PORTREVISION=	1

diff --git a/acls.c b/acls.c

index 4303c2a7..a2f966a1 100644

--- a/acls.c

+++ b/acls.c

@@ -31,6 +31,7 @@ extern int list_only;

 extern int orig_umask;

 extern int numeric_ids;

 extern int inc_recurse;

+extern int protocol_version;

 extern int preserve_devices;

 extern int preserve_specials;

@@ -78,20 +79,35 @@ typedef struct rsync_acl {

 	uchar other_obj;

 } rsync_acl;

+typedef struct nfs4_acl {

+	char *nfs4_acl_text;

+	ssize_t nfs4_acl_len;

+} nfs4_acl;

+

 typedef struct {

 	rsync_acl racl;

 	SMB_ACL_T sacl;

 } acl_duo;

+typedef struct {

+	nfs4_acl nacl;

+	SMB_ACL_T sacl;

+} nfs4_duo;

+

 static const rsync_acl empty_rsync_acl = {

 	{NULL, 0}, NO_ENTRY, NO_ENTRY, NO_ENTRY, NO_ENTRY

 };

+static const nfs4_acl empty_nfs4_acl = {

+	NULL, -1

+};

 static item_list access_acl_list = EMPTY_ITEM_LIST;

 static item_list default_acl_list = EMPTY_ITEM_LIST;

+static item_list nfs4_acl_list = EMPTY_ITEM_LIST;

 static size_t prior_access_count = (size_t)-1;

 static size_t prior_default_count = (size_t)-1;

+static size_t prior_nfs4_count = (size_t)-1;

 /* === Calculations on ACL types === */

@@ -112,6 +128,18 @@ static const char *str_acl_type(SMB_ACL_TYPE_T type)

 	return "unknown ACL type!";

 }

+#define OTHER_TYPE(t) (SMB_ACL_TYPE_ACCESS+SMB_ACL_TYPE_DEFAULT-(t))

+#define BUMP_TYPE(t) ((t = OTHER_TYPE(t)) == SMB_ACL_TYPE_DEFAULT)

+

+static int old_count_racl_entries(const rsync_acl *racl)

+{

+	return racl->names.count

+	     + (racl->user_obj != NO_ENTRY)

+	     + (racl->group_obj != NO_ENTRY)

+	     + (racl->mask_obj != NO_ENTRY)

+	     + (racl->other_obj != NO_ENTRY);

+}

+

 static int calc_sacl_entries(const rsync_acl *racl)

 {

 	/* A System ACL always gets user/group/other permission entries. */

@@ -173,6 +201,17 @@ static rsync_acl *create_racl(void)

 	return racl;

 }

+static nfs4_acl *create_nfs4_acl(void)

+{

+	nfs4_acl *nacl = new(nfs4_acl);

+

+	if (!nacl)

+		out_of_memory("create_nfs4_acl");

+	*nacl = empty_nfs4_acl;

+

+	return nacl;

+}

+

 static BOOL ida_entries_equal(const ida_entries *ial1, const ida_entries *ial2)

 {

 	id_access *ida1, *ida2;

@@ -197,6 +236,11 @@ static BOOL rsync_acl_equal(const rsync_acl *racl1, const rsync_acl *racl2)

 	    && ida_entries_equal(&racl1->names, &racl2->names);

 }

+static BOOL nfs4_acl_equal(const nfs4_acl *nacl1, const nfs4_acl *nacl2)

+{

+	return (strcmp(nacl1->nfs4_acl_text, nacl2->nfs4_acl_text) == 0);

+}

+

 /* Are the extended (non-permission-bit) entries equal?  If so, the rest of

  * the ACL will be handled by the normal mode-preservation code.  This is

  * only meaningful for access ACLs!  Note: the 1st arg is a fully-populated

@@ -230,6 +274,13 @@ static void rsync_acl_free(rsync_acl *racl)

 	*racl = empty_rsync_acl;

 }

+static void nfs4_acl_free(nfs4_acl *nacl)

+{

+	if (nacl->nfs4_acl_text)

+		free(nacl->nfs4_acl_text);

+	*nacl = empty_nfs4_acl;

+}

+

 void free_acl(stat_x *sxp)

 {

 	if (sxp->acc_acl) {

@@ -242,6 +293,11 @@ void free_acl(stat_x *sxp)

 		free(sxp->def_acl);

 		sxp->def_acl = NULL;

 	}

+	if (sxp->nfs4_acl) {

+		nfs4_acl_free(sxp->nfs4_acl);

+		free(sxp->nfs4_acl);

+		sxp->nfs4_acl = NULL;

+	}

 }

 #ifdef SMB_ACL_NEED_SORT

@@ -469,6 +525,26 @@ static int find_matching_rsync_acl(const rsync_acl *racl, SMB_ACL_TYPE_T type,

 	return *match;

 }

+static int find_matching_nfs4_acl(const nfs4_acl *nacl, const item_list *nfs4_acl_list)

+{

+	static int nfs4_match = -1;

+	int *match = &nfs4_match;

+	size_t count = nfs4_acl_list->count;

+

+	if (*match == -1)

+		*match = nfs4_acl_list->count - 1;

+	while (count--) {

+		nfs4_acl *base = nfs4_acl_list->items;

+		if (nfs4_acl_equal(base + *match, nacl))

+			return *match;

+		if (!(*match)--)

+			*match = nfs4_acl_list->count - 1;

+	}

+

+	*match = -1;

+	return *match;

+}

+

 static int get_rsync_acl(const char *fname, rsync_acl *racl,

 			 SMB_ACL_TYPE_T type, mode_t mode)

 {

@@ -537,6 +613,21 @@ static int get_rsync_acl(const char *fname, rsync_acl *racl,

 /* Return the Access Control List for the given filename. */

 int get_acl(const char *fname, stat_x *sxp)

 {

+	if (sys_acl_get_brand_file(fname, &sxp->brand) < 0)

+		return -1;

+

+	if (sxp->brand == SMB_ACL_BRAND_NFS4) {

+		SMB_ACL_T sacl;

+		if ((sacl = sys_acl_get_file(fname, SMB_ACL_TYPE_NFS4)) == NULL)

+			return -1;

+

+		sxp->nfs4_acl = create_nfs4_acl();

+		sxp->nfs4_acl->nfs4_acl_text = acl_to_text(sacl, &sxp->nfs4_acl->nfs4_acl_len);

+

+		sys_acl_free_acl(sacl);

+		return 0;

+	}

+

 	sxp->acc_acl = create_racl();

 	if (S_ISREG(sxp->st.st_mode) || S_ISDIR(sxp->st.st_mode)) {

@@ -574,6 +665,96 @@ int get_acl(const char *fname, stat_x *sxp)

 	return 0;

 }

+/* === OLD Send functions === */

+

+/* Send the ida list over the file descriptor. */

+static void old_send_ida_entries(int f, const ida_entries *idal, char tag_char)

+{

+	id_access *ida;

+	size_t count = idal->count;

+	for (ida = idal->idas; count--; ida++) {

+		if (tag_char == 'U') {

+			if (!(ida->access & NAME_IS_USER))

+				continue;

+			add_uid(ida->id);

+		} else {

+			if (ida->access & NAME_IS_USER)

+				continue;

+			add_gid(ida->id);

+		}

+		write_byte(f, tag_char);

+		write_byte(f, ida->access);

+		write_int(f, ida->id);

+	}

+}

+

+/* Send an rsync ACL over the file descriptor. */

+static void old_send_rsync_acl(int f, const rsync_acl *racl)

+{

+	size_t count = old_count_racl_entries(racl);

+	write_int(f, count);

+	if (racl->user_obj != NO_ENTRY) {

+		write_byte(f, 'u');

+		write_byte(f, racl->user_obj);

+	}

+	old_send_ida_entries(f, &racl->names, 'U');

+	if (racl->group_obj != NO_ENTRY) {

+		write_byte(f, 'g');

+		write_byte(f, racl->group_obj);

+	}

+	old_send_ida_entries(f, &racl->names, 'G');

+	if (racl->mask_obj != NO_ENTRY) {

+		write_byte(f, 'm');

+		write_byte(f, racl->mask_obj);

+	}

+	if (racl->other_obj != NO_ENTRY) {

+		write_byte(f, 'o');

+		write_byte(f, racl->other_obj);

+	}

+}

+

+/* Send the ACL from the stat_x structure down the indicated file descriptor.

+ * This also frees the ACL data. */

+void old_send_acl(stat_x *sxp, int f)

+{

+	SMB_ACL_TYPE_T type;

+	rsync_acl *racl, *new_racl;

+	item_list *racl_list;

+	int ndx;

+

+	type = SMB_ACL_TYPE_ACCESS;

+	racl = sxp->acc_acl;

+	racl_list = &access_acl_list;

+	do {

+		if (!racl) {

+			racl = new(rsync_acl);

+			if (!racl)

+				out_of_memory("send_acl");

+			*racl = empty_rsync_acl;

+			if (type == SMB_ACL_TYPE_ACCESS) {

+				rsync_acl_fake_perms(racl, sxp->st.st_mode);

+				sxp->acc_acl = racl;

+			} else

+				sxp->def_acl = racl;

+		}

+

+		if ((ndx = find_matching_rsync_acl(racl, type, racl_list)) != -1) {

+			write_byte(f, type == SMB_ACL_TYPE_ACCESS ? 'a' : 'd');

+			write_int(f, ndx);

+		} else {

+			new_racl = EXPAND_ITEM_LIST(racl_list, rsync_acl, 1000);

+			write_byte(f, type == SMB_ACL_TYPE_ACCESS ? 'A' : 'D');

+			old_send_rsync_acl(f, racl);

+			*new_racl = *racl;

+			*racl = empty_rsync_acl;

+		}

+		racl = sxp->def_acl;

+		racl_list = &default_acl_list;

+	} while (BUMP_TYPE(type) && S_ISDIR(sxp->st.st_mode));

+

+	free_acl(sxp);

+}

+

 /* === Send functions === */

 /* Send the ida list over the file descriptor. */

@@ -645,10 +826,40 @@ static void send_rsync_acl(int f, rsync_acl *racl, SMB_ACL_TYPE_T type,

 	}

 }

+static void send_nfs4_acl(int f, nfs4_acl *nacl, item_list *nfs4_list)

+{

+	int ndx = find_matching_nfs4_acl(nacl, nfs4_list);

+

+	/* Send 0 (-1 + 1) to indicate that literal ACL data follows. */

+	write_varint(f, ndx + 1);

+

+	if (ndx < 0) {

+		nfs4_acl *new_nacl = EXPAND_ITEM_LIST(&nfs4_acl_list, nfs4_acl, 1000);

+

+		write_varint(f, nacl->nfs4_acl_len);

+		write_buf(f, nacl->nfs4_acl_text, nacl->nfs4_acl_len);

+

+		*new_nacl = *nacl;

+		*nacl = empty_nfs4_acl;

+	}

+}

+

+

 /* Send the ACL from the stat_x structure down the indicated file descriptor.

  * This also frees the ACL data. */

 void send_acl(int f, stat_x *sxp)

 {

+	if (protocol_version < 30) {

+		old_send_acl(sxp, f);

+		return;

+	}

+

+	if (sxp->brand == SMB_ACL_BRAND_NFS4) {

+		write_varint(f, SMB_ACL_TYPE_NFS4);

+		send_nfs4_acl(f, sxp->nfs4_acl, &nfs4_acl_list);

+		return;

+	}

+

 	if (!sxp->acc_acl) {

 		sxp->acc_acl = create_racl();

 		rsync_acl_fake_perms(sxp->acc_acl, sxp->st.st_mode);

@@ -656,16 +867,172 @@ void send_acl(int f, stat_x *sxp)

 	/* Avoid sending values that can be inferred from other data. */

 	rsync_acl_strip_perms(sxp);

+	write_varint(f, SMB_ACL_TYPE_ACCESS);

 	send_rsync_acl(f, sxp->acc_acl, SMB_ACL_TYPE_ACCESS, &access_acl_list);

 	if (S_ISDIR(sxp->st.st_mode)) {

 		if (!sxp->def_acl)

 			sxp->def_acl = create_racl();

+		write_varint(f, SMB_ACL_TYPE_DEFAULT);

 		send_rsync_acl(f, sxp->def_acl, SMB_ACL_TYPE_DEFAULT, &default_acl_list);

 	}

 }

+/* === OLD Receive functions */

+

+static void old_recv_rsync_acl(rsync_acl *racl, int f)

+{

+	static item_list temp_ida_list = EMPTY_ITEM_LIST;

+	SMB_ACL_TAG_T tag_type = 0;

+	uchar computed_mask_bits = 0;

+	id_access *ida;

+	size_t count;

+

+	if (!(count = read_int(f)))

+		return;

+

+	while (count--) {

+		char tag = read_byte(f);

+		uchar access = read_byte(f);

+		if (access & ~ (4 | 2 | 1)) {

+			rprintf(FERROR, "old_recv_rsync_acl: bogus permset %o\n",

+				access);

+			exit_cleanup(RERR_STREAMIO);

+		}

+		switch (tag) {

+		case 'u':

+			if (racl->user_obj != NO_ENTRY) {

+				rprintf(FERROR, "old_recv_rsync_acl: error: duplicate USER_OBJ entry\n");

+				exit_cleanup(RERR_STREAMIO);

+			}

+			racl->user_obj = access;

+			continue;

+		case 'U':

+			tag_type = SMB_ACL_USER;

+			break;

+		case 'g':

+			if (racl->group_obj != NO_ENTRY) {

+				rprintf(FERROR, "old_recv_rsync_acl: error: duplicate GROUP_OBJ entry\n");

+				exit_cleanup(RERR_STREAMIO);

+			}

+			racl->group_obj = access;

+			continue;

+		case 'G':

+			tag_type = SMB_ACL_GROUP;

+			break;

+		case 'm':

+			if (racl->mask_obj != NO_ENTRY) {

+				rprintf(FERROR, "old_recv_rsync_acl: error: duplicate MASK entry\n");

+				exit_cleanup(RERR_STREAMIO);

+			}

+			racl->mask_obj = access;

+			continue;

+		case 'o':

+			if (racl->other_obj != NO_ENTRY) {

+				rprintf(FERROR, "old_recv_rsync_acl: error: duplicate OTHER entry\n");

+				exit_cleanup(RERR_STREAMIO);

+			}

+			racl->other_obj = access;

+			continue;

+		default:

+			rprintf(FERROR, "old_recv_rsync_acl: unknown tag %c\n",

+				tag);

+			exit_cleanup(RERR_STREAMIO);

+		}

+		ida = EXPAND_ITEM_LIST(&temp_ida_list, id_access, -10);

+		ida->access = access | (tag_type == SMB_ACL_USER ? NAME_IS_USER : 0);

+		ida->id = read_int(f);

+		computed_mask_bits |= access;

+	}

+

+	/* Transfer the count id_access items out of the temp_ida_list

+	 * into the names ida_entries list in racl. */

+	if (temp_ida_list.count) {

+#ifdef SMB_ACL_NEED_SORT

+		if (temp_ida_list.count > 1) {

+			qsort(temp_ida_list.items, temp_ida_list.count,

+			      sizeof (id_access), id_access_sorter);

+		}

+#endif

+		if (!(racl->names.idas = new_array(id_access, temp_ida_list.count)))

+			out_of_memory("unpack_smb_acl");

+		memcpy(racl->names.idas, temp_ida_list.items,

+		       temp_ida_list.count * sizeof (id_access));

+	} else

+		racl->names.idas = NULL;

+

+	racl->names.count = temp_ida_list.count;

+

+	/* Truncate the temporary list now that its idas have been saved. */

+	temp_ida_list.count = 0;

+

+	if (!racl->names.count) {

+		/* If we received a superfluous mask, throw it away. */

+		if (racl->mask_obj != NO_ENTRY) {

+			/* Mask off the group perms with it first. */

+			racl->group_obj &= racl->mask_obj | NO_ENTRY;

+			racl->mask_obj = NO_ENTRY;

+		}

+	} else if (racl->mask_obj == NO_ENTRY) /* Must be non-empty with lists. */

+		racl->mask_obj = (computed_mask_bits | racl->group_obj) & 7;

+}

+

+/* Receive the ACL info the sender has included for this file-list entry. */

+void old_recv_acl(struct file_struct *file, int f)

+{

+	SMB_ACL_TYPE_T type;

+	item_list *racl_list;

+

+	if (S_ISLNK(file->mode))

+		return;

+

+	type = SMB_ACL_TYPE_ACCESS;

+	racl_list = &access_acl_list;

+	do {

+		char tag = read_byte(f);

+		int ndx;

+

+		if (tag == 'A' || tag == 'a') {

+			if (type != SMB_ACL_TYPE_ACCESS) {

+				rprintf(FERROR, "receive_acl %s: duplicate access ACL\n",

+					f_name(file, NULL));

+				exit_cleanup(RERR_STREAMIO);

+			}

+		} else if (tag == 'D' || tag == 'd') {

+			if (type == SMB_ACL_TYPE_ACCESS) {

+				rprintf(FERROR, "receive_acl %s: expecting access ACL; got default\n",

+					f_name(file, NULL));

+				exit_cleanup(RERR_STREAMIO);

+			}

+		} else {

+			rprintf(FERROR, "receive_acl %s: unknown ACL type tag: %c\n",

+				f_name(file, NULL), tag);

+			exit_cleanup(RERR_STREAMIO);

+		}

+		if (tag == 'A' || tag == 'D') {

+			acl_duo *duo_item;

+			ndx = racl_list->count;

+			duo_item = EXPAND_ITEM_LIST(racl_list, acl_duo, 1000);

+			duo_item->racl = empty_rsync_acl;

+			old_recv_rsync_acl(&duo_item->racl, f);

+			duo_item->sacl = NULL;

+		} else {

+			ndx = read_int(f);

+			if (ndx < 0 || (size_t)ndx >= racl_list->count) {

+				rprintf(FERROR, "receive_acl %s: %s ACL index %d out of range\n",

+					f_name(file, NULL), str_acl_type(type), ndx);

+				exit_cleanup(RERR_STREAMIO);

+			}

+		}

+		if (type == SMB_ACL_TYPE_ACCESS)

+			F_ACL(file) = ndx;

+		else

+			F_DIR_DEFACL(file) = ndx;

+		racl_list = &default_acl_list;

+	} while (BUMP_TYPE(type) && S_ISDIR(file->mode));

+}

+

 /* === Receive functions === */

 static uint32 recv_acl_access(int f, uchar *name_follows_ptr)

@@ -779,10 +1146,58 @@ static int recv_rsync_acl(int f, item_list *racl_list, SMB_ACL_TYPE_T type, mode

 	return ndx;

 }

+

+static int recv_nfs4_acl(int f, item_list *nfs4_acl_list, struct file_struct *file __unused)

+{

+	nfs4_duo *duo_item;

+	int ndx = read_varint(f);

+

+	if (ndx < 0 || (size_t)ndx > nfs4_acl_list->count) {

+		rprintf(FERROR_XFER, "recv_nfs4_index: %s ACL index %d > %d\n",

+			str_acl_type(SMB_ACL_TYPE_NFS4), ndx, (int)nfs4_acl_list->count);

+		exit_cleanup(RERR_STREAMIO);

+	}

+

+	if (ndx != 0)

+		return ndx - 1;

+

+	ndx = nfs4_acl_list->count;

+	duo_item = EXPAND_ITEM_LIST(nfs4_acl_list, nfs4_duo, 1000);

+	duo_item->nacl = empty_nfs4_acl;

+

+	duo_item->nacl.nfs4_acl_len = read_varint(f);

+	duo_item->nacl.nfs4_acl_text = new_array(char, duo_item->nacl.nfs4_acl_len + 1);

+	if (!duo_item->nacl.nfs4_acl_text)

+		out_of_memory("recv_nfs4_acl");

+

+	read_buf(f, duo_item->nacl.nfs4_acl_text, duo_item->nacl.nfs4_acl_len);

+	duo_item->nacl.nfs4_acl_text[duo_item->nacl.nfs4_acl_len] = 0;

+

+	duo_item->sacl = NULL;

+	return ndx;

+}

+

+

 /* Receive the ACL info the sender has included for this file-list entry. */

 void receive_acl(int f, struct file_struct *file)

 {

-	F_ACL(file) = recv_rsync_acl(f, &access_acl_list, SMB_ACL_TYPE_ACCESS, file->mode);

+	int ndx;

+	SMB_ACL_TYPE_T type;

+

+	if (protocol_version < 30) {

+		old_recv_acl(file, f);

+		return;

+	}

+

+	type = read_varint(f);

+	if (type == SMB_ACL_TYPE_NFS4){

+		ndx = recv_nfs4_acl(f, &nfs4_acl_list, file);

+		F_ACL(file) = ndx;

+		return;

+	}

+

+	ndx = recv_rsync_acl(f, &access_acl_list, SMB_ACL_TYPE_ACCESS, file->mode);

+	F_ACL(file) = ndx;

 	if (S_ISDIR(file->mode))

 		F_DIR_DEFACL(file) = recv_rsync_acl(f, &default_acl_list, SMB_ACL_TYPE_DEFAULT, 0);

@@ -806,10 +1221,37 @@ static int cache_rsync_acl(rsync_acl *racl, SMB_ACL_TYPE_T type, item_list *racl

 	return ndx;

 }

+static int cache_nfs4_acl(nfs4_acl *nacl, item_list *nfs4_list)

+{

+	int ndx;

+

+	if (!nacl)

+		ndx = -1;

+	else if ((ndx = find_matching_nfs4_acl(nacl, nfs4_list)) == -1) {

+		nfs4_duo *new_duo;

+		ndx = nfs4_list->count;

+		new_duo = EXPAND_ITEM_LIST(nfs4_list, nfs4_duo, 1000);

+		new_duo->nacl = *nacl;

+		new_duo->sacl = NULL;

+		*nacl = empty_nfs4_acl;

+	}

+

+	return ndx;

+}

+

+

 /* Turn the ACL data in stat_x into cached ACL data, setting the index

  * values in the file struct. */

 void cache_tmp_acl(struct file_struct *file, stat_x *sxp)

 {

+	if (sxp->brand == SMB_ACL_BRAND_NFS4) {

+		if (prior_nfs4_count == (size_t)-1)

+			prior_nfs4_count = nfs4_acl_list.count;

+

+		F_ACL(file) = cache_nfs4_acl(sxp->nfs4_acl, &nfs4_acl_list);

+		return;

+	}

+

 	if (prior_access_count == (size_t)-1)

 		prior_access_count = access_acl_list.count;

@@ -837,6 +1279,21 @@ static void uncache_duo_acls(item_list *duo_list, size_t start)

 	}

 }

+static void uncache_nfs4_acls(item_list *nfs4_list, size_t start)

+{

+	nfs4_duo *nfs4_item = nfs4_list->items;

+	nfs4_duo *nfs4_start = nfs4_item + start;

+

+	nfs4_item += nfs4_list->count;

+	nfs4_list->count = start;

+

+	while (nfs4_item-- > nfs4_start) {

+		nfs4_acl_free(&nfs4_item->nacl);

+		if (nfs4_item->sacl)

+			sys_acl_free_acl(nfs4_item->sacl);

+	}

+}

+

 void uncache_tmp_acls(void)

 {

 	if (prior_access_count != (size_t)-1) {

@@ -848,6 +1305,10 @@ void uncache_tmp_acls(void)

 		uncache_duo_acls(&default_acl_list, prior_default_count);

 		prior_default_count = (size_t)-1;

 	}

+	if (prior_nfs4_count != (size_t)-1) {

+		uncache_nfs4_acls(&nfs4_acl_list, prior_nfs4_count);

+		prior_nfs4_count = (size_t)-1;

+	}

 }

 #ifndef HAVE_OSX_ACLS

@@ -999,6 +1460,7 @@ static int set_rsync_acl(const char *fname, acl_duo *duo_item,

 	return 0;

 }

+

 /* Given a fname, this sets extended access ACL entries, the default ACL (for a

  * dir), and the regular mode bits on the file.  Call this with fname set to

  * NULL to just check if the ACL is different.

@@ -1018,6 +1480,32 @@ int set_acl(const char *fname, const struct file_struct *file, stat_x *sxp, mode

 		return -1;

 	}

+	if (sxp->brand == SMB_ACL_BRAND_NFS4) {

+		ndx = F_ACL(file);

+		if (ndx >= 0 && (size_t)ndx < nfs4_acl_list.count) {

+			nfs4_duo *duo_item = nfs4_acl_list.items;

+			duo_item += ndx;

+			changed = 1;

+

+			if (!duo_item->sacl) {

+				duo_item->sacl = acl_from_text(duo_item->nacl.nfs4_acl_text);

+				if (!duo_item->sacl)

+					return -1;

+			}

+

+			if (!dry_run && fname) {

+				if (sys_acl_set_file(fname, SMB_ACL_TYPE_NFS4, duo_item->sacl) < 0) {

+					rsyserr(FERROR_XFER, errno, "set_acl: sys_acl_set_file(%s, %s)",

+						fname, str_acl_type(SMB_ACL_TYPE_NFS4));

+					return -1;

+				}

+

+				return changed;

+			}

+		}

+	}

+

+

 	ndx = F_ACL(file);

 	if (ndx >= 0 && (size_t)ndx < access_acl_list.count) {

 		acl_duo *duo_item = access_acl_list.items;

diff --git a/hlink.c b/hlink.c

index adec89b0..8d3982b2 100644

--- a/hlink.c

+++ b/hlink.c

@@ -422,7 +422,9 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,

 				else {

 					sxp->acc_acl = alt_sx.acc_acl;

 					sxp->def_acl = alt_sx.def_acl;

+					sxp->nfs4_acl = alt_sx.nfs4_acl;

 					alt_sx.acc_acl = alt_sx.def_acl = NULL;

+					alt_sx.nfs4_acl = NULL;

 				}

 			}

 #endif

diff --git a/ifuncs.h b/ifuncs.h

index 4037639b..fd3afb61 100644

--- a/ifuncs.h

+++ b/ifuncs.h

@@ -77,6 +77,7 @@ init_stat_x(stat_x *sx_p)

 {

 #ifdef SUPPORT_ACLS

 	sx_p->acc_acl = sx_p->def_acl = NULL;

+	sx_p->nfs4_acl = NULL;

 #endif

 #ifdef SUPPORT_XATTRS

 	sx_p->xattr = NULL;

diff --git a/lib/sysacls.c b/lib/sysacls.c

index c23864fe..f049fbad 100644

--- a/lib/sysacls.c

+++ b/lib/sysacls.c

@@ -80,12 +80,36 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)

 	return acl_get_file(path_p, type);

 }

-#if 0

 SMB_ACL_T sys_acl_get_fd(int fd)

 {

 	return acl_get_fd(fd);

 }

-#endif

+

+int sys_acl_get_brand( SMB_ACL_T the_acl, int *brand_p)

+{

+	return acl_get_brand_np(the_acl, brand_p);

+}

+

+int sys_acl_get_brand_file( const char *path_p, int *brand_p)

+{

+	int fd;

+	acl_t acl;

+

+	if ((fd = open(path_p, O_RDONLY|O_NONBLOCK)) < 0)

+		return -1;

+	if ((acl = acl_get_fd(fd)) == NULL) {

+		close(fd);

+		return -1;

+	}

+	close(fd);

+	if (acl_get_brand_np(acl, brand_p) < 0) {

+		acl_free(acl);

+		return -1;

+	}

+

+	acl_free(acl);

+	return 0;

+}

 #if defined(HAVE_ACL_GET_PERM_NP)

 #define acl_get_perm(p, b) acl_get_perm_np(p, b)

diff --git a/lib/sysacls.h b/lib/sysacls.h

index 8865dae4..76a6e31f 100644

--- a/lib/sysacls.h

+++ b/lib/sysacls.h

@@ -48,6 +48,7 @@

 #define SMB_ACL_GROUP_OBJ	ACL_GROUP_OBJ

 #define SMB_ACL_OTHER		ACL_OTHER

 #define SMB_ACL_MASK		ACL_MASK

+#define SMB_ACL_EVERYONE	ACL_EVERYONE

 #define SMB_ACL_T		acl_t

@@ -58,6 +59,11 @@

 #define SMB_ACL_TYPE_ACCESS	ACL_TYPE_ACCESS

 #define SMB_ACL_TYPE_DEFAULT	ACL_TYPE_DEFAULT

+#define	SMB_ACL_TYPE_NFS4	ACL_TYPE_NFS4

+

+#define	SMB_ACL_BRAND_UNKNOWN	ACL_BRAND_UNKNOWN

+#define	SMB_ACL_BRAND_POSIX	ACL_BRAND_POSIX

+#define	SMB_ACL_BRAND_NFS4	ACL_BRAND_NFS4

 #define SMB_ACL_VALID_NAME_BITS	(4 | 2 | 1)

 #define SMB_ACL_VALID_OBJ_BITS	(4 | 2 | 1)

@@ -294,6 +300,8 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b

 SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type);

 SMB_ACL_T sys_acl_get_fd(int fd);

 SMB_ACL_T sys_acl_init(int count);

+int sys_acl_get_brand( SMB_ACL_T the_acl, int *brand_p);

+int sys_acl_get_brand_file( const char *path_p, int *brand_p);

 int sys_acl_create_entry(SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry);

 int sys_acl_set_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype, uint32 bits, id_t u_g_id);

 int sys_acl_set_access_bits(SMB_ACL_ENTRY_T entry, uint32 bits);

diff --git a/rsync.c b/rsync.c

index e7f1f96a..41818ea4 100644

--- a/rsync.c

+++ b/rsync.c

@@ -627,19 +627,6 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,

 	}

 #endif

-#ifdef SUPPORT_ACLS

-	/* It's OK to call set_acl() now, even for a dir, as the generator

-	 * will enable owner-writability using chmod, if necessary.

-	 * 

-	 * If set_acl() changes permission bits in the process of setting

-	 * an access ACL, it changes sxp->st.st_mode so we know whether we

-	 * need to chmod(). */

-	if (preserve_acls && !S_ISLNK(new_mode)) {

-		if (set_acl(fname, file, sxp, new_mode) > 0)

-			updated |= UPDATED_ACLS;

-	}

-#endif

-

 #ifdef HAVE_CHMOD

 	if (!BITS_EQUAL(sxp->st.st_mode, new_mode, CHMOD_BITS)) {

 		int ret = am_root < 0 ? 0 : do_chmod(fname, new_mode);

@@ -654,6 +641,19 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,

 	}

 #endif

+#ifdef SUPPORT_ACLS

+	/* It's OK to call set_acl() now, even for a dir, as the generator

+	 * will enable owner-writability using chmod, if necessary.

+	 *

+	 * If set_acl() changes permission bits in the process of setting

+	 * an access ACL, it changes sxp->st.st_mode so we know whether we

+	 * need to chmod(). */

+	if (preserve_acls && !S_ISLNK(new_mode)) {

+		if (set_acl(fname, file, sxp, new_mode) > 0)

+			updated |= UPDATED_ACLS;

+	}

+#endif

+

 	if (INFO_GTE(NAME, 2) && flags & ATTRS_REPORT) {

 		if (updated)

 			rprintf(FCLIENT, "%s\n", fname);

diff --git a/rsync.h b/rsync.h

index 0f5304ee..45dd050b 100644

--- a/rsync.h

+++ b/rsync.h

@@ -1119,13 +1119,22 @@ typedef struct {

 #ifdef SUPPORT_ACLS

     struct rsync_acl *acc_acl; /* access ACL */

     struct rsync_acl *def_acl; /* default ACL */

+    struct nfs4_acl *nfs4_acl; /* NFSv4 ACL */

+    int brand;

 #endif

 #ifdef SUPPORT_XATTRS

     item_list *xattr;

 #endif

 } stat_x;

-#define ACL_READY(sx) ((sx).acc_acl != NULL)

+#ifdef SUPPORT_ACLS

+#include "lib/sysacls.h"

+#endif

+

+#define ACL_READY_POSIX(sx) ((sx).acc_acl != NULL)

+#define ACL_READY_NFS4(sx) ((sx).nfs4_acl != NULL)

+#define ACL_READY(sx) (((sx).brand == SMB_ACL_BRAND_NFS4) ? (ACL_READY_NFS4(sx)) : (ACL_READY_POSIX(sx)))

+

 #define XATTR_READY(sx) ((sx).xattr != NULL)

 #define CLVL_NOT_SPECIFIED INT_MIN