diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c05af4e..1032190 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,7 +3,7 @@ variables:
   GIT_STRATEGY: "clone"
   BUILD_PADDING_PREFIX: /tmp/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX/
   INSTALL_PREFIX: "/home/mesasoft/sapp_run/"
-  INSTALL_DEPENDENCY_LIBRARY: libMESA_handle_logger-devel  libcjson-devel libMESA_field_stat2-devel sapp  sapp-devel framework_env  libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel  librdkafka-devel libmaatframe-devel quic-devel  mesa_sip-devel gtp-devel libMESA_htable-devel libasan
+  INSTALL_DEPENDENCY_LIBRARY: libMESA_handle_logger-devel  libcjson-devel libMESA_field_stat2-devel sapp  sapp-devel framework_env  libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel  librdkafka-devel libmaatframe-devel quic-devel  mesa_sip-devel gtp-devel libMESA_htable-devel libasan mrzcpd
 
 stages:
 - build
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f0d2652..92676fa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ endif()
 
 set(CMAKE_INSTALL_PREFIX /home/mesasoft/sapp_run)
 
+add_subdirectory(support)
 add_subdirectory(src) 
 
 SET(CPACK_RPM_LIBRARIES_PRE_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/cmake/PreInstall.sh")
@@ -52,6 +53,12 @@ install(FILES bin/app_l7_proto_id.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgco
 install(FILES bin/tsg_l7_protocol.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
 install(FILES bin/tsg_maat.json DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
 
+install(FILES bin/HTTP200.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
+install(FILES bin/HTTP204.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
+install(FILES bin/HTTP303.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
+install(FILES bin/HTTP403.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
+install(FILES bin/HTTP404.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
+
 install(FILES inc/tsg_send_log.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)
 install(FILES inc/tsg_rule.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)
 install(FILES inc/tsg_statistic.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)
diff --git a/bin/HTTP200.html b/bin/HTTP200.html
new file mode 100644
index 0000000..a474544
--- /dev/null
+++ b/bin/HTTP200.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<!-- Powerd by MESA Lab -->
+<head>
+    <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title> Successfull | 200 - OK </title>
+</head>
+<body>
+    <div class="cover"><h1> Successfull 200 <small>Successfully 200</small></h1><p class="lead">The requested resource accesss Successfully (TSG-{{cfg_id}}:{{msg}}).</p></div>
+</body>
+</html>
diff --git a/bin/HTTP204.html b/bin/HTTP204.html
new file mode 100644
index 0000000..598aa84
--- /dev/null
+++ b/bin/HTTP204.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<!-- Powerd by MESA Lab -->
+<head>
+    <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>We've got some trouble | 204 - Not Content </title>
+</head>
+<body>
+    <div class="cover"><h1>Not Content <small>Error 204</small></h1><p class="lead">The requested resource requires an authentication (TSG-{{cfg_id}}:{{msg}}).</p></div>
+</body>
+</html>
diff --git a/bin/HTTP303.html b/bin/HTTP303.html
new file mode 100644
index 0000000..89b3028
--- /dev/null
+++ b/bin/HTTP303.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<!-- Powerd by MESA Lab -->
+<head>
+    <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>  303 See Other </title>
+</head>
+<body>
+    <div class="cover"><h1> 303 See Other <small>303 See Other</small></h1><p class="lead">The requested resource accesss Successfully (TSG-{{cfg_id}}:{{msg}}).</p></div>
+</body>
+</html>
diff --git a/bin/HTTP403.html b/bin/HTTP403.html
new file mode 100644
index 0000000..6102c62
--- /dev/null
+++ b/bin/HTTP403.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<!-- Powerd by MESA Lab -->
+<head>
+    <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>We've got some trouble | 403 - Access Denied</title>
+</head>
+<body>
+    <div class="cover"><h1>Access Denied <small>Error 403</small></h1><p class="lead">The requested resource requires an authentication (TSG-{{cfg_id}}:{{msg}}).</p></div>
+</body>
+</html>
diff --git a/bin/HTTP404.html b/bin/HTTP404.html
new file mode 100644
index 0000000..7977ec6
--- /dev/null
+++ b/bin/HTTP404.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<!-- Powerd by MESA Lab -->
+<head>
+    <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>We've got some trouble | 404 - Resource not found</title>
+</head>
+<body>
+    <div class="cover"><h1>Resource not found <small>Error 404 </small></h1><p class="lead">The requested resource could not be found but may be available again in the future (TSG-{{cfg_id}}:{{msg}}).</p></div>
+</body>
+</html>
diff --git a/bin/main.conf b/bin/main.conf
index 25e85d7..1c4a557 100644
--- a/bin/main.conf
+++ b/bin/main.conf
@@ -37,4 +37,10 @@ APP_BRIDGE_NAME="APP_BRIDGE"
 POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
 L7_RPTOCOL_FILE="./tsgconf/tsg_l7_protocol.conf"
 DEVICE_SN_FILENAME="/opt/tsg/etc/tsg_sn.json"
-DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"
\ No newline at end of file
+DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"
+
+[TRAFFIC_MIRROR]
+TRAFFIC_MIRROR_ENABLE=1
+NIC_NAME="eth_vf_mirr"
+APP_NAME="TSG_MIRROR"
+DEFAULT_VLAN_ID=1023
\ No newline at end of file
diff --git a/ci/travis.sh b/ci/travis.sh
index 24fe71f..a82796a 100644
--- a/ci/travis.sh
+++ b/ci/travis.sh
@@ -36,6 +36,7 @@ env | sort
 if [ -n "${INSTALL_DEPENDENCY_LIBRARY}" ]; then
 	yum install -y $INSTALL_DEPENDENCY_LIBRARY
 	source /etc/profile.d/framework.sh
+  source /etc/profile.d/mrzcpd.sh
 fi
 
 if [ $ASAN_OPTION ];then
@@ -58,7 +59,7 @@ if [ -n "${PACKAGE}" ]; then
 	make package
 fi
 
-if [ -n "${UPLOAD_RPM}" ]; then	
+if [ -n "${UPLOAD_RPM}" ]; then
 	cp ~/rpm_upload_tools.py ./
 	python3 rpm_upload_tools.py ${PULP3_REPO_NAME} ${PULP3_DIST_NAME} *.rpm
 fi
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index d6a67ae..172bfd6 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -24,9 +24,17 @@ enum TSG_METHOD_TYPE
 	TSG_METHOD_TYPE_BLOCK,
 	TSG_METHOD_TYPE_RESET,
 	TSG_METHOD_TYPE_ALERT,
+	TSG_METHOD_TYPE_RATE_LINIT,
 	TSG_METHOD_TYPE_MAX
 };
 
+enum TSG_DENY_TYPE
+{
+	TSG_DENY_TYPE_MESSAGE=0,
+	TSG_DENY_TYPE_PROFILE,
+	TSG_DENY_TYPE_REDIRECT_TO,
+	TSG_DENY_TYPE_MAX
+};
 struct identify_info
 {
 	tsg_protocol_t proto;	//enum _tsg_protocol (tsg_types.h)
@@ -34,15 +42,37 @@ struct identify_info
 	char domain[MAX_DOAMIN_LEN];
 };
 
-struct compile_user_region
+struct deny_user_region
 {
 	int code;
+	enum TSG_DENY_TYPE type;
+	union
+	{
+		char *message;
+		char *redirect_url_to;
+		int profile_id;
+		int bytes_per_sec;
+		void *para;
+	};
+};
+
+struct monitor_user_region
+{
+	int enabled;
+	int mirror_vlan_id;
+};
+
+struct compile_user_region
+{	
 	int ref_cnt;
-	int html_profile;
-	char protocol[32];
-	char method[32];
-	char *message;
-	Maat_rule_t *result;
+	enum TSG_METHOD_TYPE method_type;
+	union	
+	{
+		struct deny_user_region *deny;		
+		struct monitor_user_region *mirror;		
+		struct Maat_rule_t *result;				//XJ default policy
+		void *user_region_para;
+	};
 };
 
 typedef	enum _PULL_RESULT_TYPE
@@ -85,10 +115,21 @@ int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_re
 //return NULL if none exists, otherwise return one deny rule;
 struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num);
 
+enum ACTION_RETURN_TYPE
+{
+	ACTION_RETURN_TYPE_PROT=0,
+	ACTION_RETURN_TYPE_APP
+};
+unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *a_packet);
+
 int tsg_get_method_id(char *method);
 
+int tsg_free_compile_user_region(const struct Maat_rule_t *rule, struct compile_user_region *user_region);
+struct compile_user_region *tsg_get_compile_user_region(const Maat_feather_t maat_feather,	struct Maat_rule_t *result);
+
 int tsg_get_fqdn_category_id(Maat_feather_t maat_feather, char *fqdn, unsigned int *category_id, int category_id_num, void *logger, int thread_seq);
 int tsg_scan_app_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq);
 int tsg_scan_fqdn_category_id(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned int *category_id, int category_id_num, int thread_seq);
+int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, int thread_seq);
 
 #endif
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 837f221..b9489c3 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -2,18 +2,18 @@ cmake_minimum_required(VERSION 2.8)
 
 add_definitions(-fPIC)
 
-set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp) 
+set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp tsg_traffic_mirror.cpp tsg_send_raw_packet.cpp tsg_action.cpp)
 
 include_directories(${CMAKE_SOURCE_DIR}/inc)
 include_directories(/opt/MESA/include/MESA/)
 
-set(TSG_MASTER_DEPEND_DYN_LIB  MESA_handle_logger MESA_prof_load maatframe pthread MESA_field_stat2 rdkafka cjson)
+set(TSG_MASTER_DEPEND_DYN_LIB  MESA_handle_logger MESA_prof_load maatframe pthread MESA_field_stat2 rdkafka cjson marsio)
 
 set(CMAKE_INSTALL_PREFIX /home/mesasoft/sapp_run)
 
 add_library(tsg_master SHARED ${SRC})
 set_target_properties(tsg_master PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/src/version.map")
-target_link_libraries(tsg_master ${TSG_MASTER_DEPEND_DYN_LIB})
+target_link_libraries(tsg_master ${TSG_MASTER_DEPEND_DYN_LIB} ctemplate-static)
 set_target_properties(tsg_master  PROPERTIES PREFIX "")
 
 install(TARGETS tsg_master LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/plug/platform/tsg_master COMPONENT LIBRARIES)
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
new file mode 100644
index 0000000..e5973b0
--- /dev/null
+++ b/src/tsg_action.cpp
@@ -0,0 +1,648 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <netinet/ip6.h>
+#include <sys/stat.h>
+#include <arpa/inet.h>
+
+#include <MESA/http.h>
+#include <MESA/ftp.h>
+#include <MESA/ssl.h>
+#include <MESA/mail.h>
+#include <MESA/gquic.h>
+#include "MESA/mesa_sip.h"
+#include <MESA/stream.h>
+#include <MESA/MESA_handle_logger.h>
+
+#include "app_label.h"
+#include "tsg_rule.h"
+#include "tsg_entry.h"
+#include "tsg_statistic.h"
+
+extern "C" int sendpacket_do_checksum(unsigned char *buf, int protocol, int len);
+
+static int set_drop_stream(const struct streaminfo *a_stream)
+{
+	int opt_value=1;
+	MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
+	MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
+	MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
+
+	return 0;
+				
+}
+
+static int get_http_header(char *buff, int len, int code, char *user_define)
+{
+	int used_len=0;
+	
+	switch(code)
+	{
+		case	200:
+			used_len=snprintf(buff, len, "HTTP/1.1 %d OK\r\nContent-Type: text/html\r\n\r\n", code);
+			break;
+		case	204:
+			used_len=snprintf(buff, len, "HTTP/1.1 %d No Content\r\nContent-Type: text/html\r\n\r\n", code);
+			break;
+		case	403:
+			used_len=snprintf(buff, len, "HTTP/1.1 %d Forbidden\r\nContent-Type: text/html\r\n\r\n", code);
+			break;
+		case	404:
+			used_len=snprintf(buff, len, "HTTP/1.1 %d Not Found\r\nContent-Type: text/html\r\n\r\n", code);
+			break;
+		case	302:			
+			used_len=snprintf(buff, len, "HTTP/1.1 %d Moved Temporarily\r\nContent-Type: text/html\r\nLocation: %s\r\n\r\n", code, user_define);
+			break;
+		case	303:			
+			used_len=snprintf(buff, len, "HTTP/1.1 %d See Other\r\nLocation: %s\r\n\r\n", code, user_define);
+			break;
+		default:
+			break;
+	}
+
+	return used_len;
+}
+
+static int get_tcp_mss_option(const struct streaminfo *a_stream, int type, void *out)
+{
+	int i=0,ret=0;
+	int tcp_opt_num=0;
+	struct tcp_option *tcp_opt=NULL;
+	
+	ret=MESA_get_stream_opt(a_stream, MSO_TCP_SYN_OPT, (void *)&tcp_opt, &tcp_opt_num);
+	if(ret>0)
+	{
+		for(i=0; i<tcp_opt_num; i++)
+		{
+			if(tcp_opt[i].type!=type)
+			{
+				continue;
+			}
+			
+			switch(tcp_opt[i].type)
+			{
+				case	TCP_OPT_MSS:
+					*(short *)out=tcp_opt[i].short_value;
+					return 1;
+					break;
+				default:
+					break;
+			}
+		}
+	}				
+
+	return 0;
+}
+
+static void template_generate(int status_code, int cfg_id, const char* msg, char **page_buff, size_t *page_size, int thread_seq)
+{
+	ctemplate::TemplateDictionary dict("pg_page_dict");	//dict is automatically finalized after function returned.
+	dict.SetIntValue("cfg_id", cfg_id);
+
+	if (NULL == msg)
+	{
+		dict.SetValue("msg", "NULL");
+	}
+	else
+	{
+		dict.SetValue("msg", msg);
+	}
+	std::string output;
+	ctemplate::Template * tpl = NULL;
+
+	switch (status_code)
+	{
+		case 403:
+			tpl = g_tsg_para.tpl_403;
+			tpl->Expand(&output, &dict);
+			break;
+		case 404: 
+			tpl = g_tsg_para.tpl_404;
+			tpl->Expand(&output, &dict);
+			break;
+		case 200: 
+			tpl = g_tsg_para.tpl_200;
+			tpl->Expand(&output, &dict);
+			break;
+		case 204: 
+			tpl = g_tsg_para.tpl_204;
+			tpl->Expand(&output, &dict);
+			break;
+		case 303:
+			tpl = g_tsg_para.tpl_303;
+			tpl->Expand(&output, &dict);
+			break;
+		default: return;
+	}
+
+	
+	*page_size=output.length()+1;
+	
+	char *_page_buff=(char *)dictator_malloc(thread_seq, (*page_size)*sizeof(char));
+	memcpy(_page_buff, output.c_str(), *page_size);
+
+	*page_buff=_page_buff;
+	
+	return ;
+}
+
+static int get_response_pages(struct Maat_rule_t *p_result, struct compile_user_region *user_region, char **payload, int thread_seq)
+{
+	char key[16]={0};
+	int payload_len=0;
+	struct http_response_pages *res_pages=NULL;
+
+	switch(user_region->deny->type)
+	{
+		case	TSG_DENY_TYPE_MESSAGE:
+			template_generate(user_region->deny->code, p_result->config_id, user_region->deny->message, payload, (size_t *)&payload_len, thread_seq);
+			return payload_len;
+			break;
+		case	TSG_DENY_TYPE_PROFILE:
+			break;
+		default:
+			break;
+	}
+
+	snprintf(key, sizeof(key), "%d", user_region->deny->profile_id);
+	res_pages=(struct http_response_pages *)Maat_plugin_get_EX_data(g_tsg_maat_feather,g_tsg_para.table_id[TABLE_RESPONSE_PAGES], key);
+	if(res_pages!=NULL)
+	{
+		switch(res_pages->format)
+		{
+			case	HTTP_RESPONSE_FORMAT_HTML:
+				*payload=(char *)dictator_malloc(thread_seq, res_pages->content_len);
+				memcpy(*payload, res_pages->content, res_pages->content_len);
+				payload_len=res_pages->content_len;
+				break;
+			case	HTTP_RESPONSE_FORMAT_TEMPLATE:
+				template_generate(user_region->deny->code, p_result->config_id, res_pages->content, payload, (size_t *)&payload_len, thread_seq);
+				break;
+			default:
+				break;
+		}
+
+		http_response_pages_free(g_tsg_para.table_id[TABLE_RESPONSE_PAGES], (MAAT_PLUGIN_EX_DATA *)&res_pages, 0, NULL);
+	}
+
+	return payload_len;
+}
+
+static int set_tcp_flags(char *packet, int ip_tcp_hdr_len)
+{	
+	struct tcphdr *tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20));  // tcp header=20 bytes
+
+	tcp->fin=1;
+	tcp->psh=0;
+	tcp->ack=1;
+
+	return 0;
+}
+
+static int reverse_ip_tcp_header(char *message, int ip_tcp_hdr_len, int v4_or_v6)
+{	
+	int ip_hdr_len=0;
+	struct tcphdr *tcp=NULL;
+	struct iphdr *ipv4=NULL;
+	struct ip6_hdr *ipv6=NULL;
+	struct in6_addr ipv6_addr;
+	unsigned short port=0;	
+	unsigned int seq=0,addr=0;
+
+	switch(v4_or_v6)
+	{
+		case	4:
+			ipv4=(struct iphdr *)message;
+			ip_hdr_len=ipv4->ihl*4;
+
+			addr=ipv4->saddr;
+			ipv4->saddr=ipv4->daddr;
+			ipv4->daddr=addr;
+			break;
+		case	6:
+			ipv6=(struct ip6_hdr *)message;
+			ip_hdr_len=sizeof(struct ip6_hdr);
+
+			memcpy((void *)&ipv6_addr, (void *)&(ipv6->ip6_src), sizeof(struct in6_addr));
+			memcpy((void *)&(ipv6->ip6_src), (void *)&(ipv6->ip6_dst), sizeof(struct in6_addr));
+			memcpy((void *)&(ipv6->ip6_dst), (void *)&ipv6_addr, sizeof(struct in6_addr));
+			break;
+		default:
+			return -1;
+			break;
+	}
+
+	tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
+	port=tcp->source;
+	tcp->source=tcp->dest;
+	tcp->dest=port;
+
+	seq=tcp->seq;
+	tcp->seq=tcp->ack_seq;
+	tcp->ack_seq=seq;
+
+	return 0;
+}
+
+static int copy_ip_tcp_header(const struct streaminfo *a_stream, const void *a_packet, char *message, int *ip_tcp_hdr_len, int *v4_or_v6)
+{
+	int ip_hdr_len=0,tcp_hdr_len=0;
+	int tcp_hdr_len_tmp=0;
+	unsigned short total_len=0;
+
+	struct iphdr *ipv4=NULL;
+	struct ip6_hdr *ipv6=NULL;
+
+	switch(a_stream->addr.addrtype)
+	{
+		case	ADDR_TYPE_IPV4:
+		case	__ADDR_TYPE_IP_PAIR_V4:
+			(*v4_or_v6)=4;
+			ipv4=(struct iphdr *)a_packet;
+			ip_hdr_len=ipv4->ihl*4;
+			total_len=ipv4->tot_len;
+			break;
+		case	ADDR_TYPE_IPV6:
+		case	__ADDR_TYPE_IP_PAIR_V6:
+			(*v4_or_v6)=6;
+			ipv6=(struct ip6_hdr *)a_packet;
+			ip_hdr_len=sizeof(struct ip6_hdr);
+			total_len=ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen;
+			break;
+		default:
+			return -1;
+			break;
+	}
+
+	memcpy(message, a_packet, ip_hdr_len);
+	
+	struct tcphdr * tcp=(struct tcphdr *)((char *)a_packet+ip_hdr_len);
+	tcp_hdr_len_tmp=tcp->doff*4;
+	tcp_hdr_len=20;
+
+	memcpy(message+ip_hdr_len, (char *)a_packet+ip_hdr_len, tcp_hdr_len);/*skip tcp option*/
+	tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
+	tcp->doff=5;
+
+	if((*v4_or_v6)==4)
+	{
+		tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-ip_hdr_len-tcp_hdr_len_tmp);	// length of packet payload
+	}
+	else
+	{
+		tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-tcp_hdr_len_tmp);	// length of packet payload
+	}
+	
+	(*ip_tcp_hdr_len)=ip_hdr_len+tcp_hdr_len;
+
+	return 0;
+}
+
+
+static unsigned char send_inject_packet(const struct streaminfo *a_stream, enum sapp_inject_opt sio, char *payload, int payload_len)
+{
+	int ret=0;
+	unsigned char raw_route_dir=0;
+	if(payload==NULL || payload_len<=0)
+	{
+		return -1;
+	}
+
+	raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
+	ret=sapp_inject_pkt((struct streaminfo *)a_stream, sio, payload, payload_len, raw_route_dir);
+	if(ret<=0)
+	{
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_FAILED], 0, FS_OP_ADD, 1); 
+		return -1;	
+	}
+
+	FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_SUCCESS], 0, FS_OP_ADD, 1); 
+	
+	return 0;
+}
+
+static int send_reponse_packet(const struct streaminfo *a_stream, char *packet, int payload_len, int v4_or_v6, int ip_tcp_hdr_len, int http_hdr_len)
+{
+	struct iphdr *ipv4=NULL;
+	struct ip6_hdr *ipv6=NULL;
+	struct tcphdr *tcp=NULL;
+
+	tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20));  // tcp header=20 bytes
+
+	if(v4_or_v6==4)
+	{
+		ipv4=(struct iphdr *)packet;
+		ipv4->tot_len=htons(ip_tcp_hdr_len+http_hdr_len+payload_len);							
+		sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
+		sendpacket_do_checksum((unsigned char *)packet, IPPROTO_IP, ipv4->ihl*4);
+	}
+	else
+	{
+		ipv6=(struct ip6_hdr *)packet;
+		ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen=htons(20+http_hdr_len+payload_len);	//tcp_hdr_len=20
+		sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
+	}
+
+	send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, packet, ip_tcp_hdr_len+http_hdr_len+payload_len);
+
+	tcp->seq=htonl(ntohl(tcp->seq)+http_hdr_len+payload_len);
+	
+	return ip_tcp_hdr_len+http_hdr_len+payload_len;
+}
+
+static int build_response_pages(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
+{
+	char *payload=NULL;
+	char message[1024*64]={0};
+	int v4_or_v6=0;
+	int http_hdr_len=0;
+	int payload_len=0;
+	int ip_tcp_hdr_len=0;
+	int i=0,one_payload_len=0;
+	int ret=0,send_pkt_len=0;
+	short max_segment_size=1400;
+
+	ret=copy_ip_tcp_header(a_stream, a_packet, message, &ip_tcp_hdr_len, &v4_or_v6);
+	if(ret!=0)
+	{
+		return 0;
+	}
+	
+	if(a_stream->curdir==DIR_C2S)
+	{
+		reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
+	}
+
+	http_hdr_len=get_http_header(message+ip_tcp_hdr_len, sizeof(message)-ip_tcp_hdr_len, user_region->deny->code, NULL);
+	payload_len=get_response_pages(p_result, user_region, &payload, a_stream->threadnum);
+	//TLD_append(TLD_handle, (char *)"http_action_file_size", (void *)(long)payload_len, TLD_TYPE_LONG);
+	
+	get_tcp_mss_option(a_stream, TCP_OPT_MSS, (void *)&max_segment_size);
+	
+	for(i=0; i<payload_len; i+=one_payload_len)
+	{
+		one_payload_len=MIN(payload_len-i, max_segment_size-http_hdr_len);
+		memcpy((char *)message+ip_tcp_hdr_len+http_hdr_len, payload+i, one_payload_len);
+		
+		send_pkt_len+=send_reponse_packet(a_stream, message, one_payload_len, v4_or_v6, ip_tcp_hdr_len, http_hdr_len);
+		http_hdr_len=0;
+	}
+	
+	if(payload!=NULL)
+	{
+		dictator_free(a_stream->threadnum, payload);
+		payload=NULL;
+	}	
+	
+	set_tcp_flags(message, ip_tcp_hdr_len);
+	send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
+	
+	reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
+	send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
+	
+	return send_pkt_len;
+}
+
+static int get_content_303(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, char *url, char *http_hdr, int http_hdr_len)
+{
+	int used_len=0;
+	char *tmp_buff=NULL;
+	char ip_str[128]={0};
+	std::string output;
+	struct _session_attribute_label_t *attr_label=NULL;
+
+	ctemplate::Template *tpl_303=ctemplate::Template::StringToTemplate(url, strlen(url), ctemplate::DO_NOT_STRIP);
+	ctemplate::TemplateDictionary dict_303("url_dict");	//dict is automatically finalized after function returned.
+	
+	dict_303.SetIntValue("tsg_policy_id", p_result->config_id);
+
+	attr_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
+	if(attr_label!=NULL && attr_label->client_subscribe_id!=NULL)
+	{
+		dict_303.SetFormattedValue("tsg_subscriber_id", "%s", attr_label->client_subscribe_id->subscribe_id);
+	}
+	else
+	{
+		dict_303.SetFormattedValue("tsg_subscriber_id", "%s", "");
+	}
+
+
+	switch(a_stream->addr.addrtype)
+	{
+		case	ADDR_TYPE_IPV4: 			
+			inet_ntop(AF_INET, (const void *)&(a_stream->addr.ipv4->saddr), ip_str, sizeof(ip_str));
+			dict_303.SetFormattedValue("tsg_client_ip", "%s", ip_str);
+			break;
+		case	ADDR_TYPE_IPV6: 			
+			inet_ntop(AF_INET6, (const void *)(a_stream->addr.ipv6->saddr), ip_str, sizeof(ip_str));
+			dict_303.SetFormattedValue("tsg_client_ip", "%s", ip_str);
+			break;
+		default:
+			dict_303.SetFormattedValue("tsg_client_ip", "%s", "");
+			break;
+	}
+
+	tpl_303->Expand(&output, &dict_303);
+
+	used_len=output.length();
+	tmp_buff=(char *)dictator_malloc(a_stream->threadnum, (used_len+1)*sizeof(char));
+	memcpy(tmp_buff, output.c_str(), used_len);
+	tmp_buff[used_len]='\0';
+
+	used_len=get_http_header(http_hdr, http_hdr_len, 303, tmp_buff);
+
+	dictator_free(a_stream->threadnum, tmp_buff);
+	tmp_buff=NULL;
+
+	return used_len;
+}
+
+static unsigned char do_action_reset(const struct streaminfo *a_stream, Maat_rule_t *p_result)
+{
+	int ret=0,opt_value=0;
+	struct rst_tcp_para rst_paras={0};
+
+	if(a_stream->type==STREAM_TYPE_TCP)
+	{
+		rst_paras.rst_pkt_num=1;
+		rst_paras.signature_seed1=65535;
+		rst_paras.signature_seed2=13;
+		rst_paras.th_flags=4;
+		rst_paras.__pad_no_use=0;
+		rst_paras.dir=DIR_DOUBLE;
+		ret=MESA_rst_tcp((struct streaminfo *)a_stream, &rst_paras, sizeof(rst_paras));
+		if(ret<0)
+		{
+			MESA_handle_runtime_log(g_tsg_para.logger,
+											RLOG_LV_FATAL,
+											"RST_TCP",
+											"Send RST failed policy_id: %d service: %d action: %d addr: %s",
+											p_result->config_id,
+											p_result->service_id,
+											(unsigned char)p_result->action,
+											PRINTADDR(a_stream, g_tsg_para.level)
+										);
+		}
+
+		opt_value=1;
+		MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
+	}
+
+	set_drop_stream(a_stream);
+
+	return APP_STATE_DROPPKT|APP_STATE_DROPME;
+}
+
+static unsigned char do_action_block_mail(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
+{
+	char *payload=NULL;
+
+	switch(user_region->deny->code)
+	{
+		case	550:
+			payload=(char *)"550 Mail was identified as spam.\r\n";
+			break;
+		case	551:
+			payload=(char *)"551 User not local; please try <forward-path>\r\n";
+			break;
+		default:
+			break;
+	}
+
+	if(payload!=NULL)
+	{
+		send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload));
+	}
+	
+	return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
+}
+
+static unsigned char do_action_block_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
+{
+	int send_pkt_len=0;
+
+	switch(user_region->deny->code)
+	{
+		case	200:
+		case	204:
+		case	403:
+		case	404:
+			send_pkt_len=build_response_pages(a_stream, p_result, user_region, a_packet);
+			tsg_set_statistic_opt(send_pkt_len, ((user_region->method_type==TSG_METHOD_TYPE_ALERT) ? OPT_TYPE_ALERT_BYTES : OPT_TYPE_BLOCK_BYTES), a_stream->threadnum);
+			break;
+		default:
+			break;
+	}
+	
+	return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
+}
+
+static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
+{
+	if(user_region==NULL || user_region->deny==NULL)
+	{
+		return do_action_reset(a_stream, p_result);
+	}
+	
+	switch(protocol)
+	{
+		case	PROTO_HTTP:
+			return do_action_block_http(a_stream, p_result, user_region, a_packet);
+			break;
+		case	PROTO_POP3:
+		case	PROTO_IMAP:
+		case	PROTO_SMTP:
+		case	PROTO_MAIL:
+			return do_action_block_mail(a_stream, p_result, user_region);
+			break;
+		default:
+			break;
+	}
+
+	set_drop_stream(a_stream);
+
+	return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
+}
+
+static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
+{
+	int used_http_hdr_len=0;
+	char http_hdr[1024]={0};
+
+	switch(user_region->deny->code)
+	{
+		case	302:
+			used_http_hdr_len=get_http_header(http_hdr, sizeof(http_hdr), user_region->deny->code, user_region->deny->redirect_url_to);			
+			send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len);
+			break;
+		case	303:			
+			used_http_hdr_len=get_content_303(a_stream, p_result, user_region->deny->redirect_url_to, http_hdr, sizeof(http_hdr));
+			send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len);
+			break;
+		default:
+			break;
+	}
+	
+	return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
+}
+
+static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol)
+{
+	if(user_region==NULL || user_region->deny==NULL)
+	{
+		return do_action_reset(a_stream, p_result);
+	}
+
+	switch(protocol)
+	{
+		case	PROTO_HTTP:
+			do_action_redirect_http(a_stream, p_result, user_region);
+			break;
+		default:
+			break;
+	}
+
+	set_drop_stream(a_stream); 
+
+	return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
+}
+
+unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *a_packet)
+{
+	unsigned char state=APP_STATE_GIVEME;
+	int method_type=TSG_METHOD_TYPE_RESET;
+	struct compile_user_region *user_region=NULL;
+
+	user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
+	if(user_region!=NULL)
+	{
+		method_type=user_region->method_type;
+	}
+	
+	switch(method_type)
+	{
+		case	TSG_METHOD_TYPE_DROP:
+		case	TSG_METHOD_TYPE_RESET:
+			state=do_action_reset(a_stream, p_result);
+			break;
+		case	TSG_METHOD_TYPE_BLOCK:
+		case	TSG_METHOD_TYPE_ALERT:
+			state=do_action_block_xxx(a_stream, p_result, user_region, protocol, a_packet);
+			break;
+		case	TSG_METHOD_TYPE_REDIRECTION:
+			state=do_action_redirect_xxx( a_stream, p_result, user_region, protocol);
+			break;
+		default:
+			break;
+	}
+
+	security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+
+	state= ((type==ACTION_RETURN_TYPE_PROT) ? (PROT_STATE_DROPME|PROT_STATE_DROPPKT) : (PROT_STATE_DROPME|PROT_STATE_DROPPKT));
+	
+	return state;
+}
+
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index b681d4a..caf6fac 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -69,7 +69,13 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{0, TSG_FS2_TCP_LINKS, "tcp_links"},
 										 {0, TSG_FS2_APP_DPKT_RESULT, "D_result"},
 										 {0, TSG_FS2_APP_Q_RESULT, "Q_result"},
 										 {0, TSG_FS2_APP_USER_RESULT, "U_result"},
-										 {0, TSG_FS2_APP_BUILT_IN_RESULT, "B_result"}
+										 {0, TSG_FS2_APP_BUILT_IN_RESULT, "B_result"},
+										 {0, TSG_FS2_INJECT_PKT_SUCCESS, "inject_succuess"},
+										 {0, TSG_FS2_INJECT_PKT_FAILED, "inject_failed"},
+										 {0, TSG_FS2_MIRRORED_PKT_SUCCESS, "mirror_pkt_suc"},
+										 {0, TSG_FS2_MIRRORED_PKT_FAILED, "mirror_pkt_fai"},
+										 {0, TSG_FS2_MIRRORED_BYTE_SUCCESS, "mirror_byte_suc"},
+										 {0, TSG_FS2_MIRRORED_BYTE_FAILED, "mirror_byte_fai"}
 										};
 
 id2field_t g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"}, 
@@ -259,18 +265,6 @@ static int is_hited_allow(struct Maat_rule_t *result, int hit_cnt)
 	return 0;
 }
 
-
-static int set_drop_stream(const struct streaminfo *a_stream)
-{
-	int opt_value=1;
-	MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
-	MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
-	MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
-
-	return 0;
-				
-}
-
 static int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data)
 {
 	if(a_stream==NULL || project_id<0)
@@ -345,6 +339,24 @@ static int get_default_policy(int compile_id, struct Maat_rule_t *result)
 	return 0;
 }
 
+int set_vlan_id_to_project(const struct streaminfo *a_stream, struct tcpall_context *context, int *vlan_id, int vlan_id_num, int thread_seq)
+{
+	int num=0;
+	context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
+	if(context==NULL)
+	{
+		context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
+		memset(context, 0, sizeof(struct tcpall_context));
+		set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)context);
+	}
+
+	num=MIN(vlan_id_num, MAX_RESULT_NUM-context->vlan_id_num);
+	memcpy(context->vlan_id+context->vlan_id_num, vlan_id, num);
+	context->vlan_id_num+=num;
+
+	return 0;
+}
+
 static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, char *domain, tsg_protocol_t proto, int thread_seq)
 {
 	tsg_log_t log_msg;	
@@ -602,72 +614,6 @@ static void copy_bypass_result(const struct streaminfo *a_stream, struct master_
 	return ;
 }
 
-static unsigned char deal_deny_action(const struct streaminfo *a_stream, struct master_context *context, Maat_rule_t *p_result)
-{
-	int ret=0,opt_value=0;
-	struct rst_tcp_para rst_paras;
-	unsigned char state=APP_STATE_GIVEME;
-	int method_type=TSG_METHOD_TYPE_UNKNOWN;
-	struct compile_user_region *user_region=NULL;
-
-	user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
-	if(user_region!=NULL)
-	{
-		method_type=tsg_get_method_id(user_region->method);		
-		security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
-	}
-	else
-	{
-		method_type=TSG_METHOD_TYPE_RESET;
-	}
-	
-	switch(method_type)
-	{
-		case	TSG_METHOD_TYPE_DROP:
-			set_drop_stream(a_stream);
-			state=APP_STATE_DROPPKT|APP_STATE_DROPME;
-			break;
-		case	TSG_METHOD_TYPE_RESET:
-			if(a_stream->type==STREAM_TYPE_TCP)
-			{
-				rst_paras.rst_pkt_num=1;
-				rst_paras.signature_seed1=65535;
-				rst_paras.signature_seed2=13;
-				rst_paras.th_flags=4;
-				rst_paras.__pad_no_use=0;
-				rst_paras.dir=DIR_DOUBLE;
-				ret=MESA_rst_tcp((struct streaminfo *)a_stream, &rst_paras, sizeof(rst_paras));
-				if(ret<0)
-				{
-					MESA_handle_runtime_log(g_tsg_para.logger,
-													RLOG_LV_FATAL,
-													"RST_TCP",
-													"Send RST failed policy_id: %d service: %d action: %d addr: %s",
-													p_result->config_id,
-													p_result->service_id,
-													(unsigned char)p_result->action,
-													PRINTADDR(a_stream, g_tsg_para.level)
-												);
-				}
-
-				opt_value=1;
-				MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
-			}
-
-			set_drop_stream(a_stream);
-			state=APP_STATE_DROPPKT|APP_STATE_DROPME;
-			break;
-		case	TSG_METHOD_TYPE_BLOCK:
-		case	TSG_METHOD_TYPE_ALERT:
-		case	TSG_METHOD_TYPE_REDIRECTION:
-			break;
-		default:
-			break;
-	}
-
-	return state;
-}
-
 static int l7_protocol_mapper(const char *filename)
 {
 	int ret=0;
@@ -1256,7 +1202,7 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
 	return hit_num;
 }
 
-static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, void *a_packet)
+static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
 {
 	Maat_rule_t *p_result=NULL;
 	unsigned char state=APP_STATE_GIVEME;
@@ -1268,7 +1214,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 		switch((unsigned char)p_result->action)
 		{
 			case	TSG_ACTION_DENY:
-				state=deal_deny_action(a_stream, context, p_result);
+				state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet);
 				if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT)
 				{
 					context->hit_cnt=0;
@@ -1291,6 +1237,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 					break;
 				}
 				copy_monitor_result(a_stream, context, result, hit_num, a_stream->threadnum);
+				tsg_notify_hited_monitor_result(a_stream, result, hit_num, a_stream->threadnum);
 				break;
 			case	TSG_ACTION_BYPASS:
 				copy_bypass_result(a_stream, context, p_result, a_stream->threadnum);				
@@ -1540,40 +1487,62 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
 	return tsg_master_entry(a_udp, pme, thread_seq, a_packet);
 }
 
-extern "C" unsigned char TSG_MASTER_TCPALL_ENTRY(struct streaminfo *a_tcp, void **pme, int thread_seq,const void *ip_hdr)
+extern "C" unsigned char TSG_MASTER_TCPALL_ENTRY(const struct streaminfo *a_tcp, void **pme, int thread_seq, const void *a_packet)
 {
-	struct tcphdr *tcp=NULL;
-
-	if(ip_hdr==NULL || a_tcp==NULL)
-	{
-		return APP_STATE_GIVEME;
-	}
-	
-	switch(a_tcp->addr.addrtype)
-	{
-		case	ADDR_TYPE_IPV4:		
-			tcp=(struct tcphdr *)MESA_net_jump_to_layer(ip_hdr, __ADDR_TYPE_IP_PAIR_V4, ADDR_TYPE_TCP);				
-			break;
-		case	ADDR_TYPE_IPV6:				
-			tcp=(struct tcphdr *)MESA_net_jump_to_layer(ip_hdr, __ADDR_TYPE_IP_PAIR_V6, ADDR_TYPE_TCP);
-			break;
-		default:
-			return APP_STATE_GIVEME;
-			break;
-	}
-	
-	if(!(tcp->syn))
-	{
-		set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY, NULL, a_tcp->threadnum);
-		set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_ASN, NULL, a_tcp->threadnum);
-		set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_LOCATION, NULL, a_tcp->threadnum);
-		set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_MLTS_USER_INFO, NULL, a_tcp->threadnum);
-		set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_SUBSCRIBER_ID, NULL, a_tcp->threadnum);
+	int hit_num=0;
+	int vlan_id_num=0;
+	int vlan_id[MAX_RESULT_NUM]={0};
+	scan_status_t scan_mid=NULL;
+	struct Maat_rule_t *p_result=NULL;	
+	unsigned char state=APP_STATE_GIVEME;
+	struct Maat_rule_t result[MAX_RESULT_NUM]={0};
+	struct tcpall_context *context=(struct tcpall_context *)(*pme);
 		
-		return APP_STATE_DROPME;
+	if(a_tcp->pktstate==OP_STATE_PENDING)
+	{
+		hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_tcp, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
+		if(hit_num>0)
+		{
+			p_result=tsg_policy_decision_criteria(result, hit_num);
+			switch(p_result->action)
+			{
+				case	TSG_ACTION_DENY:
+					state=tsg_deal_deny_action(a_tcp, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
+					master_send_log(a_tcp, p_result, hit_num, NULL, PROTO_UNKONWN, thread_seq);
+					break;
+				case	TSG_ACTION_MONITOR:
+					vlan_id_num=tsg_get_vlan_id_by_monitor_rule(g_tsg_maat_feather, result, hit_num, vlan_id, MAX_RESULT_NUM);
+					if(vlan_id_num<=0)
+					{
+						break;
+					}
+
+					set_vlan_id_to_project(a_tcp, context, vlan_id, vlan_id_num, thread_seq);
+					*pme=(void *)(context);
+
+					tsg_send_raw_packet(a_tcp, context->vlan_id, context->vlan_id_num, thread_seq);
+					break;
+				default:
+					break;
+			}
+		}
+		
+		Maat_clean_status(&scan_mid);
+		scan_mid=NULL;
+	}
+	
+	if(context!=NULL && context->vlan_id_num>0)
+	{
+		tsg_send_raw_packet(a_tcp, context->vlan_id, context->vlan_id_num, thread_seq);
 	}
 
-	return APP_STATE_GIVEME;
+	if(a_tcp->pktstate==OP_STATE_CLOSE && (*pme)!=NULL)
+	{
+		dictator_free(thread_seq, *pme);
+		*pme=NULL;
+	}
+	
+	return state;
 }
 
 extern "C" int TSG_MASTER_INIT()
@@ -1673,6 +1642,13 @@ extern "C" int TSG_MASTER_INIT()
 		return -1;
 	}
 
+	g_tsg_para.tcpall_project_id=project_producer_register("TSG_TCPALL_CONTEXT", PROJECT_VAL_TYPE_STRUCT, free_context_label);
+	if(g_tsg_para.tcpall_project_id<0)
+	{
+		MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "CONTEXT_LABEL", "project_customer_register is error, context label: %s","TSG_TCPALL_CONTEXT");
+		return -1;
+	}
+
 	g_tsg_para.gather_app_project_id=project_producer_register("APP_IDENTIFY_RESULT", PROJECT_VAL_TYPE_STRUCT, free_gather_app_result);
 	if(g_tsg_para.gather_app_project_id<0)
 	{
@@ -1680,6 +1656,23 @@ extern "C" int TSG_MASTER_INIT()
 		return -1;
 	}
 
+	char page_path[256];
+	memset(page_path, 0, sizeof(page_path));
+	MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE403", page_path, sizeof(page_path), "./tsgconf/HTTP403.html");
+	g_tsg_para.tpl_403 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
+	
+	memset(page_path, 0, sizeof(page_path));
+	MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE404", page_path, sizeof(page_path), "./tsgconf/HTTP404.html");
+	g_tsg_para.tpl_404 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
+
+	memset(page_path, 0, sizeof(page_path));
+	MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE200", page_path, sizeof(page_path), "./tsgconf/HTTP200.html");
+	g_tsg_para.tpl_200 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
+
+	memset(page_path, 0, sizeof(page_path));
+	MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE204", page_path, sizeof(page_path), "./tsgconf/HTTP204.html");
+	g_tsg_para.tpl_204 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
+
 	ret=tsg_rule_init(tsg_conffile, g_tsg_para.logger);
 	if(ret<0)
 	{
@@ -1741,7 +1734,7 @@ extern "C" int TSG_MASTER_INIT()
 
 	for(i=0; i<thread_num; i++)
 	{
-		FS_operate(g_tsg_para.fs2_handle,g_tsg_log_instance ->fs_status_ids[i], 0, FS_OP_SET, g_tsg_log_instance->send_log_percent[i]);
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_log_instance->fs_status_ids[i], 0, FS_OP_SET, g_tsg_log_instance->send_log_percent[i]);
 	}
 	
 	ret=tsg_statistic_init(tsg_conffile, g_tsg_para.logger);
@@ -1760,7 +1753,12 @@ extern "C" int TSG_MASTER_INIT()
 		MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "INIT_GTP_HASH", "tsg_gtp_signaling_hash_init failed ...");
 		return -1;
 	}
-	
+
+	ret=tsg_send_raw_packet_init(tsg_conffile, g_tsg_para.logger);
+	if(ret<0)
+	{
+		return -1;
+	}
 	return 0;
 }
 
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index bb83e25..61da852 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -3,12 +3,14 @@
 
 #include <MESA/Maat_rule.h>
 #include <MESA/field_stat2.h>
+#include <ctemplate/template.h>
 
 #include "uthash.h"
 #include "tsg_rule.h"
 #include "app_label.h"
 #include "tsg_label.h"
 #include "tsg_statistic.h"
+#include "tsg_traffic_mirror.h"
 
 #if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
 #define atomic_inc(x) __sync_add_and_fetch((x),1)
@@ -60,6 +62,7 @@ enum MASTER_TABLE{
 	TABLE_GTP_APN,
 	TABLE_GTP_IMSI,
 	TABLE_GTP_PHONE_NUMBER,
+	TABLE_RESPONSE_PAGES,
 	TABLE_MAX
 };
 
@@ -84,6 +87,12 @@ enum TSG_FS2_TYPE{
 	TSG_FS2_APP_Q_RESULT,
 	TSG_FS2_APP_USER_RESULT,
 	TSG_FS2_APP_BUILT_IN_RESULT,
+	TSG_FS2_INJECT_PKT_SUCCESS,
+	TSG_FS2_INJECT_PKT_FAILED,
+	TSG_FS2_MIRRORED_PKT_SUCCESS,
+	TSG_FS2_MIRRORED_PKT_FAILED,
+	TSG_FS2_MIRRORED_BYTE_SUCCESS,
+	TSG_FS2_MIRRORED_BYTE_FAILED,
 	TSG_FS2_MAX
 };
 
@@ -99,6 +108,12 @@ enum TSG_ATTRIBUTE_TYPE
 	_MAX_TSG_ATTRIBUTE_TYPE
 };
 
+enum HTTP_RESPONSE_FORMAT
+{
+	HTTP_RESPONSE_FORMAT_TEMPLATE=0,
+	HTTP_RESPONSE_FORMAT_HTML
+};
+
 struct _str2index
 {
 	int index;
@@ -127,6 +142,16 @@ struct _fqdn_category_t
 	char fqdn[MAX_DOAMIN_LEN/8];
 };
 
+struct http_response_pages
+{
+	int profile_id;
+	int content_len;
+	int ref_cnt;	
+	enum HTTP_RESPONSE_FORMAT format;
+	char *content;
+};
+
+
 struct master_context
 {
 	tsg_protocol_t proto;
@@ -139,10 +164,17 @@ struct master_context
 	struct timespec last_scan_time;
 };
 
+struct tcpall_context
+{
+	int vlan_id_num;
+	int vlan_id[MAX_RESULT_NUM];
+};
+
 #define	_MAX_TABLE_NAME_LEN	64
 typedef	struct _tsg_para
 {
-	int level;	
+	int level;
+	short mirror_switch;
 	unsigned short timeout;
 	int app_dict_field_num;
 	int device_id;
@@ -158,6 +190,7 @@ typedef	struct _tsg_para
 	int priority_project_id;
 	int internal_project_id;
 	int context_project_id;
+	int tcpall_project_id;
 	int linkinfo_project_id;
 	int gather_app_project_id;
 	int app_bridge_id;
@@ -172,6 +205,10 @@ typedef	struct _tsg_para
 	screen_stat_handle_t fs2_handle;
 	struct l7_protocol *name_by_id;
 	struct l7_protocol *id_by_name;
+	struct traffic_mirror *mirror_handle;
+	ctemplate::Template *tpl_403,*tpl_404;
+	ctemplate::Template *tpl_200,*tpl_204;
+	ctemplate::Template *tpl_303;
 }g_tsg_para_t;
 
 extern g_tsg_para_t g_tsg_para;
@@ -261,6 +298,7 @@ typedef	struct _tsg_statistic
 
 int tsg_statistic_init(const char *conffile, void *logger);
 int tsg_gtp_signaling_hash_init(const char* conffile, void *logger);
+int tsg_send_raw_packet_init(const char* conffile, void *logger);
 
 //parent_app_name.app_name
 int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_parent);
@@ -269,7 +307,10 @@ void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void*
 void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
+void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
+int set_vlan_id_to_project(const struct streaminfo *a_stream, struct tcpall_context *context, int *vlan_id, int vlan_id_num, int thread_seq);
 void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
+
 struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq);
 int tsg_scan_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num);
 int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, char *domain, Maat_rule_t *result, int result_num,  scan_status_t *mid, int table_id, int thread_seq);
@@ -282,5 +323,7 @@ int tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct s
 int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA *client_location, MAAT_PLUGIN_EX_DATA *server_location);
 int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn);
 int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct _subscribe_id_info_t **source_subscribe_id, struct _subscribe_id_info_t **dest_subscribe_id);
+int tsg_send_raw_packet(const struct streaminfo *a_stream, int *vlan_id, int vlan_id_num, int thread_seq);
+int tsg_get_vlan_id_by_monitor_rule(Maat_feather_t maat_feather, struct Maat_rule_t *result, int result_num, int *vlan_id, int vlan_id_num);
 
 #endif
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 821e078..0ecf975 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -37,7 +37,8 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={	{TSG_METHOD_TYPE_UNK
 													{TSG_METHOD_TYPE_REDIRECTION, 8, (char *)"redirect"},
 													{TSG_METHOD_TYPE_BLOCK, 5, (char *)"block"},
 													{TSG_METHOD_TYPE_RESET, 3, (char *)"rst"},
-													{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"}
+													{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"},
+													{TSG_METHOD_TYPE_ALERT, 10, (char *)"rate_limit"}
 	};
 
 static char* str_unescape(char* s)
@@ -556,75 +557,170 @@ void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, voi
 	return;
 }
 
-void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
-{	
-	int len=0;
-	cJSON *object=NULL, *item=NULL;
-	struct compile_user_region *user_region=NULL;
-	
-	if(rule!=NULL)
+static int get_string_from_json(cJSON *object, const char *key, char **value)
+{
+	if(object==NULL || key==NULL)
 	{
-		if(srv_def_large!=NULL && strlen(srv_def_large)>2)
-		{
-			object=cJSON_Parse(srv_def_large);
-			if(object!=NULL)
-			{				
-				user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
-				atomic_inc(&user_region->ref_cnt);
+		return 0;
+	}
+	int len=0;
+	cJSON *item=cJSON_GetObjectItem(object, key);
+	if(item!=NULL)
+	{
+		len=strlen(item->valuestring);
+		(*value)=(char *)malloc(len+1);
+		memcpy((*value), item->valuestring, len);
+		(*value)[len]='\0';
 
-				item=cJSON_GetObjectItem(object, "method");
-				if(item!=NULL)
-				{
-					len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1);
-					memcpy(user_region->method, item->valuestring, len);
-				}
+		return 1;
+	}
 
-				item=cJSON_GetObjectItem(object, "protocol");
-				if(item!=NULL)
-				{
-					len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1);
-					memcpy(user_region->protocol, item->valuestring, len);
-				}
+	return 0;
+}
 
-				item=cJSON_GetObjectItem(object, "message");
-				if(item!=NULL)
-				{
-					len=strlen(item->valuestring)+1;
-					user_region->message=(char *)calloc(1, len);
-					memcpy(user_region->message, item->valuestring, len-1);
-				}
+static int get_integer_from_json(cJSON *object, const char *key, int *value)
+{
+	if(object==NULL || key==NULL || (value)==NULL)
+	{
+		return 0;
+	}
+	
+	cJSON *item=cJSON_GetObjectItem(object, key);
+	if(item!=NULL)
+	{
+		(*value)=item->valueint;
+		return 1;
+	}
 
-				item=cJSON_GetObjectItem(object, "code");
-				if(item!=NULL)
-				{
-					user_region->code=item->valueint;
-				}
+	return 0;
+}
 
-				item=cJSON_GetObjectItem(object, "html_profile");
-				if(item!=NULL)
-				{
-					user_region->html_profile=item->valueint;
-				}
+static struct compile_user_region *parse_monitor_user_region(cJSON *object)
+{
+	cJSON *mirror_item=NULL;
+	struct compile_user_region *user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
+	mirror_item=cJSON_GetObjectItem(object, "packet_mirror");
+	if(mirror_item)
+	{
+		user_region->mirror=(struct monitor_user_region *)calloc(1, sizeof(struct monitor_user_region));
+		get_integer_from_json(mirror_item, "enable", &(user_region->mirror->enabled));		
+		get_integer_from_json(mirror_item, "mirror_vlan", &(user_region->mirror->mirror_vlan_id));
+	}
 
-				cJSON_Delete(object);
-				object=NULL;
-			}
-		}
+	return user_region;
+}
 
-		if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
-		{
-			if(user_region==NULL)
+static struct compile_user_region *parse_deny_user_region(cJSON *object)
+{
+	int ret=0;
+	cJSON *item=NULL;	
+	struct compile_user_region *user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
+	
+	item=cJSON_GetObjectItem(object, "method");
+	if(item!=NULL)
+	{
+		user_region->method_type=(TSG_METHOD_TYPE)tsg_get_method_id(item->valuestring);
+	}
+
+	switch(user_region->method_type)
+	{
+		case	TSG_METHOD_TYPE_ALERT:
+		case	TSG_METHOD_TYPE_BLOCK:
+			user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
+			get_integer_from_json(object, "code", &(user_region->deny->code));
+			ret=get_integer_from_json(object, "html_profile", &(user_region->deny->profile_id));
+			if(ret==1)
 			{
-				user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));				
-				atomic_inc(&user_region->ref_cnt);
+				user_region->deny->type=TSG_DENY_TYPE_PROFILE;
+				break;
 			}
 			
-			user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
-			memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
-		}
-
-		*ad=(MAAT_RULE_EX_DATA)user_region;
+			ret=get_string_from_json(object, "message", &(user_region->deny->message));
+			if(ret==1)
+			{
+				user_region->deny->type=TSG_DENY_TYPE_MESSAGE;
+				break;
+			}
+			
+			user_region->deny->type=TSG_DENY_TYPE_MAX;
+			break;
+		case	TSG_METHOD_TYPE_REDIRECTION:
+			user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
+			get_integer_from_json(object, "code", &(user_region->deny->code));
+			ret=get_string_from_json(object, "redirect_url", &(user_region->deny->redirect_url_to));
+			if(ret==1)
+			{
+				user_region->deny->type=TSG_DENY_TYPE_REDIRECT_TO;
+				break;
+			}
+			ret=get_string_from_json(object, "to", &(user_region->deny->redirect_url_to));
+			if(ret==1)
+			{
+				user_region->deny->type=TSG_DENY_TYPE_REDIRECT_TO;
+				break;
+			}
+			break;
+		case	TSG_METHOD_TYPE_RATE_LINIT:
+			user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
+			get_integer_from_json(object, "bytes_per_sec", &(user_region->deny->bytes_per_sec));
+			break;
+		case	TSG_METHOD_TYPE_DROP:
+		case	TSG_METHOD_TYPE_RESET:
+			break;
+		default:
+			break;
 	}
+	
+	return user_region;
+}
+
+void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
+{
+	cJSON *object=NULL;
+	struct compile_user_region *user_region=NULL;
+	
+	if(rule==NULL)
+	{
+		return ;
+	}
+	
+	if(srv_def_large!=NULL && strlen(srv_def_large)>2)
+	{
+		object=cJSON_Parse(srv_def_large);
+		if(object!=NULL)
+		{				
+			switch(rule->action)
+			{
+				case	TSG_ACTION_DENY:
+					user_region=parse_deny_user_region(object);
+					atomic_inc(&user_region->ref_cnt);
+					break;
+				case	TSG_ACTION_MONITOR:
+					user_region=parse_monitor_user_region(object);
+					atomic_inc(&user_region->ref_cnt);
+					break; 
+				default:
+					break;
+			}
+
+			cJSON_Delete(object);
+			object=NULL;
+		}
+	}
+
+	if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
+	{
+		if(user_region==NULL)
+		{
+			user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));				
+			atomic_inc(&user_region->ref_cnt);
+		}
+		
+		user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
+		memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
+	}
+
+	*ad=(MAAT_RULE_EX_DATA)user_region;
 
 	return ;
 }
@@ -639,32 +735,183 @@ void security_compile_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *fro
 	}
 }
 
+static void free_deny_user_region(struct deny_user_region *deny)
+{
+	if(deny==NULL)
+	{
+		return ;
+	}
+
+	switch(deny->type)
+	{
+		case	TSG_DENY_TYPE_MESSAGE:
+		case	TSG_DENY_TYPE_REDIRECT_TO:
+			if(deny->para)
+			{
+				free(deny->para);
+				deny->para=NULL;
+			}
+			break;
+		default:
+			break;
+	}
+
+}
+
 void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
 {
 	struct compile_user_region *user_region=(struct compile_user_region *)(*ad);
-	if(user_region!=NULL)
+	if(user_region==NULL)
 	{
-		atomic_dec(&user_region->ref_cnt);
-		if(user_region->ref_cnt<=0)
-		{
-			if(user_region->message!=NULL)
-			{
-				free(user_region->message);
-				user_region->message=NULL;
-			}
+		return ;
+	}
+	
+	atomic_dec(&user_region->ref_cnt);
+	if(user_region->ref_cnt>0)
+	{
+		return ;
+	}
+	
+	switch(user_region->method_type)
+	{
+		case	TSG_METHOD_TYPE_ALERT:
+		case	TSG_METHOD_TYPE_BLOCK:
+		case	TSG_METHOD_TYPE_RATE_LINIT:
+		case	TSG_METHOD_TYPE_REDIRECTION:
+			free_deny_user_region(user_region->deny);
+			break;
+		default:
+			break;
+	}
+	
+	if(user_region->user_region_para!=NULL)
+	{
+		free(user_region->user_region_para);
+		user_region->user_region_para=NULL;
+	}
+	
+	free(*ad);
+	*ad=NULL;
+		
+}
 
-			if(user_region->result!=NULL)
-			{
-				free(user_region->result);
-				user_region->result=NULL;
-			}
-			
-			free(*ad);
-			*ad=NULL;
-		}
+static char *get_pages_content(const char *filename, int *filelen)
+{
+	FILE *file = NULL;
+	long length = 0;
+	char *content = NULL;
+	size_t read_chars = 0;
+	file = fopen(filename, "rb");
+	if(file == NULL)
+	{
+		goto cleanup;
+	}
+	if(fseek(file, 0, SEEK_END) != 0)
+	{
+		goto cleanup;
+	}
+	length = ftell(file);
+	if(length < 0)
+	{
+		goto cleanup;
+	}
+	if(fseek(file, 0, SEEK_SET) != 0) 
+	{
+		goto cleanup;
+	} 
+	content = (char*)malloc((size_t)length + sizeof("")); 
+	if(content == NULL)
+	{
+		goto cleanup;
+	}
+	read_chars = fread(content, sizeof(char), (size_t)length, file);
+	if ((long)read_chars != length)
+	{
+		free(content);
+		content = NULL;
+		goto cleanup;
+	}
+	*filelen = read_chars;
+	content[read_chars] = '\0';
+cleanup:
+	if (file != NULL)
+	{
+		fclose(file);
+	}
+
+	return content;
+}
+
+
+void http_response_pages_dup(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
+{
+	struct http_response_pages *res_pages=(struct http_response_pages *)*from;
+
+	if(*from!=NULL)
+	{
+		*to=*from;
+		atomic_inc(&res_pages->ref_cnt);
 	}
 }
 
+void http_response_pages_new(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+	int ret=0;
+	void *logger=argp;
+	int is_valid;
+	char format[256]={0};
+	char path[1024]={0};
+	char profile_name[256]={0};
+	struct http_response_pages *res_pages=NULL;
+
+	res_pages=(struct http_response_pages *)calloc(1, sizeof(struct http_response_pages));
+	
+	ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%d", &res_pages->profile_id, profile_name, format, path, &is_valid);
+	if(ret!=5)
+	{
+		free(res_pages);
+		res_pages=NULL;
+		if(logger!=NULL)
+		{
+			MESA_handle_runtime_log(logger, 
+									RLOG_LV_FATAL,
+									"RESPONSE_PAGES",
+									"Parse response pages failed, ret: %d table_id: %d key: %s table_line: %s",
+									ret,
+									table_id,
+									key,
+									table_line
+									);
+		}
+		return;
+	}
+	
+	if((strncasecmp(format, "template", strlen(format)))==0)
+	{
+		res_pages->format=HTTP_RESPONSE_FORMAT_TEMPLATE;
+	}
+	else
+	{
+		res_pages->format=HTTP_RESPONSE_FORMAT_HTML;
+	}
+	
+	atomic_inc(&res_pages->ref_cnt);
+	res_pages->content=get_pages_content(path, &res_pages->content_len);
+	*ad=(MAAT_PLUGIN_EX_DATA)res_pages;
+}
+
+void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+	struct http_response_pages *res_pages=(struct http_response_pages *)*ad;
+
+	atomic_dec(&res_pages->ref_cnt);
+	if(res_pages->ref_cnt<=0)
+	{
+		free(res_pages->content);
+		free(*ad);
+		*ad=NULL;	
+	}
+}
 
 static int get_fqdn_category_id(Maat_feather_t maat_feather, int table_id, char *fqdn, unsigned int *category_id, int category_id_num, void *logger, int thread_seq)
 {
@@ -858,6 +1105,8 @@ int tsg_rule_init(const char* conffile, void *logger)
 	MESA_load_profile_string_def(conffile, "MAAT", "GTP_APN", g_tsg_para.table_name[TABLE_GTP_APN], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_APN");
 	MESA_load_profile_string_def(conffile, "MAAT", "GTP_IMSI", g_tsg_para.table_name[TABLE_GTP_IMSI], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_IMSI");
 	MESA_load_profile_string_def(conffile, "MAAT", "GTP_PHONE_NUMBER", g_tsg_para.table_name[TABLE_GTP_PHONE_NUMBER], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_PHONE_NUMBER");
+	MESA_load_profile_string_def(conffile, "MAAT", "GTP_PHONE_NUMBER", g_tsg_para.table_name[TABLE_GTP_PHONE_NUMBER], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_PHONE_NUMBER");
+	MESA_load_profile_string_def(conffile, "MAAT", "RESPONSE_PAGES_TABLE", g_tsg_para.table_name[TABLE_RESPONSE_PAGES], _MAX_TABLE_NAME_LEN, "TSG_PROFILE_RESPONSE_PAGES");
 
 	//init static maat feather
 	g_tsg_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_STATIC", (char *)"STATIC", logger);
@@ -980,6 +1229,25 @@ int tsg_rule_init(const char* conffile, void *logger)
 								); 
 		return -1;		
 	}
+	
+	ret=Maat_plugin_EX_register(g_tsg_maat_feather,
+							g_tsg_para.table_id[TABLE_RESPONSE_PAGES],
+							http_response_pages_new,
+							http_response_pages_free,
+							http_response_pages_dup,
+							NULL,
+							0,
+							logger);
+	if(ret<0)
+	{
+		MESA_handle_runtime_log(logger, 
+								RLOG_LV_FATAL,
+								"RESPONSE_PAGES",
+								"Maat_plugin_EX_register failed, table_name: %s table_id: %d",
+								g_tsg_para.table_name[TABLE_RESPONSE_PAGES],
+								g_tsg_para.table_id[TABLE_RESPONSE_PAGES]); 
+		return -1;		
+	}
 
 	//init dynamic maat feather
 	g_tsg_dynamic_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_DYNAMIC", (char *)"DYNAMIC", logger);
@@ -1778,3 +2046,40 @@ int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_p
 
 	return offset;
 }
+
+int tsg_free_compile_user_region(const struct Maat_rule_t *rule, struct compile_user_region *user_region)
+{
+	security_compile_free(0,  rule, NULL , (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+
+	return 0;
+}
+
+struct compile_user_region *tsg_get_compile_user_region(const Maat_feather_t maat_feather,  struct Maat_rule_t *result)
+{
+	return ((struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]));
+}
+
+int tsg_get_vlan_id_by_monitor_rule(Maat_feather_t maat_feather, struct Maat_rule_t *result, int result_num, int *vlan_id, int vlan_id_num)
+{
+	int i=0,count=0;
+	struct compile_user_region *user_region=NULL;
+
+	for(i=0; i<result_num && count<vlan_id_num; i++)
+	{
+		if(result[i].action!=TSG_ACTION_MONITOR)
+		{
+			continue;
+		}
+		
+		user_region=tsg_get_compile_user_region(maat_feather, &(result[i]));
+		if(user_region!=NULL)
+		{
+			vlan_id[count++]=user_region->mirror->mirror_vlan_id;
+			tsg_free_compile_user_region(&(result[i]), user_region);
+			user_region=NULL;
+		}
+	}
+	
+	return count;
+}
+
diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h
index 209be8b..5414a95 100644
--- a/src/tsg_send_log_internal.h
+++ b/src/tsg_send_log_internal.h
@@ -105,6 +105,8 @@ typedef enum _tsg_log_field_id
 	LOG_COMMON_GTP_IMEI,
 	LOG_COMMON_GTP_MSISDN,	//PHONE_NUMBER
 	LOG_COMMON_USERDEFINE_APP,
+	LOG_COMMON_MIRRORED_PKTS,
+	LOG_COMMON_MIRRORED_BYTES,
 	LOG_COMMON_MAX
 }tsg_log_field_id_t;
 
diff --git a/src/tsg_send_raw_packet.cpp b/src/tsg_send_raw_packet.cpp
new file mode 100644
index 0000000..352e5e0
--- /dev/null
+++ b/src/tsg_send_raw_packet.cpp
@@ -0,0 +1,107 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <MESA/MESA_prof_load.h>
+#include <MESA/MESA_handle_logger.h>
+
+#include "tsg_rule.h"
+#include "tsg_entry.h"
+
+
+static int send_raw_packet(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq)
+{
+	int ret=tsg_traffic_mirror_send_burst(ttm, (char *)pkt_ptr, pkt_len, vlan_array, vlan_num, thread_seq);		
+	if(ret==TRRAFFIC_MIRROR_SEND_SUCCESS)
+	{				
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_PKT_SUCCESS], 0, FS_OP_ADD, 1);
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_BYTE_SUCCESS], 0, FS_OP_ADD, pkt_len); 		
+	}
+	else
+	{
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_PKT_FAILED], 0, FS_OP_ADD, 1);
+		FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_BYTE_FAILED], 0, FS_OP_ADD, pkt_len);
+
+		return -1;
+	}
+
+	return 0;
+}
+
+int tsg_send_raw_packet(const struct streaminfo *a_stream, int *vlan_id, int vlan_id_num, int thread_seq)
+{
+	int ret=0;
+	void *p_eth_rawpkt=NULL;
+	int eth_rawpkt_len=0;
+	raw_ipfrag_list_t *frag_pkt=NULL;
+	
+	if(g_tsg_para.mirror_switch==0)
+	{
+		return 0;
+	}
+
+	ret=get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &p_eth_rawpkt);
+	switch(0)
+	{
+		case	0:
+			ret=get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_TOT_LEN, &eth_rawpkt_len);
+			if(ret<0)
+			{
+				break;
+			}
+			
+			send_raw_packet(g_tsg_para.mirror_handle, (char *)p_eth_rawpkt, eth_rawpkt_len, vlan_id, vlan_id_num, thread_seq);
+			break;
+		case	1:
+			frag_pkt=(raw_ipfrag_list_t *)p_eth_rawpkt;
+			while(frag_pkt)
+			{
+				send_raw_packet(g_tsg_para.mirror_handle, (char *)(frag_pkt->frag_packet), frag_pkt->pkt_len, vlan_id, vlan_id_num, thread_seq);				
+				frag_pkt = frag_pkt->next;
+			}
+			break;
+		default:
+			break;
+	}
+		
+	return 0;
+}
+
+int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, int thread_seq)
+{
+	if(g_tsg_para.mirror_switch==0)
+	{
+		return 0;
+	}
+
+	int vlan_id_num=0;
+	int vlan_id[MAX_RESULT_NUM]={0};
+	struct tcpall_context *context=NULL;
+
+	vlan_id_num=tsg_get_vlan_id_by_monitor_rule(g_tsg_maat_feather, result, result_num, vlan_id, MAX_RESULT_NUM);
+	if(vlan_id_num<=0)
+	{
+		return 0;
+	}
+
+	set_vlan_id_to_project(a_stream, context, vlan_id, vlan_id_num, thread_seq);
+
+	return 1;
+}
+
+int tsg_send_raw_packet_init(const char* conffile, void *logger)
+{
+	MESA_load_profile_short_def(conffile, "TRAFFIC_MIRROR", "TRAFFIC_MIRROR_ENABLE", &g_tsg_para.mirror_switch, 0);
+	if(g_tsg_para.mirror_switch==0)
+	{
+		return 0;
+	}
+	
+	g_tsg_para.mirror_handle=tsg_traffic_mirror_init(conffile, g_tsg_para.logger);
+	if(g_tsg_para.mirror_handle==NULL)
+	{
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/src/tsg_traffic_mirror.cpp b/src/tsg_traffic_mirror.cpp
new file mode 100644
index 0000000..93f9f81
--- /dev/null
+++ b/src/tsg_traffic_mirror.cpp
@@ -0,0 +1,167 @@
+#include <marsio.h>
+#include <stdio.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <stream.h>
+
+#include <MESA/MESA_prof_load.h>
+#include <MESA/MESA_handle_logger.h>
+
+#include "tsg_traffic_mirror.h"
+
+#define BURST_MAX       64
+#define PREDICT_FALSE(x) __builtin_expect((x),0)
+#define PREDICT_TRUE(x) __builtin_expect((x),1)
+
+struct traffic_mirror
+{
+  struct mr_instance * mr_instance;
+  struct mr_vdev * dev_handler;
+  struct mr_sendpath * to_dev_sendpath;
+  char app_name[64];
+  char nic_name[32];
+  int nr_thread;
+  int default_vlan_id;
+};
+
+struct traffic_mirror *tsg_traffic_mirror_init(const char *conffile, void *logger)
+{
+  int ret=0,traffic_mirror_enable=TRRAFFIC_MIRROR_DISABLE;
+  struct traffic_mirror *ttm = NULL;
+
+  ttm=(struct traffic_mirror *)calloc(1, sizeof(struct traffic_mirror));
+
+  if (conffile == NULL)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Conffile Path Is Null !!!");
+    goto init_error;
+  }
+
+  MESA_load_profile_int_def(conffile, "TRAFFIC_MIRROR", "TRAFFIC_MIRROR_ENABLE", &traffic_mirror_enable, 0);
+  if (traffic_mirror_enable != TRRAFFIC_MIRROR_ENABLE)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Traffic Mirror Is Disable !!!");
+    goto init_error;
+  }
+
+  MESA_load_profile_string_def(conffile, "TRAFFIC_MIRROR", "NIC_NAME", ttm->nic_name, sizeof(ttm->nic_name), "lo");
+  if (ttm->nic_name == NULL)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Traffic Mirror Cfg No Setting Nic Name !!!");
+    goto init_error;
+  }
+
+  MESA_load_profile_string_def(conffile, "TRAFFIC_MIRROR", "APP_NAME", ttm->app_name, sizeof(ttm->app_name),"tsg_traffic_mirror");
+
+  MESA_load_profile_int_def(conffile, "TRAFFIC_MIRROR", "DEFAULT_VLAN_ID", &ttm->default_vlan_id, 0);
+
+  ttm->mr_instance = marsio_create();
+  if (ttm->mr_instance == NULL)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Create Error !!!");
+    goto init_error;
+  }
+
+  ret = marsio_init(ttm->mr_instance, ttm->app_name);
+  if (ret < 0)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Init Error !!!");
+    goto init_error;
+  }
+
+  ttm->nr_thread = get_thread_count();
+  if (ttm->nr_thread <= 0)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Get Thread Count Error :%d",ttm->nr_thread);
+    goto init_error;
+  }
+
+  ttm->dev_handler = marsio_open_device(ttm->mr_instance, ttm->nic_name, 0, ttm->nr_thread);
+  if (ttm->dev_handler == NULL)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Open Device Error :%s",ttm->nic_name);
+    goto init_error;
+  }
+
+  ttm->to_dev_sendpath = marsio_sendpath_create_by_vdev(ttm->dev_handler);
+  if (ttm->to_dev_sendpath == NULL)
+  {
+    MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Create Sendpath Error !!!");
+    goto init_error;
+  }
+  return ttm;
+
+init_error:
+  if (ttm->mr_instance != NULL)
+  {
+    marsio_destory(ttm->mr_instance);
+  }
+
+  free(ttm);
+
+  return NULL;
+}
+
+int tsg_traffic_mirror_send_burst(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq)
+{
+  int i=0,ret=0,tx_buffer_num=0;
+  marsio_buff_t * tx_buff[BURST_MAX];
+  int *vlan_tag_array = NULL;
+
+  if (PREDICT_FALSE((ttm == NULL) || (ttm->to_dev_sendpath == NULL)))
+  {
+    return SEND_ERROR_NOT_INIT;
+  }
+  if (PREDICT_FALSE(thread_seq >= ttm->nr_thread))
+  {
+    return SEND_ERROR_THREAD_SEQ_ERR;
+  }
+  if (PREDICT_FALSE(pkt_ptr == NULL))
+  {
+    return SEND_ERROR_PKT_BUFFER_IS_NULL;
+  }
+  if (PREDICT_FALSE(pkt_len == 0))
+  {
+    return SEND_ERROR_PKT_LEN_ERROR;
+  }
+  if (PREDICT_FALSE(vlan_num > BURST_MAX))
+  {
+    return SEND_ERROR_VLAN_NUM_EXCEED_BURST_MAX;
+  }
+
+  if (PREDICT_FALSE((vlan_num <= 1) || (vlan_array == NULL)))
+  {
+    tx_buffer_num = 1;
+    vlan_tag_array = &ttm->default_vlan_id;
+  }
+  else
+  {
+    tx_buffer_num = vlan_num;
+    vlan_tag_array = vlan_array;
+  }
+
+  ret = marsio_buff_malloc_global(ttm->mr_instance, tx_buff, tx_buffer_num, MARSIO_SOCKET_ID_ANY, MARSIO_LCORE_ID_ANY);
+  if (PREDICT_FALSE(ret < 0 ))
+  {
+    return SEND_ERROR_BUFF_MALLOC_ERROR;
+  }
+
+  for (i = 0; i < tx_buffer_num; i++)
+  {
+    unsigned int vlan_id = vlan_tag_array[i];
+    marsio_buff_t * tx_buff_ptr = tx_buff[i];
+    char * tx_buff_begin = marsio_buff_append(tx_buff_ptr, pkt_len);
+    memcpy(tx_buff_begin, pkt_ptr, pkt_len);
+    marsio_buff_set_metadata(tx_buff_ptr,MR_BUFF_METADATA_VLAN_TCI,&vlan_id,sizeof(vlan_id));
+  }
+
+  ret = marsio_send_burst_with_options(ttm->to_dev_sendpath, thread_seq, tx_buff, tx_buffer_num, MARSIO_SEND_OPT_FAST);
+  if (PREDICT_FALSE(ret < 0))
+  {
+    return TRRAFFIC_MIRROR_SEND_ERROR_DROP;
+  }
+
+  return TRRAFFIC_MIRROR_SEND_SUCCESS;
+}
\ No newline at end of file
diff --git a/src/tsg_traffic_mirror.h b/src/tsg_traffic_mirror.h
new file mode 100644
index 0000000..69f2bce
--- /dev/null
+++ b/src/tsg_traffic_mirror.h
@@ -0,0 +1,23 @@
+#ifndef __TSG_TRAFFIC_MIRROR_H__
+#define __TSG_TRAFFIC_MIRROR_H__
+
+#define TRRAFFIC_MIRROR_DISABLE 0
+#define TRRAFFIC_MIRROR_ENABLE 1
+
+#define TRRAFFIC_MIRROR_SEND_SUCCESS 0
+#define SEND_ERROR_NOT_INIT -1
+#define SEND_ERROR_THREAD_SEQ_ERR -2
+#define SEND_ERROR_PKT_BUFFER_IS_NULL -3
+#define SEND_ERROR_PKT_LEN_ERROR -4
+#define SEND_ERROR_VLAN_BUFFER_IS_NULL -5
+#define SEND_ERROR_VLAN_NUM_ERROR -6
+#define SEND_ERROR_VLAN_NUM_EXCEED_BURST_MAX -7
+#define SEND_ERROR_BUFF_MALLOC_ERROR -8
+#define TRRAFFIC_MIRROR_SEND_ERROR_DROP -9
+
+struct traffic_mirror;
+
+struct traffic_mirror *tsg_traffic_mirror_init(const char *conffile, void *logger);
+int tsg_traffic_mirror_send_burst(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq);
+
+#endif
\ No newline at end of file
diff --git a/support/CMakeLists.txt b/support/CMakeLists.txt
new file mode 100644
index 0000000..438be62
--- /dev/null
+++ b/support/CMakeLists.txt
@@ -0,0 +1,17 @@
+include(ExternalProject)
+
+### ctemplate
+ExternalProject_Add(ctemplate PREFIX ctemplate
+        URL ${CMAKE_CURRENT_SOURCE_DIR}/ctemplate-2.3.tar.gz
+        URL_MD5 3b91f3c1e7aa55cb4c2957acf77d6b9a
+        BUILD_COMMAND sh autogen.sh
+        CONFIGURE_COMMAND CPPFLAGS=-fPIC ./configure --prefix=<INSTALL_DIR> CFLAGS=-fPIC CXXFLAGS=-fPIC  LDFLAGS=-fPIC
+        BUILD_IN_SOURCE 1)
+
+ExternalProject_Get_Property(ctemplate INSTALL_DIR)
+file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
+
+add_library(ctemplate-static STATIC IMPORTED GLOBAL)
+add_dependencies(ctemplate-static ctemplate)
+set_property(TARGET ctemplate-static PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libctemplate.a)
+set_property(TARGET ctemplate-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
diff --git a/support/ctemplate-2.3.tar.gz b/support/ctemplate-2.3.tar.gz
new file mode 100644
index 0000000..6ec1a72
Binary files /dev/null and b/support/ctemplate-2.3.tar.gz differ