diff --git a/src/acl.c b/src/acl.c
new file mode 100644
index 0000000..2912f08
--- /dev/null
+++ b/src/acl.c
@@ -0,0 +1,637 @@
+/*
+ * ACL management functions.
+ *
+ * Copyright 2000-2007 Willy Tarreau <w@1wt.eu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <common/config.h>
+#include <common/mini-clist.h>
+#include <common/standard.h>
+
+#include <proto/acl.h>
+
+#include <types/acl.h>
+#include <types/proxy.h>
+#include <types/session.h>
+
+/* List head of all known ACL keywords */
+static struct acl_kw_list acl_keywords = {
+	.list = LIST_HEAD_INIT(acl_keywords.list)
+};
+
+
+/* This one always returns 1 because its only purpose is to check that the
+ * value is present, which is already checked by getval().
+ */
+int acl_match_pst(struct acl_test *test, struct acl_pattern *pattern)
+{
+	return 1;
+}
+
+/* NB: For two strings to be identical, it is required that their lengths match */
+int acl_match_str(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if (pattern->len != test->len)
+		return 0;
+	if (strncmp(pattern->ptr.str, test->ptr, test->len) == 0)
+		return 1;
+	return 0;
+}
+
+/* Checks that the pattern matches the beginning of the tested string. */
+int acl_match_beg(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if (pattern->len > test->len)
+		return 0;
+	if (strncmp(pattern->ptr.str, test->ptr, pattern->len) != 0)
+		return 0;
+	return 1;
+}
+
+/* Checks that the pattern matches the end of the tested string. */
+int acl_match_end(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if (pattern->len > test->len)
+		return 0;
+	if (strncmp(pattern->ptr.str, test->ptr + test->len - pattern->len, pattern->len) != 0)
+		return 0;
+	return 1;
+}
+
+/* Checks that the pattern is included inside the tested string.
+ * NB: Suboptimal, should be rewritten using a Boyer-Moore method.
+ */
+int acl_match_sub(struct acl_test *test, struct acl_pattern *pattern)
+{
+	char *end;
+	char *c;
+
+	if (pattern->len > test->len)
+		return 0;
+
+	end = test->ptr + test->len - pattern->len;
+	for (c = test->ptr; c <= end; c++) {
+		if (*c != *pattern->ptr.str)
+			continue;
+		if (strncmp(pattern->ptr.str, c, pattern->len) == 0)
+			return 1;
+	}
+	return 0;
+}
+
+/* This one is used by other real functions. It checks that the pattern is
+ * included inside the tested string, but enclosed between the specified
+ * delimitor, or a '/' or a '?' or at the beginning or end of the string.
+ * The delimitor is stripped at the beginning or end of the pattern are
+ * ignored.
+ */
+static int match_word(struct acl_test *test, struct acl_pattern *pattern, char delim)
+{
+	int may_match;
+	char *c, *end;
+	char *ps;
+	int pl;
+
+	pl = pattern->len;
+	ps = pattern->ptr.str;
+	while (pl > 0 && *ps == delim) {
+		pl--;
+		ps++;
+	}
+
+	while (pl > 0 && *(ps + pl - 1) == delim)
+		pl--;
+
+	if (pl > test->len)
+		return 0;
+
+	may_match = 1;
+	end = test->ptr + test->len - pl;
+	for (c = test->ptr; c <= end; c++) {
+		if (*c == '/' || *c == delim || *c == '?') {
+			may_match = 1;
+			continue;
+		}
+		if (may_match && (*c == *ps) &&
+		    (strncmp(ps, c, pl) == 0) &&
+		    (c == end || c[pl] == '/' || c[pl] == delim || c[pl] == '?'))
+				return 1;
+
+		may_match = 0;
+	}
+	return 0;
+}
+
+/* Checks that the pattern is included inside the tested string, but enclosed
+ * between slashes or at the beginning or end of the string. Slashes at the
+ * beginning or end of the pattern are ignored.
+ */
+int acl_match_dir(struct acl_test *test, struct acl_pattern *pattern)
+{
+	return match_word(test, pattern, '/');
+}
+
+/* Checks that the pattern is included inside the tested string, but enclosed
+ * between dots or at the beginning or end of the string. Dots at the beginning
+ * or end of the pattern are ignored.
+ */
+int acl_match_dom(struct acl_test *test, struct acl_pattern *pattern)
+{
+	return match_word(test, pattern, '.');
+}
+
+/* Checks that the integer in <test> is included between min and max */
+int acl_match_range(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if ((pattern->val.range.min <= test->i) &&
+	    (test->i <= pattern->val.range.max))
+		return 1;
+	return 0;
+}
+
+int acl_match_min(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if (pattern->val.range.min <= test->i)
+		return 1;
+	return 0;
+}
+
+int acl_match_max(struct acl_test *test, struct acl_pattern *pattern)
+{
+	if (test->i <= pattern->val.range.max)
+		return 1;
+	return 0;
+}
+
+/* Parse a string. It is allocated and duplicated. */
+int acl_parse_str(const char *text, struct acl_pattern *pattern)
+{
+	int len;
+
+	len  = strlen(text);
+
+	pattern->ptr.str = strdup(text);
+	if (!pattern->ptr.str)
+		return 0;
+	pattern->len = len;
+	return 1;
+}
+
+/* Parse an integer. It is put both in min and max. */
+int acl_parse_int(const char *text, struct acl_pattern *pattern)
+{
+	pattern->val.range.min = pattern->val.range.max = __str2ui(text);
+	return 1;
+}
+
+/* Parse a range of integers delimited by either ':' or '-'. If only one
+ * integer is read, it is set as both min and max.
+ */
+int acl_parse_range(const char *text, struct acl_pattern *pattern)
+{
+	unsigned int i, j, last;
+
+	last = i = 0;
+	while (1) {
+                j = (*text++);
+		if ((j == '-' || j == ':') && !last) {
+			last++;
+			pattern->val.range.min = i;
+			i = 0;
+			continue;
+		}
+		j -= '0';
+                if (j > 9)
+			// also catches the terminating zero
+                        break;
+                i *= 10;
+                i += j;
+        }
+	if (!last)
+		pattern->val.range.min = i;
+	pattern->val.range.max = i;
+	return 1;
+}
+
+/*
+ * Registers the ACL keyword list <kwl> as a list of valid keywords for next
+ * parsing sessions.
+ */
+void acl_register_keywords(struct acl_kw_list *kwl)
+{
+	LIST_ADDQ(&acl_keywords.list, &kwl->list);
+}
+
+/*
+ * Unregisters the ACL keyword list <kwl> from the list of valid keywords.
+ */
+void acl_unregister_keywords(struct acl_kw_list *kwl)
+{
+	LIST_DEL(&kwl->list);
+	LIST_INIT(&kwl->list);
+}
+
+/* Return a pointer to the ACL <name> within the list starting at <head>, or
+ * NULL if not found.
+ */
+struct acl *find_acl_by_name(const char *name, struct list *head)
+{
+	struct acl *acl;
+	list_for_each_entry(acl, head, list) {
+		if (strcmp(acl->name, name) == 0)
+			return acl;
+	}
+	return NULL;
+}
+
+/* Return a pointer to the ACL keyword <kw>, or NULL if not found. Note that if
+ * <kw> contains an opening parenthesis, only the left part of it is checked.
+ */
+struct acl_keyword *find_acl_kw(const char *kw)
+{
+	int index;
+	const char *kwend;
+	struct acl_kw_list *kwl;
+
+	kwend = strchr(kw, '(');
+	if (!kwend)
+		kwend = kw + strlen(kw);
+
+	list_for_each_entry(kwl, &acl_keywords.list, list) {
+		for (index = 0; kwl->kw[index].kw != NULL; index++) {
+			if ((strncmp(kwl->kw[index].kw, kw, kwend - kw) == 0) &&
+			    kwl->kw[index].kw[kwend-kw] == 0)
+				return &kwl->kw[index];
+		}
+	}
+	return NULL;
+}
+
+static void free_pattern(struct acl_pattern *pat)
+{
+	if (pat->ptr.ptr)
+		free(pat->ptr.ptr);
+	free(pat);
+}
+
+static void free_pattern_list(struct list *head)
+{
+	struct acl_pattern *pat, *tmp;
+	list_for_each_entry_safe(pat, tmp, head, list)
+		free_pattern(pat);
+}
+
+static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
+{
+	free_pattern_list(&expr->patterns);
+	LIST_INIT(&expr->patterns);
+	if (expr->arg.str)
+		free(expr->arg.str);
+	expr->kw->use_cnt--;
+	return expr;
+}
+
+/* Parse an ACL expression starting at <args>[0], and return it.
+ * Right now, the only accepted syntax is :
+ * <subject> [<value>...]
+ */
+struct acl_expr *parse_acl_expr(const char **args)
+{
+	__label__ out_return, out_free_expr, out_free_pattern;
+	struct acl_expr *expr;
+	struct acl_keyword *aclkw;
+	struct acl_pattern *pattern;
+	const char *arg;
+
+	aclkw = find_acl_kw(args[0]);
+	if (!aclkw || !aclkw->parse)
+		goto out_return;
+
+	expr = (struct acl_expr *)calloc(1, sizeof(*expr));
+	if (!expr)
+		goto out_return;
+
+	expr->kw = aclkw;
+	aclkw->use_cnt++;
+	LIST_INIT(&expr->patterns);
+	expr->arg.str = NULL;
+
+	arg = strchr(args[0], '(');
+	if (arg != NULL) {
+		char *end, *arg2;
+		/* there is an argument in the form "subject(arg)" */
+		arg++;
+		end = strchr(arg, ')');
+		if (!end)
+			goto out_free_expr;
+		arg2 = (char *)calloc(1, end - arg + 1);
+		if (!arg2)
+			goto out_free_expr;
+		memcpy(arg2, arg, end - arg);
+		arg2[end-arg] = '\0';
+		expr->arg.str = arg2;
+	}
+
+	/* now parse all patterns */
+	args++;
+	while (**args) {
+		pattern = (struct acl_pattern *)calloc(1, sizeof(*pattern));
+		if (!pattern)
+			goto out_free_expr;
+		if (!aclkw->parse(*args, pattern))
+			goto out_free_pattern;
+		LIST_ADDQ(&expr->patterns, &pattern->list);
+		args++;
+	}
+
+	return expr;
+
+ out_free_pattern:
+	free_pattern(pattern);
+ out_free_expr:
+	prune_acl_expr(expr);
+	free(expr);
+ out_return:
+	return NULL;
+}
+
+/* Parse an ACL with the name starting at <args>[0], and with a list of already
+ * known ACLs in <acl>. If the ACL was not in the list, it will be added.
+ * A pointer to that ACL is returned.
+ *
+ * args syntax: <aclname> <acl_expr>
+ */
+struct acl *parse_acl(const char **args, struct list *known_acl)
+{
+	__label__ out_return, out_free_acl_expr, out_free_name;
+	struct acl *cur_acl;
+	struct acl_expr *acl_expr;
+	char *name;
+
+	acl_expr = parse_acl_expr(args + 1);
+	if (!acl_expr)
+		goto out_return;
+
+	cur_acl = find_acl_by_name(args[0], known_acl);
+	if (!cur_acl) {
+		name = strdup(args[0]);
+		if (!name)
+			goto out_free_acl_expr;
+		cur_acl = (struct acl *)calloc(1, sizeof(*cur_acl));
+		if (cur_acl == NULL)
+			goto out_free_name;
+
+		LIST_INIT(&cur_acl->expr);
+		LIST_ADDQ(known_acl, &cur_acl->list);
+		cur_acl->name = name;
+	}
+
+	LIST_ADDQ(&cur_acl->expr, &acl_expr->list);
+	return cur_acl;
+
+ out_free_name:
+	free(name);
+ out_free_acl_expr:
+	prune_acl_expr(acl_expr);
+	free(acl_expr);
+ out_return:
+	return NULL;
+}
+
+
+/* Purge everything in the acl_cond <cond>, then return <cond>. */
+struct acl_cond *prune_acl_cond(struct acl_cond *cond)
+{
+	struct acl_term_suite *suite, *tmp_suite;
+	struct acl_term *term, *tmp_term;
+
+	/* iterate through all term suites and free all terms and all suites */
+	list_for_each_entry_safe(suite, tmp_suite, &cond->suites, list) {
+		list_for_each_entry_safe(term, tmp_term, &suite->terms, list)
+			free(term);
+		free(suite);
+	}
+	return cond;
+}
+
+/* Parse an ACL condition starting at <args>[0], relying on a list of already
+ * known ACLs passed in <known_acl>. The new condition is returned (or NULL in
+ * case of low memory). Supports multiple conditions separated by "or".
+ */
+struct acl_cond *parse_acl_cond(const char **args, struct list *known_acl, int pol)
+{
+	__label__ out_return, out_free_suite, out_free_term;
+	int arg;
+	int neg = 0;
+	const char *word;
+	struct acl *cur_acl;
+	struct acl_term *cur_term;
+	struct acl_term_suite *cur_suite;
+	struct acl_cond *cond;
+
+	cond = (struct acl_cond *)calloc(1, sizeof(*cond));
+	if (cond == NULL)
+		goto out_return;
+
+	LIST_INIT(&cond->list);
+	LIST_INIT(&cond->suites);
+	cond->pol = pol;
+
+	cur_suite = NULL;
+	for (arg = 0; *args[arg]; arg++) {
+		word = args[arg];
+
+		/* remove as many exclamation marks as we can */
+		while (*word == '!') {
+			neg = !neg;
+			word++;
+		}
+
+		/* an empty word is allowed because we cannot force the user to
+		 * always think about not leaving exclamation marks alone.
+		 */
+		if (!*word)
+			continue;
+
+		if (strcasecmp(word, "or") == 0) {
+			/* new term suite */
+			cur_suite = NULL;
+			neg = 0;
+			continue;
+		}
+
+		/* search for <word> in the known ACL names */
+		cur_acl = find_acl_by_name(word, known_acl);
+		if (cur_acl == NULL)
+			goto out_free_suite;
+
+		cur_term = (struct acl_term *)calloc(1, sizeof(*cur_term));
+		if (cur_term == NULL)
+			goto out_free_suite;
+
+		cur_term->acl = cur_acl;
+		cur_term->neg = neg;
+
+		if (!cur_suite) {
+			cur_suite = (struct acl_term_suite *)calloc(1, sizeof(*cur_suite));
+			if (cur_term == NULL)
+				goto out_free_term;
+			LIST_INIT(&cur_suite->terms);
+			LIST_ADDQ(&cond->suites, &cur_suite->list);
+		}
+		LIST_ADDQ(&cur_suite->terms, &cur_term->list);
+	}
+
+	return cond;
+
+ out_free_term:
+	free(cur_term);
+ out_free_suite:
+	prune_acl_cond(cond);
+	free(cond);
+ out_return:
+	return NULL;
+}
+
+/* Execute condition <cond> and return 0 if test fails or 1 if test succeeds.
+ * This function only computes the condition, it does not apply the polarity
+ * required by IF/UNLESS, it's up to the caller to do this.
+ */
+int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, void *l7)
+{
+	__label__ fetch_next;
+	struct acl_term_suite *suite;
+	struct acl_term *term;
+	struct acl_expr *expr;
+	struct acl *acl;
+	struct acl_pattern *pattern;
+	struct acl_test test;
+	int acl_res, pat_res, suite_res, cond_res;
+
+	/* we're doing a logical OR between conditions so we initialize to FAIL */
+	cond_res = ACL_PAT_FAIL;
+	list_for_each_entry(suite, &cond->suites, list) {
+		/* evaluate condition suite <suite>. We stop at the first term
+		 * which does not return ACL_PAT_PASS.
+		 */
+
+		/* we're doing a logical AND between terms, so we must set the
+		 * initial value to PASS.
+		 */
+		suite_res = ACL_PAT_PASS;
+		list_for_each_entry(term, &suite->terms, list) {
+			acl = term->acl;
+
+			/* FIXME: use cache !
+			 * check acl->cache_idx for this.
+			 */
+
+			/* ACL result not cached. Let's scan all the expressions
+			 * and use the first one to match.
+			 */
+			acl_res = ACL_PAT_FAIL;
+			list_for_each_entry(expr, &acl->expr, list) {
+				test.flags = test.len = 0;
+			fetch_next:
+				if (!expr->kw->fetch(px, l4, l7, expr->arg.str, &test))
+					continue;
+
+				/* apply all tests to this value */
+				list_for_each_entry(pattern, &expr->patterns, list) {
+					pat_res = expr->kw->match(&test, pattern);
+
+					if (pat_res & ACL_PAT_MISS) {
+						/* there is at least one test which might be worth retrying later. */
+						acl_res |= ACL_PAT_MISS;
+						continue;
+					} else if (pat_res & ACL_PAT_PASS) {
+						/* we found one ! */
+						acl_res |= ACL_PAT_PASS;
+						break;
+					}
+				}
+				/*
+				 * OK now we have the result of this expression in expr_res.
+				 *  - we have the PASS bit set if at least one pattern matched ;
+				 *  - we have the MISS bit set if at least one pattern may match
+				 *    later so that we should not cache a failure ;
+				 *
+				 * Then if (PASS || !MISS) we can cache the result, and put
+				 * (test.flags & ACL_TEST_F_VOLATILE) in the cache flags.
+				 *
+				 * FIXME: implement cache.
+				 *
+				 */
+
+				/* now we may have some cleanup to do */
+				if (test.flags & ACL_TEST_F_MUST_FREE) {
+					free(test.ptr);
+					test.len = 0;
+				}
+
+				if (acl_res & ACL_PAT_PASS)
+					break;
+
+				/* prepare to test another expression */
+				acl_res = ACL_PAT_FAIL;
+
+				if (test.flags & ACL_TEST_F_FETCH_MORE)
+					goto fetch_next;
+			}
+			/*
+			 * Here we have the result of an ACL (cached or not).
+			 * ACLs are combined, negated or not, to form conditions.
+			 */
+
+			acl_res &= ACL_PAT_PASS;
+			if (term->neg)
+				acl_res ^= ACL_PAT_PASS;
+
+			suite_res &= acl_res;
+			if (!(suite_res & ACL_PAT_PASS))
+				break;
+		}
+		cond_res |= suite_res;
+		if (cond_res & ACL_PAT_PASS)
+			break;
+	}
+
+	return (cond_res & ACL_PAT_PASS) ? 1 : 0;
+}
+
+
+/************************************************************************/
+/*             All supported keywords must be declared here.            */
+/************************************************************************/
+
+/* Note: must not be declared <const> as its list will be overwritten */
+static struct acl_kw_list acl_kws = {{ },{
+#if 0
+	{ "time",       acl_parse_time,  acl_fetch_time,   acl_match_time  },
+#endif
+	{ NULL, NULL, NULL, NULL }
+}};
+
+
+__attribute__((constructor))
+static void __acl_init(void)
+{
+	acl_register_keywords(&acl_kws);
+}
+
+
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ * End:
+ */