--- -	Wed Jul 30 14:49:34 2008
+++ vfs_zfsacl.c	Wed Jul 30 12:56:11 2008
@@ -31,6 +31,80 @@
 
 #define ZFSACL_MODULE_NAME "zfsacl"
 
+/* zfsacl - module parameters (s)
+ * can be set on share using the prefix "zfsacl:"
+ * acesort = { dontcare | ntfs [default] }
+ *  dontcare = ZFS/NFSv4 ACEs are stored into the NTFS ACL "as is"
+ *  ntfs = ZFS/NFSv4 ACEs are stored into the NTFS ACL in the manner
+ *         usual on the NTFS ("deny" ACEs are located before the any
+ *         other ACE types ; "mask == 0" ACEs are not stored into the
+ *         NTFS ACL)
+ */
+#define ZFSACL_PARAM_TYPE_NAME	ZFSACL_MODULE_NAME
+
+enum zfsacl_acesort_enum {e_dontcare=0, e_ntfs=1};
+
+typedef struct _zfsacl_vfs_params {
+	enum zfsacl_acesort_enum acesort;
+} zfsacl_vfs_params;
+
+/*
+ * Gather special parameters for ZFS ACL handling
+ */
+static int zfsacl_get_vfs_params(
+        const char *type_name,
+        files_struct *fsp,
+        zfsacl_vfs_params *params
+)
+{
+	static const struct enum_list enum_zfsacl_acesort[] = {
+		{ e_dontcare, "dontcare" },
+		{ e_ntfs,     "ntfs"     },
+	};
+
+	memset(params, 0, sizeof(zfsacl_vfs_params));
+	params->acesort = (enum zfsacl_acesort_enum)lp_parm_enum(
+		SNUM(fsp->conn), type_name,
+		"acesort", enum_zfsacl_acesort, e_ntfs);
+
+	DEBUG(10, ("acesort: %s\n",
+		enum_zfsacl_acesort[params->acesort].name));
+
+	return 0;
+}
+
+
+/* zfs_add_zfs_ace2smbnfs4_acl
+ * add a ZFS/NFSv4 ACE into the SMB4ACL_T list
+ * return non-0 status if fail
+ */
+static int zfs_add_zfs_ace2smbnfs4_acl(ace_t *zfsace, SMB4ACL_T *pacl)
+{
+	SMB_ACE4PROP_T aceprop;
+
+	aceprop.aceType  = (uint32) zfsace->a_type;
+	aceprop.aceFlags = (uint32) zfsace->a_flags;
+	aceprop.aceMask  = (uint32) zfsace->a_access_mask;
+	aceprop.who.id   = (uint32) zfsace->a_who;
+
+	if(aceprop.aceFlags & ACE_OWNER) {
+		aceprop.flags = SMB_ACE4_ID_SPECIAL;
+		aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
+	} else if(aceprop.aceFlags & ACE_GROUP) {
+		aceprop.flags = SMB_ACE4_ID_SPECIAL;
+		aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
+	} else if(aceprop.aceFlags & ACE_EVERYONE) {
+		aceprop.flags = SMB_ACE4_ID_SPECIAL;
+		aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
+	} else {
+		aceprop.flags	= 0;
+	}
+
+	if(smb_add_ace4(pacl, &aceprop) == NULL) return 1;
+
+	return 0;
+}
+
 /* zfs_get_nt_acl()
  * read the local file's acls and return it in NT form
  * using the NFSv4 format conversion
@@ -42,6 +116,7 @@
 	ace_t *acebuf;
 	SMB4ACL_T *pacl;
 	TALLOC_CTX	*mem_ctx;
+	zfsacl_vfs_params params;
 
 	/* read the number of file aces */
 	if((naces = acl(fsp->fsp_name, ACE_GETACLCNT, 0, NULL)) == -1) {
@@ -68,27 +143,40 @@
 	}
 	/* create SMB4ACL data */
 	if((pacl = smb_create_smb4acl()) == NULL) return 0;
-	for(i=0; i<naces; i++) {
-		SMB_ACE4PROP_T aceprop;
 
-		aceprop.aceType  = (uint32) acebuf[i].a_type;
-		aceprop.aceFlags = (uint32) acebuf[i].a_flags;
-		aceprop.aceMask  = (uint32) acebuf[i].a_access_mask;
-		aceprop.who.id   = (uint32) acebuf[i].a_who;
+	/* Special behaviours*/
+	if(zfsacl_get_vfs_params(ZFSACL_PARAM_TYPE_NAME, fsp, &params))
+		return 0;
 
-		if(aceprop.aceFlags & ACE_OWNER) {
-			aceprop.flags = SMB_ACE4_ID_SPECIAL;
-			aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
-		} else if(aceprop.aceFlags & ACE_GROUP) {
-			aceprop.flags = SMB_ACE4_ID_SPECIAL;
-			aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
-		} else if(aceprop.aceFlags & ACE_EVERYONE) {
-			aceprop.flags = SMB_ACE4_ID_SPECIAL;
-			aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
-		} else {
-			aceprop.flags	= 0;
+	if(params.acesort == e_dontcare) {
+
+	    for(i=0; i<naces; i++) {
+		if(zfs_add_zfs_ace2smbnfs4_acl(acebuf +i, pacl))
+			return 0;
+	    }
+
+	} else { /* params.acesort == e_ntfs (default behaviour) */
+
+	    /* first of all we will place all "deny" and non-0 ACEs
+	     * into the "pacl" buffer
+	     */
+	    for(i=0; i<naces; i++) {
+		if(acebuf[i].a_access_mask &&
+		   acebuf[i].a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
+			if(zfs_add_zfs_ace2smbnfs4_acl(acebuf +i, pacl))
+				return 0;
 		}
-		if(smb_add_ace4(pacl, &aceprop) == NULL) return 0;
+	    }
+	    /* than we will place all "non-deny" and non-0 ACEs
+	     * into the "pacl" buffer
+	     */
+	    for(i=0; i<naces; i++) {
+		if(acebuf[i].a_access_mask &&
+		   acebuf[i].a_type != ACE_ACCESS_DENIED_ACE_TYPE) {
+			if(zfs_add_zfs_ace2smbnfs4_acl(acebuf +i, pacl))
+				return 0;
+		}
+	    }
 	}
 
 	return smb_get_nt_acl_nfs4(fsp, security_info, ppdesc, pacl);
@@ -312,6 +400,7 @@
 #endif
 		(void)
 {
-	return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "zfsacl",
-				zfsacl_ops);
+	return smb_register_vfs(SMB_VFS_INTERFACE_VERSION,
+			ZFSACL_MODULE_NAME ,
+			zfsacl_ops);
 }