system.
+ */
+static struct page *
+tempesta_alloc_contmem(int nid)
+{
+	long min = -1, start = -1, curr = 0, end = -1, max = -1;
+	struct page *p;
+
+	while (1) {
+		p = tempesta_alloc_hpage(nid);
+		if (!p)
+			goto err;
+		curr = ((long)page_address(p) - PAGE_OFFSET) >> HPAGE_SHIFT;
+		/*
+		 * The first kernel mapped page is always reserved.
+		 * Keep untouched (zero) bounds for faster lookups.
+		 */
+		BUG_ON(curr < 1 || curr >= GREEDY_ARNUM);
+		greedy[curr] = p;
+
+		/* First time initialization. */
+		if (min < 0) {
+			min = start = end = max = curr;
+		} else {
+			/* Update bounds for faster pages return. */
+			if (min > curr)
+				min = curr;
+			if (max < curr)
+				max = curr;
+			/* Update continous memory segment bounds. */
+			if (curr == end + 1) {
+				while (end <= max && greedy[end + 1])
+					++end;
+			}
+			else if (curr + 1 == start) {
+				while (start >= min && greedy[start - 1])
+					--start;
+			}
+			else {
+				/* Try to find new continous segment. */
+				long i, d_max = 0, good_start = start = min;
+				for (i = min; i <= max; ++i) {
+					if (greedy[i]) {
+						if (start == -1)
+							start = i;
+						end = i;
+						if (i - start + 1 == PGNUM)
+							break;
+						continue;
+					}
+
+					if (start > 0 && end - start > d_max) {
+						good_start = start;
+						d_max = end - start;
+					}
+					start = -1;
+				}
+				if (end - start < d_max) {
+					start = good_start;
+					end = start + d_max;
+				}
+			}
+		}
+
+		if (end - start + 1 == PGNUM)
+			break; /* continous space is built! */
+	}
+
+	/* Return unnecessary pages. */
+	BUG_ON(min < 0 || start < 0 || end < 0 || max < 0);
+	for ( ; min < start; ++min)
+		if (greedy[min]) {
+			tempesta_free_hpage(greedy[min]);
+			greedy[min] = NULL;
+		}
+	for ( ; max > end; --max)
+		if (greedy[max]) {
+			tempesta_free_hpage(greedy[max]);
+			greedy[max] = NULL;
+		}
+	return greedy[start];
+
+err:
+	pr_err("Tempesta: cannot allocate %u continous huge pages at node"
+	       " %d\n", PGNUM, nid);
+	for ( ; min >= 0 && min <= max; ++min)
+		if (greedy[min]) {
+			tempesta_free_hpage(greedy[min]);
+			greedy[min] = NULL;
+		}
+	return NULL;
+}
+
+/**
+ * Allocate continous virtual space of huge pages for Tempesta.
+ * We do not use giantic 1GB pages since not all modern x86-64 CPUs
+ * allows them in virtualized mode.
+ *
+ * TODO try firstly to allocate giantic pages, next huge pages and finally
+ * fallback to common 4KB pages allocation if previous tries failed.
+ */
+void __init
+tempesta_reserve_pages(void)
+{
+	int nid;
+	struct page *p;
+
+	for_each_online_node(nid) {
+		p = tempesta_alloc_contmem(nid);
+		if (!p)
+			goto err;
+
+		map[nid].addr = (unsigned long)page_address(p);
+		map[nid].pages = PGNUM4K;
+
+		pr_info("Tempesta: allocated huge pages space %p %luMB at node"
+			" %d\n", page_address(p),
+			PGNUM4K * PAGE_SIZE / (1024 * 1024), nid);
+	}
+
+	return;
+err:
+	for_each_online_node(nid) {
+		struct page *pend;
+		if (!map[nid].addr)
+			continue;
+		for (p = virt_to_page(map[nid].addr), pend = p + PGNUM4K;
+		     p < pend; p += 1 << HUGETLB_PAGE_ORDER)
+			tempesta_free_hpage(p);
+	}
+	memset(map, 0, sizeof(map));
+}
+
+/**
+ * Allocates necessary space if tempesta_reserve_pages() failed.
+ */
+void __init
+tempesta_reserve_vmpages(void)
+{
+	int nid, maps = 0;
+	size_t vmsize = PGNUM * (1 << HPAGE_SHIFT);
+
+	for_each_online_node(nid)
+		maps += !!map[nid].addr;
+
+	BUG_ON(maps && maps < nr_online_nodes);
+	if (maps == nr_online_nodes)
+		return;
+
+	for_each_online_node(nid) {
+		pr_warn("Tempesta: allocate %u vmalloc pages at node %d\n",
+			PGNUM4K, nid);
+
+		map[nid].addr = (unsigned long)vzalloc_node(vmsize, nid);
+		if (!map[nid].addr)
+			goto err;
+		map[nid].pages = PGNUM4K;
+	}
+
+	return;
+err:
+	pr_err("Tempesta: cannot vmalloc area of %lu bytes at node %d\n",
+	       vmsize, nid);
+	for_each_online_node(nid)
+		if (map[nid].addr)
+			vfree((void *)map[nid].addr);
+	memset(map, 0, sizeof(map));
+}
+
+int
+tempesta_get_mapping(int nid, TempestaMapping **tm)
+{
+	if (unlikely(!map[nid].addr))
+		return -ENOMEM;
+
+	*tm = &map[nid];
+
+	return 0;
+}
+EXPORT_SYMBOL(tempesta_get_mapping);
+
diff --git a/net/core/dev.c b/net/core/dev.c
index a42b232..a40e64b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3443,6 +3443,27 @@ int netif_rx_ni(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(netif_rx_ni);
 
+#ifdef CONFIG_SECURITY_TEMPESTA
+#include <linux/tempesta.h>
+
+static TempestaTxAction __rcu tempesta_tx_action = NULL;
+
+void
+tempesta_set_tx_action(TempestaTxAction action)
+{
+	rcu_assign_pointer(tempesta_tx_action, action);
+}
+EXPORT_SYMBOL(tempesta_set_tx_action);
+
+void
+tempesta_del_tx_action(void)
+{
+	rcu_assign_pointer(tempesta_tx_action, NULL);
+	synchronize_rcu();
+}
+EXPORT_SYMBOL(tempesta_del_tx_action);
+#endif
+
 static void net_tx_action(struct softirq_action *h)
 {
 	struct softnet_data *sd = this_cpu_ptr(&softnet_data);
@@ -3468,6 +3489,20 @@ static void net_tx_action(struct softirq_action *h)
 		}
 	}
 
+#ifdef CONFIG_SECURITY_TEMPESTA
+	{
+		TempestaTxAction action;
+
+		rcu_read_lock();
+
+		action = rcu_dereference(tempesta_tx_action);
+		if (likely(action))
+			action();
+
+		rcu_read_unlock();
+	}
+#endif
+
 	if (sd->output_queue) {
 		struct Qdisc *head;
 
@@ -4175,7 +4210,12 @@ static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb)
 
 	case GRO_MERGED_FREE:
 		if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD)
-			kmem_cache_free(skbuff_head_cache, skb);
+#ifdef CONFIG_SECURITY_TEMPESTA
+			if (skb->skb_page)
+				put_page(virt_to_head_page(skb));
+			else
+#endif
+				kmem_cache_free(skbuff_head_cache, skb);
 		else
 			__kfree_skb(skb);
 		break;
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index b42f0e2..ef4362e 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -210,3 +210,4 @@ void reqsk_fastopen_remove(struct sock *sk, struct request_sock *req,
 out:
 	spin_unlock_bh(&fastopenq->lock);
 }
+EXPORT_SYMBOL(reqsk_fastopen_remove);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 075d2e7..910bf00 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -78,7 +78,9 @@
 #include <linux/user_namespace.h>
 
 struct kmem_cache *skbuff_head_cache __read_mostly;
+#ifndef CONFIG_SECURITY_TEMPESTA
 static struct kmem_cache *skbuff_fclone_cache __read_mostly;
+#endif
 
 /**
  *	skb_panic - private function for out-of-line support
@@ -112,6 +114,7 @@ static void skb_under_panic(struct sk_buff *skb, unsigned int sz, void *addr)
 	skb_panic(skb, sz, addr, __func__);
 }
 
+#ifndef CONFIG_SECURITY_TEMPESTA
 /*
  * kmalloc_reserve is a wrapper around kmalloc_node_track_caller that tells
  * the caller if emergency pfmemalloc reserves are being used. If it is and
@@ -148,6 +151,132 @@ out:
 
 	return obj;
 }
+#else
+/*
+ * Chunks of size 512B, 1KB and 2KB.
+ * Typical sk_buff requires ~248B or ~504B (for fclone),
+ * skb_shared_info is ~320B.
+ */
+#define PG_LISTS_N		3
+#define PG_CHUNK_BITS		(PAGE_SHIFT - 3)
+#define PG_CHUNK_SZ		(1 << PG_CHUNK_BITS)
+#define PG_CHUNK_MASK		(~(PG_CHUNK_SZ - 1))
+#define PG_ALLOC_SZ(s)		(((s) + (PG_CHUNK_SZ - 1)) & PG_CHUNK_MASK)
+#define PG_CHUNK_NUM(s)		(PG_ALLOC_SZ(s) >> PG_CHUNK_BITS)
+#define PG_POOL_HLIM_BASE	256
+
+/**
+ * @lh		- list head of chunk pool;
+ * @count	- current number of chunks in @lh;
+ * @h_limit	- hard limit for size of @lh;
+ * @max		- current maximum allowed size of the list, can be 0.
+ */
+typedef struct {
+	struct list_head	lh;
+	unsigned int		count;
+	unsigned int		h_limit;
+	unsigned int		max;
+} TfwSkbMemPool;
+
+static DEFINE_PER_CPU(TfwSkbMemPool [PG_LISTS_N], pg_mpool);
+
+static bool
+__pg_pool_grow(TfwSkbMemPool *pool)
+{
+	if (!pool->count) {
+		/* Too few chunks were provisioned. */
+		unsigned int n = max(pool->max, 1U) << 1; /* start from 2 */
+		pool->max = (n > pool->h_limit) ? pool->h_limit : n;
+		return false;
+	}
+	if (pool->max < pool->h_limit)
+		++pool->max;
+	return true;
+}
+
+static bool
+__pg_pool_shrink(TfwSkbMemPool *pool)
+{
+	if (unlikely(pool->count >= pool->max)) {
+		/* Producers are much faster consumers right now. */
+		pool->max >>= 1;
+		while (pool->count > pool->max) {
+			struct list_head *pc = pool->lh.next;
+			list_del(pc);
+			put_page(virt_to_page(pc));
+			--pool->count;
+		}
+		return false;
+	}
+	/*
+	 * Producers and consumers look balanced.
+	 * Slowly reduce provisioning.
+	 */
+	if (pool->max)
+		--pool->max;
+	return true;
+}
+
+static void *
+__pg_skb_alloc(unsigned int size, gfp_t gfp_mask, int node)
+{
+	char *ptr;
+	struct page *pg;
+	TfwSkbMemPool *pools;
+	unsigned int c, cn, o, l, po;
+
+	cn = PG_CHUNK_NUM(size);
+	po = get_order(PG_ALLOC_SZ(size));
+
+	local_bh_disable();
+	pools = this_cpu_ptr(pg_mpool);
+
+	for (o = (cn == 1) ? 0 : (cn == 2) ? 1 : (cn <= 4) ? 2 : PG_LISTS_N;
+	     o < PG_LISTS_N; ++o)
+	{
+		struct list_head *pc;
+		if (!__pg_pool_grow(&pools[o]))
+			continue;
+
+		pc = pools[o].lh.next;
+		list_del(pc);
+		--pools[o].count;
+		ptr = (char *)pc;
+		goto assign_tail_chunks;
+	}
+
+	local_bh_enable();
+
+	pg = alloc_pages_node(node, gfp_mask, po);
+	if (!pg)
+		return NULL;
+	ptr = (char *)page_address(pg);
+	if (po)
+		return ptr; /* don't try to split compound page */
+	o = PAGE_SHIFT - PG_CHUNK_BITS;
+
+	local_bh_disable();
+	pools = this_cpu_ptr(pg_mpool);
+
+assign_tail_chunks:
+	/* Split and store small tail chunks. */
+	for (c = cn, cn = 1 << o, l = PG_LISTS_N - 1; c < cn; c += (1 << l)) {
+		struct list_head *chunk;
+		while (c + (1 << l) > cn)
+			--l;
+		chunk = (struct list_head *)(ptr + PG_CHUNK_SZ * c);
+		if (__pg_pool_shrink(&pools[l])) {
+			get_page(virt_to_page(chunk));
+			list_add(chunk, &pools[l].lh);
+			++pools[l].count;
+		}
+	}
+
+	local_bh_enable();
+
+	return ptr;
+}
+#endif
 
 /* 	Allocate a new skbuff. We do this ourselves so we can fill in a few
  *	'private' fields and also do memory statistics to find all the
@@ -180,6 +309,49 @@ out:
 	return skb;
 }
 
+static void
+__alloc_skb_init(struct sk_buff *skb, u8 *data, unsigned int size,
+		 int flags, bool pfmemalloc)
+{
+	struct skb_shared_info *shinfo;
+
+	/*
+	 * Only clear those fields we need to clear, not those that we will
+	 * actually initialise below. Hence, don't put any more fields after
+	 * the tail pointer in struct sk_buff!
+	 */
+	memset(skb, 0, offsetof(struct sk_buff, tail));
+	/* Account for allocated memory : skb + skb->head */
+	skb->truesize = SKB_TRUESIZE(size);
+	skb->pfmemalloc = pfmemalloc;
+	atomic_set(&skb->users, 1);
+	skb->head = data;
+	skb->data = data;
+	skb_reset_tail_pointer(skb);
+	skb->end = skb->tail + size;
+	skb->mac_header = (typeof(skb->mac_header))~0U;
+	skb->transport_header = (typeof(skb->transport_header))~0U;
+
+	/* make sure we initialize shinfo sequentially */
+	shinfo = skb_shinfo(skb);
+	memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
+	atomic_set(&shinfo->dataref, 1);
+	kmemcheck_annotate_variable(shinfo->destructor_arg);
+
+	if (flags & SKB_ALLOC_FCLONE) {
+		struct sk_buff_fclones *fclones;
+
+		fclones = container_of(skb, struct sk_buff_fclones, skb1);
+
+		kmemcheck_annotate_bitfield(&fclones->skb2, flags1);
+		skb->fclone = SKB_FCLONE_ORIG;
+		atomic_set(&fclones->fclone_ref, 1);
+
+		fclones->skb2.fclone = SKB_FCLONE_CLONE;
+		fclones->skb2.pfmemalloc = pfmemalloc;
+	}
+}
+
 /**
  *	__alloc_skb	-	allocate a network buffer
  *	@size: size to allocate
@@ -197,6 +369,7 @@ out:
  *	Buffers may only be allocated from interrupts using a @gfp_mask of
  *	%GFP_ATOMIC.
  */
+#ifndef CONFIG_SECURITY_TEMPESTA
 struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
 			    int flags, int node)
 {
@@ -235,41 +408,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
 	size = SKB_WITH_OVERHEAD(ksize(data));
 	prefetchw(data + size);
 
-	/*
-	 * Only clear those fields we need to clear, not those that we will
-	 * actually initialise below. Hence, don't put any more fields after
-	 * the tail pointer in struct sk_buff!
-	 */
-	memset(skb, 0, offsetof(struct sk_buff, tail));
-	/* Account for allocated memory : skb + skb->head */
-	skb->truesize = SKB_TRUESIZE(size);
-	skb->pfmemalloc = pfmemalloc;
-	atomic_set(&skb->users, 1);
-	skb->head = data;
-	skb->data = data;
-	skb_reset_tail_pointer(skb);
-	skb->end = skb->tail + size;
-	skb->mac_header = (typeof(skb->mac_header))~0U;
-	skb->transport_header = (typeof(skb->transport_header))~0U;
-
-	/* make sure we initialize shinfo sequentially */
-	shinfo = skb_shinfo(skb);
-	memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
-	atomic_set(&shinfo->dataref, 1);
-	kmemcheck_annotate_variable(shinfo->destructor_arg);
-
-	if (flags & SKB_ALLOC_FCLONE) {
-		struct sk_buff_fclones *fclones;
-
-		fclones = container_of(skb, struct sk_buff_fclones, skb1);
-
-		kmemcheck_annotate_bitfield(&fclones->skb2, flags1);
-		skb->fclone = SKB_FCLONE_ORIG;
-		atomic_set(&fclones->fclone_ref, 1);
-
-		fclones->skb2.fclone = SKB_FCLONE_CLONE;
-		fclones->skb2.pfmemalloc = pfmemalloc;
-	}
+	__alloc_skb_init(skb, data, size, flags, pfmemalloc);
 out:
 	return skb;
 nodata:
@@ -277,6 +416,42 @@ nodata:
 	skb = NULL;
 	goto out;
 }
+#else
+/**
+ * Tempesta: allocate skb on the same page with data to improve space locality
+ * and make head data fragmentation easier.
+ */
+struct sk_buff *
+__alloc_skb(unsigned int size, gfp_t gfp_mask, int flags, int node)
+{
+	struct sk_buff *skb;
+	struct page *pg;
+	u8 *data;
+	size_t skb_sz = (flags & SKB_ALLOC_FCLONE)
+			? SKB_DATA_ALIGN(sizeof(struct sk_buff_fclones))
+			: SKB_DATA_ALIGN(sizeof(struct sk_buff));
+	size_t shi_sz = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+	size_t n = skb_sz + shi_sz + SKB_DATA_ALIGN(size);
+
+	if (sk_memalloc_socks() && (flags & SKB_ALLOC_RX))
+		gfp_mask |= __GFP_MEMALLOC;
+
+	if (!(skb = __pg_skb_alloc(n, gfp_mask, node)))
+		return NULL;
+
+	data = (u8 *)skb + skb_sz;
+	size = SKB_WITH_OVERHEAD(PG_ALLOC_SZ(n) - skb_sz);
+	prefetchw(data + size);
+
+	pg = virt_to_head_page(data);
+	get_page(pg);
+	__alloc_skb_init(skb, data, size, flags, page_is_pfmemalloc(pg));
+	skb->head_frag = 1;
+	skb->skb_page = 1;
+
+	return skb;
+}
+#endif
 EXPORT_SYMBOL(__alloc_skb);
 
 /**
@@ -657,7 +832,12 @@ static void kfree_skbmem(struct sk_buff *skb)
 
 	switch (skb->fclone) {
 	case SKB_FCLONE_UNAVAILABLE:
-		kmem_cache_free(skbuff_head_cache, skb);
+#ifdef CONFIG_SECURITY_TEMPESTA
+		if (skb->skb_page)
+			put_page(virt_to_head_page(skb));
+		else
+#endif
+			kmem_cache_free(skbuff_head_cache, skb);
 		return;
 
 	case SKB_FCLONE_ORIG:
@@ -678,7 +858,12 @@ static void kfree_skbmem(struct sk_buff *skb)
 	if (!atomic_dec_and_test(&fclones->fclone_ref))
 		return;
 fastpath:
+#ifdef CONFIG_SECURITY_TEMPESTA
+	BUG_ON(!skb->skb_page);
+	put_page(virt_to_head_page(skb));
+#else
 	kmem_cache_free(skbuff_fclone_cache, fclones);
+#endif
 }
 
 static void skb_release_head_state(struct sk_buff *skb)
@@ -807,7 +992,8 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 	new->tstamp		= old->tstamp;
 	/* We do not copy old->sk */
 	new->dev		= old->dev;
-	memcpy(new->cb, old->cb, sizeof(old->cb));
+	memcpy(new->cb, old->cb, sizeof(old->cb) - sizeof(SsSkbCb));
+	TFW_SKB_CB_INIT(new);
 	skb_dst_copy(new, old);
 #ifdef CONFIG_XFRM
 	new->sp			= secpath_get(old->sp);
@@ -902,6 +1088,9 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
 struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src)
 {
 	skb_release_all(dst);
+#ifdef CONFIG_SECURITY_TEMPESTA
+	dst->skb_page = src->skb_page;
+#endif
 	return __skb_clone(dst, src);
 }
 EXPORT_SYMBOL_GPL(skb_morph);
@@ -995,6 +1184,9 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
 	    atomic_read(&fclones->fclone_ref) == 1) {
 		n = &fclones->skb2;
 		atomic_set(&fclones->fclone_ref, 2);
+#ifdef CONFIG_SECURITY_TEMPESTA
+		n->skb_page = skb->skb_page;
+#endif
 	} else {
 		if (skb_pfmemalloc(skb))
 			gfp_mask |= __GFP_MEMALLOC;
@@ -1005,6 +1197,9 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
 
 		kmemcheck_annotate_bitfield(n, flags1);
 		n->fclone = SKB_FCLONE_UNAVAILABLE;
+#ifdef CONFIG_SECURITY_TEMPESTA
+		n->skb_page = 0;
+#endif
 	}
 
 	return __skb_clone(n, skb);
@@ -1175,15 +1370,22 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	if (skb_shared(skb))
 		BUG();
 
-	size = SKB_DATA_ALIGN(size);
+	size = SKB_DATA_ALIGN(size)
+	       + SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
 
 	if (skb_pfmemalloc(skb))
 		gfp_mask |= __GFP_MEMALLOC;
-	data = kmalloc_reserve(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
-			       gfp_mask, NUMA_NO_NODE, NULL);
+#ifdef CONFIG_SECURITY_TEMPESTA
+	data = __pg_skb_alloc(size, gfp_mask, NUMA_NO_NODE);
+	if (!data)
+		goto nodata;
+	size = SKB_WITH_OVERHEAD(PG_ALLOC_SZ(size));
+#else
+	data = kmalloc_reserve(size, gfp_mask, NUMA_NO_NODE, NULL);
 	if (!data)
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(ksize(data));
+#endif
 
 	/* Copy only real data... and, alas, header. This should be
 	 * optimized for the cases when header is void.
@@ -1216,7 +1418,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	off = (data + nhead) - skb->head;
 
 	skb->head     = data;
+#ifdef CONFIG_SECURITY_TEMPESTA
+	skb->head_frag = 1;
+#else
 	skb->head_frag = 0;
+#endif
 	skb->data    += off;
 #ifdef NET_SKBUFF_DATA_USES_OFFSET
 	skb->end      = size;
@@ -1233,7 +1439,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	return 0;
 
 nofrags:
+#ifdef CONFIG_SECURITY_TEMPESTA
+	put_page(virt_to_head_page(data));
+#else
 	kfree(data);
+#endif
 nodata:
 	return -ENOMEM;
 }
@@ -3333,16 +3543,31 @@ done:
 
 void __init skb_init(void)
 {
-	skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
-					      sizeof(struct sk_buff),
-					      0,
-					      SLAB_HWCACHE_ALIGN|SLAB_PANIC,
-					      NULL);
+#ifdef CONFIG_SECURITY_TEMPESTA
+	int cpu, l;
+	for_each_possible_cpu(cpu)
+		for (l = 0; l < PG_LISTS_N; ++l) {
+			TfwSkbMemPool *pool = per_cpu_ptr(&pg_mpool[l], cpu);
+			INIT_LIST_HEAD(&pool->lh);
+			/*
+			 * Large chunks are also can be used to get smaller
+			 * chunks, so we cache them more aggressively.
+			 */
+			pool->h_limit = PG_POOL_HLIM_BASE << l;
+		}
+#else
 	skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
 						sizeof(struct sk_buff_fclones),
 						0,
 						SLAB_HWCACHE_ALIGN|SLAB_PANIC,
 						NULL);
+#endif
+
+	skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
+					      sizeof(struct sk_buff),
+					      0,
+					      SLAB_HWCACHE_ALIGN|SLAB_PANIC,
+					      NULL);
 }
 
 /**
@@ -4042,7 +4267,12 @@ void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
 {
 	if (head_stolen) {
 		skb_release_head_state(skb);
-		kmem_cache_free(skbuff_head_cache, skb);
+#ifdef CONFIG_SECURITY_TEMPESTA
+		if (skb->skb_page)
+			put_page(virt_to_head_page(skb));
+		else
+#endif
+			kmem_cache_free(skbuff_head_cache, skb);
 	} else {
 		__kfree_skb(skb);
 	}
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index bb2ce74..29f7ce1 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -282,6 +282,7 @@
 #include <net/busy_poll.h>
 
 int sysctl_tcp_fin_timeout __read_mostly = TCP_FIN_TIMEOUT;
+EXPORT_SYMBOL_GPL(sysctl_tcp_fin_timeout);
 
 int sysctl_tcp_min_tso_segs __read_mostly = 2;
 
@@ -601,11 +602,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
 }
 EXPORT_SYMBOL(tcp_ioctl);
 
-static inline void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb)
+void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb)
 {
 	TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_PSH;
 	tp->pushed_seq = tp->write_seq;
 }
+EXPORT_SYMBOL(tcp_mark_push);
 
 static inline bool forced_push(const struct tcp_sock *tp)
 {
@@ -654,8 +656,8 @@ static bool tcp_should_autocork(struct sock *sk, struct sk_buff *skb,
 	       atomic_read(&sk->sk_wmem_alloc) > skb->truesize;
 }
 
-static void tcp_push(struct sock *sk, int flags, int mss_now,
-		     int nonagle, int size_goal)
+void tcp_push(struct sock *sk, int flags, int mss_now, int nonagle,
+	      int size_goal)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct sk_buff *skb;
@@ -688,6 +690,7 @@ static void tcp_push(struct sock *sk, int flags, int mss_now,
 
 	__tcp_push_pending_frames(sk, mss_now, nonagle);
 }
+EXPORT_SYMBOL(tcp_push);
 
 static int tcp_splice_data_recv(read_descriptor_t *rd_desc, struct sk_buff *skb,
 				unsigned int offset, size_t len)
@@ -860,7 +863,7 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
 	return max(size_goal, mss_now);
 }
 
-static int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
+int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
 {
 	int mss_now;
 
@@ -869,6 +872,7 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
 
 	return mss_now;
 }
+EXPORT_SYMBOL(tcp_send_mss);
 
 static ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
 				size_t size, int flags)
@@ -1353,7 +1357,7 @@ static int tcp_peek_sndq(struct sock *sk, struct msghdr *msg, int len)
  * calculation of whether or not we must ACK for the sake of
  * a window update.
  */
-static void tcp_cleanup_rbuf(struct sock *sk, int copied)
+void tcp_cleanup_rbuf(struct sock *sk, int copied)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
 	bool time_to_ack = false;
@@ -1410,6 +1414,7 @@ static void tcp_cleanup_rbuf(struct sock *sk, int copied)
 	if (time_to_ack)
 		tcp_send_ack(sk);
 }
+EXPORT_SYMBOL(tcp_cleanup_rbuf);
 
 static void tcp_prequeue_process(struct sock *sk)
 {
@@ -1932,7 +1937,7 @@ static const unsigned char new_state[16] = {
   [TCP_NEW_SYN_RECV]	= TCP_CLOSE,	/* should not happen ! */
 };
 
-static int tcp_close_state(struct sock *sk)
+int tcp_close_state(struct sock *sk)
 {
 	int next = (int)new_state[sk->sk_state];
 	int ns = next & TCP_STATE_MASK;
@@ -1941,6 +1946,7 @@ static int tcp_close_state(struct sock *sk)
 
 	return next & TCP_ACTION_FIN;
 }
+EXPORT_SYMBOL(tcp_close_state);
 
 /*
  *	Shutdown the sending side of a connection. Much like close except
@@ -1980,6 +1986,7 @@ bool tcp_check_oom(struct sock *sk, int shift)
 		net_info_ratelimited("out of memory -- consider tuning tcp_mem\n");
 	return too_many_orphans || out_of_socket_memory;
 }
+EXPORT_SYMBOL(tcp_check_oom);
 
 void tcp_close(struct sock *sk, long timeout)
 {
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c9ab964..9f44b3e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -614,6 +614,7 @@ new_measure:
 	tp->rcvq_space.seq = tp->copied_seq;
 	tp->rcvq_space.time = tcp_time_stamp;
 }
+EXPORT_SYMBOL(tcp_rcv_space_adjust);
 
 /* There is something which you must keep in mind when you analyze the
  * behavior of the tp->ato delayed ack timeout interval.  When a
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 441ca6f..65f7be9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -62,6 +62,7 @@
 #include <linux/init.h>
 #include <linux/times.h>
 #include <linux/slab.h>
+#include <linux/tempesta.h>
 
 #include <net/net_namespace.h>
 #include <net/icmp.h>
@@ -157,8 +158,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 		return -EAFNOSUPPORT;
 
 	nexthop = daddr = usin->sin_addr.s_addr;
-	inet_opt = rcu_dereference_protected(inet->inet_opt,
-					     sock_owned_by_user(sk));
+	inet_opt = rcu_dereference_raw(inet->inet_opt);
 	if (inet_opt && inet_opt->opt.srr) {
 		if (!daddr)
 			return -EINVAL;
@@ -875,9 +875,7 @@ struct tcp_md5sig_key *tcp_md5_do_lookup(struct sock *sk,
 	const struct tcp_md5sig_info *md5sig;
 
 	/* caller either holds rcu_read_lock() or socket lock */
-	md5sig = rcu_dereference_check(tp->md5sig_info,
-				       sock_owned_by_user(sk) ||
-				       lockdep_is_held(&sk->sk_lock.slock));
+	md5sig = rcu_dereference_raw(tp->md5sig_info);
 	if (!md5sig)
 		return NULL;
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1318,6 +1316,14 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 	}
 #endif
 
+#ifdef CONFIG_SECURITY_TEMPESTA
+	/*
+	 * We need already initialized socket addresses,
+	 * so there is no appropriate security hook.
+	 */
+	if (tempesta_new_clntsk(newsk))
+		goto put_and_exit;
+#endif
 	if (__inet_inherit_port(sk, newsk) < 0)
 		goto put_and_exit;
 	__inet_hash_nolisten(newsk, NULL);
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 17e7339..c017159 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -352,6 +352,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
 	tcp_update_metrics(sk);
 	tcp_done(sk);
 }
+EXPORT_SYMBOL(tcp_time_wait);
 
 void tcp_twsk_destructor(struct sock *sk)
 {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 986440b..ac3af77 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -391,7 +391,7 @@ static void tcp_ecn_send(struct sock *sk, struct sk_buff *skb,
 /* Constructs common control bits of non-data skb. If SYN/FIN is present,
  * auto increment end seqno.
  */
-static void tcp_init_nondata_skb(struct sk_buff *skb, u32 seq, u8 flags)
+void tcp_init_nondata_skb(struct sk_buff *skb, u32 seq, u8 flags)
 {
 	struct skb_shared_info *shinfo = skb_shinfo(skb);
 
@@ -410,6 +410,7 @@ static void tcp_init_nondata_skb(struct sk_buff *skb, u32 seq, u8 flags)
 		seq++;
 	TCP_SKB_CB(skb)->end_seq = seq;
 }
+EXPORT_SYMBOL(tcp_init_nondata_skb);
 
 static inline bool tcp_urg_mode(const struct tcp_sock *tp)
 {
@@ -1043,7 +1044,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
  * NOTE: probe0 timer is not checked, do not forget tcp_push_pending_frames,
  * otherwise socket can stall.
  */
-static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
+void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
 
@@ -1054,6 +1055,7 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
 	sk->sk_wmem_queued += skb->truesize;
 	sk_mem_charge(sk, skb->truesize);
 }
+EXPORT_SYMBOL(tcp_queue_skb);
 
 /* Initialize TSO segments for a packet. */
 static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb,
@@ -1449,6 +1451,7 @@ unsigned int tcp_current_mss(struct sock *sk)
 
 	return mss_now;
 }
+EXPORT_SYMBOL(tcp_current_mss);
 
 /* RFC2861, slow part. Adjust cwnd, after it was not full during one rto.
  * As additional protections, we do not touch cwnd in retransmission phases,
@@ -2305,6 +2308,7 @@ void __tcp_push_pending_frames(struct sock *sk, unsigned int cur_mss,
 			   sk_gfp_atomic(sk, GFP_ATOMIC)))
 		tcp_check_probe_timer(sk);
 }
+EXPORT_SYMBOL(__tcp_push_pending_frames);
 
 /* Send _single_ skb sitting at the send head. This function requires
  * true push pending frames to setup probe timer etc.
@@ -2900,6 +2904,7 @@ void tcp_send_active_reset(struct sock *sk, gfp_t priority)
 
 	TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTRSTS);
 }
+EXPORT_SYMBOL(tcp_send_active_reset);
 
 /* Send a crossed SYN-ACK during socket establishment.
  * WARNING: This routine must only be called when we have already sent
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e541d68..f382d15 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -69,6 +69,7 @@
 
 #include <linux/crypto.h>
 #include <linux/scatterlist.h>
+#include <linux/tempesta.h>
 
 static void	tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb);
 static void	tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
@@ -1164,7 +1165,17 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 			       sk_gfp_atomic(sk, GFP_ATOMIC));
 	}
 #endif
-
+#ifdef CONFIG_SECURITY_TEMPESTA
+	/*
+	 * We need already initialized socket addresses,
+	 * so there is no appropriate security hook.
+	 */
+	if (tempesta_new_clntsk(newsk)) {
+		inet_csk_prepare_forced_close(newsk);
+		tcp_done(newsk);
+		goto out;
+	}
+#endif
 	if (__inet_inherit_port(sk, newsk) < 0) {
 		inet_csk_prepare_forced_close(newsk);
 		tcp_done(newsk);
@@ -1868,6 +1879,7 @@ struct proto tcpv6_prot = {
 #endif
 	.clear_sk		= tcp_v6_clear_sk,
 };
+EXPORT_SYMBOL(tcpv6_prot);
 
 static const struct inet6_protocol tcpv6_protocol = {
 	.early_demux	=	tcp_v6_early_demux,
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d139c43..cd02ab8 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2367,7 +2367,6 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 	 * sendmsg(), but that's what we've got...
 	 */
 	if (netlink_tx_is_mmaped(sk) &&
-	    msg->msg_iter.type == ITER_IOVEC &&
 	    msg->msg_iter.nr_segs == 1 &&
 	    msg->msg_iter.iov->iov_base == NULL) {
 		err = netlink_mmap_sendmsg(sk, msg, dst_portid, dst_group,
@@ -2728,8 +2727,13 @@ static int netlink_dump(struct sock *sk)
 	 * dump to use the excess space makes it difficult for a user to have a
 	 * reasonable static buffer based on the expected largest dump of a
 	 * single netdev. The outcome is MSG_TRUNC error.
+	 *
+	 * NETLINK_MMAP expects the same address offsets in kernel and user
+	 * spaces, so don't move skb data pointers for mmaped sockets.
 	 */
-	skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+	if (!netlink_rx_is_mmaped(sk))
+		skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+
 	netlink_skb_set_owner_r(skb, sk);
 
 	len = cb->dump(skb, cb);
diff --git a/net/socket.c b/net/socket.c
index 884e329..421ee32 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -162,6 +162,12 @@ static const struct file_operations socket_file_ops = {
 static DEFINE_SPINLOCK(net_family_lock);
 static const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
 
+const struct net_proto_family *get_proto_family(int family)
+{
+	return rcu_dereference(net_families[family]);
+}
+EXPORT_SYMBOL(get_proto_family);
+
 /*
  *	Statistics counters of the socket lists
  */
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c5ec977..621bfa5 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -159,6 +159,7 @@ GetOptions(
 
 help(0) if ($help);
 
+$check = 1;
 $fix = 1 if ($fix_inplace);
 $check_orig = $check;
 
@@ -3258,18 +3259,6 @@ sub process {
 			}
 		}
 
-# check for new typedefs, only function parameters and sparse annotations
-# make sense.
-		if ($line =~ /\btypedef\s/ &&
-		    $line !~ /\btypedef\s+$Type\s*\(\s*\*?$Ident\s*\)\s*\(/ &&
-		    $line !~ /\btypedef\s+$Type\s+$Ident\s*\(/ &&
-		    $line !~ /\b$typeTypedefs\b/ &&
-		    $line !~ /\b$typeOtherOSTypedefs\b/ &&
-		    $line !~ /\b__bitwise(?:__|)\b/) {
-			WARN("NEW_TYPEDEFS",
-			     "do not add new typedefs\n" . $herecurr);
-		}
-
 # * goes on variable not on type
 		# (char*[ const])
 		while ($line =~ m{(\($NonptrType(\s*(?:$Modifier\b\s*|\*\s*)+)\))}g) {
@@ -4387,19 +4376,6 @@ sub process {
 				}
 			}
 
-# check for macros with flow control, but without ## concatenation
-# ## concatenation is commonly a macro that defines a function so ignore those
-			if ($has_flow_statement && !$has_arg_concat) {
-				my $herectx = $here . "\n";
-				my $cnt = statement_rawlines($ctx);
-
-				for (my $n = 0; $n < $cnt; $n++) {
-					$herectx .= raw_line($linenr, $n) . "\n";
-				}
-				WARN("MACRO_WITH_FLOW_CONTROL",
-				     "Macros with flow control statements should be avoided\n" . "$herectx");
-			}
-
 # check for line continuations outside of #defines, preprocessor #, and asm
 
 		} else {
@@ -4450,17 +4426,6 @@ sub process {
 					WARN("DO_WHILE_MACRO_WITH_TRAILING_SEMICOLON",
 					     "do {} while (0) macros should not be semicolon terminated\n" . "$herectx");
 				}
-			} elsif ($dstat =~ /^\+\s*#\s*define\s+$Ident.*;\s*$/) {
-				$ctx =~ s/\n*$//;
-				my $cnt = statement_rawlines($ctx);
-				my $herectx = $here . "\n";
-
-				for (my $n = 0; $n < $cnt; $n++) {
-					$herectx .= raw_line($linenr, $n) . "\n";
-				}
-
-				WARN("TRAILING_SEMICOLON",
-				     "macros should not use a trailing semicolon\n" . "$herectx");
 			}
 		}
 
diff --git a/security/Kconfig b/security/Kconfig
index bf4ec46..be76e61 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -123,22 +123,26 @@ source security/smack/Kconfig
 source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
 source security/yama/Kconfig
+source security/tempesta/Kconfig
 
 source security/integrity/Kconfig
 
 choice
 	prompt "Default security module"
+	default DEFAULT_SECURITY_TEMPESTA if SECURITY_TEMPESTA
 	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
 	default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
-	default DEFAULT_SECURITY_DAC
 
 	help
 	  Select the security module that will be used by default if the
 	  kernel parameter security= is not specified.
 
+	config DEFAULT_SECURITY_TEMPESTA
+		bool "Tempesta FW" if SECURITY_TEMPESTA=y
+
 	config DEFAULT_SECURITY_SELINUX
 		bool "SELinux" if SECURITY_SELINUX=y
 
@@ -161,6 +165,7 @@ endchoice
 
 config DEFAULT_SECURITY
 	string
+	default "tempesta" if DEFAULT_SECURITY_TEMPESTA
 	default "selinux" if DEFAULT_SECURITY_SELINUX
 	default "smack" if DEFAULT_SECURITY_SMACK
 	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
diff --git a/security/Makefile b/security/Makefile
index 05f1c93..a93bf93 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
+subdir-$(CONFIG_SECURITY_TEMPESTA)	+= tempesta
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT)			+= lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
+obj-$(CONFIG_SECURITY_TEMPESTA)		+= tempesta/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists
diff --git a/security/security.c b/security/security.c
index 8e9b1f4..4d2ee48 100644
--- a/security/security.c
+++ b/security/security.c
@@ -26,6 +26,7 @@
 #include <linux/personality.h>
 #include <linux/backing-dev.h>
 #include <net/flow.h>
+#include <net/sock.h>
 
 #define MAX_LSM_EVM_XATTR	2
 
@@ -1254,6 +1255,8 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 
 int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
 {
+	sk->sk_security = NULL;
+
 	return security_ops->sk_alloc_security(sk, family, priority);
 }
 
diff --git a/security/tempesta/Kconfig b/security/tempesta/Kconfig
new file mode 100644
index 0000000..0fa2cb4
--- /dev/null
+++ b/security/tempesta/Kconfig
@@ -0,0 +1,14 @@
+config SECURITY_TEMPESTA
+	bool "Tempesta FW Support"
+	depends on SECURITY && NET && INET
+	select SECURITY_NETWORK
+	select RPS
+	select CRYPTO
+	select CRYPTO_HMAC
+	select CRYPTO_SHA1
+	select CRYPTO_SHA1_SSSE3
+	default y
+	help
+	  This selects Tempesta FW security module.
+	  Further information may be found at https://github.com/natsys/tempesta
+	  If you are unsure how to answer this question, answer N.
diff --git a/security/tempesta/Makefile b/security/tempesta/Makefile
new file mode 100644
index 0000000..4c439ac
--- /dev/null
+++ b/security/tempesta/Makefile
@@ -0,0 +1,3 @@
+obj-y := tempesta.o
+
+tempesta-y := tempesta_lsm.o
diff --git a/security/tempesta/tempesta_lsm.c b/security/tempesta/tempesta_lsm.c
new file mode 100644
index 0000000..c8dc8ef
--- /dev/null
+++ b/security/tempesta/tempesta_lsm.c
@@ -0,0 +1,134 @@
+/**
+ *		Tempesta FW
+ *
+ * Copyright (C) 2014 NatSys Lab. (info@natsys-lab.com).
+ * Copyright (C) 2015 Tempesta Technologies, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59
+ * Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+#include <linux/ipv6.h>
+#include <linux/security.h>
+#include <linux/spinlock.h>
+#include <linux/tempesta.h>
+
+static TempestaOps __rcu *tempesta_ops = NULL;
+static DEFINE_SPINLOCK(tops_lock);
+
+void
+tempesta_register_ops(TempestaOps *tops)
+{
+	spin_lock(&tops_lock);
+
+	BUG_ON(tempesta_ops);
+
+	rcu_assign_pointer(tempesta_ops, tops);
+
+	spin_unlock(&tops_lock);
+}
+EXPORT_SYMBOL(tempesta_register_ops);
+
+void
+tempesta_unregister_ops(TempestaOps *tops)
+{
+	spin_lock(&tops_lock);
+
+	BUG_ON(tempesta_ops != tops);
+
+	rcu_assign_pointer(tempesta_ops, NULL);
+
+	spin_unlock(&tops_lock);
+
+	/*
+	 * tempesta_ops is called in softirq only, so if there are some users
+	 * of the structures then they are active on their CPUs.
+	 * After the below we can be sure that nobody refers @tops and we can
+	 * go forward and destroy it.
+	 */
+	synchronize_rcu();
+}
+EXPORT_SYMBOL(tempesta_unregister_ops);
+
+int
+tempesta_new_clntsk(struct sock *newsk)
+{
+	int r = 0;
+
+	TempestaOps *tops;
+
+	WARN_ON(newsk->sk_security);
+
+	rcu_read_lock();
+
+	tops = rcu_dereference(tempesta_ops);
+	if (likely(tops))
+		r = tops->sk_alloc(newsk);
+
+	rcu_read_unlock();
+
+	return r;
+}
+EXPORT_SYMBOL(tempesta_new_clntsk);
+
+static void
+tempesta_sk_free(struct sock *sk)
+{
+	TempestaOps *tops;
+
+	if (!sk->sk_security)
+		return;
+
+	rcu_read_lock();
+
+	tops = rcu_dereference(tempesta_ops);
+	if (likely(tops))
+		tops->sk_free(sk);
+
+	rcu_read_unlock();
+}
+
+static int
+tempesta_sock_tcp_rcv(struct sock *sk, struct sk_buff *skb)
+{
+	int r = 0;
+	TempestaOps *tops;
+
+	rcu_read_lock();
+
+	tops = rcu_dereference(tempesta_ops);
+	if (likely(tops)) {
+		if (skb->protocol == htons(ETH_P_IP))
+			r = tops->sock_tcp_rcv(sk, skb);
+	}
+
+	rcu_read_unlock();
+
+	return r;
+}
+
+static struct security_operations tempesta_sec_ops __read_mostly = {
+	.sk_free_security	= tempesta_sk_free,
+	.socket_sock_rcv_skb	= tempesta_sock_tcp_rcv,
+};
+
+static __init int
+tempesta_init(void)
+{
+	if (register_security(&tempesta_sec_ops))
+		panic("Tempesta: kernel security registration failed.\n");
+
+	return 0;
+}
+
+security_initcall(tempesta_init);