QUIC branch merge

Roman Arutyunyan arut at nginx.com
Fri May 19 17:33:39 UTC 2023


Hi,

Following the push of quic branch, here's the merge diff.

--
Roman Arutyunyan
-------------- next part --------------
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -5,12 +5,17 @@
 
 if [ $OPENSSL != NONE ]; then
 
+    have=NGX_OPENSSL . auto/have
+    have=NGX_SSL . auto/have
+
+    if [ $USE_OPENSSL_QUIC = YES ]; then
+        have=NGX_QUIC . auto/have
+        have=NGX_QUIC_OPENSSL_COMPAT . auto/have
+    fi
+
     case "$CC" in
 
         cl | bcc32)
-            have=NGX_OPENSSL . auto/have
-            have=NGX_SSL . auto/have
-
             CFLAGS="$CFLAGS -DNO_SYS_TYPES_H"
 
             CORE_INCS="$CORE_INCS $OPENSSL/openssl/include"
@@ -33,9 +38,6 @@ if [ $OPENSSL != NONE ]; then
         ;;
 
         *)
-            have=NGX_OPENSSL . auto/have
-            have=NGX_SSL . auto/have
-
             CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
             CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
             CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
@@ -123,6 +125,35 @@ else
             CORE_INCS="$CORE_INCS $ngx_feature_path"
             CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
             OPENSSL=YES
+
+            if [ $USE_OPENSSL_QUIC = YES ]; then
+
+                ngx_feature="OpenSSL QUIC support"
+                ngx_feature_name="NGX_QUIC"
+                ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
+                . auto/feature
+
+                if [ $ngx_found = no ]; then
+                    have=NGX_QUIC_OPENSSL_COMPAT . auto/have
+
+                    ngx_feature="OpenSSL QUIC compatibility"
+                    ngx_feature_test="SSL_CTX_add_custom_ext(NULL, 0, 0,
+                                                 NULL, NULL, NULL, NULL, NULL)"
+                    . auto/feature
+                fi
+
+                if [ $ngx_found = no ]; then
+cat << END
+
+$0: error: certain modules require OpenSSL QUIC support.
+You can either do not enable the modules, or install the OpenSSL library with
+QUIC support into the system, or build the OpenSSL library with QUIC support
+statically from the source with nginx by using --with-openssl=<path> option.
+
+END
+                        exit 1
+                fi
+            fi
         fi
     fi
 
diff --git a/auto/make b/auto/make
--- a/auto/make
+++ b/auto/make
@@ -6,9 +6,10 @@
 echo "creating $NGX_MAKEFILE"
 
 mkdir -p $NGX_OBJS/src/core $NGX_OBJS/src/event $NGX_OBJS/src/event/modules \
+         $NGX_OBJS/src/event/quic \
          $NGX_OBJS/src/os/unix $NGX_OBJS/src/os/win32 \
-         $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/modules \
-         $NGX_OBJS/src/http/modules/perl \
+         $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/v3 \
+         $NGX_OBJS/src/http/modules $NGX_OBJS/src/http/modules/perl \
          $NGX_OBJS/src/mail \
          $NGX_OBJS/src/stream \
          $NGX_OBJS/src/misc
diff --git a/auto/modules b/auto/modules
--- a/auto/modules
+++ b/auto/modules
@@ -102,7 +102,7 @@ if [ $HTTP = YES ]; then
     fi
 
 
-    if [ $HTTP_V2 = YES ]; then
+    if [ $HTTP_V2 = YES -o $HTTP_V3 = YES ]; then
         HTTP_SRCS="$HTTP_SRCS $HTTP_HUFF_SRCS"
     fi
 
@@ -124,6 +124,7 @@ if [ $HTTP = YES ]; then
     #     ngx_http_header_filter
     #     ngx_http_chunked_filter
     #     ngx_http_v2_filter
+    #     ngx_http_v3_filter
     #     ngx_http_range_header_filter
     #     ngx_http_gzip_filter
     #     ngx_http_postpone_filter
@@ -156,6 +157,7 @@ if [ $HTTP = YES ]; then
                       ngx_http_header_filter_module \
                       ngx_http_chunked_filter_module \
                       ngx_http_v2_filter_module \
+                      ngx_http_v3_filter_module \
                       ngx_http_range_header_filter_module \
                       ngx_http_gzip_filter_module \
                       ngx_http_postpone_filter_module \
@@ -217,6 +219,17 @@ if [ $HTTP = YES ]; then
         . auto/module
     fi
 
+    if [ $HTTP_V3 = YES ]; then
+        ngx_module_name=ngx_http_v3_filter_module
+        ngx_module_incs=
+        ngx_module_deps=
+        ngx_module_srcs=src/http/v3/ngx_http_v3_filter_module.c
+        ngx_module_libs=
+        ngx_module_link=$HTTP_V3
+
+        . auto/module
+    fi
+
     if :; then
         ngx_module_name=ngx_http_range_header_filter_module
         ngx_module_incs=
@@ -426,6 +439,33 @@ if [ $HTTP = YES ]; then
         . auto/module
     fi
 
+    if [ $HTTP_V3 = YES ]; then
+        USE_OPENSSL_QUIC=YES
+        HTTP_SSL=YES
+
+        have=NGX_HTTP_V3 . auto/have
+        have=NGX_HTTP_HEADERS . auto/have
+
+        ngx_module_name=ngx_http_v3_module
+        ngx_module_incs=src/http/v3
+        ngx_module_deps="src/http/v3/ngx_http_v3.h \
+                         src/http/v3/ngx_http_v3_encode.h \
+                         src/http/v3/ngx_http_v3_parse.h \
+                         src/http/v3/ngx_http_v3_table.h \
+                         src/http/v3/ngx_http_v3_uni.h"
+        ngx_module_srcs="src/http/v3/ngx_http_v3.c \
+                         src/http/v3/ngx_http_v3_encode.c \
+                         src/http/v3/ngx_http_v3_parse.c \
+                         src/http/v3/ngx_http_v3_table.c \
+                         src/http/v3/ngx_http_v3_uni.c \
+                         src/http/v3/ngx_http_v3_request.c \
+                         src/http/v3/ngx_http_v3_module.c"
+        ngx_module_libs=
+        ngx_module_link=$HTTP_V3
+
+        . auto/module
+    fi
+
     if :; then
         ngx_module_name=ngx_http_static_module
         ngx_module_incs=
@@ -1272,6 +1312,63 @@ if [ $USE_OPENSSL = YES ]; then
 fi
 
 
+if [ $USE_OPENSSL_QUIC = YES ]; then
+    ngx_module_type=CORE
+    ngx_module_name=ngx_quic_module
+    ngx_module_incs=
+    ngx_module_deps="src/event/quic/ngx_event_quic.h \
+                     src/event/quic/ngx_event_quic_transport.h \
+                     src/event/quic/ngx_event_quic_protection.h \
+                     src/event/quic/ngx_event_quic_connection.h \
+                     src/event/quic/ngx_event_quic_frames.h \
+                     src/event/quic/ngx_event_quic_connid.h \
+                     src/event/quic/ngx_event_quic_migration.h \
+                     src/event/quic/ngx_event_quic_streams.h \
+                     src/event/quic/ngx_event_quic_ssl.h \
+                     src/event/quic/ngx_event_quic_tokens.h \
+                     src/event/quic/ngx_event_quic_ack.h \
+                     src/event/quic/ngx_event_quic_output.h \
+                     src/event/quic/ngx_event_quic_socket.h \
+                     src/event/quic/ngx_event_quic_openssl_compat.h"
+    ngx_module_srcs="src/event/quic/ngx_event_quic.c \
+                     src/event/quic/ngx_event_quic_udp.c \
+                     src/event/quic/ngx_event_quic_transport.c \
+                     src/event/quic/ngx_event_quic_protection.c \
+                     src/event/quic/ngx_event_quic_frames.c \
+                     src/event/quic/ngx_event_quic_connid.c \
+                     src/event/quic/ngx_event_quic_migration.c \
+                     src/event/quic/ngx_event_quic_streams.c \
+                     src/event/quic/ngx_event_quic_ssl.c \
+                     src/event/quic/ngx_event_quic_tokens.c \
+                     src/event/quic/ngx_event_quic_ack.c \
+                     src/event/quic/ngx_event_quic_output.c \
+                     src/event/quic/ngx_event_quic_socket.c \
+                     src/event/quic/ngx_event_quic_openssl_compat.c"
+
+    ngx_module_libs=
+    ngx_module_link=YES
+    ngx_module_order=
+
+    . auto/module
+
+    if [ $QUIC_BPF = YES -a $SO_COOKIE_FOUND = YES ]; then
+        ngx_module_type=CORE
+        ngx_module_name=ngx_quic_bpf_module
+        ngx_module_incs=
+        ngx_module_deps=
+        ngx_module_srcs="src/event/quic/ngx_event_quic_bpf.c \
+                         src/event/quic/ngx_event_quic_bpf_code.c"
+        ngx_module_libs=
+        ngx_module_link=YES
+        ngx_module_order=
+
+        . auto/module
+
+        have=NGX_QUIC_BPF . auto/have
+    fi
+fi
+
+
 if [ $USE_PCRE = YES ]; then
     ngx_module_type=CORE
     ngx_module_name=ngx_regex_module
diff --git a/auto/options b/auto/options
--- a/auto/options
+++ b/auto/options
@@ -45,6 +45,8 @@ USE_THREADS=NO
 
 NGX_FILE_AIO=NO
 
+QUIC_BPF=NO
+
 HTTP=YES
 
 NGX_HTTP_LOG_PATH=
@@ -59,6 +61,7 @@ HTTP_CHARSET=YES
 HTTP_GZIP=YES
 HTTP_SSL=NO
 HTTP_V2=NO
+HTTP_V3=NO
 HTTP_SSI=YES
 HTTP_REALIP=NO
 HTTP_XSLT=NO
@@ -149,6 +152,7 @@ PCRE_JIT=NO
 PCRE2=YES
 
 USE_OPENSSL=NO
+USE_OPENSSL_QUIC=NO
 OPENSSL=NONE
 
 USE_ZLIB=NO
@@ -166,6 +170,8 @@ USE_GEOIP=NO
 NGX_GOOGLE_PERFTOOLS=NO
 NGX_CPP_TEST=NO
 
+SO_COOKIE_FOUND=NO
+
 NGX_LIBATOMIC=NO
 
 NGX_CPU_CACHE_LINE=
@@ -211,6 +217,8 @@ do
 
         --with-file-aio)                 NGX_FILE_AIO=YES           ;;
 
+        --without-quic_bpf_module)       QUIC_BPF=NONE              ;;
+
         --with-ipv6)
             NGX_POST_CONF_MSG="$NGX_POST_CONF_MSG
 $0: warning: the \"--with-ipv6\" option is deprecated"
@@ -228,6 +236,7 @@ do
 
         --with-http_ssl_module)          HTTP_SSL=YES               ;;
         --with-http_v2_module)           HTTP_V2=YES                ;;
+        --with-http_v3_module)           HTTP_V3=YES                ;;
         --with-http_realip_module)       HTTP_REALIP=YES            ;;
         --with-http_addition_module)     HTTP_ADDITION=YES          ;;
         --with-http_xslt_module)         HTTP_XSLT=YES              ;;
@@ -443,8 +452,11 @@ cat << END
 
   --with-file-aio                    enable file AIO support
 
+  --without-quic_bpf_module          disable ngx_quic_bpf_module
+
   --with-http_ssl_module             enable ngx_http_ssl_module
   --with-http_v2_module              enable ngx_http_v2_module
+  --with-http_v3_module              enable ngx_http_v3_module
   --with-http_realip_module          enable ngx_http_realip_module
   --with-http_addition_module        enable ngx_http_addition_module
   --with-http_xslt_module            enable ngx_http_xslt_module
diff --git a/auto/os/linux b/auto/os/linux
--- a/auto/os/linux
+++ b/auto/os/linux
@@ -232,6 +232,50 @@ ngx_feature_test="struct crypt_data  cd;
 ngx_include="sys/vfs.h";     . auto/include
 
 
+# BPF sockhash
+
+ngx_feature="BPF sockhash"
+ngx_feature_name="NGX_HAVE_BPF"
+ngx_feature_run=no
+ngx_feature_incs="#include <linux/bpf.h>
+                  #include <sys/syscall.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="union bpf_attr attr = { 0 };
+
+                  attr.map_flags = 0;
+                  attr.map_type = BPF_MAP_TYPE_SOCKHASH;
+
+                  syscall(__NR_bpf, 0, &attr, 0);"
+. auto/feature
+
+if [ $ngx_found = yes ]; then
+    CORE_SRCS="$CORE_SRCS src/core/ngx_bpf.c"
+    CORE_DEPS="$CORE_DEPS src/core/ngx_bpf.h"
+
+    if [ $QUIC_BPF != NONE ]; then
+        QUIC_BPF=YES
+    fi
+fi
+
+
+ngx_feature="SO_COOKIE"
+ngx_feature_name="NGX_HAVE_SO_COOKIE"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  $NGX_INCLUDE_INTTYPES_H"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="socklen_t optlen = sizeof(uint64_t);
+                  uint64_t cookie;
+                  getsockopt(0, SOL_SOCKET, SO_COOKIE, &cookie, &optlen)"
+. auto/feature
+
+if [ $ngx_found = yes ]; then
+    SO_COOKIE_FOUND=YES
+fi
+
+
 # UDP segmentation offloading
 
 ngx_feature="UDP_SEGMENT"
diff --git a/auto/sources b/auto/sources
--- a/auto/sources
+++ b/auto/sources
@@ -83,7 +83,7 @@ CORE_SRCS="src/core/nginx.c \
 
 EVENT_MODULES="ngx_events_module ngx_event_core_module"
 
-EVENT_INCS="src/event src/event/modules"
+EVENT_INCS="src/event src/event/modules src/event/quic"
 
 EVENT_DEPS="src/event/ngx_event.h \
             src/event/ngx_event_timer.h \
diff --git a/auto/unix b/auto/unix
--- a/auto/unix
+++ b/auto/unix
@@ -448,6 +448,54 @@ ngx_feature_test="setsockopt(0, IPPROTO_
 . auto/feature
 
 
+# IP packet fragmentation
+
+ngx_feature="IP_MTU_DISCOVER"
+ngx_feature_name="NGX_HAVE_IP_MTU_DISCOVER"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  #include <netinet/in.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="(void) IP_PMTUDISC_DO;
+                  setsockopt(0, IPPROTO_IP, IP_MTU_DISCOVER, NULL, 0)"
+. auto/feature
+
+
+ngx_feature="IPV6_MTU_DISCOVER"
+ngx_feature_name="NGX_HAVE_IPV6_MTU_DISCOVER"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  #include <netinet/in.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="(void) IPV6_PMTUDISC_DO;
+                  setsockopt(0, IPPROTO_IPV6, IPV6_MTU_DISCOVER, NULL, 0)"
+. auto/feature
+
+
+ngx_feature="IP_DONTFRAG"
+ngx_feature_name="NGX_HAVE_IP_DONTFRAG"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  #include <netinet/in.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="setsockopt(0, IPPROTO_IP, IP_DONTFRAG, NULL, 0)"
+. auto/feature
+
+
+ngx_feature="IPV6_DONTFRAG"
+ngx_feature_name="NGX_HAVE_IPV6_DONTFRAG"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  #include <netinet/in.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="setsockopt(0, IPPROTO_IP, IPV6_DONTFRAG, NULL, 0)"
+. auto/feature
+
+
 ngx_feature="TCP_DEFER_ACCEPT"
 ngx_feature_name="NGX_HAVE_DEFERRED_ACCEPT"
 ngx_feature_run=no
diff --git a/src/core/nginx.c b/src/core/nginx.c
--- a/src/core/nginx.c
+++ b/src/core/nginx.c
@@ -680,6 +680,9 @@ ngx_exec_new_binary(ngx_cycle_t *cycle, 
 
     ls = cycle->listening.elts;
     for (i = 0; i < cycle->listening.nelts; i++) {
+        if (ls[i].ignore) {
+            continue;
+        }
         p = ngx_sprintf(p, "%ud;", ls[i].fd);
     }
 
diff --git a/src/core/ngx_bpf.c b/src/core/ngx_bpf.c
new file mode 100644
--- /dev/null
+++ b/src/core/ngx_bpf.c
@@ -0,0 +1,143 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+#define NGX_BPF_LOGBUF_SIZE  (16 * 1024)
+
+
+static ngx_inline int
+ngx_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size)
+{
+    return syscall(__NR_bpf, cmd, attr, size);
+}
+
+
+void
+ngx_bpf_program_link(ngx_bpf_program_t *program, const char *symbol, int fd)
+{
+    ngx_uint_t        i;
+    ngx_bpf_reloc_t  *rl;
+
+    rl = program->relocs;
+
+    for (i = 0; i < program->nrelocs; i++) {
+        if (ngx_strcmp(rl[i].name, symbol) == 0) {
+            program->ins[rl[i].offset].src_reg = 1;
+            program->ins[rl[i].offset].imm = fd;
+        }
+    }
+}
+
+
+int
+ngx_bpf_load_program(ngx_log_t *log, ngx_bpf_program_t *program)
+{
+    int             fd;
+    union bpf_attr  attr;
+#if (NGX_DEBUG)
+    char            buf[NGX_BPF_LOGBUF_SIZE];
+#endif
+
+    ngx_memzero(&attr, sizeof(union bpf_attr));
+
+    attr.license = (uintptr_t) program->license;
+    attr.prog_type = program->type;
+    attr.insns = (uintptr_t) program->ins;
+    attr.insn_cnt = program->nins;
+
+#if (NGX_DEBUG)
+    /* for verifier errors */
+    attr.log_buf = (uintptr_t) buf;
+    attr.log_size = NGX_BPF_LOGBUF_SIZE;
+    attr.log_level = 1;
+#endif
+
+    fd = ngx_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+    if (fd < 0) {
+        ngx_log_error(NGX_LOG_ALERT, log, ngx_errno,
+                      "failed to load BPF program");
+
+        ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0,
+                       "bpf verifier: %s", buf);
+
+        return -1;
+    }
+
+    return fd;
+}
+
+
+int
+ngx_bpf_map_create(ngx_log_t *log, enum bpf_map_type type, int key_size,
+    int value_size, int max_entries, uint32_t map_flags)
+{
+    int             fd;
+    union bpf_attr  attr;
+
+    ngx_memzero(&attr, sizeof(union bpf_attr));
+
+    attr.map_type = type;
+    attr.key_size = key_size;
+    attr.value_size = value_size;
+    attr.max_entries = max_entries;
+    attr.map_flags = map_flags;
+
+    fd = ngx_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
+    if (fd < 0) {
+        ngx_log_error(NGX_LOG_ALERT, log, ngx_errno,
+                      "failed to create BPF map");
+        return NGX_ERROR;
+    }
+
+    return fd;
+}
+
+
+int
+ngx_bpf_map_update(int fd, const void *key, const void *value, uint64_t flags)
+{
+    union bpf_attr attr;
+
+    ngx_memzero(&attr, sizeof(union bpf_attr));
+
+    attr.map_fd = fd;
+    attr.key = (uintptr_t) key;
+    attr.value = (uintptr_t) value;
+    attr.flags = flags;
+
+    return ngx_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
+}
+
+
+int
+ngx_bpf_map_delete(int fd, const void *key)
+{
+    union bpf_attr attr;
+
+    ngx_memzero(&attr, sizeof(union bpf_attr));
+
+    attr.map_fd = fd;
+    attr.key = (uintptr_t) key;
+
+    return ngx_bpf(BPF_MAP_DELETE_ELEM, &attr, sizeof(attr));
+}
+
+
+int
+ngx_bpf_map_lookup(int fd, const void *key, void *value)
+{
+    union bpf_attr attr;
+
+    ngx_memzero(&attr, sizeof(union bpf_attr));
+
+    attr.map_fd = fd;
+    attr.key = (uintptr_t) key;
+    attr.value = (uintptr_t) value;
+
+    return ngx_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
+}
diff --git a/src/core/ngx_bpf.h b/src/core/ngx_bpf.h
new file mode 100644
--- /dev/null
+++ b/src/core/ngx_bpf.h
@@ -0,0 +1,43 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_BPF_H_INCLUDED_
+#define _NGX_BPF_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+#include <linux/bpf.h>
+
+
+typedef struct {
+    char                *name;
+    int                  offset;
+} ngx_bpf_reloc_t;
+
+typedef struct {
+    char                *license;
+    enum bpf_prog_type   type;
+    struct bpf_insn     *ins;
+    size_t               nins;
+    ngx_bpf_reloc_t     *relocs;
+    size_t               nrelocs;
+} ngx_bpf_program_t;
+
+
+void ngx_bpf_program_link(ngx_bpf_program_t *program, const char *symbol,
+    int fd);
+int ngx_bpf_load_program(ngx_log_t *log, ngx_bpf_program_t *program);
+
+int ngx_bpf_map_create(ngx_log_t *log, enum bpf_map_type type, int key_size,
+    int value_size, int max_entries, uint32_t map_flags);
+int ngx_bpf_map_update(int fd, const void *key, const void *value,
+    uint64_t flags);
+int ngx_bpf_map_delete(int fd, const void *key);
+int ngx_bpf_map_lookup(int fd, const void *key, void *value);
+
+#endif /* _NGX_BPF_H_INCLUDED_ */
diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -1014,6 +1014,78 @@ ngx_configure_listening_sockets(ngx_cycl
         }
 
 #endif
+
+#if (NGX_HAVE_IP_MTU_DISCOVER)
+
+        if (ls[i].quic && ls[i].sockaddr->sa_family == AF_INET) {
+            value = IP_PMTUDISC_DO;
+
+            if (setsockopt(ls[i].fd, IPPROTO_IP, IP_MTU_DISCOVER,
+                           (const void *) &value, sizeof(int))
+                == -1)
+            {
+                ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
+                              "setsockopt(IP_MTU_DISCOVER) "
+                              "for %V failed, ignored",
+                              &ls[i].addr_text);
+            }
+        }
+
+#elif (NGX_HAVE_IP_DONTFRAG)
+
+        if (ls[i].quic && ls[i].sockaddr->sa_family == AF_INET) {
+            value = 1;
+
+            if (setsockopt(ls[i].fd, IPPROTO_IP, IP_DONTFRAG,
+                           (const void *) &value, sizeof(int))
+                == -1)
+            {
+                ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
+                              "setsockopt(IP_DONTFRAG) "
+                              "for %V failed, ignored",
+                              &ls[i].addr_text);
+            }
+        }
+
+#endif
+
+#if (NGX_HAVE_INET6)
+
+#if (NGX_HAVE_IPV6_MTU_DISCOVER)
+
+        if (ls[i].quic && ls[i].sockaddr->sa_family == AF_INET6) {
+            value = IPV6_PMTUDISC_DO;
+
+            if (setsockopt(ls[i].fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+                           (const void *) &value, sizeof(int))
+                == -1)
+            {
+                ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
+                              "setsockopt(IPV6_MTU_DISCOVER) "
+                              "for %V failed, ignored",
+                              &ls[i].addr_text);
+            }
+        }
+
+#elif (NGX_HAVE_IP_DONTFRAG)
+
+        if (ls[i].quic && ls[i].sockaddr->sa_family == AF_INET6) {
+            value = 1;
+
+            if (setsockopt(ls[i].fd, IPPROTO_IPV6, IPV6_DONTFRAG,
+                           (const void *) &value, sizeof(int))
+                == -1)
+            {
+                ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
+                              "setsockopt(IPV6_DONTFRAG) "
+                              "for %V failed, ignored",
+                              &ls[i].addr_text);
+            }
+        }
+
+#endif
+
+#endif
     }
 
     return;
@@ -1037,6 +1109,12 @@ ngx_close_listening_sockets(ngx_cycle_t 
     ls = cycle->listening.elts;
     for (i = 0; i < cycle->listening.nelts; i++) {
 
+#if (NGX_QUIC)
+        if (ls[i].quic) {
+            continue;
+        }
+#endif
+
         c = ls[i].connection;
 
         if (c) {
diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h
--- a/src/core/ngx_connection.h
+++ b/src/core/ngx_connection.h
@@ -73,6 +73,7 @@ struct ngx_listening_s {
     unsigned            reuseport:1;
     unsigned            add_reuseport:1;
     unsigned            keepalive:2;
+    unsigned            quic:1;
 
     unsigned            deferred_accept:1;
     unsigned            delete_deferred:1;
@@ -147,6 +148,10 @@ struct ngx_connection_s {
 
     ngx_proxy_protocol_t  *proxy_protocol;
 
+#if (NGX_QUIC || NGX_COMPAT)
+    ngx_quic_stream_t     *quic;
+#endif
+
 #if (NGX_SSL || NGX_COMPAT)
     ngx_ssl_connection_t  *ssl;
 #endif
diff --git a/src/core/ngx_core.h b/src/core/ngx_core.h
--- a/src/core/ngx_core.h
+++ b/src/core/ngx_core.h
@@ -27,6 +27,7 @@ typedef struct ngx_connection_s      ngx
 typedef struct ngx_thread_task_s     ngx_thread_task_t;
 typedef struct ngx_ssl_s             ngx_ssl_t;
 typedef struct ngx_proxy_protocol_s  ngx_proxy_protocol_t;
+typedef struct ngx_quic_stream_s     ngx_quic_stream_t;
 typedef struct ngx_ssl_connection_s  ngx_ssl_connection_t;
 typedef struct ngx_udp_connection_s  ngx_udp_connection_t;
 
@@ -82,6 +83,9 @@ typedef void (*ngx_connection_handler_pt
 #include <ngx_resolver.h>
 #if (NGX_OPENSSL)
 #include <ngx_event_openssl.h>
+#if (NGX_QUIC)
+#include <ngx_event_quic.h>
+#endif
 #endif
 #include <ngx_process_cycle.h>
 #include <ngx_conf_file.h>
@@ -91,6 +95,9 @@ typedef void (*ngx_connection_handler_pt
 #include <ngx_connection.h>
 #include <ngx_syslog.h>
 #include <ngx_proxy_protocol.h>
+#if (NGX_HAVE_BPF)
+#include <ngx_bpf.h>
+#endif
 
 
 #define LF     (u_char) '\n'
diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -267,6 +267,18 @@ ngx_process_events_and_timers(ngx_cycle_
 ngx_int_t
 ngx_handle_read_event(ngx_event_t *rev, ngx_uint_t flags)
 {
+#if (NGX_QUIC)
+
+    ngx_connection_t  *c;
+
+    c = rev->data;
+
+    if (c->quic) {
+        return NGX_OK;
+    }
+
+#endif
+
     if (ngx_event_flags & NGX_USE_CLEAR_EVENT) {
 
         /* kqueue, epoll */
@@ -337,9 +349,15 @@ ngx_handle_write_event(ngx_event_t *wev,
 {
     ngx_connection_t  *c;
 
+    c = wev->data;
+
+#if (NGX_QUIC)
+    if (c->quic) {
+        return NGX_OK;
+    }
+#endif
+
     if (lowat) {
-        c = wev->data;
-
         if (ngx_send_lowat(c, lowat) == NGX_ERROR) {
             return NGX_ERROR;
         }
@@ -873,8 +891,16 @@ ngx_event_process_init(ngx_cycle_t *cycl
 
 #else
 
-        rev->handler = (c->type == SOCK_STREAM) ? ngx_event_accept
-                                                : ngx_event_recvmsg;
+        if (c->type == SOCK_STREAM) {
+            rev->handler = ngx_event_accept;
+
+#if (NGX_QUIC)
+        } else if (ls[i].quic) {
+            rev->handler = ngx_quic_recvmsg;
+#endif
+        } else {
+            rev->handler = ngx_event_recvmsg;
+        }
 
 #if (NGX_HAVE_REUSEPORT)
 
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -33,9 +33,6 @@ static int ngx_ssl_new_client_session(ng
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c);
 #endif
-#if (NGX_DEBUG)
-static void ngx_ssl_handshake_log(ngx_connection_t *c);
-#endif
 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf,
@@ -2052,7 +2049,7 @@ ngx_ssl_try_early_data(ngx_connection_t 
 
 #if (NGX_DEBUG)
 
-static void
+void
 ngx_ssl_handshake_log(ngx_connection_t *c)
 {
     char         buf[129], *s, *d;
@@ -3202,6 +3199,13 @@ ngx_ssl_shutdown(ngx_connection_t *c)
     ngx_err_t   err;
     ngx_uint_t  tries;
 
+#if (NGX_QUIC)
+    if (c->quic) {
+        /* QUIC streams inherit SSL object */
+        return NGX_OK;
+    }
+#endif
+
     rc = NGX_OK;
 
     ngx_ssl_ocsp_cleanup(c);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -24,6 +24,14 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/evp.h>
+#if (NGX_QUIC)
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/hkdf.h>
+#include <openssl/chacha.h>
+#else
+#include <openssl/kdf.h>
+#endif
+#endif
 #include <openssl/hmac.h>
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
@@ -302,6 +310,9 @@ ngx_int_t ngx_ssl_get_client_v_remain(ng
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
+#if (NGX_DEBUG)
+void ngx_ssl_handshake_log(ngx_connection_t *c);
+#endif
 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit);
diff --git a/src/event/ngx_event_udp.c b/src/event/ngx_event_udp.c
--- a/src/event/ngx_event_udp.c
+++ b/src/event/ngx_event_udp.c
@@ -12,13 +12,6 @@
 
 #if !(NGX_WIN32)
 
-struct ngx_udp_connection_s {
-    ngx_rbtree_node_t   node;
-    ngx_connection_t   *connection;
-    ngx_buf_t          *buffer;
-};
-
-
 static void ngx_close_accepted_udp_connection(ngx_connection_t *c);
 static ssize_t ngx_udp_shared_recv(ngx_connection_t *c, u_char *buf,
     size_t size);
@@ -424,8 +417,8 @@ ngx_udp_rbtree_insert_value(ngx_rbtree_n
             udpt = (ngx_udp_connection_t *) temp;
             ct = udpt->connection;
 
-            rc = ngx_cmp_sockaddr(c->sockaddr, c->socklen,
-                                  ct->sockaddr, ct->socklen, 1);
+            rc = ngx_memn2cmp(udp->key.data, udpt->key.data,
+                              udp->key.len, udpt->key.len);
 
             if (rc == 0 && c->listening->wildcard) {
                 rc = ngx_cmp_sockaddr(c->local_sockaddr, c->local_socklen,
@@ -478,6 +471,8 @@ ngx_insert_udp_connection(ngx_connection
     ngx_crc32_final(hash);
 
     udp->node.key = hash;
+    udp->key.data = (u_char *) c->sockaddr;
+    udp->key.len = c->socklen;
 
     cln = ngx_pool_cleanup_add(c->pool, 0);
     if (cln == NULL) {
diff --git a/src/event/ngx_event_udp.h b/src/event/ngx_event_udp.h
--- a/src/event/ngx_event_udp.h
+++ b/src/event/ngx_event_udp.h
@@ -23,6 +23,14 @@
 #endif
 
 
+struct ngx_udp_connection_s {
+    ngx_rbtree_node_t   node;
+    ngx_connection_t   *connection;
+    ngx_buf_t          *buffer;
+    ngx_str_t           key;
+};
+
+
 #if (NGX_HAVE_ADDRINFO_CMSG)
 
 typedef union {
diff --git a/src/event/quic/bpf/bpfgen.sh b/src/event/quic/bpf/bpfgen.sh
new file mode 100644
--- /dev/null
+++ b/src/event/quic/bpf/bpfgen.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+export LANG=C
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "Usage: PROGNAME=foo LICENSE=bar $0 <bpf object file>"
+    exit 1
+fi
+
+
+self=$0
+filename=$1
+funcname=$PROGNAME
+
+generate_head()
+{
+    cat << END
+/* AUTO-GENERATED, DO NOT EDIT. */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "ngx_bpf.h"
+
+
+END
+}
+
+generate_tail()
+{
+    cat << END
+
+ngx_bpf_program_t $PROGNAME = {
+    .relocs = bpf_reloc_prog_$funcname,
+    .nrelocs = sizeof(bpf_reloc_prog_$funcname)
+               / sizeof(bpf_reloc_prog_$funcname[0]),
+    .ins = bpf_insn_prog_$funcname,
+    .nins = sizeof(bpf_insn_prog_$funcname)
+            / sizeof(bpf_insn_prog_$funcname[0]),
+    .license = "$LICENSE",
+    .type = BPF_PROG_TYPE_SK_REUSEPORT,
+};
+
+END
+}
+
+process_relocations()
+{
+    echo "static ngx_bpf_reloc_t bpf_reloc_prog_$funcname[] = {"
+
+    objdump -r $filename | awk '{
+
+    if (enabled && $NF > 0) {
+        off = strtonum(sprintf("0x%s", $1));
+        name = $3;
+
+        printf("    { \"%s\", %d },\n", name, off/8);
+    }
+
+    if ($1 == "OFFSET") {
+        enabled=1;
+    }
+}'
+    echo "};"
+    echo
+}
+
+process_section()
+{
+    echo "static struct bpf_insn bpf_insn_prog_$funcname[] = {"
+    echo "    /* opcode dst          src         offset imm */"
+
+    section_info=$(objdump -h $filename --section=$funcname | grep "1 $funcname")
+
+    # dd doesn't know hex
+    length=$(printf "%d" 0x$(echo $section_info | cut -d ' ' -f3))
+    offset=$(printf "%d" 0x$(echo $section_info | cut -d ' ' -f6))
+
+    for ins in $(dd if="$filename" bs=1 count=$length skip=$offset status=none | xxd -p -c 8)
+    do
+        opcode=0x${ins:0:2}
+        srcdst=0x${ins:2:2}
+
+        # bytes are dumped in LE order
+        offset=0x${ins:6:2}${ins:4:2}                        # short
+        immedi=0x${ins:14:2}${ins:12:2}${ins:10:2}${ins:8:2} # int
+
+        dst="$(($srcdst & 0xF))"
+        src="$(($srcdst & 0xF0))"
+        src="$(($src >> 4))"
+
+        opcode=$(printf "0x%x" $opcode)
+        dst=$(printf "BPF_REG_%d" $dst)
+        src=$(printf "BPF_REG_%d" $src)
+        offset=$(printf "%d" $offset)
+        immedi=$(printf "0x%x" $immedi)
+
+        printf "    { %4s, %11s, %11s, (int16_t) %6s, %10s },\n" $opcode $dst $src $offset $immedi
+    done
+
+cat << END
+};
+
+END
+}
+
+generate_head
+process_relocations
+process_section
+generate_tail
+
diff --git a/src/event/quic/bpf/makefile b/src/event/quic/bpf/makefile
new file mode 100644
--- /dev/null
+++ b/src/event/quic/bpf/makefile
@@ -0,0 +1,30 @@
+CFLAGS=-O2 -Wall
+
+LICENSE=BSD
+
+PROGNAME=ngx_quic_reuseport_helper
+RESULT=ngx_event_quic_bpf_code
+DEST=../$(RESULT).c
+
+all: $(RESULT)
+
+$(RESULT): $(PROGNAME).o
+	LICENSE=$(LICENSE) PROGNAME=$(PROGNAME) bash ./bpfgen.sh $< > $@
+
+DEFS=-DPROGNAME=\"$(PROGNAME)\"                                               \
+     -DLICENSE_$(LICENSE)                                                     \
+     -DLICENSE=\"$(LICENSE)\"                                                 \
+
+$(PROGNAME).o: $(PROGNAME).c
+	clang $(CFLAGS) $(DEFS) -target bpf -c $< -o $@
+
+install: $(RESULT)
+	cp $(RESULT) $(DEST)
+
+clean:
+	@rm -f $(RESULT) *.o
+
+debug: $(PROGNAME).o
+	llvm-objdump -S -no-show-raw-insn $<
+
+.DELETE_ON_ERROR:
diff --git a/src/event/quic/bpf/ngx_quic_reuseport_helper.c b/src/event/quic/bpf/ngx_quic_reuseport_helper.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/bpf/ngx_quic_reuseport_helper.c
@@ -0,0 +1,140 @@
+#include <errno.h>
+#include <linux/string.h>
+#include <linux/udp.h>
+#include <linux/bpf.h>
+/*
+ * the bpf_helpers.h is not included into linux-headers, only available
+ * with kernel sources in "tools/lib/bpf/bpf_helpers.h" or in libbpf.
+ */
+#include <bpf/bpf_helpers.h>
+
+
+#if !defined(SEC)
+#define SEC(NAME)  __attribute__((section(NAME), used))
+#endif
+
+
+#if defined(LICENSE_GPL)
+
+/*
+ * To see debug:
+ *
+ *  echo 1 > /sys/kernel/debug/tracing/events/bpf_trace/enable
+ *  cat /sys/kernel/debug/tracing/trace_pipe
+ *  echo 0 > /sys/kernel/debug/tracing/events/bpf_trace/enable
+ */
+
+#define debugmsg(fmt, ...)                                                    \
+do {                                                                          \
+    char __buf[] = fmt;                                                       \
+    bpf_trace_printk(__buf, sizeof(__buf), ##__VA_ARGS__);                    \
+} while (0)
+
+#else
+
+#define debugmsg(fmt, ...)
+
+#endif
+
+char _license[] SEC("license") = LICENSE;
+
+/*****************************************************************************/
+
+#define NGX_QUIC_PKT_LONG        0x80  /* header form */
+#define NGX_QUIC_SERVER_CID_LEN  20
+
+
+#define advance_data(nbytes)                                                  \
+    offset += nbytes;                                                         \
+    if (start + offset > end) {                                               \
+        debugmsg("cannot read %ld bytes at offset %ld", nbytes, offset);      \
+        goto failed;                                                          \
+    }                                                                         \
+    data = start + offset - 1;
+
+
+#define ngx_quic_parse_uint64(p)                                              \
+    (((__u64)(p)[0] << 56) |                                                  \
+     ((__u64)(p)[1] << 48) |                                                  \
+     ((__u64)(p)[2] << 40) |                                                  \
+     ((__u64)(p)[3] << 32) |                                                  \
+     ((__u64)(p)[4] << 24) |                                                  \
+     ((__u64)(p)[5] << 16) |                                                  \
+     ((__u64)(p)[6] << 8)  |                                                  \
+     ((__u64)(p)[7]))
+
+/*
+ * actual map object is created by the "bpf" system call,
+ * all pointers to this variable are replaced by the bpf loader
+ */
+struct bpf_map_def SEC("maps") ngx_quic_sockmap;
+
+
+SEC(PROGNAME)
+int ngx_quic_select_socket_by_dcid(struct sk_reuseport_md *ctx)
+{
+    int             rc;
+    __u64           key;
+    size_t          len, offset;
+    unsigned char  *start, *end, *data, *dcid;
+
+    start = ctx->data;
+    end = (unsigned char *) ctx->data_end;
+    offset = 0;
+
+    advance_data(sizeof(struct udphdr)); /* data at UDP header */
+    advance_data(1); /* data at QUIC flags */
+
+    if (data[0] & NGX_QUIC_PKT_LONG) {
+
+        advance_data(4); /* data at QUIC version */
+        advance_data(1); /* data at DCID len */
+
+        len = data[0];   /* read DCID length */
+
+        if (len < 8) {
+            /* it's useless to search for key in such short DCID */
+            return SK_PASS;
+        }
+
+    } else {
+        len = NGX_QUIC_SERVER_CID_LEN;
+    }
+
+    dcid = &data[1];
+    advance_data(len); /* we expect the packet to have full DCID */
+
+    /* make verifier happy */
+    if (dcid + sizeof(__u64) > end) {
+        goto failed;
+    }
+
+    key = ngx_quic_parse_uint64(dcid);
+
+    rc = bpf_sk_select_reuseport(ctx, &ngx_quic_sockmap, &key, 0);
+
+    switch (rc) {
+    case 0:
+        debugmsg("nginx quic socket selected by key 0x%llx", key);
+        return SK_PASS;
+
+    /* kernel returns positive error numbers, errno.h defines positive */
+    case -ENOENT:
+        debugmsg("nginx quic default route for key 0x%llx", key);
+        /* let the default reuseport logic decide which socket to choose */
+        return SK_PASS;
+
+    default:
+        debugmsg("nginx quic bpf_sk_select_reuseport err: %d key 0x%llx",
+                 rc, key);
+        goto failed;
+    }
+
+failed:
+    /*
+     * SK_DROP will generate ICMP, but we may want to process "invalid" packet
+     * in userspace quic to investigate further and finally react properly
+     * (maybe ignore, maybe send something in response or close connection)
+     */
+    return SK_PASS;
+}
diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic.c
@@ -0,0 +1,1445 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+static ngx_quic_connection_t *ngx_quic_new_connection(ngx_connection_t *c,
+    ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_handle_stateless_reset(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
+static void ngx_quic_input_handler(ngx_event_t *rev);
+static void ngx_quic_close_handler(ngx_event_t *ev);
+
+static ngx_int_t ngx_quic_handle_datagram(ngx_connection_t *c, ngx_buf_t *b,
+    ngx_quic_conf_t *conf);
+static ngx_int_t ngx_quic_handle_packet(ngx_connection_t *c,
+    ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_handle_payload(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_check_csid(ngx_quic_connection_t *qc,
+    ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_handle_frames(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
+
+static void ngx_quic_push_handler(ngx_event_t *ev);
+
+
+static ngx_core_module_t  ngx_quic_module_ctx = {
+    ngx_string("quic"),
+    NULL,
+    NULL
+};
+
+
+ngx_module_t  ngx_quic_module = {
+    NGX_MODULE_V1,
+    &ngx_quic_module_ctx,                  /* module context */
+    NULL,                                  /* module directives */
+    NGX_CORE_MODULE,                       /* module type */
+    NULL,                                  /* init master */
+    NULL,                                  /* init module */
+    NULL,                                  /* init process */
+    NULL,                                  /* init thread */
+    NULL,                                  /* exit thread */
+    NULL,                                  /* exit process */
+    NULL,                                  /* exit master */
+    NGX_MODULE_V1_PADDING
+};
+
+
+#if (NGX_DEBUG)
+
+void
+ngx_quic_connstate_dbg(ngx_connection_t *c)
+{
+    u_char                 *p, *last;
+    ngx_quic_connection_t  *qc;
+    u_char                  buf[NGX_MAX_ERROR_STR];
+
+    p = buf;
+    last = p + sizeof(buf);
+
+    qc = ngx_quic_get_connection(c);
+
+    p = ngx_slprintf(p, last, "state:");
+
+    if (qc) {
+
+        if (qc->error != (ngx_uint_t) -1) {
+            p = ngx_slprintf(p, last, "%s", qc->error_app ? " app" : "");
+            p = ngx_slprintf(p, last, " error:%ui", qc->error);
+
+            if (qc->error_reason) {
+                p = ngx_slprintf(p, last, " \"%s\"", qc->error_reason);
+            }
+        }
+
+        p = ngx_slprintf(p, last, "%s", qc->shutdown ? " shutdown" : "");
+        p = ngx_slprintf(p, last, "%s", qc->closing ? " closing" : "");
+        p = ngx_slprintf(p, last, "%s", qc->draining ? " draining" : "");
+        p = ngx_slprintf(p, last, "%s", qc->key_phase ? " kp" : "");
+
+    } else {
+        p = ngx_slprintf(p, last, " early");
+    }
+
+    if (c->read->timer_set) {
+        p = ngx_slprintf(p, last,
+                         qc && qc->send_timer_set ? " send:%M" : " read:%M",
+                         c->read->timer.key - ngx_current_msec);
+    }
+
+    if (qc) {
+
+        if (qc->push.timer_set) {
+            p = ngx_slprintf(p, last, " push:%M",
+                             qc->push.timer.key - ngx_current_msec);
+        }
+
+        if (qc->pto.timer_set) {
+            p = ngx_slprintf(p, last, " pto:%M",
+                             qc->pto.timer.key - ngx_current_msec);
+        }
+
+        if (qc->close.timer_set) {
+            p = ngx_slprintf(p, last, " close:%M",
+                             qc->close.timer.key - ngx_current_msec);
+        }
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic %*s", p - buf, buf);
+}
+
+#endif
+
+
+ngx_int_t
+ngx_quic_apply_transport_params(ngx_connection_t *c, ngx_quic_tp_t *ctp)
+{
+    ngx_str_t               scid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    scid.data = qc->path->cid->id;
+    scid.len = qc->path->cid->len;
+
+    if (scid.len != ctp->initial_scid.len
+        || ngx_memcmp(scid.data, ctp->initial_scid.data, scid.len) != 0)
+    {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic client initial_source_connection_id mismatch");
+        return NGX_ERROR;
+    }
+
+    if (ctp->max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE
+        || ctp->max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE)
+    {
+        qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+        qc->error_reason = "invalid maximum packet size";
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic maximum packet size is invalid");
+        return NGX_ERROR;
+
+    } else if (ctp->max_udp_payload_size > ngx_quic_max_udp_payload(c)) {
+        ctp->max_udp_payload_size = ngx_quic_max_udp_payload(c);
+        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic client maximum packet size truncated");
+    }
+
+    if (ctp->active_connection_id_limit < 2) {
+        qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+        qc->error_reason = "invalid active_connection_id_limit";
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic active_connection_id_limit is invalid");
+        return NGX_ERROR;
+    }
+
+    if (ctp->ack_delay_exponent > 20) {
+        qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+        qc->error_reason = "invalid ack_delay_exponent";
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic ack_delay_exponent is invalid");
+        return NGX_ERROR;
+    }
+
+    if (ctp->max_ack_delay >= 16384) {
+        qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+        qc->error_reason = "invalid max_ack_delay";
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic max_ack_delay is invalid");
+        return NGX_ERROR;
+    }
+
+    if (ctp->max_idle_timeout > 0
+        && ctp->max_idle_timeout < qc->tp.max_idle_timeout)
+    {
+        qc->tp.max_idle_timeout = ctp->max_idle_timeout;
+    }
+
+    qc->streams.server_max_streams_bidi = ctp->initial_max_streams_bidi;
+    qc->streams.server_max_streams_uni = ctp->initial_max_streams_uni;
+
+    ngx_memcpy(&qc->ctp, ctp, sizeof(ngx_quic_tp_t));
+
+    return NGX_OK;
+}
+
+
+void
+ngx_quic_run(ngx_connection_t *c, ngx_quic_conf_t *conf)
+{
+    ngx_int_t               rc;
+    ngx_quic_connection_t  *qc;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic run");
+
+    rc = ngx_quic_handle_datagram(c, c->buffer, conf);
+    if (rc != NGX_OK) {
+        ngx_quic_close_connection(c, rc);
+        return;
+    }
+
+    /* quic connection is now created */
+    qc = ngx_quic_get_connection(c);
+
+    ngx_add_timer(c->read, qc->tp.max_idle_timeout);
+    ngx_quic_connstate_dbg(c);
+
+    c->read->handler = ngx_quic_input_handler;
+
+    return;
+}
+
+
+static ngx_quic_connection_t *
+ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
+    ngx_quic_header_t *pkt)
+{
+    ngx_uint_t              i;
+    ngx_quic_tp_t          *ctp;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t));
+    if (qc == NULL) {
+        return NULL;
+    }
+
+    qc->keys = ngx_pcalloc(c->pool, sizeof(ngx_quic_keys_t));
+    if (qc->keys == NULL) {
+        return NULL;
+    }
+
+    qc->version = pkt->version;
+
+    ngx_rbtree_init(&qc->streams.tree, &qc->streams.sentinel,
+                    ngx_quic_rbtree_insert_stream);
+
+    for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+        ngx_queue_init(&qc->send_ctx[i].frames);
+        ngx_queue_init(&qc->send_ctx[i].sending);
+        ngx_queue_init(&qc->send_ctx[i].sent);
+        qc->send_ctx[i].largest_pn = NGX_QUIC_UNSET_PN;
+        qc->send_ctx[i].largest_ack = NGX_QUIC_UNSET_PN;
+        qc->send_ctx[i].largest_range = NGX_QUIC_UNSET_PN;
+        qc->send_ctx[i].pending_ack = NGX_QUIC_UNSET_PN;
+    }
+
+    qc->send_ctx[0].level = ssl_encryption_initial;
+    qc->send_ctx[1].level = ssl_encryption_handshake;
+    qc->send_ctx[2].level = ssl_encryption_application;
+
+    ngx_queue_init(&qc->free_frames);
+
+    qc->avg_rtt = NGX_QUIC_INITIAL_RTT;
+    qc->rttvar = NGX_QUIC_INITIAL_RTT / 2;
+    qc->min_rtt = NGX_TIMER_INFINITE;
+    qc->first_rtt = NGX_TIMER_INFINITE;
+
+    /*
+     * qc->latest_rtt = 0
+     */
+
+    qc->pto.log = c->log;
+    qc->pto.data = c;
+    qc->pto.handler = ngx_quic_pto_handler;
+
+    qc->push.log = c->log;
+    qc->push.data = c;
+    qc->push.handler = ngx_quic_push_handler;
+
+    qc->close.log = c->log;
+    qc->close.data = c;
+    qc->close.handler = ngx_quic_close_handler;
+
+    qc->path_validation.log = c->log;
+    qc->path_validation.data = c;
+    qc->path_validation.handler = ngx_quic_path_validation_handler;
+
+    qc->conf = conf;
+
+    if (ngx_quic_init_transport_params(&qc->tp, conf) != NGX_OK) {
+        return NULL;
+    }
+
+    ctp = &qc->ctp;
+
+    /* defaults to be used before actual client parameters are received */
+    ctp->max_udp_payload_size = ngx_quic_max_udp_payload(c);
+    ctp->ack_delay_exponent = NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT;
+    ctp->max_ack_delay = NGX_QUIC_DEFAULT_MAX_ACK_DELAY;
+    ctp->active_connection_id_limit = 2;
+
+    ngx_queue_init(&qc->streams.uninitialized);
+    ngx_queue_init(&qc->streams.free);
+
+    qc->streams.recv_max_data = qc->tp.initial_max_data;
+    qc->streams.recv_window = qc->streams.recv_max_data;
+
+    qc->streams.client_max_streams_uni = qc->tp.initial_max_streams_uni;
+    qc->streams.client_max_streams_bidi = qc->tp.initial_max_streams_bidi;
+
+    qc->congestion.window = ngx_min(10 * qc->tp.max_udp_payload_size,
+                                    ngx_max(2 * qc->tp.max_udp_payload_size,
+                                            14720));
+    qc->congestion.ssthresh = (size_t) -1;
+    qc->congestion.recovery_start = ngx_current_msec;
+
+    if (pkt->validated && pkt->retried) {
+        qc->tp.retry_scid.len = pkt->dcid.len;
+        qc->tp.retry_scid.data = ngx_pstrdup(c->pool, &pkt->dcid);
+        if (qc->tp.retry_scid.data == NULL) {
+            return NULL;
+        }
+    }
+
+    if (ngx_quic_keys_set_initial_secret(qc->keys, &pkt->dcid, c->log)
+        != NGX_OK)
+    {
+        return NULL;
+    }
+
+    qc->validated = pkt->validated;
+
+    if (ngx_quic_open_sockets(c, qc, pkt) != NGX_OK) {
+        return NULL;
+    }
+
+    c->idle = 1;
+    ngx_reusable_connection(c, 1);
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic connection created");
+
+    return qc;
+}
+
+
+static ngx_int_t
+ngx_quic_handle_stateless_reset(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    u_char                 *tail, ch;
+    ngx_uint_t              i;
+    ngx_queue_t            *q;
+    ngx_quic_client_id_t   *cid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    /* A stateless reset uses an entire UDP datagram */
+    if (!pkt->first) {
+        return NGX_DECLINED;
+    }
+
+    tail = pkt->raw->last - NGX_QUIC_SR_TOKEN_LEN;
+
+    for (q = ngx_queue_head(&qc->client_ids);
+         q != ngx_queue_sentinel(&qc->client_ids);
+         q = ngx_queue_next(q))
+    {
+        cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+
+        if (cid->seqnum == 0 || !cid->used) {
+            /*
+             * No stateless reset token in initial connection id.
+             * Don't accept a token from an unused connection id.
+             */
+            continue;
+        }
+
+        /* constant time comparison */
+
+        for (ch = 0, i = 0; i < NGX_QUIC_SR_TOKEN_LEN; i++) {
+            ch |= tail[i] ^ cid->sr_token[i];
+        }
+
+        if (ch == 0) {
+            return NGX_OK;
+        }
+    }
+
+    return NGX_DECLINED;
+}
+
+
+static void
+ngx_quic_input_handler(ngx_event_t *rev)
+{
+    ngx_int_t               rc;
+    ngx_buf_t              *b;
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0, "quic input handler");
+
+    c = rev->data;
+    qc = ngx_quic_get_connection(c);
+
+    c->log->action = "handling quic input";
+
+    if (rev->timedout) {
+        ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT,
+                      "quic client timed out");
+        ngx_quic_close_connection(c, NGX_DONE);
+        return;
+    }
+
+    if (c->close) {
+        c->close = 0;
+
+        if (!ngx_exiting) {
+            qc->error = NGX_QUIC_ERR_NO_ERROR;
+            qc->error_reason = "graceful shutdown";
+            ngx_quic_close_connection(c, NGX_ERROR);
+            return;
+        }
+
+        if (!qc->closing && qc->conf->shutdown) {
+            qc->conf->shutdown(c);
+        }
+
+        return;
+    }
+
+    b = c->udp->buffer;
+    if (b == NULL) {
+        return;
+    }
+
+    rc = ngx_quic_handle_datagram(c, b, NULL);
+
+    if (rc == NGX_ERROR) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+        return;
+    }
+
+    if (rc == NGX_DONE) {
+        return;
+    }
+
+    /* rc == NGX_OK */
+
+    qc->send_timer_set = 0;
+    ngx_add_timer(rev, qc->tp.max_idle_timeout);
+
+    ngx_quic_connstate_dbg(c);
+}
+
+
+void
+ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
+{
+    ngx_uint_t              i;
+    ngx_pool_t             *pool;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc == NULL) {
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic packet rejected rc:%i, cleanup connection", rc);
+        goto quic_done;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic close %s rc:%i",
+                   qc->closing ? "resumed": "initiated", rc);
+
+    if (!qc->closing) {
+
+        /* drop packets from retransmit queues, no ack is expected */
+        for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+            ngx_quic_free_frames(c, &qc->send_ctx[i].frames);
+            ngx_quic_free_frames(c, &qc->send_ctx[i].sent);
+        }
+
+        if (rc == NGX_DONE) {
+
+            /*
+             * RFC 9000, 10.1.  Idle Timeout
+             *
+             *  If a max_idle_timeout is specified by either endpoint in its
+             *  transport parameters (Section 18.2), the connection is silently
+             *  closed and its state is discarded when it remains idle
+             */
+
+            /* this case also handles some errors from ngx_quic_run() */
+
+            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic close silent drain:%d timedout:%d",
+                           qc->draining, c->read->timedout);
+        } else {
+
+            /*
+             * RFC 9000, 10.2.  Immediate Close
+             *
+             *  An endpoint sends a CONNECTION_CLOSE frame (Section 19.19)
+             *  to terminate the connection immediately.
+             */
+
+            qc->error_level = c->ssl ? SSL_quic_read_level(c->ssl->connection)
+                                     : ssl_encryption_initial;
+
+            if (qc->error == (ngx_uint_t) -1) {
+                qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
+                qc->error_app = 0;
+            }
+
+            ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic close immediate term:%d drain:%d "
+                           "%serror:%ui \"%s\"",
+                           rc == NGX_ERROR ? 1 : 0, qc->draining,
+                           qc->error_app ? "app " : "", qc->error,
+                           qc->error_reason ? qc->error_reason : "");
+
+            if (rc == NGX_OK) {
+                ctx = ngx_quic_get_send_ctx(qc, qc->error_level);
+                ngx_add_timer(&qc->close, 3 * ngx_quic_pto(c, ctx));
+            }
+
+            (void) ngx_quic_send_cc(c);
+
+            if (qc->error_level == ssl_encryption_handshake) {
+                /* for clients that might not have handshake keys */
+                qc->error_level = ssl_encryption_initial;
+                (void) ngx_quic_send_cc(c);
+            }
+        }
+
+        qc->closing = 1;
+    }
+
+    if (rc == NGX_ERROR && qc->close.timer_set) {
+        /* do not wait for timer in case of fatal error */
+        ngx_del_timer(&qc->close);
+    }
+
+    if (ngx_quic_close_streams(c, qc) == NGX_AGAIN) {
+        return;
+    }
+
+    if (qc->push.timer_set) {
+        ngx_del_timer(&qc->push);
+    }
+
+    if (qc->pto.timer_set) {
+        ngx_del_timer(&qc->pto);
+    }
+
+    if (qc->path_validation.timer_set) {
+        ngx_del_timer(&qc->path_validation);
+    }
+
+    if (qc->push.posted) {
+        ngx_delete_posted_event(&qc->push);
+    }
+
+    if (qc->close.timer_set) {
+        return;
+    }
+
+    if (qc->close.posted) {
+        ngx_delete_posted_event(&qc->close);
+    }
+
+    ngx_quic_close_sockets(c);
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic close completed");
+
+    /* may be tested from SSL callback during SSL shutdown */
+    c->udp = NULL;
+
+quic_done:
+
+    if (c->ssl) {
+        (void) ngx_ssl_shutdown(c);
+    }
+
+    if (c->read->timer_set) {
+        ngx_del_timer(c->read);
+    }
+
+#if (NGX_STAT_STUB)
+    (void) ngx_atomic_fetch_add(ngx_stat_active, -1);
+#endif
+
+    c->destroyed = 1;
+
+    pool = c->pool;
+
+    ngx_close_connection(c);
+
+    ngx_destroy_pool(pool);
+}
+
+
+void
+ngx_quic_finalize_connection(ngx_connection_t *c, ngx_uint_t err,
+    const char *reason)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc->closing) {
+        return;
+    }
+
+    qc->error = err;
+    qc->error_reason = reason;
+    qc->error_app = 1;
+    qc->error_ftype = 0;
+
+    ngx_post_event(&qc->close, &ngx_posted_events);
+}
+
+
+void
+ngx_quic_shutdown_connection(ngx_connection_t *c, ngx_uint_t err,
+    const char *reason)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    qc->shutdown = 1;
+    qc->shutdown_code = err;
+    qc->shutdown_reason = reason;
+
+    ngx_quic_shutdown_quic(c);
+}
+
+
+static void
+ngx_quic_close_handler(ngx_event_t *ev)
+{
+    ngx_connection_t  *c;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "quic close handler");
+
+    c = ev->data;
+
+    ngx_quic_close_connection(c, NGX_OK);
+}
+
+
+static ngx_int_t
+ngx_quic_handle_datagram(ngx_connection_t *c, ngx_buf_t *b,
+    ngx_quic_conf_t *conf)
+{
+    size_t                  size;
+    u_char                 *p, *start;
+    ngx_int_t               rc;
+    ngx_uint_t              good;
+    ngx_quic_path_t        *path;
+    ngx_quic_header_t       pkt;
+    ngx_quic_connection_t  *qc;
+
+    good = 0;
+    path = NULL;
+
+    size = b->last - b->pos;
+
+    p = start = b->pos;
+
+    while (p < b->last) {
+
+        ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
+        pkt.raw = b;
+        pkt.data = p;
+        pkt.len = b->last - p;
+        pkt.log = c->log;
+        pkt.first = (p == start) ? 1 : 0;
+        pkt.path = path;
+        pkt.flags = p[0];
+        pkt.raw->pos++;
+
+        rc = ngx_quic_handle_packet(c, conf, &pkt);
+
+#if (NGX_DEBUG)
+        if (pkt.parsed) {
+            ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic packet done rc:%i level:%s"
+                           " decr:%d pn:%L perr:%ui",
+                           rc, ngx_quic_level_name(pkt.level),
+                           pkt.decrypted, pkt.pn, pkt.error);
+        } else {
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic packet done rc:%i parse failed", rc);
+        }
+#endif
+
+        if (rc == NGX_ERROR || rc == NGX_DONE) {
+            return rc;
+        }
+
+        if (rc == NGX_OK) {
+            good = 1;
+        }
+
+        path = pkt.path; /* preserve packet path from 1st packet */
+
+        /* NGX_OK || NGX_DECLINED */
+
+        /*
+         * we get NGX_DECLINED when there are no keys [yet] available
+         * to decrypt packet.
+         * Instead of queueing it, we ignore it and rely on the sender's
+         * retransmission:
+         *
+         * RFC 9000, 12.2.  Coalescing Packets
+         *
+         * For example, if decryption fails (because the keys are
+         * not available or for any other reason), the receiver MAY either
+         * discard or buffer the packet for later processing and MUST
+         * attempt to process the remaining packets.
+         *
+         * We also skip packets that don't match connection state
+         * or cannot be parsed properly.
+         */
+
+        /* b->pos is at header end, adjust by actual packet length */
+        b->pos = pkt.data + pkt.len;
+
+        p = b->pos;
+    }
+
+    if (!good) {
+        return NGX_DONE;
+    }
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc) {
+        qc->received += size;
+
+        if ((uint64_t) (c->sent + qc->received) / 8 >
+            (qc->streams.sent + qc->streams.recv_last) + 1048576)
+        {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+
+            qc->error = NGX_QUIC_ERR_NO_ERROR;
+            qc->error_reason = "QUIC flood detected";
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_handle_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
+    ngx_quic_header_t *pkt)
+{
+    ngx_int_t               rc;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    c->log->action = "parsing quic packet";
+
+    rc = ngx_quic_parse_packet(pkt);
+
+    if (rc == NGX_ERROR) {
+        return NGX_DECLINED;
+    }
+
+    pkt->parsed = 1;
+
+    c->log->action = "handling quic packet";
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic packet rx dcid len:%uz %xV",
+                   pkt->dcid.len, &pkt->dcid);
+
+#if (NGX_DEBUG)
+    if (pkt->level != ssl_encryption_application) {
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic packet rx scid len:%uz %xV",
+                       pkt->scid.len, &pkt->scid);
+    }
+
+    if (pkt->level == ssl_encryption_initial) {
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic address validation token len:%uz %xV",
+                       pkt->token.len, &pkt->token);
+    }
+#endif
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc) {
+
+        if (rc == NGX_ABORT) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic unsupported version: 0x%xD", pkt->version);
+            return NGX_DECLINED;
+        }
+
+        if (pkt->level != ssl_encryption_application) {
+
+            if (pkt->version != qc->version) {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "quic version mismatch: 0x%xD", pkt->version);
+                return NGX_DECLINED;
+            }
+
+            if (pkt->first) {
+                qsock = ngx_quic_get_socket(c);
+
+                if (ngx_cmp_sockaddr(&qsock->sockaddr.sockaddr, qsock->socklen,
+                                     qc->path->sockaddr, qc->path->socklen, 1)
+                    != NGX_OK)
+                {
+                    /* packet comes from unknown path, possibly migration */
+                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                                   "quic too early migration attempt");
+                    return NGX_DONE;
+                }
+            }
+
+            if (ngx_quic_check_csid(qc, pkt) != NGX_OK) {
+                return NGX_DECLINED;
+            }
+
+        }
+
+        rc = ngx_quic_handle_payload(c, pkt);
+
+        if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) {
+            if (ngx_quic_handle_stateless_reset(c, pkt) == NGX_OK) {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "quic stateless reset packet detected");
+
+                qc->draining = 1;
+                ngx_quic_close_connection(c, NGX_OK);
+
+                return NGX_OK;
+            }
+        }
+
+        return rc;
+    }
+
+    /* packet does not belong to a connection */
+
+    if (rc == NGX_ABORT) {
+        return ngx_quic_negotiate_version(c, pkt);
+    }
+
+    if (pkt->level == ssl_encryption_application) {
+        return ngx_quic_send_stateless_reset(c, conf, pkt);
+    }
+
+    if (pkt->level != ssl_encryption_initial) {
+        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic expected initial, got handshake");
+        return NGX_ERROR;
+    }
+
+    c->log->action = "handling initial packet";
+
+    if (pkt->dcid.len < NGX_QUIC_CID_LEN_MIN) {
+        /* RFC 9000, 7.2.  Negotiating Connection IDs */
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic too short dcid in initial"
+                      " packet: len:%i", pkt->dcid.len);
+        return NGX_ERROR;
+    }
+
+    /* process retry and initialize connection IDs */
+
+    if (pkt->token.len) {
+
+        rc = ngx_quic_validate_token(c, conf->av_token_key, pkt);
+
+        if (rc == NGX_ERROR) {
+            /* internal error */
+            return NGX_ERROR;
+
+        } else if (rc == NGX_ABORT) {
+            /* token cannot be decrypted */
+            return ngx_quic_send_early_cc(c, pkt,
+                                          NGX_QUIC_ERR_INVALID_TOKEN,
+                                          "cannot decrypt token");
+        } else if (rc == NGX_DECLINED) {
+            /* token is invalid */
+
+            if (pkt->retried) {
+                /* invalid address validation token */
+                return ngx_quic_send_early_cc(c, pkt,
+                                          NGX_QUIC_ERR_INVALID_TOKEN,
+                                          "invalid address validation token");
+            } else if (conf->retry) {
+                /* invalid NEW_TOKEN */
+                return ngx_quic_send_retry(c, conf, pkt);
+            }
+        }
+
+        /* NGX_OK */
+
+    } else if (conf->retry) {
+        return ngx_quic_send_retry(c, conf, pkt);
+
+    } else {
+        pkt->odcid = pkt->dcid;
+    }
+
+    if (ngx_terminate || ngx_exiting) {
+        if (conf->retry) {
+            return ngx_quic_send_retry(c, conf, pkt);
+        }
+
+        return NGX_ERROR;
+    }
+
+    c->log->action = "creating quic connection";
+
+    qc = ngx_quic_new_connection(c, conf, pkt);
+    if (qc == NULL) {
+        return NGX_ERROR;
+    }
+
+    return ngx_quic_handle_payload(c, pkt);
+}
+
+
+static ngx_int_t
+ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    ngx_int_t               rc;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+    static u_char           buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    qc = ngx_quic_get_connection(c);
+
+    qc->error = (ngx_uint_t) -1;
+    qc->error_reason = 0;
+
+    c->log->action = "decrypting packet";
+
+    if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic no %s keys, ignoring packet",
+                      ngx_quic_level_name(pkt->level));
+        return NGX_DECLINED;
+    }
+
+#if !defined (OPENSSL_IS_BORINGSSL)
+    /* OpenSSL provides read keys for an application level before it's ready */
+
+    if (pkt->level == ssl_encryption_application
+        && SSL_quic_read_level(c->ssl->connection)
+           < ssl_encryption_application)
+    {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic no %s keys ready, ignoring packet",
+                      ngx_quic_level_name(pkt->level));
+        return NGX_DECLINED;
+    }
+#endif
+
+    pkt->keys = qc->keys;
+    pkt->key_phase = qc->key_phase;
+    pkt->plaintext = buf;
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    rc = ngx_quic_decrypt(pkt, &ctx->largest_pn);
+    if (rc != NGX_OK) {
+        qc->error = pkt->error;
+        qc->error_reason = "failed to decrypt packet";
+        return rc;
+    }
+
+    pkt->decrypted = 1;
+
+    c->log->action = "handling decrypted packet";
+
+    if (pkt->path == NULL) {
+        rc = ngx_quic_set_path(c, pkt);
+        if (rc != NGX_OK) {
+            return rc;
+        }
+    }
+
+    if (c->ssl == NULL) {
+        if (ngx_quic_init_connection(c) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    if (pkt->level == ssl_encryption_handshake) {
+        /*
+         * RFC 9001, 4.9.1.  Discarding Initial Keys
+         *
+         * The successful use of Handshake packets indicates
+         * that no more Initial packets need to be exchanged
+         */
+        ngx_quic_discard_ctx(c, ssl_encryption_initial);
+
+        if (!qc->path->validated) {
+            qc->path->validated = 1;
+            qc->path->limited = 0;
+            ngx_quic_path_dbg(c, "in handshake", qc->path);
+            ngx_post_event(&qc->push, &ngx_posted_events);
+        }
+    }
+
+    if (qc->closing) {
+        /*
+         * RFC 9000, 10.2.  Immediate Close
+         *
+         * ... delayed or reordered packets are properly discarded.
+         *
+         *  In the closing state, an endpoint retains only enough information
+         *  to generate a packet containing a CONNECTION_CLOSE frame and to
+         *  identify packets as belonging to the connection.
+         */
+
+        qc->error_level = pkt->level;
+        qc->error = NGX_QUIC_ERR_NO_ERROR;
+        qc->error_reason = "connection is closing, packet discarded";
+        qc->error_ftype = 0;
+        qc->error_app = 0;
+
+        return ngx_quic_send_cc(c);
+    }
+
+    pkt->received = ngx_current_msec;
+
+    c->log->action = "handling payload";
+
+    if (pkt->level != ssl_encryption_application) {
+        return ngx_quic_handle_frames(c, pkt);
+    }
+
+    if (!pkt->key_update) {
+        return ngx_quic_handle_frames(c, pkt);
+    }
+
+    /* switch keys and generate next on Key Phase change */
+
+    qc->key_phase ^= 1;
+    ngx_quic_keys_switch(c, qc->keys);
+
+    rc = ngx_quic_handle_frames(c, pkt);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    return ngx_quic_keys_update(c, qc->keys);
+}
+
+
+void
+ngx_quic_discard_ctx(ngx_connection_t *c, enum ssl_encryption_level_t level)
+{
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_quic_keys_available(qc->keys, level)) {
+        return;
+    }
+
+    ngx_quic_keys_discard(qc->keys, level);
+
+    qc->pto_count = 0;
+
+    ctx = ngx_quic_get_send_ctx(qc, level);
+
+    ngx_quic_free_buffer(c, &ctx->crypto);
+
+    while (!ngx_queue_empty(&ctx->sent)) {
+        q = ngx_queue_head(&ctx->sent);
+        ngx_queue_remove(q);
+
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+        ngx_quic_congestion_ack(c, f);
+        ngx_quic_free_frame(c, f);
+    }
+
+    while (!ngx_queue_empty(&ctx->frames)) {
+        q = ngx_queue_head(&ctx->frames);
+        ngx_queue_remove(q);
+
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+        ngx_quic_free_frame(c, f);
+    }
+
+    if (level == ssl_encryption_initial) {
+        /* close temporary listener with odcid */
+        qsock = ngx_quic_find_socket(c, NGX_QUIC_UNSET_PN);
+        if (qsock) {
+            ngx_quic_close_socket(c, qsock);
+        }
+    }
+
+    ctx->send_ack = 0;
+
+    ngx_quic_set_lost_timer(c);
+}
+
+
+static ngx_int_t
+ngx_quic_check_csid(ngx_quic_connection_t *qc, ngx_quic_header_t *pkt)
+{
+    ngx_queue_t           *q;
+    ngx_quic_client_id_t  *cid;
+
+    for (q = ngx_queue_head(&qc->client_ids);
+         q != ngx_queue_sentinel(&qc->client_ids);
+         q = ngx_queue_next(q))
+    {
+        cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+
+        if (pkt->scid.len == cid->len
+            && ngx_memcmp(pkt->scid.data, cid->id, cid->len) == 0)
+        {
+            return NGX_OK;
+        }
+    }
+
+    ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic unexpected quic scid");
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_quic_handle_frames(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    u_char                 *end, *p;
+    ssize_t                 len;
+    ngx_buf_t               buf;
+    ngx_uint_t              do_close, nonprobing;
+    ngx_chain_t             chain;
+    ngx_quic_frame_t        frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    p = pkt->payload.data;
+    end = p + pkt->payload.len;
+
+    do_close = 0;
+    nonprobing = 0;
+
+    while (p < end) {
+
+        c->log->action = "parsing frames";
+
+        ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+        ngx_memzero(&buf, sizeof(ngx_buf_t));
+        buf.temporary = 1;
+
+        chain.buf = &buf;
+        chain.next = NULL;
+        frame.data = &chain;
+
+        len = ngx_quic_parse_frame(pkt, p, end, &frame);
+
+        if (len < 0) {
+            qc->error = pkt->error;
+            return NGX_ERROR;
+        }
+
+        ngx_quic_log_frame(c->log, &frame, 0);
+
+        c->log->action = "handling frames";
+
+        p += len;
+
+        switch (frame.type) {
+        /* probing frames */
+        case NGX_QUIC_FT_PADDING:
+        case NGX_QUIC_FT_PATH_CHALLENGE:
+        case NGX_QUIC_FT_PATH_RESPONSE:
+        case NGX_QUIC_FT_NEW_CONNECTION_ID:
+            break;
+
+        /* non-probing frames */
+        default:
+            nonprobing = 1;
+            break;
+        }
+
+        switch (frame.type) {
+
+        case NGX_QUIC_FT_ACK:
+            if (ngx_quic_handle_ack_frame(c, pkt, &frame) != NGX_OK) {
+                return NGX_ERROR;
+            }
+
+            continue;
+
+        case NGX_QUIC_FT_PADDING:
+            /* no action required */
+            continue;
+
+        case NGX_QUIC_FT_CONNECTION_CLOSE:
+        case NGX_QUIC_FT_CONNECTION_CLOSE_APP:
+            do_close = 1;
+            continue;
+        }
+
+        /* got there with ack-eliciting packet */
+        pkt->need_ack = 1;
+
+        switch (frame.type) {
+
+        case NGX_QUIC_FT_CRYPTO:
+
+            if (ngx_quic_handle_crypto_frame(c, pkt, &frame) != NGX_OK) {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_PING:
+            break;
+
+        case NGX_QUIC_FT_STREAM:
+
+            if (ngx_quic_handle_stream_frame(c, pkt, &frame) != NGX_OK) {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_MAX_DATA:
+
+            if (ngx_quic_handle_max_data_frame(c, &frame.u.max_data) != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_STREAMS_BLOCKED:
+        case NGX_QUIC_FT_STREAMS_BLOCKED2:
+
+            if (ngx_quic_handle_streams_blocked_frame(c, pkt,
+                                                      &frame.u.streams_blocked)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_DATA_BLOCKED:
+
+            if (ngx_quic_handle_data_blocked_frame(c, pkt,
+                                                   &frame.u.data_blocked)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_STREAM_DATA_BLOCKED:
+
+            if (ngx_quic_handle_stream_data_blocked_frame(c, pkt,
+                                                  &frame.u.stream_data_blocked)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_MAX_STREAM_DATA:
+
+            if (ngx_quic_handle_max_stream_data_frame(c, pkt,
+                                                      &frame.u.max_stream_data)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_RESET_STREAM:
+
+            if (ngx_quic_handle_reset_stream_frame(c, pkt,
+                                                   &frame.u.reset_stream)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_STOP_SENDING:
+
+            if (ngx_quic_handle_stop_sending_frame(c, pkt,
+                                                   &frame.u.stop_sending)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_MAX_STREAMS:
+        case NGX_QUIC_FT_MAX_STREAMS2:
+
+            if (ngx_quic_handle_max_streams_frame(c, pkt, &frame.u.max_streams)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_PATH_CHALLENGE:
+
+            if (ngx_quic_handle_path_challenge_frame(c, pkt,
+                                                     &frame.u.path_challenge)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_PATH_RESPONSE:
+
+            if (ngx_quic_handle_path_response_frame(c, &frame.u.path_response)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_NEW_CONNECTION_ID:
+
+            if (ngx_quic_handle_new_connection_id_frame(c, &frame.u.ncid)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        case NGX_QUIC_FT_RETIRE_CONNECTION_ID:
+
+            if (ngx_quic_handle_retire_connection_id_frame(c,
+                                                           &frame.u.retire_cid)
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            break;
+
+        default:
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic missing frame handler");
+            return NGX_ERROR;
+        }
+    }
+
+    if (p != end) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic trailing garbage in payload:%ui bytes", end - p);
+
+        qc->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+        return NGX_ERROR;
+    }
+
+    if (do_close) {
+        qc->draining = 1;
+        ngx_quic_close_connection(c, NGX_OK);
+    }
+
+    if (pkt->path != qc->path && nonprobing) {
+
+        /*
+         * RFC 9000, 9.2.  Initiating Connection Migration
+         *
+         * An endpoint can migrate a connection to a new local
+         * address by sending packets containing non-probing frames
+         * from that address.
+         */
+        if (ngx_quic_handle_migration(c, pkt) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    if (ngx_quic_ack_packet(c, pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_push_handler(ngx_event_t *ev)
+{
+    ngx_connection_t  *c;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "quic push handler");
+
+    c = ev->data;
+
+    if (ngx_quic_output(c) != NGX_OK) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+        return;
+    }
+
+    ngx_quic_connstate_dbg(c);
+}
+
+
+void
+ngx_quic_shutdown_quic(ngx_connection_t *c)
+{
+    ngx_quic_connection_t  *qc;
+
+    if (c->reusable) {
+        qc = ngx_quic_get_connection(c);
+        ngx_quic_finalize_connection(c, qc->shutdown_code, qc->shutdown_reason);
+    }
+}
diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic.h
@@ -0,0 +1,128 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_H_INCLUDED_
+#define _NGX_EVENT_QUIC_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+#define NGX_QUIC_MAX_UDP_PAYLOAD_SIZE        65527
+
+#define NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT  3
+#define NGX_QUIC_DEFAULT_MAX_ACK_DELAY       25
+#define NGX_QUIC_DEFAULT_HOST_KEY_LEN        32
+#define NGX_QUIC_SR_KEY_LEN                  32
+#define NGX_QUIC_AV_KEY_LEN                  32
+
+#define NGX_QUIC_SR_TOKEN_LEN                16
+
+#define NGX_QUIC_MIN_INITIAL_SIZE            1200
+
+#define NGX_QUIC_STREAM_SERVER_INITIATED     0x01
+#define NGX_QUIC_STREAM_UNIDIRECTIONAL       0x02
+
+
+typedef ngx_int_t (*ngx_quic_init_pt)(ngx_connection_t *c);
+typedef void (*ngx_quic_shutdown_pt)(ngx_connection_t *c);
+
+
+typedef enum {
+    NGX_QUIC_STREAM_SEND_READY = 0,
+    NGX_QUIC_STREAM_SEND_SEND,
+    NGX_QUIC_STREAM_SEND_DATA_SENT,
+    NGX_QUIC_STREAM_SEND_DATA_RECVD,
+    NGX_QUIC_STREAM_SEND_RESET_SENT,
+    NGX_QUIC_STREAM_SEND_RESET_RECVD
+} ngx_quic_stream_send_state_e;
+
+
+typedef enum {
+    NGX_QUIC_STREAM_RECV_RECV = 0,
+    NGX_QUIC_STREAM_RECV_SIZE_KNOWN,
+    NGX_QUIC_STREAM_RECV_DATA_RECVD,
+    NGX_QUIC_STREAM_RECV_DATA_READ,
+    NGX_QUIC_STREAM_RECV_RESET_RECVD,
+    NGX_QUIC_STREAM_RECV_RESET_READ
+} ngx_quic_stream_recv_state_e;
+
+
+typedef struct {
+    uint64_t                       size;
+    uint64_t                       offset;
+    uint64_t                       last_offset;
+    ngx_chain_t                   *chain;
+    ngx_chain_t                   *last_chain;
+} ngx_quic_buffer_t;
+
+
+typedef struct {
+    ngx_ssl_t                     *ssl;
+
+    ngx_flag_t                     retry;
+    ngx_flag_t                     gso_enabled;
+    ngx_flag_t                     disable_active_migration;
+    ngx_msec_t                     timeout;
+    ngx_str_t                      host_key;
+    size_t                         stream_buffer_size;
+    ngx_uint_t                     max_concurrent_streams_bidi;
+    ngx_uint_t                     max_concurrent_streams_uni;
+    ngx_uint_t                     active_connection_id_limit;
+    ngx_int_t                      stream_close_code;
+    ngx_int_t                      stream_reject_code_uni;
+    ngx_int_t                      stream_reject_code_bidi;
+
+    ngx_quic_init_pt               init;
+    ngx_quic_shutdown_pt           shutdown;
+
+    u_char                         av_token_key[NGX_QUIC_AV_KEY_LEN];
+    u_char                         sr_token_key[NGX_QUIC_SR_KEY_LEN];
+} ngx_quic_conf_t;
+
+
+struct ngx_quic_stream_s {
+    ngx_rbtree_node_t              node;
+    ngx_queue_t                    queue;
+    ngx_connection_t              *parent;
+    ngx_connection_t              *connection;
+    uint64_t                       id;
+    uint64_t                       sent;
+    uint64_t                       acked;
+    uint64_t                       send_max_data;
+    uint64_t                       send_offset;
+    uint64_t                       send_final_size;
+    uint64_t                       recv_max_data;
+    uint64_t                       recv_offset;
+    uint64_t                       recv_window;
+    uint64_t                       recv_last;
+    uint64_t                       recv_final_size;
+    ngx_quic_buffer_t              send;
+    ngx_quic_buffer_t              recv;
+    ngx_quic_stream_send_state_e   send_state;
+    ngx_quic_stream_recv_state_e   recv_state;
+    unsigned                       cancelable:1;
+    unsigned                       fin_acked:1;
+};
+
+
+void ngx_quic_recvmsg(ngx_event_t *ev);
+void ngx_quic_run(ngx_connection_t *c, ngx_quic_conf_t *conf);
+ngx_connection_t *ngx_quic_open_stream(ngx_connection_t *c, ngx_uint_t bidi);
+void ngx_quic_finalize_connection(ngx_connection_t *c, ngx_uint_t err,
+    const char *reason);
+void ngx_quic_shutdown_connection(ngx_connection_t *c, ngx_uint_t err,
+    const char *reason);
+ngx_int_t ngx_quic_reset_stream(ngx_connection_t *c, ngx_uint_t err);
+ngx_int_t ngx_quic_shutdown_stream(ngx_connection_t *c, int how);
+void ngx_quic_cancelable_stream(ngx_connection_t *c);
+ngx_int_t ngx_quic_get_packet_dcid(ngx_log_t *log, u_char *data, size_t len,
+    ngx_str_t *dcid);
+ngx_int_t ngx_quic_derive_key(ngx_log_t *log, const char *label,
+    ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len);
+
+#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_ack.c b/src/event/quic/ngx_event_quic_ack.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_ack.c
@@ -0,0 +1,1192 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#define NGX_QUIC_MAX_ACK_GAP                 2
+
+/* RFC 9002, 6.1.1. Packet Threshold: kPacketThreshold */
+#define NGX_QUIC_PKT_THR                     3 /* packets */
+/* RFC 9002, 6.1.2. Time Threshold: kGranularity */
+#define NGX_QUIC_TIME_GRANULARITY            1 /* ms */
+
+/* RFC 9002, 7.6.1. Duration: kPersistentCongestionThreshold */
+#define NGX_QUIC_PERSISTENT_CONGESTION_THR   3
+
+
+/* send time of ACK'ed packets */
+typedef struct {
+    ngx_msec_t                               max_pn;
+    ngx_msec_t                               oldest;
+    ngx_msec_t                               newest;
+} ngx_quic_ack_stat_t;
+
+
+static ngx_inline ngx_msec_t ngx_quic_lost_threshold(ngx_quic_connection_t *qc);
+static void ngx_quic_rtt_sample(ngx_connection_t *c, ngx_quic_ack_frame_t *ack,
+    enum ssl_encryption_level_t level, ngx_msec_t send_time);
+static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max,
+    ngx_quic_ack_stat_t *st);
+static void ngx_quic_drop_ack_ranges(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx, uint64_t pn);
+static ngx_int_t ngx_quic_detect_lost(ngx_connection_t *c,
+    ngx_quic_ack_stat_t *st);
+static ngx_msec_t ngx_quic_pcg_duration(ngx_connection_t *c);
+static void ngx_quic_persistent_congestion(ngx_connection_t *c);
+static void ngx_quic_congestion_lost(ngx_connection_t *c,
+    ngx_quic_frame_t *frame);
+static void ngx_quic_lost_handler(ngx_event_t *ev);
+
+
+/* RFC 9002, 6.1.2. Time Threshold: kTimeThreshold, kGranularity */
+static ngx_inline ngx_msec_t
+ngx_quic_lost_threshold(ngx_quic_connection_t *qc)
+{
+    ngx_msec_t  thr;
+
+    thr = ngx_max(qc->latest_rtt, qc->avg_rtt);
+    thr += thr >> 3;
+
+    return ngx_max(thr, NGX_QUIC_TIME_GRANULARITY);
+}
+
+
+ngx_int_t
+ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
+    ngx_quic_frame_t *f)
+{
+    ssize_t                 n;
+    u_char                 *pos, *end;
+    uint64_t                min, max, gap, range;
+    ngx_uint_t              i;
+    ngx_quic_ack_stat_t     send_time;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_ack_frame_t   *ack;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_handle_ack_frame level:%d", pkt->level);
+
+    ack = &f->u.ack;
+
+    /*
+     * RFC 9000, 19.3.1.  ACK Ranges
+     *
+     *  If any computed packet number is negative, an endpoint MUST
+     *  generate a connection error of type FRAME_ENCODING_ERROR.
+     */
+
+    if (ack->first_range > ack->largest) {
+        qc->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic invalid first range in ack frame");
+        return NGX_ERROR;
+    }
+
+    min = ack->largest - ack->first_range;
+    max = ack->largest;
+
+    send_time.oldest = NGX_TIMER_INFINITE;
+    send_time.newest = NGX_TIMER_INFINITE;
+
+    if (ngx_quic_handle_ack_frame_range(c, ctx, min, max, &send_time)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    /* RFC 9000, 13.2.4.  Limiting Ranges by Tracking ACK Frames */
+    if (ctx->largest_ack < max || ctx->largest_ack == NGX_QUIC_UNSET_PN) {
+        ctx->largest_ack = max;
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic updated largest received ack:%uL", max);
+
+        /*
+         * RFC 9002, 5.1.  Generating RTT Samples
+         *
+         *  An endpoint generates an RTT sample on receiving an
+         *  ACK frame that meets the following two conditions:
+         *
+         *  - the largest acknowledged packet number is newly acknowledged
+         *  - at least one of the newly acknowledged packets was ack-eliciting.
+         */
+
+        if (send_time.max_pn != NGX_TIMER_INFINITE) {
+            ngx_quic_rtt_sample(c, ack, pkt->level, send_time.max_pn);
+        }
+    }
+
+    if (f->data) {
+        pos = f->data->buf->pos;
+        end = f->data->buf->last;
+
+    } else {
+        pos = NULL;
+        end = NULL;
+    }
+
+    for (i = 0; i < ack->range_count; i++) {
+
+        n = ngx_quic_parse_ack_range(pkt->log, pos, end, &gap, &range);
+        if (n == NGX_ERROR) {
+            return NGX_ERROR;
+        }
+        pos += n;
+
+        if (gap + 2 > min) {
+            qc->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic invalid range:%ui in ack frame", i);
+            return NGX_ERROR;
+        }
+
+        max = min - gap - 2;
+
+        if (range > max) {
+            qc->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic invalid range:%ui in ack frame", i);
+            return NGX_ERROR;
+        }
+
+        min = max - range;
+
+        if (ngx_quic_handle_ack_frame_range(c, ctx, min, max, &send_time)
+            != NGX_OK)
+        {
+            return NGX_ERROR;
+        }
+    }
+
+    return ngx_quic_detect_lost(c, &send_time);
+}
+
+
+static void
+ngx_quic_rtt_sample(ngx_connection_t *c, ngx_quic_ack_frame_t *ack,
+    enum ssl_encryption_level_t level, ngx_msec_t send_time)
+{
+    ngx_msec_t              latest_rtt, ack_delay, adjusted_rtt, rttvar_sample;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    latest_rtt = ngx_current_msec - send_time;
+    qc->latest_rtt = latest_rtt;
+
+    if (qc->min_rtt == NGX_TIMER_INFINITE) {
+        qc->min_rtt = latest_rtt;
+        qc->avg_rtt = latest_rtt;
+        qc->rttvar = latest_rtt / 2;
+        qc->first_rtt = ngx_current_msec;
+
+    } else {
+        qc->min_rtt = ngx_min(qc->min_rtt, latest_rtt);
+
+        ack_delay = (ack->delay << qc->ctp.ack_delay_exponent) / 1000;
+
+        if (c->ssl->handshaked) {
+            ack_delay = ngx_min(ack_delay, qc->ctp.max_ack_delay);
+        }
+
+        adjusted_rtt = latest_rtt;
+
+        if (qc->min_rtt + ack_delay < latest_rtt) {
+            adjusted_rtt -= ack_delay;
+        }
+
+        qc->avg_rtt += (adjusted_rtt >> 3) - (qc->avg_rtt >> 3);
+        rttvar_sample = ngx_abs((ngx_msec_int_t) (qc->avg_rtt - adjusted_rtt));
+        qc->rttvar += (rttvar_sample >> 2) - (qc->rttvar >> 2);
+    }
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic rtt sample latest:%M min:%M avg:%M var:%M",
+                   latest_rtt, qc->min_rtt, qc->avg_rtt, qc->rttvar);
+}
+
+
+static ngx_int_t
+ngx_quic_handle_ack_frame_range(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    uint64_t min, uint64_t max, ngx_quic_ack_stat_t *st)
+{
+    ngx_uint_t              found;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    st->max_pn = NGX_TIMER_INFINITE;
+    found = 0;
+
+    q = ngx_queue_head(&ctx->sent);
+
+    while (q != ngx_queue_sentinel(&ctx->sent)) {
+
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+        q = ngx_queue_next(q);
+
+        if (f->pnum > max) {
+            break;
+        }
+
+        if (f->pnum >= min) {
+            ngx_quic_congestion_ack(c, f);
+
+            switch (f->type) {
+            case NGX_QUIC_FT_ACK:
+            case NGX_QUIC_FT_ACK_ECN:
+                ngx_quic_drop_ack_ranges(c, ctx, f->u.ack.largest);
+                break;
+
+            case NGX_QUIC_FT_STREAM:
+            case NGX_QUIC_FT_RESET_STREAM:
+                ngx_quic_handle_stream_ack(c, f);
+                break;
+            }
+
+            if (f->pnum == max) {
+                st->max_pn = f->last;
+            }
+
+            /* save earliest and latest send times of frames ack'ed */
+            if (st->oldest == NGX_TIMER_INFINITE || f->last < st->oldest) {
+                st->oldest = f->last;
+            }
+
+            if (st->newest == NGX_TIMER_INFINITE || f->last > st->newest) {
+                st->newest = f->last;
+            }
+
+            ngx_queue_remove(&f->queue);
+            ngx_quic_free_frame(c, f);
+            found = 1;
+        }
+    }
+
+    if (!found) {
+
+        if (max < ctx->pnum) {
+            /* duplicate ACK or ACK for non-ack-eliciting frame */
+            return NGX_OK;
+        }
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic ACK for the packet not sent");
+
+        qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        qc->error_ftype = NGX_QUIC_FT_ACK;
+        qc->error_reason = "unknown packet number";
+
+        return NGX_ERROR;
+    }
+
+    if (!qc->push.timer_set) {
+        ngx_post_event(&qc->push, &ngx_posted_events);
+    }
+
+    qc->pto_count = 0;
+
+    return NGX_OK;
+}
+
+
+void
+ngx_quic_congestion_ack(ngx_connection_t *c, ngx_quic_frame_t *f)
+{
+    ngx_uint_t              blocked;
+    ngx_msec_t              timer;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+
+    if (f->plen == 0) {
+        return;
+    }
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+
+    blocked = (cg->in_flight >= cg->window) ? 1 : 0;
+
+    cg->in_flight -= f->plen;
+
+    timer = f->last - cg->recovery_start;
+
+    if ((ngx_msec_int_t) timer <= 0) {
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic congestion ack recovery win:%uz ss:%z if:%uz",
+                       cg->window, cg->ssthresh, cg->in_flight);
+
+        goto done;
+    }
+
+    if (cg->window < cg->ssthresh) {
+        cg->window += f->plen;
+
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic congestion slow start win:%uz ss:%z if:%uz",
+                       cg->window, cg->ssthresh, cg->in_flight);
+
+    } else {
+        cg->window += qc->tp.max_udp_payload_size * f->plen / cg->window;
+
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic congestion avoidance win:%uz ss:%z if:%uz",
+                       cg->window, cg->ssthresh, cg->in_flight);
+    }
+
+    /* prevent recovery_start from wrapping */
+
+    timer = cg->recovery_start - ngx_current_msec + qc->tp.max_idle_timeout * 2;
+
+    if ((ngx_msec_int_t) timer < 0) {
+        cg->recovery_start = ngx_current_msec - qc->tp.max_idle_timeout * 2;
+    }
+
+done:
+
+    if (blocked && cg->in_flight < cg->window) {
+        ngx_post_event(&qc->push, &ngx_posted_events);
+    }
+}
+
+
+static void
+ngx_quic_drop_ack_ranges(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    uint64_t pn)
+{
+    uint64_t               base;
+    ngx_uint_t             i, smallest, largest;
+    ngx_quic_ack_range_t  *r;
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_drop_ack_ranges pn:%uL largest:%uL"
+                   " fr:%uL nranges:%ui", pn, ctx->largest_range,
+                   ctx->first_range, ctx->nranges);
+
+    base = ctx->largest_range;
+
+    if (base == NGX_QUIC_UNSET_PN) {
+        return;
+    }
+
+    if (ctx->pending_ack != NGX_QUIC_UNSET_PN && pn >= ctx->pending_ack) {
+        ctx->pending_ack = NGX_QUIC_UNSET_PN;
+    }
+
+    largest = base;
+    smallest = largest - ctx->first_range;
+
+    if (pn >= largest) {
+        ctx->largest_range = NGX_QUIC_UNSET_PN;
+        ctx->first_range = 0;
+        ctx->nranges = 0;
+        return;
+    }
+
+    if (pn >= smallest) {
+        ctx->first_range = largest - pn - 1;
+        ctx->nranges = 0;
+        return;
+    }
+
+    for (i = 0; i < ctx->nranges; i++) {
+        r = &ctx->ranges[i];
+
+        largest = smallest - r->gap - 2;
+        smallest = largest - r->range;
+
+        if (pn >= largest) {
+            ctx->nranges = i;
+            return;
+        }
+        if (pn >= smallest) {
+            r->range = largest - pn - 1;
+            ctx->nranges = i + 1;
+            return;
+        }
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
+{
+    ngx_uint_t              i, nlost;
+    ngx_msec_t              now, wait, thr, oldest, newest;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *start;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    now = ngx_current_msec;
+    thr = ngx_quic_lost_threshold(qc);
+
+    /* send time of lost packets across all send contexts */
+    oldest = NGX_TIMER_INFINITE;
+    newest = NGX_TIMER_INFINITE;
+
+    nlost = 0;
+
+    for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+
+        ctx = &qc->send_ctx[i];
+
+        if (ctx->largest_ack == NGX_QUIC_UNSET_PN) {
+            continue;
+        }
+
+        while (!ngx_queue_empty(&ctx->sent)) {
+
+            q = ngx_queue_head(&ctx->sent);
+            start = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+            if (start->pnum > ctx->largest_ack) {
+                break;
+            }
+
+            wait = start->last + thr - now;
+
+            ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic detect_lost pnum:%uL thr:%M wait:%i level:%d",
+                           start->pnum, thr, (ngx_int_t) wait, start->level);
+
+            if ((ngx_msec_int_t) wait > 0
+                && ctx->largest_ack - start->pnum < NGX_QUIC_PKT_THR)
+            {
+                break;
+            }
+
+            if (start->last > qc->first_rtt) {
+
+                if (oldest == NGX_TIMER_INFINITE || start->last < oldest) {
+                    oldest = start->last;
+                }
+
+                if (newest == NGX_TIMER_INFINITE || start->last > newest) {
+                    newest = start->last;
+                }
+
+                nlost++;
+            }
+
+            ngx_quic_resend_frames(c, ctx);
+        }
+    }
+
+
+    /* RFC 9002, 7.6.2.  Establishing Persistent Congestion */
+
+    /*
+     * Once acknowledged, packets are no longer tracked. Thus no send time
+     * information is available for such packets. This limits persistent
+     * congestion algorithm to packets mentioned within ACK ranges of the
+     * latest ACK frame.
+     */
+
+    if (st && nlost >= 2 && (st->newest < oldest || st->oldest > newest)) {
+
+        if (newest - oldest > ngx_quic_pcg_duration(c)) {
+            ngx_quic_persistent_congestion(c);
+        }
+    }
+
+    ngx_quic_set_lost_timer(c);
+
+    return NGX_OK;
+}
+
+
+static ngx_msec_t
+ngx_quic_pcg_duration(ngx_connection_t *c)
+{
+    ngx_msec_t              duration;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    duration = qc->avg_rtt;
+    duration += ngx_max(4 * qc->rttvar, NGX_QUIC_TIME_GRANULARITY);
+    duration += qc->ctp.max_ack_delay;
+    duration *= NGX_QUIC_PERSISTENT_CONGESTION_THR;
+
+    return duration;
+}
+
+
+static void
+ngx_quic_persistent_congestion(ngx_connection_t *c)
+{
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+
+    cg->recovery_start = ngx_current_msec;
+    cg->window = qc->tp.max_udp_payload_size * 2;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic persistent congestion win:%uz", cg->window);
+}
+
+
+void
+ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
+{
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f, *start;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    q = ngx_queue_head(&ctx->sent);
+    start = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic resend packet pnum:%uL", start->pnum);
+
+    ngx_quic_congestion_lost(c, start);
+
+    do {
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        if (f->pnum != start->pnum) {
+            break;
+        }
+
+        q = ngx_queue_next(q);
+
+        ngx_queue_remove(&f->queue);
+
+        switch (f->type) {
+        case NGX_QUIC_FT_ACK:
+        case NGX_QUIC_FT_ACK_ECN:
+            if (ctx->level == ssl_encryption_application) {
+                /* force generation of most recent acknowledgment */
+                ctx->send_ack = NGX_QUIC_MAX_ACK_GAP;
+            }
+
+            ngx_quic_free_frame(c, f);
+            break;
+
+        case NGX_QUIC_FT_PING:
+        case NGX_QUIC_FT_PATH_RESPONSE:
+        case NGX_QUIC_FT_CONNECTION_CLOSE:
+            ngx_quic_free_frame(c, f);
+            break;
+
+        case NGX_QUIC_FT_MAX_DATA:
+            f->u.max_data.max_data = qc->streams.recv_max_data;
+            ngx_quic_queue_frame(qc, f);
+            break;
+
+        case NGX_QUIC_FT_MAX_STREAMS:
+        case NGX_QUIC_FT_MAX_STREAMS2:
+            f->u.max_streams.limit = f->u.max_streams.bidi
+                                     ? qc->streams.client_max_streams_bidi
+                                     : qc->streams.client_max_streams_uni;
+            ngx_quic_queue_frame(qc, f);
+            break;
+
+        case NGX_QUIC_FT_MAX_STREAM_DATA:
+            qs = ngx_quic_find_stream(&qc->streams.tree,
+                                      f->u.max_stream_data.id);
+            if (qs == NULL) {
+                ngx_quic_free_frame(c, f);
+                break;
+            }
+
+            f->u.max_stream_data.limit = qs->recv_max_data;
+            ngx_quic_queue_frame(qc, f);
+            break;
+
+        case NGX_QUIC_FT_STREAM:
+            qs = ngx_quic_find_stream(&qc->streams.tree, f->u.stream.stream_id);
+
+            if (qs) {
+                if (qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
+                    || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
+                {
+                    ngx_quic_free_frame(c, f);
+                    break;
+                }
+            }
+
+            /* fall through */
+
+        default:
+            ngx_queue_insert_tail(&ctx->frames, &f->queue);
+        }
+
+    } while (q != ngx_queue_sentinel(&ctx->sent));
+
+    if (qc->closing) {
+        return;
+    }
+
+    ngx_post_event(&qc->push, &ngx_posted_events);
+}
+
+
+static void
+ngx_quic_congestion_lost(ngx_connection_t *c, ngx_quic_frame_t *f)
+{
+    ngx_uint_t              blocked;
+    ngx_msec_t              timer;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+
+    if (f->plen == 0) {
+        return;
+    }
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+
+    blocked = (cg->in_flight >= cg->window) ? 1 : 0;
+
+    cg->in_flight -= f->plen;
+    f->plen = 0;
+
+    timer = f->last - cg->recovery_start;
+
+    if ((ngx_msec_int_t) timer <= 0) {
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic congestion lost recovery win:%uz ss:%z if:%uz",
+                       cg->window, cg->ssthresh, cg->in_flight);
+
+        goto done;
+    }
+
+    cg->recovery_start = ngx_current_msec;
+    cg->window /= 2;
+
+    if (cg->window < qc->tp.max_udp_payload_size * 2) {
+        cg->window = qc->tp.max_udp_payload_size * 2;
+    }
+
+    cg->ssthresh = cg->window;
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic congestion lost win:%uz ss:%z if:%uz",
+                   cg->window, cg->ssthresh, cg->in_flight);
+
+done:
+
+    if (blocked && cg->in_flight < cg->window) {
+        ngx_post_event(&qc->push, &ngx_posted_events);
+    }
+}
+
+
+void
+ngx_quic_set_lost_timer(ngx_connection_t *c)
+{
+    ngx_uint_t              i;
+    ngx_msec_t              now;
+    ngx_queue_t            *q;
+    ngx_msec_int_t          lost, pto, w;
+    ngx_quic_frame_t       *f;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    now = ngx_current_msec;
+
+    lost = -1;
+    pto = -1;
+
+    for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+        ctx = &qc->send_ctx[i];
+
+        if (ngx_queue_empty(&ctx->sent)) {
+            continue;
+        }
+
+        if (ctx->largest_ack != NGX_QUIC_UNSET_PN) {
+            q = ngx_queue_head(&ctx->sent);
+            f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+            w = (ngx_msec_int_t) (f->last + ngx_quic_lost_threshold(qc) - now);
+
+            if (f->pnum <= ctx->largest_ack) {
+                if (w < 0 || ctx->largest_ack - f->pnum >= NGX_QUIC_PKT_THR) {
+                    w = 0;
+                }
+
+                if (lost == -1 || w < lost) {
+                    lost = w;
+                }
+            }
+        }
+
+        q = ngx_queue_last(&ctx->sent);
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+        w = (ngx_msec_int_t) (f->last + (ngx_quic_pto(c, ctx) << qc->pto_count)
+                              - now);
+
+        if (w < 0) {
+            w = 0;
+        }
+
+        if (pto == -1 || w < pto) {
+            pto = w;
+        }
+    }
+
+    if (qc->pto.timer_set) {
+        ngx_del_timer(&qc->pto);
+    }
+
+    if (lost != -1) {
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic lost timer lost:%M", lost);
+
+        qc->pto.handler = ngx_quic_lost_handler;
+        ngx_add_timer(&qc->pto, lost);
+        return;
+    }
+
+    if (pto != -1) {
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic lost timer pto:%M", pto);
+
+        qc->pto.handler = ngx_quic_pto_handler;
+        ngx_add_timer(&qc->pto, pto);
+        return;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic lost timer unset");
+}
+
+
+ngx_msec_t
+ngx_quic_pto(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
+{
+    ngx_msec_t              duration;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    /* RFC 9002, Appendix A.8.  Setting the Loss Detection Timer */
+
+    duration = qc->avg_rtt;
+    duration += ngx_max(4 * qc->rttvar, NGX_QUIC_TIME_GRANULARITY);
+
+    if (ctx->level == ssl_encryption_application && c->ssl->handshaked) {
+        duration += qc->ctp.max_ack_delay;
+    }
+
+    return duration;
+}
+
+
+static
+void ngx_quic_lost_handler(ngx_event_t *ev)
+{
+    ngx_connection_t  *c;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "quic lost timer");
+
+    c = ev->data;
+
+    if (ngx_quic_detect_lost(c, NULL) != NGX_OK) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+    }
+
+    ngx_quic_connstate_dbg(c);
+}
+
+
+void
+ngx_quic_pto_handler(ngx_event_t *ev)
+{
+    ngx_uint_t              i;
+    ngx_msec_t              now;
+    ngx_queue_t            *q, *next;
+    ngx_connection_t       *c;
+    ngx_quic_frame_t       *f;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "quic pto timer");
+
+    c = ev->data;
+    qc = ngx_quic_get_connection(c);
+    now = ngx_current_msec;
+
+    for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+
+        ctx = &qc->send_ctx[i];
+
+        if (ngx_queue_empty(&ctx->sent)) {
+            continue;
+        }
+
+        q = ngx_queue_head(&ctx->sent);
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        if (f->pnum <= ctx->largest_ack
+            && ctx->largest_ack != NGX_QUIC_UNSET_PN)
+        {
+            continue;
+        }
+
+        if ((ngx_msec_int_t) (f->last + (ngx_quic_pto(c, ctx) << qc->pto_count)
+                              - now) > 0)
+        {
+            continue;
+        }
+
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic pto %s pto_count:%ui",
+                       ngx_quic_level_name(ctx->level), qc->pto_count);
+
+        for (q = ngx_queue_head(&ctx->frames);
+             q != ngx_queue_sentinel(&ctx->frames);
+             /* void */)
+        {
+            next = ngx_queue_next(q);
+            f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+            if (f->type == NGX_QUIC_FT_PING) {
+                ngx_queue_remove(q);
+                ngx_quic_free_frame(c, f);
+            }
+
+            q = next;
+        }
+
+        for (q = ngx_queue_head(&ctx->sent);
+             q != ngx_queue_sentinel(&ctx->sent);
+             /* void */)
+        {
+            next = ngx_queue_next(q);
+            f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+            if (f->type == NGX_QUIC_FT_PING) {
+                ngx_quic_congestion_lost(c, f);
+                ngx_queue_remove(q);
+                ngx_quic_free_frame(c, f);
+            }
+
+            q = next;
+        }
+
+        /* enforce 2 udp datagrams */
+
+        f = ngx_quic_alloc_frame(c);
+        if (f == NULL) {
+            break;
+        }
+
+        f->level = ctx->level;
+        f->type = NGX_QUIC_FT_PING;
+        f->flush = 1;
+
+        ngx_quic_queue_frame(qc, f);
+
+        f = ngx_quic_alloc_frame(c);
+        if (f == NULL) {
+            break;
+        }
+
+        f->level = ctx->level;
+        f->type = NGX_QUIC_FT_PING;
+
+        ngx_quic_queue_frame(qc, f);
+    }
+
+    qc->pto_count++;
+
+    ngx_quic_connstate_dbg(c);
+}
+
+
+ngx_int_t
+ngx_quic_ack_packet(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    uint64_t                base, largest, smallest, gs, ge, gap, range, pn;
+    uint64_t                prev_pending;
+    ngx_uint_t              i, nr;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_ack_range_t   *r;
+    ngx_quic_connection_t  *qc;
+
+    c->log->action = "preparing ack";
+
+    qc = ngx_quic_get_connection(c);
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_ack_packet pn:%uL largest %L fr:%uL"
+                   " nranges:%ui", pkt->pn, (int64_t) ctx->largest_range,
+                   ctx->first_range, ctx->nranges);
+
+    prev_pending = ctx->pending_ack;
+
+    if (pkt->need_ack) {
+
+        ngx_post_event(&qc->push, &ngx_posted_events);
+
+        if (ctx->send_ack == 0) {
+            ctx->ack_delay_start = ngx_current_msec;
+        }
+
+        ctx->send_ack++;
+
+        if (ctx->pending_ack == NGX_QUIC_UNSET_PN
+            || ctx->pending_ack < pkt->pn)
+        {
+            ctx->pending_ack = pkt->pn;
+        }
+    }
+
+    base = ctx->largest_range;
+    pn = pkt->pn;
+
+    if (base == NGX_QUIC_UNSET_PN) {
+        ctx->largest_range = pn;
+        ctx->largest_received = pkt->received;
+        return NGX_OK;
+    }
+
+    if (base == pn) {
+        return NGX_OK;
+    }
+
+    largest = base;
+    smallest = largest - ctx->first_range;
+
+    if (pn > base) {
+
+        if (pn - base == 1) {
+            ctx->first_range++;
+            ctx->largest_range = pn;
+            ctx->largest_received = pkt->received;
+
+            return NGX_OK;
+
+        } else {
+            /* new gap in front of current largest */
+
+            /* no place for new range, send current range as is */
+            if (ctx->nranges == NGX_QUIC_MAX_RANGES) {
+
+                if (prev_pending != NGX_QUIC_UNSET_PN) {
+                    if (ngx_quic_send_ack(c, ctx) != NGX_OK) {
+                        return NGX_ERROR;
+                    }
+                }
+
+                if (prev_pending == ctx->pending_ack || !pkt->need_ack) {
+                    ctx->pending_ack = NGX_QUIC_UNSET_PN;
+                }
+            }
+
+            gap = pn - base - 2;
+            range = ctx->first_range;
+
+            ctx->first_range = 0;
+            ctx->largest_range = pn;
+            ctx->largest_received = pkt->received;
+
+            /* packet is out of order, force send */
+            if (pkt->need_ack) {
+                ctx->send_ack = NGX_QUIC_MAX_ACK_GAP;
+            }
+
+            i = 0;
+
+            goto insert;
+        }
+    }
+
+    /*  pn < base, perform lookup in existing ranges */
+
+    /* packet is out of order */
+    if (pkt->need_ack) {
+        ctx->send_ack = NGX_QUIC_MAX_ACK_GAP;
+    }
+
+    if (pn >= smallest && pn <= largest) {
+        return NGX_OK;
+    }
+
+#if (NGX_SUPPRESS_WARN)
+    r = NULL;
+#endif
+
+    for (i = 0; i < ctx->nranges; i++) {
+        r = &ctx->ranges[i];
+
+        ge = smallest - 1;
+        gs = ge - r->gap;
+
+        if (pn >= gs && pn <= ge) {
+
+            if (gs == ge) {
+                /* gap size is exactly one packet, now filled */
+
+                /* data moves to previous range, current is removed */
+
+                if (i == 0) {
+                    ctx->first_range += r->range + 2;
+
+                } else {
+                    ctx->ranges[i - 1].range += r->range + 2;
+                }
+
+                nr = ctx->nranges - i - 1;
+                if (nr) {
+                    ngx_memmove(&ctx->ranges[i], &ctx->ranges[i + 1],
+                                sizeof(ngx_quic_ack_range_t) * nr);
+                }
+
+                ctx->nranges--;
+
+            } else if (pn == gs) {
+                /* current gap shrinks from tail (current range grows) */
+                r->gap--;
+                r->range++;
+
+            } else if (pn == ge) {
+                /* current gap shrinks from head (previous range grows) */
+                r->gap--;
+
+                if (i == 0) {
+                    ctx->first_range++;
+
+                } else {
+                    ctx->ranges[i - 1].range++;
+                }
+
+            } else {
+                /* current gap is split into two parts */
+
+                gap = ge - pn - 1;
+                range = 0;
+
+                if (ctx->nranges == NGX_QUIC_MAX_RANGES) {
+                    if (prev_pending != NGX_QUIC_UNSET_PN) {
+                        if (ngx_quic_send_ack(c, ctx) != NGX_OK) {
+                            return NGX_ERROR;
+                        }
+                    }
+
+                    if (prev_pending == ctx->pending_ack || !pkt->need_ack) {
+                        ctx->pending_ack = NGX_QUIC_UNSET_PN;
+                    }
+                }
+
+                r->gap = pn - gs - 1;
+                goto insert;
+            }
+
+            return NGX_OK;
+        }
+
+        largest = smallest - r->gap - 2;
+        smallest = largest - r->range;
+
+        if (pn >= smallest && pn <= largest) {
+            /* this packet number is already known */
+            return NGX_OK;
+        }
+
+    }
+
+    if (pn == smallest - 1) {
+        /* extend first or last range */
+
+        if (i == 0) {
+            ctx->first_range++;
+
+        } else {
+            r->range++;
+        }
+
+        return NGX_OK;
+    }
+
+    /* nothing found, add new range at the tail  */
+
+    if (ctx->nranges == NGX_QUIC_MAX_RANGES) {
+        /* packet is too old to keep it */
+
+        if (pkt->need_ack) {
+            return ngx_quic_send_ack_range(c, ctx, pn, pn);
+        }
+
+        return NGX_OK;
+    }
+
+    gap = smallest - 2 - pn;
+    range = 0;
+
+insert:
+
+    if (ctx->nranges < NGX_QUIC_MAX_RANGES) {
+        ctx->nranges++;
+    }
+
+    ngx_memmove(&ctx->ranges[i + 1], &ctx->ranges[i],
+                sizeof(ngx_quic_ack_range_t) * (ctx->nranges - i - 1));
+
+    ctx->ranges[i].gap = gap;
+    ctx->ranges[i].range = range;
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_generate_ack(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
+{
+    ngx_msec_t              delay;
+    ngx_quic_connection_t  *qc;
+
+    if (!ctx->send_ack) {
+        return NGX_OK;
+    }
+
+    if (ctx->level == ssl_encryption_application) {
+
+        delay = ngx_current_msec - ctx->ack_delay_start;
+        qc = ngx_quic_get_connection(c);
+
+        if (ctx->send_ack < NGX_QUIC_MAX_ACK_GAP
+            && delay < qc->tp.max_ack_delay)
+        {
+            if (!qc->push.timer_set && !qc->closing) {
+                ngx_add_timer(&qc->push,
+                              qc->tp.max_ack_delay - delay);
+            }
+
+            return NGX_OK;
+        }
+    }
+
+    if (ngx_quic_send_ack(c, ctx) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ctx->send_ack = 0;
+
+    return NGX_OK;
+}
diff --git a/src/event/quic/ngx_event_quic_ack.h b/src/event/quic/ngx_event_quic_ack.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_ack.h
@@ -0,0 +1,30 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_ACK_H_INCLUDED_
+#define _NGX_EVENT_QUIC_ACK_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_frame_t *f);
+
+void ngx_quic_congestion_ack(ngx_connection_t *c,
+    ngx_quic_frame_t *frame);
+void ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx);
+void ngx_quic_set_lost_timer(ngx_connection_t *c);
+void ngx_quic_pto_handler(ngx_event_t *ev);
+ngx_msec_t ngx_quic_pto(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx);
+
+ngx_int_t ngx_quic_ack_packet(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
+ngx_int_t ngx_quic_generate_ack(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx);
+
+#endif /* _NGX_EVENT_QUIC_ACK_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_bpf.c b/src/event/quic/ngx_event_quic_bpf.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_bpf.c
@@ -0,0 +1,657 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+#define NGX_QUIC_BPF_VARNAME  "NGINX_BPF_MAPS"
+#define NGX_QUIC_BPF_VARSEP    ';'
+#define NGX_QUIC_BPF_ADDRSEP   '#'
+
+
+#define ngx_quic_bpf_get_conf(cycle)                                          \
+    (ngx_quic_bpf_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_quic_bpf_module)
+
+#define ngx_quic_bpf_get_old_conf(cycle)                                      \
+    cycle->old_cycle->conf_ctx ? ngx_quic_bpf_get_conf(cycle->old_cycle)      \
+                               : NULL
+
+#define ngx_core_get_conf(cycle)                                              \
+    (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module)
+
+
+typedef struct {
+    ngx_queue_t           queue;
+    int                   map_fd;
+
+    struct sockaddr      *sockaddr;
+    socklen_t             socklen;
+    ngx_uint_t            unused;     /* unsigned  unused:1; */
+} ngx_quic_sock_group_t;
+
+
+typedef struct {
+    ngx_flag_t            enabled;
+    ngx_uint_t            map_size;
+    ngx_queue_t           groups;     /* of ngx_quic_sock_group_t */
+} ngx_quic_bpf_conf_t;
+
+
+static void *ngx_quic_bpf_create_conf(ngx_cycle_t *cycle);
+static ngx_int_t ngx_quic_bpf_module_init(ngx_cycle_t *cycle);
+
+static void ngx_quic_bpf_cleanup(void *data);
+static ngx_inline void ngx_quic_bpf_close(ngx_log_t *log, int fd,
+    const char *name);
+
+static ngx_quic_sock_group_t *ngx_quic_bpf_find_group(ngx_quic_bpf_conf_t *bcf,
+    ngx_listening_t *ls);
+static ngx_quic_sock_group_t *ngx_quic_bpf_alloc_group(ngx_cycle_t *cycle,
+    struct sockaddr *sa, socklen_t socklen);
+static ngx_quic_sock_group_t *ngx_quic_bpf_create_group(ngx_cycle_t *cycle,
+    ngx_listening_t *ls);
+static ngx_quic_sock_group_t *ngx_quic_bpf_get_group(ngx_cycle_t *cycle,
+    ngx_listening_t *ls);
+static ngx_int_t ngx_quic_bpf_group_add_socket(ngx_cycle_t *cycle,
+    ngx_listening_t *ls);
+static uint64_t ngx_quic_bpf_socket_key(ngx_fd_t fd, ngx_log_t *log);
+
+static ngx_int_t ngx_quic_bpf_export_maps(ngx_cycle_t *cycle);
+static ngx_int_t ngx_quic_bpf_import_maps(ngx_cycle_t *cycle);
+
+extern ngx_bpf_program_t  ngx_quic_reuseport_helper;
+
+
+static ngx_command_t  ngx_quic_bpf_commands[] = {
+
+    { ngx_string("quic_bpf"),
+      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      0,
+      offsetof(ngx_quic_bpf_conf_t, enabled),
+      NULL },
+
+      ngx_null_command
+};
+
+
+static ngx_core_module_t  ngx_quic_bpf_module_ctx = {
+    ngx_string("quic_bpf"),
+    ngx_quic_bpf_create_conf,
+    NULL
+};
+
+
+ngx_module_t  ngx_quic_bpf_module = {
+    NGX_MODULE_V1,
+    &ngx_quic_bpf_module_ctx,              /* module context */
+    ngx_quic_bpf_commands,                 /* module directives */
+    NGX_CORE_MODULE,                       /* module type */
+    NULL,                                  /* init master */
+    ngx_quic_bpf_module_init,              /* init module */
+    NULL,                                  /* init process */
+    NULL,                                  /* init thread */
+    NULL,                                  /* exit thread */
+    NULL,                                  /* exit process */
+    NULL,                                  /* exit master */
+    NGX_MODULE_V1_PADDING
+};
+
+
+static void *
+ngx_quic_bpf_create_conf(ngx_cycle_t *cycle)
+{
+    ngx_quic_bpf_conf_t  *bcf;
+
+    bcf = ngx_pcalloc(cycle->pool, sizeof(ngx_quic_bpf_conf_t));
+    if (bcf == NULL) {
+        return NULL;
+    }
+
+    bcf->enabled = NGX_CONF_UNSET;
+    bcf->map_size = NGX_CONF_UNSET_UINT;
+
+    ngx_queue_init(&bcf->groups);
+
+    return bcf;
+}
+
+
+static ngx_int_t
+ngx_quic_bpf_module_init(ngx_cycle_t *cycle)
+{
+    ngx_uint_t            i;
+    ngx_listening_t      *ls;
+    ngx_core_conf_t      *ccf;
+    ngx_pool_cleanup_t   *cln;
+    ngx_quic_bpf_conf_t  *bcf;
+
+    if (ngx_test_config) {
+        /*
+         * during config test, SO_REUSEPORT socket option is
+         * not set, thus making further processing meaningless
+         */
+        return NGX_OK;
+    }
+
+    ccf = ngx_core_get_conf(cycle);
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    ngx_conf_init_value(bcf->enabled, 0);
+
+    bcf->map_size = ccf->worker_processes * 4;
+
+    cln = ngx_pool_cleanup_add(cycle->pool, 0);
+    if (cln == NULL) {
+        goto failed;
+    }
+
+    cln->data = bcf;
+    cln->handler = ngx_quic_bpf_cleanup;
+
+    if (ngx_inherited && ngx_is_init_cycle(cycle->old_cycle)) {
+        if (ngx_quic_bpf_import_maps(cycle) != NGX_OK) {
+            goto failed;
+        }
+    }
+
+    ls = cycle->listening.elts;
+
+    for (i = 0; i < cycle->listening.nelts; i++) {
+        if (ls[i].quic && ls[i].reuseport) {
+            if (ngx_quic_bpf_group_add_socket(cycle, &ls[i]) != NGX_OK) {
+                goto failed;
+            }
+        }
+    }
+
+    if (ngx_quic_bpf_export_maps(cycle) != NGX_OK) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    if (ngx_is_init_cycle(cycle->old_cycle)) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                      "ngx_quic_bpf_module failed to initialize, check limits");
+
+        /* refuse to start */
+        return NGX_ERROR;
+    }
+
+    /*
+     * returning error now will lead to master process exiting immediately
+     * leaving worker processes orphaned, what is really unexpected.
+     * Instead, just issue a not about failed initialization and try
+     * to cleanup a bit. Still program can be already loaded to kernel
+     * for some reuseport groups, and there is no way to revert, so
+     * behaviour may be inconsistent.
+     */
+
+    ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                  "ngx_quic_bpf_module failed to initialize properly, ignored."
+                  "please check limits and note that nginx state now "
+                  "can be inconsistent and restart may be required");
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_bpf_cleanup(void *data)
+{
+    ngx_quic_bpf_conf_t  *bcf = (ngx_quic_bpf_conf_t *) data;
+
+    ngx_queue_t            *q;
+    ngx_quic_sock_group_t  *grp;
+
+    for (q = ngx_queue_head(&bcf->groups);
+         q != ngx_queue_sentinel(&bcf->groups);
+         q = ngx_queue_next(q))
+    {
+        grp = ngx_queue_data(q, ngx_quic_sock_group_t, queue);
+
+        ngx_quic_bpf_close(ngx_cycle->log, grp->map_fd, "map");
+    }
+}
+
+
+static ngx_inline void
+ngx_quic_bpf_close(ngx_log_t *log, int fd, const char *name)
+{
+    if (close(fd) != -1) {
+        return;
+    }
+
+    ngx_log_error(NGX_LOG_EMERG, log, ngx_errno,
+                  "quic bpf close %s fd:%d failed", name, fd);
+}
+
+
+static ngx_quic_sock_group_t *
+ngx_quic_bpf_find_group(ngx_quic_bpf_conf_t *bcf, ngx_listening_t *ls)
+{
+    ngx_queue_t            *q;
+    ngx_quic_sock_group_t  *grp;
+
+    for (q = ngx_queue_head(&bcf->groups);
+         q != ngx_queue_sentinel(&bcf->groups);
+         q = ngx_queue_next(q))
+    {
+        grp = ngx_queue_data(q, ngx_quic_sock_group_t, queue);
+
+        if (ngx_cmp_sockaddr(ls->sockaddr, ls->socklen,
+                             grp->sockaddr, grp->socklen, 1)
+            == NGX_OK)
+        {
+            return grp;
+        }
+    }
+
+    return NULL;
+}
+
+
+static ngx_quic_sock_group_t *
+ngx_quic_bpf_alloc_group(ngx_cycle_t *cycle, struct sockaddr *sa,
+    socklen_t socklen)
+{
+    ngx_quic_bpf_conf_t    *bcf;
+    ngx_quic_sock_group_t  *grp;
+
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    grp = ngx_pcalloc(cycle->pool, sizeof(ngx_quic_sock_group_t));
+    if (grp == NULL) {
+        return NULL;
+    }
+
+    grp->socklen = socklen;
+    grp->sockaddr = ngx_palloc(cycle->pool, socklen);
+    if (grp->sockaddr == NULL) {
+        return NULL;
+    }
+    ngx_memcpy(grp->sockaddr, sa, socklen);
+
+    ngx_queue_insert_tail(&bcf->groups, &grp->queue);
+
+    return grp;
+}
+
+
+static ngx_quic_sock_group_t *
+ngx_quic_bpf_create_group(ngx_cycle_t *cycle, ngx_listening_t *ls)
+{
+    int                     progfd, failed, flags, rc;
+    ngx_quic_bpf_conf_t    *bcf;
+    ngx_quic_sock_group_t  *grp;
+
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    if (!bcf->enabled) {
+        return NULL;
+    }
+
+    grp = ngx_quic_bpf_alloc_group(cycle, ls->sockaddr, ls->socklen);
+    if (grp == NULL) {
+        return NULL;
+    }
+
+    grp->map_fd = ngx_bpf_map_create(cycle->log, BPF_MAP_TYPE_SOCKHASH,
+                                     sizeof(uint64_t), sizeof(uint64_t),
+                                     bcf->map_size, 0);
+    if (grp->map_fd == -1) {
+        goto failed;
+    }
+
+    flags = fcntl(grp->map_fd, F_GETFD);
+    if (flags == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, errno,
+                      "quic bpf getfd failed");
+        goto failed;
+    }
+
+    /* need to inherit map during binary upgrade after exec */
+    flags &= ~FD_CLOEXEC;
+
+    rc = fcntl(grp->map_fd, F_SETFD, flags);
+    if (rc == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, errno,
+                      "quic bpf setfd failed");
+        goto failed;
+    }
+
+    ngx_bpf_program_link(&ngx_quic_reuseport_helper,
+                         "ngx_quic_sockmap", grp->map_fd);
+
+    progfd = ngx_bpf_load_program(cycle->log, &ngx_quic_reuseport_helper);
+    if (progfd < 0) {
+        goto failed;
+    }
+
+    failed = 0;
+
+    if (setsockopt(ls->fd, SOL_SOCKET, SO_ATTACH_REUSEPORT_EBPF,
+                   &progfd, sizeof(int))
+        == -1)
+    {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno,
+                      "quic bpf setsockopt(SO_ATTACH_REUSEPORT_EBPF) failed");
+        failed = 1;
+    }
+
+    ngx_quic_bpf_close(cycle->log, progfd, "program");
+
+    if (failed) {
+        goto failed;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+                   "quic bpf sockmap created fd:%d", grp->map_fd);
+    return grp;
+
+failed:
+
+    if (grp->map_fd != -1) {
+        ngx_quic_bpf_close(cycle->log, grp->map_fd, "map");
+    }
+
+    ngx_queue_remove(&grp->queue);
+
+    return NULL;
+}
+
+
+static ngx_quic_sock_group_t *
+ngx_quic_bpf_get_group(ngx_cycle_t *cycle, ngx_listening_t *ls)
+{
+    ngx_quic_bpf_conf_t    *bcf, *old_bcf;
+    ngx_quic_sock_group_t  *grp, *ogrp;
+
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    grp = ngx_quic_bpf_find_group(bcf, ls);
+    if (grp) {
+        return grp;
+    }
+
+    old_bcf = ngx_quic_bpf_get_old_conf(cycle);
+
+    if (old_bcf == NULL) {
+        return ngx_quic_bpf_create_group(cycle, ls);
+    }
+
+    ogrp = ngx_quic_bpf_find_group(old_bcf, ls);
+    if (ogrp == NULL) {
+        return ngx_quic_bpf_create_group(cycle, ls);
+    }
+
+    grp = ngx_quic_bpf_alloc_group(cycle, ls->sockaddr, ls->socklen);
+    if (grp == NULL) {
+        return NULL;
+    }
+
+    grp->map_fd = dup(ogrp->map_fd);
+    if (grp->map_fd == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                      "quic bpf failed to duplicate bpf map descriptor");
+
+        ngx_queue_remove(&grp->queue);
+
+        return NULL;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+                   "quic bpf sockmap fd duplicated old:%d new:%d",
+                   ogrp->map_fd, grp->map_fd);
+
+    return grp;
+}
+
+
+static ngx_int_t
+ngx_quic_bpf_group_add_socket(ngx_cycle_t *cycle,  ngx_listening_t *ls)
+{
+    uint64_t                cookie;
+    ngx_quic_bpf_conf_t    *bcf;
+    ngx_quic_sock_group_t  *grp;
+
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    grp = ngx_quic_bpf_get_group(cycle, ls);
+
+    if (grp == NULL) {
+        if (!bcf->enabled) {
+            return NGX_OK;
+        }
+
+        return NGX_ERROR;
+    }
+
+    grp->unused = 0;
+
+    cookie = ngx_quic_bpf_socket_key(ls->fd, cycle->log);
+    if (cookie == (uint64_t) NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    /* map[cookie] = socket; for use in kernel helper */
+    if (ngx_bpf_map_update(grp->map_fd, &cookie, &ls->fd, BPF_ANY) == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                      "quic bpf failed to update socket map key=%xL", cookie);
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+                 "quic bpf sockmap fd:%d add socket:%d cookie:0x%xL worker:%ui",
+                 grp->map_fd, ls->fd, cookie, ls->worker);
+
+    /* do not inherit this socket */
+    ls->ignore = 1;
+
+    return NGX_OK;
+}
+
+
+static uint64_t
+ngx_quic_bpf_socket_key(ngx_fd_t fd, ngx_log_t *log)
+{
+    uint64_t   cookie;
+    socklen_t  optlen;
+
+    optlen = sizeof(cookie);
+
+    if (getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &optlen) == -1) {
+        ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
+                      "quic bpf getsockopt(SO_COOKIE) failed");
+
+        return (ngx_uint_t) NGX_ERROR;
+    }
+
+    return cookie;
+}
+
+
+static ngx_int_t
+ngx_quic_bpf_export_maps(ngx_cycle_t *cycle)
+{
+    u_char                 *p, *buf;
+    size_t                  len;
+    ngx_str_t              *var;
+    ngx_queue_t            *q;
+    ngx_core_conf_t        *ccf;
+    ngx_quic_bpf_conf_t    *bcf;
+    ngx_quic_sock_group_t  *grp;
+
+    ccf = ngx_core_get_conf(cycle);
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+    len = sizeof(NGX_QUIC_BPF_VARNAME) + 1;
+
+    q = ngx_queue_head(&bcf->groups);
+
+    while (q != ngx_queue_sentinel(&bcf->groups)) {
+
+        grp = ngx_queue_data(q, ngx_quic_sock_group_t, queue);
+
+        q = ngx_queue_next(q);
+
+        if (grp->unused) {
+            /*
+             * map was inherited, but it is not used in this configuration;
+             * do not pass such map further and drop the group to prevent
+             * interference with changes during reload
+             */
+
+            ngx_quic_bpf_close(cycle->log, grp->map_fd, "map");
+            ngx_queue_remove(&grp->queue);
+
+            continue;
+        }
+
+        len += NGX_INT32_LEN + 1 + NGX_SOCKADDR_STRLEN + 1;
+    }
+
+    len++;
+
+    buf = ngx_palloc(cycle->pool, len);
+    if (buf == NULL) {
+        return NGX_ERROR;
+    }
+
+    p = ngx_cpymem(buf, NGX_QUIC_BPF_VARNAME "=",
+                   sizeof(NGX_QUIC_BPF_VARNAME));
+
+    for (q = ngx_queue_head(&bcf->groups);
+         q != ngx_queue_sentinel(&bcf->groups);
+         q = ngx_queue_next(q))
+    {
+        grp = ngx_queue_data(q, ngx_quic_sock_group_t, queue);
+
+        p = ngx_sprintf(p, "%ud", grp->map_fd);
+
+        *p++ = NGX_QUIC_BPF_ADDRSEP;
+
+        p += ngx_sock_ntop(grp->sockaddr, grp->socklen, p,
+                           NGX_SOCKADDR_STRLEN, 1);
+
+        *p++ = NGX_QUIC_BPF_VARSEP;
+    }
+
+    *p = '\0';
+
+    var = ngx_array_push(&ccf->env);
+    if (var == NULL) {
+        return NGX_ERROR;
+    }
+
+    var->data = buf;
+    var->len = sizeof(NGX_QUIC_BPF_VARNAME) - 1;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_bpf_import_maps(ngx_cycle_t *cycle)
+{
+    int                     s;
+    u_char                 *inherited, *p, *v;
+    ngx_uint_t              in_fd;
+    ngx_addr_t              tmp;
+    ngx_quic_bpf_conf_t    *bcf;
+    ngx_quic_sock_group_t  *grp;
+
+    inherited = (u_char *) getenv(NGX_QUIC_BPF_VARNAME);
+
+    if (inherited == NULL) {
+        return NGX_OK;
+    }
+
+    bcf = ngx_quic_bpf_get_conf(cycle);
+
+#if (NGX_SUPPRESS_WARN)
+    s = -1;
+#endif
+
+    in_fd = 1;
+
+    for (p = inherited, v = p; *p; p++) {
+
+        switch (*p) {
+
+        case NGX_QUIC_BPF_ADDRSEP:
+
+            if (!in_fd) {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                              "quic bpf failed to parse inherited env");
+                return NGX_ERROR;
+            }
+            in_fd = 0;
+
+            s = ngx_atoi(v, p - v);
+            if (s == NGX_ERROR) {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                              "quic bpf failed to parse inherited map fd");
+                return NGX_ERROR;
+            }
+
+            v = p + 1;
+            break;
+
+        case NGX_QUIC_BPF_VARSEP:
+
+            if (in_fd) {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                              "quic bpf failed to parse inherited env");
+                return NGX_ERROR;
+            }
+            in_fd = 1;
+
+            grp = ngx_pcalloc(cycle->pool,
+                              sizeof(ngx_quic_sock_group_t));
+            if (grp == NULL) {
+                return NGX_ERROR;
+            }
+
+            grp->map_fd = s;
+
+            if (ngx_parse_addr_port(cycle->pool, &tmp, v, p - v)
+                != NGX_OK)
+            {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+                              "quic bpf failed to parse inherited"
+                              " address '%*s'", p - v , v);
+
+                ngx_quic_bpf_close(cycle->log, s, "inherited map");
+
+                return NGX_ERROR;
+            }
+
+            grp->sockaddr = tmp.sockaddr;
+            grp->socklen = tmp.socklen;
+
+            grp->unused = 1;
+
+            ngx_queue_insert_tail(&bcf->groups, &grp->queue);
+
+            ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+                           "quic bpf sockmap inherited with "
+                           "fd:%d address:%*s",
+                           grp->map_fd, p - v, v);
+            v = p + 1;
+            break;
+
+        default:
+            break;
+        }
+    }
+
+    return NGX_OK;
+}
diff --git a/src/event/quic/ngx_event_quic_bpf_code.c b/src/event/quic/ngx_event_quic_bpf_code.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_bpf_code.c
@@ -0,0 +1,88 @@
+/* AUTO-GENERATED, DO NOT EDIT. */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "ngx_bpf.h"
+
+
+static ngx_bpf_reloc_t bpf_reloc_prog_ngx_quic_reuseport_helper[] = {
+    { "ngx_quic_sockmap", 55 },
+};
+
+static struct bpf_insn bpf_insn_prog_ngx_quic_reuseport_helper[] = {
+    /* opcode dst          src         offset imm */
+    { 0x79,   BPF_REG_4,   BPF_REG_1, (int16_t)      0,        0x0 },
+    { 0x79,   BPF_REG_3,   BPF_REG_1, (int16_t)      8,        0x0 },
+    { 0xbf,   BPF_REG_2,   BPF_REG_4, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_2,   BPF_REG_0, (int16_t)      0,        0x8 },
+    { 0x2d,   BPF_REG_2,   BPF_REG_3, (int16_t)     54,        0x0 },
+    { 0xbf,   BPF_REG_5,   BPF_REG_4, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_5,   BPF_REG_0, (int16_t)      0,        0x9 },
+    { 0x2d,   BPF_REG_5,   BPF_REG_3, (int16_t)     51,        0x0 },
+    { 0xb7,   BPF_REG_5,   BPF_REG_0, (int16_t)      0,       0x14 },
+    { 0xb7,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,        0x9 },
+    { 0x71,   BPF_REG_6,   BPF_REG_2, (int16_t)      0,        0x0 },
+    { 0x67,   BPF_REG_6,   BPF_REG_0, (int16_t)      0,       0x38 },
+    { 0xc7,   BPF_REG_6,   BPF_REG_0, (int16_t)      0,       0x38 },
+    { 0x65,   BPF_REG_6,   BPF_REG_0, (int16_t)     10, 0xffffffff },
+    { 0xbf,   BPF_REG_2,   BPF_REG_4, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_2,   BPF_REG_0, (int16_t)      0,        0xd },
+    { 0x2d,   BPF_REG_2,   BPF_REG_3, (int16_t)     42,        0x0 },
+    { 0xbf,   BPF_REG_5,   BPF_REG_4, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_5,   BPF_REG_0, (int16_t)      0,        0xe },
+    { 0x2d,   BPF_REG_5,   BPF_REG_3, (int16_t)     39,        0x0 },
+    { 0xb7,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,        0xe },
+    { 0x71,   BPF_REG_5,   BPF_REG_2, (int16_t)      0,        0x0 },
+    { 0xb7,   BPF_REG_6,   BPF_REG_0, (int16_t)      0,        0x8 },
+    { 0x2d,   BPF_REG_6,   BPF_REG_5, (int16_t)     35,        0x0 },
+    {  0xf,   BPF_REG_5,   BPF_REG_0, (int16_t)      0,        0x0 },
+    {  0xf,   BPF_REG_4,   BPF_REG_5, (int16_t)      0,        0x0 },
+    { 0x2d,   BPF_REG_4,   BPF_REG_3, (int16_t)     32,        0x0 },
+    { 0xbf,   BPF_REG_4,   BPF_REG_2, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,        0x9 },
+    { 0x2d,   BPF_REG_4,   BPF_REG_3, (int16_t)     29,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      1,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,       0x38 },
+    { 0x71,   BPF_REG_3,   BPF_REG_2, (int16_t)      2,        0x0 },
+    { 0x67,   BPF_REG_3,   BPF_REG_0, (int16_t)      0,       0x30 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      3,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,       0x28 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      4,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,       0x20 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      5,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,       0x18 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      6,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,       0x10 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_4,   BPF_REG_2, (int16_t)      7,        0x0 },
+    { 0x67,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,        0x8 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_4, (int16_t)      0,        0x0 },
+    { 0x71,   BPF_REG_2,   BPF_REG_2, (int16_t)      8,        0x0 },
+    { 0x4f,   BPF_REG_3,   BPF_REG_2, (int16_t)      0,        0x0 },
+    { 0x7b,  BPF_REG_10,   BPF_REG_3, (int16_t)  65528,        0x0 },
+    { 0xbf,   BPF_REG_3,  BPF_REG_10, (int16_t)      0,        0x0 },
+    {  0x7,   BPF_REG_3,   BPF_REG_0, (int16_t)      0, 0xfffffff8 },
+    { 0x18,   BPF_REG_2,   BPF_REG_0, (int16_t)      0,        0x0 },
+    {  0x0,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,        0x0 },
+    { 0xb7,   BPF_REG_4,   BPF_REG_0, (int16_t)      0,        0x0 },
+    { 0x85,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,       0x52 },
+    { 0xb7,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,        0x1 },
+    { 0x95,   BPF_REG_0,   BPF_REG_0, (int16_t)      0,        0x0 },
+};
+
+
+ngx_bpf_program_t ngx_quic_reuseport_helper = {
+    .relocs = bpf_reloc_prog_ngx_quic_reuseport_helper,
+    .nrelocs = sizeof(bpf_reloc_prog_ngx_quic_reuseport_helper)
+               / sizeof(bpf_reloc_prog_ngx_quic_reuseport_helper[0]),
+    .ins = bpf_insn_prog_ngx_quic_reuseport_helper,
+    .nins = sizeof(bpf_insn_prog_ngx_quic_reuseport_helper)
+            / sizeof(bpf_insn_prog_ngx_quic_reuseport_helper[0]),
+    .license = "BSD",
+    .type = BPF_PROG_TYPE_SK_REUSEPORT,
+};
diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_connection.h
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_CONNECTION_H_INCLUDED_
+#define _NGX_EVENT_QUIC_CONNECTION_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+
+
+/* #define NGX_QUIC_DEBUG_PACKETS */  /* dump packet contents */
+/* #define NGX_QUIC_DEBUG_FRAMES */   /* dump frames contents */
+/* #define NGX_QUIC_DEBUG_ALLOC */    /* log frames and bufs alloc */
+/* #define NGX_QUIC_DEBUG_CRYPTO */
+
+typedef struct ngx_quic_connection_s  ngx_quic_connection_t;
+typedef struct ngx_quic_server_id_s   ngx_quic_server_id_t;
+typedef struct ngx_quic_client_id_s   ngx_quic_client_id_t;
+typedef struct ngx_quic_send_ctx_s    ngx_quic_send_ctx_t;
+typedef struct ngx_quic_socket_s      ngx_quic_socket_t;
+typedef struct ngx_quic_path_s        ngx_quic_path_t;
+typedef struct ngx_quic_keys_s        ngx_quic_keys_t;
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+#include <ngx_event_quic_openssl_compat.h>
+#endif
+#include <ngx_event_quic_transport.h>
+#include <ngx_event_quic_protection.h>
+#include <ngx_event_quic_frames.h>
+#include <ngx_event_quic_migration.h>
+#include <ngx_event_quic_connid.h>
+#include <ngx_event_quic_streams.h>
+#include <ngx_event_quic_ssl.h>
+#include <ngx_event_quic_tokens.h>
+#include <ngx_event_quic_ack.h>
+#include <ngx_event_quic_output.h>
+#include <ngx_event_quic_socket.h>
+
+
+/* RFC 9002, 6.2.2.  Handshakes and New Paths: kInitialRtt */
+#define NGX_QUIC_INITIAL_RTT                 333 /* ms */
+
+#define NGX_QUIC_UNSET_PN                    (uint64_t) -1
+
+#define NGX_QUIC_SEND_CTX_LAST               (NGX_QUIC_ENCRYPTION_LAST - 1)
+
+/*  0-RTT and 1-RTT data exist in the same packet number space,
+ *  so we have 3 packet number spaces:
+ *
+ *  0 - Initial
+ *  1 - Handshake
+ *  2 - 0-RTT and 1-RTT
+ */
+#define ngx_quic_get_send_ctx(qc, level)                                      \
+    ((level) == ssl_encryption_initial) ? &((qc)->send_ctx[0])                \
+        : (((level) == ssl_encryption_handshake) ? &((qc)->send_ctx[1])       \
+                                                 : &((qc)->send_ctx[2]))
+
+#define ngx_quic_get_connection(c)                                            \
+    (((c)->udp) ? (((ngx_quic_socket_t *)((c)->udp))->quic) : NULL)
+
+#define ngx_quic_get_socket(c)               ((ngx_quic_socket_t *)((c)->udp))
+
+
+struct ngx_quic_client_id_s {
+    ngx_queue_t                       queue;
+    uint64_t                          seqnum;
+    size_t                            len;
+    u_char                            id[NGX_QUIC_CID_LEN_MAX];
+    u_char                            sr_token[NGX_QUIC_SR_TOKEN_LEN];
+    ngx_uint_t                        used;  /* unsigned  used:1; */
+};
+
+
+struct ngx_quic_server_id_s {
+    uint64_t                          seqnum;
+    size_t                            len;
+    u_char                            id[NGX_QUIC_CID_LEN_MAX];
+};
+
+
+struct ngx_quic_path_s {
+    ngx_queue_t                       queue;
+    struct sockaddr                  *sockaddr;
+    ngx_sockaddr_t                    sa;
+    socklen_t                         socklen;
+    ngx_quic_client_id_t             *cid;
+    ngx_msec_t                        expires;
+    ngx_uint_t                        tries;
+    ngx_uint_t                        tag;
+    off_t                             sent;
+    off_t                             received;
+    u_char                            challenge1[8];
+    u_char                            challenge2[8];
+    uint64_t                          seqnum;
+    ngx_str_t                         addr_text;
+    u_char                            text[NGX_SOCKADDR_STRLEN];
+    unsigned                          validated:1;
+    unsigned                          validating:1;
+    unsigned                          limited:1;
+};
+
+
+struct ngx_quic_socket_s {
+    ngx_udp_connection_t              udp;
+    ngx_quic_connection_t            *quic;
+    ngx_queue_t                       queue;
+    ngx_quic_server_id_t              sid;
+    ngx_sockaddr_t                    sockaddr;
+    socklen_t                         socklen;
+    ngx_uint_t                        used; /* unsigned  used:1; */
+};
+
+
+typedef struct {
+    ngx_rbtree_t                      tree;
+    ngx_rbtree_node_t                 sentinel;
+
+    ngx_queue_t                       uninitialized;
+    ngx_queue_t                       free;
+
+    uint64_t                          sent;
+    uint64_t                          recv_offset;
+    uint64_t                          recv_window;
+    uint64_t                          recv_last;
+    uint64_t                          recv_max_data;
+    uint64_t                          send_offset;
+    uint64_t                          send_max_data;
+
+    uint64_t                          server_max_streams_uni;
+    uint64_t                          server_max_streams_bidi;
+    uint64_t                          server_streams_uni;
+    uint64_t                          server_streams_bidi;
+
+    uint64_t                          client_max_streams_uni;
+    uint64_t                          client_max_streams_bidi;
+    uint64_t                          client_streams_uni;
+    uint64_t                          client_streams_bidi;
+
+    ngx_uint_t                        initialized;
+                                                 /* unsigned  initialized:1; */
+} ngx_quic_streams_t;
+
+
+typedef struct {
+    size_t                            in_flight;
+    size_t                            window;
+    size_t                            ssthresh;
+    ngx_msec_t                        recovery_start;
+} ngx_quic_congestion_t;
+
+
+/*
+ * RFC 9000, 12.3.  Packet Numbers
+ *
+ *  Conceptually, a packet number space is the context in which a packet
+ *  can be processed and acknowledged.  Initial packets can only be sent
+ *  with Initial packet protection keys and acknowledged in packets that
+ *  are also Initial packets.
+ */
+struct ngx_quic_send_ctx_s {
+    enum ssl_encryption_level_t       level;
+
+    ngx_quic_buffer_t                 crypto;
+    uint64_t                          crypto_sent;
+
+    uint64_t                          pnum;        /* to be sent */
+    uint64_t                          largest_ack; /* received from peer */
+    uint64_t                          largest_pn;  /* received from peer */
+
+    ngx_queue_t                       frames;      /* generated frames */
+    ngx_queue_t                       sending;     /* frames assigned to pkt */
+    ngx_queue_t                       sent;        /* frames waiting ACK */
+
+    uint64_t                          pending_ack; /* non sent ack-eliciting */
+    uint64_t                          largest_range;
+    uint64_t                          first_range;
+    ngx_msec_t                        largest_received;
+    ngx_msec_t                        ack_delay_start;
+    ngx_uint_t                        nranges;
+    ngx_quic_ack_range_t              ranges[NGX_QUIC_MAX_RANGES];
+    ngx_uint_t                        send_ack;
+};
+
+
+struct ngx_quic_connection_s {
+    uint32_t                          version;
+
+    ngx_quic_path_t                  *path;
+
+    ngx_queue_t                       sockets;
+    ngx_queue_t                       paths;
+    ngx_queue_t                       client_ids;
+    ngx_queue_t                       free_sockets;
+    ngx_queue_t                       free_paths;
+    ngx_queue_t                       free_client_ids;
+
+    ngx_uint_t                        nsockets;
+    ngx_uint_t                        nclient_ids;
+    uint64_t                          max_retired_seqnum;
+    uint64_t                          client_seqnum;
+    uint64_t                          server_seqnum;
+    uint64_t                          path_seqnum;
+
+    ngx_quic_tp_t                     tp;
+    ngx_quic_tp_t                     ctp;
+
+    ngx_quic_send_ctx_t               send_ctx[NGX_QUIC_SEND_CTX_LAST];
+
+    ngx_quic_keys_t                  *keys;
+
+    ngx_quic_conf_t                  *conf;
+
+    ngx_event_t                       push;
+    ngx_event_t                       pto;
+    ngx_event_t                       close;
+    ngx_event_t                       path_validation;
+    ngx_msec_t                        last_cc;
+
+    ngx_msec_t                        first_rtt;
+    ngx_msec_t                        latest_rtt;
+    ngx_msec_t                        avg_rtt;
+    ngx_msec_t                        min_rtt;
+    ngx_msec_t                        rttvar;
+
+    ngx_uint_t                        pto_count;
+
+    ngx_queue_t                       free_frames;
+    ngx_buf_t                        *free_bufs;
+    ngx_buf_t                        *free_shadow_bufs;
+
+    ngx_uint_t                        nframes;
+#ifdef NGX_QUIC_DEBUG_ALLOC
+    ngx_uint_t                        nbufs;
+    ngx_uint_t                        nshadowbufs;
+#endif
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+    ngx_quic_compat_t                *compat;
+#endif
+
+    ngx_quic_streams_t                streams;
+    ngx_quic_congestion_t             congestion;
+
+    off_t                             received;
+
+    ngx_uint_t                        error;
+    enum ssl_encryption_level_t       error_level;
+    ngx_uint_t                        error_ftype;
+    const char                       *error_reason;
+
+    ngx_uint_t                        shutdown_code;
+    const char                       *shutdown_reason;
+
+    unsigned                          error_app:1;
+    unsigned                          send_timer_set:1;
+    unsigned                          closing:1;
+    unsigned                          shutdown:1;
+    unsigned                          draining:1;
+    unsigned                          key_phase:1;
+    unsigned                          validated:1;
+    unsigned                          client_tp_done:1;
+};
+
+
+ngx_int_t ngx_quic_apply_transport_params(ngx_connection_t *c,
+    ngx_quic_tp_t *ctp);
+void ngx_quic_discard_ctx(ngx_connection_t *c,
+    enum ssl_encryption_level_t level);
+void ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc);
+void ngx_quic_shutdown_quic(ngx_connection_t *c);
+
+#if (NGX_DEBUG)
+void ngx_quic_connstate_dbg(ngx_connection_t *c);
+#else
+#define ngx_quic_connstate_dbg(c)
+#endif
+
+#endif /* _NGX_EVENT_QUIC_CONNECTION_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_connid.c b/src/event/quic/ngx_event_quic_connid.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_connid.c
@@ -0,0 +1,502 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+#define NGX_QUIC_MAX_SERVER_IDS   8
+
+
+#if (NGX_QUIC_BPF)
+static ngx_int_t ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id);
+#endif
+static ngx_int_t ngx_quic_retire_client_id(ngx_connection_t *c,
+    ngx_quic_client_id_t *cid);
+static ngx_quic_client_id_t *ngx_quic_alloc_client_id(ngx_connection_t *c,
+    ngx_quic_connection_t *qc);
+static ngx_int_t ngx_quic_send_server_id(ngx_connection_t *c,
+    ngx_quic_server_id_t *sid);
+
+
+ngx_int_t
+ngx_quic_create_server_id(ngx_connection_t *c, u_char *id)
+{
+    if (RAND_bytes(id, NGX_QUIC_SERVER_CID_LEN) != 1) {
+        return NGX_ERROR;
+    }
+
+#if (NGX_QUIC_BPF)
+    if (ngx_quic_bpf_attach_id(c, id) != NGX_OK) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                      "quic bpf failed to generate socket key");
+        /* ignore error, things still may work */
+    }
+#endif
+
+    return NGX_OK;
+}
+
+
+#if (NGX_QUIC_BPF)
+
+static ngx_int_t
+ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id)
+{
+    int        fd;
+    uint64_t   cookie;
+    socklen_t  optlen;
+
+    fd = c->listening->fd;
+
+    optlen = sizeof(cookie);
+
+    if (getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &optlen) == -1) {
+        ngx_log_error(NGX_LOG_ERR, c->log, ngx_socket_errno,
+                      "quic getsockopt(SO_COOKIE) failed");
+
+        return NGX_ERROR;
+    }
+
+    ngx_quic_dcid_encode_key(id, cookie);
+
+    return NGX_OK;
+}
+
+#endif
+
+
+ngx_int_t
+ngx_quic_handle_new_connection_id_frame(ngx_connection_t *c,
+    ngx_quic_new_conn_id_frame_t *f)
+{
+    ngx_str_t               id;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_client_id_t   *cid, *item;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (f->seqnum < qc->max_retired_seqnum) {
+        /*
+         * RFC 9000, 19.15.  NEW_CONNECTION_ID Frame
+         *
+         *  An endpoint that receives a NEW_CONNECTION_ID frame with
+         *  a sequence number smaller than the Retire Prior To field
+         *  of a previously received NEW_CONNECTION_ID frame MUST send
+         *  a corresponding RETIRE_CONNECTION_ID frame that retires
+         *  the newly received connection ID, unless it has already
+         *  done so for that sequence number.
+         */
+
+        frame = ngx_quic_alloc_frame(c);
+        if (frame == NULL) {
+            return NGX_ERROR;
+        }
+
+        frame->level = ssl_encryption_application;
+        frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
+        frame->u.retire_cid.sequence_number = f->seqnum;
+
+        ngx_quic_queue_frame(qc, frame);
+
+        goto retire;
+    }
+
+    cid = NULL;
+
+    for (q = ngx_queue_head(&qc->client_ids);
+         q != ngx_queue_sentinel(&qc->client_ids);
+         q = ngx_queue_next(q))
+    {
+        item = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+
+        if (item->seqnum == f->seqnum) {
+            cid = item;
+            break;
+        }
+    }
+
+    if (cid) {
+        /*
+         * Transmission errors, timeouts, and retransmissions might cause the
+         * same NEW_CONNECTION_ID frame to be received multiple times.
+         */
+
+        if (cid->len != f->len
+            || ngx_strncmp(cid->id, f->cid, f->len) != 0
+            || ngx_strncmp(cid->sr_token, f->srt, NGX_QUIC_SR_TOKEN_LEN) != 0)
+        {
+            /*
+             * ..if a sequence number is used for different connection IDs,
+             * the endpoint MAY treat that receipt as a connection error
+             * of type PROTOCOL_VIOLATION.
+             */
+            qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+            qc->error_reason = "seqnum refers to different connection id/token";
+            return NGX_ERROR;
+        }
+
+    } else {
+
+        id.data = f->cid;
+        id.len = f->len;
+
+        if (ngx_quic_create_client_id(c, &id, f->seqnum, f->srt) == NULL) {
+            return NGX_ERROR;
+        }
+    }
+
+retire:
+
+    if (qc->max_retired_seqnum && f->retire <= qc->max_retired_seqnum) {
+        /*
+         * Once a sender indicates a Retire Prior To value, smaller values sent
+         * in subsequent NEW_CONNECTION_ID frames have no effect.  A receiver
+         * MUST ignore any Retire Prior To fields that do not increase the
+         * largest received Retire Prior To value.
+         */
+        goto done;
+    }
+
+    qc->max_retired_seqnum = f->retire;
+
+    q = ngx_queue_head(&qc->client_ids);
+
+    while (q != ngx_queue_sentinel(&qc->client_ids)) {
+
+        cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+        q = ngx_queue_next(q);
+
+        if (cid->seqnum >= f->retire) {
+            continue;
+        }
+
+        if (ngx_quic_retire_client_id(c, cid) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+done:
+
+    if (qc->nclient_ids > qc->tp.active_connection_id_limit) {
+        /*
+         * RFC 9000, 5.1.1.  Issuing Connection IDs
+         *
+         * After processing a NEW_CONNECTION_ID frame and
+         * adding and retiring active connection IDs, if the number of active
+         * connection IDs exceeds the value advertised in its
+         * active_connection_id_limit transport parameter, an endpoint MUST
+         * close the connection with an error of type CONNECTION_ID_LIMIT_ERROR.
+         */
+        qc->error = NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
+        qc->error_reason = "too many connection ids received";
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_retire_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
+{
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path;
+    ngx_quic_client_id_t   *new_cid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!cid->used) {
+        return ngx_quic_free_client_id(c, cid);
+    }
+
+    /* we are going to retire client id which is in use */
+
+    q = ngx_queue_head(&qc->paths);
+
+    while (q != ngx_queue_sentinel(&qc->paths)) {
+
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+        q = ngx_queue_next(q);
+
+        if (path->cid != cid) {
+            continue;
+        }
+
+        if (path == qc->path) {
+            /* this is the active path: update it with new CID */
+            new_cid = ngx_quic_next_client_id(c);
+            if (new_cid == NULL) {
+                return NGX_ERROR;
+            }
+
+            qc->path->cid = new_cid;
+            new_cid->used = 1;
+
+            return ngx_quic_free_client_id(c, cid);
+        }
+
+        return ngx_quic_free_path(c, path);
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_quic_client_id_t *
+ngx_quic_alloc_client_id(ngx_connection_t *c, ngx_quic_connection_t *qc)
+{
+    ngx_queue_t           *q;
+    ngx_quic_client_id_t  *cid;
+
+    if (!ngx_queue_empty(&qc->free_client_ids)) {
+
+        q = ngx_queue_head(&qc->free_client_ids);
+        cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+
+        ngx_queue_remove(&cid->queue);
+
+        ngx_memzero(cid, sizeof(ngx_quic_client_id_t));
+
+    } else {
+
+        cid = ngx_pcalloc(c->pool, sizeof(ngx_quic_client_id_t));
+        if (cid == NULL) {
+            return NULL;
+        }
+    }
+
+    return cid;
+}
+
+
+ngx_quic_client_id_t *
+ngx_quic_create_client_id(ngx_connection_t *c, ngx_str_t *id,
+    uint64_t seqnum, u_char *token)
+{
+    ngx_quic_client_id_t   *cid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    cid = ngx_quic_alloc_client_id(c, qc);
+    if (cid == NULL) {
+        return NULL;
+    }
+
+    cid->seqnum = seqnum;
+
+    cid->len = id->len;
+    ngx_memcpy(cid->id, id->data, id->len);
+
+    if (token) {
+        ngx_memcpy(cid->sr_token, token, NGX_QUIC_SR_TOKEN_LEN);
+    }
+
+    ngx_queue_insert_tail(&qc->client_ids, &cid->queue);
+    qc->nclient_ids++;
+
+    if (seqnum > qc->client_seqnum) {
+        qc->client_seqnum = seqnum;
+    }
+
+    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic cid seq:%uL received id:%uz:%xV:%*xs",
+                    cid->seqnum, id->len, id,
+                    (size_t) NGX_QUIC_SR_TOKEN_LEN, cid->sr_token);
+
+    return cid;
+}
+
+
+ngx_quic_client_id_t *
+ngx_quic_next_client_id(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    ngx_quic_client_id_t   *cid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    for (q = ngx_queue_head(&qc->client_ids);
+         q != ngx_queue_sentinel(&qc->client_ids);
+         q = ngx_queue_next(q))
+    {
+        cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
+
+        if (!cid->used) {
+            return cid;
+        }
+    }
+
+    return NULL;
+}
+
+
+ngx_int_t
+ngx_quic_handle_retire_connection_id_frame(ngx_connection_t *c,
+    ngx_quic_retire_cid_frame_t *f)
+{
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (f->sequence_number >= qc->server_seqnum) {
+        /*
+         * RFC 9000, 19.16.
+         *
+         *  Receipt of a RETIRE_CONNECTION_ID frame containing a sequence
+         *  number greater than any previously sent to the peer MUST be
+         *  treated as a connection error of type PROTOCOL_VIOLATION.
+         */
+        qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        qc->error_reason = "sequence number of id to retire was never issued";
+
+        return NGX_ERROR;
+    }
+
+    qsock = ngx_quic_get_socket(c);
+
+    if (qsock->sid.seqnum == f->sequence_number) {
+
+        /*
+         * RFC 9000, 19.16.
+         *
+         * The sequence number specified in a RETIRE_CONNECTION_ID frame MUST
+         * NOT refer to the Destination Connection ID field of the packet in
+         * which the frame is contained.  The peer MAY treat this as a
+         * connection error of type PROTOCOL_VIOLATION.
+         */
+
+        qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        qc->error_reason = "sequence number of id to retire refers DCID";
+
+        return NGX_ERROR;
+    }
+
+    qsock = ngx_quic_find_socket(c, f->sequence_number);
+    if (qsock == NULL) {
+        return NGX_OK;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic socket seq:%uL is retired", qsock->sid.seqnum);
+
+    ngx_quic_close_socket(c, qsock);
+
+    /* restore socket count up to a limit after deletion */
+    if (ngx_quic_create_sockets(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_create_sockets(ngx_connection_t *c)
+{
+    ngx_uint_t              n;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    n = ngx_min(NGX_QUIC_MAX_SERVER_IDS, qc->ctp.active_connection_id_limit);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic create sockets has:%ui max:%ui", qc->nsockets, n);
+
+    while (qc->nsockets < n) {
+
+        qsock = ngx_quic_create_socket(c, qc);
+        if (qsock == NULL) {
+            return NGX_ERROR;
+        }
+
+        if (ngx_quic_listen(c, qc, qsock) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        if (ngx_quic_send_server_id(c, &qsock->sid) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_send_server_id(ngx_connection_t *c, ngx_quic_server_id_t *sid)
+{
+    ngx_str_t               dcid;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    dcid.len = sid->len;
+    dcid.data = sid->id;
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_NEW_CONNECTION_ID;
+    frame->u.ncid.seqnum = sid->seqnum;
+    frame->u.ncid.retire = 0;
+    frame->u.ncid.len = NGX_QUIC_SERVER_CID_LEN;
+    ngx_memcpy(frame->u.ncid.cid, sid->id, NGX_QUIC_SERVER_CID_LEN);
+
+    if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key,
+                              frame->u.ncid.srt)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_free_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
+{
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
+    frame->u.retire_cid.sequence_number = cid->seqnum;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    /* we are no longer going to use this client id */
+
+    ngx_queue_remove(&cid->queue);
+    ngx_queue_insert_head(&qc->free_client_ids, &cid->queue);
+
+    qc->nclient_ids--;
+
+    return NGX_OK;
+}
diff --git a/src/event/quic/ngx_event_quic_connid.h b/src/event/quic/ngx_event_quic_connid.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_connid.h
@@ -0,0 +1,29 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_CONNID_H_INCLUDED_
+#define _NGX_EVENT_QUIC_CONNID_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+ngx_int_t ngx_quic_handle_retire_connection_id_frame(ngx_connection_t *c,
+    ngx_quic_retire_cid_frame_t *f);
+ngx_int_t ngx_quic_handle_new_connection_id_frame(ngx_connection_t *c,
+    ngx_quic_new_conn_id_frame_t *f);
+
+ngx_int_t ngx_quic_create_sockets(ngx_connection_t *c);
+ngx_int_t ngx_quic_create_server_id(ngx_connection_t *c, u_char *id);
+
+ngx_quic_client_id_t *ngx_quic_create_client_id(ngx_connection_t *c,
+    ngx_str_t *id, uint64_t seqnum, u_char *token);
+ngx_quic_client_id_t *ngx_quic_next_client_id(ngx_connection_t *c);
+ngx_int_t ngx_quic_free_client_id(ngx_connection_t *c,
+    ngx_quic_client_id_t *cid);
+
+#endif /* _NGX_EVENT_QUIC_CONNID_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -0,0 +1,894 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#define NGX_QUIC_BUFFER_SIZE  4096
+
+#define ngx_quic_buf_refs(b)         (b)->shadow->num
+#define ngx_quic_buf_inc_refs(b)     ngx_quic_buf_refs(b)++
+#define ngx_quic_buf_dec_refs(b)     ngx_quic_buf_refs(b)--
+#define ngx_quic_buf_set_refs(b, v)  ngx_quic_buf_refs(b) = v
+
+
+static ngx_buf_t *ngx_quic_alloc_buf(ngx_connection_t *c);
+static void ngx_quic_free_buf(ngx_connection_t *c, ngx_buf_t *b);
+static ngx_buf_t *ngx_quic_clone_buf(ngx_connection_t *c, ngx_buf_t *b);
+static ngx_int_t ngx_quic_split_chain(ngx_connection_t *c, ngx_chain_t *cl,
+    off_t offset);
+
+
+static ngx_buf_t *
+ngx_quic_alloc_buf(ngx_connection_t *c)
+{
+    u_char                 *p;
+    ngx_buf_t              *b;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    b = qc->free_bufs;
+
+    if (b) {
+        qc->free_bufs = b->shadow;
+        p = b->start;
+
+    } else {
+        b = qc->free_shadow_bufs;
+
+        if (b) {
+            qc->free_shadow_bufs = b->shadow;
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic use shadow buffer n:%ui %ui",
+                           ++qc->nbufs, --qc->nshadowbufs);
+#endif
+
+        } else {
+            b = ngx_palloc(c->pool, sizeof(ngx_buf_t));
+            if (b == NULL) {
+                return NULL;
+            }
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic new buffer n:%ui", ++qc->nbufs);
+#endif
+        }
+
+        p = ngx_pnalloc(c->pool, NGX_QUIC_BUFFER_SIZE);
+        if (p == NULL) {
+            return NULL;
+        }
+    }
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic alloc buffer %p", b);
+#endif
+
+    ngx_memzero(b, sizeof(ngx_buf_t));
+
+    b->tag = (ngx_buf_tag_t) &ngx_quic_alloc_buf;
+    b->temporary = 1;
+    b->shadow = b;
+
+    b->start = p;
+    b->pos = p;
+    b->last = p;
+    b->end = p + NGX_QUIC_BUFFER_SIZE;
+
+    ngx_quic_buf_set_refs(b, 1);
+
+    return b;
+}
+
+
+static void
+ngx_quic_free_buf(ngx_connection_t *c, ngx_buf_t *b)
+{
+    ngx_buf_t              *shadow;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_quic_buf_dec_refs(b);
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic free buffer %p r:%ui",
+                   b, (ngx_uint_t) ngx_quic_buf_refs(b));
+#endif
+
+    shadow = b->shadow;
+
+    if (ngx_quic_buf_refs(b) == 0) {
+        shadow->shadow = qc->free_bufs;
+        qc->free_bufs = shadow;
+    }
+
+    if (b != shadow) {
+        b->shadow = qc->free_shadow_bufs;
+        qc->free_shadow_bufs = b;
+    }
+
+}
+
+
+static ngx_buf_t *
+ngx_quic_clone_buf(ngx_connection_t *c, ngx_buf_t *b)
+{
+    ngx_buf_t              *nb;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    nb = qc->free_shadow_bufs;
+
+    if (nb) {
+        qc->free_shadow_bufs = nb->shadow;
+
+    } else {
+        nb = ngx_palloc(c->pool, sizeof(ngx_buf_t));
+        if (nb == NULL) {
+            return NULL;
+        }
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic new shadow buffer n:%ui", ++qc->nshadowbufs);
+#endif
+    }
+
+    *nb = *b;
+
+    ngx_quic_buf_inc_refs(b);
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic clone buffer %p %p r:%ui",
+                   b, nb, (ngx_uint_t) ngx_quic_buf_refs(b));
+#endif
+
+    return nb;
+}
+
+
+static ngx_int_t
+ngx_quic_split_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t offset)
+{
+    ngx_buf_t    *b, *tb;
+    ngx_chain_t  *tail;
+
+    b = cl->buf;
+
+    tail = ngx_alloc_chain_link(c->pool);
+    if (tail == NULL) {
+        return NGX_ERROR;
+    }
+
+    tb = ngx_quic_clone_buf(c, b);
+    if (tb == NULL) {
+        return NGX_ERROR;
+    }
+
+    tail->buf = tb;
+
+    tb->pos += offset;
+
+    b->last = tb->pos;
+    b->last_buf = 0;
+
+    tail->next = cl->next;
+    cl->next = tail;
+
+    return NGX_OK;
+}
+
+
+ngx_quic_frame_t *
+ngx_quic_alloc_frame(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_queue_empty(&qc->free_frames)) {
+
+        q = ngx_queue_head(&qc->free_frames);
+        frame = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        ngx_queue_remove(&frame->queue);
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic reuse frame n:%ui", qc->nframes);
+#endif
+
+    } else if (qc->nframes < 10000) {
+        frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
+        if (frame == NULL) {
+            return NULL;
+        }
+
+        ++qc->nframes;
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic alloc frame n:%ui", qc->nframes);
+#endif
+
+    } else {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+        return NULL;
+    }
+
+    ngx_memzero(frame, sizeof(ngx_quic_frame_t));
+
+    return frame;
+}
+
+
+void
+ngx_quic_free_frame(ngx_connection_t *c, ngx_quic_frame_t *frame)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (frame->data) {
+        ngx_quic_free_chain(c, frame->data);
+    }
+
+    ngx_queue_insert_head(&qc->free_frames, &frame->queue);
+
+#ifdef NGX_QUIC_DEBUG_ALLOC
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic free frame n:%ui", qc->nframes);
+#endif
+}
+
+
+void
+ngx_quic_free_chain(ngx_connection_t *c, ngx_chain_t *in)
+{
+    ngx_chain_t  *cl;
+
+    while (in) {
+        cl = in;
+        in = in->next;
+
+        ngx_quic_free_buf(c, cl->buf);
+        ngx_free_chain(c->pool, cl);
+    }
+}
+
+
+void
+ngx_quic_free_frames(ngx_connection_t *c, ngx_queue_t *frames)
+{
+    ngx_queue_t       *q;
+    ngx_quic_frame_t  *f;
+
+    do {
+        q = ngx_queue_head(frames);
+
+        if (q == ngx_queue_sentinel(frames)) {
+            break;
+        }
+
+        ngx_queue_remove(q);
+
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        ngx_quic_free_frame(c, f);
+    } while (1);
+}
+
+
+void
+ngx_quic_queue_frame(ngx_quic_connection_t *qc, ngx_quic_frame_t *frame)
+{
+    ngx_quic_send_ctx_t  *ctx;
+
+    ctx = ngx_quic_get_send_ctx(qc, frame->level);
+
+    ngx_queue_insert_tail(&ctx->frames, &frame->queue);
+
+    frame->len = ngx_quic_create_frame(NULL, frame);
+    /* always succeeds */
+
+    if (qc->closing) {
+        return;
+    }
+
+    ngx_post_event(&qc->push, &ngx_posted_events);
+}
+
+
+ngx_int_t
+ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len)
+{
+    size_t                     shrink;
+    ngx_chain_t               *out;
+    ngx_quic_frame_t          *nf;
+    ngx_quic_buffer_t          qb;
+    ngx_quic_ordered_frame_t  *of, *onf;
+
+    switch (f->type) {
+    case NGX_QUIC_FT_CRYPTO:
+    case NGX_QUIC_FT_STREAM:
+        break;
+
+    default:
+        return NGX_DECLINED;
+    }
+
+    if ((size_t) f->len <= len) {
+        return NGX_OK;
+    }
+
+    shrink = f->len - len;
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic split frame now:%uz need:%uz shrink:%uz",
+                   f->len, len, shrink);
+
+    of = &f->u.ord;
+
+    if (of->length <= shrink) {
+        return NGX_DECLINED;
+    }
+
+    of->length -= shrink;
+    f->len = ngx_quic_create_frame(NULL, f);
+
+    if ((size_t) f->len > len) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0, "could not split QUIC frame");
+        return NGX_ERROR;
+    }
+
+    ngx_memzero(&qb, sizeof(ngx_quic_buffer_t));
+    qb.chain = f->data;
+
+    out = ngx_quic_read_buffer(c, &qb, of->length);
+    if (out == NGX_CHAIN_ERROR) {
+        return NGX_ERROR;
+    }
+
+    f->data = out;
+
+    nf = ngx_quic_alloc_frame(c);
+    if (nf == NULL) {
+        return NGX_ERROR;
+    }
+
+    *nf = *f;
+    onf = &nf->u.ord;
+    onf->offset += of->length;
+    onf->length = shrink;
+    nf->len = ngx_quic_create_frame(NULL, nf);
+    nf->data = qb.chain;
+
+    if (f->type == NGX_QUIC_FT_STREAM) {
+        f->u.stream.fin = 0;
+    }
+
+    ngx_queue_insert_after(&f->queue, &nf->queue);
+
+    return NGX_OK;
+}
+
+
+ngx_chain_t *
+ngx_quic_copy_buffer(ngx_connection_t *c, u_char *data, size_t len)
+{
+    ngx_buf_t          buf;
+    ngx_chain_t        cl, *out;
+    ngx_quic_buffer_t  qb;
+
+    ngx_memzero(&buf, sizeof(ngx_buf_t));
+
+    buf.pos = data;
+    buf.last = buf.pos + len;
+    buf.temporary = 1;
+
+    cl.buf = &buf;
+    cl.next = NULL;
+
+    ngx_memzero(&qb, sizeof(ngx_quic_buffer_t));
+
+    if (ngx_quic_write_buffer(c, &qb, &cl, len, 0) == NGX_CHAIN_ERROR) {
+        return NGX_CHAIN_ERROR;
+    }
+
+    out = ngx_quic_read_buffer(c, &qb, len);
+    if (out == NGX_CHAIN_ERROR) {
+        return NGX_CHAIN_ERROR;
+    }
+
+    ngx_quic_free_buffer(c, &qb);
+
+    return out;
+}
+
+
+ngx_chain_t *
+ngx_quic_read_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb, uint64_t limit)
+{
+    uint64_t      n;
+    ngx_buf_t    *b;
+    ngx_chain_t  *out, **ll;
+
+    out = qb->chain;
+
+    for (ll = &out; *ll; ll = &(*ll)->next) {
+        b = (*ll)->buf;
+
+        if (b->sync) {
+            /* hole */
+            break;
+        }
+
+        if (limit == 0) {
+            break;
+        }
+
+        n = b->last - b->pos;
+
+        if (n > limit) {
+            if (ngx_quic_split_chain(c, *ll, limit) != NGX_OK) {
+                return NGX_CHAIN_ERROR;
+            }
+
+            n = limit;
+        }
+
+        limit -= n;
+        qb->offset += n;
+    }
+
+    if (qb->offset >= qb->last_offset) {
+        qb->last_chain = NULL;
+    }
+
+    qb->chain = *ll;
+    *ll = NULL;
+
+    return out;
+}
+
+
+void
+ngx_quic_skip_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb,
+    uint64_t offset)
+{
+    size_t        n;
+    ngx_buf_t    *b;
+    ngx_chain_t  *cl;
+
+    while (qb->chain) {
+        if (qb->offset >= offset) {
+            break;
+        }
+
+        cl = qb->chain;
+        b = cl->buf;
+        n = b->last - b->pos;
+
+        if (qb->offset + n > offset) {
+            n = offset - qb->offset;
+            b->pos += n;
+            qb->offset += n;
+            break;
+        }
+
+        qb->offset += n;
+        qb->chain = cl->next;
+
+        cl->next = NULL;
+        ngx_quic_free_chain(c, cl);
+    }
+
+    if (qb->chain == NULL) {
+        qb->offset = offset;
+    }
+
+    if (qb->offset >= qb->last_offset) {
+        qb->last_chain = NULL;
+    }
+}
+
+
+ngx_chain_t *
+ngx_quic_alloc_chain(ngx_connection_t *c)
+{
+    ngx_chain_t  *cl;
+
+    cl = ngx_alloc_chain_link(c->pool);
+    if (cl == NULL) {
+        return NULL;
+    }
+
+    cl->buf = ngx_quic_alloc_buf(c);
+    if (cl->buf == NULL) {
+        return NULL;
+    }
+
+    return cl;
+}
+
+
+ngx_chain_t *
+ngx_quic_write_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb,
+    ngx_chain_t *in, uint64_t limit, uint64_t offset)
+{
+    u_char       *p;
+    uint64_t      n, base;
+    ngx_buf_t    *b;
+    ngx_chain_t  *cl, **chain;
+
+    if (qb->last_chain && offset >= qb->last_offset) {
+        base = qb->last_offset;
+        chain = &qb->last_chain;
+
+    } else {
+        base = qb->offset;
+        chain = &qb->chain;
+    }
+
+    while (in && limit) {
+
+        if (offset < base) {
+            n = ngx_min((uint64_t) (in->buf->last - in->buf->pos),
+                        ngx_min(base - offset, limit));
+
+            in->buf->pos += n;
+            offset += n;
+            limit -= n;
+
+            if (in->buf->pos == in->buf->last) {
+                in = in->next;
+            }
+
+            continue;
+        }
+
+        cl = *chain;
+
+        if (cl == NULL) {
+            cl = ngx_quic_alloc_chain(c);
+            if (cl == NULL) {
+                return NGX_CHAIN_ERROR;
+            }
+
+            cl->buf->last = cl->buf->end;
+            cl->buf->sync = 1; /* hole */
+            cl->next = NULL;
+            *chain = cl;
+        }
+
+        b = cl->buf;
+        n = b->last - b->pos;
+
+        if (base + n <= offset) {
+            base += n;
+            chain = &cl->next;
+            continue;
+        }
+
+        if (b->sync && offset > base) {
+            if (ngx_quic_split_chain(c, cl, offset - base) != NGX_OK) {
+                return NGX_CHAIN_ERROR;
+            }
+
+            continue;
+        }
+
+        p = b->pos + (offset - base);
+
+        while (in) {
+
+            if (!ngx_buf_in_memory(in->buf) || in->buf->pos == in->buf->last) {
+                in = in->next;
+                continue;
+            }
+
+            if (p == b->last || limit == 0) {
+                break;
+            }
+
+            n = ngx_min(b->last - p, in->buf->last - in->buf->pos);
+            n = ngx_min(n, limit);
+
+            if (b->sync) {
+                ngx_memcpy(p, in->buf->pos, n);
+                qb->size += n;
+            }
+
+            p += n;
+            in->buf->pos += n;
+            offset += n;
+            limit -= n;
+        }
+
+        if (b->sync && p == b->last) {
+            b->sync = 0;
+            continue;
+        }
+
+        if (b->sync && p != b->pos) {
+            if (ngx_quic_split_chain(c, cl, p - b->pos) != NGX_OK) {
+                return NGX_CHAIN_ERROR;
+            }
+
+            b->sync = 0;
+        }
+    }
+
+    qb->last_offset = base;
+    qb->last_chain = *chain;
+
+    return in;
+}
+
+
+void
+ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb)
+{
+    ngx_quic_free_chain(c, qb->chain);
+
+    qb->chain = NULL;
+}
+
+
+#if (NGX_DEBUG)
+
+void
+ngx_quic_log_frame(ngx_log_t *log, ngx_quic_frame_t *f, ngx_uint_t tx)
+{
+    u_char      *p, *last, *pos, *end;
+    ssize_t      n;
+    uint64_t     gap, range, largest, smallest;
+    ngx_uint_t   i;
+    u_char       buf[NGX_MAX_ERROR_STR];
+
+    p = buf;
+    last = buf + sizeof(buf);
+
+    switch (f->type) {
+
+    case NGX_QUIC_FT_CRYPTO:
+        p = ngx_slprintf(p, last, "CRYPTO len:%uL off:%uL",
+                         f->u.crypto.length, f->u.crypto.offset);
+
+#ifdef NGX_QUIC_DEBUG_FRAMES
+        {
+            ngx_chain_t  *cl;
+
+            p = ngx_slprintf(p, last, " data:");
+
+            for (cl = f->data; cl; cl = cl->next) {
+                p = ngx_slprintf(p, last, "%*xs",
+                                 cl->buf->last - cl->buf->pos, cl->buf->pos);
+            }
+        }
+#endif
+
+        break;
+
+    case NGX_QUIC_FT_PADDING:
+        p = ngx_slprintf(p, last, "PADDING");
+        break;
+
+    case NGX_QUIC_FT_ACK:
+    case NGX_QUIC_FT_ACK_ECN:
+
+        p = ngx_slprintf(p, last, "ACK n:%ui delay:%uL ",
+                         f->u.ack.range_count, f->u.ack.delay);
+
+        if (f->data) {
+            pos = f->data->buf->pos;
+            end = f->data->buf->last;
+
+        } else {
+            pos = NULL;
+            end = NULL;
+        }
+
+        largest = f->u.ack.largest;
+        smallest = f->u.ack.largest - f->u.ack.first_range;
+
+        if (largest == smallest) {
+            p = ngx_slprintf(p, last, "%uL", largest);
+
+        } else {
+            p = ngx_slprintf(p, last, "%uL-%uL", largest, smallest);
+        }
+
+        for (i = 0; i < f->u.ack.range_count; i++) {
+            n = ngx_quic_parse_ack_range(log, pos, end, &gap, &range);
+            if (n == NGX_ERROR) {
+                break;
+            }
+
+            pos += n;
+
+            largest = smallest - gap - 2;
+            smallest = largest - range;
+
+            if (largest == smallest) {
+                p = ngx_slprintf(p, last, " %uL", largest);
+
+            } else {
+                p = ngx_slprintf(p, last, " %uL-%uL", largest, smallest);
+            }
+        }
+
+        if (f->type == NGX_QUIC_FT_ACK_ECN) {
+            p = ngx_slprintf(p, last, " ECN counters ect0:%uL ect1:%uL ce:%uL",
+                             f->u.ack.ect0, f->u.ack.ect1, f->u.ack.ce);
+        }
+        break;
+
+    case NGX_QUIC_FT_PING:
+        p = ngx_slprintf(p, last, "PING");
+        break;
+
+    case NGX_QUIC_FT_NEW_CONNECTION_ID:
+        p = ngx_slprintf(p, last,
+                         "NEW_CONNECTION_ID seq:%uL retire:%uL len:%ud",
+                         f->u.ncid.seqnum, f->u.ncid.retire, f->u.ncid.len);
+        break;
+
+    case NGX_QUIC_FT_RETIRE_CONNECTION_ID:
+        p = ngx_slprintf(p, last, "RETIRE_CONNECTION_ID seqnum:%uL",
+                         f->u.retire_cid.sequence_number);
+        break;
+
+    case NGX_QUIC_FT_CONNECTION_CLOSE:
+    case NGX_QUIC_FT_CONNECTION_CLOSE_APP:
+        p = ngx_slprintf(p, last, "CONNECTION_CLOSE%s err:%ui",
+                         f->type == NGX_QUIC_FT_CONNECTION_CLOSE ? "" : "_APP",
+                         f->u.close.error_code);
+
+        if (f->u.close.reason.len) {
+            p = ngx_slprintf(p, last, " %V", &f->u.close.reason);
+        }
+
+        if (f->type == NGX_QUIC_FT_CONNECTION_CLOSE) {
+            p = ngx_slprintf(p, last, " ft:%ui", f->u.close.frame_type);
+        }
+
+        break;
+
+    case NGX_QUIC_FT_STREAM:
+        p = ngx_slprintf(p, last, "STREAM id:0x%xL", f->u.stream.stream_id);
+
+        if (f->u.stream.off) {
+            p = ngx_slprintf(p, last, " off:%uL", f->u.stream.offset);
+        }
+
+        if (f->u.stream.len) {
+            p = ngx_slprintf(p, last, " len:%uL", f->u.stream.length);
+        }
+
+        if (f->u.stream.fin) {
+            p = ngx_slprintf(p, last, " fin:1");
+        }
+
+#ifdef NGX_QUIC_DEBUG_FRAMES
+        {
+            ngx_chain_t  *cl;
+
+            p = ngx_slprintf(p, last, " data:");
+
+            for (cl = f->data; cl; cl = cl->next) {
+                p = ngx_slprintf(p, last, "%*xs",
+                                 cl->buf->last - cl->buf->pos, cl->buf->pos);
+            }
+        }
+#endif
+
+        break;
+
+    case NGX_QUIC_FT_MAX_DATA:
+        p = ngx_slprintf(p, last, "MAX_DATA max_data:%uL on recv",
+                         f->u.max_data.max_data);
+        break;
+
+    case NGX_QUIC_FT_RESET_STREAM:
+        p = ngx_slprintf(p, last, "RESET_STREAM"
+                        " id:0x%xL error_code:0x%xL final_size:0x%xL",
+                        f->u.reset_stream.id, f->u.reset_stream.error_code,
+                        f->u.reset_stream.final_size);
+        break;
+
+    case NGX_QUIC_FT_STOP_SENDING:
+        p = ngx_slprintf(p, last, "STOP_SENDING id:0x%xL err:0x%xL",
+                         f->u.stop_sending.id, f->u.stop_sending.error_code);
+        break;
+
+    case NGX_QUIC_FT_STREAMS_BLOCKED:
+    case NGX_QUIC_FT_STREAMS_BLOCKED2:
+        p = ngx_slprintf(p, last, "STREAMS_BLOCKED limit:%uL bidi:%ui",
+                         f->u.streams_blocked.limit, f->u.streams_blocked.bidi);
+        break;
+
+    case NGX_QUIC_FT_MAX_STREAMS:
+    case NGX_QUIC_FT_MAX_STREAMS2:
+        p = ngx_slprintf(p, last, "MAX_STREAMS limit:%uL bidi:%ui",
+                         f->u.max_streams.limit, f->u.max_streams.bidi);
+        break;
+
+    case NGX_QUIC_FT_MAX_STREAM_DATA:
+        p = ngx_slprintf(p, last, "MAX_STREAM_DATA id:0x%xL limit:%uL",
+                         f->u.max_stream_data.id, f->u.max_stream_data.limit);
+        break;
+
+
+    case NGX_QUIC_FT_DATA_BLOCKED:
+        p = ngx_slprintf(p, last, "DATA_BLOCKED limit:%uL",
+                         f->u.data_blocked.limit);
+        break;
+
+    case NGX_QUIC_FT_STREAM_DATA_BLOCKED:
+        p = ngx_slprintf(p, last, "STREAM_DATA_BLOCKED id:0x%xL limit:%uL",
+                         f->u.stream_data_blocked.id,
+                         f->u.stream_data_blocked.limit);
+        break;
+
+    case NGX_QUIC_FT_PATH_CHALLENGE:
+        p = ngx_slprintf(p, last, "PATH_CHALLENGE data:0x%*xs",
+                         sizeof(f->u.path_challenge.data),
+                         f->u.path_challenge.data);
+        break;
+
+    case NGX_QUIC_FT_PATH_RESPONSE:
+        p = ngx_slprintf(p, last, "PATH_RESPONSE data:0x%*xs",
+                         sizeof(f->u.path_challenge.data),
+                         f->u.path_challenge.data);
+        break;
+
+    case NGX_QUIC_FT_NEW_TOKEN:
+        p = ngx_slprintf(p, last, "NEW_TOKEN");
+
+#ifdef NGX_QUIC_DEBUG_FRAMES
+        {
+            ngx_chain_t  *cl;
+
+            p = ngx_slprintf(p, last, " token:");
+
+            for (cl = f->data; cl; cl = cl->next) {
+                p = ngx_slprintf(p, last, "%*xs",
+                                 cl->buf->last - cl->buf->pos, cl->buf->pos);
+            }
+        }
+#endif
+
+        break;
+
+    case NGX_QUIC_FT_HANDSHAKE_DONE:
+        p = ngx_slprintf(p, last, "HANDSHAKE DONE");
+        break;
+
+    default:
+        p = ngx_slprintf(p, last, "unknown type 0x%xi", f->type);
+        break;
+    }
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, log, 0, "quic frame %s %s %*s",
+                   tx ? "tx" : "rx", ngx_quic_level_name(f->level),
+                   p - buf, buf);
+}
+
+#endif
diff --git a/src/event/quic/ngx_event_quic_frames.h b/src/event/quic/ngx_event_quic_frames.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_frames.h
@@ -0,0 +1,45 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_FRAMES_H_INCLUDED_
+#define _NGX_EVENT_QUIC_FRAMES_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+typedef ngx_int_t (*ngx_quic_frame_handler_pt)(ngx_connection_t *c,
+    ngx_quic_frame_t *frame, void *data);
+
+
+ngx_quic_frame_t *ngx_quic_alloc_frame(ngx_connection_t *c);
+void ngx_quic_free_frame(ngx_connection_t *c, ngx_quic_frame_t *frame);
+void ngx_quic_free_frames(ngx_connection_t *c, ngx_queue_t *frames);
+void ngx_quic_queue_frame(ngx_quic_connection_t *qc, ngx_quic_frame_t *frame);
+ngx_int_t ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f,
+    size_t len);
+
+ngx_chain_t *ngx_quic_alloc_chain(ngx_connection_t *c);
+void ngx_quic_free_chain(ngx_connection_t *c, ngx_chain_t *in);
+
+ngx_chain_t *ngx_quic_copy_buffer(ngx_connection_t *c, u_char *data,
+    size_t len);
+ngx_chain_t *ngx_quic_read_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb,
+    uint64_t limit);
+ngx_chain_t *ngx_quic_write_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb,
+    ngx_chain_t *in, uint64_t limit, uint64_t offset);
+void ngx_quic_skip_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb,
+    uint64_t offset);
+void ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb);
+
+#if (NGX_DEBUG)
+void ngx_quic_log_frame(ngx_log_t *log, ngx_quic_frame_t *f, ngx_uint_t tx);
+#else
+#define ngx_quic_log_frame(log, f, tx)
+#endif
+
+#endif /* _NGX_EVENT_QUIC_FRAMES_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -0,0 +1,711 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+static void ngx_quic_set_connection_path(ngx_connection_t *c,
+    ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_validate_path(ngx_connection_t *c,
+    ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_send_path_challenge(ngx_connection_t *c,
+    ngx_quic_path_t *path);
+static void ngx_quic_set_path_timer(ngx_connection_t *c);
+static ngx_quic_path_t *ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag);
+
+
+ngx_int_t
+ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f)
+{
+    ngx_quic_frame_t        frame, *fp;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+
+    frame.level = ssl_encryption_application;
+    frame.type = NGX_QUIC_FT_PATH_RESPONSE;
+    frame.u.path_response = *f;
+
+    /*
+     * RFC 9000, 8.2.2.  Path Validation Responses
+     *
+     * A PATH_RESPONSE frame MUST be sent on the network path where the
+     * PATH_CHALLENGE frame was received.
+     */
+
+    /*
+     * An endpoint MUST expand datagrams that contain a PATH_RESPONSE frame
+     * to at least the smallest allowed maximum datagram size of 1200 bytes.
+     */
+    if (ngx_quic_frame_sendto(c, &frame, 1200, pkt->path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (pkt->path == qc->path) {
+        /*
+         * RFC 9000, 9.3.3.  Off-Path Packet Forwarding
+         *
+         * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD
+         * send a non-probing packet in response.
+         */
+
+        fp = ngx_quic_alloc_frame(c);
+        if (fp == NULL) {
+            return NGX_ERROR;
+        }
+
+        fp->level = ssl_encryption_application;
+        fp->type = NGX_QUIC_FT_PING;
+
+        ngx_quic_queue_frame(qc, fp);
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_path_response_frame(ngx_connection_t *c,
+    ngx_quic_path_challenge_frame_t *f)
+{
+    ngx_uint_t              rst;
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path, *prev;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    /*
+     * RFC 9000, 8.2.3.  Successful Path Validation
+     *
+     * A PATH_RESPONSE frame received on any network path validates the path
+     * on which the PATH_CHALLENGE was sent.
+     */
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (!path->validating) {
+            continue;
+        }
+
+        if (ngx_memcmp(path->challenge1, f->data, sizeof(f->data)) == 0
+            || ngx_memcmp(path->challenge2, f->data, sizeof(f->data)) == 0)
+        {
+            goto valid;
+        }
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stale PATH_RESPONSE ignored");
+
+    return NGX_OK;
+
+valid:
+
+    /*
+     * RFC 9000, 9.4.  Loss Detection and Congestion Control
+     *
+     * On confirming a peer's ownership of its new address,
+     * an endpoint MUST immediately reset the congestion controller
+     * and round-trip time estimator for the new path to initial values
+     * unless the only change in the peer's address is its port number.
+     */
+
+    rst = 1;
+
+    prev = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
+
+    if (prev != NULL) {
+
+        if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen,
+                             path->sockaddr, path->socklen, 0)
+            == NGX_OK)
+        {
+            /* address did not change */
+            rst = 0;
+        }
+    }
+
+    if (rst) {
+        ngx_memzero(&qc->congestion, sizeof(ngx_quic_congestion_t));
+
+        qc->congestion.window = ngx_min(10 * qc->tp.max_udp_payload_size,
+                                   ngx_max(2 * qc->tp.max_udp_payload_size,
+                                           14720));
+        qc->congestion.ssthresh = (size_t) -1;
+        qc->congestion.recovery_start = ngx_current_msec;
+    }
+
+    /*
+     * RFC 9000, 9.3.  Responding to Connection Migration
+     *
+     *  After verifying a new client address, the server SHOULD
+     *  send new address validation tokens (Section 8) to the client.
+     */
+
+    if (ngx_quic_send_new_token(c, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                  "quic path seq:%uL addr:%V successfully validated",
+                  path->seqnum, &path->addr_text);
+
+    ngx_quic_path_dbg(c, "is validated", path);
+
+    path->validated = 1;
+    path->validating = 0;
+    path->limited = 0;
+
+    ngx_quic_set_path_timer(c);
+
+    return NGX_OK;
+}
+
+
+ngx_quic_path_t *
+ngx_quic_new_path(ngx_connection_t *c,
+    struct sockaddr *sockaddr, socklen_t socklen, ngx_quic_client_id_t *cid)
+{
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_queue_empty(&qc->free_paths)) {
+
+        q = ngx_queue_head(&qc->free_paths);
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        ngx_queue_remove(&path->queue);
+
+        ngx_memzero(path, sizeof(ngx_quic_path_t));
+
+    } else {
+
+        path = ngx_pcalloc(c->pool, sizeof(ngx_quic_path_t));
+        if (path == NULL) {
+            return NULL;
+        }
+    }
+
+    ngx_queue_insert_tail(&qc->paths, &path->queue);
+
+    path->cid = cid;
+    cid->used = 1;
+
+    path->limited = 1;
+
+    path->seqnum = qc->path_seqnum++;
+
+    path->sockaddr = &path->sa.sockaddr;
+    path->socklen = socklen;
+    ngx_memcpy(path->sockaddr, sockaddr, socklen);
+
+    path->addr_text.data = path->text;
+    path->addr_text.len = ngx_sock_ntop(sockaddr, socklen, path->text,
+                                        NGX_SOCKADDR_STRLEN, 1);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic path seq:%uL created addr:%V",
+                   path->seqnum, &path->addr_text);
+    return path;
+}
+
+
+static ngx_quic_path_t *
+ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag)
+{
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (path->tag == tag) {
+            return path;
+        }
+    }
+
+    return NULL;
+}
+
+
+ngx_int_t
+ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    off_t                   len;
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path, *probe;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_client_id_t   *cid;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    qsock = ngx_quic_get_socket(c);
+
+    len = pkt->raw->last - pkt->raw->start;
+
+    if (c->udp->buffer == NULL) {
+        /* first ever packet in connection, path already exists  */
+        path = qc->path;
+        goto update;
+    }
+
+    probe = NULL;
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (ngx_cmp_sockaddr(&qsock->sockaddr.sockaddr, qsock->socklen,
+                             path->sockaddr, path->socklen, 1)
+            == NGX_OK)
+        {
+            goto update;
+        }
+
+        if (path->tag == NGX_QUIC_PATH_PROBE) {
+            probe = path;
+        }
+    }
+
+    /* packet from new path, drop current probe, if any */
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    /*
+     * only accept highest-numbered packets to prevent connection id
+     * exhaustion by excessive probing packets from unknown paths
+     */
+    if (pkt->pn != ctx->largest_pn) {
+        return NGX_DONE;
+    }
+
+    if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    /* new path requires new client id */
+    cid = ngx_quic_next_client_id(c);
+    if (cid == NULL) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic no available client ids for new path");
+        /* stop processing of this datagram */
+        return NGX_DONE;
+    }
+
+    path = ngx_quic_new_path(c, &qsock->sockaddr.sockaddr, qsock->socklen, cid);
+    if (path == NULL) {
+        return NGX_ERROR;
+    }
+
+    path->tag = NGX_QUIC_PATH_PROBE;
+
+    /*
+     * client arrived using new path and previously seen DCID,
+     * this indicates NAT rebinding (or bad client)
+     */
+    if (qsock->used) {
+        pkt->rebound = 1;
+    }
+
+update:
+
+    qsock->used = 1;
+    pkt->path = path;
+
+    /* TODO: this may be too late in some cases;
+     *       for example, if error happens during decrypt(), we cannot
+     *       send CC, if error happens in 1st packet, due to amplification
+     *       limit, because path->received = 0
+     *
+     *       should we account garbage as received or only decrypting packets?
+     */
+    path->received += len;
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic packet len:%O via sock seq:%L path seq:%uL",
+                   len, (int64_t) qsock->sid.seqnum, path->seqnum);
+    ngx_quic_path_dbg(c, "status", path);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_free_path(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_queue_remove(&path->queue);
+    ngx_queue_insert_head(&qc->free_paths, &path->queue);
+
+    /*
+     * invalidate CID that is no longer usable for any other path;
+     * this also requests new CIDs from client
+     */
+    if (path->cid) {
+        if (ngx_quic_free_client_id(c, path->cid) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic path seq:%uL addr:%V retired",
+                   path->seqnum, &path->addr_text);
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_set_connection_path(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    ngx_memcpy(c->sockaddr, path->sockaddr, path->socklen);
+    c->socklen = path->socklen;
+
+    if (c->addr_text.data) {
+        c->addr_text.len = ngx_sock_ntop(c->sockaddr, c->socklen,
+                                         c->addr_text.data,
+                                         c->listening->addr_text_max_len, 0);
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic send path set to seq:%uL addr:%V",
+                   path->seqnum, &path->addr_text);
+}
+
+
+ngx_int_t
+ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    ngx_quic_path_t        *next, *bkp;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    /* got non-probing packet via non-active path */
+
+    qc = ngx_quic_get_connection(c);
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    /*
+     * RFC 9000, 9.3.  Responding to Connection Migration
+     *
+     * An endpoint only changes the address to which it sends packets in
+     * response to the highest-numbered non-probing packet.
+     */
+    if (pkt->pn != ctx->largest_pn) {
+        return NGX_OK;
+    }
+
+    next = pkt->path;
+
+    /*
+     * RFC 9000, 9.3.3:
+     *
+     * In response to an apparent migration, endpoints MUST validate the
+     * previously active path using a PATH_CHALLENGE frame.
+     */
+    if (pkt->rebound) {
+
+        /* NAT rebinding: client uses new path with old SID */
+        if (ngx_quic_validate_path(c, qc->path) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    if (qc->path->validated) {
+
+        if (next->tag != NGX_QUIC_PATH_BACKUP) {
+            /* can delete backup path, if any */
+            bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
+
+            if (bkp && ngx_quic_free_path(c, bkp) != NGX_OK) {
+                return NGX_ERROR;
+            }
+        }
+
+        qc->path->tag = NGX_QUIC_PATH_BACKUP;
+        ngx_quic_path_dbg(c, "is now backup", qc->path);
+
+    } else {
+        if (ngx_quic_free_path(c, qc->path) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    /* switch active path to migrated */
+    qc->path = next;
+    qc->path->tag = NGX_QUIC_PATH_ACTIVE;
+
+    ngx_quic_set_connection_path(c, next);
+
+    if (!next->validated && !next->validating) {
+        if (ngx_quic_validate_path(c, next) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                  "quic migrated to path seq:%uL addr:%V",
+                  qc->path->seqnum, &qc->path->addr_text);
+
+    ngx_quic_path_dbg(c, "is now active", qc->path);
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_validate_path(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    ngx_msec_t              pto;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic initiated validation of path seq:%uL", path->seqnum);
+
+    path->validating = 1;
+    path->tries = 0;
+
+    if (RAND_bytes(path->challenge1, 8) != 1) {
+        return NGX_ERROR;
+    }
+
+    if (RAND_bytes(path->challenge2, 8) != 1) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_quic_send_path_challenge(c, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+    pto = ngx_max(ngx_quic_pto(c, ctx), 1000);
+
+    path->expires = ngx_current_msec + pto;
+
+    ngx_quic_set_path_timer(c);
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_send_path_challenge(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    ngx_quic_frame_t  frame;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic path seq:%uL send path_challenge tries:%ui",
+                   path->seqnum, path->tries);
+
+    ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+
+    frame.level = ssl_encryption_application;
+    frame.type = NGX_QUIC_FT_PATH_CHALLENGE;
+
+    ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8);
+
+    /*
+     * RFC 9000, 8.2.1.  Initiating Path Validation
+     *
+     * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame
+     * to at least the smallest allowed maximum datagram size of 1200 bytes,
+     * unless the anti-amplification limit for the path does not permit
+     * sending a datagram of this size.
+     */
+
+     /* same applies to PATH_RESPONSE frames */
+    if (ngx_quic_frame_sendto(c, &frame, 1200, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(frame.u.path_challenge.data, path->challenge2, 8);
+
+    if (ngx_quic_frame_sendto(c, &frame, 1200, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_set_path_timer(ngx_connection_t *c)
+{
+    ngx_msec_t              now;
+    ngx_queue_t            *q;
+    ngx_msec_int_t          left, next;
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    now = ngx_current_msec;
+    next = -1;
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (!path->validating) {
+            continue;
+        }
+
+        left = path->expires - now;
+        left = ngx_max(left, 1);
+
+        if (next == -1 || left < next) {
+            next = left;
+        }
+    }
+
+    if (next != -1) {
+        ngx_add_timer(&qc->path_validation, next);
+
+    } else if (qc->path_validation.timer_set) {
+        ngx_del_timer(&qc->path_validation);
+    }
+}
+
+
+void
+ngx_quic_path_validation_handler(ngx_event_t *ev)
+{
+    ngx_msec_t              now;
+    ngx_queue_t            *q;
+    ngx_msec_int_t          left, next, pto;
+    ngx_quic_path_t        *path, *bkp;
+    ngx_connection_t       *c;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    c = ev->data;
+    qc = ngx_quic_get_connection(c);
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+
+    next = -1;
+    now = ngx_current_msec;
+
+    q = ngx_queue_head(&qc->paths);
+
+    while (q != ngx_queue_sentinel(&qc->paths)) {
+
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+        q = ngx_queue_next(q);
+
+        if (!path->validating) {
+            continue;
+        }
+
+        left = path->expires - now;
+
+        if (left > 0) {
+
+            if (next == -1 || left < next) {
+                next = left;
+            }
+
+            continue;
+        }
+
+        if (++path->tries < NGX_QUIC_PATH_RETRIES) {
+            pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries;
+
+            path->expires = ngx_current_msec + pto;
+
+            if (next == -1 || pto < next) {
+                next = pto;
+            }
+
+            /* retransmit */
+            (void) ngx_quic_send_path_challenge(c, path);
+
+            continue;
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ev->log, 0,
+                       "quic path seq:%uL validation failed", path->seqnum);
+
+        /* found expired path */
+
+        path->validated = 0;
+        path->validating = 0;
+        path->limited = 1;
+
+
+        /* RFC 9000, 9.3.2.  On-Path Address Spoofing
+         *
+         * To protect the connection from failing due to such a spurious
+         * migration, an endpoint MUST revert to using the last validated
+         * peer address when validation of a new peer address fails.
+         */
+
+        if (qc->path == path) {
+            /* active path validation failed */
+
+            bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
+
+            if (bkp == NULL) {
+                qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH;
+                qc->error_reason = "no viable path";
+                ngx_quic_close_connection(c, NGX_ERROR);
+                return;
+            }
+
+            qc->path = bkp;
+            qc->path->tag = NGX_QUIC_PATH_ACTIVE;
+
+            ngx_quic_set_connection_path(c, qc->path);
+
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic path seq:%uL addr:%V is restored from backup",
+                          qc->path->seqnum, &qc->path->addr_text);
+
+            ngx_quic_path_dbg(c, "is active", qc->path);
+        }
+
+        if (ngx_quic_free_path(c, path) != NGX_OK) {
+            ngx_quic_close_connection(c, NGX_ERROR);
+            return;
+        }
+    }
+
+    if (next != -1) {
+        ngx_add_timer(&qc->path_validation, next);
+    }
+}
diff --git a/src/event/quic/ngx_event_quic_migration.h b/src/event/quic/ngx_event_quic_migration.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_migration.h
@@ -0,0 +1,42 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_
+#define _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+#define NGX_QUIC_PATH_RETRIES   3
+
+#define NGX_QUIC_PATH_PROBE     0
+#define NGX_QUIC_PATH_ACTIVE    1
+#define NGX_QUIC_PATH_BACKUP    2
+
+#define ngx_quic_path_dbg(c, msg, path)                                       \
+    ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0,                            \
+                   "quic path seq:%uL %s sent:%O recvd:%O state:%s%s%s",      \
+                   path->seqnum, msg, path->sent, path->received,             \
+                   path->limited ? "L" : "", path->validated ? "V": "N",      \
+                   path->validating ? "R": "");
+
+ngx_int_t ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f);
+ngx_int_t ngx_quic_handle_path_response_frame(ngx_connection_t *c,
+    ngx_quic_path_challenge_frame_t *f);
+
+ngx_quic_path_t *ngx_quic_new_path(ngx_connection_t *c,
+    struct sockaddr *sockaddr, socklen_t socklen, ngx_quic_client_id_t *cid);
+ngx_int_t ngx_quic_free_path(ngx_connection_t *c, ngx_quic_path_t *path);
+
+ngx_int_t ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt);
+ngx_int_t ngx_quic_handle_migration(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
+
+void ngx_quic_path_validation_handler(ngx_event_t *ev);
+
+#endif /* _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c b/src/event/quic/ngx_event_quic_openssl_compat.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -0,0 +1,646 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+
+#define NGX_QUIC_COMPAT_RECORD_SIZE          1024
+
+#define NGX_QUIC_COMPAT_SSL_TP_EXT           0x39
+
+#define NGX_QUIC_COMPAT_CLIENT_HANDSHAKE     "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
+#define NGX_QUIC_COMPAT_SERVER_HANDSHAKE     "SERVER_HANDSHAKE_TRAFFIC_SECRET"
+#define NGX_QUIC_COMPAT_CLIENT_APPLICATION   "CLIENT_TRAFFIC_SECRET_0"
+#define NGX_QUIC_COMPAT_SERVER_APPLICATION   "SERVER_TRAFFIC_SECRET_0"
+
+
+typedef struct {
+    ngx_quic_secret_t             secret;
+    ngx_uint_t                    cipher;
+} ngx_quic_compat_keys_t;
+
+
+typedef struct {
+    ngx_log_t                    *log;
+
+    u_char                        type;
+    ngx_str_t                     payload;
+    uint64_t                      number;
+    ngx_quic_compat_keys_t       *keys;
+
+    enum ssl_encryption_level_t   level;
+} ngx_quic_compat_record_t;
+
+
+struct ngx_quic_compat_s {
+    const SSL_QUIC_METHOD        *method;
+
+    enum ssl_encryption_level_t   write_level;
+    enum ssl_encryption_level_t   read_level;
+
+    uint64_t                      read_record;
+    ngx_quic_compat_keys_t        keys;
+
+    ngx_str_t                     tp;
+    ngx_str_t                     ctp;
+};
+
+
+static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line);
+static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
+    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
+    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
+static int ngx_quic_compat_add_transport_params_callback(SSL *ssl,
+    unsigned int ext_type, unsigned int context, const unsigned char **out,
+    size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg);
+static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl,
+    unsigned int ext_type, unsigned int context, const unsigned char *in,
+    size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg);
+static void ngx_quic_compat_message_callback(int write_p, int version,
+    int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
+static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec,
+    u_char *out, ngx_uint_t plain);
+static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec,
+    ngx_str_t *res);
+
+
+ngx_int_t
+ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx)
+{
+    SSL_CTX_set_keylog_callback(ctx, ngx_quic_compat_keylog_callback);
+
+    if (SSL_CTX_has_client_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT)) {
+        return NGX_OK;
+    }
+
+    if (SSL_CTX_add_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT,
+                               SSL_EXT_CLIENT_HELLO
+                               |SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+                               ngx_quic_compat_add_transport_params_callback,
+                               NULL,
+                               NULL,
+                               ngx_quic_compat_parse_transport_params_callback,
+                               NULL)
+        == 0)
+    {
+        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                      "SSL_CTX_add_custom_ext() failed");
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line)
+{
+    u_char                        ch, *p, *start, value;
+    size_t                        n;
+    ngx_uint_t                    write;
+    const SSL_CIPHER             *cipher;
+    ngx_quic_compat_t            *com;
+    ngx_connection_t             *c;
+    ngx_quic_connection_t        *qc;
+    enum ssl_encryption_level_t   level;
+    u_char                        secret[EVP_MAX_MD_SIZE];
+
+    c = ngx_ssl_get_connection(ssl);
+    if (c->type != SOCK_DGRAM) {
+        return;
+    }
+
+    p = (u_char *) line;
+
+    for (start = p; *p && *p != ' '; p++);
+
+    n = p - start;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic compat secret %*s", n, start);
+
+    if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_HANDSHAKE) - 1
+        && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_HANDSHAKE, n) == 0)
+    {
+        level = ssl_encryption_handshake;
+        write = 0;
+
+    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_HANDSHAKE) - 1
+               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_HANDSHAKE, n) == 0)
+    {
+        level = ssl_encryption_handshake;
+        write = 1;
+
+    } else if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_APPLICATION) - 1
+               && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_APPLICATION, n)
+                  == 0)
+    {
+        level = ssl_encryption_application;
+        write = 0;
+
+    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_APPLICATION) - 1
+               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_APPLICATION, n)
+                   == 0)
+    {
+        level = ssl_encryption_application;
+        write = 1;
+
+    } else {
+        return;
+    }
+
+    if (*p++ == '\0') {
+        return;
+    }
+
+    for ( /* void */ ; *p && *p != ' '; p++);
+
+    if (*p++ == '\0') {
+        return;
+    }
+
+    for (n = 0, start = p; *p; p++) {
+        ch = *p;
+
+        if (ch >= '0' && ch <= '9') {
+            value = ch - '0';
+            goto next;
+        }
+
+        ch = (u_char) (ch | 0x20);
+
+        if (ch >= 'a' && ch <= 'f') {
+            value = ch - 'a' + 10;
+            goto next;
+        }
+
+        ngx_log_error(NGX_LOG_EMERG, c->log, 0,
+                      "invalid OpenSSL QUIC secret format");
+
+        return;
+
+    next:
+
+        if ((p - start) % 2) {
+            secret[n++] += value;
+
+        } else {
+            if (n >= EVP_MAX_MD_SIZE) {
+                ngx_log_error(NGX_LOG_EMERG, c->log, 0,
+                              "too big OpenSSL QUIC secret");
+                return;
+            }
+
+            secret[n] = (value << 4);
+        }
+    }
+
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+    cipher = SSL_get_current_cipher(ssl);
+
+    if (write) {
+        com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n);
+        com->write_level = level;
+
+    } else {
+        com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
+        com->read_level = level;
+        com->read_record = 0;
+
+        (void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
+                                                     cipher, secret, n);
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
+    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
+    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
+{
+    ngx_int_t            key_len;
+    ngx_str_t            secret_str;
+    ngx_uint_t           i;
+    ngx_quic_hkdf_t      seq[2];
+    ngx_quic_secret_t   *peer_secret;
+    ngx_quic_ciphers_t   ciphers;
+
+    peer_secret = &keys->secret;
+
+    keys->cipher = SSL_CIPHER_get_id(cipher);
+
+    key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+
+    if (key_len == NGX_ERROR) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
+        return NGX_ERROR;
+    }
+
+    if (sizeof(peer_secret->secret.data) < secret_len) {
+        ngx_log_error(NGX_LOG_ALERT, log, 0,
+                      "unexpected secret len: %uz", secret_len);
+        return NGX_ERROR;
+    }
+
+    peer_secret->secret.len = secret_len;
+    ngx_memcpy(peer_secret->secret.data, secret, secret_len);
+
+    peer_secret->key.len = key_len;
+    peer_secret->iv.len = NGX_QUIC_IV_LEN;
+
+    secret_str.len = secret_len;
+    secret_str.data = (u_char *) secret;
+
+    ngx_quic_hkdf_set(&seq[0], "tls13 key", &peer_secret->key, &secret_str);
+    ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str);
+
+    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static int
+ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type,
+    unsigned int context, const unsigned char **out, size_t *outlen, X509 *x,
+    size_t chainidx, int *al, void *add_arg)
+{
+    ngx_connection_t       *c;
+    ngx_quic_compat_t      *com;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    if (c->type != SOCK_DGRAM) {
+        return 0;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic compat add transport params");
+
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+
+    *out = com->tp.data;
+    *outlen = com->tp.len;
+
+    return 1;
+}
+
+
+static int
+ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type,
+    unsigned int context, const unsigned char *in, size_t inlen, X509 *x,
+    size_t chainidx, int *al, void *parse_arg)
+{
+    u_char                 *p;
+    ngx_connection_t       *c;
+    ngx_quic_compat_t      *com;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    if (c->type != SOCK_DGRAM) {
+        return 0;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic compat parse transport params");
+
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+
+    p = ngx_pnalloc(c->pool, inlen);
+    if (p == NULL) {
+        return 0;
+    }
+
+    ngx_memcpy(p, in, inlen);
+
+    com->ctp.data = p;
+    com->ctp.len = inlen;
+
+    return 1;
+}
+
+
+int
+SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
+{
+    BIO                    *rbio, *wbio;
+    ngx_connection_t       *c;
+    ngx_quic_compat_t      *com;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat set method");
+
+    qc = ngx_quic_get_connection(c);
+
+    qc->compat = ngx_pcalloc(c->pool, sizeof(ngx_quic_compat_t));
+    if (qc->compat == NULL) {
+        return 0;
+    }
+
+    com = qc->compat;
+    com->method = quic_method;
+
+    rbio = BIO_new(BIO_s_mem());
+    if (rbio == NULL) {
+        return 0;
+    }
+
+    wbio = BIO_new(BIO_s_null());
+    if (wbio == NULL) {
+        return 0;
+    }
+
+    SSL_set_bio(ssl, rbio, wbio);
+
+    SSL_set_msg_callback(ssl, ngx_quic_compat_message_callback);
+
+    /* early data is not supported */
+    SSL_set_max_early_data(ssl, 0);
+
+    return 1;
+}
+
+
+static void
+ngx_quic_compat_message_callback(int write_p, int version, int content_type,
+    const void *buf, size_t len, SSL *ssl, void *arg)
+{
+    ngx_uint_t                    alert;
+    ngx_connection_t             *c;
+    ngx_quic_compat_t            *com;
+    ngx_quic_connection_t        *qc;
+    enum ssl_encryption_level_t   level;
+
+    if (!write_p) {
+        return;
+    }
+
+    c = ngx_ssl_get_connection(ssl);
+    qc = ngx_quic_get_connection(c);
+
+    if (qc == NULL) {
+        /* closing */
+        return;
+    }
+
+    com = qc->compat;
+    level = com->write_level;
+
+    switch (content_type) {
+
+    case SSL3_RT_HANDSHAKE:
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic compat tx %s len:%uz ",
+                       ngx_quic_level_name(level), len);
+
+        (void) com->method->add_handshake_data(ssl, level, buf, len);
+
+        break;
+
+    case SSL3_RT_ALERT:
+        if (len >= 2) {
+            alert = ((u_char *) buf)[1];
+
+            ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic compat %s alert:%ui len:%uz ",
+                           ngx_quic_level_name(level), alert, len);
+
+            (void) com->method->send_alert(ssl, level, alert);
+        }
+
+        break;
+    }
+}
+
+
+int
+SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
+    const uint8_t *data, size_t len)
+{
+    BIO                       *rbio;
+    size_t                     n;
+    u_char                    *p;
+    ngx_str_t                  res;
+    ngx_connection_t          *c;
+    ngx_quic_compat_t         *com;
+    ngx_quic_connection_t     *qc;
+    ngx_quic_compat_record_t   rec;
+    u_char                     in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];
+    u_char                     out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
+                                   + SSL3_RT_HEADER_LENGTH
+                                   + EVP_GCM_TLS_TAG_LEN];
+
+    c = ngx_ssl_get_connection(ssl);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz",
+                   ngx_quic_level_name(level), len);
+
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+    rbio = SSL_get_rbio(ssl);
+
+    while (len) {
+        ngx_memzero(&rec, sizeof(ngx_quic_compat_record_t));
+
+        rec.type = SSL3_RT_HANDSHAKE;
+        rec.log = c->log;
+        rec.number = com->read_record++;
+        rec.keys = &com->keys;
+
+        if (level == ssl_encryption_initial) {
+            n = ngx_min(len, 65535);
+
+            rec.payload.len = n;
+            rec.payload.data = (u_char *) data;
+
+            ngx_quic_compat_create_header(&rec, out, 1);
+
+            BIO_write(rbio, out, SSL3_RT_HEADER_LENGTH);
+            BIO_write(rbio, data, n);
+
+#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
+            ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic compat record len:%uz %*xs%*xs",
+                           n + SSL3_RT_HEADER_LENGTH,
+                           (size_t) SSL3_RT_HEADER_LENGTH, out, n, data);
+#endif
+
+        } else {
+            n = ngx_min(len, NGX_QUIC_COMPAT_RECORD_SIZE);
+
+            p = ngx_cpymem(in, data, n);
+            *p++ = SSL3_RT_HANDSHAKE;
+
+            rec.payload.len = p - in;
+            rec.payload.data = in;
+
+            res.data = out;
+
+            if (ngx_quic_compat_create_record(&rec, &res) != NGX_OK) {
+                return 0;
+            }
+
+#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
+            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic compat record len:%uz %xV", res.len, &res);
+#endif
+
+            BIO_write(rbio, res.data, res.len);
+        }
+
+        data += n;
+        len -= n;
+    }
+
+    return 1;
+}
+
+
+static size_t
+ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out,
+    ngx_uint_t plain)
+{
+    u_char  type;
+    size_t  len;
+
+    len = rec->payload.len;
+
+    if (plain) {
+        type = rec->type;
+
+    } else {
+        type = SSL3_RT_APPLICATION_DATA;
+        len += EVP_GCM_TLS_TAG_LEN;
+    }
+
+    out[0] = type;
+    out[1] = 0x03;
+    out[2] = 0x03;
+    out[3] = (len >> 8);
+    out[4] = len;
+
+    return 5;
+}
+
+
+static ngx_int_t
+ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
+{
+    ngx_str_t            ad, out;
+    ngx_quic_secret_t   *secret;
+    ngx_quic_ciphers_t   ciphers;
+    u_char               nonce[NGX_QUIC_IV_LEN];
+
+    ad.data = res->data;
+    ad.len = ngx_quic_compat_create_header(rec, ad.data, 0);
+
+    out.len = rec->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.data = res->data + ad.len;
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, rec->log, 0,
+                   "quic compat ad len:%uz %xV", ad.len, &ad);
+#endif
+
+    if (ngx_quic_ciphers(rec->keys->cipher, &ciphers, rec->level) == NGX_ERROR)
+    {
+        return NGX_ERROR;
+    }
+
+    secret = &rec->keys->secret;
+
+    ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
+    ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number);
+
+    if (ngx_quic_tls_seal(ciphers.c, secret, &out,
+                          nonce, &rec->payload, &ad, rec->log)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    res->len = ad.len + out.len;
+
+    return NGX_OK;
+}
+
+
+enum ssl_encryption_level_t
+SSL_quic_read_level(const SSL *ssl)
+{
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    qc = ngx_quic_get_connection(c);
+
+    return qc->compat->read_level;
+}
+
+
+enum ssl_encryption_level_t
+SSL_quic_write_level(const SSL *ssl)
+{
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    qc = ngx_quic_get_connection(c);
+
+    return qc->compat->write_level;
+}
+
+
+int
+SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
+    size_t params_len)
+{
+    ngx_connection_t       *c;
+    ngx_quic_compat_t      *com;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+
+    com->tp.len = params_len;
+    com->tp.data = (u_char *) params;
+
+    return 1;
+}
+
+
+void
+SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
+    size_t *out_params_len)
+{
+    ngx_connection_t       *c;
+    ngx_quic_compat_t      *com;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection(ssl);
+    qc = ngx_quic_get_connection(c);
+    com = qc->compat;
+
+    *out_params = com->ctp.data;
+    *out_params_len = com->ctp.len;
+}
+
+#endif /* NGX_QUIC_OPENSSL_COMPAT */
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.h b/src/event/quic/ngx_event_quic_openssl_compat.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_openssl_compat.h
@@ -0,0 +1,60 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
+#define _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
+
+#ifdef TLSEXT_TYPE_quic_transport_parameters
+#undef NGX_QUIC_OPENSSL_COMPAT
+#else
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+typedef struct ngx_quic_compat_s  ngx_quic_compat_t;
+
+
+enum ssl_encryption_level_t {
+    ssl_encryption_initial = 0,
+    ssl_encryption_early_data,
+    ssl_encryption_handshake,
+    ssl_encryption_application
+};
+
+
+typedef struct ssl_quic_method_st {
+    int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level,
+                           const SSL_CIPHER *cipher,
+                           const uint8_t *rsecret, size_t secret_len);
+    int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level,
+                            const SSL_CIPHER *cipher,
+                            const uint8_t *wsecret, size_t secret_len);
+    int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level,
+                              const uint8_t *data, size_t len);
+    int (*flush_flight)(SSL *ssl);
+    int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level,
+                      uint8_t alert);
+} SSL_QUIC_METHOD;
+
+
+ngx_int_t ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx);
+
+int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
+int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
+    const uint8_t *data, size_t len);
+enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
+enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
+int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
+    size_t params_len);
+void SSL_get_peer_quic_transport_params(const SSL *ssl,
+    const uint8_t **out_params, size_t *out_params_len);
+
+
+#endif /* TLSEXT_TYPE_quic_transport_parameters */
+
+#endif /* _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -0,0 +1,1293 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#define NGX_QUIC_MAX_UDP_PAYLOAD_OUT   1252
+#define NGX_QUIC_MAX_UDP_PAYLOAD_OUT6  1232
+
+#define NGX_QUIC_MAX_UDP_SEGMENT_BUF  65487 /* 65K - IPv6 header */
+#define NGX_QUIC_MAX_SEGMENTS            64 /* UDP_MAX_SEGMENTS */
+
+#define NGX_QUIC_RETRY_TOKEN_LIFETIME     3 /* seconds */
+#define NGX_QUIC_NEW_TOKEN_LIFETIME     600 /* seconds */
+#define NGX_QUIC_RETRY_BUFFER_SIZE      256
+    /* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(64) */
+
+/*
+ * RFC 9000, 10.3.  Stateless Reset
+ *
+ * Endpoints MUST discard packets that are too small to be valid QUIC
+ * packets.  With the set of AEAD functions defined in [QUIC-TLS],
+ * short header packets that are smaller than 21 bytes are never valid.
+ */
+#define NGX_QUIC_MIN_PKT_LEN             21
+
+#define NGX_QUIC_MIN_SR_PACKET           43 /* 5 rand + 16 srt + 22 padding */
+#define NGX_QUIC_MAX_SR_PACKET         1200
+
+#define NGX_QUIC_CC_MIN_INTERVAL       1000 /* 1s */
+
+#define NGX_QUIC_SOCKET_RETRY_DELAY      10 /* ms, for NGX_AGAIN on write */
+
+
+static ngx_int_t ngx_quic_create_datagrams(ngx_connection_t *c);
+static void ngx_quic_commit_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx);
+static void ngx_quic_revert_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    uint64_t pnum);
+#if ((NGX_HAVE_UDP_SEGMENT) && (NGX_HAVE_MSGHDR_MSG_CONTROL))
+static ngx_uint_t ngx_quic_allow_segmentation(ngx_connection_t *c);
+static ngx_int_t ngx_quic_create_segments(ngx_connection_t *c);
+static ssize_t ngx_quic_send_segments(ngx_connection_t *c, u_char *buf,
+    size_t len, struct sockaddr *sockaddr, socklen_t socklen, size_t segment);
+#endif
+static ssize_t ngx_quic_output_packet(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx, u_char *data, size_t max, size_t min);
+static void ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    ngx_quic_header_t *pkt, ngx_quic_path_t *path);
+static ngx_uint_t ngx_quic_get_padding_level(ngx_connection_t *c);
+static ssize_t ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len,
+    struct sockaddr *sockaddr, socklen_t socklen);
+static void ngx_quic_set_packet_number(ngx_quic_header_t *pkt,
+    ngx_quic_send_ctx_t *ctx);
+static size_t ngx_quic_path_limit(ngx_connection_t *c, ngx_quic_path_t *path,
+    size_t size);
+
+
+size_t
+ngx_quic_max_udp_payload(ngx_connection_t *c)
+{
+    /* TODO: path MTU discovery */
+
+#if (NGX_HAVE_INET6)
+    if (c->sockaddr->sa_family == AF_INET6) {
+        return NGX_QUIC_MAX_UDP_PAYLOAD_OUT6;
+    }
+#endif
+
+    return NGX_QUIC_MAX_UDP_PAYLOAD_OUT;
+}
+
+
+ngx_int_t
+ngx_quic_output(ngx_connection_t *c)
+{
+    size_t                  in_flight;
+    ngx_int_t               rc;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+
+    c->log->action = "sending frames";
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+
+    in_flight = cg->in_flight;
+
+#if ((NGX_HAVE_UDP_SEGMENT) && (NGX_HAVE_MSGHDR_MSG_CONTROL))
+    if (ngx_quic_allow_segmentation(c)) {
+        rc = ngx_quic_create_segments(c);
+    } else
+#endif
+    {
+        rc = ngx_quic_create_datagrams(c);
+    }
+
+    if (rc != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (in_flight == cg->in_flight || qc->closing) {
+        /* no ack-eliciting data was sent or we are done */
+        return NGX_OK;
+    }
+
+    if (!qc->send_timer_set) {
+        qc->send_timer_set = 1;
+        ngx_add_timer(c->read, qc->tp.max_idle_timeout);
+    }
+
+    ngx_quic_set_lost_timer(c);
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_create_datagrams(ngx_connection_t *c)
+{
+    size_t                  len, min;
+    ssize_t                 n;
+    u_char                 *p;
+    uint64_t                preserved_pnum[NGX_QUIC_SEND_CTX_LAST];
+    ngx_uint_t              i, pad;
+    ngx_quic_path_t        *path;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+    static u_char           dst[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+    path = qc->path;
+
+    while (cg->in_flight < cg->window) {
+
+        p = dst;
+
+        len = ngx_min(qc->ctp.max_udp_payload_size,
+                      NGX_QUIC_MAX_UDP_PAYLOAD_SIZE);
+
+        len = ngx_quic_path_limit(c, path, len);
+
+        pad = ngx_quic_get_padding_level(c);
+
+        for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+
+            ctx = &qc->send_ctx[i];
+
+            preserved_pnum[i] = ctx->pnum;
+
+            if (ngx_quic_generate_ack(c, ctx) != NGX_OK) {
+                return NGX_ERROR;
+            }
+
+            min = (i == pad && p - dst < NGX_QUIC_MIN_INITIAL_SIZE)
+                  ? NGX_QUIC_MIN_INITIAL_SIZE - (p - dst) : 0;
+
+            if (min > len) {
+                /* padding can't be applied - avoid sending the packet */
+
+                while (i-- > 0) {
+                    ctx = &qc->send_ctx[i];
+                    ngx_quic_revert_send(c, ctx, preserved_pnum[i]);
+                }
+
+                return NGX_OK;
+            }
+
+            n = ngx_quic_output_packet(c, ctx, p, len, min);
+            if (n == NGX_ERROR) {
+                return NGX_ERROR;
+            }
+
+            p += n;
+            len -= n;
+        }
+
+        len = p - dst;
+        if (len == 0) {
+            break;
+        }
+
+        n = ngx_quic_send(c, dst, len, path->sockaddr, path->socklen);
+
+        if (n == NGX_ERROR) {
+            return NGX_ERROR;
+        }
+
+        if (n == NGX_AGAIN) {
+            for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+                ngx_quic_revert_send(c, &qc->send_ctx[i], preserved_pnum[i]);
+            }
+
+            ngx_add_timer(&qc->push, NGX_QUIC_SOCKET_RETRY_DELAY);
+            break;
+        }
+
+        for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+            ngx_quic_commit_send(c, &qc->send_ctx[i]);
+        }
+
+        path->sent += len;
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_commit_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
+{
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    cg = &qc->congestion;
+
+    while (!ngx_queue_empty(&ctx->sending)) {
+
+        q = ngx_queue_head(&ctx->sending);
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        ngx_queue_remove(q);
+
+        if (f->pkt_need_ack && !qc->closing) {
+            ngx_queue_insert_tail(&ctx->sent, q);
+
+            cg->in_flight += f->plen;
+
+        } else {
+            ngx_quic_free_frame(c, f);
+        }
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic congestion send if:%uz", cg->in_flight);
+}
+
+
+static void
+ngx_quic_revert_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    uint64_t pnum)
+{
+    ngx_queue_t  *q;
+
+    while (!ngx_queue_empty(&ctx->sending)) {
+
+        q = ngx_queue_last(&ctx->sending);
+        ngx_queue_remove(q);
+        ngx_queue_insert_head(&ctx->frames, q);
+    }
+
+    ctx->pnum = pnum;
+}
+
+
+#if ((NGX_HAVE_UDP_SEGMENT) && (NGX_HAVE_MSGHDR_MSG_CONTROL))
+
+static ngx_uint_t
+ngx_quic_allow_segmentation(ngx_connection_t *c)
+{
+    size_t                  bytes, len;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!qc->conf->gso_enabled) {
+        return 0;
+    }
+
+    if (qc->path->limited) {
+        /* don't even try to be faster on non-validated paths */
+        return 0;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_initial);
+    if (!ngx_queue_empty(&ctx->frames)) {
+        return 0;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_handshake);
+    if (!ngx_queue_empty(&ctx->frames)) {
+        return 0;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+
+    bytes = 0;
+
+    len = ngx_min(qc->ctp.max_udp_payload_size,
+                  NGX_QUIC_MAX_UDP_SEGMENT_BUF);
+
+    for (q = ngx_queue_head(&ctx->frames);
+         q != ngx_queue_sentinel(&ctx->frames);
+         q = ngx_queue_next(q))
+    {
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        bytes += f->len;
+
+        if (bytes > len * 3) {
+            /* require at least ~3 full packets to batch */
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+
+static ngx_int_t
+ngx_quic_create_segments(ngx_connection_t *c)
+{
+    size_t                  len, segsize;
+    ssize_t                 n;
+    u_char                 *p, *end;
+    uint64_t                preserved_pnum;
+    ngx_uint_t              nseg;
+    ngx_quic_path_t        *path;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_congestion_t  *cg;
+    ngx_quic_connection_t  *qc;
+    static u_char           dst[NGX_QUIC_MAX_UDP_SEGMENT_BUF];
+
+    qc = ngx_quic_get_connection(c);
+    cg = &qc->congestion;
+    path = qc->path;
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+
+    if (ngx_quic_generate_ack(c, ctx) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    segsize = ngx_min(qc->ctp.max_udp_payload_size,
+                      NGX_QUIC_MAX_UDP_SEGMENT_BUF);
+    p = dst;
+    end = dst + sizeof(dst);
+
+    nseg = 0;
+
+    preserved_pnum = ctx->pnum;
+
+    for ( ;; ) {
+
+        len = ngx_min(segsize, (size_t) (end - p));
+
+        if (len && cg->in_flight < cg->window) {
+
+            n = ngx_quic_output_packet(c, ctx, p, len, len);
+            if (n == NGX_ERROR) {
+                return NGX_ERROR;
+            }
+
+            if (n) {
+                p += n;
+                nseg++;
+            }
+
+        } else {
+            n = 0;
+        }
+
+        if (p == dst) {
+            break;
+        }
+
+        if (n == 0 || nseg == NGX_QUIC_MAX_SEGMENTS) {
+            n = ngx_quic_send_segments(c, dst, p - dst, path->sockaddr,
+                                       path->socklen, segsize);
+            if (n == NGX_ERROR) {
+                return NGX_ERROR;
+            }
+
+            if (n == NGX_AGAIN) {
+                ngx_quic_revert_send(c, ctx, preserved_pnum);
+
+                ngx_add_timer(&qc->push, NGX_QUIC_SOCKET_RETRY_DELAY);
+                break;
+            }
+
+            ngx_quic_commit_send(c, ctx);
+
+            path->sent += n;
+
+            p = dst;
+            nseg = 0;
+            preserved_pnum = ctx->pnum;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ssize_t
+ngx_quic_send_segments(ngx_connection_t *c, u_char *buf, size_t len,
+    struct sockaddr *sockaddr, socklen_t socklen, size_t segment)
+{
+    size_t           clen;
+    ssize_t          n;
+    uint16_t        *valp;
+    struct iovec     iov;
+    struct msghdr    msg;
+    struct cmsghdr  *cmsg;
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+    char             msg_control[CMSG_SPACE(sizeof(uint16_t))
+                             + CMSG_SPACE(sizeof(ngx_addrinfo_t))];
+#else
+    char             msg_control[CMSG_SPACE(sizeof(uint16_t))];
+#endif
+
+    ngx_memzero(&msg, sizeof(struct msghdr));
+    ngx_memzero(msg_control, sizeof(msg_control));
+
+    iov.iov_len = len;
+    iov.iov_base = buf;
+
+    msg.msg_iov = &iov;
+    msg.msg_iovlen = 1;
+
+    msg.msg_name = sockaddr;
+    msg.msg_namelen = socklen;
+
+    msg.msg_control = msg_control;
+    msg.msg_controllen = sizeof(msg_control);
+
+    cmsg = CMSG_FIRSTHDR(&msg);
+
+    cmsg->cmsg_level = SOL_UDP;
+    cmsg->cmsg_type = UDP_SEGMENT;
+    cmsg->cmsg_len = CMSG_LEN(sizeof(uint16_t));
+
+    clen = CMSG_SPACE(sizeof(uint16_t));
+
+    valp = (void *) CMSG_DATA(cmsg);
+    *valp = segment;
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+    if (c->listening && c->listening->wildcard && c->local_sockaddr) {
+        cmsg = CMSG_NXTHDR(&msg, cmsg);
+        clen += ngx_set_srcaddr_cmsg(cmsg, c->local_sockaddr);
+    }
+#endif
+
+    msg.msg_controllen = clen;
+
+    n = ngx_sendmsg(c, &msg, 0);
+    if (n < 0) {
+        return n;
+    }
+
+    c->sent += n;
+
+    return n;
+}
+
+#endif
+
+
+
+static ngx_uint_t
+ngx_quic_get_padding_level(ngx_connection_t *c)
+{
+    ngx_uint_t              i;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    /*
+     * RFC 9000, 14.1.  Initial Datagram Size
+     *
+     * Similarly, a server MUST expand the payload of all UDP datagrams
+     * carrying ack-eliciting Initial packets to at least the smallest
+     * allowed maximum datagram size of 1200 bytes.
+     */
+
+    qc = ngx_quic_get_connection(c);
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_initial);
+
+    for (q = ngx_queue_head(&ctx->frames);
+         q != ngx_queue_sentinel(&ctx->frames);
+         q = ngx_queue_next(q))
+    {
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        if (f->need_ack) {
+            for (i = 0; i + 1 < NGX_QUIC_SEND_CTX_LAST; i++) {
+                ctx = &qc->send_ctx[i + 1];
+
+                if (ngx_queue_empty(&ctx->frames)) {
+                    break;
+                }
+            }
+
+            return i;
+        }
+    }
+
+    return NGX_QUIC_SEND_CTX_LAST;
+}
+
+
+static ssize_t
+ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    u_char *data, size_t max, size_t min)
+{
+    size_t                  len, pad, min_payload, max_payload;
+    u_char                 *p;
+    ssize_t                 flen;
+    ngx_str_t               res;
+    ngx_int_t               rc;
+    ngx_uint_t              nframes, expand;
+    ngx_msec_t              now;
+    ngx_queue_t            *q;
+    ngx_quic_frame_t       *f;
+    ngx_quic_header_t       pkt;
+    ngx_quic_connection_t  *qc;
+    static u_char           src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    if (ngx_queue_empty(&ctx->frames)) {
+        return 0;
+    }
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic output %s packet max:%uz min:%uz",
+                   ngx_quic_level_name(ctx->level), max, min);
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_quic_init_packet(c, ctx, &pkt, qc->path);
+
+    min_payload = ngx_quic_payload_size(&pkt, min);
+    max_payload = ngx_quic_payload_size(&pkt, max);
+
+    /* RFC 9001, 5.4.2.  Header Protection Sample */
+    pad = 4 - pkt.num_len;
+    min_payload = ngx_max(min_payload, pad);
+
+    if (min_payload > max_payload) {
+        return 0;
+    }
+
+    now = ngx_current_msec;
+    nframes = 0;
+    p = src;
+    len = 0;
+    expand = 0;
+
+    for (q = ngx_queue_head(&ctx->frames);
+         q != ngx_queue_sentinel(&ctx->frames);
+         q = ngx_queue_next(q))
+    {
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        if (!expand && (f->type == NGX_QUIC_FT_PATH_RESPONSE
+                        || f->type == NGX_QUIC_FT_PATH_CHALLENGE))
+        {
+            /*
+             * RFC 9000, 8.2.1.  Initiating Path Validation
+             *
+             * An endpoint MUST expand datagrams that contain a
+             * PATH_CHALLENGE frame to at least the smallest allowed
+             * maximum datagram size of 1200 bytes...
+             *
+             * (same applies to PATH_RESPONSE frames)
+             */
+
+            if (max < 1200) {
+                /* expanded packet will not fit */
+                break;
+            }
+
+            if (min < 1200) {
+                min = 1200;
+
+                min_payload = ngx_quic_payload_size(&pkt, min);
+            }
+
+            expand = 1;
+        }
+
+        if (len >= max_payload) {
+            break;
+        }
+
+        if (len + f->len > max_payload) {
+            rc = ngx_quic_split_frame(c, f, max_payload - len);
+
+            if (rc == NGX_ERROR) {
+                return NGX_ERROR;
+            }
+
+            if (rc == NGX_DECLINED) {
+                break;
+            }
+        }
+
+        if (f->need_ack) {
+            pkt.need_ack = 1;
+        }
+
+        ngx_quic_log_frame(c->log, f, 1);
+
+        flen = ngx_quic_create_frame(p, f);
+        if (flen == -1) {
+            return NGX_ERROR;
+        }
+
+        len += flen;
+        p += flen;
+
+        f->pnum = ctx->pnum;
+        f->first = now;
+        f->last = now;
+        f->plen = 0;
+
+        nframes++;
+
+        if (f->flush) {
+            break;
+        }
+    }
+
+    if (nframes == 0) {
+        return 0;
+    }
+
+    if (len < min_payload) {
+        ngx_memset(p, NGX_QUIC_FT_PADDING, min_payload - len);
+        len = min_payload;
+    }
+
+    pkt.payload.data = src;
+    pkt.payload.len = len;
+
+    res.data = data;
+
+    ngx_log_debug6(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic packet tx %s bytes:%ui"
+                   " need_ack:%d number:%L encoded nl:%d trunc:0x%xD",
+                   ngx_quic_level_name(ctx->level), pkt.payload.len,
+                   pkt.need_ack, pkt.number, pkt.num_len, pkt.trunc);
+
+    if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ctx->pnum++;
+
+    if (pkt.need_ack) {
+        q = ngx_queue_head(&ctx->frames);
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        f->plen = res.len;
+    }
+
+    while (nframes--) {
+        q = ngx_queue_head(&ctx->frames);
+        f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+
+        f->pkt_need_ack = pkt.need_ack;
+
+        ngx_queue_remove(q);
+        ngx_queue_insert_tail(&ctx->sending, q);
+    }
+
+    return res.len;
+}
+
+
+static void
+ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    ngx_quic_header_t *pkt, ngx_quic_path_t *path)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_memzero(pkt, sizeof(ngx_quic_header_t));
+
+    pkt->flags = NGX_QUIC_PKT_FIXED_BIT;
+
+    if (ctx->level == ssl_encryption_initial) {
+        pkt->flags |= NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_INITIAL;
+
+    } else if (ctx->level == ssl_encryption_handshake) {
+        pkt->flags |= NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_HANDSHAKE;
+
+    } else {
+        if (qc->key_phase) {
+            pkt->flags |= NGX_QUIC_PKT_KPHASE;
+        }
+    }
+
+    pkt->dcid.data = path->cid->id;
+    pkt->dcid.len = path->cid->len;
+
+    pkt->scid = qc->tp.initial_scid;
+
+    pkt->version = qc->version;
+    pkt->log = c->log;
+    pkt->level = ctx->level;
+
+    pkt->keys = qc->keys;
+
+    ngx_quic_set_packet_number(pkt, ctx);
+}
+
+
+static ssize_t
+ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len,
+    struct sockaddr *sockaddr, socklen_t socklen)
+{
+    ssize_t          n;
+    struct iovec     iov;
+    struct msghdr    msg;
+#if (NGX_HAVE_ADDRINFO_CMSG)
+    struct cmsghdr  *cmsg;
+    char             msg_control[CMSG_SPACE(sizeof(ngx_addrinfo_t))];
+#endif
+
+    ngx_memzero(&msg, sizeof(struct msghdr));
+
+    iov.iov_len = len;
+    iov.iov_base = buf;
+
+    msg.msg_iov = &iov;
+    msg.msg_iovlen = 1;
+
+    msg.msg_name = sockaddr;
+    msg.msg_namelen = socklen;
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+    if (c->listening && c->listening->wildcard && c->local_sockaddr) {
+
+        msg.msg_control = msg_control;
+        msg.msg_controllen = sizeof(msg_control);
+        ngx_memzero(msg_control, sizeof(msg_control));
+
+        cmsg = CMSG_FIRSTHDR(&msg);
+
+        msg.msg_controllen = ngx_set_srcaddr_cmsg(cmsg, c->local_sockaddr);
+    }
+#endif
+
+    n = ngx_sendmsg(c, &msg, 0);
+    if (n < 0) {
+        return n;
+    }
+
+    c->sent += n;
+
+    return n;
+}
+
+
+static void
+ngx_quic_set_packet_number(ngx_quic_header_t *pkt, ngx_quic_send_ctx_t *ctx)
+{
+    uint64_t  delta;
+
+    delta = ctx->pnum - ctx->largest_ack;
+    pkt->number = ctx->pnum;
+
+    if (delta <= 0x7F) {
+        pkt->num_len = 1;
+        pkt->trunc = ctx->pnum & 0xff;
+
+    } else if (delta <= 0x7FFF) {
+        pkt->num_len = 2;
+        pkt->flags |= 0x1;
+        pkt->trunc = ctx->pnum & 0xffff;
+
+    } else if (delta <= 0x7FFFFF) {
+        pkt->num_len = 3;
+        pkt->flags |= 0x2;
+        pkt->trunc = ctx->pnum & 0xffffff;
+
+    } else {
+        pkt->num_len = 4;
+        pkt->flags |= 0x3;
+        pkt->trunc = ctx->pnum & 0xffffffff;
+    }
+}
+
+
+ngx_int_t
+ngx_quic_negotiate_version(ngx_connection_t *c, ngx_quic_header_t *inpkt)
+{
+    size_t             len;
+    ngx_quic_header_t  pkt;
+    static u_char      buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "sending version negotiation packet");
+
+    pkt.log = c->log;
+    pkt.flags = NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_FIXED_BIT;
+    pkt.dcid = inpkt->scid;
+    pkt.scid = inpkt->dcid;
+
+    len = ngx_quic_create_version_negotiation(&pkt, buf);
+
+#ifdef NGX_QUIC_DEBUG_PACKETS
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic vnego packet to send len:%uz %*xs", len, len, buf);
+#endif
+
+    (void) ngx_quic_send(c, buf, len, c->sockaddr, c->socklen);
+
+    return NGX_DONE;
+}
+
+
+ngx_int_t
+ngx_quic_send_stateless_reset(ngx_connection_t *c, ngx_quic_conf_t *conf,
+    ngx_quic_header_t *pkt)
+{
+    u_char    *token;
+    size_t     len, max;
+    uint16_t   rndbytes;
+    u_char     buf[NGX_QUIC_MAX_SR_PACKET];
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic handle stateless reset output");
+
+    if (pkt->len <= NGX_QUIC_MIN_PKT_LEN) {
+        return NGX_DECLINED;
+    }
+
+    if (pkt->len <= NGX_QUIC_MIN_SR_PACKET) {
+        len = pkt->len - 1;
+
+    } else {
+        max = ngx_min(NGX_QUIC_MAX_SR_PACKET, pkt->len * 3);
+
+        if (RAND_bytes((u_char *) &rndbytes, sizeof(rndbytes)) != 1) {
+            return NGX_ERROR;
+        }
+
+        len = (rndbytes % (max - NGX_QUIC_MIN_SR_PACKET + 1))
+              + NGX_QUIC_MIN_SR_PACKET;
+    }
+
+    if (RAND_bytes(buf, len - NGX_QUIC_SR_TOKEN_LEN) != 1) {
+        return NGX_ERROR;
+    }
+
+    buf[0] &= ~NGX_QUIC_PKT_LONG;
+    buf[0] |= NGX_QUIC_PKT_FIXED_BIT;
+
+    token = &buf[len - NGX_QUIC_SR_TOKEN_LEN];
+
+    if (ngx_quic_new_sr_token(c, &pkt->dcid, conf->sr_token_key, token)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    (void) ngx_quic_send(c, buf, len, c->sockaddr, c->socklen);
+
+    return NGX_DECLINED;
+}
+
+
+ngx_int_t
+ngx_quic_send_cc(ngx_connection_t *c)
+{
+    ngx_quic_frame_t        frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc->draining) {
+        return NGX_OK;
+    }
+
+    if (qc->closing
+        && ngx_current_msec - qc->last_cc < NGX_QUIC_CC_MIN_INTERVAL)
+    {
+        /* dot not send CC too often */
+        return NGX_OK;
+    }
+
+    ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+
+    frame.level = qc->error_level;
+    frame.type = qc->error_app ? NGX_QUIC_FT_CONNECTION_CLOSE_APP
+                               : NGX_QUIC_FT_CONNECTION_CLOSE;
+    frame.u.close.error_code = qc->error;
+    frame.u.close.frame_type = qc->error_ftype;
+
+    if (qc->error_reason) {
+        frame.u.close.reason.len = ngx_strlen(qc->error_reason);
+        frame.u.close.reason.data = (u_char *) qc->error_reason;
+    }
+
+    qc->last_cc = ngx_current_msec;
+
+    return ngx_quic_frame_sendto(c, &frame, 0, qc->path);
+}
+
+
+ngx_int_t
+ngx_quic_send_early_cc(ngx_connection_t *c, ngx_quic_header_t *inpkt,
+    ngx_uint_t err, const char *reason)
+{
+    ssize_t            len;
+    ngx_str_t          res;
+    ngx_quic_keys_t    keys;
+    ngx_quic_frame_t   frame;
+    ngx_quic_header_t  pkt;
+
+    static u_char       src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+    static u_char       dst[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+    ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
+
+    frame.level = inpkt->level;
+    frame.type = NGX_QUIC_FT_CONNECTION_CLOSE;
+    frame.u.close.error_code = err;
+
+    frame.u.close.reason.data = (u_char *) reason;
+    frame.u.close.reason.len = ngx_strlen(reason);
+
+    len = ngx_quic_create_frame(NULL, &frame);
+    if (len > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE) {
+        return NGX_ERROR;
+    }
+
+    ngx_quic_log_frame(c->log, &frame, 1);
+
+    len = ngx_quic_create_frame(src, &frame);
+    if (len == -1) {
+        return NGX_ERROR;
+    }
+
+    ngx_memzero(&keys, sizeof(ngx_quic_keys_t));
+
+    pkt.keys = &keys;
+
+    if (ngx_quic_keys_set_initial_secret(pkt.keys, &inpkt->dcid, c->log)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    pkt.flags = NGX_QUIC_PKT_FIXED_BIT | NGX_QUIC_PKT_LONG
+                | NGX_QUIC_PKT_INITIAL;
+
+    pkt.num_len = 1;
+    /*
+     * pkt.num = 0;
+     * pkt.trunc = 0;
+     */
+
+    pkt.version = inpkt->version;
+    pkt.log = c->log;
+    pkt.level = inpkt->level;
+    pkt.dcid = inpkt->scid;
+    pkt.scid = inpkt->dcid;
+    pkt.payload.data = src;
+    pkt.payload.len = len;
+
+    res.data = dst;
+
+    if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_quic_send(c, res.data, res.len, c->sockaddr, c->socklen) < 0) {
+        return NGX_ERROR;
+    }
+
+    return NGX_DONE;
+}
+
+
+ngx_int_t
+ngx_quic_send_retry(ngx_connection_t *c, ngx_quic_conf_t *conf,
+    ngx_quic_header_t *inpkt)
+{
+    time_t             expires;
+    ssize_t            len;
+    ngx_str_t          res, token;
+    ngx_quic_header_t  pkt;
+
+    u_char             buf[NGX_QUIC_RETRY_BUFFER_SIZE];
+    u_char             dcid[NGX_QUIC_SERVER_CID_LEN];
+    u_char             tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
+
+    expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME;
+
+    token.data = tbuf;
+    token.len = NGX_QUIC_TOKEN_BUF_SIZE;
+
+    if (ngx_quic_new_token(c->log, c->sockaddr, c->socklen, conf->av_token_key,
+                           &token, &inpkt->dcid, expires, 1)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
+    pkt.flags = NGX_QUIC_PKT_FIXED_BIT | NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_RETRY;
+    pkt.version = inpkt->version;
+    pkt.log = c->log;
+
+    pkt.odcid = inpkt->dcid;
+    pkt.dcid = inpkt->scid;
+
+    /* TODO: generate routable dcid */
+    if (RAND_bytes(dcid, NGX_QUIC_SERVER_CID_LEN) != 1) {
+        return NGX_ERROR;
+    }
+
+    pkt.scid.len = NGX_QUIC_SERVER_CID_LEN;
+    pkt.scid.data = dcid;
+
+    pkt.token = token;
+
+    res.data = buf;
+
+    if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+#ifdef NGX_QUIC_DEBUG_PACKETS
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic packet to send len:%uz %xV", res.len, &res);
+#endif
+
+    len = ngx_quic_send(c, res.data, res.len, c->sockaddr, c->socklen);
+    if (len < 0) {
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic retry packet sent to %xV", &pkt.dcid);
+
+    /*
+     * RFC 9000, 17.2.5.1.  Sending a Retry Packet
+     *
+     * A server MUST NOT send more than one Retry
+     * packet in response to a single UDP datagram.
+     * NGX_DONE will stop quic_input() from processing further
+     */
+    return NGX_DONE;
+}
+
+
+ngx_int_t
+ngx_quic_send_new_token(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    time_t                  expires;
+    ngx_str_t               token;
+    ngx_chain_t            *out;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    u_char                  tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
+
+    qc = ngx_quic_get_connection(c);
+
+    expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
+
+    token.data = tbuf;
+    token.len = NGX_QUIC_TOKEN_BUF_SIZE;
+
+    if (ngx_quic_new_token(c->log, path->sockaddr, path->socklen,
+                           qc->conf->av_token_key, &token, NULL, expires, 0)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    out = ngx_quic_copy_buffer(c, token.data, token.len);
+    if (out == NGX_CHAIN_ERROR) {
+        return NGX_ERROR;
+    }
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_NEW_TOKEN;
+    frame->data = out;
+    frame->u.token.length = token.len;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_send_ack(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
+{
+    size_t                  len, left;
+    uint64_t                ack_delay;
+    ngx_buf_t              *b;
+    ngx_uint_t              i;
+    ngx_chain_t            *cl, **ll;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ack_delay = ngx_current_msec - ctx->largest_received;
+    ack_delay *= 1000;
+    ack_delay >>= qc->tp.ack_delay_exponent;
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    ll = &frame->data;
+    b = NULL;
+
+    for (i = 0; i < ctx->nranges; i++) {
+        len = ngx_quic_create_ack_range(NULL, ctx->ranges[i].gap,
+                                        ctx->ranges[i].range);
+
+        left = b ? b->end - b->last : 0;
+
+        if (left < len) {
+            cl = ngx_quic_alloc_chain(c);
+            if (cl == NULL) {
+                return NGX_ERROR;
+            }
+
+            *ll = cl;
+            ll = &cl->next;
+
+            b = cl->buf;
+            left = b->end - b->last;
+
+            if (left < len) {
+                return NGX_ERROR;
+            }
+        }
+
+        b->last += ngx_quic_create_ack_range(b->last, ctx->ranges[i].gap,
+                                             ctx->ranges[i].range);
+
+        frame->u.ack.ranges_length += len;
+    }
+
+    *ll = NULL;
+
+    frame->level = ctx->level;
+    frame->type = NGX_QUIC_FT_ACK;
+    frame->u.ack.largest = ctx->largest_range;
+    frame->u.ack.delay = ack_delay;
+    frame->u.ack.range_count = ctx->nranges;
+    frame->u.ack.first_range = ctx->first_range;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_send_ack_range(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
+    uint64_t smallest, uint64_t largest)
+{
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ctx->level;
+    frame->type = NGX_QUIC_FT_ACK;
+    frame->u.ack.largest = largest;
+    frame->u.ack.delay = 0;
+    frame->u.ack.range_count = 0;
+    frame->u.ack.first_range = largest - smallest;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_frame_sendto(ngx_connection_t *c, ngx_quic_frame_t *frame,
+    size_t min, ngx_quic_path_t *path)
+{
+    size_t                  min_payload, pad;
+    ssize_t                 len, sent;
+    ngx_str_t               res;
+    ngx_quic_header_t       pkt;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    static u_char           src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+    static u_char           dst[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+    qc = ngx_quic_get_connection(c);
+    ctx = ngx_quic_get_send_ctx(qc, frame->level);
+
+    ngx_quic_init_packet(c, ctx, &pkt, path);
+
+    min = ngx_quic_path_limit(c, path, min);
+
+    min_payload = min ? ngx_quic_payload_size(&pkt, min) : 0;
+
+    pad = 4 - pkt.num_len;
+    min_payload = ngx_max(min_payload, pad);
+
+    len = ngx_quic_create_frame(NULL, frame);
+    if (len > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE) {
+        return NGX_ERROR;
+    }
+
+    ngx_quic_log_frame(c->log, frame, 1);
+
+    len = ngx_quic_create_frame(src, frame);
+    if (len == -1) {
+        return NGX_ERROR;
+    }
+
+    if (len < (ssize_t) min_payload) {
+        ngx_memset(src + len, NGX_QUIC_FT_PADDING, min_payload - len);
+        len = min_payload;
+    }
+
+    pkt.payload.data = src;
+    pkt.payload.len = len;
+
+    res.data = dst;
+
+    if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ctx->pnum++;
+
+    sent = ngx_quic_send(c, res.data, res.len, path->sockaddr, path->socklen);
+    if (sent < 0) {
+        return NGX_ERROR;
+    }
+
+    path->sent += sent;
+
+    return NGX_OK;
+}
+
+
+static size_t
+ngx_quic_path_limit(ngx_connection_t *c, ngx_quic_path_t *path, size_t size)
+{
+    off_t  max;
+
+    if (path->limited) {
+        max = path->received * 3;
+        max = (path->sent >= max) ? 0 : max - path->sent;
+
+        if ((off_t) size > max) {
+            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic path limit %uz - %O", size, max);
+            return max;
+        }
+    }
+
+    return size;
+}
diff --git a/src/event/quic/ngx_event_quic_output.h b/src/event/quic/ngx_event_quic_output.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_output.h
@@ -0,0 +1,40 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_OUTPUT_H_INCLUDED_
+#define _NGX_EVENT_QUIC_OUTPUT_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+size_t ngx_quic_max_udp_payload(ngx_connection_t *c);
+
+ngx_int_t ngx_quic_output(ngx_connection_t *c);
+
+ngx_int_t ngx_quic_negotiate_version(ngx_connection_t *c,
+    ngx_quic_header_t *inpkt);
+
+ngx_int_t ngx_quic_send_stateless_reset(ngx_connection_t *c,
+    ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+ngx_int_t ngx_quic_send_cc(ngx_connection_t *c);
+ngx_int_t ngx_quic_send_early_cc(ngx_connection_t *c,
+    ngx_quic_header_t *inpkt, ngx_uint_t err, const char *reason);
+
+ngx_int_t ngx_quic_send_retry(ngx_connection_t *c,
+    ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+ngx_int_t ngx_quic_send_new_token(ngx_connection_t *c, ngx_quic_path_t *path);
+
+ngx_int_t ngx_quic_send_ack(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx);
+ngx_int_t ngx_quic_send_ack_range(ngx_connection_t *c,
+    ngx_quic_send_ctx_t *ctx, uint64_t smallest, uint64_t largest);
+
+ngx_int_t ngx_quic_frame_sendto(ngx_connection_t *c, ngx_quic_frame_t *frame,
+    size_t min, ngx_quic_path_t *path);
+
+#endif /* _NGX_EVENT_QUIC_OUTPUT_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -0,0 +1,1087 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+/* RFC 9001, 5.4.1.  Header Protection Application: 5-byte mask */
+#define NGX_QUIC_HP_LEN               5
+
+#define NGX_QUIC_AES_128_KEY_LEN      16
+
+#ifndef TLS1_3_CK_AES_128_GCM_SHA256
+#define TLS1_3_CK_AES_128_GCM_SHA256  0x03001301
+#define TLS1_3_CK_AES_256_GCM_SHA384  0x03001302
+#define TLS1_3_CK_CHACHA20_POLY1305_SHA256                                   \
+                                      0x03001303
+#endif
+
+
+static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
+    const EVP_MD *digest, const u_char *prk, size_t prk_len,
+    const u_char *info, size_t info_len);
+static ngx_int_t ngx_hkdf_extract(u_char *out_key, size_t *out_len,
+    const EVP_MD *digest, const u_char *secret, size_t secret_len,
+    const u_char *salt, size_t salt_len);
+
+static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
+    uint64_t *largest_pn);
+
+static ngx_int_t ngx_quic_tls_open(const ngx_quic_cipher_t *cipher,
+    ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
+    ngx_str_t *ad, ngx_log_t *log);
+static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in);
+
+static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
+    ngx_str_t *res);
+static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
+    ngx_str_t *res);
+
+
+ngx_int_t
+ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+    enum ssl_encryption_level_t level)
+{
+    ngx_int_t  len;
+
+    if (level == ssl_encryption_initial) {
+        id = TLS1_3_CK_AES_128_GCM_SHA256;
+    }
+
+    switch (id) {
+
+    case TLS1_3_CK_AES_128_GCM_SHA256:
+#ifdef OPENSSL_IS_BORINGSSL
+        ciphers->c = EVP_aead_aes_128_gcm();
+#else
+        ciphers->c = EVP_aes_128_gcm();
+#endif
+        ciphers->hp = EVP_aes_128_ctr();
+        ciphers->d = EVP_sha256();
+        len = 16;
+        break;
+
+    case TLS1_3_CK_AES_256_GCM_SHA384:
+#ifdef OPENSSL_IS_BORINGSSL
+        ciphers->c = EVP_aead_aes_256_gcm();
+#else
+        ciphers->c = EVP_aes_256_gcm();
+#endif
+        ciphers->hp = EVP_aes_256_ctr();
+        ciphers->d = EVP_sha384();
+        len = 32;
+        break;
+
+    case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
+#ifdef OPENSSL_IS_BORINGSSL
+        ciphers->c = EVP_aead_chacha20_poly1305();
+#else
+        ciphers->c = EVP_chacha20_poly1305();
+#endif
+#ifdef OPENSSL_IS_BORINGSSL
+        ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
+#else
+        ciphers->hp = EVP_chacha20();
+#endif
+        ciphers->d = EVP_sha256();
+        len = 32;
+        break;
+
+    default:
+        return NGX_ERROR;
+    }
+
+    return len;
+}
+
+
+ngx_int_t
+ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret,
+    ngx_log_t *log)
+{
+    size_t              is_len;
+    uint8_t             is[SHA256_DIGEST_LENGTH];
+    ngx_str_t           iss;
+    ngx_uint_t          i;
+    const EVP_MD       *digest;
+    ngx_quic_hkdf_t     seq[8];
+    ngx_quic_secret_t  *client, *server;
+
+    static const uint8_t salt[20] =
+        "\x38\x76\x2c\xf7\xf5\x59\x34\xb3\x4d\x17"
+        "\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a";
+
+    client = &keys->secrets[ssl_encryption_initial].client;
+    server = &keys->secrets[ssl_encryption_initial].server;
+
+    /*
+     * RFC 9001, section 5.  Packet Protection
+     *
+     * Initial packets use AEAD_AES_128_GCM.  The hash function
+     * for HKDF when deriving initial secrets and keys is SHA-256.
+     */
+
+    digest = EVP_sha256();
+    is_len = SHA256_DIGEST_LENGTH;
+
+    if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
+                         salt, sizeof(salt))
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    iss.len = is_len;
+    iss.data = is;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic ngx_quic_set_initial_secret");
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt);
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic initial secret len:%uz %*xs", is_len, is_len, is);
+#endif
+
+    client->secret.len = SHA256_DIGEST_LENGTH;
+    server->secret.len = SHA256_DIGEST_LENGTH;
+
+    client->key.len = NGX_QUIC_AES_128_KEY_LEN;
+    server->key.len = NGX_QUIC_AES_128_KEY_LEN;
+
+    client->hp.len = NGX_QUIC_AES_128_KEY_LEN;
+    server->hp.len = NGX_QUIC_AES_128_KEY_LEN;
+
+    client->iv.len = NGX_QUIC_IV_LEN;
+    server->iv.len = NGX_QUIC_IV_LEN;
+
+    /* labels per RFC 9001, 5.1. Packet Protection Keys */
+    ngx_quic_hkdf_set(&seq[0], "tls13 client in", &client->secret, &iss);
+    ngx_quic_hkdf_set(&seq[1], "tls13 quic key", &client->key, &client->secret);
+    ngx_quic_hkdf_set(&seq[2], "tls13 quic iv", &client->iv, &client->secret);
+    ngx_quic_hkdf_set(&seq[3], "tls13 quic hp", &client->hp, &client->secret);
+    ngx_quic_hkdf_set(&seq[4], "tls13 server in", &server->secret, &iss);
+    ngx_quic_hkdf_set(&seq[5], "tls13 quic key", &server->key, &server->secret);
+    ngx_quic_hkdf_set(&seq[6], "tls13 quic iv", &server->iv, &server->secret);
+    ngx_quic_hkdf_set(&seq[7], "tls13 quic hp", &server->hp, &server->secret);
+
+    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+        if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)
+{
+    size_t    info_len;
+    uint8_t  *p;
+    uint8_t   info[20];
+
+    info_len = 2 + 1 + h->label_len + 1;
+
+    info[0] = 0;
+    info[1] = h->out_len;
+    info[2] = h->label_len;
+
+    p = ngx_cpymem(&info[3], h->label, h->label_len);
+    *p = '\0';
+
+    if (ngx_hkdf_expand(h->out, h->out_len, digest,
+                        h->prk, h->prk_len, info, info_len)
+        != NGX_OK)
+    {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "ngx_hkdf_expand(%*s) failed", h->label_len, h->label);
+        return NGX_ERROR;
+    }
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic expand \"%*s\" len:%uz %*xs",
+                   h->label_len, h->label, h->out_len, h->out_len, h->out);
+#endif
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
+    const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
+{
+#ifdef OPENSSL_IS_BORINGSSL
+
+    if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
+        == 0)
+    {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+
+#else
+
+    EVP_PKEY_CTX  *pctx;
+
+    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+    if (pctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (EVP_PKEY_derive_init(pctx) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
+        goto failed;
+    }
+
+    EVP_PKEY_CTX_free(pctx);
+
+    return NGX_OK;
+
+failed:
+
+    EVP_PKEY_CTX_free(pctx);
+
+    return NGX_ERROR;
+
+#endif
+}
+
+
+static ngx_int_t
+ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
+    const u_char *secret, size_t secret_len, const u_char *salt,
+    size_t salt_len)
+{
+#ifdef OPENSSL_IS_BORINGSSL
+
+    if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
+                     salt_len)
+        == 0)
+    {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+
+#else
+
+    EVP_PKEY_CTX  *pctx;
+
+    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+    if (pctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (EVP_PKEY_derive_init(pctx) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) {
+        goto failed;
+    }
+
+    if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) {
+        goto failed;
+    }
+
+    EVP_PKEY_CTX_free(pctx);
+
+    return NGX_OK;
+
+failed:
+
+    EVP_PKEY_CTX_free(pctx);
+
+    return NGX_ERROR;
+
+#endif
+}
+
+
+static ngx_int_t
+ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
+    ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad,
+    ngx_log_t *log)
+{
+
+#ifdef OPENSSL_IS_BORINGSSL
+    EVP_AEAD_CTX  *ctx;
+
+    ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
+                           EVP_AEAD_DEFAULT_TAG_LENGTH);
+    if (ctx == NULL) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
+                          in->data, in->len, ad->data, ad->len)
+        != 1)
+    {
+        EVP_AEAD_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_open() failed");
+        return NGX_ERROR;
+    }
+
+    EVP_AEAD_CTX_free(ctx);
+#else
+    int              len;
+    u_char          *tag;
+    EVP_CIPHER_CTX  *ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
+        == 0)
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
+                          in->len - EVP_GCM_TLS_TAG_LEN)
+        != 1)
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
+        return NGX_ERROR;
+    }
+
+    out->len = len;
+    tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
+
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
+        == 0)
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed");
+        return NGX_ERROR;
+    }
+
+    out->len += len;
+
+    EVP_CIPHER_CTX_free(ctx);
+#endif
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
+    ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+{
+
+#ifdef OPENSSL_IS_BORINGSSL
+    EVP_AEAD_CTX  *ctx;
+
+    ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
+                           EVP_AEAD_DEFAULT_TAG_LENGTH);
+    if (ctx == NULL) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
+                          in->data, in->len, ad->data, ad->len)
+        != 1)
+    {
+        EVP_AEAD_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_seal() failed");
+        return NGX_ERROR;
+    }
+
+    EVP_AEAD_CTX_free(ctx);
+#else
+    int              len;
+    EVP_CIPHER_CTX  *ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
+        == 0)
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
+        return NGX_ERROR;
+    }
+
+    out->len = len;
+
+    if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_ex failed");
+        return NGX_ERROR;
+    }
+
+    out->len += len;
+
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+                            out->data + in->len)
+        == 0)
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
+        return NGX_ERROR;
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    out->len += EVP_GCM_TLS_TAG_LEN;
+#endif
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in)
+{
+    int              outlen;
+    EVP_CIPHER_CTX  *ctx;
+    u_char           zero[NGX_QUIC_HP_LEN] = {0};
+
+#ifdef OPENSSL_IS_BORINGSSL
+    uint32_t         cnt;
+
+    ngx_memcpy(&cnt, in, sizeof(uint32_t));
+
+    if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
+        CRYPTO_chacha_20(out, zero, NGX_QUIC_HP_LEN, s->hp.data, &in[4], cnt);
+        return NGX_OK;
+    }
+#endif
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, in) != 1) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
+        goto failed;
+    }
+
+    if (!EVP_EncryptUpdate(ctx, out, &outlen, zero, NGX_QUIC_HP_LEN)) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
+        goto failed;
+    }
+
+    if (!EVP_EncryptFinal_ex(ctx, out + NGX_QUIC_HP_LEN, &outlen)) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_Ex() failed");
+        goto failed;
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_OK;
+
+failed:
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
+    ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
+    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
+{
+    ngx_int_t            key_len;
+    ngx_str_t            secret_str;
+    ngx_uint_t           i;
+    ngx_quic_hkdf_t      seq[3];
+    ngx_quic_secret_t   *peer_secret;
+    ngx_quic_ciphers_t   ciphers;
+
+    peer_secret = is_write ? &keys->secrets[level].server
+                           : &keys->secrets[level].client;
+
+    keys->cipher = SSL_CIPHER_get_id(cipher);
+
+    key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+
+    if (key_len == NGX_ERROR) {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
+        return NGX_ERROR;
+    }
+
+    if (sizeof(peer_secret->secret.data) < secret_len) {
+        ngx_log_error(NGX_LOG_ALERT, log, 0,
+                      "unexpected secret len: %uz", secret_len);
+        return NGX_ERROR;
+    }
+
+    peer_secret->secret.len = secret_len;
+    ngx_memcpy(peer_secret->secret.data, secret, secret_len);
+
+    peer_secret->key.len = key_len;
+    peer_secret->iv.len = NGX_QUIC_IV_LEN;
+    peer_secret->hp.len = key_len;
+
+    secret_str.len = secret_len;
+    secret_str.data = (u_char *) secret;
+
+    ngx_quic_hkdf_set(&seq[0], "tls13 quic key",
+                      &peer_secret->key, &secret_str);
+    ngx_quic_hkdf_set(&seq[1], "tls13 quic iv", &peer_secret->iv, &secret_str);
+    ngx_quic_hkdf_set(&seq[2], "tls13 quic hp", &peer_secret->hp, &secret_str);
+
+    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_uint_t
+ngx_quic_keys_available(ngx_quic_keys_t *keys,
+    enum ssl_encryption_level_t level)
+{
+    return keys->secrets[level].client.key.len != 0;
+}
+
+
+void
+ngx_quic_keys_discard(ngx_quic_keys_t *keys,
+    enum ssl_encryption_level_t level)
+{
+    keys->secrets[level].client.key.len = 0;
+}
+
+
+void
+ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys)
+{
+    ngx_quic_secrets_t  *current, *next, tmp;
+
+    current = &keys->secrets[ssl_encryption_application];
+    next = &keys->next_key;
+
+    tmp = *current;
+    *current = *next;
+    *next = tmp;
+}
+
+
+ngx_int_t
+ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys)
+{
+    ngx_uint_t           i;
+    ngx_quic_hkdf_t      seq[6];
+    ngx_quic_ciphers_t   ciphers;
+    ngx_quic_secrets_t  *current, *next;
+
+    current = &keys->secrets[ssl_encryption_application];
+    next = &keys->next_key;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update");
+
+    if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application)
+        == NGX_ERROR)
+    {
+        return NGX_ERROR;
+    }
+
+    next->client.secret.len = current->client.secret.len;
+    next->client.key.len = current->client.key.len;
+    next->client.iv.len = NGX_QUIC_IV_LEN;
+    next->client.hp = current->client.hp;
+
+    next->server.secret.len = current->server.secret.len;
+    next->server.key.len = current->server.key.len;
+    next->server.iv.len = NGX_QUIC_IV_LEN;
+    next->server.hp = current->server.hp;
+
+    ngx_quic_hkdf_set(&seq[0], "tls13 quic ku",
+                      &next->client.secret, &current->client.secret);
+    ngx_quic_hkdf_set(&seq[1], "tls13 quic key",
+                      &next->client.key, &next->client.secret);
+    ngx_quic_hkdf_set(&seq[2], "tls13 quic iv",
+                      &next->client.iv, &next->client.secret);
+    ngx_quic_hkdf_set(&seq[3], "tls13 quic ku",
+                      &next->server.secret, &current->server.secret);
+    ngx_quic_hkdf_set(&seq[4], "tls13 quic key",
+                      &next->server.key, &next->server.secret);
+    ngx_quic_hkdf_set(&seq[5], "tls13 quic iv",
+                      &next->server.iv, &next->server.secret);
+
+    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
+{
+    u_char              *pnp, *sample;
+    ngx_str_t            ad, out;
+    ngx_uint_t           i;
+    ngx_quic_secret_t   *secret;
+    ngx_quic_ciphers_t   ciphers;
+    u_char               nonce[NGX_QUIC_IV_LEN], mask[NGX_QUIC_HP_LEN];
+
+    ad.data = res->data;
+    ad.len = ngx_quic_create_header(pkt, ad.data, &pnp);
+
+    out.len = pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.data = res->data + ad.len;
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic ad len:%uz %xV", ad.len, &ad);
+#endif
+
+    if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR)
+    {
+        return NGX_ERROR;
+    }
+
+    secret = &pkt->keys->secrets[pkt->level].server;
+
+    ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
+    ngx_quic_compute_nonce(nonce, sizeof(nonce), pkt->number);
+
+    if (ngx_quic_tls_seal(ciphers.c, secret, &out,
+                          nonce, &pkt->payload, &ad, pkt->log)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    sample = &out.data[4 - pkt->num_len];
+    if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    /* RFC 9001, 5.4.1.  Header Protection Application */
+    ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags);
+
+    for (i = 0; i < pkt->num_len; i++) {
+        pnp[i] ^= mask[i + 1];
+    }
+
+    res->len = ad.len + out.len;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
+{
+    u_char              *start;
+    ngx_str_t            ad, itag;
+    ngx_quic_secret_t    secret;
+    ngx_quic_ciphers_t   ciphers;
+
+    /* 5.8.  Retry Packet Integrity */
+    static u_char     key[16] =
+        "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
+    static u_char     nonce[NGX_QUIC_IV_LEN] =
+        "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
+    static ngx_str_t  in = ngx_string("");
+
+    ad.data = res->data;
+    ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
+
+    itag.data = ad.data + ad.len;
+    itag.len = EVP_GCM_TLS_TAG_LEN;
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic retry itag len:%uz %xV", ad.len, &ad);
+#endif
+
+    if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    secret.key.len = sizeof(key);
+    ngx_memcpy(secret.key.data, key, sizeof(key));
+    secret.iv.len = NGX_QUIC_IV_LEN;
+
+    if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    res->len = itag.data + itag.len - start;
+    res->data = start;
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_derive_key(ngx_log_t *log, const char *label, ngx_str_t *secret,
+    ngx_str_t *salt, u_char *out, size_t len)
+{
+    size_t         is_len, info_len;
+    uint8_t       *p;
+    const EVP_MD  *digest;
+
+    uint8_t        is[SHA256_DIGEST_LENGTH];
+    uint8_t        info[20];
+
+    digest = EVP_sha256();
+    is_len = SHA256_DIGEST_LENGTH;
+
+    if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
+                         salt->data, salt->len)
+        != NGX_OK)
+    {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "ngx_hkdf_extract(%s) failed", label);
+        return NGX_ERROR;
+    }
+
+    info[0] = 0;
+    info[1] = len;
+    info[2] = ngx_strlen(label);
+
+    info_len = 2 + 1 + info[2] + 1;
+
+    if (info_len >= 20) {
+        ngx_log_error(NGX_LOG_INFO, log, 0,
+                      "ngx_quic_create_key label \"%s\" too long", label);
+        return NGX_ERROR;
+    }
+
+    p = ngx_cpymem(&info[3], label, info[2]);
+    *p = '\0';
+
+    if (ngx_hkdf_expand(out, len, digest, is, is_len, info, info_len) != NGX_OK)
+    {
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "ngx_hkdf_expand(%s) failed", label);
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static uint64_t
+ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
+    uint64_t *largest_pn)
+{
+    u_char    *p;
+    uint64_t   truncated_pn, expected_pn, candidate_pn;
+    uint64_t   pn_nbits, pn_win, pn_hwin, pn_mask;
+
+    pn_nbits = ngx_min(len * 8, 62);
+
+    p = *pos;
+    truncated_pn = *p++ ^ *mask++;
+
+    while (--len) {
+        truncated_pn = (truncated_pn << 8) + (*p++ ^ *mask++);
+    }
+
+    *pos = p;
+
+    expected_pn = *largest_pn + 1;
+    pn_win = 1ULL << pn_nbits;
+    pn_hwin = pn_win / 2;
+    pn_mask = pn_win - 1;
+
+    candidate_pn = (expected_pn & ~pn_mask) | truncated_pn;
+
+    if ((int64_t) candidate_pn <= (int64_t) (expected_pn - pn_hwin)
+        && candidate_pn < (1ULL << 62) - pn_win)
+    {
+        candidate_pn += pn_win;
+
+    } else if (candidate_pn > expected_pn + pn_hwin
+               && candidate_pn >= pn_win)
+    {
+        candidate_pn -= pn_win;
+    }
+
+    *largest_pn = ngx_max((int64_t) *largest_pn, (int64_t) candidate_pn);
+
+    return candidate_pn;
+}
+
+
+void
+ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn)
+{
+    nonce[len - 8] ^= (pn >> 56) & 0x3f;
+    nonce[len - 7] ^= (pn >> 48) & 0xff;
+    nonce[len - 6] ^= (pn >> 40) & 0xff;
+    nonce[len - 5] ^= (pn >> 32) & 0xff;
+    nonce[len - 4] ^= (pn >> 24) & 0xff;
+    nonce[len - 3] ^= (pn >> 16) & 0xff;
+    nonce[len - 2] ^= (pn >> 8) & 0xff;
+    nonce[len - 1] ^= pn & 0xff;
+}
+
+
+ngx_int_t
+ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res)
+{
+    if (ngx_quic_pkt_retry(pkt->flags)) {
+        return ngx_quic_create_retry_packet(pkt, res);
+    }
+
+    return ngx_quic_create_packet(pkt, res);
+}
+
+
+ngx_int_t
+ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+{
+    u_char              *p, *sample;
+    size_t               len;
+    uint64_t             pn, lpn;
+    ngx_int_t            pnl, rc;
+    ngx_str_t            in, ad;
+    ngx_uint_t           key_phase;
+    ngx_quic_secret_t   *secret;
+    ngx_quic_ciphers_t   ciphers;
+    uint8_t              nonce[NGX_QUIC_IV_LEN], mask[NGX_QUIC_HP_LEN];
+
+    if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR)
+    {
+        return NGX_ERROR;
+    }
+
+    secret = &pkt->keys->secrets[pkt->level].client;
+
+    p = pkt->raw->pos;
+    len = pkt->data + pkt->len - p;
+
+    /*
+     * RFC 9001, 5.4.2. Header Protection Sample
+     *           5.4.3. AES-Based Header Protection
+     *           5.4.4. ChaCha20-Based Header Protection
+     *
+     * the Packet Number field is assumed to be 4 bytes long
+     * AES and ChaCha20 algorithms sample 16 bytes
+     */
+
+    if (len < EVP_GCM_TLS_TAG_LEN + 4) {
+        return NGX_DECLINED;
+    }
+
+    sample = p + 4;
+
+    /* header protection */
+
+    if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample)
+        != NGX_OK)
+    {
+        return NGX_DECLINED;
+    }
+
+    pkt->flags ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags);
+
+    if (ngx_quic_short_pkt(pkt->flags)) {
+        key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+
+        if (key_phase != pkt->key_phase) {
+            secret = &pkt->keys->next_key.client;
+            pkt->key_update = 1;
+        }
+    }
+
+    lpn = *largest_pn;
+
+    pnl = (pkt->flags & 0x03) + 1;
+    pn = ngx_quic_parse_pn(&p, pnl, &mask[1], &lpn);
+
+    pkt->pn = pn;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet rx clearflags:%xd", pkt->flags);
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet rx number:%uL len:%xi", pn, pnl);
+
+    /* packet protection */
+
+    in.data = p;
+    in.len = len - pnl;
+
+    ad.len = p - pkt->data;
+    ad.data = pkt->plaintext;
+
+    ngx_memcpy(ad.data, pkt->data, ad.len);
+    ad.data[0] = pkt->flags;
+
+    do {
+        ad.data[ad.len - pnl] = pn >> (8 * (pnl - 1)) % 256;
+    } while (--pnl);
+
+    ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
+    ngx_quic_compute_nonce(nonce, sizeof(nonce), pn);
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic ad len:%uz %xV", ad.len, &ad);
+#endif
+
+    pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN;
+    pkt->payload.data = pkt->plaintext + ad.len;
+
+    rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,
+                           nonce, &in, &ad, pkt->log);
+    if (rc != NGX_OK) {
+        return NGX_DECLINED;
+    }
+
+    if (pkt->payload.len == 0) {
+        /*
+         * RFC 9000, 12.4.  Frames and Frame Types
+         *
+         * An endpoint MUST treat receipt of a packet containing no
+         * frames as a connection error of type PROTOCOL_VIOLATION.
+         */
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet");
+        pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        return NGX_ERROR;
+    }
+
+    if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) {
+        /*
+         * RFC 9000, Reserved Bits
+         *
+         * An endpoint MUST treat receipt of a packet that has
+         * a non-zero value for these bits, after removing both
+         * packet and header protection, as a connection error
+         * of type PROTOCOL_VIOLATION.
+         */
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic reserved bit set in packet");
+        pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        return NGX_ERROR;
+    }
+
+#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet payload len:%uz %xV",
+                   pkt->payload.len, &pkt->payload);
+#endif
+
+    *largest_pn = lpn;
+
+    return NGX_OK;
+}
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -0,0 +1,114 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
+#define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+#include <ngx_event_quic_transport.h>
+
+
+#define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)
+
+/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */
+#define NGX_QUIC_IV_LEN               12
+
+/* largest hash used in TLS is SHA-384 */
+#define NGX_QUIC_MAX_MD_SIZE          48
+
+
+#ifdef OPENSSL_IS_BORINGSSL
+#define ngx_quic_cipher_t             EVP_AEAD
+#else
+#define ngx_quic_cipher_t             EVP_CIPHER
+#endif
+
+
+typedef struct {
+    size_t                    len;
+    u_char                    data[NGX_QUIC_MAX_MD_SIZE];
+} ngx_quic_md_t;
+
+
+typedef struct {
+    size_t                    len;
+    u_char                    data[NGX_QUIC_IV_LEN];
+} ngx_quic_iv_t;
+
+
+typedef struct {
+    ngx_quic_md_t             secret;
+    ngx_quic_md_t             key;
+    ngx_quic_iv_t             iv;
+    ngx_quic_md_t             hp;
+} ngx_quic_secret_t;
+
+
+typedef struct {
+    ngx_quic_secret_t         client;
+    ngx_quic_secret_t         server;
+} ngx_quic_secrets_t;
+
+
+struct ngx_quic_keys_s {
+    ngx_quic_secrets_t        secrets[NGX_QUIC_ENCRYPTION_LAST];
+    ngx_quic_secrets_t        next_key;
+    ngx_uint_t                cipher;
+};
+
+
+typedef struct {
+    const ngx_quic_cipher_t  *c;
+    const EVP_CIPHER         *hp;
+    const EVP_MD             *d;
+} ngx_quic_ciphers_t;
+
+
+typedef struct {
+    size_t                    out_len;
+    u_char                   *out;
+
+    size_t                    prk_len;
+    const uint8_t            *prk;
+
+    size_t                    label_len;
+    const u_char             *label;
+} ngx_quic_hkdf_t;
+
+#define ngx_quic_hkdf_set(seq, _label, _out, _prk)                            \
+    (seq)->out_len = (_out)->len; (seq)->out = (_out)->data;                  \
+    (seq)->prk_len = (_prk)->len, (seq)->prk = (_prk)->data,                  \
+    (seq)->label_len = (sizeof(_label) - 1); (seq)->label = (u_char *)(_label);
+
+
+ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys,
+    ngx_str_t *secret, ngx_log_t *log);
+ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_log_t *log,
+    ngx_uint_t is_write, ngx_quic_keys_t *keys,
+    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+    const uint8_t *secret, size_t secret_len);
+ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
+    enum ssl_encryption_level_t level);
+void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
+    enum ssl_encryption_level_t level);
+void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
+ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys);
+ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
+ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);
+void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
+ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+    enum ssl_encryption_level_t level);
+ngx_int_t ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher,
+    ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
+    ngx_str_t *ad, ngx_log_t *log);
+ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, const EVP_MD *digest,
+    ngx_log_t *log);
+
+
+#endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_socket.c b/src/event/quic/ngx_event_quic_socket.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_socket.c
@@ -0,0 +1,238 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+ngx_int_t
+ngx_quic_open_sockets(ngx_connection_t *c, ngx_quic_connection_t *qc,
+    ngx_quic_header_t *pkt)
+{
+    ngx_quic_socket_t     *qsock, *tmp;
+    ngx_quic_client_id_t  *cid;
+
+    /*
+     * qc->path = NULL
+     *
+     * qc->nclient_ids = 0
+     * qc->nsockets = 0
+     * qc->max_retired_seqnum = 0
+     * qc->client_seqnum = 0
+     */
+
+    ngx_queue_init(&qc->sockets);
+    ngx_queue_init(&qc->free_sockets);
+
+    ngx_queue_init(&qc->paths);
+    ngx_queue_init(&qc->free_paths);
+
+    ngx_queue_init(&qc->client_ids);
+    ngx_queue_init(&qc->free_client_ids);
+
+    qc->tp.original_dcid.len = pkt->odcid.len;
+    qc->tp.original_dcid.data = ngx_pstrdup(c->pool, &pkt->odcid);
+    if (qc->tp.original_dcid.data == NULL) {
+        return NGX_ERROR;
+    }
+
+    /* socket to use for further processing (id auto-generated) */
+    qsock = ngx_quic_create_socket(c, qc);
+    if (qsock == NULL) {
+        return NGX_ERROR;
+    }
+
+    /* socket is listening at new server id */
+    if (ngx_quic_listen(c, qc, qsock) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    qsock->used = 1;
+
+    qc->tp.initial_scid.len = qsock->sid.len;
+    qc->tp.initial_scid.data = ngx_pnalloc(c->pool, qsock->sid.len);
+    if (qc->tp.initial_scid.data == NULL) {
+        goto failed;
+    }
+    ngx_memcpy(qc->tp.initial_scid.data, qsock->sid.id, qsock->sid.len);
+
+    /* for all packets except first, this is set at udp layer */
+    c->udp = &qsock->udp;
+
+    /* ngx_quic_get_connection(c) macro is now usable */
+
+    /* we have a client identified by scid */
+    cid = ngx_quic_create_client_id(c, &pkt->scid, 0, NULL);
+    if (cid == NULL) {
+        goto failed;
+    }
+
+    /* path of the first packet is our initial active path */
+    qc->path = ngx_quic_new_path(c, c->sockaddr, c->socklen, cid);
+    if (qc->path == NULL) {
+        goto failed;
+    }
+
+    qc->path->tag = NGX_QUIC_PATH_ACTIVE;
+
+    if (pkt->validated) {
+        qc->path->validated = 1;
+        qc->path->limited = 0;
+    }
+
+    ngx_quic_path_dbg(c, "set active", qc->path);
+
+    tmp = ngx_pcalloc(c->pool, sizeof(ngx_quic_socket_t));
+    if (tmp == NULL) {
+        goto failed;
+    }
+
+    tmp->sid.seqnum = NGX_QUIC_UNSET_PN; /* temporary socket */
+
+    ngx_memcpy(tmp->sid.id, pkt->odcid.data, pkt->odcid.len);
+    tmp->sid.len = pkt->odcid.len;
+
+    if (ngx_quic_listen(c, qc, tmp) != NGX_OK) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_rbtree_delete(&c->listening->rbtree, &qsock->udp.node);
+    c->udp = NULL;
+
+    return NGX_ERROR;
+}
+
+
+ngx_quic_socket_t *
+ngx_quic_create_socket(ngx_connection_t *c, ngx_quic_connection_t *qc)
+{
+    ngx_queue_t        *q;
+    ngx_quic_socket_t  *sock;
+
+    if (!ngx_queue_empty(&qc->free_sockets)) {
+
+        q = ngx_queue_head(&qc->free_sockets);
+        sock = ngx_queue_data(q, ngx_quic_socket_t, queue);
+
+        ngx_queue_remove(&sock->queue);
+
+        ngx_memzero(sock, sizeof(ngx_quic_socket_t));
+
+    } else {
+
+        sock = ngx_pcalloc(c->pool, sizeof(ngx_quic_socket_t));
+        if (sock == NULL) {
+            return NULL;
+        }
+    }
+
+    sock->sid.len = NGX_QUIC_SERVER_CID_LEN;
+    if (ngx_quic_create_server_id(c, sock->sid.id) != NGX_OK) {
+        return NULL;
+    }
+
+    sock->sid.seqnum = qc->server_seqnum++;
+
+    return sock;
+}
+
+
+void
+ngx_quic_close_socket(ngx_connection_t *c, ngx_quic_socket_t *qsock)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ngx_queue_remove(&qsock->queue);
+    ngx_queue_insert_head(&qc->free_sockets, &qsock->queue);
+
+    ngx_rbtree_delete(&c->listening->rbtree, &qsock->udp.node);
+    qc->nsockets--;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic socket seq:%L closed nsock:%ui",
+                   (int64_t) qsock->sid.seqnum, qc->nsockets);
+}
+
+
+ngx_int_t
+ngx_quic_listen(ngx_connection_t *c, ngx_quic_connection_t *qc,
+    ngx_quic_socket_t *qsock)
+{
+    ngx_str_t              id;
+    ngx_quic_server_id_t  *sid;
+
+    sid = &qsock->sid;
+
+    id.data = sid->id;
+    id.len = sid->len;
+
+    qsock->udp.connection = c;
+    qsock->udp.node.key = ngx_crc32_long(id.data, id.len);
+    qsock->udp.key = id;
+
+    ngx_rbtree_insert(&c->listening->rbtree, &qsock->udp.node);
+
+    ngx_queue_insert_tail(&qc->sockets, &qsock->queue);
+
+    qc->nsockets++;
+    qsock->quic = qc;
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic socket seq:%L listening at sid:%xV nsock:%ui",
+                   (int64_t) sid->seqnum, &id, qc->nsockets);
+
+    return NGX_OK;
+}
+
+
+void
+ngx_quic_close_sockets(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    while (!ngx_queue_empty(&qc->sockets)) {
+        q = ngx_queue_head(&qc->sockets);
+        qsock = ngx_queue_data(q, ngx_quic_socket_t, queue);
+
+        ngx_quic_close_socket(c, qsock);
+    }
+}
+
+
+ngx_quic_socket_t *
+ngx_quic_find_socket(ngx_connection_t *c, uint64_t seqnum)
+{
+    ngx_queue_t            *q;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    for (q = ngx_queue_head(&qc->sockets);
+         q != ngx_queue_sentinel(&qc->sockets);
+         q = ngx_queue_next(q))
+    {
+        qsock = ngx_queue_data(q, ngx_quic_socket_t, queue);
+
+        if (qsock->sid.seqnum == seqnum) {
+            return qsock;
+        }
+    }
+
+    return NULL;
+}
diff --git a/src/event/quic/ngx_event_quic_socket.h b/src/event/quic/ngx_event_quic_socket.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_socket.h
@@ -0,0 +1,28 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_SOCKET_H_INCLUDED_
+#define _NGX_EVENT_QUIC_SOCKET_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+ngx_int_t ngx_quic_open_sockets(ngx_connection_t *c,
+    ngx_quic_connection_t *qc, ngx_quic_header_t *pkt);
+void ngx_quic_close_sockets(ngx_connection_t *c);
+
+ngx_quic_socket_t *ngx_quic_create_socket(ngx_connection_t *c,
+    ngx_quic_connection_t *qc);
+ngx_int_t ngx_quic_listen(ngx_connection_t *c, ngx_quic_connection_t *qc,
+    ngx_quic_socket_t *qsock);
+void ngx_quic_close_socket(ngx_connection_t *c, ngx_quic_socket_t *qsock);
+
+ngx_quic_socket_t *ngx_quic_find_socket(ngx_connection_t *c, uint64_t seqnum);
+
+
+#endif /* _NGX_EVENT_QUIC_SOCKET_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -0,0 +1,600 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#if defined OPENSSL_IS_BORINGSSL                                              \
+    || defined LIBRESSL_VERSION_NUMBER                                        \
+    || NGX_QUIC_OPENSSL_COMPAT
+#define NGX_QUIC_BORINGSSL_API   1
+#endif
+
+
+/*
+ * RFC 9000, 7.5.  Cryptographic Message Buffering
+ *
+ * Implementations MUST support buffering at least 4096 bytes of data
+ */
+#define NGX_QUIC_MAX_BUFFERED    65535
+
+
+#if (NGX_QUIC_BORINGSSL_API)
+static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+    const uint8_t *secret, size_t secret_len);
+static int ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+    const uint8_t *secret, size_t secret_len);
+#else
+static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const uint8_t *read_secret,
+    const uint8_t *write_secret, size_t secret_len);
+#endif
+
+static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const uint8_t *data, size_t len);
+static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn);
+static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, uint8_t alert);
+static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data);
+
+
+#if (NGX_QUIC_BORINGSSL_API)
+
+static int
+ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+    const uint8_t *rsecret, size_t secret_len)
+{
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+    qc = ngx_quic_get_connection(c);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_set_read_secret() level:%d", level);
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic read secret len:%uz %*xs", secret_len,
+                   secret_len, rsecret);
+#endif
+
+    if (ngx_quic_keys_set_encryption_secret(c->log, 0, qc->keys, level,
+                                            cipher, rsecret, secret_len)
+        != NGX_OK)
+    {
+        return 0;
+    }
+
+    return 1;
+}
+
+
+static int
+ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+    const uint8_t *wsecret, size_t secret_len)
+{
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+    qc = ngx_quic_get_connection(c);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_set_write_secret() level:%d", level);
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic write secret len:%uz %*xs", secret_len,
+                   secret_len, wsecret);
+#endif
+
+    if (ngx_quic_keys_set_encryption_secret(c->log, 1, qc->keys, level,
+                                            cipher, wsecret, secret_len)
+        != NGX_OK)
+    {
+        return 0;
+    }
+
+    return 1;
+}
+
+#else
+
+static int
+ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const uint8_t *rsecret,
+    const uint8_t *wsecret, size_t secret_len)
+{
+    ngx_connection_t       *c;
+    const SSL_CIPHER       *cipher;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+    qc = ngx_quic_get_connection(c);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_set_encryption_secrets() level:%d", level);
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic read secret len:%uz %*xs", secret_len,
+                   secret_len, rsecret);
+#endif
+
+    cipher = SSL_get_current_cipher(ssl_conn);
+
+    if (ngx_quic_keys_set_encryption_secret(c->log, 0, qc->keys, level,
+                                            cipher, rsecret, secret_len)
+        != NGX_OK)
+    {
+        return 0;
+    }
+
+    if (level == ssl_encryption_early_data) {
+        return 1;
+    }
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic write secret len:%uz %*xs", secret_len,
+                   secret_len, wsecret);
+#endif
+
+    if (ngx_quic_keys_set_encryption_secret(c->log, 1, qc->keys, level,
+                                            cipher, wsecret, secret_len)
+        != NGX_OK)
+    {
+        return 0;
+    }
+
+    return 1;
+}
+
+#endif
+
+
+static int
+ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
+    enum ssl_encryption_level_t level, const uint8_t *data, size_t len)
+{
+    u_char                 *p, *end;
+    size_t                  client_params_len;
+    ngx_chain_t            *out;
+    const uint8_t          *client_params;
+    ngx_quic_tp_t           ctp;
+    ngx_quic_frame_t       *frame;
+    ngx_connection_t       *c;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+    unsigned int            alpn_len;
+    const unsigned char    *alpn_data;
+#endif
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+    qc = ngx_quic_get_connection(c);
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_add_handshake_data");
+
+    if (!qc->client_tp_done) {
+        /*
+         * things to do once during handshake: check ALPN and transport
+         * parameters; we want to break handshake if something is wrong
+         * here;
+         */
+
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+
+        SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
+
+        if (alpn_len == 0) {
+            qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
+            qc->error_reason = "unsupported protocol in ALPN extension";
+
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic unsupported protocol in ALPN extension");
+            return 0;
+        }
+
+#endif
+
+        SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
+                                           &client_params_len);
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic SSL_get_peer_quic_transport_params():"
+                       " params_len:%ui", client_params_len);
+
+        if (client_params_len == 0) {
+            /* RFC 9001, 8.2.  QUIC Transport Parameters Extension */
+            qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_MISSING_EXTENSION);
+            qc->error_reason = "missing transport parameters";
+
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "missing transport parameters");
+            return 0;
+        }
+
+        p = (u_char *) client_params;
+        end = p + client_params_len;
+
+        /* defaults for parameters not sent by client */
+        ngx_memcpy(&ctp, &qc->ctp, sizeof(ngx_quic_tp_t));
+
+        if (ngx_quic_parse_transport_params(p, end, &ctp, c->log)
+            != NGX_OK)
+        {
+            qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+            qc->error_reason = "failed to process transport parameters";
+
+            return 0;
+        }
+
+        if (ngx_quic_apply_transport_params(c, &ctp) != NGX_OK) {
+            return 0;
+        }
+
+        qc->client_tp_done = 1;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, level);
+
+    out = ngx_quic_copy_buffer(c, (u_char *) data, len);
+    if (out == NGX_CHAIN_ERROR) {
+        return 0;
+    }
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return 0;
+    }
+
+    frame->data = out;
+    frame->level = level;
+    frame->type = NGX_QUIC_FT_CRYPTO;
+    frame->u.crypto.offset = ctx->crypto_sent;
+    frame->u.crypto.length = len;
+
+    ctx->crypto_sent += len;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return 1;
+}
+
+
+static int
+ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn)
+{
+#if (NGX_DEBUG)
+    ngx_connection_t  *c;
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_flush_flight()");
+#endif
+    return 1;
+}
+
+
+static int
+ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
+    uint8_t alert)
+{
+    ngx_connection_t       *c;
+    ngx_quic_connection_t  *qc;
+
+    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic ngx_quic_send_alert() level:%s alert:%d",
+                   ngx_quic_level_name(level), (int) alert);
+
+    /* already closed on regular shutdown */
+
+    qc = ngx_quic_get_connection(c);
+    if (qc == NULL) {
+        return 1;
+    }
+
+    qc->error = NGX_QUIC_ERR_CRYPTO(alert);
+    qc->error_reason = "handshake failed";
+
+    return 1;
+}
+
+
+ngx_int_t
+ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
+    ngx_quic_frame_t *frame)
+{
+    uint64_t                  last;
+    ngx_chain_t              *cl;
+    ngx_quic_send_ctx_t      *ctx;
+    ngx_quic_connection_t    *qc;
+    ngx_quic_crypto_frame_t  *f;
+
+    qc = ngx_quic_get_connection(c);
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+    f = &frame->u.crypto;
+
+    /* no overflow since both values are 62-bit */
+    last = f->offset + f->length;
+
+    if (last > ctx->crypto.offset + NGX_QUIC_MAX_BUFFERED) {
+        qc->error = NGX_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED;
+        return NGX_ERROR;
+    }
+
+    if (last <= ctx->crypto.offset) {
+        if (pkt->level == ssl_encryption_initial) {
+            /* speeding up handshake completion */
+
+            if (!ngx_queue_empty(&ctx->sent)) {
+                ngx_quic_resend_frames(c, ctx);
+
+                ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_handshake);
+                while (!ngx_queue_empty(&ctx->sent)) {
+                    ngx_quic_resend_frames(c, ctx);
+                }
+            }
+        }
+
+        return NGX_OK;
+    }
+
+    if (f->offset == ctx->crypto.offset) {
+        if (ngx_quic_crypto_input(c, frame->data) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        ngx_quic_skip_buffer(c, &ctx->crypto, last);
+
+    } else {
+        if (ngx_quic_write_buffer(c, &ctx->crypto, frame->data, f->length,
+                                  f->offset)
+            == NGX_CHAIN_ERROR)
+        {
+            return NGX_ERROR;
+        }
+    }
+
+    cl = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);
+
+    if (cl) {
+        if (ngx_quic_crypto_input(c, cl) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        ngx_quic_free_chain(c, cl);
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
+{
+    int                     n, sslerr;
+    ngx_buf_t              *b;
+    ngx_chain_t            *cl;
+    ngx_ssl_conn_t         *ssl_conn;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    ssl_conn = c->ssl->connection;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
+                   (int) SSL_quic_read_level(ssl_conn),
+                   (int) SSL_quic_write_level(ssl_conn));
+
+    for (cl = data; cl; cl = cl->next) {
+        b = cl->buf;
+
+        if (!SSL_provide_quic_data(ssl_conn, SSL_quic_read_level(ssl_conn),
+                                   b->pos, b->last - b->pos))
+        {
+            ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
+                          "SSL_provide_quic_data() failed");
+            return NGX_ERROR;
+        }
+    }
+
+    n = SSL_do_handshake(ssl_conn);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
+                   (int) SSL_quic_read_level(ssl_conn),
+                   (int) SSL_quic_write_level(ssl_conn));
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
+
+    if (n <= 0) {
+        sslerr = SSL_get_error(ssl_conn, n);
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
+                       sslerr);
+
+        if (sslerr != SSL_ERROR_WANT_READ) {
+
+            if (c->ssl->handshake_rejected) {
+                ngx_connection_error(c, 0, "handshake rejected");
+                ERR_clear_error();
+
+                return NGX_ERROR;
+            }
+
+            ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
+            return NGX_ERROR;
+        }
+    }
+
+    if (n <= 0 || SSL_in_init(ssl_conn)) {
+        if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data)
+            && qc->client_tp_done)
+        {
+            if (ngx_quic_init_streams(c) != NGX_OK) {
+                return NGX_ERROR;
+            }
+        }
+
+        return NGX_OK;
+    }
+
+#if (NGX_DEBUG)
+    ngx_ssl_handshake_log(c);
+#endif
+
+    c->ssl->handshaked = 1;
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_HANDSHAKE_DONE;
+    ngx_quic_queue_frame(qc, frame);
+
+    if (qc->conf->retry) {
+        if (ngx_quic_send_new_token(c, qc->path) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    /*
+     * RFC 9001, 9.5.  Header Protection Timing Side Channels
+     *
+     * Generating next keys before a key update is received.
+     */
+
+    if (ngx_quic_keys_update(c, qc->keys) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    /*
+     * RFC 9001, 4.9.2.  Discarding Handshake Keys
+     *
+     * An endpoint MUST discard its Handshake keys
+     * when the TLS handshake is confirmed.
+     */
+    ngx_quic_discard_ctx(c, ssl_encryption_handshake);
+
+    /* start accepting clients on negotiated number of server ids */
+    if (ngx_quic_create_sockets(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_quic_init_streams(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_init_connection(ngx_connection_t *c)
+{
+    u_char                  *p;
+    size_t                   clen;
+    ssize_t                  len;
+    ngx_str_t                dcid;
+    ngx_ssl_conn_t          *ssl_conn;
+    ngx_quic_socket_t       *qsock;
+    ngx_quic_connection_t   *qc;
+    static SSL_QUIC_METHOD   quic_method;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (ngx_ssl_create_connection(qc->conf->ssl, c, 0) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    c->ssl->no_wait_shutdown = 1;
+
+    ssl_conn = c->ssl->connection;
+
+    if (!quic_method.send_alert) {
+#if (NGX_QUIC_BORINGSSL_API)
+        quic_method.set_read_secret = ngx_quic_set_read_secret;
+        quic_method.set_write_secret = ngx_quic_set_write_secret;
+#else
+        quic_method.set_encryption_secrets = ngx_quic_set_encryption_secrets;
+#endif
+        quic_method.add_handshake_data = ngx_quic_add_handshake_data;
+        quic_method.flush_flight = ngx_quic_flush_flight;
+        quic_method.send_alert = ngx_quic_send_alert;
+    }
+
+    if (SSL_set_quic_method(ssl_conn, &quic_method) == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic SSL_set_quic_method() failed");
+        return NGX_ERROR;
+    }
+
+#ifdef OPENSSL_INFO_QUIC
+    if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
+        SSL_set_quic_early_data_enabled(ssl_conn, 1);
+    }
+#endif
+
+    qsock = ngx_quic_get_socket(c);
+
+    dcid.data = qsock->sid.id;
+    dcid.len = qsock->sid.len;
+
+    if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key, qc->tp.sr_token)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    len = ngx_quic_create_transport_params(NULL, NULL, &qc->tp, &clen);
+    /* always succeeds */
+
+    p = ngx_pnalloc(c->pool, len);
+    if (p == NULL) {
+        return NGX_ERROR;
+    }
+
+    len = ngx_quic_create_transport_params(p, p + len, &qc->tp, NULL);
+    if (len < 0) {
+        return NGX_ERROR;
+    }
+
+#ifdef NGX_QUIC_DEBUG_PACKETS
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic transport parameters len:%uz %*xs", len, len, p);
+#endif
+
+    if (SSL_set_quic_transport_params(ssl_conn, p, len) == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic SSL_set_quic_transport_params() failed");
+        return NGX_ERROR;
+    }
+
+#ifdef OPENSSL_IS_BORINGSSL
+    if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic SSL_set_quic_early_data_context() failed");
+        return NGX_ERROR;
+    }
+#endif
+
+    return NGX_OK;
+}
diff --git a/src/event/quic/ngx_event_quic_ssl.h b/src/event/quic/ngx_event_quic_ssl.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_ssl.h
@@ -0,0 +1,19 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_SSL_H_INCLUDED_
+#define _NGX_EVENT_QUIC_SSL_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+ngx_int_t ngx_quic_init_connection(ngx_connection_t *c);
+
+ngx_int_t ngx_quic_handle_crypto_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_frame_t *frame);
+
+#endif /* _NGX_EVENT_QUIC_SSL_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -0,0 +1,1807 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#define NGX_QUIC_STREAM_GONE     (void *) -1
+
+
+static ngx_int_t ngx_quic_do_reset_stream(ngx_quic_stream_t *qs,
+    ngx_uint_t err);
+static ngx_int_t ngx_quic_shutdown_stream_send(ngx_connection_t *c);
+static ngx_int_t ngx_quic_shutdown_stream_recv(ngx_connection_t *c);
+static ngx_quic_stream_t *ngx_quic_get_stream(ngx_connection_t *c, uint64_t id);
+static ngx_int_t ngx_quic_reject_stream(ngx_connection_t *c, uint64_t id);
+static void ngx_quic_init_stream_handler(ngx_event_t *ev);
+static void ngx_quic_init_streams_handler(ngx_connection_t *c);
+static ngx_int_t ngx_quic_do_init_streams(ngx_connection_t *c);
+static ngx_quic_stream_t *ngx_quic_create_stream(ngx_connection_t *c,
+    uint64_t id);
+static void ngx_quic_empty_handler(ngx_event_t *ev);
+static ssize_t ngx_quic_stream_recv(ngx_connection_t *c, u_char *buf,
+    size_t size);
+static ssize_t ngx_quic_stream_send(ngx_connection_t *c, u_char *buf,
+    size_t size);
+static ngx_chain_t *ngx_quic_stream_send_chain(ngx_connection_t *c,
+    ngx_chain_t *in, off_t limit);
+static ngx_int_t ngx_quic_stream_flush(ngx_quic_stream_t *qs);
+static void ngx_quic_stream_cleanup_handler(void *data);
+static ngx_int_t ngx_quic_close_stream(ngx_quic_stream_t *qs);
+static ngx_int_t ngx_quic_can_shutdown(ngx_connection_t *c);
+static ngx_int_t ngx_quic_control_flow(ngx_quic_stream_t *qs, uint64_t last);
+static ngx_int_t ngx_quic_update_flow(ngx_quic_stream_t *qs, uint64_t last);
+static ngx_int_t ngx_quic_update_max_stream_data(ngx_quic_stream_t *qs);
+static ngx_int_t ngx_quic_update_max_data(ngx_connection_t *c);
+static void ngx_quic_set_event(ngx_event_t *ev);
+
+
+ngx_connection_t *
+ngx_quic_open_stream(ngx_connection_t *c, ngx_uint_t bidi)
+{
+    uint64_t                id;
+    ngx_connection_t       *pc, *sc;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    pc = c->quic ? c->quic->parent : c;
+    qc = ngx_quic_get_connection(pc);
+
+    if (qc->closing) {
+        return NULL;
+    }
+
+    if (bidi) {
+        if (qc->streams.server_streams_bidi
+            >= qc->streams.server_max_streams_bidi)
+        {
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic too many server bidi streams:%uL",
+                           qc->streams.server_streams_bidi);
+            return NULL;
+        }
+
+        id = (qc->streams.server_streams_bidi << 2)
+             | NGX_QUIC_STREAM_SERVER_INITIATED;
+
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic creating server bidi stream"
+                       " streams:%uL max:%uL id:0x%xL",
+                       qc->streams.server_streams_bidi,
+                       qc->streams.server_max_streams_bidi, id);
+
+        qc->streams.server_streams_bidi++;
+
+    } else {
+        if (qc->streams.server_streams_uni
+            >= qc->streams.server_max_streams_uni)
+        {
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic too many server uni streams:%uL",
+                           qc->streams.server_streams_uni);
+            return NULL;
+        }
+
+        id = (qc->streams.server_streams_uni << 2)
+             | NGX_QUIC_STREAM_SERVER_INITIATED
+             | NGX_QUIC_STREAM_UNIDIRECTIONAL;
+
+        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic creating server uni stream"
+                       " streams:%uL max:%uL id:0x%xL",
+                       qc->streams.server_streams_uni,
+                       qc->streams.server_max_streams_uni, id);
+
+        qc->streams.server_streams_uni++;
+    }
+
+    qs = ngx_quic_create_stream(pc, id);
+    if (qs == NULL) {
+        return NULL;
+    }
+
+    sc = qs->connection;
+
+    sc->write->active = 1;
+    sc->write->ready = 1;
+
+    if (bidi) {
+        sc->read->active = 1;
+    }
+
+    return sc;
+}
+
+
+void
+ngx_quic_rbtree_insert_stream(ngx_rbtree_node_t *temp,
+    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
+{
+    ngx_rbtree_node_t  **p;
+    ngx_quic_stream_t   *qn, *qnt;
+
+    for ( ;; ) {
+        qn = (ngx_quic_stream_t *) node;
+        qnt = (ngx_quic_stream_t *) temp;
+
+        p = (qn->id < qnt->id) ? &temp->left : &temp->right;
+
+        if (*p == sentinel) {
+            break;
+        }
+
+        temp = *p;
+    }
+
+    *p = node;
+    node->parent = temp;
+    node->left = sentinel;
+    node->right = sentinel;
+    ngx_rbt_red(node);
+}
+
+
+ngx_quic_stream_t *
+ngx_quic_find_stream(ngx_rbtree_t *rbtree, uint64_t id)
+{
+    ngx_rbtree_node_t  *node, *sentinel;
+    ngx_quic_stream_t  *qn;
+
+    node = rbtree->root;
+    sentinel = rbtree->sentinel;
+
+    while (node != sentinel) {
+        qn = (ngx_quic_stream_t *) node;
+
+        if (id == qn->id) {
+            return qn;
+        }
+
+        node = (id < qn->id) ? node->left : node->right;
+    }
+
+    return NULL;
+}
+
+
+ngx_int_t
+ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
+{
+    ngx_pool_t         *pool;
+    ngx_queue_t        *q;
+    ngx_rbtree_t       *tree;
+    ngx_connection_t   *sc;
+    ngx_rbtree_node_t  *node;
+    ngx_quic_stream_t  *qs;
+
+    while (!ngx_queue_empty(&qc->streams.uninitialized)) {
+        q = ngx_queue_head(&qc->streams.uninitialized);
+        ngx_queue_remove(q);
+
+        qs = ngx_queue_data(q, ngx_quic_stream_t, queue);
+        pool = qs->connection->pool;
+
+        ngx_close_connection(qs->connection);
+        ngx_destroy_pool(pool);
+    }
+
+    tree = &qc->streams.tree;
+
+    if (tree->root == tree->sentinel) {
+        return NGX_OK;
+    }
+
+    node = ngx_rbtree_min(tree->root, tree->sentinel);
+
+    while (node) {
+        qs = (ngx_quic_stream_t *) node;
+        node = ngx_rbtree_next(tree, node);
+        sc = qs->connection;
+
+        qs->recv_state = NGX_QUIC_STREAM_RECV_RESET_RECVD;
+        qs->send_state = NGX_QUIC_STREAM_SEND_RESET_SENT;
+
+        if (sc == NULL) {
+            ngx_quic_close_stream(qs);
+            continue;
+        }
+
+        sc->read->error = 1;
+        sc->write->error = 1;
+
+        ngx_quic_set_event(sc->read);
+        ngx_quic_set_event(sc->write);
+
+        sc->close = 1;
+        sc->read->handler(sc->read);
+    }
+
+    if (tree->root == tree->sentinel) {
+        return NGX_OK;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic connection has active streams");
+
+    return NGX_AGAIN;
+}
+
+
+ngx_int_t
+ngx_quic_reset_stream(ngx_connection_t *c, ngx_uint_t err)
+{
+    return ngx_quic_do_reset_stream(c->quic, err);
+}
+
+
+static ngx_int_t
+ngx_quic_do_reset_stream(ngx_quic_stream_t *qs, ngx_uint_t err)
+{
+    ngx_connection_t       *pc;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    if (qs->send_state == NGX_QUIC_STREAM_SEND_DATA_RECVD
+        || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
+        || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
+    {
+        return NGX_OK;
+    }
+
+    qs->send_state = NGX_QUIC_STREAM_SEND_RESET_SENT;
+    qs->send_final_size = qs->send_offset;
+
+    if (qs->connection) {
+        qs->connection->write->error = 1;
+    }
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL reset", qs->id);
+
+    frame = ngx_quic_alloc_frame(pc);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_RESET_STREAM;
+    frame->u.reset_stream.id = qs->id;
+    frame->u.reset_stream.error_code = err;
+    frame->u.reset_stream.final_size = qs->send_offset;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    ngx_quic_free_buffer(pc, &qs->send);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_shutdown_stream(ngx_connection_t *c, int how)
+{
+    if (how == NGX_RDWR_SHUTDOWN || how == NGX_WRITE_SHUTDOWN) {
+        if (ngx_quic_shutdown_stream_send(c) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    if (how == NGX_RDWR_SHUTDOWN || how == NGX_READ_SHUTDOWN) {
+        if (ngx_quic_shutdown_stream_recv(c) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_shutdown_stream_send(ngx_connection_t *c)
+{
+    ngx_quic_stream_t  *qs;
+
+    qs = c->quic;
+
+    if (qs->send_state != NGX_QUIC_STREAM_SEND_READY
+        && qs->send_state != NGX_QUIC_STREAM_SEND_SEND)
+    {
+        return NGX_OK;
+    }
+
+    qs->send_state = NGX_QUIC_STREAM_SEND_SEND;
+    qs->send_final_size = c->sent;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, qs->parent->log, 0,
+                   "quic stream id:0x%xL send shutdown", qs->id);
+
+    return ngx_quic_stream_flush(qs);
+}
+
+
+static ngx_int_t
+ngx_quic_shutdown_stream_recv(ngx_connection_t *c)
+{
+    ngx_connection_t       *pc;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qs = c->quic;
+
+    if (qs->recv_state != NGX_QUIC_STREAM_RECV_RECV
+        && qs->recv_state != NGX_QUIC_STREAM_RECV_SIZE_KNOWN)
+    {
+        return NGX_OK;
+    }
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (qc->conf->stream_close_code == 0) {
+        return NGX_OK;
+    }
+
+    frame = ngx_quic_alloc_frame(pc);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL recv shutdown", qs->id);
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_STOP_SENDING;
+    frame->u.stop_sending.id = qs->id;
+    frame->u.stop_sending.error_code = qc->conf->stream_close_code;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+static ngx_quic_stream_t *
+ngx_quic_get_stream(ngx_connection_t *c, uint64_t id)
+{
+    uint64_t                min_id;
+    ngx_event_t            *rev;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    qs = ngx_quic_find_stream(&qc->streams.tree, id);
+
+    if (qs) {
+        return qs;
+    }
+
+    if (qc->shutdown || qc->closing) {
+        return NGX_QUIC_STREAM_GONE;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stream id:0x%xL is missing", id);
+
+    if (id & NGX_QUIC_STREAM_UNIDIRECTIONAL) {
+
+        if (id & NGX_QUIC_STREAM_SERVER_INITIATED) {
+            if ((id >> 2) < qc->streams.server_streams_uni) {
+                return NGX_QUIC_STREAM_GONE;
+            }
+
+            qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+            return NULL;
+        }
+
+        if ((id >> 2) < qc->streams.client_streams_uni) {
+            return NGX_QUIC_STREAM_GONE;
+        }
+
+        if ((id >> 2) >= qc->streams.client_max_streams_uni) {
+            qc->error = NGX_QUIC_ERR_STREAM_LIMIT_ERROR;
+            return NULL;
+        }
+
+        min_id = (qc->streams.client_streams_uni << 2)
+                 | NGX_QUIC_STREAM_UNIDIRECTIONAL;
+        qc->streams.client_streams_uni = (id >> 2) + 1;
+
+    } else {
+
+        if (id & NGX_QUIC_STREAM_SERVER_INITIATED) {
+            if ((id >> 2) < qc->streams.server_streams_bidi) {
+                return NGX_QUIC_STREAM_GONE;
+            }
+
+            qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+            return NULL;
+        }
+
+        if ((id >> 2) < qc->streams.client_streams_bidi) {
+            return NGX_QUIC_STREAM_GONE;
+        }
+
+        if ((id >> 2) >= qc->streams.client_max_streams_bidi) {
+            qc->error = NGX_QUIC_ERR_STREAM_LIMIT_ERROR;
+            return NULL;
+        }
+
+        min_id = (qc->streams.client_streams_bidi << 2);
+        qc->streams.client_streams_bidi = (id >> 2) + 1;
+    }
+
+    /*
+     * RFC 9000, 2.1.  Stream Types and Identifiers
+     *
+     * successive streams of each type are created with numerically increasing
+     * stream IDs.  A stream ID that is used out of order results in all
+     * streams of that type with lower-numbered stream IDs also being opened.
+     */
+
+#if (NGX_SUPPRESS_WARN)
+    qs = NULL;
+#endif
+
+    for ( /* void */ ; min_id <= id; min_id += 0x04) {
+
+        qs = ngx_quic_create_stream(c, min_id);
+
+        if (qs == NULL) {
+            if (ngx_quic_reject_stream(c, min_id) != NGX_OK) {
+                return NULL;
+            }
+
+            continue;
+        }
+
+        ngx_queue_insert_tail(&qc->streams.uninitialized, &qs->queue);
+
+        rev = qs->connection->read;
+        rev->handler = ngx_quic_init_stream_handler;
+
+        if (qc->streams.initialized) {
+            ngx_post_event(rev, &ngx_posted_events);
+
+            if (qc->push.posted) {
+                /*
+                 * The posted stream can produce output immediately.
+                 * By postponing the push event, we coalesce the stream
+                 * output with queued frames in one UDP datagram.
+                 */
+
+                ngx_delete_posted_event(&qc->push);
+                ngx_post_event(&qc->push, &ngx_posted_events);
+            }
+        }
+    }
+
+    if (qs == NULL) {
+        return NGX_QUIC_STREAM_GONE;
+    }
+
+    return qs;
+}
+
+
+static ngx_int_t
+ngx_quic_reject_stream(ngx_connection_t *c, uint64_t id)
+{
+    uint64_t                code;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    code = (id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+           ? qc->conf->stream_reject_code_uni
+           : qc->conf->stream_reject_code_bidi;
+
+    if (code == 0) {
+        return NGX_DECLINED;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stream id:0x%xL reject err:0x%xL", id, code);
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_RESET_STREAM;
+    frame->u.reset_stream.id = id;
+    frame->u.reset_stream.error_code = code;
+    frame->u.reset_stream.final_size = 0;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_STOP_SENDING;
+    frame->u.stop_sending.id = id;
+    frame->u.stop_sending.error_code = code;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_init_stream_handler(ngx_event_t *ev)
+{
+    ngx_connection_t   *c;
+    ngx_quic_stream_t  *qs;
+
+    c = ev->data;
+    qs = c->quic;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic init stream");
+
+    if ((qs->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) == 0) {
+        c->write->active = 1;
+        c->write->ready = 1;
+    }
+
+    c->read->active = 1;
+
+    ngx_queue_remove(&qs->queue);
+
+    c->listening->handler(c);
+}
+
+
+ngx_int_t
+ngx_quic_init_streams(ngx_connection_t *c)
+{
+    ngx_int_t               rc;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc->streams.initialized) {
+        return NGX_OK;
+    }
+
+    rc = ngx_ssl_ocsp_validate(c);
+
+    if (rc == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    if (rc == NGX_AGAIN) {
+        c->ssl->handler = ngx_quic_init_streams_handler;
+        return NGX_OK;
+    }
+
+    return ngx_quic_do_init_streams(c);
+}
+
+
+static void
+ngx_quic_init_streams_handler(ngx_connection_t *c)
+{
+    if (ngx_quic_do_init_streams(c) != NGX_OK) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_do_init_streams(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic init streams");
+
+    qc = ngx_quic_get_connection(c);
+
+    if (qc->conf->init) {
+        if (qc->conf->init(c) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    for (q = ngx_queue_head(&qc->streams.uninitialized);
+         q != ngx_queue_sentinel(&qc->streams.uninitialized);
+         q = ngx_queue_next(q))
+    {
+        qs = ngx_queue_data(q, ngx_quic_stream_t, queue);
+        ngx_post_event(qs->connection->read, &ngx_posted_events);
+    }
+
+    qc->streams.initialized = 1;
+
+    return NGX_OK;
+}
+
+
+static ngx_quic_stream_t *
+ngx_quic_create_stream(ngx_connection_t *c, uint64_t id)
+{
+    ngx_str_t               addr_text;
+    ngx_log_t              *log;
+    ngx_pool_t             *pool;
+    ngx_uint_t              reusable;
+    ngx_queue_t            *q;
+    struct sockaddr        *sockaddr;
+    ngx_connection_t       *sc;
+    ngx_quic_stream_t      *qs;
+    ngx_pool_cleanup_t     *cln;
+    ngx_quic_connection_t  *qc;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stream id:0x%xL create", id);
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_queue_empty(&qc->streams.free)) {
+        q = ngx_queue_head(&qc->streams.free);
+        qs = ngx_queue_data(q, ngx_quic_stream_t, queue);
+        ngx_queue_remove(&qs->queue);
+
+    } else {
+        /*
+         * the number of streams is limited by transport
+         * parameters and application requirements
+         */
+
+        qs = ngx_palloc(c->pool, sizeof(ngx_quic_stream_t));
+        if (qs == NULL) {
+            return NULL;
+        }
+    }
+
+    ngx_memzero(qs, sizeof(ngx_quic_stream_t));
+
+    qs->node.key = id;
+    qs->parent = c;
+    qs->id = id;
+    qs->send_final_size = (uint64_t) -1;
+    qs->recv_final_size = (uint64_t) -1;
+
+    pool = ngx_create_pool(NGX_DEFAULT_POOL_SIZE, c->log);
+    if (pool == NULL) {
+        ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+        return NULL;
+    }
+
+    log = ngx_palloc(pool, sizeof(ngx_log_t));
+    if (log == NULL) {
+        ngx_destroy_pool(pool);
+        ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+        return NULL;
+    }
+
+    *log = *c->log;
+    pool->log = log;
+
+    sockaddr = ngx_palloc(pool, c->socklen);
+    if (sockaddr == NULL) {
+        ngx_destroy_pool(pool);
+        ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+        return NULL;
+    }
+
+    ngx_memcpy(sockaddr, c->sockaddr, c->socklen);
+
+    if (c->addr_text.data) {
+        addr_text.data = ngx_pnalloc(pool, c->addr_text.len);
+        if (addr_text.data == NULL) {
+            ngx_destroy_pool(pool);
+            ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+            return NULL;
+        }
+
+        ngx_memcpy(addr_text.data, c->addr_text.data, c->addr_text.len);
+        addr_text.len = c->addr_text.len;
+
+    } else {
+        addr_text.len = 0;
+        addr_text.data = NULL;
+    }
+
+    reusable = c->reusable;
+    ngx_reusable_connection(c, 0);
+
+    sc = ngx_get_connection(c->fd, log);
+    if (sc == NULL) {
+        ngx_destroy_pool(pool);
+        ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+        ngx_reusable_connection(c, reusable);
+        return NULL;
+    }
+
+    qs->connection = sc;
+
+    sc->quic = qs;
+    sc->shared = 1;
+    sc->type = SOCK_STREAM;
+    sc->pool = pool;
+    sc->ssl = c->ssl;
+    sc->sockaddr = sockaddr;
+    sc->socklen = c->socklen;
+    sc->listening = c->listening;
+    sc->addr_text = addr_text;
+    sc->local_sockaddr = c->local_sockaddr;
+    sc->local_socklen = c->local_socklen;
+    sc->number = ngx_atomic_fetch_add(ngx_connection_counter, 1);
+    sc->start_time = c->start_time;
+    sc->tcp_nodelay = NGX_TCP_NODELAY_DISABLED;
+
+    sc->recv = ngx_quic_stream_recv;
+    sc->send = ngx_quic_stream_send;
+    sc->send_chain = ngx_quic_stream_send_chain;
+
+    sc->read->log = log;
+    sc->write->log = log;
+
+    sc->read->handler = ngx_quic_empty_handler;
+    sc->write->handler = ngx_quic_empty_handler;
+
+    log->connection = sc->number;
+
+    if (id & NGX_QUIC_STREAM_UNIDIRECTIONAL) {
+        if (id & NGX_QUIC_STREAM_SERVER_INITIATED) {
+            qs->send_max_data = qc->ctp.initial_max_stream_data_uni;
+            qs->recv_state = NGX_QUIC_STREAM_RECV_DATA_READ;
+            qs->send_state = NGX_QUIC_STREAM_SEND_READY;
+
+        } else {
+            qs->recv_max_data = qc->tp.initial_max_stream_data_uni;
+            qs->recv_state = NGX_QUIC_STREAM_RECV_RECV;
+            qs->send_state = NGX_QUIC_STREAM_SEND_DATA_RECVD;
+        }
+
+    } else {
+        if (id & NGX_QUIC_STREAM_SERVER_INITIATED) {
+            qs->send_max_data = qc->ctp.initial_max_stream_data_bidi_remote;
+            qs->recv_max_data = qc->tp.initial_max_stream_data_bidi_local;
+
+        } else {
+            qs->send_max_data = qc->ctp.initial_max_stream_data_bidi_local;
+            qs->recv_max_data = qc->tp.initial_max_stream_data_bidi_remote;
+        }
+
+        qs->recv_state = NGX_QUIC_STREAM_RECV_RECV;
+        qs->send_state = NGX_QUIC_STREAM_SEND_READY;
+    }
+
+    qs->recv_window = qs->recv_max_data;
+
+    cln = ngx_pool_cleanup_add(pool, 0);
+    if (cln == NULL) {
+        ngx_close_connection(sc);
+        ngx_destroy_pool(pool);
+        ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+        ngx_reusable_connection(c, reusable);
+        return NULL;
+    }
+
+    cln->handler = ngx_quic_stream_cleanup_handler;
+    cln->data = sc;
+
+    ngx_rbtree_insert(&qc->streams.tree, &qs->node);
+
+    return qs;
+}
+
+
+void
+ngx_quic_cancelable_stream(ngx_connection_t *c)
+{
+    ngx_connection_t       *pc;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qs = c->quic;
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (!qs->cancelable) {
+        qs->cancelable = 1;
+
+        if (ngx_quic_can_shutdown(pc) == NGX_OK) {
+            ngx_reusable_connection(pc, 1);
+
+            if (qc->shutdown) {
+                ngx_quic_shutdown_quic(pc);
+            }
+        }
+    }
+}
+
+
+static void
+ngx_quic_empty_handler(ngx_event_t *ev)
+{
+}
+
+
+static ssize_t
+ngx_quic_stream_recv(ngx_connection_t *c, u_char *buf, size_t size)
+{
+    ssize_t             len;
+    ngx_buf_t          *b;
+    ngx_chain_t        *cl, *in;
+    ngx_event_t        *rev;
+    ngx_connection_t   *pc;
+    ngx_quic_stream_t  *qs;
+
+    qs = c->quic;
+    pc = qs->parent;
+    rev = c->read;
+
+    if (qs->recv_state == NGX_QUIC_STREAM_RECV_RESET_RECVD
+        || qs->recv_state == NGX_QUIC_STREAM_RECV_RESET_READ)
+    {
+        qs->recv_state = NGX_QUIC_STREAM_RECV_RESET_READ;
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL recv buf:%uz", qs->id, size);
+
+    if (size == 0) {
+        return 0;
+    }
+
+    in = ngx_quic_read_buffer(pc, &qs->recv, size);
+    if (in == NGX_CHAIN_ERROR) {
+        return NGX_ERROR;
+    }
+
+    len = 0;
+
+    for (cl = in; cl; cl = cl->next) {
+        b = cl->buf;
+        len += b->last - b->pos;
+        buf = ngx_cpymem(buf, b->pos, b->last - b->pos);
+    }
+
+    ngx_quic_free_chain(pc, in);
+
+    if (len == 0) {
+        rev->ready = 0;
+
+        if (qs->recv_state == NGX_QUIC_STREAM_RECV_DATA_RECVD
+            && qs->recv_offset == qs->recv_final_size)
+        {
+            qs->recv_state = NGX_QUIC_STREAM_RECV_DATA_READ;
+        }
+
+        if (qs->recv_state == NGX_QUIC_STREAM_RECV_DATA_READ) {
+            rev->eof = 1;
+            return 0;
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic stream id:0x%xL recv() not ready", qs->id);
+        return NGX_AGAIN;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stream id:0x%xL recv len:%z", qs->id, len);
+
+    if (ngx_quic_update_flow(qs, qs->recv_offset + len) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return len;
+}
+
+
+static ssize_t
+ngx_quic_stream_send(ngx_connection_t *c, u_char *buf, size_t size)
+{
+    ngx_buf_t    b;
+    ngx_chain_t  cl;
+
+    ngx_memzero(&b, sizeof(ngx_buf_t));
+
+    b.memory = 1;
+    b.pos = buf;
+    b.last = buf + size;
+
+    cl.buf = &b;
+    cl.next = NULL;
+
+    if (ngx_quic_stream_send_chain(c, &cl, 0) == NGX_CHAIN_ERROR) {
+        return NGX_ERROR;
+    }
+
+    if (b.pos == buf) {
+        return NGX_AGAIN;
+    }
+
+    return b.pos - buf;
+}
+
+
+static ngx_chain_t *
+ngx_quic_stream_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
+{
+    uint64_t                n, flow;
+    ngx_event_t            *wev;
+    ngx_connection_t       *pc;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qs = c->quic;
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+    wev = c->write;
+
+    if (qs->send_state != NGX_QUIC_STREAM_SEND_READY
+        && qs->send_state != NGX_QUIC_STREAM_SEND_SEND)
+    {
+        wev->error = 1;
+        return NGX_CHAIN_ERROR;
+    }
+
+    qs->send_state = NGX_QUIC_STREAM_SEND_SEND;
+
+    flow = qs->acked + qc->conf->stream_buffer_size - qs->sent;
+
+    if (flow == 0) {
+        wev->ready = 0;
+        return in;
+    }
+
+    if (limit == 0 || limit > (off_t) flow) {
+        limit = flow;
+    }
+
+    n = qs->send.size;
+
+    in = ngx_quic_write_buffer(pc, &qs->send, in, limit, qs->sent);
+    if (in == NGX_CHAIN_ERROR) {
+        return NGX_CHAIN_ERROR;
+    }
+
+    n = qs->send.size - n;
+    c->sent += n;
+    qs->sent += n;
+    qc->streams.sent += n;
+
+    if (flow == n) {
+        wev->ready = 0;
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic send_chain sent:%uL", n);
+
+    if (ngx_quic_stream_flush(qs) != NGX_OK) {
+        return NGX_CHAIN_ERROR;
+    }
+
+    return in;
+}
+
+
+static ngx_int_t
+ngx_quic_stream_flush(ngx_quic_stream_t *qs)
+{
+    off_t                   limit, len;
+    ngx_uint_t              last;
+    ngx_chain_t            *out;
+    ngx_quic_frame_t       *frame;
+    ngx_connection_t       *pc;
+    ngx_quic_connection_t  *qc;
+
+    if (qs->send_state != NGX_QUIC_STREAM_SEND_SEND) {
+        return NGX_OK;
+    }
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (qc->streams.send_max_data == 0) {
+        qc->streams.send_max_data = qc->ctp.initial_max_data;
+    }
+
+    limit = ngx_min(qc->streams.send_max_data - qc->streams.send_offset,
+                    qs->send_max_data - qs->send_offset);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL flush limit:%O", qs->id, limit);
+
+    len = qs->send.offset;
+
+    out = ngx_quic_read_buffer(pc, &qs->send, limit);
+    if (out == NGX_CHAIN_ERROR) {
+        return NGX_ERROR;
+    }
+
+    len = qs->send.offset - len;
+    last = 0;
+
+    if (qs->send_final_size != (uint64_t) -1
+        && qs->send_final_size == qs->send.offset)
+    {
+        qs->send_state = NGX_QUIC_STREAM_SEND_DATA_SENT;
+        last = 1;
+    }
+
+    if (len == 0 && !last) {
+        return NGX_OK;
+    }
+
+    frame = ngx_quic_alloc_frame(pc);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_STREAM;
+    frame->data = out;
+
+    frame->u.stream.off = 1;
+    frame->u.stream.len = 1;
+    frame->u.stream.fin = last;
+
+    frame->u.stream.stream_id = qs->id;
+    frame->u.stream.offset = qs->send_offset;
+    frame->u.stream.length = len;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    qs->send_offset += len;
+    qc->streams.send_offset += len;
+
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL flush len:%O last:%ui",
+                   qs->id, len, last);
+
+    if (qs->connection == NULL) {
+        return ngx_quic_close_stream(qs);
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_stream_cleanup_handler(void *data)
+{
+    ngx_connection_t *c = data;
+
+    ngx_quic_stream_t  *qs;
+
+    qs = c->quic;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, qs->parent->log, 0,
+                   "quic stream id:0x%xL cleanup", qs->id);
+
+    if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+        return;
+    }
+
+    qs->connection = NULL;
+
+    if (ngx_quic_close_stream(qs) != NGX_OK) {
+        ngx_quic_close_connection(c, NGX_ERROR);
+        return;
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_close_stream(ngx_quic_stream_t *qs)
+{
+    ngx_connection_t       *pc;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (!qc->closing) {
+        /* make sure everything is sent and final size is received */
+
+        if (qs->recv_state == NGX_QUIC_STREAM_RECV_RECV) {
+            return NGX_OK;
+        }
+
+        if (qs->send_state != NGX_QUIC_STREAM_SEND_DATA_RECVD
+            && qs->send_state != NGX_QUIC_STREAM_SEND_RESET_RECVD)
+        {
+            return NGX_OK;
+        }
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL close", qs->id);
+
+    ngx_quic_free_buffer(pc, &qs->send);
+    ngx_quic_free_buffer(pc, &qs->recv);
+
+    ngx_rbtree_delete(&qc->streams.tree, &qs->node);
+    ngx_queue_insert_tail(&qc->streams.free, &qs->queue);
+
+    if (qc->closing) {
+        /* schedule handler call to continue ngx_quic_close_connection() */
+        ngx_post_event(&qc->close, &ngx_posted_events);
+        return NGX_OK;
+    }
+
+    if (!pc->reusable && ngx_quic_can_shutdown(pc) == NGX_OK) {
+        ngx_reusable_connection(pc, 1);
+    }
+
+    if (qc->shutdown) {
+        ngx_quic_shutdown_quic(pc);
+        return NGX_OK;
+    }
+
+    if ((qs->id & NGX_QUIC_STREAM_SERVER_INITIATED) == 0) {
+        frame = ngx_quic_alloc_frame(pc);
+        if (frame == NULL) {
+            return NGX_ERROR;
+        }
+
+        frame->level = ssl_encryption_application;
+        frame->type = NGX_QUIC_FT_MAX_STREAMS;
+
+        if (qs->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) {
+            frame->u.max_streams.limit = ++qc->streams.client_max_streams_uni;
+            frame->u.max_streams.bidi = 0;
+
+        } else {
+            frame->u.max_streams.limit = ++qc->streams.client_max_streams_bidi;
+            frame->u.max_streams.bidi = 1;
+        }
+
+        ngx_quic_queue_frame(qc, frame);
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_can_shutdown(ngx_connection_t *c)
+{
+    ngx_rbtree_t           *tree;
+    ngx_rbtree_node_t      *node;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    tree = &qc->streams.tree;
+
+    if (tree->root != tree->sentinel) {
+        for (node = ngx_rbtree_min(tree->root, tree->sentinel);
+             node;
+             node = ngx_rbtree_next(tree, node))
+        {
+            qs = (ngx_quic_stream_t *) node;
+
+            if (!qs->cancelable) {
+                return NGX_DECLINED;
+            }
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_stream_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
+    ngx_quic_frame_t *frame)
+{
+    uint64_t                  last;
+    ngx_quic_stream_t        *qs;
+    ngx_quic_connection_t    *qc;
+    ngx_quic_stream_frame_t  *f;
+
+    qc = ngx_quic_get_connection(c);
+    f = &frame->u.stream;
+
+    if ((f->stream_id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+        && (f->stream_id & NGX_QUIC_STREAM_SERVER_INITIATED))
+    {
+        qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+        return NGX_ERROR;
+    }
+
+    /* no overflow since both values are 62-bit */
+    last = f->offset + f->length;
+
+    qs = ngx_quic_get_stream(c, f->stream_id);
+
+    if (qs == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (qs == NGX_QUIC_STREAM_GONE) {
+        return NGX_OK;
+    }
+
+    if (qs->recv_state != NGX_QUIC_STREAM_RECV_RECV
+        && qs->recv_state != NGX_QUIC_STREAM_RECV_SIZE_KNOWN)
+    {
+        return NGX_OK;
+    }
+
+    if (ngx_quic_control_flow(qs, last) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (qs->recv_final_size != (uint64_t) -1 && last > qs->recv_final_size) {
+        qc->error = NGX_QUIC_ERR_FINAL_SIZE_ERROR;
+        return NGX_ERROR;
+    }
+
+    if (last < qs->recv_offset) {
+        return NGX_OK;
+    }
+
+    if (f->fin) {
+        if (qs->recv_final_size != (uint64_t) -1 && qs->recv_final_size != last)
+        {
+            qc->error = NGX_QUIC_ERR_FINAL_SIZE_ERROR;
+            return NGX_ERROR;
+        }
+
+        if (qs->recv_last > last) {
+            qc->error = NGX_QUIC_ERR_FINAL_SIZE_ERROR;
+            return NGX_ERROR;
+        }
+
+        qs->recv_final_size = last;
+        qs->recv_state = NGX_QUIC_STREAM_RECV_SIZE_KNOWN;
+    }
+
+    if (ngx_quic_write_buffer(c, &qs->recv, frame->data, f->length, f->offset)
+        == NGX_CHAIN_ERROR)
+    {
+        return NGX_ERROR;
+    }
+
+    if (qs->recv_state == NGX_QUIC_STREAM_RECV_SIZE_KNOWN
+        && qs->recv.size == qs->recv_final_size)
+    {
+        qs->recv_state = NGX_QUIC_STREAM_RECV_DATA_RECVD;
+    }
+
+    if (qs->connection == NULL) {
+        return ngx_quic_close_stream(qs);
+    }
+
+    if (f->offset <= qs->recv_offset) {
+        ngx_quic_set_event(qs->connection->read);
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_max_data_frame(ngx_connection_t *c,
+    ngx_quic_max_data_frame_t *f)
+{
+    ngx_rbtree_t           *tree;
+    ngx_rbtree_node_t      *node;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+    tree = &qc->streams.tree;
+
+    if (f->max_data <= qc->streams.send_max_data) {
+        return NGX_OK;
+    }
+
+    if (tree->root == tree->sentinel
+        || qc->streams.send_offset < qc->streams.send_max_data)
+    {
+        /* not blocked on MAX_DATA */
+        qc->streams.send_max_data = f->max_data;
+        return NGX_OK;
+    }
+
+    qc->streams.send_max_data = f->max_data;
+    node = ngx_rbtree_min(tree->root, tree->sentinel);
+
+    while (node && qc->streams.send_offset < qc->streams.send_max_data) {
+
+        qs = (ngx_quic_stream_t *) node;
+        node = ngx_rbtree_next(tree, node);
+
+        if (ngx_quic_stream_flush(qs) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_streams_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_streams_blocked_frame_t *f)
+{
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_data_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_data_blocked_frame_t *f)
+{
+    return ngx_quic_update_max_data(c);
+}
+
+
+ngx_int_t
+ngx_quic_handle_stream_data_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_stream_data_blocked_frame_t *f)
+{
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if ((f->id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+        && (f->id & NGX_QUIC_STREAM_SERVER_INITIATED))
+    {
+        qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+        return NGX_ERROR;
+    }
+
+    qs = ngx_quic_get_stream(c, f->id);
+
+    if (qs == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (qs == NGX_QUIC_STREAM_GONE) {
+        return NGX_OK;
+    }
+
+    return ngx_quic_update_max_stream_data(qs);
+}
+
+
+ngx_int_t
+ngx_quic_handle_max_stream_data_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_max_stream_data_frame_t *f)
+{
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if ((f->id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+        && (f->id & NGX_QUIC_STREAM_SERVER_INITIATED) == 0)
+    {
+        qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+        return NGX_ERROR;
+    }
+
+    qs = ngx_quic_get_stream(c, f->id);
+
+    if (qs == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (qs == NGX_QUIC_STREAM_GONE) {
+        return NGX_OK;
+    }
+
+    if (f->limit <= qs->send_max_data) {
+        return NGX_OK;
+    }
+
+    if (qs->send_offset < qs->send_max_data) {
+        /* not blocked on MAX_STREAM_DATA */
+        qs->send_max_data = f->limit;
+        return NGX_OK;
+    }
+
+    qs->send_max_data = f->limit;
+
+    return ngx_quic_stream_flush(qs);
+}
+
+
+ngx_int_t
+ngx_quic_handle_reset_stream_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_reset_stream_frame_t *f)
+{
+    ngx_event_t            *rev;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if ((f->id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+        && (f->id & NGX_QUIC_STREAM_SERVER_INITIATED))
+    {
+        qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+        return NGX_ERROR;
+    }
+
+    qs = ngx_quic_get_stream(c, f->id);
+
+    if (qs == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (qs == NGX_QUIC_STREAM_GONE) {
+        return NGX_OK;
+    }
+
+    if (qs->recv_state == NGX_QUIC_STREAM_RECV_RESET_RECVD
+        || qs->recv_state == NGX_QUIC_STREAM_RECV_RESET_READ)
+    {
+        return NGX_OK;
+    }
+
+    qs->recv_state = NGX_QUIC_STREAM_RECV_RESET_RECVD;
+
+    if (ngx_quic_control_flow(qs, f->final_size) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (qs->recv_final_size != (uint64_t) -1
+        && qs->recv_final_size != f->final_size)
+    {
+        qc->error = NGX_QUIC_ERR_FINAL_SIZE_ERROR;
+        return NGX_ERROR;
+    }
+
+    if (qs->recv_last > f->final_size) {
+        qc->error = NGX_QUIC_ERR_FINAL_SIZE_ERROR;
+        return NGX_ERROR;
+    }
+
+    qs->recv_final_size = f->final_size;
+
+    if (ngx_quic_update_flow(qs, qs->recv_final_size) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (qs->connection == NULL) {
+        return ngx_quic_close_stream(qs);
+    }
+
+    rev = qs->connection->read;
+    rev->error = 1;
+
+    ngx_quic_set_event(rev);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_stop_sending_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_stop_sending_frame_t *f)
+{
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if ((f->id & NGX_QUIC_STREAM_UNIDIRECTIONAL)
+        && (f->id & NGX_QUIC_STREAM_SERVER_INITIATED) == 0)
+    {
+        qc->error = NGX_QUIC_ERR_STREAM_STATE_ERROR;
+        return NGX_ERROR;
+    }
+
+    qs = ngx_quic_get_stream(c, f->id);
+
+    if (qs == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (qs == NGX_QUIC_STREAM_GONE) {
+        return NGX_OK;
+    }
+
+    if (ngx_quic_do_reset_stream(qs, f->error_code) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (qs->connection == NULL) {
+        return ngx_quic_close_stream(qs);
+    }
+
+    ngx_quic_set_event(qs->connection->write);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_handle_max_streams_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_max_streams_frame_t *f)
+{
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (f->bidi) {
+        if (qc->streams.server_max_streams_bidi < f->limit) {
+            qc->streams.server_max_streams_bidi = f->limit;
+
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic max_streams_bidi:%uL", f->limit);
+        }
+
+    } else {
+        if (qc->streams.server_max_streams_uni < f->limit) {
+            qc->streams.server_max_streams_uni = f->limit;
+
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic max_streams_uni:%uL", f->limit);
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+void
+ngx_quic_handle_stream_ack(ngx_connection_t *c, ngx_quic_frame_t *f)
+{
+    uint64_t                acked;
+    ngx_quic_stream_t      *qs;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    switch (f->type) {
+
+    case NGX_QUIC_FT_RESET_STREAM:
+
+        qs = ngx_quic_find_stream(&qc->streams.tree, f->u.reset_stream.id);
+        if (qs == NULL) {
+            return;
+        }
+
+        qs->send_state = NGX_QUIC_STREAM_SEND_RESET_RECVD;
+
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic stream id:0x%xL ack reset final_size:%uL",
+                       qs->id, f->u.reset_stream.final_size);
+
+        break;
+
+    case NGX_QUIC_FT_STREAM:
+
+        qs = ngx_quic_find_stream(&qc->streams.tree, f->u.stream.stream_id);
+        if (qs == NULL) {
+            return;
+        }
+
+        acked = qs->acked;
+        qs->acked += f->u.stream.length;
+
+        if (f->u.stream.fin) {
+            qs->fin_acked = 1;
+        }
+
+        if (qs->send_state == NGX_QUIC_STREAM_SEND_DATA_SENT
+            && qs->acked == qs->sent && qs->fin_acked)
+        {
+            qs->send_state = NGX_QUIC_STREAM_SEND_DATA_RECVD;
+        }
+
+        ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "quic stream id:0x%xL ack len:%uL fin:%d unacked:%uL",
+                       qs->id, f->u.stream.length, f->u.stream.fin,
+                       qs->sent - qs->acked);
+
+        if (qs->connection
+            && qs->sent - acked == qc->conf->stream_buffer_size
+            && f->u.stream.length > 0)
+        {
+            ngx_quic_set_event(qs->connection->write);
+        }
+
+        break;
+
+    default:
+        return;
+    }
+
+    if (qs->connection == NULL) {
+        ngx_quic_close_stream(qs);
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_control_flow(ngx_quic_stream_t *qs, uint64_t last)
+{
+    uint64_t                len;
+    ngx_connection_t       *pc;
+    ngx_quic_connection_t  *qc;
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (last <= qs->recv_last) {
+        return NGX_OK;
+    }
+
+    len = last - qs->recv_last;
+
+    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL flow control msd:%uL/%uL md:%uL/%uL",
+                   qs->id, last, qs->recv_max_data, qc->streams.recv_last + len,
+                   qc->streams.recv_max_data);
+
+    qs->recv_last += len;
+
+    if (qs->recv_state == NGX_QUIC_STREAM_RECV_RECV
+        && qs->recv_last > qs->recv_max_data)
+    {
+        qc->error = NGX_QUIC_ERR_FLOW_CONTROL_ERROR;
+        return NGX_ERROR;
+    }
+
+    qc->streams.recv_last += len;
+
+    if (qc->streams.recv_last > qc->streams.recv_max_data) {
+        qc->error = NGX_QUIC_ERR_FLOW_CONTROL_ERROR;
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_update_flow(ngx_quic_stream_t *qs, uint64_t last)
+{
+    uint64_t                len;
+    ngx_connection_t       *pc;
+    ngx_quic_connection_t  *qc;
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (last <= qs->recv_offset) {
+        return NGX_OK;
+    }
+
+    len = last - qs->recv_offset;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL flow update %uL", qs->id, last);
+
+    qs->recv_offset += len;
+
+    if (qs->recv_max_data <= qs->recv_offset + qs->recv_window / 2) {
+        if (ngx_quic_update_max_stream_data(qs) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    qc->streams.recv_offset += len;
+
+    if (qc->streams.recv_max_data
+        <= qc->streams.recv_offset + qc->streams.recv_window / 2)
+    {
+        if (ngx_quic_update_max_data(pc) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_update_max_stream_data(ngx_quic_stream_t *qs)
+{
+    uint64_t                recv_max_data;
+    ngx_connection_t       *pc;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    pc = qs->parent;
+    qc = ngx_quic_get_connection(pc);
+
+    if (qs->recv_state != NGX_QUIC_STREAM_RECV_RECV) {
+        return NGX_OK;
+    }
+
+    recv_max_data = qs->recv_offset + qs->recv_window;
+
+    if (qs->recv_max_data == recv_max_data) {
+        return NGX_OK;
+    }
+
+    qs->recv_max_data = recv_max_data;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0,
+                   "quic stream id:0x%xL flow update msd:%uL",
+                   qs->id, qs->recv_max_data);
+
+    frame = ngx_quic_alloc_frame(pc);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_MAX_STREAM_DATA;
+    frame->u.max_stream_data.id = qs->id;
+    frame->u.max_stream_data.limit = qs->recv_max_data;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_update_max_data(ngx_connection_t *c)
+{
+    uint64_t                recv_max_data;
+    ngx_quic_frame_t       *frame;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    recv_max_data = qc->streams.recv_offset + qc->streams.recv_window;
+
+    if (qc->streams.recv_max_data == recv_max_data) {
+        return NGX_OK;
+    }
+
+    qc->streams.recv_max_data = recv_max_data;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic flow update md:%uL", qc->streams.recv_max_data);
+
+    frame = ngx_quic_alloc_frame(c);
+    if (frame == NULL) {
+        return NGX_ERROR;
+    }
+
+    frame->level = ssl_encryption_application;
+    frame->type = NGX_QUIC_FT_MAX_DATA;
+    frame->u.max_data.max_data = qc->streams.recv_max_data;
+
+    ngx_quic_queue_frame(qc, frame);
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_set_event(ngx_event_t *ev)
+{
+    ev->ready = 1;
+
+    if (ev->active) {
+        ngx_post_event(ev, &ngx_posted_events);
+    }
+}
diff --git a/src/event/quic/ngx_event_quic_streams.h b/src/event/quic/ngx_event_quic_streams.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_streams.h
@@ -0,0 +1,44 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_STREAMS_H_INCLUDED_
+#define _NGX_EVENT_QUIC_STREAMS_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+ngx_int_t ngx_quic_handle_stream_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_frame_t *frame);
+void ngx_quic_handle_stream_ack(ngx_connection_t *c,
+    ngx_quic_frame_t *f);
+ngx_int_t ngx_quic_handle_max_data_frame(ngx_connection_t *c,
+    ngx_quic_max_data_frame_t *f);
+ngx_int_t ngx_quic_handle_streams_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_streams_blocked_frame_t *f);
+ngx_int_t ngx_quic_handle_data_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_data_blocked_frame_t *f);
+ngx_int_t ngx_quic_handle_stream_data_blocked_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_stream_data_blocked_frame_t *f);
+ngx_int_t ngx_quic_handle_max_stream_data_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_max_stream_data_frame_t *f);
+ngx_int_t ngx_quic_handle_reset_stream_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_reset_stream_frame_t *f);
+ngx_int_t ngx_quic_handle_stop_sending_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_stop_sending_frame_t *f);
+ngx_int_t ngx_quic_handle_max_streams_frame(ngx_connection_t *c,
+    ngx_quic_header_t *pkt, ngx_quic_max_streams_frame_t *f);
+
+ngx_int_t ngx_quic_init_streams(ngx_connection_t *c);
+void ngx_quic_rbtree_insert_stream(ngx_rbtree_node_t *temp,
+    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
+ngx_quic_stream_t *ngx_quic_find_stream(ngx_rbtree_t *rbtree,
+    uint64_t id);
+ngx_int_t ngx_quic_close_streams(ngx_connection_t *c,
+    ngx_quic_connection_t *qc);
+
+#endif /* _NGX_EVENT_QUIC_STREAMS_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_tokens.c b/src/event/quic/ngx_event_quic_tokens.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_tokens.c
@@ -0,0 +1,289 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_sha1.h>
+#include <ngx_event_quic_connection.h>
+
+
+static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
+    ngx_uint_t no_port, u_char buf[20]);
+
+
+ngx_int_t
+ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
+    u_char *token)
+{
+    ngx_str_t  tmp;
+
+    tmp.data = secret;
+    tmp.len = NGX_QUIC_SR_KEY_LEN;
+
+    if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
+                            NGX_QUIC_SR_TOKEN_LEN)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stateless reset token %*xs",
+                    (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
+    socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
+    time_t exp, ngx_uint_t is_retry)
+{
+    int                len, iv_len;
+    u_char            *p, *iv;
+    EVP_CIPHER_CTX    *ctx;
+    const EVP_CIPHER  *cipher;
+
+    u_char             in[NGX_QUIC_MAX_TOKEN_SIZE];
+
+    ngx_quic_address_hash(sockaddr, socklen, !is_retry, in);
+
+    p = in + 20;
+
+    p = ngx_cpymem(p, &exp, sizeof(time_t));
+
+    *p++ = is_retry ? 1 : 0;
+
+    if (odcid) {
+        *p++ = odcid->len;
+        p = ngx_cpymem(p, odcid->data, odcid->len);
+
+    } else {
+        *p++ = 0;
+    }
+
+    len = p - in;
+
+    cipher = EVP_aes_256_cbc();
+    iv_len = NGX_QUIC_AES_256_CBC_IV_LEN;
+
+    if ((size_t) (iv_len + len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE) > token->len)
+    {
+        ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small");
+        return NGX_ERROR;
+    }
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    iv = token->data;
+
+    if (RAND_bytes(iv, iv_len) <= 0
+        || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
+    {
+        EVP_CIPHER_CTX_free(ctx);
+        return NGX_ERROR;
+    }
+
+    token->len = iv_len;
+
+    if (EVP_EncryptUpdate(ctx, token->data + token->len, &len, in, len) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        return NGX_ERROR;
+    }
+
+    token->len += len;
+
+    if (EVP_EncryptFinal_ex(ctx, token->data + token->len, &len) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
+        return NGX_ERROR;
+    }
+
+    token->len += len;
+
+    EVP_CIPHER_CTX_free(ctx);
+
+#ifdef NGX_QUIC_DEBUG_PACKETS
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic new token len:%uz %xV", token->len, token);
+#endif
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
+    ngx_uint_t no_port, u_char buf[20])
+{
+    size_t                len;
+    u_char               *data;
+    ngx_sha1_t            sha1;
+    struct sockaddr_in   *sin;
+#if (NGX_HAVE_INET6)
+    struct sockaddr_in6  *sin6;
+#endif
+
+    len = (size_t) socklen;
+    data = (u_char *) sockaddr;
+
+    if (no_port) {
+        switch (sockaddr->sa_family) {
+
+#if (NGX_HAVE_INET6)
+        case AF_INET6:
+            sin6 = (struct sockaddr_in6 *) sockaddr;
+
+            len = sizeof(struct in6_addr);
+            data = sin6->sin6_addr.s6_addr;
+
+            break;
+#endif
+
+        case AF_INET:
+            sin = (struct sockaddr_in *) sockaddr;
+
+            len = sizeof(in_addr_t);
+            data = (u_char *) &sin->sin_addr;
+
+            break;
+        }
+    }
+
+    ngx_sha1_init(&sha1);
+    ngx_sha1_update(&sha1, data, len);
+    ngx_sha1_final(buf, &sha1);
+}
+
+
+ngx_int_t
+ngx_quic_validate_token(ngx_connection_t *c, u_char *key,
+    ngx_quic_header_t *pkt)
+{
+    int                len, tlen, iv_len;
+    u_char            *iv, *p;
+    time_t             now, exp;
+    size_t             total;
+    ngx_str_t          odcid;
+    EVP_CIPHER_CTX    *ctx;
+    const EVP_CIPHER  *cipher;
+
+    u_char             addr_hash[20];
+    u_char             tdec[NGX_QUIC_MAX_TOKEN_SIZE];
+
+#if NGX_SUPPRESS_WARN
+    ngx_str_null(&odcid);
+#endif
+
+    /* Retry token or NEW_TOKEN in a previous connection */
+
+    cipher = EVP_aes_256_cbc();
+    iv = pkt->token.data;
+    iv_len = NGX_QUIC_AES_256_CBC_IV_LEN;
+
+    /* sanity checks */
+
+    if (pkt->token.len < (size_t) iv_len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE) {
+        goto garbage;
+    }
+
+    if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE) {
+        goto garbage;
+    }
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (!EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv)) {
+        EVP_CIPHER_CTX_free(ctx);
+        return NGX_ERROR;
+    }
+
+    p = pkt->token.data + iv_len;
+    len = pkt->token.len - iv_len;
+
+    if (EVP_DecryptUpdate(ctx, tdec, &len, p, len) != 1) {
+        EVP_CIPHER_CTX_free(ctx);
+        goto garbage;
+    }
+    total = len;
+
+    if (EVP_DecryptFinal_ex(ctx, tdec + len, &tlen) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
+        goto garbage;
+    }
+    total += tlen;
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    if (total < (20 + sizeof(time_t) + 2)) {
+        goto garbage;
+    }
+
+    p = tdec + 20;
+
+    ngx_memcpy(&exp, p, sizeof(time_t));
+    p += sizeof(time_t);
+
+    pkt->retried = (*p++ == 1);
+
+    ngx_quic_address_hash(c->sockaddr, c->socklen, !pkt->retried, addr_hash);
+
+    if (ngx_memcmp(tdec, addr_hash, 20) != 0) {
+        goto bad_token;
+    }
+
+    odcid.len = *p++;
+    if (odcid.len) {
+        if (odcid.len > NGX_QUIC_MAX_CID_LEN) {
+            goto bad_token;
+        }
+
+        if ((size_t)(tdec + total - p) < odcid.len) {
+            goto bad_token;
+        }
+
+        odcid.data = p;
+    }
+
+    now = ngx_time();
+
+    if (now > exp) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
+        return NGX_DECLINED;
+    }
+
+    if (odcid.len) {
+        pkt->odcid.len = odcid.len;
+        pkt->odcid.data = pkt->odcid_buf;
+        ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len);
+
+    } else {
+        pkt->odcid = pkt->dcid;
+    }
+
+    pkt->validated = 1;
+
+    return NGX_OK;
+
+garbage:
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token");
+
+    return NGX_ABORT;
+
+bad_token:
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");
+
+    return NGX_DECLINED;
+}
diff --git a/src/event/quic/ngx_event_quic_tokens.h b/src/event/quic/ngx_event_quic_tokens.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_tokens.h
@@ -0,0 +1,35 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
+#define _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+#define NGX_QUIC_MAX_TOKEN_SIZE              64
+    /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
+
+/* RFC 3602, 2.1 and 2.4 for AES-CBC block size and IV length */
+#define NGX_QUIC_AES_256_CBC_IV_LEN          16
+#define NGX_QUIC_AES_256_CBC_BLOCK_SIZE      16
+
+#define NGX_QUIC_TOKEN_BUF_SIZE             (NGX_QUIC_AES_256_CBC_IV_LEN      \
+                                             + NGX_QUIC_MAX_TOKEN_SIZE        \
+                                             + NGX_QUIC_AES_256_CBC_BLOCK_SIZE)
+
+
+ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
+    u_char *secret, u_char *token);
+ngx_int_t ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
+    socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
+    time_t expires, ngx_uint_t is_retry);
+ngx_int_t ngx_quic_validate_token(ngx_connection_t *c,
+    u_char *key, ngx_quic_header_t *pkt);
+
+#endif /* _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -0,0 +1,2199 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+#define NGX_QUIC_LONG_DCID_LEN_OFFSET  5
+#define NGX_QUIC_LONG_DCID_OFFSET      6
+#define NGX_QUIC_SHORT_DCID_OFFSET     1
+
+#define NGX_QUIC_STREAM_FRAME_FIN      0x01
+#define NGX_QUIC_STREAM_FRAME_LEN      0x02
+#define NGX_QUIC_STREAM_FRAME_OFF      0x04
+
+
+#if (NGX_HAVE_NONALIGNED)
+
+#define ngx_quic_parse_uint16(p)  ntohs(*(uint16_t *) (p))
+#define ngx_quic_parse_uint32(p)  ntohl(*(uint32_t *) (p))
+
+#define ngx_quic_write_uint16  ngx_quic_write_uint16_aligned
+#define ngx_quic_write_uint32  ngx_quic_write_uint32_aligned
+
+#else
+
+#define ngx_quic_parse_uint16(p)  ((p)[0] << 8 | (p)[1])
+#define ngx_quic_parse_uint32(p)                                              \
+    ((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3])
+
+#define ngx_quic_write_uint16(p, s)                                           \
+    ((p)[0] = (u_char) ((s) >> 8),                                            \
+     (p)[1] = (u_char)  (s),                                                  \
+     (p) + sizeof(uint16_t))
+
+#define ngx_quic_write_uint32(p, s)                                           \
+    ((p)[0] = (u_char) ((s) >> 24),                                           \
+     (p)[1] = (u_char) ((s) >> 16),                                           \
+     (p)[2] = (u_char) ((s) >> 8),                                            \
+     (p)[3] = (u_char)  (s),                                                  \
+     (p) + sizeof(uint32_t))
+
+#endif
+
+#define ngx_quic_write_uint64(p, s)                                           \
+    ((p)[0] = (u_char) ((s) >> 56),                                           \
+     (p)[1] = (u_char) ((s) >> 48),                                           \
+     (p)[2] = (u_char) ((s) >> 40),                                           \
+     (p)[3] = (u_char) ((s) >> 32),                                           \
+     (p)[4] = (u_char) ((s) >> 24),                                           \
+     (p)[5] = (u_char) ((s) >> 16),                                           \
+     (p)[6] = (u_char) ((s) >> 8),                                            \
+     (p)[7] = (u_char)  (s),                                                  \
+     (p) + sizeof(uint64_t))
+
+#define ngx_quic_write_uint24(p, s)                                           \
+    ((p)[0] = (u_char) ((s) >> 16),                                           \
+     (p)[1] = (u_char) ((s) >> 8),                                            \
+     (p)[2] = (u_char)  (s),                                                  \
+     (p) + 3)
+
+#define ngx_quic_write_uint16_aligned(p, s)                                   \
+    (*(uint16_t *) (p) = htons((uint16_t) (s)), (p) + sizeof(uint16_t))
+
+#define ngx_quic_write_uint32_aligned(p, s)                                   \
+    (*(uint32_t *) (p) = htonl((uint32_t) (s)), (p) + sizeof(uint32_t))
+
+#define ngx_quic_build_int_set(p, value, len, bits)                           \
+    (*(p)++ = ((value >> ((len) * 8)) & 0xff) | ((bits) << 6))
+
+
+static u_char *ngx_quic_parse_int(u_char *pos, u_char *end, uint64_t *out);
+static ngx_uint_t ngx_quic_varint_len(uint64_t value);
+static void ngx_quic_build_int(u_char **pos, uint64_t value);
+
+static u_char *ngx_quic_read_uint8(u_char *pos, u_char *end, uint8_t *value);
+static u_char *ngx_quic_read_uint32(u_char *pos, u_char *end, uint32_t *value);
+static u_char *ngx_quic_read_bytes(u_char *pos, u_char *end, size_t len,
+    u_char **out);
+static u_char *ngx_quic_copy_bytes(u_char *pos, u_char *end, size_t len,
+    u_char *dst);
+
+static ngx_int_t ngx_quic_parse_short_header(ngx_quic_header_t *pkt,
+    size_t dcid_len);
+static ngx_int_t ngx_quic_parse_long_header(ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_supported_version(uint32_t version);
+static ngx_int_t ngx_quic_parse_long_header_v1(ngx_quic_header_t *pkt);
+
+static size_t ngx_quic_create_long_header(ngx_quic_header_t *pkt, u_char *out,
+    u_char **pnp);
+static size_t ngx_quic_create_short_header(ngx_quic_header_t *pkt, u_char *out,
+    u_char **pnp);
+
+static ngx_int_t ngx_quic_frame_allowed(ngx_quic_header_t *pkt,
+    ngx_uint_t frame_type);
+static size_t ngx_quic_create_ping(u_char *p);
+static size_t ngx_quic_create_ack(u_char *p, ngx_quic_ack_frame_t *ack,
+    ngx_chain_t *ranges);
+static size_t ngx_quic_create_reset_stream(u_char *p,
+    ngx_quic_reset_stream_frame_t *rs);
+static size_t ngx_quic_create_stop_sending(u_char *p,
+    ngx_quic_stop_sending_frame_t *ss);
+static size_t ngx_quic_create_crypto(u_char *p,
+    ngx_quic_crypto_frame_t *crypto, ngx_chain_t *data);
+static size_t ngx_quic_create_hs_done(u_char *p);
+static size_t ngx_quic_create_new_token(u_char *p,
+    ngx_quic_new_token_frame_t *token, ngx_chain_t *data);
+static size_t ngx_quic_create_stream(u_char *p, ngx_quic_stream_frame_t *sf,
+    ngx_chain_t *data);
+static size_t ngx_quic_create_max_streams(u_char *p,
+    ngx_quic_max_streams_frame_t *ms);
+static size_t ngx_quic_create_max_stream_data(u_char *p,
+    ngx_quic_max_stream_data_frame_t *ms);
+static size_t ngx_quic_create_max_data(u_char *p,
+    ngx_quic_max_data_frame_t *md);
+static size_t ngx_quic_create_path_challenge(u_char *p,
+    ngx_quic_path_challenge_frame_t *pc);
+static size_t ngx_quic_create_path_response(u_char *p,
+    ngx_quic_path_challenge_frame_t *pc);
+static size_t ngx_quic_create_new_connection_id(u_char *p,
+    ngx_quic_new_conn_id_frame_t *rcid);
+static size_t ngx_quic_create_retire_connection_id(u_char *p,
+    ngx_quic_retire_cid_frame_t *rcid);
+static size_t ngx_quic_create_close(u_char *p, ngx_quic_frame_t *f);
+
+static ngx_int_t ngx_quic_parse_transport_param(u_char *p, u_char *end,
+    uint16_t id, ngx_quic_tp_t *dst);
+
+
+uint32_t  ngx_quic_versions[] = {
+    /* QUICv1 */
+    0x00000001,
+};
+
+#define NGX_QUIC_NVERSIONS \
+    (sizeof(ngx_quic_versions) / sizeof(ngx_quic_versions[0]))
+
+
+static ngx_inline u_char *
+ngx_quic_parse_int(u_char *pos, u_char *end, uint64_t *out)
+{
+    u_char      *p;
+    uint64_t     value;
+    ngx_uint_t   len;
+
+    if (pos >= end) {
+        return NULL;
+    }
+
+    p = pos;
+    len = 1 << (*p >> 6);
+
+    value = *p++ & 0x3f;
+
+    if ((size_t)(end - p) < (len - 1)) {
+        return NULL;
+    }
+
+    while (--len) {
+        value = (value << 8) + *p++;
+    }
+
+    *out = value;
+
+    return p;
+}
+
+
+static ngx_inline u_char *
+ngx_quic_read_uint8(u_char *pos, u_char *end, uint8_t *value)
+{
+    if ((size_t)(end - pos) < 1) {
+        return NULL;
+    }
+
+    *value = *pos;
+
+    return pos + 1;
+}
+
+
+static ngx_inline u_char *
+ngx_quic_read_uint32(u_char *pos, u_char *end, uint32_t *value)
+{
+    if ((size_t)(end - pos) < sizeof(uint32_t)) {
+        return NULL;
+    }
+
+    *value = ngx_quic_parse_uint32(pos);
+
+    return pos + sizeof(uint32_t);
+}
+
+
+static ngx_inline u_char *
+ngx_quic_read_bytes(u_char *pos, u_char *end, size_t len, u_char **out)
+{
+    if ((size_t)(end - pos) < len) {
+        return NULL;
+    }
+
+    *out = pos;
+
+    return pos + len;
+}
+
+
+static u_char *
+ngx_quic_copy_bytes(u_char *pos, u_char *end, size_t len, u_char *dst)
+{
+    if ((size_t)(end - pos) < len) {
+        return NULL;
+    }
+
+    ngx_memcpy(dst, pos, len);
+
+    return pos + len;
+}
+
+
+static ngx_inline ngx_uint_t
+ngx_quic_varint_len(uint64_t value)
+{
+    if (value < (1 << 6)) {
+        return 1;
+    }
+
+    if (value < (1 << 14)) {
+        return 2;
+    }
+
+    if (value < (1 << 30)) {
+        return 4;
+    }
+
+    return 8;
+}
+
+
+static ngx_inline void
+ngx_quic_build_int(u_char **pos, uint64_t value)
+{
+    u_char  *p;
+
+    p = *pos;
+
+    if (value < (1 << 6)) {
+        ngx_quic_build_int_set(p, value, 0, 0);
+
+    } else if (value < (1 << 14)) {
+        ngx_quic_build_int_set(p, value, 1, 1);
+        ngx_quic_build_int_set(p, value, 0, 0);
+
+    } else if (value < (1 << 30)) {
+        ngx_quic_build_int_set(p, value, 3, 2);
+        ngx_quic_build_int_set(p, value, 2, 0);
+        ngx_quic_build_int_set(p, value, 1, 0);
+        ngx_quic_build_int_set(p, value, 0, 0);
+
+    } else {
+        ngx_quic_build_int_set(p, value, 7, 3);
+        ngx_quic_build_int_set(p, value, 6, 0);
+        ngx_quic_build_int_set(p, value, 5, 0);
+        ngx_quic_build_int_set(p, value, 4, 0);
+        ngx_quic_build_int_set(p, value, 3, 0);
+        ngx_quic_build_int_set(p, value, 2, 0);
+        ngx_quic_build_int_set(p, value, 1, 0);
+        ngx_quic_build_int_set(p, value, 0, 0);
+    }
+
+    *pos = p;
+}
+
+
+ngx_int_t
+ngx_quic_parse_packet(ngx_quic_header_t *pkt)
+{
+    if (!ngx_quic_long_pkt(pkt->flags)) {
+        pkt->level = ssl_encryption_application;
+
+        if (ngx_quic_parse_short_header(pkt, NGX_QUIC_SERVER_CID_LEN) != NGX_OK)
+        {
+            return NGX_ERROR;
+        }
+
+        return NGX_OK;
+    }
+
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (!ngx_quic_supported_version(pkt->version)) {
+        return NGX_ABORT;
+    }
+
+    if (ngx_quic_parse_long_header_v1(pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_parse_short_header(ngx_quic_header_t *pkt, size_t dcid_len)
+{
+    u_char  *p, *end;
+
+    p = pkt->raw->pos;
+    end = pkt->data + pkt->len;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet rx short flags:%xd", pkt->flags);
+
+    if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
+        return NGX_ERROR;
+    }
+
+    pkt->dcid.len = dcid_len;
+
+    p = ngx_quic_read_bytes(p, end, dcid_len, &pkt->dcid.data);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read dcid");
+        return NGX_ERROR;
+    }
+
+    pkt->raw->pos = p;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_parse_long_header(ngx_quic_header_t *pkt)
+{
+    u_char   *p, *end;
+    uint8_t   idlen;
+
+    p = pkt->raw->pos;
+    end = pkt->data + pkt->len;
+
+    p = ngx_quic_read_uint32(p, end, &pkt->version);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read version");
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet rx long flags:%xd version:%xD",
+                   pkt->flags, pkt->version);
+
+    if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
+        return NGX_ERROR;
+    }
+
+    p = ngx_quic_read_uint8(p, end, &idlen);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read dcid len");
+        return NGX_ERROR;
+    }
+
+    if (idlen > NGX_QUIC_CID_LEN_MAX) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet dcid is too long");
+        return NGX_ERROR;
+    }
+
+    pkt->dcid.len = idlen;
+
+    p = ngx_quic_read_bytes(p, end, idlen, &pkt->dcid.data);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read dcid");
+        return NGX_ERROR;
+    }
+
+    p = ngx_quic_read_uint8(p, end, &idlen);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read scid len");
+        return NGX_ERROR;
+    }
+
+    if (idlen > NGX_QUIC_CID_LEN_MAX) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet scid is too long");
+        return NGX_ERROR;
+    }
+
+    pkt->scid.len = idlen;
+
+    p = ngx_quic_read_bytes(p, end, idlen, &pkt->scid.data);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet is too small to read scid");
+        return NGX_ERROR;
+    }
+
+    pkt->raw->pos = p;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_supported_version(uint32_t version)
+{
+    ngx_uint_t  i;
+
+    for (i = 0; i < NGX_QUIC_NVERSIONS; i++) {
+        if (ngx_quic_versions[i] == version) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+
+static ngx_int_t
+ngx_quic_parse_long_header_v1(ngx_quic_header_t *pkt)
+{
+    u_char    *p, *end;
+    uint64_t   varint;
+
+    p = pkt->raw->pos;
+    end = pkt->raw->last;
+
+    pkt->log->action = "parsing quic long header";
+
+    if (ngx_quic_pkt_in(pkt->flags)) {
+
+        if (pkt->len < NGX_QUIC_MIN_INITIAL_SIZE) {
+            ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                          "quic UDP datagram is too small for initial packet");
+            return NGX_DECLINED;
+        }
+
+        p = ngx_quic_parse_int(p, end, &varint);
+        if (p == NULL) {
+            ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                          "quic failed to parse token length");
+            return NGX_ERROR;
+        }
+
+        pkt->token.len = varint;
+
+        p = ngx_quic_read_bytes(p, end, pkt->token.len, &pkt->token.data);
+        if (p == NULL) {
+            ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                          "quic packet too small to read token data");
+            return NGX_ERROR;
+        }
+
+        pkt->level = ssl_encryption_initial;
+
+    } else if (ngx_quic_pkt_zrtt(pkt->flags)) {
+        pkt->level = ssl_encryption_early_data;
+
+    } else if (ngx_quic_pkt_hs(pkt->flags)) {
+        pkt->level = ssl_encryption_handshake;
+
+    } else {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic bad packet type");
+        return NGX_DECLINED;
+    }
+
+    p = ngx_quic_parse_int(p, end, &varint);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic bad packet length");
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                   "quic packet rx %s len:%uL",
+                   ngx_quic_level_name(pkt->level), varint);
+
+    if (varint > (uint64_t) ((pkt->data + pkt->len) - p)) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic truncated %s packet",
+                      ngx_quic_level_name(pkt->level));
+        return NGX_ERROR;
+    }
+
+    pkt->raw->pos = p;
+    pkt->len = p + varint - pkt->data;
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_get_packet_dcid(ngx_log_t *log, u_char *data, size_t n,
+    ngx_str_t *dcid)
+{
+    size_t  len, offset;
+
+    if (n == 0) {
+        goto failed;
+    }
+
+    if (ngx_quic_long_pkt(*data)) {
+        if (n < NGX_QUIC_LONG_DCID_LEN_OFFSET + 1) {
+            goto failed;
+        }
+
+        len = data[NGX_QUIC_LONG_DCID_LEN_OFFSET];
+        offset = NGX_QUIC_LONG_DCID_OFFSET;
+
+    } else {
+        len = NGX_QUIC_SERVER_CID_LEN;
+        offset = NGX_QUIC_SHORT_DCID_OFFSET;
+    }
+
+    if (n < len + offset) {
+        goto failed;
+    }
+
+    dcid->len = len;
+    dcid->data = &data[offset];
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0, "quic malformed packet");
+
+    return NGX_ERROR;
+}
+
+
+size_t
+ngx_quic_create_version_negotiation(ngx_quic_header_t *pkt, u_char *out)
+{
+    u_char      *p, *start;
+    ngx_uint_t   i;
+
+    p = start = out;
+
+    *p++ = pkt->flags;
+
+    /*
+     * The Version field of a Version Negotiation packet
+     * MUST be set to 0x00000000
+     */
+    p = ngx_quic_write_uint32(p, 0);
+
+    *p++ = pkt->dcid.len;
+    p = ngx_cpymem(p, pkt->dcid.data, pkt->dcid.len);
+
+    *p++ = pkt->scid.len;
+    p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
+
+    for (i = 0; i < NGX_QUIC_NVERSIONS; i++) {
+        p = ngx_quic_write_uint32(p, ngx_quic_versions[i]);
+    }
+
+    return p - start;
+}
+
+
+/* returns the amount of payload quic packet of "pkt_len" size may fit or 0 */
+size_t
+ngx_quic_payload_size(ngx_quic_header_t *pkt, size_t pkt_len)
+{
+    size_t  len;
+
+    if (ngx_quic_short_pkt(pkt->flags)) {
+
+        len = 1 + pkt->dcid.len + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+        if (len > pkt_len) {
+            return 0;
+        }
+
+        return pkt_len - len;
+    }
+
+    /* flags, version, dcid and scid with lengths and zero-length token */
+    len = 5 + 2 + pkt->dcid.len + pkt->scid.len
+          + (pkt->level == ssl_encryption_initial ? 1 : 0);
+
+    if (len > pkt_len) {
+        return 0;
+    }
+
+    /* (pkt_len - len) is 'remainder' packet length (see RFC 9000, 17.2) */
+    len += ngx_quic_varint_len(pkt_len - len)
+           + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+
+    if (len > pkt_len) {
+        return 0;
+    }
+
+    return pkt_len - len;
+}
+
+
+size_t
+ngx_quic_create_header(ngx_quic_header_t *pkt, u_char *out, u_char **pnp)
+{
+    return ngx_quic_short_pkt(pkt->flags)
+           ? ngx_quic_create_short_header(pkt, out, pnp)
+           : ngx_quic_create_long_header(pkt, out, pnp);
+}
+
+
+static size_t
+ngx_quic_create_long_header(ngx_quic_header_t *pkt, u_char *out,
+    u_char **pnp)
+{
+    size_t   rem_len;
+    u_char  *p, *start;
+
+    rem_len = pkt->num_len + pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+
+    if (out == NULL) {
+        return 5 + 2 + pkt->dcid.len + pkt->scid.len
+               + ngx_quic_varint_len(rem_len) + pkt->num_len
+               + (pkt->level == ssl_encryption_initial ? 1 : 0);
+    }
+
+    p = start = out;
+
+    *p++ = pkt->flags;
+
+    p = ngx_quic_write_uint32(p, pkt->version);
+
+    *p++ = pkt->dcid.len;
+    p = ngx_cpymem(p, pkt->dcid.data, pkt->dcid.len);
+
+    *p++ = pkt->scid.len;
+    p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
+
+    if (pkt->level == ssl_encryption_initial) {
+        ngx_quic_build_int(&p, 0);
+    }
+
+    ngx_quic_build_int(&p, rem_len);
+
+    *pnp = p;
+
+    switch (pkt->num_len) {
+    case 1:
+        *p++ = pkt->trunc;
+        break;
+    case 2:
+        p = ngx_quic_write_uint16(p, pkt->trunc);
+        break;
+    case 3:
+        p = ngx_quic_write_uint24(p, pkt->trunc);
+        break;
+    case 4:
+        p = ngx_quic_write_uint32(p, pkt->trunc);
+        break;
+    }
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_short_header(ngx_quic_header_t *pkt, u_char *out,
+    u_char **pnp)
+{
+    u_char  *p, *start;
+
+    if (out == NULL) {
+        return 1 + pkt->dcid.len + pkt->num_len;
+    }
+
+    p = start = out;
+
+    *p++ = pkt->flags;
+
+    p = ngx_cpymem(p, pkt->dcid.data, pkt->dcid.len);
+
+    *pnp = p;
+
+    switch (pkt->num_len) {
+    case 1:
+        *p++ = pkt->trunc;
+        break;
+    case 2:
+        p = ngx_quic_write_uint16(p, pkt->trunc);
+        break;
+    case 3:
+        p = ngx_quic_write_uint24(p, pkt->trunc);
+        break;
+    case 4:
+        p = ngx_quic_write_uint32(p, pkt->trunc);
+        break;
+    }
+
+    return p - start;
+}
+
+
+size_t
+ngx_quic_create_retry_itag(ngx_quic_header_t *pkt, u_char *out,
+    u_char **start)
+{
+    u_char  *p;
+
+    p = out;
+
+    *p++ = pkt->odcid.len;
+    p = ngx_cpymem(p, pkt->odcid.data, pkt->odcid.len);
+
+    *start = p;
+
+    *p++ = 0xff;
+
+    p = ngx_quic_write_uint32(p, pkt->version);
+
+    *p++ = pkt->dcid.len;
+    p = ngx_cpymem(p, pkt->dcid.data, pkt->dcid.len);
+
+    *p++ = pkt->scid.len;
+    p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
+
+    p = ngx_cpymem(p, pkt->token.data, pkt->token.len);
+
+    return p - out;
+}
+
+
+ssize_t
+ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
+    ngx_quic_frame_t *f)
+{
+    u_char      *p;
+    uint64_t     varint;
+    ngx_buf_t   *b;
+    ngx_uint_t   i;
+
+    b = f->data->buf;
+
+    p = start;
+
+    p = ngx_quic_parse_int(p, end, &varint);
+    if (p == NULL) {
+        pkt->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic failed to obtain quic frame type");
+        return NGX_ERROR;
+    }
+
+    if (varint > NGX_QUIC_FT_LAST) {
+        pkt->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic unknown frame type 0x%xL", varint);
+        return NGX_ERROR;
+    }
+
+    f->type = varint;
+
+    if (ngx_quic_frame_allowed(pkt, f->type) != NGX_OK) {
+        pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+        return NGX_ERROR;
+    }
+
+    switch (f->type) {
+
+    case NGX_QUIC_FT_CRYPTO:
+
+        p = ngx_quic_parse_int(p, end, &f->u.crypto.offset);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.crypto.length);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_read_bytes(p, end, f->u.crypto.length, &b->pos);
+        if (p == NULL) {
+            goto error;
+        }
+
+        b->last = p;
+
+        break;
+
+    case NGX_QUIC_FT_PADDING:
+
+        while (p < end && *p == NGX_QUIC_FT_PADDING) {
+            p++;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_ACK:
+    case NGX_QUIC_FT_ACK_ECN:
+
+        p = ngx_quic_parse_int(p, end, &f->u.ack.largest);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.ack.delay);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.ack.range_count);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.ack.first_range);
+        if (p == NULL) {
+            goto error;
+        }
+
+        b->pos = p;
+
+        /* process all ranges to get bounds, values are ignored */
+        for (i = 0; i < f->u.ack.range_count; i++) {
+
+            p = ngx_quic_parse_int(p, end, &varint);
+            if (p == NULL) {
+                goto error;
+            }
+
+            p = ngx_quic_parse_int(p, end, &varint);
+            if (p == NULL) {
+                goto error;
+            }
+        }
+
+        b->last = p;
+
+        f->u.ack.ranges_length = b->last - b->pos;
+
+        if (f->type == NGX_QUIC_FT_ACK_ECN) {
+
+            p = ngx_quic_parse_int(p, end, &f->u.ack.ect0);
+            if (p == NULL) {
+                goto error;
+            }
+
+            p = ngx_quic_parse_int(p, end, &f->u.ack.ect1);
+            if (p == NULL) {
+                goto error;
+            }
+
+            p = ngx_quic_parse_int(p, end, &f->u.ack.ce);
+            if (p == NULL) {
+                goto error;
+            }
+
+            ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                           "quic ACK ECN counters ect0:%uL ect1:%uL ce:%uL",
+                           f->u.ack.ect0, f->u.ack.ect1, f->u.ack.ce);
+        }
+
+        break;
+
+    case NGX_QUIC_FT_PING:
+        break;
+
+    case NGX_QUIC_FT_NEW_CONNECTION_ID:
+
+        p = ngx_quic_parse_int(p, end, &f->u.ncid.seqnum);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.ncid.retire);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->u.ncid.retire > f->u.ncid.seqnum) {
+            goto error;
+        }
+
+        p = ngx_quic_read_uint8(p, end, &f->u.ncid.len);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->u.ncid.len < 1 || f->u.ncid.len > NGX_QUIC_CID_LEN_MAX) {
+            goto error;
+        }
+
+        p = ngx_quic_copy_bytes(p, end, f->u.ncid.len, f->u.ncid.cid);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_copy_bytes(p, end, NGX_QUIC_SR_TOKEN_LEN, f->u.ncid.srt);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_RETIRE_CONNECTION_ID:
+
+        p = ngx_quic_parse_int(p, end, &f->u.retire_cid.sequence_number);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_CONNECTION_CLOSE:
+    case NGX_QUIC_FT_CONNECTION_CLOSE_APP:
+
+        p = ngx_quic_parse_int(p, end, &f->u.close.error_code);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->type == NGX_QUIC_FT_CONNECTION_CLOSE) {
+            p = ngx_quic_parse_int(p, end, &f->u.close.frame_type);
+            if (p == NULL) {
+                goto error;
+            }
+        }
+
+        p = ngx_quic_parse_int(p, end, &varint);
+        if (p == NULL) {
+            goto error;
+        }
+
+        f->u.close.reason.len = varint;
+
+        p = ngx_quic_read_bytes(p, end, f->u.close.reason.len,
+                                &f->u.close.reason.data);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_STREAM:
+    case NGX_QUIC_FT_STREAM1:
+    case NGX_QUIC_FT_STREAM2:
+    case NGX_QUIC_FT_STREAM3:
+    case NGX_QUIC_FT_STREAM4:
+    case NGX_QUIC_FT_STREAM5:
+    case NGX_QUIC_FT_STREAM6:
+    case NGX_QUIC_FT_STREAM7:
+
+        f->u.stream.fin = (f->type & NGX_QUIC_STREAM_FRAME_FIN) ? 1 : 0;
+
+        p = ngx_quic_parse_int(p, end, &f->u.stream.stream_id);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->type & NGX_QUIC_STREAM_FRAME_OFF) {
+            f->u.stream.off = 1;
+
+            p = ngx_quic_parse_int(p, end, &f->u.stream.offset);
+            if (p == NULL) {
+                goto error;
+            }
+
+        } else {
+            f->u.stream.off = 0;
+            f->u.stream.offset = 0;
+        }
+
+        if (f->type & NGX_QUIC_STREAM_FRAME_LEN) {
+            f->u.stream.len = 1;
+
+            p = ngx_quic_parse_int(p, end, &f->u.stream.length);
+            if (p == NULL) {
+                goto error;
+            }
+
+        } else {
+            f->u.stream.len = 0;
+            f->u.stream.length = end - p; /* up to packet end */
+        }
+
+        p = ngx_quic_read_bytes(p, end, f->u.stream.length, &b->pos);
+        if (p == NULL) {
+            goto error;
+        }
+
+        b->last = p;
+
+        f->type = NGX_QUIC_FT_STREAM;
+        break;
+
+    case NGX_QUIC_FT_MAX_DATA:
+
+        p = ngx_quic_parse_int(p, end, &f->u.max_data.max_data);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_RESET_STREAM:
+
+        p = ngx_quic_parse_int(p, end, &f->u.reset_stream.id);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.reset_stream.error_code);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.reset_stream.final_size);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_STOP_SENDING:
+
+        p = ngx_quic_parse_int(p, end, &f->u.stop_sending.id);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.stop_sending.error_code);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_STREAMS_BLOCKED:
+    case NGX_QUIC_FT_STREAMS_BLOCKED2:
+
+        p = ngx_quic_parse_int(p, end, &f->u.streams_blocked.limit);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->u.streams_blocked.limit > 0x1000000000000000) {
+            goto error;
+        }
+
+        f->u.streams_blocked.bidi =
+                              (f->type == NGX_QUIC_FT_STREAMS_BLOCKED) ? 1 : 0;
+        break;
+
+    case NGX_QUIC_FT_MAX_STREAMS:
+    case NGX_QUIC_FT_MAX_STREAMS2:
+
+        p = ngx_quic_parse_int(p, end, &f->u.max_streams.limit);
+        if (p == NULL) {
+            goto error;
+        }
+
+        if (f->u.max_streams.limit > 0x1000000000000000) {
+            goto error;
+        }
+
+        f->u.max_streams.bidi = (f->type == NGX_QUIC_FT_MAX_STREAMS) ? 1 : 0;
+
+        break;
+
+    case NGX_QUIC_FT_MAX_STREAM_DATA:
+
+        p = ngx_quic_parse_int(p, end, &f->u.max_stream_data.id);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.max_stream_data.limit);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_DATA_BLOCKED:
+
+        p = ngx_quic_parse_int(p, end, &f->u.data_blocked.limit);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_STREAM_DATA_BLOCKED:
+
+        p = ngx_quic_parse_int(p, end, &f->u.stream_data_blocked.id);
+        if (p == NULL) {
+            goto error;
+        }
+
+        p = ngx_quic_parse_int(p, end, &f->u.stream_data_blocked.limit);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_PATH_CHALLENGE:
+
+        p = ngx_quic_copy_bytes(p, end, 8, f->u.path_challenge.data);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    case NGX_QUIC_FT_PATH_RESPONSE:
+
+        p = ngx_quic_copy_bytes(p, end, 8, f->u.path_response.data);
+        if (p == NULL) {
+            goto error;
+        }
+
+        break;
+
+    default:
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic unknown frame type 0x%xi", f->type);
+        return NGX_ERROR;
+    }
+
+    f->level = pkt->level;
+
+    return p - start;
+
+error:
+
+    pkt->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+
+    ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                  "quic failed to parse frame type:0x%xi", f->type);
+
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_quic_frame_allowed(ngx_quic_header_t *pkt, ngx_uint_t frame_type)
+{
+    uint8_t  ptype;
+
+    /*
+     * RFC 9000, 12.4. Frames and Frame Types: Table 3
+     *
+     * Frame permissions per packet: 4 bits: IH01
+     */
+    static uint8_t ngx_quic_frame_masks[] = {
+         /* PADDING  */              0xF,
+         /* PING */                  0xF,
+         /* ACK */                   0xD,
+         /* ACK_ECN */               0xD,
+         /* RESET_STREAM */          0x3,
+         /* STOP_SENDING */          0x3,
+         /* CRYPTO */                0xD,
+         /* NEW_TOKEN */             0x0, /* only sent by server */
+         /* STREAM */                0x3,
+         /* STREAM1 */               0x3,
+         /* STREAM2 */               0x3,
+         /* STREAM3 */               0x3,
+         /* STREAM4 */               0x3,
+         /* STREAM5 */               0x3,
+         /* STREAM6 */               0x3,
+         /* STREAM7 */               0x3,
+         /* MAX_DATA */              0x3,
+         /* MAX_STREAM_DATA */       0x3,
+         /* MAX_STREAMS */           0x3,
+         /* MAX_STREAMS2 */          0x3,
+         /* DATA_BLOCKED */          0x3,
+         /* STREAM_DATA_BLOCKED */   0x3,
+         /* STREAMS_BLOCKED */       0x3,
+         /* STREAMS_BLOCKED2 */      0x3,
+         /* NEW_CONNECTION_ID */     0x3,
+         /* RETIRE_CONNECTION_ID */  0x3,
+         /* PATH_CHALLENGE */        0x3,
+         /* PATH_RESPONSE */         0x1,
+         /* CONNECTION_CLOSE */      0xF,
+         /* CONNECTION_CLOSE2 */     0x3,
+         /* HANDSHAKE_DONE */        0x0, /* only sent by server */
+    };
+
+    if (ngx_quic_long_pkt(pkt->flags)) {
+
+        if (ngx_quic_pkt_in(pkt->flags)) {
+            ptype = 8; /* initial */
+
+        } else if (ngx_quic_pkt_hs(pkt->flags)) {
+            ptype = 4; /* handshake */
+
+        } else {
+            ptype = 2; /* zero-rtt */
+        }
+
+    } else {
+        ptype = 1; /* application data */
+    }
+
+    if (ptype & ngx_quic_frame_masks[frame_type]) {
+        return NGX_OK;
+    }
+
+    ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                  "quic frame type 0x%xi is not "
+                  "allowed in packet with flags 0x%xd",
+                  frame_type, pkt->flags);
+
+    return NGX_DECLINED;
+}
+
+
+ssize_t
+ngx_quic_parse_ack_range(ngx_log_t *log, u_char *start, u_char *end,
+    uint64_t *gap, uint64_t *range)
+{
+    u_char  *p;
+
+    p = start;
+
+    p = ngx_quic_parse_int(p, end, gap);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, log, 0,
+                      "quic failed to parse ack frame gap");
+        return NGX_ERROR;
+    }
+
+    p = ngx_quic_parse_int(p, end, range);
+    if (p == NULL) {
+        ngx_log_error(NGX_LOG_INFO, log, 0,
+                      "quic failed to parse ack frame range");
+        return NGX_ERROR;
+    }
+
+    return p - start;
+}
+
+
+size_t
+ngx_quic_create_ack_range(u_char *p, uint64_t gap, uint64_t range)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(gap);
+        len += ngx_quic_varint_len(range);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, gap);
+    ngx_quic_build_int(&p, range);
+
+    return p - start;
+}
+
+
+ssize_t
+ngx_quic_create_frame(u_char *p, ngx_quic_frame_t *f)
+{
+    /*
+     *  RFC 9002, 2.  Conventions and Definitions
+     *
+     *  Ack-eliciting frames:  All frames other than ACK, PADDING, and
+     *  CONNECTION_CLOSE are considered ack-eliciting.
+     */
+    f->need_ack = 1;
+
+    switch (f->type) {
+    case NGX_QUIC_FT_PING:
+        return ngx_quic_create_ping(p);
+
+    case NGX_QUIC_FT_ACK:
+        f->need_ack = 0;
+        return ngx_quic_create_ack(p, &f->u.ack, f->data);
+
+    case NGX_QUIC_FT_RESET_STREAM:
+        return ngx_quic_create_reset_stream(p, &f->u.reset_stream);
+
+    case NGX_QUIC_FT_STOP_SENDING:
+        return ngx_quic_create_stop_sending(p, &f->u.stop_sending);
+
+    case NGX_QUIC_FT_CRYPTO:
+        return ngx_quic_create_crypto(p, &f->u.crypto, f->data);
+
+    case NGX_QUIC_FT_HANDSHAKE_DONE:
+        return ngx_quic_create_hs_done(p);
+
+    case NGX_QUIC_FT_NEW_TOKEN:
+        return ngx_quic_create_new_token(p, &f->u.token, f->data);
+
+    case NGX_QUIC_FT_STREAM:
+        return ngx_quic_create_stream(p, &f->u.stream, f->data);
+
+    case NGX_QUIC_FT_CONNECTION_CLOSE:
+    case NGX_QUIC_FT_CONNECTION_CLOSE_APP:
+        f->need_ack = 0;
+        return ngx_quic_create_close(p, f);
+
+    case NGX_QUIC_FT_MAX_STREAMS:
+        return ngx_quic_create_max_streams(p, &f->u.max_streams);
+
+    case NGX_QUIC_FT_MAX_STREAM_DATA:
+        return ngx_quic_create_max_stream_data(p, &f->u.max_stream_data);
+
+    case NGX_QUIC_FT_MAX_DATA:
+        return ngx_quic_create_max_data(p, &f->u.max_data);
+
+    case NGX_QUIC_FT_PATH_CHALLENGE:
+        return ngx_quic_create_path_challenge(p, &f->u.path_challenge);
+
+    case NGX_QUIC_FT_PATH_RESPONSE:
+        return ngx_quic_create_path_response(p, &f->u.path_response);
+
+    case NGX_QUIC_FT_NEW_CONNECTION_ID:
+        return ngx_quic_create_new_connection_id(p, &f->u.ncid);
+
+    case NGX_QUIC_FT_RETIRE_CONNECTION_ID:
+        return ngx_quic_create_retire_connection_id(p, &f->u.retire_cid);
+
+    default:
+        /* BUG: unsupported frame type generated */
+        return NGX_ERROR;
+    }
+}
+
+
+static size_t
+ngx_quic_create_ping(u_char *p)
+{
+    u_char  *start;
+
+    if (p == NULL) {
+        return ngx_quic_varint_len(NGX_QUIC_FT_PING);
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_PING);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_ack(u_char *p, ngx_quic_ack_frame_t *ack, ngx_chain_t *ranges)
+{
+    size_t      len;
+    u_char     *start;
+    ngx_buf_t  *b;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_ACK);
+        len += ngx_quic_varint_len(ack->largest);
+        len += ngx_quic_varint_len(ack->delay);
+        len += ngx_quic_varint_len(ack->range_count);
+        len += ngx_quic_varint_len(ack->first_range);
+        len += ack->ranges_length;
+
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_ACK);
+    ngx_quic_build_int(&p, ack->largest);
+    ngx_quic_build_int(&p, ack->delay);
+    ngx_quic_build_int(&p, ack->range_count);
+    ngx_quic_build_int(&p, ack->first_range);
+
+    while (ranges) {
+        b = ranges->buf;
+        p = ngx_cpymem(p, b->pos, b->last - b->pos);
+        ranges = ranges->next;
+    }
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_reset_stream(u_char *p, ngx_quic_reset_stream_frame_t *rs)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_RESET_STREAM);
+        len += ngx_quic_varint_len(rs->id);
+        len += ngx_quic_varint_len(rs->error_code);
+        len += ngx_quic_varint_len(rs->final_size);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_RESET_STREAM);
+    ngx_quic_build_int(&p, rs->id);
+    ngx_quic_build_int(&p, rs->error_code);
+    ngx_quic_build_int(&p, rs->final_size);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_stop_sending(u_char *p, ngx_quic_stop_sending_frame_t *ss)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_STOP_SENDING);
+        len += ngx_quic_varint_len(ss->id);
+        len += ngx_quic_varint_len(ss->error_code);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_STOP_SENDING);
+    ngx_quic_build_int(&p, ss->id);
+    ngx_quic_build_int(&p, ss->error_code);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_crypto(u_char *p, ngx_quic_crypto_frame_t *crypto,
+    ngx_chain_t *data)
+{
+    size_t      len;
+    u_char     *start;
+    ngx_buf_t  *b;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_CRYPTO);
+        len += ngx_quic_varint_len(crypto->offset);
+        len += ngx_quic_varint_len(crypto->length);
+        len += crypto->length;
+
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_CRYPTO);
+    ngx_quic_build_int(&p, crypto->offset);
+    ngx_quic_build_int(&p, crypto->length);
+
+    while (data) {
+        b = data->buf;
+        p = ngx_cpymem(p, b->pos, b->last - b->pos);
+        data = data->next;
+    }
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_hs_done(u_char *p)
+{
+    u_char  *start;
+
+    if (p == NULL) {
+        return ngx_quic_varint_len(NGX_QUIC_FT_HANDSHAKE_DONE);
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_HANDSHAKE_DONE);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_new_token(u_char *p, ngx_quic_new_token_frame_t *token,
+    ngx_chain_t *data)
+{
+    size_t      len;
+    u_char     *start;
+    ngx_buf_t  *b;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_NEW_TOKEN);
+        len += ngx_quic_varint_len(token->length);
+        len += token->length;
+
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_NEW_TOKEN);
+    ngx_quic_build_int(&p, token->length);
+
+    while (data) {
+        b = data->buf;
+        p = ngx_cpymem(p, b->pos, b->last - b->pos);
+        data = data->next;
+    }
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_stream(u_char *p, ngx_quic_stream_frame_t *sf,
+    ngx_chain_t *data)
+{
+    size_t      len;
+    u_char     *start, type;
+    ngx_buf_t  *b;
+
+    type = NGX_QUIC_FT_STREAM;
+
+    if (sf->off) {
+        type |= NGX_QUIC_STREAM_FRAME_OFF;
+    }
+
+    if (sf->len) {
+        type |= NGX_QUIC_STREAM_FRAME_LEN;
+    }
+
+    if (sf->fin) {
+        type |= NGX_QUIC_STREAM_FRAME_FIN;
+    }
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(type);
+        len += ngx_quic_varint_len(sf->stream_id);
+
+        if (sf->off) {
+            len += ngx_quic_varint_len(sf->offset);
+        }
+
+        if (sf->len) {
+            len += ngx_quic_varint_len(sf->length);
+        }
+
+        len += sf->length;
+
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, type);
+    ngx_quic_build_int(&p, sf->stream_id);
+
+    if (sf->off) {
+        ngx_quic_build_int(&p, sf->offset);
+    }
+
+    if (sf->len) {
+        ngx_quic_build_int(&p, sf->length);
+    }
+
+    while (data) {
+        b = data->buf;
+        p = ngx_cpymem(p, b->pos, b->last - b->pos);
+        data = data->next;
+    }
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_max_streams(u_char *p, ngx_quic_max_streams_frame_t *ms)
+{
+    size_t       len;
+    u_char      *start;
+    ngx_uint_t   type;
+
+    type = ms->bidi ? NGX_QUIC_FT_MAX_STREAMS : NGX_QUIC_FT_MAX_STREAMS2;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(type);
+        len += ngx_quic_varint_len(ms->limit);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, type);
+    ngx_quic_build_int(&p, ms->limit);
+
+    return p - start;
+}
+
+
+static ngx_int_t
+ngx_quic_parse_transport_param(u_char *p, u_char *end, uint16_t id,
+    ngx_quic_tp_t *dst)
+{
+    uint64_t   varint;
+    ngx_str_t  str;
+
+    varint = 0;
+    ngx_str_null(&str);
+
+    switch (id) {
+
+    case NGX_QUIC_TP_DISABLE_ACTIVE_MIGRATION:
+        /* zero-length option */
+        if (end - p != 0) {
+            return NGX_ERROR;
+        }
+        dst->disable_active_migration = 1;
+        return NGX_OK;
+
+    case NGX_QUIC_TP_MAX_IDLE_TIMEOUT:
+    case NGX_QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
+    case NGX_QUIC_TP_INITIAL_MAX_DATA:
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI:
+    case NGX_QUIC_TP_INITIAL_MAX_STREAMS_BIDI:
+    case NGX_QUIC_TP_INITIAL_MAX_STREAMS_UNI:
+    case NGX_QUIC_TP_ACK_DELAY_EXPONENT:
+    case NGX_QUIC_TP_MAX_ACK_DELAY:
+    case NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT:
+
+        p = ngx_quic_parse_int(p, end, &varint);
+        if (p == NULL) {
+            return NGX_ERROR;
+        }
+        break;
+
+    case NGX_QUIC_TP_INITIAL_SCID:
+
+        str.len = end - p;
+        str.data = p;
+        break;
+
+    default:
+        return NGX_DECLINED;
+    }
+
+    switch (id) {
+
+    case NGX_QUIC_TP_MAX_IDLE_TIMEOUT:
+        dst->max_idle_timeout = varint;
+        break;
+
+    case NGX_QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
+        dst->max_udp_payload_size = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_DATA:
+        dst->initial_max_data = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
+        dst->initial_max_stream_data_bidi_local = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
+        dst->initial_max_stream_data_bidi_remote = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI:
+        dst->initial_max_stream_data_uni = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_STREAMS_BIDI:
+        dst->initial_max_streams_bidi = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_MAX_STREAMS_UNI:
+        dst->initial_max_streams_uni = varint;
+        break;
+
+    case NGX_QUIC_TP_ACK_DELAY_EXPONENT:
+        dst->ack_delay_exponent = varint;
+        break;
+
+    case NGX_QUIC_TP_MAX_ACK_DELAY:
+        dst->max_ack_delay = varint;
+        break;
+
+    case NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT:
+        dst->active_connection_id_limit = varint;
+        break;
+
+    case NGX_QUIC_TP_INITIAL_SCID:
+        dst->initial_scid = str;
+        break;
+
+    default:
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_quic_parse_transport_params(u_char *p, u_char *end, ngx_quic_tp_t *tp,
+    ngx_log_t *log)
+{
+    uint64_t   id, len;
+    ngx_int_t  rc;
+
+    while (p < end) {
+        p = ngx_quic_parse_int(p, end, &id);
+        if (p == NULL) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse transport param id");
+            return NGX_ERROR;
+        }
+
+        switch (id) {
+        case NGX_QUIC_TP_ORIGINAL_DCID:
+        case NGX_QUIC_TP_PREFERRED_ADDRESS:
+        case NGX_QUIC_TP_RETRY_SCID:
+        case NGX_QUIC_TP_SR_TOKEN:
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic client sent forbidden transport param"
+                          " id:0x%xL", id);
+            return NGX_ERROR;
+        }
+
+        p = ngx_quic_parse_int(p, end, &len);
+        if (p == NULL) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL length", id);
+            return NGX_ERROR;
+        }
+
+        rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
+
+        if (rc == NGX_ERROR) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL data", id);
+            return NGX_ERROR;
+        }
+
+        if (rc == NGX_DECLINED) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic %s transport param id:0x%xL, skipped",
+                          (id % 31 == 27) ? "reserved" : "unknown", id);
+        }
+
+        p += len;
+    }
+
+    if (p != end) {
+        ngx_log_error(NGX_LOG_INFO, log, 0,
+                      "quic trailing garbage in"
+                      " transport parameters: bytes:%ui",
+                      end - p);
+        return NGX_ERROR;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic transport parameters parsed ok");
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp disable active migration: %ui",
+                   tp->disable_active_migration);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0, "quic tp idle_timeout:%ui",
+                   tp->max_idle_timeout);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp max_udp_payload_size:%ui",
+                   tp->max_udp_payload_size);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0, "quic tp max_data:%ui",
+                   tp->initial_max_data);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp max_stream_data_bidi_local:%ui",
+                   tp->initial_max_stream_data_bidi_local);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp max_stream_data_bidi_remote:%ui",
+                   tp->initial_max_stream_data_bidi_remote);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp max_stream_data_uni:%ui",
+                   tp->initial_max_stream_data_uni);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp initial_max_streams_bidi:%ui",
+                   tp->initial_max_streams_bidi);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp initial_max_streams_uni:%ui",
+                   tp->initial_max_streams_uni);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp ack_delay_exponent:%ui",
+                   tp->ack_delay_exponent);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0, "quic tp max_ack_delay:%ui",
+                   tp->max_ack_delay);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp active_connection_id_limit:%ui",
+                   tp->active_connection_id_limit);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
+                   "quic tp initial source_connection_id len:%uz %xV",
+                   tp->initial_scid.len, &tp->initial_scid);
+
+    return NGX_OK;
+}
+
+
+static size_t
+ngx_quic_create_max_stream_data(u_char *p, ngx_quic_max_stream_data_frame_t *ms)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_MAX_STREAM_DATA);
+        len += ngx_quic_varint_len(ms->id);
+        len += ngx_quic_varint_len(ms->limit);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_MAX_STREAM_DATA);
+    ngx_quic_build_int(&p, ms->id);
+    ngx_quic_build_int(&p, ms->limit);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_max_data(u_char *p, ngx_quic_max_data_frame_t *md)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_MAX_DATA);
+        len += ngx_quic_varint_len(md->max_data);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_MAX_DATA);
+    ngx_quic_build_int(&p, md->max_data);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_path_challenge(u_char *p, ngx_quic_path_challenge_frame_t *pc)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_PATH_CHALLENGE);
+        len += sizeof(pc->data);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_PATH_CHALLENGE);
+    p = ngx_cpymem(p, &pc->data, sizeof(pc->data));
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_path_response(u_char *p, ngx_quic_path_challenge_frame_t *pc)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_PATH_RESPONSE);
+        len += sizeof(pc->data);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_PATH_RESPONSE);
+    p = ngx_cpymem(p, &pc->data, sizeof(pc->data));
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_new_connection_id(u_char *p, ngx_quic_new_conn_id_frame_t *ncid)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_NEW_CONNECTION_ID);
+        len += ngx_quic_varint_len(ncid->seqnum);
+        len += ngx_quic_varint_len(ncid->retire);
+        len++;
+        len += ncid->len;
+        len += NGX_QUIC_SR_TOKEN_LEN;
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_NEW_CONNECTION_ID);
+    ngx_quic_build_int(&p, ncid->seqnum);
+    ngx_quic_build_int(&p, ncid->retire);
+    *p++ = ncid->len;
+    p = ngx_cpymem(p, ncid->cid, ncid->len);
+    p = ngx_cpymem(p, ncid->srt, NGX_QUIC_SR_TOKEN_LEN);
+
+    return p - start;
+}
+
+
+static size_t
+ngx_quic_create_retire_connection_id(u_char *p,
+    ngx_quic_retire_cid_frame_t *rcid)
+{
+    size_t   len;
+    u_char  *start;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(NGX_QUIC_FT_RETIRE_CONNECTION_ID);
+        len += ngx_quic_varint_len(rcid->sequence_number);
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, NGX_QUIC_FT_RETIRE_CONNECTION_ID);
+    ngx_quic_build_int(&p, rcid->sequence_number);
+
+    return p - start;
+}
+
+
+ngx_int_t
+ngx_quic_init_transport_params(ngx_quic_tp_t *tp, ngx_quic_conf_t *qcf)
+{
+    ngx_uint_t  nstreams;
+
+    ngx_memzero(tp, sizeof(ngx_quic_tp_t));
+
+    /*
+     * set by ngx_memzero():
+     *
+     *     tp->disable_active_migration = 0;
+     *     tp->original_dcid = { 0, NULL };
+     *     tp->initial_scid = { 0, NULL };
+     *     tp->retry_scid = { 0, NULL };
+     *     tp->sr_token = { 0 }
+     *     tp->sr_enabled = 0
+     *     tp->preferred_address = NULL
+     */
+
+    tp->max_idle_timeout = qcf->timeout;
+
+    tp->max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_SIZE;
+
+    nstreams = qcf->max_concurrent_streams_bidi
+               + qcf->max_concurrent_streams_uni;
+
+    tp->initial_max_data = nstreams * qcf->stream_buffer_size;
+    tp->initial_max_stream_data_bidi_local = qcf->stream_buffer_size;
+    tp->initial_max_stream_data_bidi_remote = qcf->stream_buffer_size;
+    tp->initial_max_stream_data_uni = qcf->stream_buffer_size;
+
+    tp->initial_max_streams_bidi = qcf->max_concurrent_streams_bidi;
+    tp->initial_max_streams_uni = qcf->max_concurrent_streams_uni;
+
+    tp->max_ack_delay = NGX_QUIC_DEFAULT_MAX_ACK_DELAY;
+    tp->ack_delay_exponent = NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT;
+
+    tp->active_connection_id_limit = qcf->active_connection_id_limit;
+    tp->disable_active_migration = qcf->disable_active_migration;
+
+    return NGX_OK;
+}
+
+
+ssize_t
+ngx_quic_create_transport_params(u_char *pos, u_char *end, ngx_quic_tp_t *tp,
+    size_t *clen)
+{
+    u_char  *p;
+    size_t   len;
+
+#define ngx_quic_tp_len(id, value)                                            \
+    ngx_quic_varint_len(id)                                                   \
+    + ngx_quic_varint_len(value)                                              \
+    + ngx_quic_varint_len(ngx_quic_varint_len(value))
+
+#define ngx_quic_tp_vint(id, value)                                           \
+    do {                                                                      \
+        ngx_quic_build_int(&p, id);                                           \
+        ngx_quic_build_int(&p, ngx_quic_varint_len(value));                   \
+        ngx_quic_build_int(&p, value);                                        \
+    } while (0)
+
+#define ngx_quic_tp_strlen(id, value)                                         \
+    ngx_quic_varint_len(id)                                                   \
+    + ngx_quic_varint_len(value.len)                                          \
+    + value.len
+
+#define ngx_quic_tp_str(id, value)                                            \
+    do {                                                                      \
+        ngx_quic_build_int(&p, id);                                           \
+        ngx_quic_build_int(&p, value.len);                                    \
+        p = ngx_cpymem(p, value.data, value.len);                             \
+    } while (0)
+
+    len = ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_DATA, tp->initial_max_data);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_STREAMS_UNI,
+                           tp->initial_max_streams_uni);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_STREAMS_BIDI,
+                           tp->initial_max_streams_bidi);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
+                           tp->initial_max_stream_data_bidi_local);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
+                           tp->initial_max_stream_data_bidi_remote);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI,
+                           tp->initial_max_stream_data_uni);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_MAX_IDLE_TIMEOUT,
+                           tp->max_idle_timeout);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_MAX_UDP_PAYLOAD_SIZE,
+                           tp->max_udp_payload_size);
+
+    if (tp->disable_active_migration) {
+        len += ngx_quic_varint_len(NGX_QUIC_TP_DISABLE_ACTIVE_MIGRATION);
+        len += ngx_quic_varint_len(0);
+    }
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT,
+                           tp->active_connection_id_limit);
+
+    /* transport parameters listed above will be saved in 0-RTT context */
+    if (clen) {
+        *clen = len;
+    }
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_MAX_ACK_DELAY,
+                           tp->max_ack_delay);
+
+    len += ngx_quic_tp_len(NGX_QUIC_TP_ACK_DELAY_EXPONENT,
+                           tp->ack_delay_exponent);
+
+    len += ngx_quic_tp_strlen(NGX_QUIC_TP_ORIGINAL_DCID, tp->original_dcid);
+    len += ngx_quic_tp_strlen(NGX_QUIC_TP_INITIAL_SCID, tp->initial_scid);
+
+    if (tp->retry_scid.len) {
+        len += ngx_quic_tp_strlen(NGX_QUIC_TP_RETRY_SCID, tp->retry_scid);
+    }
+
+    len += ngx_quic_varint_len(NGX_QUIC_TP_SR_TOKEN);
+    len += ngx_quic_varint_len(NGX_QUIC_SR_TOKEN_LEN);
+    len += NGX_QUIC_SR_TOKEN_LEN;
+
+    if (pos == NULL) {
+        return len;
+    }
+
+    p = pos;
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_DATA,
+                     tp->initial_max_data);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_STREAMS_UNI,
+                     tp->initial_max_streams_uni);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_STREAMS_BIDI,
+                     tp->initial_max_streams_bidi);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
+                     tp->initial_max_stream_data_bidi_local);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
+                     tp->initial_max_stream_data_bidi_remote);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI,
+                     tp->initial_max_stream_data_uni);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_MAX_IDLE_TIMEOUT,
+                     tp->max_idle_timeout);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_MAX_UDP_PAYLOAD_SIZE,
+                     tp->max_udp_payload_size);
+
+    if (tp->disable_active_migration) {
+        ngx_quic_build_int(&p, NGX_QUIC_TP_DISABLE_ACTIVE_MIGRATION);
+        ngx_quic_build_int(&p, 0);
+    }
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT,
+                     tp->active_connection_id_limit);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_MAX_ACK_DELAY,
+                     tp->max_ack_delay);
+
+    ngx_quic_tp_vint(NGX_QUIC_TP_ACK_DELAY_EXPONENT,
+                     tp->ack_delay_exponent);
+
+    ngx_quic_tp_str(NGX_QUIC_TP_ORIGINAL_DCID, tp->original_dcid);
+    ngx_quic_tp_str(NGX_QUIC_TP_INITIAL_SCID, tp->initial_scid);
+
+    if (tp->retry_scid.len) {
+        ngx_quic_tp_str(NGX_QUIC_TP_RETRY_SCID, tp->retry_scid);
+    }
+
+    ngx_quic_build_int(&p, NGX_QUIC_TP_SR_TOKEN);
+    ngx_quic_build_int(&p, NGX_QUIC_SR_TOKEN_LEN);
+    p = ngx_cpymem(p, tp->sr_token, NGX_QUIC_SR_TOKEN_LEN);
+
+    return p - pos;
+}
+
+
+static size_t
+ngx_quic_create_close(u_char *p, ngx_quic_frame_t *f)
+{
+    size_t                   len;
+    u_char                  *start;
+    ngx_quic_close_frame_t  *cl;
+
+    cl = &f->u.close;
+
+    if (p == NULL) {
+        len = ngx_quic_varint_len(f->type);
+        len += ngx_quic_varint_len(cl->error_code);
+
+        if (f->type != NGX_QUIC_FT_CONNECTION_CLOSE_APP) {
+            len += ngx_quic_varint_len(cl->frame_type);
+        }
+
+        len += ngx_quic_varint_len(cl->reason.len);
+        len += cl->reason.len;
+
+        return len;
+    }
+
+    start = p;
+
+    ngx_quic_build_int(&p, f->type);
+    ngx_quic_build_int(&p, cl->error_code);
+
+    if (f->type != NGX_QUIC_FT_CONNECTION_CLOSE_APP) {
+        ngx_quic_build_int(&p, cl->frame_type);
+    }
+
+    ngx_quic_build_int(&p, cl->reason.len);
+    p = ngx_cpymem(p, cl->reason.data, cl->reason.len);
+
+    return p - start;
+}
+
+
+void
+ngx_quic_dcid_encode_key(u_char *dcid, uint64_t key)
+{
+    (void) ngx_quic_write_uint64(dcid, key);
+}
diff --git a/src/event/quic/ngx_event_quic_transport.h b/src/event/quic/ngx_event_quic_transport.h
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_transport.h
@@ -0,0 +1,397 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_EVENT_QUIC_TRANSPORT_H_INCLUDED_
+#define _NGX_EVENT_QUIC_TRANSPORT_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+/*
+ * RFC 9000, 17.2.  Long Header Packets
+ *           17.3.  Short Header Packets
+ *
+ * QUIC flags in first byte
+ */
+#define NGX_QUIC_PKT_LONG       0x80  /* header form */
+#define NGX_QUIC_PKT_FIXED_BIT  0x40
+#define NGX_QUIC_PKT_TYPE       0x30  /* in long packet */
+#define NGX_QUIC_PKT_KPHASE     0x04  /* in short packet */
+
+#define ngx_quic_long_pkt(flags)  ((flags) & NGX_QUIC_PKT_LONG)
+#define ngx_quic_short_pkt(flags)  (((flags) & NGX_QUIC_PKT_LONG) == 0)
+
+/* Long packet types */
+#define NGX_QUIC_PKT_INITIAL    0x00
+#define NGX_QUIC_PKT_ZRTT       0x10
+#define NGX_QUIC_PKT_HANDSHAKE  0x20
+#define NGX_QUIC_PKT_RETRY      0x30
+
+#define ngx_quic_pkt_in(flags)                                                \
+    (((flags) & NGX_QUIC_PKT_TYPE) == NGX_QUIC_PKT_INITIAL)
+#define ngx_quic_pkt_zrtt(flags)                                              \
+    (((flags) & NGX_QUIC_PKT_TYPE) == NGX_QUIC_PKT_ZRTT)
+#define ngx_quic_pkt_hs(flags)                                                \
+    (((flags) & NGX_QUIC_PKT_TYPE) == NGX_QUIC_PKT_HANDSHAKE)
+#define ngx_quic_pkt_retry(flags)                                             \
+    (((flags) & NGX_QUIC_PKT_TYPE) == NGX_QUIC_PKT_RETRY)
+
+#define ngx_quic_pkt_rb_mask(flags)                                           \
+    (ngx_quic_long_pkt(flags) ? 0x0C : 0x18)
+#define ngx_quic_pkt_hp_mask(flags)                                           \
+    (ngx_quic_long_pkt(flags) ? 0x0F : 0x1F)
+
+#define ngx_quic_level_name(lvl)                                              \
+    (lvl == ssl_encryption_application) ? "app"                               \
+        : (lvl == ssl_encryption_initial) ? "init"                            \
+            : (lvl == ssl_encryption_handshake) ? "hs" : "early"
+
+#define NGX_QUIC_MAX_CID_LEN                             20
+#define NGX_QUIC_SERVER_CID_LEN                          NGX_QUIC_MAX_CID_LEN
+
+/* 12.4.  Frames and Frame Types */
+#define NGX_QUIC_FT_PADDING                              0x00
+#define NGX_QUIC_FT_PING                                 0x01
+#define NGX_QUIC_FT_ACK                                  0x02
+#define NGX_QUIC_FT_ACK_ECN                              0x03
+#define NGX_QUIC_FT_RESET_STREAM                         0x04
+#define NGX_QUIC_FT_STOP_SENDING                         0x05
+#define NGX_QUIC_FT_CRYPTO                               0x06
+#define NGX_QUIC_FT_NEW_TOKEN                            0x07
+#define NGX_QUIC_FT_STREAM                               0x08
+#define NGX_QUIC_FT_STREAM1                              0x09
+#define NGX_QUIC_FT_STREAM2                              0x0A
+#define NGX_QUIC_FT_STREAM3                              0x0B
+#define NGX_QUIC_FT_STREAM4                              0x0C
+#define NGX_QUIC_FT_STREAM5                              0x0D
+#define NGX_QUIC_FT_STREAM6                              0x0E
+#define NGX_QUIC_FT_STREAM7                              0x0F
+#define NGX_QUIC_FT_MAX_DATA                             0x10
+#define NGX_QUIC_FT_MAX_STREAM_DATA                      0x11
+#define NGX_QUIC_FT_MAX_STREAMS                          0x12
+#define NGX_QUIC_FT_MAX_STREAMS2                         0x13
+#define NGX_QUIC_FT_DATA_BLOCKED                         0x14
+#define NGX_QUIC_FT_STREAM_DATA_BLOCKED                  0x15
+#define NGX_QUIC_FT_STREAMS_BLOCKED                      0x16
+#define NGX_QUIC_FT_STREAMS_BLOCKED2                     0x17
+#define NGX_QUIC_FT_NEW_CONNECTION_ID                    0x18
+#define NGX_QUIC_FT_RETIRE_CONNECTION_ID                 0x19
+#define NGX_QUIC_FT_PATH_CHALLENGE                       0x1A
+#define NGX_QUIC_FT_PATH_RESPONSE                        0x1B
+#define NGX_QUIC_FT_CONNECTION_CLOSE                     0x1C
+#define NGX_QUIC_FT_CONNECTION_CLOSE_APP                 0x1D
+#define NGX_QUIC_FT_HANDSHAKE_DONE                       0x1E
+
+#define NGX_QUIC_FT_LAST  NGX_QUIC_FT_HANDSHAKE_DONE
+
+/* 22.5.  QUIC Transport Error Codes Registry */
+#define NGX_QUIC_ERR_NO_ERROR                            0x00
+#define NGX_QUIC_ERR_INTERNAL_ERROR                      0x01
+#define NGX_QUIC_ERR_CONNECTION_REFUSED                  0x02
+#define NGX_QUIC_ERR_FLOW_CONTROL_ERROR                  0x03
+#define NGX_QUIC_ERR_STREAM_LIMIT_ERROR                  0x04
+#define NGX_QUIC_ERR_STREAM_STATE_ERROR                  0x05
+#define NGX_QUIC_ERR_FINAL_SIZE_ERROR                    0x06
+#define NGX_QUIC_ERR_FRAME_ENCODING_ERROR                0x07
+#define NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR           0x08
+#define NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR           0x09
+#define NGX_QUIC_ERR_PROTOCOL_VIOLATION                  0x0A
+#define NGX_QUIC_ERR_INVALID_TOKEN                       0x0B
+#define NGX_QUIC_ERR_APPLICATION_ERROR                   0x0C
+#define NGX_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED              0x0D
+#define NGX_QUIC_ERR_KEY_UPDATE_ERROR                    0x0E
+#define NGX_QUIC_ERR_AEAD_LIMIT_REACHED                  0x0F
+#define NGX_QUIC_ERR_NO_VIABLE_PATH                      0x10
+
+#define NGX_QUIC_ERR_CRYPTO_ERROR                       0x100
+
+#define NGX_QUIC_ERR_CRYPTO(e)  (NGX_QUIC_ERR_CRYPTO_ERROR + (e))
+
+
+/* 22.3.  QUIC Transport Parameters Registry */
+#define NGX_QUIC_TP_ORIGINAL_DCID                        0x00
+#define NGX_QUIC_TP_MAX_IDLE_TIMEOUT                     0x01
+#define NGX_QUIC_TP_SR_TOKEN                             0x02
+#define NGX_QUIC_TP_MAX_UDP_PAYLOAD_SIZE                 0x03
+#define NGX_QUIC_TP_INITIAL_MAX_DATA                     0x04
+#define NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL   0x05
+#define NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE  0x06
+#define NGX_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI          0x07
+#define NGX_QUIC_TP_INITIAL_MAX_STREAMS_BIDI             0x08
+#define NGX_QUIC_TP_INITIAL_MAX_STREAMS_UNI              0x09
+#define NGX_QUIC_TP_ACK_DELAY_EXPONENT                   0x0A
+#define NGX_QUIC_TP_MAX_ACK_DELAY                        0x0B
+#define NGX_QUIC_TP_DISABLE_ACTIVE_MIGRATION             0x0C
+#define NGX_QUIC_TP_PREFERRED_ADDRESS                    0x0D
+#define NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT           0x0E
+#define NGX_QUIC_TP_INITIAL_SCID                         0x0F
+#define NGX_QUIC_TP_RETRY_SCID                           0x10
+
+#define NGX_QUIC_CID_LEN_MIN                                8
+#define NGX_QUIC_CID_LEN_MAX                               20
+
+#define NGX_QUIC_MAX_RANGES                                10
+
+
+typedef struct {
+    uint64_t                                    gap;
+    uint64_t                                    range;
+} ngx_quic_ack_range_t;
+
+
+typedef struct {
+    uint64_t                                    largest;
+    uint64_t                                    delay;
+    uint64_t                                    range_count;
+    uint64_t                                    first_range;
+    uint64_t                                    ect0;
+    uint64_t                                    ect1;
+    uint64_t                                    ce;
+    uint64_t                                    ranges_length;
+} ngx_quic_ack_frame_t;
+
+
+typedef struct {
+    uint64_t                                    seqnum;
+    uint64_t                                    retire;
+    uint8_t                                     len;
+    u_char                                      cid[NGX_QUIC_CID_LEN_MAX];
+    u_char                                      srt[NGX_QUIC_SR_TOKEN_LEN];
+} ngx_quic_new_conn_id_frame_t;
+
+
+typedef struct {
+    uint64_t                                    length;
+} ngx_quic_new_token_frame_t;
+
+/*
+ * common layout for CRYPTO and STREAM frames;
+ * conceptually, CRYPTO frame is also a stream
+ * frame lacking some properties
+ */
+typedef struct {
+    uint64_t                                    offset;
+    uint64_t                                    length;
+} ngx_quic_ordered_frame_t;
+
+typedef ngx_quic_ordered_frame_t  ngx_quic_crypto_frame_t;
+
+
+typedef struct {
+    /* initial fields same as in ngx_quic_ordered_frame_t */
+    uint64_t                                    offset;
+    uint64_t                                    length;
+
+    uint64_t                                    stream_id;
+    unsigned                                    off:1;
+    unsigned                                    len:1;
+    unsigned                                    fin:1;
+} ngx_quic_stream_frame_t;
+
+
+typedef struct {
+    uint64_t                                    max_data;
+} ngx_quic_max_data_frame_t;
+
+
+typedef struct {
+    uint64_t                                    error_code;
+    uint64_t                                    frame_type;
+    ngx_str_t                                   reason;
+} ngx_quic_close_frame_t;
+
+
+typedef struct {
+    uint64_t                                    id;
+    uint64_t                                    error_code;
+    uint64_t                                    final_size;
+} ngx_quic_reset_stream_frame_t;
+
+
+typedef struct {
+    uint64_t                                    id;
+    uint64_t                                    error_code;
+} ngx_quic_stop_sending_frame_t;
+
+
+typedef struct {
+    uint64_t                                    limit;
+    ngx_uint_t                                  bidi;  /* unsigned: bidi:1 */
+} ngx_quic_streams_blocked_frame_t;
+
+
+typedef struct {
+    uint64_t                                    limit;
+    ngx_uint_t                                  bidi;  /* unsigned: bidi:1 */
+} ngx_quic_max_streams_frame_t;
+
+
+typedef struct {
+    uint64_t                                    id;
+    uint64_t                                    limit;
+} ngx_quic_max_stream_data_frame_t;
+
+
+typedef struct {
+    uint64_t                                    limit;
+} ngx_quic_data_blocked_frame_t;
+
+
+typedef struct {
+    uint64_t                                    id;
+    uint64_t                                    limit;
+} ngx_quic_stream_data_blocked_frame_t;
+
+
+typedef struct {
+    uint64_t                                    sequence_number;
+} ngx_quic_retire_cid_frame_t;
+
+
+typedef struct {
+    u_char                                      data[8];
+} ngx_quic_path_challenge_frame_t;
+
+
+typedef struct ngx_quic_frame_s                 ngx_quic_frame_t;
+
+struct ngx_quic_frame_s {
+    ngx_uint_t                                  type;
+    enum ssl_encryption_level_t                 level;
+    ngx_queue_t                                 queue;
+    uint64_t                                    pnum;
+    size_t                                      plen;
+    ngx_msec_t                                  first;
+    ngx_msec_t                                  last;
+    ssize_t                                     len;
+    unsigned                                    need_ack:1;
+    unsigned                                    pkt_need_ack:1;
+    unsigned                                    flush:1;
+
+    ngx_chain_t                                *data;
+    union {
+        ngx_quic_ack_frame_t                    ack;
+        ngx_quic_crypto_frame_t                 crypto;
+        ngx_quic_ordered_frame_t                ord;
+        ngx_quic_new_conn_id_frame_t            ncid;
+        ngx_quic_new_token_frame_t              token;
+        ngx_quic_stream_frame_t                 stream;
+        ngx_quic_max_data_frame_t               max_data;
+        ngx_quic_close_frame_t                  close;
+        ngx_quic_reset_stream_frame_t           reset_stream;
+        ngx_quic_stop_sending_frame_t           stop_sending;
+        ngx_quic_streams_blocked_frame_t        streams_blocked;
+        ngx_quic_max_streams_frame_t            max_streams;
+        ngx_quic_max_stream_data_frame_t        max_stream_data;
+        ngx_quic_data_blocked_frame_t           data_blocked;
+        ngx_quic_stream_data_blocked_frame_t    stream_data_blocked;
+        ngx_quic_retire_cid_frame_t             retire_cid;
+        ngx_quic_path_challenge_frame_t         path_challenge;
+        ngx_quic_path_challenge_frame_t         path_response;
+    } u;
+};
+
+
+typedef struct {
+    ngx_log_t                                  *log;
+    ngx_quic_path_t                            *path;
+
+    ngx_quic_keys_t                            *keys;
+
+    ngx_msec_t                                  received;
+    uint64_t                                    number;
+    uint8_t                                     num_len;
+    uint32_t                                    trunc;
+    uint8_t                                     flags;
+    uint32_t                                    version;
+    ngx_str_t                                   token;
+    enum ssl_encryption_level_t                 level;
+    ngx_uint_t                                  error;
+
+    /* filled in by parser */
+    ngx_buf_t                                  *raw;   /* udp datagram */
+
+    u_char                                     *data;  /* quic packet */
+    size_t                                      len;
+
+    /* cleartext fields */
+    ngx_str_t                                   odcid; /* retry packet tag */
+    u_char                                      odcid_buf[NGX_QUIC_MAX_CID_LEN];
+    ngx_str_t                                   dcid;
+    ngx_str_t                                   scid;
+    uint64_t                                    pn;
+    u_char                                     *plaintext;
+    ngx_str_t                                   payload; /* decrypted data */
+
+    unsigned                                    need_ack:1;
+    unsigned                                    key_phase:1;
+    unsigned                                    key_update:1;
+    unsigned                                    parsed:1;
+    unsigned                                    decrypted:1;
+    unsigned                                    validated:1;
+    unsigned                                    retried:1;
+    unsigned                                    first:1;
+    unsigned                                    rebound:1;
+} ngx_quic_header_t;
+
+
+typedef struct {
+    ngx_msec_t                 max_idle_timeout;
+    ngx_msec_t                 max_ack_delay;
+
+    size_t                     max_udp_payload_size;
+    size_t                     initial_max_data;
+    size_t                     initial_max_stream_data_bidi_local;
+    size_t                     initial_max_stream_data_bidi_remote;
+    size_t                     initial_max_stream_data_uni;
+    ngx_uint_t                 initial_max_streams_bidi;
+    ngx_uint_t                 initial_max_streams_uni;
+    ngx_uint_t                 ack_delay_exponent;
+    ngx_uint_t                 active_connection_id_limit;
+    ngx_flag_t                 disable_active_migration;
+
+    ngx_str_t                  original_dcid;
+    ngx_str_t                  initial_scid;
+    ngx_str_t                  retry_scid;
+    u_char                     sr_token[NGX_QUIC_SR_TOKEN_LEN];
+
+    /* TODO */
+    void                      *preferred_address;
+} ngx_quic_tp_t;
+
+
+ngx_int_t ngx_quic_parse_packet(ngx_quic_header_t *pkt);
+
+size_t ngx_quic_create_version_negotiation(ngx_quic_header_t *pkt, u_char *out);
+
+size_t ngx_quic_payload_size(ngx_quic_header_t *pkt, size_t pkt_len);
+
+size_t ngx_quic_create_header(ngx_quic_header_t *pkt, u_char *out,
+    u_char **pnp);
+
+size_t ngx_quic_create_retry_itag(ngx_quic_header_t *pkt, u_char *out,
+    u_char **start);
+
+ssize_t ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
+    ngx_quic_frame_t *frame);
+ssize_t ngx_quic_create_frame(u_char *p, ngx_quic_frame_t *f);
+
+ssize_t ngx_quic_parse_ack_range(ngx_log_t *log, u_char *start,
+    u_char *end, uint64_t *gap, uint64_t *range);
+size_t ngx_quic_create_ack_range(u_char *p, uint64_t gap, uint64_t range);
+
+ngx_int_t ngx_quic_init_transport_params(ngx_quic_tp_t *tp,
+    ngx_quic_conf_t *qcf);
+ngx_int_t ngx_quic_parse_transport_params(u_char *p, u_char *end,
+    ngx_quic_tp_t *tp, ngx_log_t *log);
+ssize_t ngx_quic_create_transport_params(u_char *p, u_char *end,
+    ngx_quic_tp_t *tp, size_t *clen);
+
+void ngx_quic_dcid_encode_key(u_char *dcid, uint64_t key);
+
+#endif /* _NGX_EVENT_QUIC_TRANSPORT_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_udp.c b/src/event/quic/ngx_event_quic_udp.c
new file mode 100644
--- /dev/null
+++ b/src/event/quic/ngx_event_quic_udp.c
@@ -0,0 +1,420 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+#include <ngx_event_quic_connection.h>
+
+
+static void ngx_quic_close_accepted_connection(ngx_connection_t *c);
+static ngx_connection_t *ngx_quic_lookup_connection(ngx_listening_t *ls,
+    ngx_str_t *key, struct sockaddr *local_sockaddr, socklen_t local_socklen);
+
+
+void
+ngx_quic_recvmsg(ngx_event_t *ev)
+{
+    ssize_t             n;
+    ngx_str_t           key;
+    ngx_buf_t           buf;
+    ngx_log_t          *log;
+    ngx_err_t           err;
+    socklen_t           socklen, local_socklen;
+    ngx_event_t        *rev, *wev;
+    struct iovec        iov[1];
+    struct msghdr       msg;
+    ngx_sockaddr_t      sa, lsa;
+    struct sockaddr    *sockaddr, *local_sockaddr;
+    ngx_listening_t    *ls;
+    ngx_event_conf_t   *ecf;
+    ngx_connection_t   *c, *lc;
+    ngx_quic_socket_t  *qsock;
+    static u_char       buffer[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+    u_char             msg_control[CMSG_SPACE(sizeof(ngx_addrinfo_t))];
+#endif
+
+    if (ev->timedout) {
+        if (ngx_enable_accept_events((ngx_cycle_t *) ngx_cycle) != NGX_OK) {
+            return;
+        }
+
+        ev->timedout = 0;
+    }
+
+    ecf = ngx_event_get_conf(ngx_cycle->conf_ctx, ngx_event_core_module);
+
+    if (!(ngx_event_flags & NGX_USE_KQUEUE_EVENT)) {
+        ev->available = ecf->multi_accept;
+    }
+
+    lc = ev->data;
+    ls = lc->listening;
+    ev->ready = 0;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
+                   "quic recvmsg on %V, ready: %d",
+                   &ls->addr_text, ev->available);
+
+    do {
+        ngx_memzero(&msg, sizeof(struct msghdr));
+
+        iov[0].iov_base = (void *) buffer;
+        iov[0].iov_len = sizeof(buffer);
+
+        msg.msg_name = &sa;
+        msg.msg_namelen = sizeof(ngx_sockaddr_t);
+        msg.msg_iov = iov;
+        msg.msg_iovlen = 1;
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+        if (ls->wildcard) {
+            msg.msg_control = &msg_control;
+            msg.msg_controllen = sizeof(msg_control);
+
+            ngx_memzero(&msg_control, sizeof(msg_control));
+        }
+#endif
+
+        n = recvmsg(lc->fd, &msg, 0);
+
+        if (n == -1) {
+            err = ngx_socket_errno;
+
+            if (err == NGX_EAGAIN) {
+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, err,
+                               "quic recvmsg() not ready");
+                return;
+            }
+
+            ngx_log_error(NGX_LOG_ALERT, ev->log, err, "quic recvmsg() failed");
+
+            return;
+        }
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+        if (msg.msg_flags & (MSG_TRUNC|MSG_CTRUNC)) {
+            ngx_log_error(NGX_LOG_ALERT, ev->log, 0,
+                          "quic recvmsg() truncated data");
+            continue;
+        }
+#endif
+
+        sockaddr = msg.msg_name;
+        socklen = msg.msg_namelen;
+
+        if (socklen > (socklen_t) sizeof(ngx_sockaddr_t)) {
+            socklen = sizeof(ngx_sockaddr_t);
+        }
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+        if (sockaddr->sa_family == AF_UNIX) {
+            struct sockaddr_un *saun = (struct sockaddr_un *) sockaddr;
+
+            if (socklen <= (socklen_t) offsetof(struct sockaddr_un, sun_path)
+                || saun->sun_path[0] == '\0')
+            {
+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
+                               "unbound unix socket");
+                goto next;
+            }
+        }
+
+#endif
+
+        local_sockaddr = ls->sockaddr;
+        local_socklen = ls->socklen;
+
+#if (NGX_HAVE_ADDRINFO_CMSG)
+
+        if (ls->wildcard) {
+            struct cmsghdr  *cmsg;
+
+            ngx_memcpy(&lsa, local_sockaddr, local_socklen);
+            local_sockaddr = &lsa.sockaddr;
+
+            for (cmsg = CMSG_FIRSTHDR(&msg);
+                 cmsg != NULL;
+                 cmsg = CMSG_NXTHDR(&msg, cmsg))
+            {
+                if (ngx_get_srcaddr_cmsg(cmsg, local_sockaddr) == NGX_OK) {
+                    break;
+                }
+            }
+        }
+
+#endif
+
+        if (ngx_quic_get_packet_dcid(ev->log, buffer, n, &key) != NGX_OK) {
+            goto next;
+        }
+
+        c = ngx_quic_lookup_connection(ls, &key, local_sockaddr, local_socklen);
+
+        if (c) {
+
+#if (NGX_DEBUG)
+            if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
+                ngx_log_handler_pt  handler;
+
+                handler = c->log->handler;
+                c->log->handler = NULL;
+
+                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                               "quic recvmsg: fd:%d n:%z", c->fd, n);
+
+                c->log->handler = handler;
+            }
+#endif
+
+            ngx_memzero(&buf, sizeof(ngx_buf_t));
+
+            buf.pos = buffer;
+            buf.last = buffer + n;
+            buf.start = buf.pos;
+            buf.end = buffer + sizeof(buffer);
+
+            qsock = ngx_quic_get_socket(c);
+
+            ngx_memcpy(&qsock->sockaddr.sockaddr, sockaddr, socklen);
+            qsock->socklen = socklen;
+
+            c->udp->buffer = &buf;
+
+            rev = c->read;
+            rev->ready = 1;
+            rev->active = 0;
+
+            rev->handler(rev);
+
+            if (c->udp) {
+                c->udp->buffer = NULL;
+            }
+
+            rev->ready = 0;
+            rev->active = 1;
+
+            goto next;
+        }
+
+#if (NGX_STAT_STUB)
+        (void) ngx_atomic_fetch_add(ngx_stat_accepted, 1);
+#endif
+
+        ngx_accept_disabled = ngx_cycle->connection_n / 8
+                              - ngx_cycle->free_connection_n;
+
+        c = ngx_get_connection(lc->fd, ev->log);
+        if (c == NULL) {
+            return;
+        }
+
+        c->shared = 1;
+        c->type = SOCK_DGRAM;
+        c->socklen = socklen;
+
+#if (NGX_STAT_STUB)
+        (void) ngx_atomic_fetch_add(ngx_stat_active, 1);
+#endif
+
+        c->pool = ngx_create_pool(ls->pool_size, ev->log);
+        if (c->pool == NULL) {
+            ngx_quic_close_accepted_connection(c);
+            return;
+        }
+
+        c->sockaddr = ngx_palloc(c->pool, NGX_SOCKADDRLEN);
+        if (c->sockaddr == NULL) {
+            ngx_quic_close_accepted_connection(c);
+            return;
+        }
+
+        ngx_memcpy(c->sockaddr, sockaddr, socklen);
+
+        log = ngx_palloc(c->pool, sizeof(ngx_log_t));
+        if (log == NULL) {
+            ngx_quic_close_accepted_connection(c);
+            return;
+        }
+
+        *log = ls->log;
+
+        c->log = log;
+        c->pool->log = log;
+        c->listening = ls;
+
+        if (local_sockaddr == &lsa.sockaddr) {
+            local_sockaddr = ngx_palloc(c->pool, local_socklen);
+            if (local_sockaddr == NULL) {
+                ngx_quic_close_accepted_connection(c);
+                return;
+            }
+
+            ngx_memcpy(local_sockaddr, &lsa, local_socklen);
+        }
+
+        c->local_sockaddr = local_sockaddr;
+        c->local_socklen = local_socklen;
+
+        c->buffer = ngx_create_temp_buf(c->pool, n);
+        if (c->buffer == NULL) {
+            ngx_quic_close_accepted_connection(c);
+            return;
+        }
+
+        c->buffer->last = ngx_cpymem(c->buffer->last, buffer, n);
+
+        rev = c->read;
+        wev = c->write;
+
+        rev->active = 1;
+        wev->ready = 1;
+
+        rev->log = log;
+        wev->log = log;
+
+        /*
+         * TODO: MT: - ngx_atomic_fetch_add()
+         *             or protection by critical section or light mutex
+         *
+         * TODO: MP: - allocated in a shared memory
+         *           - ngx_atomic_fetch_add()
+         *             or protection by critical section or light mutex
+         */
+
+        c->number = ngx_atomic_fetch_add(ngx_connection_counter, 1);
+
+        c->start_time = ngx_current_msec;
+
+#if (NGX_STAT_STUB)
+        (void) ngx_atomic_fetch_add(ngx_stat_handled, 1);
+#endif
+
+        if (ls->addr_ntop) {
+            c->addr_text.data = ngx_pnalloc(c->pool, ls->addr_text_max_len);
+            if (c->addr_text.data == NULL) {
+                ngx_quic_close_accepted_connection(c);
+                return;
+            }
+
+            c->addr_text.len = ngx_sock_ntop(c->sockaddr, c->socklen,
+                                             c->addr_text.data,
+                                             ls->addr_text_max_len, 0);
+            if (c->addr_text.len == 0) {
+                ngx_quic_close_accepted_connection(c);
+                return;
+            }
+        }
+
+#if (NGX_DEBUG)
+        {
+        ngx_str_t  addr;
+        u_char     text[NGX_SOCKADDR_STRLEN];
+
+        ngx_debug_accepted_connection(ecf, c);
+
+        if (log->log_level & NGX_LOG_DEBUG_EVENT) {
+            addr.data = text;
+            addr.len = ngx_sock_ntop(c->sockaddr, c->socklen, text,
+                                     NGX_SOCKADDR_STRLEN, 1);
+
+            ngx_log_debug4(NGX_LOG_DEBUG_EVENT, log, 0,
+                           "*%uA quic recvmsg: %V fd:%d n:%z",
+                           c->number, &addr, c->fd, n);
+        }
+
+        }
+#endif
+
+        log->data = NULL;
+        log->handler = NULL;
+
+        ls->handler(c);
+
+    next:
+
+        if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) {
+            ev->available -= n;
+        }
+
+    } while (ev->available);
+}
+
+
+static void
+ngx_quic_close_accepted_connection(ngx_connection_t *c)
+{
+    ngx_free_connection(c);
+
+    c->fd = (ngx_socket_t) -1;
+
+    if (c->pool) {
+        ngx_destroy_pool(c->pool);
+    }
+
+#if (NGX_STAT_STUB)
+    (void) ngx_atomic_fetch_add(ngx_stat_active, -1);
+#endif
+}
+
+
+static ngx_connection_t *
+ngx_quic_lookup_connection(ngx_listening_t *ls, ngx_str_t *key,
+    struct sockaddr *local_sockaddr, socklen_t local_socklen)
+{
+    uint32_t            hash;
+    ngx_int_t           rc;
+    ngx_connection_t   *c;
+    ngx_rbtree_node_t  *node, *sentinel;
+    ngx_quic_socket_t  *qsock;
+
+    if (key->len == 0) {
+        return NULL;
+    }
+
+    node = ls->rbtree.root;
+    sentinel = ls->rbtree.sentinel;
+    hash = ngx_crc32_long(key->data, key->len);
+
+    while (node != sentinel) {
+
+        if (hash < node->key) {
+            node = node->left;
+            continue;
+        }
+
+        if (hash > node->key) {
+            node = node->right;
+            continue;
+        }
+
+        /* hash == node->key */
+
+        qsock = (ngx_quic_socket_t *) node;
+
+        rc = ngx_memn2cmp(key->data, qsock->sid.id, key->len, qsock->sid.len);
+
+        c = qsock->udp.connection;
+
+        if (rc == 0 && ls->wildcard) {
+            rc = ngx_cmp_sockaddr(local_sockaddr, local_socklen,
+                                  c->local_sockaddr, c->local_socklen, 1);
+        }
+
+        if (rc == 0) {
+            c->udp = &qsock->udp;
+            return c;
+        }
+
+        node = (rc < 0) ? node->left : node->right;
+    }
+
+    return NULL;
+}
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -9,6 +9,10 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
+#if (NGX_QUIC_OPENSSL_COMPAT)
+#include <ngx_event_quic_openssl_compat.h>
+#endif
+
 
 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
     ngx_pool_t *pool, ngx_str_t *s);
@@ -52,6 +56,10 @@ static char *ngx_http_ssl_conf_command_c
     void *data);
 
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
+#if (NGX_QUIC_OPENSSL_COMPAT)
+static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
+    ngx_http_conf_addr_t *addr);
+#endif
 
 
 static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
@@ -419,16 +427,19 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t 
     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
     void *arg)
 {
-    unsigned int            srvlen;
-    unsigned char          *srv;
+    unsigned int             srvlen;
+    unsigned char           *srv;
 #if (NGX_DEBUG)
-    unsigned int            i;
+    unsigned int             i;
 #endif
-#if (NGX_HTTP_V2)
-    ngx_http_connection_t  *hc;
+#if (NGX_HTTP_V2 || NGX_HTTP_V3)
+    ngx_http_connection_t   *hc;
 #endif
-#if (NGX_HTTP_V2 || NGX_DEBUG)
-    ngx_connection_t       *c;
+#if (NGX_HTTP_V3)
+    ngx_http_v3_srv_conf_t  *h3scf;
+#endif
+#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
+    ngx_connection_t        *c;
 
     c = ngx_ssl_get_connection(ssl_conn);
 #endif
@@ -441,14 +452,41 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t 
     }
 #endif
 
-#if (NGX_HTTP_V2)
+#if (NGX_HTTP_V2 || NGX_HTTP_V3)
     hc = c->data;
+#endif
 
+#if (NGX_HTTP_V2)
     if (hc->addr_conf->http2) {
         srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
         srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
     } else
 #endif
+#if (NGX_HTTP_V3)
+    if (hc->addr_conf->quic) {
+
+        h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);
+
+        if (h3scf->enable && h3scf->enable_hq) {
+            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
+                                    NGX_HTTP_V3_HQ_ALPN_PROTO;
+            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
+                     - 1;
+
+        } else if (h3scf->enable_hq) {
+            srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
+            srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;
+
+        } else if (h3scf->enable) {
+            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
+            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;
+
+        } else {
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+
+    } else
+#endif
     {
         srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
         srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
@@ -1241,6 +1279,7 @@ static ngx_int_t
 ngx_http_ssl_init(ngx_conf_t *cf)
 {
     ngx_uint_t                   a, p, s;
+    const char                  *name;
     ngx_http_conf_addr_t        *addr;
     ngx_http_conf_port_t        *port;
     ngx_http_ssl_srv_conf_t     *sscf;
@@ -1290,22 +1329,44 @@ ngx_http_ssl_init(ngx_conf_t *cf)
         addr = port[p].addrs.elts;
         for (a = 0; a < port[p].addrs.nelts; a++) {
 
-            if (!addr[a].opt.ssl) {
+            if (!addr[a].opt.ssl && !addr[a].opt.quic) {
                 continue;
             }
 
+            if (addr[a].opt.quic) {
+                name = "quic";
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+                if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) {
+                    return NGX_ERROR;
+                }
+#endif
+
+            } else {
+                name = "ssl";
+            }
+
             cscf = addr[a].default_server;
             sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
 
             if (sscf->certificates) {
+
+                if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
+                    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                                  "\"ssl_protocols\" must enable TLSv1.3 for "
+                                  "the \"listen ... %s\" directive in %s:%ui",
+                                  name, cscf->file_name, cscf->line);
+                    return NGX_ERROR;
+                }
+
                 continue;
             }
 
             if (!sscf->reject_handshake) {
                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                               "no \"ssl_certificate\" is defined for "
-                              "the \"listen ... ssl\" directive in %s:%ui",
-                              cscf->file_name, cscf->line);
+                              "the \"listen ... %s\" directive in %s:%ui",
+                              name, cscf->file_name, cscf->line);
                 return NGX_ERROR;
             }
 
@@ -1326,8 +1387,8 @@ ngx_http_ssl_init(ngx_conf_t *cf)
 
                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                               "no \"ssl_certificate\" is defined for "
-                              "the \"listen ... ssl\" directive in %s:%ui",
-                              cscf->file_name, cscf->line);
+                              "the \"listen ... %s\" directive in %s:%ui",
+                              name, cscf->file_name, cscf->line);
                 return NGX_ERROR;
             }
         }
@@ -1335,3 +1396,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
 
     return NGX_OK;
 }
+
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+
+static ngx_int_t
+ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
+{
+    ngx_uint_t                  s;
+    ngx_http_ssl_srv_conf_t    *sscf;
+    ngx_http_core_srv_conf_t  **cscfp, *cscf;
+
+    cscfp = addr->servers.elts;
+    for (s = 0; s < addr->servers.nelts; s++) {
+
+        cscf = cscfp[s];
+        sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+        if (sscf->certificates || sscf->reject_handshake) {
+            if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
+                return NGX_ERROR;
+            }
+        }
+    }
+
+    return NGX_OK;
+}
+
+#endif
diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -1200,7 +1200,10 @@ ngx_http_add_listen(ngx_conf_t *cf, ngx_
     port = cmcf->ports->elts;
     for (i = 0; i < cmcf->ports->nelts; i++) {
 
-        if (p != port[i].port || sa->sa_family != port[i].family) {
+        if (p != port[i].port
+            || lsopt->type != port[i].type
+            || sa->sa_family != port[i].family)
+        {
             continue;
         }
 
@@ -1217,6 +1220,7 @@ ngx_http_add_listen(ngx_conf_t *cf, ngx_
     }
 
     port->family = sa->sa_family;
+    port->type = lsopt->type;
     port->port = p;
     port->addrs.elts = NULL;
 
@@ -1237,6 +1241,9 @@ ngx_http_add_addresses(ngx_conf_t *cf, n
 #if (NGX_HTTP_V2)
     ngx_uint_t             http2;
 #endif
+#if (NGX_HTTP_V3)
+    ngx_uint_t             quic;
+#endif
 
     /*
      * we cannot compare whole sockaddr struct's as kernel
@@ -1278,6 +1285,9 @@ ngx_http_add_addresses(ngx_conf_t *cf, n
         protocols |= lsopt->http2 << 2;
         protocols_prev |= addr[i].opt.http2 << 2;
 #endif
+#if (NGX_HTTP_V3)
+        quic = lsopt->quic || addr[i].opt.quic;
+#endif
 
         if (lsopt->set) {
 
@@ -1365,6 +1375,9 @@ ngx_http_add_addresses(ngx_conf_t *cf, n
 #if (NGX_HTTP_V2)
         addr[i].opt.http2 = http2;
 #endif
+#if (NGX_HTTP_V3)
+        addr[i].opt.quic = quic;
+#endif
 
         return NGX_OK;
     }
@@ -1831,6 +1844,7 @@ ngx_http_add_listening(ngx_conf_t *cf, n
     }
 #endif
 
+    ls->type = addr->opt.type;
     ls->backlog = addr->opt.backlog;
     ls->rcvbuf = addr->opt.rcvbuf;
     ls->sndbuf = addr->opt.sndbuf;
@@ -1866,6 +1880,12 @@ ngx_http_add_listening(ngx_conf_t *cf, n
     ls->reuseport = addr->opt.reuseport;
 #endif
 
+    ls->wildcard = addr->opt.wildcard;
+
+#if (NGX_HTTP_V3)
+    ls->quic = addr->opt.quic;
+#endif
+
     return ls;
 }
 
@@ -1898,6 +1918,9 @@ ngx_http_add_addrs(ngx_conf_t *cf, ngx_h
 #if (NGX_HTTP_V2)
         addrs[i].conf.http2 = addr[i].opt.http2;
 #endif
+#if (NGX_HTTP_V3)
+        addrs[i].conf.quic = addr[i].opt.quic;
+#endif
         addrs[i].conf.proxy_protocol = addr[i].opt.proxy_protocol;
 
         if (addr[i].hash.buckets == NULL
@@ -1963,6 +1986,9 @@ ngx_http_add_addrs6(ngx_conf_t *cf, ngx_
 #if (NGX_HTTP_V2)
         addrs6[i].conf.http2 = addr[i].opt.http2;
 #endif
+#if (NGX_HTTP_V3)
+        addrs6[i].conf.quic = addr[i].opt.quic;
+#endif
         addrs6[i].conf.proxy_protocol = addr[i].opt.proxy_protocol;
 
         if (addr[i].hash.buckets == NULL
diff --git a/src/http/ngx_http.h b/src/http/ngx_http.h
--- a/src/http/ngx_http.h
+++ b/src/http/ngx_http.h
@@ -20,6 +20,8 @@ typedef struct ngx_http_file_cache_s  ng
 typedef struct ngx_http_log_ctx_s     ngx_http_log_ctx_t;
 typedef struct ngx_http_chunked_s     ngx_http_chunked_t;
 typedef struct ngx_http_v2_stream_s   ngx_http_v2_stream_t;
+typedef struct ngx_http_v3_parse_s    ngx_http_v3_parse_t;
+typedef struct ngx_http_v3_session_s  ngx_http_v3_session_t;
 
 typedef ngx_int_t (*ngx_http_header_handler_pt)(ngx_http_request_t *r,
     ngx_table_elt_t *h, ngx_uint_t offset);
@@ -38,6 +40,9 @@ typedef u_char *(*ngx_http_log_handler_p
 #if (NGX_HTTP_V2)
 #include <ngx_http_v2.h>
 #endif
+#if (NGX_HTTP_V3)
+#include <ngx_http_v3.h>
+#endif
 #if (NGX_HTTP_CACHE)
 #include <ngx_http_cache.h>
 #endif
@@ -124,6 +129,11 @@ void ngx_http_handler(ngx_http_request_t
 void ngx_http_run_posted_requests(ngx_connection_t *c);
 ngx_int_t ngx_http_post_request(ngx_http_request_t *r,
     ngx_http_posted_request_t *pr);
+ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
+    ngx_str_t *host);
+ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
+    ngx_uint_t alloc);
+void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_free_request(ngx_http_request_t *r, ngx_int_t rc);
 
@@ -167,7 +177,7 @@ ngx_uint_t  ngx_http_degraded(ngx_http_r
 #endif
 
 
-#if (NGX_HTTP_V2)
+#if (NGX_HTTP_V2 || NGX_HTTP_V3)
 ngx_int_t ngx_http_huff_decode(u_char *state, u_char *src, size_t len,
     u_char **dst, ngx_uint_t last, ngx_log_t *log);
 size_t ngx_http_huff_encode(u_char *src, size_t len, u_char *dst,
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -3005,6 +3005,7 @@ ngx_http_core_server(ngx_conf_t *cf, ngx
         lsopt.socklen = sizeof(struct sockaddr_in);
 
         lsopt.backlog = NGX_LISTEN_BACKLOG;
+        lsopt.type = SOCK_STREAM;
         lsopt.rcvbuf = -1;
         lsopt.sndbuf = -1;
 #if (NGX_HAVE_SETFIB)
@@ -3986,6 +3987,7 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx
     ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
 
     lsopt.backlog = NGX_LISTEN_BACKLOG;
+    lsopt.type = SOCK_STREAM;
     lsopt.rcvbuf = -1;
     lsopt.sndbuf = -1;
 #if (NGX_HAVE_SETFIB)
@@ -4184,6 +4186,19 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx
 #endif
         }
 
+        if (ngx_strcmp(value[n].data, "quic") == 0) {
+#if (NGX_HTTP_V3)
+            lsopt.quic = 1;
+            lsopt.type = SOCK_DGRAM;
+            continue;
+#else
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "the \"quic\" parameter requires "
+                               "ngx_http_v3_module");
+            return NGX_CONF_ERROR;
+#endif
+        }
+
         if (ngx_strncmp(value[n].data, "so_keepalive=", 13) == 0) {
 
             if (ngx_strcmp(&value[n].data[13], "on") == 0) {
@@ -4285,6 +4300,28 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx
         return NGX_CONF_ERROR;
     }
 
+#if (NGX_HTTP_V3)
+
+    if (lsopt.quic) {
+#if (NGX_HTTP_SSL)
+        if (lsopt.ssl) {
+            return "\"ssl\" parameter is incompatible with \"quic\"";
+        }
+#endif
+
+#if (NGX_HTTP_V2)
+        if (lsopt.http2) {
+            return "\"http2\" parameter is incompatible with \"quic\"";
+        }
+#endif
+
+        if (lsopt.proxy_protocol) {
+            return "\"proxy_protocol\" parameter is incompatible with \"quic\"";
+        }
+    }
+
+#endif
+
     for (n = 0; n < u.naddrs; n++) {
 
         for (i = 0; i < n; i++) {
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -75,6 +75,7 @@ typedef struct {
     unsigned                   wildcard:1;
     unsigned                   ssl:1;
     unsigned                   http2:1;
+    unsigned                   quic:1;
 #if (NGX_HAVE_INET6)
     unsigned                   ipv6only:1;
 #endif
@@ -86,6 +87,7 @@ typedef struct {
     int                        backlog;
     int                        rcvbuf;
     int                        sndbuf;
+    int                        type;
 #if (NGX_HAVE_SETFIB)
     int                        setfib;
 #endif
@@ -237,6 +239,7 @@ struct ngx_http_addr_conf_s {
 
     unsigned                   ssl:1;
     unsigned                   http2:1;
+    unsigned                   quic:1;
     unsigned                   proxy_protocol:1;
 };
 
@@ -266,6 +269,7 @@ typedef struct {
 
 typedef struct {
     ngx_int_t                  family;
+    ngx_int_t                  type;
     in_port_t                  port;
     ngx_array_t                addrs;     /* array of ngx_http_conf_addr_t */
 } ngx_http_conf_port_t;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -29,10 +29,6 @@ static ngx_int_t ngx_http_process_connec
 static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r,
     ngx_table_elt_t *h, ngx_uint_t offset);
 
-static ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
-    ngx_uint_t alloc);
-static ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
-    ngx_str_t *host);
 static ngx_int_t ngx_http_find_virtual_server(ngx_connection_t *c,
     ngx_http_virtual_names_t *virtual_names, ngx_str_t *host,
     ngx_http_request_t *r, ngx_http_core_srv_conf_t **cscfp);
@@ -50,7 +46,6 @@ static void ngx_http_keepalive_handler(n
 static void ngx_http_set_lingering_close(ngx_connection_t *c);
 static void ngx_http_lingering_close_handler(ngx_event_t *ev);
 static ngx_int_t ngx_http_post_action(ngx_http_request_t *r);
-static void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t error);
 static void ngx_http_log_request(ngx_http_request_t *r);
 
 static u_char *ngx_http_log_error(ngx_log_t *log, u_char *buf, size_t len);
@@ -329,6 +324,13 @@ ngx_http_init_connection(ngx_connection_
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (hc->addr_conf->quic) {
+        ngx_http_v3_init_stream(c);
+        return;
+    }
+#endif
+
 #if (NGX_HTTP_SSL)
     {
     ngx_http_ssl_srv_conf_t  *sscf;
@@ -950,6 +952,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 #ifdef SSL_OP_NO_RENEGOTIATION
         SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
 #endif
+
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+#if (NGX_HTTP_V3)
+        if (c->listening->quic) {
+            SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+        }
+#endif
+#endif
     }
 
 done:
@@ -2095,7 +2105,7 @@ ngx_http_process_request(ngx_http_reques
 }
 
 
-static ngx_int_t
+ngx_int_t
 ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
     u_char  *h, ch;
@@ -2187,7 +2197,7 @@ ngx_http_validate_host(ngx_str_t *host, 
 }
 
 
-static ngx_int_t
+ngx_int_t
 ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
 {
     ngx_int_t                  rc;
@@ -2710,6 +2720,13 @@ ngx_http_finalize_connection(ngx_http_re
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (r->connection->quic) {
+        ngx_http_close_request(r, 0);
+        return;
+    }
+#endif
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (r->main->count != 1) {
@@ -2925,6 +2942,20 @@ ngx_http_test_reading(ngx_http_request_t
 
 #endif
 
+#if (NGX_HTTP_V3)
+
+    if (c->quic) {
+        if (rev->error) {
+            c->error = 1;
+            err = 0;
+            goto closed;
+        }
+
+        return;
+    }
+
+#endif
+
 #if (NGX_HAVE_KQUEUE)
 
     if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) {
@@ -3590,7 +3621,7 @@ ngx_http_post_action(ngx_http_request_t 
 }
 
 
-static void
+void
 ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc)
 {
     ngx_connection_t  *c;
@@ -3677,7 +3708,12 @@ ngx_http_free_request(ngx_http_request_t
 
     log->action = "closing request";
 
-    if (r->connection->timedout) {
+    if (r->connection->timedout
+#if (NGX_HTTP_V3)
+        && r->connection->quic == NULL
+#endif
+       )
+    {
         clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
         if (clcf->reset_timedout_connection) {
@@ -3750,6 +3786,12 @@ ngx_http_close_connection(ngx_connection
 
 #endif
 
+#if (NGX_HTTP_V3)
+    if (c->quic) {
+        ngx_http_v3_reset_stream(c);
+    }
+#endif
+
 #if (NGX_STAT_STUB)
     (void) ngx_atomic_fetch_add(ngx_stat_active, -1);
 #endif
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -24,6 +24,7 @@
 #define NGX_HTTP_VERSION_10                1000
 #define NGX_HTTP_VERSION_11                1001
 #define NGX_HTTP_VERSION_20                2000
+#define NGX_HTTP_VERSION_30                3000
 
 #define NGX_HTTP_UNKNOWN                   0x00000001
 #define NGX_HTTP_GET                       0x00000002
@@ -323,6 +324,10 @@ typedef struct {
 #endif
 #endif
 
+#if (NGX_HTTP_V3 || NGX_COMPAT)
+    ngx_http_v3_session_t            *v3_session;
+#endif
+
     ngx_chain_t                      *busy;
     ngx_int_t                         nbusy;
 
@@ -451,6 +456,7 @@ struct ngx_http_request_s {
 
     ngx_http_connection_t            *http_connection;
     ngx_http_v2_stream_t             *stream;
+    ngx_http_v3_parse_t              *v3_parse;
 
     ngx_http_log_handler_pt           log_handler;
 
@@ -543,6 +549,7 @@ struct ngx_http_request_s {
     unsigned                          request_complete:1;
     unsigned                          request_output:1;
     unsigned                          header_sent:1;
+    unsigned                          response_sent:1;
     unsigned                          expect_tested:1;
     unsigned                          root_tested:1;
     unsigned                          done:1;
diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -92,6 +92,13 @@ ngx_http_read_client_request_body(ngx_ht
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (r->http_version == NGX_HTTP_VERSION_30) {
+        rc = ngx_http_v3_read_request_body(r);
+        goto done;
+    }
+#endif
+
     preread = r->header_in->last - r->header_in->pos;
 
     if (preread) {
@@ -238,6 +245,18 @@ ngx_http_read_unbuffered_request_body(ng
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (r->http_version == NGX_HTTP_VERSION_30) {
+        rc = ngx_http_v3_read_unbuffered_request_body(r);
+
+        if (rc == NGX_OK) {
+            r->reading_body = 0;
+        }
+
+        return rc;
+    }
+#endif
+
     if (r->connection->read->timedout) {
         r->connection->timedout = 1;
         return NGX_HTTP_REQUEST_TIME_OUT;
@@ -625,6 +644,12 @@ ngx_http_discard_request_body(ngx_http_r
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (r->http_version == NGX_HTTP_VERSION_30) {
+        return NGX_OK;
+    }
+#endif
+
     if (ngx_http_test_expect(r) != NGX_OK) {
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
@@ -921,6 +946,9 @@ ngx_http_test_expect(ngx_http_request_t 
 #if (NGX_HTTP_V2)
         || r->stream != NULL
 #endif
+#if (NGX_HTTP_V3)
+        || r->connection->quic != NULL
+#endif
        )
     {
         return NGX_OK;
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -521,6 +521,13 @@ ngx_http_upstream_init(ngx_http_request_
     }
 #endif
 
+#if (NGX_HTTP_V3)
+    if (c->quic) {
+        ngx_http_upstream_init_request(r);
+        return;
+    }
+#endif
+
     if (c->read->timer_set) {
         ngx_del_timer(c->read);
     }
@@ -1354,6 +1361,19 @@ ngx_http_upstream_check_broken_connectio
     }
 #endif
 
+#if (NGX_HTTP_V3)
+
+    if (c->quic) {
+        if (c->write->error) {
+            ngx_http_upstream_finalize_request(r, u,
+                                               NGX_HTTP_CLIENT_CLOSED_REQUEST);
+        }
+
+        return;
+    }
+
+#endif
+
 #if (NGX_HAVE_KQUEUE)
 
     if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) {
diff --git a/src/http/ngx_http_write_filter_module.c b/src/http/ngx_http_write_filter_module.c
--- a/src/http/ngx_http_write_filter_module.c
+++ b/src/http/ngx_http_write_filter_module.c
@@ -240,6 +240,10 @@ ngx_http_write_filter(ngx_http_request_t
             r->out = NULL;
             c->buffered &= ~NGX_HTTP_WRITE_BUFFERED;
 
+            if (last) {
+                r->response_sent = 1;
+            }
+
             return NGX_OK;
         }
 
@@ -346,6 +350,10 @@ ngx_http_write_filter(ngx_http_request_t
 
     c->buffered &= ~NGX_HTTP_WRITE_BUFFERED;
 
+    if (last) {
+        r->response_sent = 1;
+    }
+
     if ((c->buffered & NGX_LOWLEVEL_BUFFERED) && r->postponed == NULL) {
         return NGX_AGAIN;
     }
diff --git a/src/http/v3/ngx_http_v3.c b/src/http/v3/ngx_http_v3.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3.c
@@ -0,0 +1,109 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+static void ngx_http_v3_keepalive_handler(ngx_event_t *ev);
+static void ngx_http_v3_cleanup_session(void *data);
+
+
+ngx_int_t
+ngx_http_v3_init_session(ngx_connection_t *c)
+{
+    ngx_pool_cleanup_t     *cln;
+    ngx_http_connection_t  *hc;
+    ngx_http_v3_session_t  *h3c;
+
+    hc = c->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 init session");
+
+    h3c = ngx_pcalloc(c->pool, sizeof(ngx_http_v3_session_t));
+    if (h3c == NULL) {
+        goto failed;
+    }
+
+    ngx_queue_init(&h3c->blocked);
+
+    h3c->keepalive.log = c->log;
+    h3c->keepalive.data = c;
+    h3c->keepalive.handler = ngx_http_v3_keepalive_handler;
+
+    h3c->table.send_insert_count.log = c->log;
+    h3c->table.send_insert_count.data = c;
+    h3c->table.send_insert_count.handler = ngx_http_v3_inc_insert_count_handler;
+
+    cln = ngx_pool_cleanup_add(c->pool, 0);
+    if (cln == NULL) {
+        goto failed;
+    }
+
+    cln->handler = ngx_http_v3_cleanup_session;
+    cln->data = h3c;
+
+    hc->v3_session = h3c;
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to create http3 session");
+    return NGX_ERROR;
+}
+
+
+static void
+ngx_http_v3_keepalive_handler(ngx_event_t *ev)
+{
+    ngx_connection_t  *c;
+
+    c = ev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 keepalive handler");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+                                    "keepalive timeout");
+}
+
+
+static void
+ngx_http_v3_cleanup_session(void *data)
+{
+    ngx_http_v3_session_t  *h3c = data;
+
+    ngx_http_v3_cleanup_table(h3c);
+
+    if (h3c->keepalive.timer_set) {
+        ngx_del_timer(&h3c->keepalive);
+    }
+
+    if (h3c->table.send_insert_count.posted) {
+        ngx_delete_posted_event(&h3c->table.send_insert_count);
+    }
+}
+
+
+ngx_int_t
+ngx_http_v3_check_flood(ngx_connection_t *c)
+{
+    ngx_http_v3_session_t  *h3c;
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (h3c->total_bytes / 8 > h3c->payload_bytes + 1048576) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "http3 flood detected");
+
+        ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+                                        "HTTP/3 flood detected");
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
diff --git a/src/http/v3/ngx_http_v3.h b/src/http/v3/ngx_http_v3.h
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3.h
@@ -0,0 +1,157 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_HTTP_V3_H_INCLUDED_
+#define _NGX_HTTP_V3_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+#include <ngx_http_v3_parse.h>
+#include <ngx_http_v3_encode.h>
+#include <ngx_http_v3_uni.h>
+#include <ngx_http_v3_table.h>
+
+
+#define NGX_HTTP_V3_ALPN_PROTO                     "\x02h3"
+#define NGX_HTTP_V3_HQ_ALPN_PROTO                  "\x0Ahq-interop"
+#define NGX_HTTP_V3_HQ_PROTO                       "hq-interop"
+
+#define NGX_HTTP_V3_VARLEN_INT_LEN                 4
+#define NGX_HTTP_V3_PREFIX_INT_LEN                 11
+
+#define NGX_HTTP_V3_STREAM_CONTROL                 0x00
+#define NGX_HTTP_V3_STREAM_PUSH                    0x01
+#define NGX_HTTP_V3_STREAM_ENCODER                 0x02
+#define NGX_HTTP_V3_STREAM_DECODER                 0x03
+
+#define NGX_HTTP_V3_FRAME_DATA                     0x00
+#define NGX_HTTP_V3_FRAME_HEADERS                  0x01
+#define NGX_HTTP_V3_FRAME_CANCEL_PUSH              0x03
+#define NGX_HTTP_V3_FRAME_SETTINGS                 0x04
+#define NGX_HTTP_V3_FRAME_PUSH_PROMISE             0x05
+#define NGX_HTTP_V3_FRAME_GOAWAY                   0x07
+#define NGX_HTTP_V3_FRAME_MAX_PUSH_ID              0x0d
+
+#define NGX_HTTP_V3_PARAM_MAX_TABLE_CAPACITY       0x01
+#define NGX_HTTP_V3_PARAM_MAX_FIELD_SECTION_SIZE   0x06
+#define NGX_HTTP_V3_PARAM_BLOCKED_STREAMS          0x07
+
+#define NGX_HTTP_V3_MAX_TABLE_CAPACITY             4096
+
+#define NGX_HTTP_V3_STREAM_CLIENT_CONTROL          0
+#define NGX_HTTP_V3_STREAM_SERVER_CONTROL          1
+#define NGX_HTTP_V3_STREAM_CLIENT_ENCODER          2
+#define NGX_HTTP_V3_STREAM_SERVER_ENCODER          3
+#define NGX_HTTP_V3_STREAM_CLIENT_DECODER          4
+#define NGX_HTTP_V3_STREAM_SERVER_DECODER          5
+#define NGX_HTTP_V3_MAX_KNOWN_STREAM               6
+#define NGX_HTTP_V3_MAX_UNI_STREAMS                3
+
+/* HTTP/3 errors */
+#define NGX_HTTP_V3_ERR_NO_ERROR                   0x100
+#define NGX_HTTP_V3_ERR_GENERAL_PROTOCOL_ERROR     0x101
+#define NGX_HTTP_V3_ERR_INTERNAL_ERROR             0x102
+#define NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR      0x103
+#define NGX_HTTP_V3_ERR_CLOSED_CRITICAL_STREAM     0x104
+#define NGX_HTTP_V3_ERR_FRAME_UNEXPECTED           0x105
+#define NGX_HTTP_V3_ERR_FRAME_ERROR                0x106
+#define NGX_HTTP_V3_ERR_EXCESSIVE_LOAD             0x107
+#define NGX_HTTP_V3_ERR_ID_ERROR                   0x108
+#define NGX_HTTP_V3_ERR_SETTINGS_ERROR             0x109
+#define NGX_HTTP_V3_ERR_MISSING_SETTINGS           0x10a
+#define NGX_HTTP_V3_ERR_REQUEST_REJECTED           0x10b
+#define NGX_HTTP_V3_ERR_REQUEST_CANCELLED          0x10c
+#define NGX_HTTP_V3_ERR_REQUEST_INCOMPLETE         0x10d
+#define NGX_HTTP_V3_ERR_CONNECT_ERROR              0x10f
+#define NGX_HTTP_V3_ERR_VERSION_FALLBACK           0x110
+
+/* QPACK errors */
+#define NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED       0x200
+#define NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR       0x201
+#define NGX_HTTP_V3_ERR_DECODER_STREAM_ERROR       0x202
+
+
+#define ngx_http_quic_get_connection(c)                                       \
+    ((ngx_http_connection_t *) ((c)->quic ? (c)->quic->parent->data           \
+                                          : (c)->data))
+
+#define ngx_http_v3_get_session(c)  ngx_http_quic_get_connection(c)->v3_session
+
+#define ngx_http_v3_get_module_loc_conf(c, module)                            \
+    ngx_http_get_module_loc_conf(ngx_http_quic_get_connection(c)->conf_ctx,   \
+                                 module)
+
+#define ngx_http_v3_get_module_srv_conf(c, module)                            \
+    ngx_http_get_module_srv_conf(ngx_http_quic_get_connection(c)->conf_ctx,   \
+                                 module)
+
+#define ngx_http_v3_finalize_connection(c, code, reason)                      \
+    ngx_quic_finalize_connection((c)->quic ? (c)->quic->parent : (c),         \
+                                 code, reason)
+
+#define ngx_http_v3_shutdown_connection(c, code, reason)                      \
+    ngx_quic_shutdown_connection((c)->quic ? (c)->quic->parent : (c),         \
+                                 code, reason)
+
+
+typedef struct {
+    ngx_flag_t                    enable;
+    ngx_flag_t                    enable_hq;
+    size_t                        max_table_capacity;
+    ngx_uint_t                    max_blocked_streams;
+    ngx_uint_t                    max_concurrent_streams;
+    ngx_quic_conf_t               quic;
+} ngx_http_v3_srv_conf_t;
+
+
+struct ngx_http_v3_parse_s {
+    size_t                        header_limit;
+    ngx_http_v3_parse_headers_t   headers;
+    ngx_http_v3_parse_data_t      body;
+    ngx_array_t                  *cookies;
+};
+
+
+struct ngx_http_v3_session_s {
+    ngx_http_v3_dynamic_table_t   table;
+
+    ngx_event_t                   keepalive;
+    ngx_uint_t                    nrequests;
+
+    ngx_queue_t                   blocked;
+    ngx_uint_t                    nblocked;
+
+    uint64_t                      next_request_id;
+
+    off_t                         total_bytes;
+    off_t                         payload_bytes;
+
+    unsigned                      goaway:1;
+    unsigned                      hq:1;
+
+    ngx_connection_t             *known_streams[NGX_HTTP_V3_MAX_KNOWN_STREAM];
+};
+
+
+void ngx_http_v3_init_stream(ngx_connection_t *c);
+void ngx_http_v3_reset_stream(ngx_connection_t *c);
+ngx_int_t ngx_http_v3_init_session(ngx_connection_t *c);
+ngx_int_t ngx_http_v3_check_flood(ngx_connection_t *c);
+ngx_int_t ngx_http_v3_init(ngx_connection_t *c);
+void ngx_http_v3_shutdown(ngx_connection_t *c);
+
+ngx_int_t ngx_http_v3_read_request_body(ngx_http_request_t *r);
+ngx_int_t ngx_http_v3_read_unbuffered_request_body(ngx_http_request_t *r);
+
+
+extern ngx_module_t  ngx_http_v3_module;
+
+
+#endif /* _NGX_HTTP_V3_H_INCLUDED_ */
diff --git a/src/http/v3/ngx_http_v3_encode.c b/src/http/v3/ngx_http_v3_encode.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_encode.c
@@ -0,0 +1,304 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+uintptr_t
+ngx_http_v3_encode_varlen_int(u_char *p, uint64_t value)
+{
+    if (value <= 63) {
+        if (p == NULL) {
+            return 1;
+        }
+
+        *p++ = value;
+        return (uintptr_t) p;
+    }
+
+    if (value <= 16383) {
+        if (p == NULL) {
+            return 2;
+        }
+
+        *p++ = 0x40 | (value >> 8);
+        *p++ = value;
+        return (uintptr_t) p;
+    }
+
+    if (value <= 1073741823) {
+        if (p == NULL) {
+            return 4;
+        }
+
+        *p++ = 0x80 | (value >> 24);
+        *p++ = (value >> 16);
+        *p++ = (value >> 8);
+        *p++ = value;
+        return (uintptr_t) p;
+    }
+
+    if (p == NULL) {
+        return 8;
+    }
+
+    *p++ = 0xc0 | (value >> 56);
+    *p++ = (value >> 48);
+    *p++ = (value >> 40);
+    *p++ = (value >> 32);
+    *p++ = (value >> 24);
+    *p++ = (value >> 16);
+    *p++ = (value >> 8);
+    *p++ = value;
+    return (uintptr_t) p;
+}
+
+
+uintptr_t
+ngx_http_v3_encode_prefix_int(u_char *p, uint64_t value, ngx_uint_t prefix)
+{
+    ngx_uint_t  thresh, n;
+
+    thresh = (1 << prefix) - 1;
+
+    if (value < thresh) {
+        if (p == NULL) {
+            return 1;
+        }
+
+        *p++ |= value;
+        return (uintptr_t) p;
+    }
+
+    value -= thresh;
+
+    if (p == NULL) {
+        for (n = 2; value >= 128; n++) {
+            value >>= 7;
+        }
+
+        return n;
+    }
+
+    *p++ |= thresh;
+
+    while (value >= 128) {
+        *p++ = 0x80 | value;
+        value >>= 7;
+    }
+
+    *p++ = value;
+
+    return (uintptr_t) p;
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_section_prefix(u_char *p, ngx_uint_t insert_count,
+    ngx_uint_t sign, ngx_uint_t delta_base)
+{
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, insert_count, 8)
+               + ngx_http_v3_encode_prefix_int(NULL, delta_base, 7);
+    }
+
+    *p = 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, insert_count, 8);
+
+    *p = sign ? 0x80 : 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, delta_base, 7);
+
+    return (uintptr_t) p;
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_ri(u_char *p, ngx_uint_t dynamic, ngx_uint_t index)
+{
+    /* Indexed Field Line */
+
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, index, 6);
+    }
+
+    *p = dynamic ? 0x80 : 0xc0;
+
+    return ngx_http_v3_encode_prefix_int(p, index, 6);
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_lri(u_char *p, ngx_uint_t dynamic, ngx_uint_t index,
+    u_char *data, size_t len)
+{
+    size_t   hlen;
+    u_char  *p1, *p2;
+
+    /* Literal Field Line With Name Reference */
+
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, index, 4)
+               + ngx_http_v3_encode_prefix_int(NULL, len, 7)
+               + len;
+    }
+
+    *p = dynamic ? 0x40 : 0x50;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, index, 4);
+
+    p1 = p;
+    *p = 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, len, 7);
+
+    if (data) {
+        p2 = p;
+        hlen = ngx_http_huff_encode(data, len, p, 0);
+
+        if (hlen) {
+            p = p1;
+            *p = 0x80;
+            p = (u_char *) ngx_http_v3_encode_prefix_int(p, hlen, 7);
+
+            if (p != p2) {
+                ngx_memmove(p, p2, hlen);
+            }
+
+            p += hlen;
+
+        } else {
+            p = ngx_cpymem(p, data, len);
+        }
+    }
+
+    return (uintptr_t) p;
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_l(u_char *p, ngx_str_t *name, ngx_str_t *value)
+{
+    size_t   hlen;
+    u_char  *p1, *p2;
+
+    /* Literal Field Line With Literal Name */
+
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, name->len, 3)
+               + name->len
+               + ngx_http_v3_encode_prefix_int(NULL, value->len, 7)
+               + value->len;
+    }
+
+    p1 = p;
+    *p = 0x20;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, name->len, 3);
+
+    p2 = p;
+    hlen = ngx_http_huff_encode(name->data, name->len, p, 1);
+
+    if (hlen) {
+        p = p1;
+        *p = 0x28;
+        p = (u_char *) ngx_http_v3_encode_prefix_int(p, hlen, 3);
+
+        if (p != p2) {
+            ngx_memmove(p, p2, hlen);
+        }
+
+        p += hlen;
+
+    } else {
+        ngx_strlow(p, name->data, name->len);
+        p += name->len;
+    }
+
+    p1 = p;
+    *p = 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, value->len, 7);
+
+    p2 = p;
+    hlen = ngx_http_huff_encode(value->data, value->len, p, 0);
+
+    if (hlen) {
+        p = p1;
+        *p = 0x80;
+        p = (u_char *) ngx_http_v3_encode_prefix_int(p, hlen, 7);
+
+        if (p != p2) {
+            ngx_memmove(p, p2, hlen);
+        }
+
+        p += hlen;
+
+    } else {
+        p = ngx_cpymem(p, value->data, value->len);
+    }
+
+    return (uintptr_t) p;
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_pbi(u_char *p, ngx_uint_t index)
+{
+    /* Indexed Field Line With Post-Base Index */
+
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, index, 4);
+    }
+
+    *p = 0x10;
+
+    return ngx_http_v3_encode_prefix_int(p, index, 4);
+}
+
+
+uintptr_t
+ngx_http_v3_encode_field_lpbi(u_char *p, ngx_uint_t index, u_char *data,
+    size_t len)
+{
+    size_t   hlen;
+    u_char  *p1, *p2;
+
+    /* Literal Field Line With Post-Base Name Reference */
+
+    if (p == NULL) {
+        return ngx_http_v3_encode_prefix_int(NULL, index, 3)
+               + ngx_http_v3_encode_prefix_int(NULL, len, 7)
+               + len;
+    }
+
+    *p = 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, index, 3);
+
+    p1 = p;
+    *p = 0;
+    p = (u_char *) ngx_http_v3_encode_prefix_int(p, len, 7);
+
+    if (data) {
+        p2 = p;
+        hlen = ngx_http_huff_encode(data, len, p, 0);
+
+        if (hlen) {
+            p = p1;
+            *p = 0x80;
+            p = (u_char *) ngx_http_v3_encode_prefix_int(p, hlen, 7);
+
+            if (p != p2) {
+                ngx_memmove(p, p2, hlen);
+            }
+
+            p += hlen;
+
+        } else {
+            p = ngx_cpymem(p, data, len);
+        }
+    }
+
+    return (uintptr_t) p;
+}
diff --git a/src/http/v3/ngx_http_v3_encode.h b/src/http/v3/ngx_http_v3_encode.h
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_encode.h
@@ -0,0 +1,34 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_HTTP_V3_ENCODE_H_INCLUDED_
+#define _NGX_HTTP_V3_ENCODE_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+uintptr_t ngx_http_v3_encode_varlen_int(u_char *p, uint64_t value);
+uintptr_t ngx_http_v3_encode_prefix_int(u_char *p, uint64_t value,
+    ngx_uint_t prefix);
+
+uintptr_t ngx_http_v3_encode_field_section_prefix(u_char *p,
+    ngx_uint_t insert_count, ngx_uint_t sign, ngx_uint_t delta_base);
+uintptr_t ngx_http_v3_encode_field_ri(u_char *p, ngx_uint_t dynamic,
+    ngx_uint_t index);
+uintptr_t ngx_http_v3_encode_field_lri(u_char *p, ngx_uint_t dynamic,
+    ngx_uint_t index, u_char *data, size_t len);
+uintptr_t ngx_http_v3_encode_field_l(u_char *p, ngx_str_t *name,
+    ngx_str_t *value);
+uintptr_t ngx_http_v3_encode_field_pbi(u_char *p, ngx_uint_t index);
+uintptr_t ngx_http_v3_encode_field_lpbi(u_char *p, ngx_uint_t index,
+    u_char *data, size_t len);
+
+
+#endif /* _NGX_HTTP_V3_ENCODE_H_INCLUDED_ */
diff --git a/src/http/v3/ngx_http_v3_filter_module.c b/src/http/v3/ngx_http_v3_filter_module.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_filter_module.c
@@ -0,0 +1,851 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+/* static table indices */
+#define NGX_HTTP_V3_HEADER_AUTHORITY                 0
+#define NGX_HTTP_V3_HEADER_PATH_ROOT                 1
+#define NGX_HTTP_V3_HEADER_CONTENT_LENGTH_ZERO       4
+#define NGX_HTTP_V3_HEADER_DATE                      6
+#define NGX_HTTP_V3_HEADER_LAST_MODIFIED             10
+#define NGX_HTTP_V3_HEADER_LOCATION                  12
+#define NGX_HTTP_V3_HEADER_METHOD_GET                17
+#define NGX_HTTP_V3_HEADER_SCHEME_HTTP               22
+#define NGX_HTTP_V3_HEADER_SCHEME_HTTPS              23
+#define NGX_HTTP_V3_HEADER_STATUS_200                25
+#define NGX_HTTP_V3_HEADER_ACCEPT_ENCODING           31
+#define NGX_HTTP_V3_HEADER_CONTENT_TYPE_TEXT_PLAIN   53
+#define NGX_HTTP_V3_HEADER_VARY_ACCEPT_ENCODING      59
+#define NGX_HTTP_V3_HEADER_ACCEPT_LANGUAGE           72
+#define NGX_HTTP_V3_HEADER_SERVER                    92
+#define NGX_HTTP_V3_HEADER_USER_AGENT                95
+
+
+typedef struct {
+    ngx_chain_t         *free;
+    ngx_chain_t         *busy;
+} ngx_http_v3_filter_ctx_t;
+
+
+static ngx_int_t ngx_http_v3_header_filter(ngx_http_request_t *r);
+static ngx_int_t ngx_http_v3_body_filter(ngx_http_request_t *r,
+    ngx_chain_t *in);
+static ngx_chain_t *ngx_http_v3_create_trailers(ngx_http_request_t *r,
+    ngx_http_v3_filter_ctx_t *ctx);
+static ngx_int_t ngx_http_v3_filter_init(ngx_conf_t *cf);
+
+
+static ngx_http_module_t  ngx_http_v3_filter_module_ctx = {
+    NULL,                                  /* preconfiguration */
+    ngx_http_v3_filter_init,               /* postconfiguration */
+
+    NULL,                                  /* create main configuration */
+    NULL,                                  /* init main configuration */
+
+    NULL,                                  /* create server configuration */
+    NULL,                                  /* merge server configuration */
+
+    NULL,                                  /* create location configuration */
+    NULL                                   /* merge location configuration */
+};
+
+
+ngx_module_t  ngx_http_v3_filter_module = {
+    NGX_MODULE_V1,
+    &ngx_http_v3_filter_module_ctx,        /* module context */
+    NULL,                                  /* module directives */
+    NGX_HTTP_MODULE,                       /* module type */
+    NULL,                                  /* init master */
+    NULL,                                  /* init module */
+    NULL,                                  /* init process */
+    NULL,                                  /* init thread */
+    NULL,                                  /* exit thread */
+    NULL,                                  /* exit process */
+    NULL,                                  /* exit master */
+    NGX_MODULE_V1_PADDING
+};
+
+
+static ngx_http_output_header_filter_pt  ngx_http_next_header_filter;
+static ngx_http_output_body_filter_pt    ngx_http_next_body_filter;
+
+
+static ngx_int_t
+ngx_http_v3_header_filter(ngx_http_request_t *r)
+{
+    u_char                    *p;
+    size_t                     len, n;
+    ngx_buf_t                 *b;
+    ngx_str_t                  host, location;
+    ngx_uint_t                 i, port;
+    ngx_chain_t               *out, *hl, *cl, **ll;
+    ngx_list_part_t           *part;
+    ngx_table_elt_t           *header;
+    ngx_connection_t          *c;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_filter_ctx_t  *ctx;
+    ngx_http_core_loc_conf_t  *clcf;
+    ngx_http_core_srv_conf_t  *cscf;
+    u_char                     addr[NGX_SOCKADDR_STRLEN];
+
+    if (r->http_version != NGX_HTTP_VERSION_30) {
+        return ngx_http_next_header_filter(r);
+    }
+
+    if (r->header_sent) {
+        return NGX_OK;
+    }
+
+    r->header_sent = 1;
+
+    if (r != r->main) {
+        return NGX_OK;
+    }
+
+    h3c = ngx_http_v3_get_session(r->connection);
+
+    if (r->method == NGX_HTTP_HEAD) {
+        r->header_only = 1;
+    }
+
+    if (r->headers_out.last_modified_time != -1) {
+        if (r->headers_out.status != NGX_HTTP_OK
+            && r->headers_out.status != NGX_HTTP_PARTIAL_CONTENT
+            && r->headers_out.status != NGX_HTTP_NOT_MODIFIED)
+        {
+            r->headers_out.last_modified_time = -1;
+            r->headers_out.last_modified = NULL;
+        }
+    }
+
+    if (r->headers_out.status == NGX_HTTP_NO_CONTENT) {
+        r->header_only = 1;
+        ngx_str_null(&r->headers_out.content_type);
+        r->headers_out.last_modified_time = -1;
+        r->headers_out.last_modified = NULL;
+        r->headers_out.content_length = NULL;
+        r->headers_out.content_length_n = -1;
+    }
+
+    if (r->headers_out.status == NGX_HTTP_NOT_MODIFIED) {
+        r->header_only = 1;
+    }
+
+    c = r->connection;
+
+    out = NULL;
+    ll = &out;
+
+    len = ngx_http_v3_encode_field_section_prefix(NULL, 0, 0, 0);
+
+    if (r->headers_out.status == NGX_HTTP_OK) {
+        len += ngx_http_v3_encode_field_ri(NULL, 0,
+                                           NGX_HTTP_V3_HEADER_STATUS_200);
+
+    } else {
+        len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                            NGX_HTTP_V3_HEADER_STATUS_200,
+                                            NULL, 3);
+    }
+
+    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+    if (r->headers_out.server == NULL) {
+        if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+            n = sizeof(NGINX_VER) - 1;
+
+        } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+            n = sizeof(NGINX_VER_BUILD) - 1;
+
+        } else {
+            n = sizeof("nginx") - 1;
+        }
+
+        len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                            NGX_HTTP_V3_HEADER_SERVER,
+                                            NULL, n);
+    }
+
+    if (r->headers_out.date == NULL) {
+        len += ngx_http_v3_encode_field_lri(NULL, 0, NGX_HTTP_V3_HEADER_DATE,
+                                            NULL, ngx_cached_http_time.len);
+    }
+
+    if (r->headers_out.content_type.len) {
+        n = r->headers_out.content_type.len;
+
+        if (r->headers_out.content_type_len == r->headers_out.content_type.len
+            && r->headers_out.charset.len)
+        {
+            n += sizeof("; charset=") - 1 + r->headers_out.charset.len;
+        }
+
+        len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                    NGX_HTTP_V3_HEADER_CONTENT_TYPE_TEXT_PLAIN,
+                                    NULL, n);
+    }
+
+    if (r->headers_out.content_length == NULL) {
+        if (r->headers_out.content_length_n > 0) {
+            len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                        NGX_HTTP_V3_HEADER_CONTENT_LENGTH_ZERO,
+                                        NULL, NGX_OFF_T_LEN);
+
+        } else if (r->headers_out.content_length_n == 0) {
+            len += ngx_http_v3_encode_field_ri(NULL, 0,
+                                       NGX_HTTP_V3_HEADER_CONTENT_LENGTH_ZERO);
+        }
+    }
+
+    if (r->headers_out.last_modified == NULL
+        && r->headers_out.last_modified_time != -1)
+    {
+        len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                  NGX_HTTP_V3_HEADER_LAST_MODIFIED, NULL,
+                                  sizeof("Mon, 28 Sep 1970 06:00:00 GMT") - 1);
+    }
+
+    if (r->headers_out.location && r->headers_out.location->value.len) {
+
+        if (r->headers_out.location->value.data[0] == '/'
+            && clcf->absolute_redirect)
+        {
+            if (clcf->server_name_in_redirect) {
+                cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+                host = cscf->server_name;
+
+            } else if (r->headers_in.server.len) {
+                host = r->headers_in.server;
+
+            } else {
+                host.len = NGX_SOCKADDR_STRLEN;
+                host.data = addr;
+
+                if (ngx_connection_local_sockaddr(c, &host, 0) != NGX_OK) {
+                    return NGX_ERROR;
+                }
+            }
+
+            port = ngx_inet_get_port(c->local_sockaddr);
+
+            location.len = sizeof("https://") - 1 + host.len
+                           + r->headers_out.location->value.len;
+
+            if (clcf->port_in_redirect) {
+                port = (port == 443) ? 0 : port;
+
+            } else {
+                port = 0;
+            }
+
+            if (port) {
+                location.len += sizeof(":65535") - 1;
+            }
+
+            location.data = ngx_pnalloc(r->pool, location.len);
+            if (location.data == NULL) {
+                return NGX_ERROR;
+            }
+
+            p = ngx_cpymem(location.data, "https://", sizeof("https://") - 1);
+            p = ngx_cpymem(p, host.data, host.len);
+
+            if (port) {
+                p = ngx_sprintf(p, ":%ui", port);
+            }
+
+            p = ngx_cpymem(p, r->headers_out.location->value.data,
+                              r->headers_out.location->value.len);
+
+            /* update r->headers_out.location->value for possible logging */
+
+            r->headers_out.location->value.len = p - location.data;
+            r->headers_out.location->value.data = location.data;
+            ngx_str_set(&r->headers_out.location->key, "Location");
+        }
+
+        r->headers_out.location->hash = 0;
+
+        len += ngx_http_v3_encode_field_lri(NULL, 0,
+                                           NGX_HTTP_V3_HEADER_LOCATION, NULL,
+                                           r->headers_out.location->value.len);
+    }
+
+#if (NGX_HTTP_GZIP)
+    if (r->gzip_vary) {
+        if (clcf->gzip_vary) {
+            len += ngx_http_v3_encode_field_ri(NULL, 0,
+                                      NGX_HTTP_V3_HEADER_VARY_ACCEPT_ENCODING);
+
+        } else {
+            r->gzip_vary = 0;
+        }
+    }
+#endif
+
+    part = &r->headers_out.headers.part;
+    header = part->elts;
+
+    for (i = 0; /* void */; i++) {
+
+        if (i >= part->nelts) {
+            if (part->next == NULL) {
+                break;
+            }
+
+            part = part->next;
+            header = part->elts;
+            i = 0;
+        }
+
+        if (header[i].hash == 0) {
+            continue;
+        }
+
+        len += ngx_http_v3_encode_field_l(NULL, &header[i].key,
+                                          &header[i].value);
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 header len:%uz", len);
+
+    b = ngx_create_temp_buf(r->pool, len);
+    if (b == NULL) {
+        return NGX_ERROR;
+    }
+
+    b->last = (u_char *) ngx_http_v3_encode_field_section_prefix(b->last,
+                                                                 0, 0, 0);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 output header: \":status: %03ui\"",
+                   r->headers_out.status);
+
+    if (r->headers_out.status == NGX_HTTP_OK) {
+        b->last = (u_char *) ngx_http_v3_encode_field_ri(b->last, 0,
+                                                NGX_HTTP_V3_HEADER_STATUS_200);
+
+    } else {
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                                 NGX_HTTP_V3_HEADER_STATUS_200,
+                                                 NULL, 3);
+        b->last = ngx_sprintf(b->last, "%03ui", r->headers_out.status);
+    }
+
+    if (r->headers_out.server == NULL) {
+        if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+            p = (u_char *) NGINX_VER;
+            n = sizeof(NGINX_VER) - 1;
+
+        } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+            p = (u_char *) NGINX_VER_BUILD;
+            n = sizeof(NGINX_VER_BUILD) - 1;
+
+        } else {
+            p = (u_char *) "nginx";
+            n = sizeof("nginx") - 1;
+        }
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"server: %*s\"", n, p);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                                     NGX_HTTP_V3_HEADER_SERVER,
+                                                     p, n);
+    }
+
+    if (r->headers_out.date == NULL) {
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"date: %V\"",
+                       &ngx_cached_http_time);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                                     NGX_HTTP_V3_HEADER_DATE,
+                                                     ngx_cached_http_time.data,
+                                                     ngx_cached_http_time.len);
+    }
+
+    if (r->headers_out.content_type.len) {
+        if (r->headers_out.content_type_len == r->headers_out.content_type.len
+            && r->headers_out.charset.len)
+        {
+            n = r->headers_out.content_type.len + sizeof("; charset=") - 1
+                + r->headers_out.charset.len;
+
+            p = ngx_pnalloc(r->pool, n);
+            if (p == NULL) {
+                return NGX_ERROR;
+            }
+
+            p = ngx_cpymem(p, r->headers_out.content_type.data,
+                           r->headers_out.content_type.len);
+
+            p = ngx_cpymem(p, "; charset=", sizeof("; charset=") - 1);
+
+            p = ngx_cpymem(p, r->headers_out.charset.data,
+                           r->headers_out.charset.len);
+
+            /* updated r->headers_out.content_type is also needed for logging */
+
+            r->headers_out.content_type.len = n;
+            r->headers_out.content_type.data = p - n;
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"content-type: %V\"",
+                       &r->headers_out.content_type);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                    NGX_HTTP_V3_HEADER_CONTENT_TYPE_TEXT_PLAIN,
+                                    r->headers_out.content_type.data,
+                                    r->headers_out.content_type.len);
+    }
+
+    if (r->headers_out.content_length == NULL
+        && r->headers_out.content_length_n >= 0)
+    {
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"content-length: %O\"",
+                       r->headers_out.content_length_n);
+
+        if (r->headers_out.content_length_n > 0) {
+            p = ngx_sprintf(b->last, "%O", r->headers_out.content_length_n);
+            n = p - b->last;
+
+            b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                        NGX_HTTP_V3_HEADER_CONTENT_LENGTH_ZERO,
+                                        NULL, n);
+
+            b->last = ngx_sprintf(b->last, "%O",
+                                  r->headers_out.content_length_n);
+
+        } else {
+            b->last = (u_char *) ngx_http_v3_encode_field_ri(b->last, 0,
+                                       NGX_HTTP_V3_HEADER_CONTENT_LENGTH_ZERO);
+        }
+    }
+
+    if (r->headers_out.last_modified == NULL
+        && r->headers_out.last_modified_time != -1)
+    {
+        n = sizeof("Mon, 28 Sep 1970 06:00:00 GMT") - 1;
+
+        p = ngx_pnalloc(r->pool, n);
+        if (p == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_http_time(p, r->headers_out.last_modified_time);
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"last-modified: %*s\"", n, p);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                              NGX_HTTP_V3_HEADER_LAST_MODIFIED,
+                                              p, n);
+    }
+
+    if (r->headers_out.location && r->headers_out.location->value.len) {
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"location: %V\"",
+                       &r->headers_out.location->value);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_lri(b->last, 0,
+                                           NGX_HTTP_V3_HEADER_LOCATION,
+                                           r->headers_out.location->value.data,
+                                           r->headers_out.location->value.len);
+    }
+
+#if (NGX_HTTP_GZIP)
+    if (r->gzip_vary) {
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"vary: Accept-Encoding\"");
+
+        b->last = (u_char *) ngx_http_v3_encode_field_ri(b->last, 0,
+                                      NGX_HTTP_V3_HEADER_VARY_ACCEPT_ENCODING);
+    }
+#endif
+
+    part = &r->headers_out.headers.part;
+    header = part->elts;
+
+    for (i = 0; /* void */; i++) {
+
+        if (i >= part->nelts) {
+            if (part->next == NULL) {
+                break;
+            }
+
+            part = part->next;
+            header = part->elts;
+            i = 0;
+        }
+
+        if (header[i].hash == 0) {
+            continue;
+        }
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 output header: \"%V: %V\"",
+                       &header[i].key, &header[i].value);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_l(b->last,
+                                                        &header[i].key,
+                                                        &header[i].value);
+    }
+
+    if (r->header_only) {
+        b->last_buf = 1;
+    }
+
+    cl = ngx_alloc_chain_link(r->pool);
+    if (cl == NULL) {
+        return NGX_ERROR;
+    }
+
+    cl->buf = b;
+    cl->next = NULL;
+
+    n = b->last - b->pos;
+
+    h3c->payload_bytes += n;
+
+    len = ngx_http_v3_encode_varlen_int(NULL, NGX_HTTP_V3_FRAME_HEADERS)
+          + ngx_http_v3_encode_varlen_int(NULL, n);
+
+    b = ngx_create_temp_buf(r->pool, len);
+    if (b == NULL) {
+        return NGX_ERROR;
+    }
+
+    b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last,
+                                                    NGX_HTTP_V3_FRAME_HEADERS);
+    b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last, n);
+
+    hl = ngx_alloc_chain_link(r->pool);
+    if (hl == NULL) {
+        return NGX_ERROR;
+    }
+
+    hl->buf = b;
+    hl->next = cl;
+
+    *ll = hl;
+    ll = &cl->next;
+
+    if (r->headers_out.content_length_n >= 0
+        && !r->header_only && !r->expect_trailers)
+    {
+        len = ngx_http_v3_encode_varlen_int(NULL, NGX_HTTP_V3_FRAME_DATA)
+              + ngx_http_v3_encode_varlen_int(NULL,
+                                              r->headers_out.content_length_n);
+
+        b = ngx_create_temp_buf(r->pool, len);
+        if (b == NULL) {
+            return NGX_ERROR;
+        }
+
+        b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last,
+                                                       NGX_HTTP_V3_FRAME_DATA);
+        b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last,
+                                              r->headers_out.content_length_n);
+
+        h3c->payload_bytes += r->headers_out.content_length_n;
+        h3c->total_bytes += r->headers_out.content_length_n;
+
+        cl = ngx_alloc_chain_link(r->pool);
+        if (cl == NULL) {
+            return NGX_ERROR;
+        }
+
+        cl->buf = b;
+        cl->next = NULL;
+
+        *ll = cl;
+
+    } else {
+        ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_v3_filter_ctx_t));
+        if (ctx == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_http_set_ctx(r, ctx, ngx_http_v3_filter_module);
+    }
+
+    for (cl = out; cl; cl = cl->next) {
+        h3c->total_bytes += cl->buf->last - cl->buf->pos;
+    }
+
+    return ngx_http_write_filter(r, out);
+}
+
+
+static ngx_int_t
+ngx_http_v3_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
+{
+    u_char                    *chunk;
+    off_t                      size;
+    ngx_int_t                  rc;
+    ngx_buf_t                 *b;
+    ngx_chain_t               *out, *cl, *tl, **ll;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_filter_ctx_t  *ctx;
+
+    if (in == NULL) {
+        return ngx_http_next_body_filter(r, in);
+    }
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_v3_filter_module);
+    if (ctx == NULL) {
+        return ngx_http_next_body_filter(r, in);
+    }
+
+    h3c = ngx_http_v3_get_session(r->connection);
+
+    out = NULL;
+    ll = &out;
+
+    size = 0;
+    cl = in;
+
+    for ( ;; ) {
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 chunk: %O", ngx_buf_size(cl->buf));
+
+        size += ngx_buf_size(cl->buf);
+
+        if (cl->buf->flush
+            || cl->buf->sync
+            || ngx_buf_in_memory(cl->buf)
+            || cl->buf->in_file)
+        {
+            tl = ngx_alloc_chain_link(r->pool);
+            if (tl == NULL) {
+                return NGX_ERROR;
+            }
+
+            tl->buf = cl->buf;
+            *ll = tl;
+            ll = &tl->next;
+        }
+
+        if (cl->next == NULL) {
+            break;
+        }
+
+        cl = cl->next;
+    }
+
+    if (size) {
+        tl = ngx_chain_get_free_buf(r->pool, &ctx->free);
+        if (tl == NULL) {
+            return NGX_ERROR;
+        }
+
+        b = tl->buf;
+        chunk = b->start;
+
+        if (chunk == NULL) {
+            chunk = ngx_palloc(r->pool, NGX_HTTP_V3_VARLEN_INT_LEN * 2);
+            if (chunk == NULL) {
+                return NGX_ERROR;
+            }
+
+            b->start = chunk;
+            b->end = chunk + NGX_HTTP_V3_VARLEN_INT_LEN * 2;
+        }
+
+        b->tag = (ngx_buf_tag_t) &ngx_http_v3_filter_module;
+        b->memory = 0;
+        b->temporary = 1;
+        b->pos = chunk;
+
+        b->last = (u_char *) ngx_http_v3_encode_varlen_int(chunk,
+                                                       NGX_HTTP_V3_FRAME_DATA);
+        b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last, size);
+
+        tl->next = out;
+        out = tl;
+
+        h3c->payload_bytes += size;
+    }
+
+    if (cl->buf->last_buf) {
+        tl = ngx_http_v3_create_trailers(r, ctx);
+        if (tl == NULL) {
+            return NGX_ERROR;
+        }
+
+        cl->buf->last_buf = 0;
+
+        *ll = tl;
+
+    } else {
+        *ll = NULL;
+    }
+
+    for (cl = out; cl; cl = cl->next) {
+        h3c->total_bytes += cl->buf->last - cl->buf->pos;
+    }
+
+    rc = ngx_http_next_body_filter(r, out);
+
+    ngx_chain_update_chains(r->pool, &ctx->free, &ctx->busy, &out,
+                            (ngx_buf_tag_t) &ngx_http_v3_filter_module);
+
+    return rc;
+}
+
+
+static ngx_chain_t *
+ngx_http_v3_create_trailers(ngx_http_request_t *r,
+    ngx_http_v3_filter_ctx_t *ctx)
+{
+    size_t                  len, n;
+    u_char                 *p;
+    ngx_buf_t              *b;
+    ngx_uint_t              i;
+    ngx_chain_t            *cl, *hl;
+    ngx_list_part_t        *part;
+    ngx_table_elt_t        *header;
+    ngx_http_v3_session_t  *h3c;
+
+    h3c = ngx_http_v3_get_session(r->connection);
+
+    len = 0;
+
+    part = &r->headers_out.trailers.part;
+    header = part->elts;
+
+    for (i = 0; /* void */; i++) {
+
+        if (i >= part->nelts) {
+            if (part->next == NULL) {
+                break;
+            }
+
+            part = part->next;
+            header = part->elts;
+            i = 0;
+        }
+
+        if (header[i].hash == 0) {
+            continue;
+        }
+
+        len += ngx_http_v3_encode_field_l(NULL, &header[i].key,
+                                          &header[i].value);
+    }
+
+    cl = ngx_chain_get_free_buf(r->pool, &ctx->free);
+    if (cl == NULL) {
+        return NULL;
+    }
+
+    b = cl->buf;
+
+    b->tag = (ngx_buf_tag_t) &ngx_http_v3_filter_module;
+    b->memory = 0;
+    b->last_buf = 1;
+
+    if (len == 0) {
+        b->temporary = 0;
+        b->pos = b->last = NULL;
+        return cl;
+    }
+
+    b->temporary = 1;
+
+    len += ngx_http_v3_encode_field_section_prefix(NULL, 0, 0, 0);
+
+    b->pos = ngx_palloc(r->pool, len);
+    if (b->pos == NULL) {
+        return NULL;
+    }
+
+    b->last = (u_char *) ngx_http_v3_encode_field_section_prefix(b->pos,
+                                                                 0, 0, 0);
+
+    part = &r->headers_out.trailers.part;
+    header = part->elts;
+
+    for (i = 0; /* void */; i++) {
+
+        if (i >= part->nelts) {
+            if (part->next == NULL) {
+                break;
+            }
+
+            part = part->next;
+            header = part->elts;
+            i = 0;
+        }
+
+        if (header[i].hash == 0) {
+            continue;
+        }
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 output trailer: \"%V: %V\"",
+                       &header[i].key, &header[i].value);
+
+        b->last = (u_char *) ngx_http_v3_encode_field_l(b->last,
+                                                        &header[i].key,
+                                                        &header[i].value);
+    }
+
+    n = b->last - b->pos;
+
+    h3c->payload_bytes += n;
+
+    hl = ngx_chain_get_free_buf(r->pool, &ctx->free);
+    if (hl == NULL) {
+        return NULL;
+    }
+
+    b = hl->buf;
+    p = b->start;
+
+    if (p == NULL) {
+        p = ngx_palloc(r->pool, NGX_HTTP_V3_VARLEN_INT_LEN * 2);
+        if (p == NULL) {
+            return NULL;
+        }
+
+        b->start = p;
+        b->end = p + NGX_HTTP_V3_VARLEN_INT_LEN * 2;
+    }
+
+    b->tag = (ngx_buf_tag_t) &ngx_http_v3_filter_module;
+    b->memory = 0;
+    b->temporary = 1;
+    b->pos = p;
+
+    b->last = (u_char *) ngx_http_v3_encode_varlen_int(p,
+                                                    NGX_HTTP_V3_FRAME_HEADERS);
+    b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last, n);
+
+    hl->next = cl;
+
+    return hl;
+}
+
+
+static ngx_int_t
+ngx_http_v3_filter_init(ngx_conf_t *cf)
+{
+    ngx_http_next_header_filter = ngx_http_top_header_filter;
+    ngx_http_top_header_filter = ngx_http_v3_header_filter;
+
+    ngx_http_next_body_filter = ngx_http_top_body_filter;
+    ngx_http_top_body_filter = ngx_http_v3_body_filter;
+
+    return NGX_OK;
+}
diff --git a/src/http/v3/ngx_http_v3_module.c b/src/http/v3/ngx_http_v3_module.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_module.c
@@ -0,0 +1,389 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
+ * Copyright (C) Roman Arutyunyan
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+static ngx_int_t ngx_http_v3_variable(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_v3_add_variables(ngx_conf_t *cf);
+static void *ngx_http_v3_create_srv_conf(ngx_conf_t *cf);
+static char *ngx_http_v3_merge_srv_conf(ngx_conf_t *cf, void *parent,
+    void *child);
+static char *ngx_http_quic_host_key(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
+
+
+static ngx_command_t  ngx_http_v3_commands[] = {
+
+    { ngx_string("http3"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, enable),
+      NULL },
+
+    { ngx_string("http3_hq"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, enable_hq),
+      NULL },
+
+    { ngx_string("http3_max_concurrent_streams"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, max_concurrent_streams),
+      NULL },
+
+    { ngx_string("http3_stream_buffer_size"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_size_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, quic.stream_buffer_size),
+      NULL },
+
+    { ngx_string("quic_retry"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, quic.retry),
+      NULL },
+
+    { ngx_string("quic_gso"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, quic.gso_enabled),
+      NULL },
+
+    { ngx_string("quic_host_key"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_quic_host_key,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      NULL },
+
+    { ngx_string("quic_active_connection_id_limit"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_v3_srv_conf_t, quic.active_connection_id_limit),
+      NULL },
+
+      ngx_null_command
+};
+
+
+static ngx_http_module_t  ngx_http_v3_module_ctx = {
+    ngx_http_v3_add_variables,             /* preconfiguration */
+    NULL,                                  /* postconfiguration */
+
+    NULL,                                  /* create main configuration */
+    NULL,                                  /* init main configuration */
+
+    ngx_http_v3_create_srv_conf,           /* create server configuration */
+    ngx_http_v3_merge_srv_conf,            /* merge server configuration */
+
+    NULL,                                  /* create location configuration */
+    NULL                                   /* merge location configuration */
+};
+
+
+ngx_module_t  ngx_http_v3_module = {
+    NGX_MODULE_V1,
+    &ngx_http_v3_module_ctx,               /* module context */
+    ngx_http_v3_commands,                  /* module directives */
+    NGX_HTTP_MODULE,                       /* module type */
+    NULL,                                  /* init master */
+    NULL,                                  /* init module */
+    NULL,                                  /* init process */
+    NULL,                                  /* init thread */
+    NULL,                                  /* exit thread */
+    NULL,                                  /* exit process */
+    NULL,                                  /* exit master */
+    NGX_MODULE_V1_PADDING
+};
+
+
+static ngx_http_variable_t  ngx_http_v3_vars[] = {
+
+    { ngx_string("http3"), NULL, ngx_http_v3_variable, 0, 0, 0 },
+
+      ngx_http_null_variable
+};
+
+static ngx_str_t  ngx_http_quic_salt = ngx_string("ngx_quic");
+
+
+static ngx_int_t
+ngx_http_v3_variable(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data)
+{
+    ngx_http_v3_session_t  *h3c;
+
+    if (r->connection->quic) {
+        h3c = ngx_http_v3_get_session(r->connection);
+
+        if (h3c->hq) {
+            v->len = sizeof("hq") - 1;
+            v->valid = 1;
+            v->no_cacheable = 0;
+            v->not_found = 0;
+            v->data = (u_char *) "hq";
+
+            return NGX_OK;
+        }
+
+        v->len = sizeof("h3") - 1;
+        v->valid = 1;
+        v->no_cacheable = 0;
+        v->not_found = 0;
+        v->data = (u_char *) "h3";
+
+        return NGX_OK;
+    }
+
+    *v = ngx_http_variable_null_value;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_add_variables(ngx_conf_t *cf)
+{
+    ngx_http_variable_t  *var, *v;
+
+    for (v = ngx_http_v3_vars; v->name.len; v++) {
+        var = ngx_http_add_variable(cf, &v->name, v->flags);
+        if (var == NULL) {
+            return NGX_ERROR;
+        }
+
+        var->get_handler = v->get_handler;
+        var->data = v->data;
+    }
+
+    return NGX_OK;
+}
+
+
+static void *
+ngx_http_v3_create_srv_conf(ngx_conf_t *cf)
+{
+    ngx_http_v3_srv_conf_t  *h3scf;
+
+    h3scf = ngx_pcalloc(cf->pool, sizeof(ngx_http_v3_srv_conf_t));
+    if (h3scf == NULL) {
+        return NULL;
+    }
+
+    /*
+     * set by ngx_pcalloc():
+     *
+     *     h3scf->quic.host_key = { 0, NULL }
+     *     h3scf->quic.stream_reject_code_uni = 0;
+     *     h3scf->quic.disable_active_migration = 0;
+     *     h3scf->quic.timeout = 0;
+     *     h3scf->max_blocked_streams = 0;
+     */
+
+    h3scf->enable = NGX_CONF_UNSET;
+    h3scf->enable_hq = NGX_CONF_UNSET;
+    h3scf->max_table_capacity = NGX_HTTP_V3_MAX_TABLE_CAPACITY;
+    h3scf->max_concurrent_streams = NGX_CONF_UNSET_UINT;
+
+    h3scf->quic.stream_buffer_size = NGX_CONF_UNSET_SIZE;
+    h3scf->quic.max_concurrent_streams_bidi = NGX_CONF_UNSET_UINT;
+    h3scf->quic.max_concurrent_streams_uni = NGX_HTTP_V3_MAX_UNI_STREAMS;
+    h3scf->quic.retry = NGX_CONF_UNSET;
+    h3scf->quic.gso_enabled = NGX_CONF_UNSET;
+    h3scf->quic.stream_close_code = NGX_HTTP_V3_ERR_NO_ERROR;
+    h3scf->quic.stream_reject_code_bidi = NGX_HTTP_V3_ERR_REQUEST_REJECTED;
+    h3scf->quic.active_connection_id_limit = NGX_CONF_UNSET_UINT;
+
+    h3scf->quic.init = ngx_http_v3_init;
+    h3scf->quic.shutdown = ngx_http_v3_shutdown;
+
+    return h3scf;
+}
+
+
+static char *
+ngx_http_v3_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+{
+    ngx_http_v3_srv_conf_t *prev = parent;
+    ngx_http_v3_srv_conf_t *conf = child;
+
+    ngx_http_ssl_srv_conf_t  *sscf;
+
+    ngx_conf_merge_value(conf->enable, prev->enable, 1);
+
+    ngx_conf_merge_value(conf->enable_hq, prev->enable_hq, 0);
+
+    ngx_conf_merge_uint_value(conf->max_concurrent_streams,
+                              prev->max_concurrent_streams, 128);
+
+    conf->max_blocked_streams = conf->max_concurrent_streams;
+
+    ngx_conf_merge_size_value(conf->quic.stream_buffer_size,
+                              prev->quic.stream_buffer_size,
+                              65536);
+
+    conf->quic.max_concurrent_streams_bidi = conf->max_concurrent_streams;
+
+    ngx_conf_merge_value(conf->quic.retry, prev->quic.retry, 0);
+    ngx_conf_merge_value(conf->quic.gso_enabled, prev->quic.gso_enabled, 0);
+
+    ngx_conf_merge_str_value(conf->quic.host_key, prev->quic.host_key, "");
+
+    ngx_conf_merge_uint_value(conf->quic.active_connection_id_limit,
+                              prev->quic.active_connection_id_limit,
+                              2);
+
+    if (conf->quic.host_key.len == 0) {
+
+        conf->quic.host_key.len = NGX_QUIC_DEFAULT_HOST_KEY_LEN;
+        conf->quic.host_key.data = ngx_palloc(cf->pool,
+                                              conf->quic.host_key.len);
+        if (conf->quic.host_key.data == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        if (RAND_bytes(conf->quic.host_key.data, NGX_QUIC_DEFAULT_HOST_KEY_LEN)
+            <= 0)
+        {
+            return NGX_CONF_ERROR;
+        }
+    }
+
+    if (ngx_quic_derive_key(cf->log, "av_token_key",
+                            &conf->quic.host_key, &ngx_http_quic_salt,
+                            conf->quic.av_token_key, NGX_QUIC_AV_KEY_LEN)
+        != NGX_OK)
+    {
+        return NGX_CONF_ERROR;
+    }
+
+    if (ngx_quic_derive_key(cf->log, "sr_token_key",
+                            &conf->quic.host_key, &ngx_http_quic_salt,
+                            conf->quic.sr_token_key, NGX_QUIC_SR_KEY_LEN)
+        != NGX_OK)
+    {
+        return NGX_CONF_ERROR;
+    }
+
+    sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+    conf->quic.ssl = &sscf->ssl;
+
+    return NGX_CONF_OK;
+}
+
+
+static char *
+ngx_http_quic_host_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_http_v3_srv_conf_t  *h3scf = conf;
+
+    u_char           *buf;
+    size_t            size;
+    ssize_t           n;
+    ngx_str_t        *value;
+    ngx_file_t        file;
+    ngx_file_info_t   fi;
+    ngx_quic_conf_t  *qcf;
+
+    qcf = &h3scf->quic;
+
+    if (qcf->host_key.len) {
+        return "is duplicate";
+    }
+
+    buf = NULL;
+#if (NGX_SUPPRESS_WARN)
+    size = 0;
+#endif
+
+    value = cf->args->elts;
+
+    if (ngx_conf_full_name(cf->cycle, &value[1], 1) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
+    ngx_memzero(&file, sizeof(ngx_file_t));
+    file.name = value[1];
+    file.log = cf->log;
+
+    file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
+
+    if (file.fd == NGX_INVALID_FILE) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+                           ngx_open_file_n " \"%V\" failed", &file.name);
+        return NGX_CONF_ERROR;
+    }
+
+    if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
+        ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
+                           ngx_fd_info_n " \"%V\" failed", &file.name);
+        goto failed;
+    }
+
+    size = ngx_file_size(&fi);
+
+    if (size == 0) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "\"%V\" zero key size", &file.name);
+        goto failed;
+    }
+
+    buf = ngx_pnalloc(cf->pool, size);
+    if (buf == NULL) {
+        goto failed;
+    }
+
+    n = ngx_read_file(&file, buf, size, 0);
+
+    if (n == NGX_ERROR) {
+        ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
+                           ngx_read_file_n " \"%V\" failed", &file.name);
+        goto failed;
+    }
+
+    if ((size_t) n != size) {
+        ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
+                           ngx_read_file_n " \"%V\" returned only "
+                           "%z bytes instead of %uz", &file.name, n, size);
+        goto failed;
+    }
+
+    qcf->host_key.data = buf;
+    qcf->host_key.len = n;
+
+    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+        ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
+                      ngx_close_file_n " \"%V\" failed", &file.name);
+    }
+
+    return NGX_CONF_OK;
+
+failed:
+
+    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+        ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
+                      ngx_close_file_n " \"%V\" failed", &file.name);
+    }
+
+    if (buf) {
+        ngx_explicit_memzero(buf, size);
+    }
+
+    return NGX_CONF_ERROR;
+}
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -0,0 +1,1931 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+#define ngx_http_v3_is_v2_frame(type)                                         \
+    ((type) == 0x02 || (type) == 0x06 || (type) == 0x08 || (type) == 0x09)
+
+
+static void ngx_http_v3_parse_start_local(ngx_buf_t *b, ngx_buf_t *loc,
+    ngx_uint_t n);
+static void ngx_http_v3_parse_end_local(ngx_buf_t *b, ngx_buf_t *loc,
+    ngx_uint_t *n);
+static ngx_int_t ngx_http_v3_parse_skip(ngx_buf_t *b, ngx_uint_t *length);
+
+static ngx_int_t ngx_http_v3_parse_varlen_int(ngx_connection_t *c,
+    ngx_http_v3_parse_varlen_int_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_prefix_int(ngx_connection_t *c,
+    ngx_http_v3_parse_prefix_int_t *st, ngx_uint_t prefix, ngx_buf_t *b);
+
+static ngx_int_t ngx_http_v3_parse_field_section_prefix(ngx_connection_t *c,
+    ngx_http_v3_parse_field_section_prefix_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_rep(ngx_connection_t *c,
+    ngx_http_v3_parse_field_rep_t *st, ngx_uint_t base, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_literal(ngx_connection_t *c,
+    ngx_http_v3_parse_literal_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_ri(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_lri(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_l(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_pbi(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_lpbi(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+
+static ngx_int_t ngx_http_v3_parse_control(ngx_connection_t *c,
+    ngx_http_v3_parse_control_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_settings(ngx_connection_t *c,
+    ngx_http_v3_parse_settings_t *st, ngx_buf_t *b);
+
+static ngx_int_t ngx_http_v3_parse_encoder(ngx_connection_t *c,
+    ngx_http_v3_parse_encoder_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_inr(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+static ngx_int_t ngx_http_v3_parse_field_iln(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b);
+
+static ngx_int_t ngx_http_v3_parse_decoder(ngx_connection_t *c,
+    ngx_http_v3_parse_decoder_t *st, ngx_buf_t *b);
+
+static ngx_int_t ngx_http_v3_parse_lookup(ngx_connection_t *c,
+    ngx_uint_t dynamic, ngx_uint_t index, ngx_str_t *name, ngx_str_t *value);
+
+
+static void
+ngx_http_v3_parse_start_local(ngx_buf_t *b, ngx_buf_t *loc, ngx_uint_t n)
+{
+    *loc = *b;
+
+    if ((size_t) (loc->last - loc->pos) > n) {
+        loc->last = loc->pos + n;
+    }
+}
+
+
+static void
+ngx_http_v3_parse_end_local(ngx_buf_t *b, ngx_buf_t *loc, ngx_uint_t *pn)
+{
+    *pn -= loc->pos - b->pos;
+    b->pos = loc->pos;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_skip(ngx_buf_t *b, ngx_uint_t *length)
+{
+    if ((size_t) (b->last - b->pos) < *length) {
+        *length -= b->last - b->pos;
+        b->pos = b->last;
+        return NGX_AGAIN;
+    }
+
+    b->pos += *length;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_varlen_int(ngx_connection_t *c,
+    ngx_http_v3_parse_varlen_int_t *st, ngx_buf_t *b)
+{
+    u_char  ch;
+    enum {
+        sw_start = 0,
+        sw_length_2,
+        sw_length_3,
+        sw_length_4,
+        sw_length_5,
+        sw_length_6,
+        sw_length_7,
+        sw_length_8
+    };
+
+    for ( ;; ) {
+
+        if (b->pos == b->last) {
+            return NGX_AGAIN;
+        }
+
+        ch = *b->pos++;
+
+        switch (st->state) {
+
+        case sw_start:
+
+            st->value = ch;
+            if (st->value & 0xc0) {
+                st->state = sw_length_2;
+                break;
+            }
+
+            goto done;
+
+        case sw_length_2:
+
+            st->value = (st->value << 8) + ch;
+            if ((st->value & 0xc000) == 0x4000) {
+                st->value &= 0x3fff;
+                goto done;
+            }
+
+            st->state = sw_length_3;
+            break;
+
+        case sw_length_4:
+
+            st->value = (st->value << 8) + ch;
+            if ((st->value & 0xc0000000) == 0x80000000) {
+                st->value &= 0x3fffffff;
+                goto done;
+            }
+
+            st->state = sw_length_5;
+            break;
+
+        case sw_length_3:
+        case sw_length_5:
+        case sw_length_6:
+        case sw_length_7:
+
+            st->value = (st->value << 8) + ch;
+            st->state++;
+            break;
+
+        case sw_length_8:
+
+            st->value = (st->value << 8) + ch;
+            st->value &= 0x3fffffffffffffff;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse varlen int %uL", st->value);
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_prefix_int(ngx_connection_t *c,
+    ngx_http_v3_parse_prefix_int_t *st, ngx_uint_t prefix, ngx_buf_t *b)
+{
+    u_char      ch;
+    ngx_uint_t  mask;
+    enum {
+        sw_start = 0,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        if (b->pos == b->last) {
+            return NGX_AGAIN;
+        }
+
+        ch = *b->pos++;
+
+        switch (st->state) {
+
+        case sw_start:
+
+            mask = (1 << prefix) - 1;
+            st->value = ch & mask;
+
+            if (st->value != mask) {
+                goto done;
+            }
+
+            st->shift = 0;
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            st->value += (uint64_t) (ch & 0x7f) << st->shift;
+
+            if (st->shift == 56
+                && ((ch & 0x80) || (st->value & 0xc000000000000000)))
+            {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "client exceeded integer size limit");
+                return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+            }
+
+            if (ch & 0x80) {
+                st->shift += 7;
+                break;
+            }
+
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse prefix int %uL", st->value);
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+ngx_int_t
+ngx_http_v3_parse_headers(ngx_connection_t *c, ngx_http_v3_parse_headers_t *st,
+    ngx_buf_t *b)
+{
+    ngx_buf_t  loc;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_type,
+        sw_length,
+        sw_skip,
+        sw_prefix,
+        sw_verify,
+        sw_field_rep,
+        sw_done
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse headers");
+
+            st->state = sw_type;
+
+            /* fall through */
+
+        case sw_type:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->type = st->vlint.value;
+
+            if (ngx_http_v3_is_v2_frame(st->type)
+                || st->type == NGX_HTTP_V3_FRAME_DATA
+                || st->type == NGX_HTTP_V3_FRAME_GOAWAY
+                || st->type == NGX_HTTP_V3_FRAME_SETTINGS
+                || st->type == NGX_HTTP_V3_FRAME_MAX_PUSH_ID
+                || st->type == NGX_HTTP_V3_FRAME_CANCEL_PUSH
+                || st->type == NGX_HTTP_V3_FRAME_PUSH_PROMISE)
+            {
+                return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+            }
+
+            st->state = sw_length;
+            break;
+
+        case sw_length:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->length = st->vlint.value;
+
+            ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse headers type:%ui, len:%ui",
+                           st->type, st->length);
+
+            if (st->type != NGX_HTTP_V3_FRAME_HEADERS) {
+                st->state = st->length > 0 ? sw_skip : sw_type;
+                break;
+            }
+
+            if (st->length == 0) {
+                return NGX_HTTP_V3_ERR_FRAME_ERROR;
+            }
+
+            st->state = sw_prefix;
+            break;
+
+        case sw_skip:
+
+            rc = ngx_http_v3_parse_skip(b, &st->length);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_type;
+            break;
+
+        case sw_prefix:
+
+            ngx_http_v3_parse_start_local(b, &loc, st->length);
+
+            rc = ngx_http_v3_parse_field_section_prefix(c, &st->prefix, &loc);
+
+            ngx_http_v3_parse_end_local(b, &loc, &st->length);
+
+            if (st->length == 0 && rc == NGX_AGAIN) {
+                return NGX_HTTP_V3_ERR_FRAME_ERROR;
+            }
+
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_verify;
+            break;
+
+        case sw_verify:
+
+            rc = ngx_http_v3_check_insert_count(c, st->prefix.insert_count);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_field_rep;
+
+            /* fall through */
+
+        case sw_field_rep:
+
+            ngx_http_v3_parse_start_local(b, &loc, st->length);
+
+            rc = ngx_http_v3_parse_field_rep(c, &st->field_rep, st->prefix.base,
+                                             &loc);
+
+            ngx_http_v3_parse_end_local(b, &loc, &st->length);
+
+            if (st->length == 0 && rc == NGX_AGAIN) {
+                return NGX_HTTP_V3_ERR_FRAME_ERROR;
+            }
+
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            if (st->length == 0) {
+                goto done;
+            }
+
+            return NGX_OK;
+        }
+    }
+
+done:
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 parse headers done");
+
+    if (st->prefix.insert_count > 0) {
+        if (ngx_http_v3_send_ack_section(c, c->quic->id) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        ngx_http_v3_ack_insert_count(c, st->prefix.insert_count);
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_section_prefix(ngx_connection_t *c,
+    ngx_http_v3_parse_field_section_prefix_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_req_insert_count,
+        sw_delta_base,
+        sw_read_delta_base
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field section prefix");
+
+            st->state = sw_req_insert_count;
+
+            /* fall through */
+
+        case sw_req_insert_count:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 8, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->insert_count = st->pint.value;
+            st->state = sw_delta_base;
+            break;
+
+        case sw_delta_base:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->sign = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_delta_base;
+
+            /* fall through */
+
+        case sw_read_delta_base:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->delta_base = st->pint.value;
+            goto done;
+        }
+    }
+
+done:
+
+    rc = ngx_http_v3_decode_insert_count(c, &st->insert_count);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    if (st->sign) {
+        if (st->insert_count <= st->delta_base) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent negative base");
+            return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+        }
+
+        st->base = st->insert_count - st->delta_base - 1;
+
+    } else {
+        st->base = st->insert_count + st->delta_base;
+    }
+
+    ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                  "http3 parse field section prefix done "
+                  "insert_count:%ui, sign:%ui, delta_base:%ui, base:%ui",
+                  st->insert_count, st->sign, st->delta_base, st->base);
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_rep(ngx_connection_t *c,
+    ngx_http_v3_parse_field_rep_t *st, ngx_uint_t base, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_field_ri,
+        sw_field_lri,
+        sw_field_l,
+        sw_field_pbi,
+        sw_field_lpbi
+    };
+
+    if (st->state == sw_start) {
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 parse field representation");
+
+        if (b->pos == b->last) {
+            return NGX_AGAIN;
+        }
+
+        ch = *b->pos;
+
+        ngx_memzero(&st->field, sizeof(ngx_http_v3_parse_field_t));
+
+        st->field.base = base;
+
+        if (ch & 0x80) {
+            /* Indexed Field Line */
+
+            st->state = sw_field_ri;
+
+        } else if (ch & 0x40) {
+            /* Literal Field Line With Name Reference */
+
+            st->state = sw_field_lri;
+
+        } else if (ch & 0x20) {
+            /* Literal Field Line With Literal Name */
+
+            st->state = sw_field_l;
+
+        } else if (ch & 0x10) {
+            /* Indexed Field Line With Post-Base Index */
+
+            st->state = sw_field_pbi;
+
+        } else {
+            /* Literal Field Line With Post-Base Name Reference */
+
+            st->state = sw_field_lpbi;
+        }
+    }
+
+    switch (st->state) {
+
+    case sw_field_ri:
+        rc = ngx_http_v3_parse_field_ri(c, &st->field, b);
+        break;
+
+    case sw_field_lri:
+        rc = ngx_http_v3_parse_field_lri(c, &st->field, b);
+        break;
+
+    case sw_field_l:
+        rc = ngx_http_v3_parse_field_l(c, &st->field, b);
+        break;
+
+    case sw_field_pbi:
+        rc = ngx_http_v3_parse_field_pbi(c, &st->field, b);
+        break;
+
+    case sw_field_lpbi:
+        rc = ngx_http_v3_parse_field_lpbi(c, &st->field, b);
+        break;
+
+    default:
+        rc = NGX_OK;
+    }
+
+    if (rc != NGX_DONE) {
+        return rc;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field representation done");
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
+    ngx_buf_t *b)
+{
+    u_char                     ch;
+    ngx_uint_t                 n;
+    ngx_http_core_srv_conf_t  *cscf;
+    enum {
+        sw_start = 0,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse literal huff:%ui, len:%ui",
+                           st->huffman, st->length);
+
+            n = st->length;
+
+            cscf = ngx_http_v3_get_module_srv_conf(c, ngx_http_core_module);
+
+            if (n > cscf->large_client_header_buffers.size) {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "client sent too large field line");
+                return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+            }
+
+            if (st->huffman) {
+                n = n * 8 / 5;
+                st->huffstate = 0;
+            }
+
+            st->last = ngx_pnalloc(c->pool, n + 1);
+            if (st->last == NULL) {
+                return NGX_ERROR;
+            }
+
+            st->value.data = st->last;
+            st->state = sw_value;
+
+            /* fall through */
+
+        case sw_value:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos++;
+
+            if (st->huffman) {
+                if (ngx_http_huff_decode(&st->huffstate, &ch, 1, &st->last,
+                                         st->length == 1, c->log)
+                    != NGX_OK)
+                {
+                    return NGX_ERROR;
+                }
+
+            } else {
+                *st->last++ = ch;
+            }
+
+            if (--st->length) {
+                break;
+            }
+
+            st->value.len = st->last - st->value.data;
+            *st->last = '\0';
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse literal done \"%V\"", &st->value);
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_ri(ngx_connection_t *c, ngx_http_v3_parse_field_t *st,
+    ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_index
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field ri");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->dynamic = (ch & 0x40) ? 0 : 1;
+            st->state = sw_index;
+
+            /* fall through */
+
+        case sw_index:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->index = st->pint.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field ri done %s%ui]",
+                   st->dynamic ? "dynamic[-" : "static[", st->index);
+
+    if (st->dynamic) {
+        st->index = st->base - st->index - 1;
+    }
+
+    rc = ngx_http_v3_parse_lookup(c, st->dynamic, st->index, &st->name,
+                                  &st->value);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_lri(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_index,
+        sw_value_len,
+        sw_read_value_len,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field lri");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->dynamic = (ch & 0x10) ? 0 : 1;
+            st->state = sw_index;
+
+            /* fall through */
+
+        case sw_index:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 4, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->index = st->pint.value;
+            st->state = sw_value_len;
+            break;
+
+        case sw_value_len:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_value_len;
+
+            /* fall through */
+
+        case sw_read_value_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                goto done;
+            }
+
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->value = st->literal.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field lri done %s%ui] \"%V\"",
+                   st->dynamic ? "dynamic[-" : "static[",
+                   st->index, &st->value);
+
+    if (st->dynamic) {
+        st->index = st->base - st->index - 1;
+    }
+
+    rc = ngx_http_v3_parse_lookup(c, st->dynamic, st->index, &st->name, NULL);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_l(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_name_len,
+        sw_name,
+        sw_value_len,
+        sw_read_value_len,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field l");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x08) ? 1 : 0;
+            st->state = sw_name_len;
+
+            /* fall through */
+
+        case sw_name_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 3, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                return NGX_ERROR;
+            }
+
+            st->state = sw_name;
+            break;
+
+        case sw_name:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->name = st->literal.value;
+            st->state = sw_value_len;
+            break;
+
+        case sw_value_len:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_value_len;
+
+            /* fall through */
+
+        case sw_read_value_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                goto done;
+            }
+
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->value = st->literal.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field l done \"%V\" \"%V\"",
+                   &st->name, &st->value);
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_pbi(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_index
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field pbi");
+
+            st->state = sw_index;
+
+            /* fall through */
+
+        case sw_index:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 4, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->index = st->pint.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field pbi done dynamic[+%ui]", st->index);
+
+    rc = ngx_http_v3_parse_lookup(c, 1, st->base + st->index, &st->name,
+                                  &st->value);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_lpbi(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_index,
+        sw_value_len,
+        sw_read_value_len,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field lpbi");
+
+            st->state = sw_index;
+
+            /* fall through */
+
+        case sw_index:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 3, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->index = st->pint.value;
+            st->state = sw_value_len;
+            break;
+
+        case sw_value_len:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_value_len;
+
+            /* fall through */
+
+        case sw_read_value_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                goto done;
+            }
+
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->value = st->literal.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field lpbi done dynamic[+%ui] \"%V\"",
+                   st->index, &st->value);
+
+    rc = ngx_http_v3_parse_lookup(c, 1, st->base + st->index, &st->name, NULL);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_lookup(ngx_connection_t *c, ngx_uint_t dynamic,
+    ngx_uint_t index, ngx_str_t *name, ngx_str_t *value)
+{
+    u_char  *p;
+
+    if (!dynamic) {
+        if (ngx_http_v3_lookup_static(c, index, name, value) != NGX_OK) {
+            return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+        }
+
+        return NGX_OK;
+    }
+
+    if (ngx_http_v3_lookup(c, index, name, value) != NGX_OK) {
+        return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+    }
+
+    if (name) {
+        p = ngx_pnalloc(c->pool, name->len + 1);
+        if (p == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_memcpy(p, name->data, name->len);
+        p[name->len] = '\0';
+        name->data = p;
+    }
+
+    if (value) {
+        p = ngx_pnalloc(c->pool, value->len + 1);
+        if (p == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_memcpy(p, value->data, value->len);
+        p[value->len] = '\0';
+        value->data = p;
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_control(ngx_connection_t *c, ngx_http_v3_parse_control_t *st,
+    ngx_buf_t *b)
+{
+    ngx_buf_t  loc;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_first_type,
+        sw_type,
+        sw_length,
+        sw_settings,
+        sw_skip
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse control");
+
+            st->state = sw_first_type;
+
+            /* fall through */
+
+        case sw_first_type:
+        case sw_type:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->type = st->vlint.value;
+
+            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse frame type:%ui", st->type);
+
+            if (st->state == sw_first_type
+                && st->type != NGX_HTTP_V3_FRAME_SETTINGS)
+            {
+                return NGX_HTTP_V3_ERR_MISSING_SETTINGS;
+            }
+
+            if (st->state != sw_first_type
+                && st->type == NGX_HTTP_V3_FRAME_SETTINGS)
+            {
+                return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+            }
+
+            if (ngx_http_v3_is_v2_frame(st->type)
+                || st->type == NGX_HTTP_V3_FRAME_DATA
+                || st->type == NGX_HTTP_V3_FRAME_HEADERS
+                || st->type == NGX_HTTP_V3_FRAME_PUSH_PROMISE)
+            {
+                return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+            }
+
+            if (st->type == NGX_HTTP_V3_FRAME_CANCEL_PUSH) {
+                return NGX_HTTP_V3_ERR_ID_ERROR;
+            }
+
+            st->state = sw_length;
+            break;
+
+        case sw_length:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse frame len:%uL", st->vlint.value);
+
+            st->length = st->vlint.value;
+            if (st->length == 0) {
+                st->state = sw_type;
+                break;
+            }
+
+            switch (st->type) {
+
+            case NGX_HTTP_V3_FRAME_SETTINGS:
+                st->state = sw_settings;
+                break;
+
+            default:
+                ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                               "http3 parse skip unknown frame");
+                st->state = sw_skip;
+            }
+
+            break;
+
+        case sw_settings:
+
+            ngx_http_v3_parse_start_local(b, &loc, st->length);
+
+            rc = ngx_http_v3_parse_settings(c, &st->settings, &loc);
+
+            ngx_http_v3_parse_end_local(b, &loc, &st->length);
+
+            if (st->length == 0 && rc == NGX_AGAIN) {
+                return NGX_HTTP_V3_ERR_SETTINGS_ERROR;
+            }
+
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            if (st->length == 0) {
+                st->state = sw_type;
+            }
+
+            break;
+
+        case sw_skip:
+
+            rc = ngx_http_v3_parse_skip(b, &st->length);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_type;
+            break;
+        }
+    }
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_settings(ngx_connection_t *c,
+    ngx_http_v3_parse_settings_t *st, ngx_buf_t *b)
+{
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_id,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse settings");
+
+            st->state = sw_id;
+
+            /* fall through */
+
+        case sw_id:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->id = st->vlint.value;
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            if (ngx_http_v3_set_param(c, st->id, st->vlint.value) != NGX_OK) {
+                return NGX_HTTP_V3_ERR_SETTINGS_ERROR;
+            }
+
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 parse settings done");
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_encoder(ngx_connection_t *c, ngx_http_v3_parse_encoder_t *st,
+    ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_inr,
+        sw_iln,
+        sw_capacity,
+        sw_duplicate
+    };
+
+    for ( ;; ) {
+
+        if (st->state == sw_start) {
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse encoder instruction");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            if (ch & 0x80) {
+                /* Insert With Name Reference */
+
+                st->state = sw_inr;
+
+            } else if (ch & 0x40) {
+                /* Insert With Literal Name */
+
+                st->state = sw_iln;
+
+            } else if (ch & 0x20) {
+                /* Set Dynamic Table Capacity */
+
+                st->state = sw_capacity;
+
+            } else {
+                /* Duplicate */
+
+                st->state = sw_duplicate;
+            }
+        }
+
+        switch (st->state) {
+
+        case sw_inr:
+
+            rc = ngx_http_v3_parse_field_inr(c, &st->field, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+
+        case sw_iln:
+
+            rc = ngx_http_v3_parse_field_iln(c, &st->field, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+
+        case sw_capacity:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_set_capacity(c, st->pint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+
+        default: /* sw_duplicate */
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_duplicate(c, st->pint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+        }
+    }
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_inr(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_name_index,
+        sw_value_len,
+        sw_read_value_len,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field inr");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->dynamic = (ch & 0x40) ? 0 : 1;
+            st->state = sw_name_index;
+
+            /* fall through */
+
+        case sw_name_index:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->index = st->pint.value;
+            st->state = sw_value_len;
+            break;
+
+        case sw_value_len:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_value_len;
+
+            /* fall through */
+
+        case sw_read_value_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                st->value.len = 0;
+                goto done;
+            }
+
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->value = st->literal.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field inr done %s[%ui] \"%V\"",
+                   st->dynamic ? "dynamic" : "static",
+                   st->index, &st->value);
+
+    rc = ngx_http_v3_ref_insert(c, st->dynamic, st->index, &st->value);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_field_iln(ngx_connection_t *c,
+    ngx_http_v3_parse_field_t *st, ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_name_len,
+        sw_name,
+        sw_value_len,
+        sw_read_value_len,
+        sw_value
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse field iln");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x20) ? 1 : 0;
+            st->state = sw_name_len;
+
+            /* fall through */
+
+        case sw_name_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                return NGX_ERROR;
+            }
+
+            st->state = sw_name;
+            break;
+
+        case sw_name:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->name = st->literal.value;
+            st->state = sw_value_len;
+            break;
+
+        case sw_value_len:
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            st->literal.huffman = (ch & 0x80) ? 1 : 0;
+            st->state = sw_read_value_len;
+
+            /* fall through */
+
+        case sw_read_value_len:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->literal.length = st->pint.value;
+            if (st->literal.length == 0) {
+                st->value.len = 0;
+                goto done;
+            }
+
+            st->state = sw_value;
+            break;
+
+        case sw_value:
+
+            rc = ngx_http_v3_parse_literal(c, &st->literal, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->value = st->literal.value;
+            goto done;
+        }
+    }
+
+done:
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 parse field iln done \"%V\":\"%V\"",
+                   &st->name, &st->value);
+
+    rc = ngx_http_v3_insert(c, &st->name, &st->value);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+static ngx_int_t
+ngx_http_v3_parse_decoder(ngx_connection_t *c, ngx_http_v3_parse_decoder_t *st,
+    ngx_buf_t *b)
+{
+    u_char     ch;
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_ack_section,
+        sw_cancel_stream,
+        sw_inc_insert_count
+    };
+
+    for ( ;; ) {
+
+        if (st->state == sw_start) {
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse decoder instruction");
+
+            if (b->pos == b->last) {
+                return NGX_AGAIN;
+            }
+
+            ch = *b->pos;
+
+            if (ch & 0x80) {
+                /* Section Acknowledgment */
+
+                st->state = sw_ack_section;
+
+            } else if (ch & 0x40) {
+                /*  Stream Cancellation */
+
+                st->state = sw_cancel_stream;
+
+            }  else {
+                /*  Insert Count Increment */
+
+                st->state = sw_inc_insert_count;
+            }
+        }
+
+        switch (st->state) {
+
+        case sw_ack_section:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_ack_section(c, st->pint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+
+        case sw_cancel_stream:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_cancel_stream(c, st->pint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+
+        case sw_inc_insert_count:
+
+            rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_inc_insert_count(c, st->pint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            st->state = sw_start;
+            break;
+        }
+    }
+}
+
+
+ngx_int_t
+ngx_http_v3_parse_data(ngx_connection_t *c, ngx_http_v3_parse_data_t *st,
+    ngx_buf_t *b)
+{
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_type,
+        sw_length,
+        sw_skip
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 parse data");
+
+            st->state = sw_type;
+
+            /* fall through */
+
+        case sw_type:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->type = st->vlint.value;
+
+            if (st->type == NGX_HTTP_V3_FRAME_HEADERS) {
+                /* trailers */
+                goto done;
+            }
+
+            if (ngx_http_v3_is_v2_frame(st->type)
+                || st->type == NGX_HTTP_V3_FRAME_GOAWAY
+                || st->type == NGX_HTTP_V3_FRAME_SETTINGS
+                || st->type == NGX_HTTP_V3_FRAME_MAX_PUSH_ID
+                || st->type == NGX_HTTP_V3_FRAME_CANCEL_PUSH
+                || st->type == NGX_HTTP_V3_FRAME_PUSH_PROMISE)
+            {
+                return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+            }
+
+            st->state = sw_length;
+            break;
+
+        case sw_length:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->length = st->vlint.value;
+
+            ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 parse data type:%ui, len:%ui",
+                           st->type, st->length);
+
+            if (st->type != NGX_HTTP_V3_FRAME_DATA && st->length > 0) {
+                st->state = sw_skip;
+                break;
+            }
+
+            st->state = sw_type;
+            return NGX_OK;
+
+        case sw_skip:
+
+            rc = ngx_http_v3_parse_skip(b, &st->length);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            st->state = sw_type;
+            break;
+        }
+    }
+
+done:
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 parse data done");
+
+    st->state = sw_start;
+    return NGX_DONE;
+}
+
+
+ngx_int_t
+ngx_http_v3_parse_uni(ngx_connection_t *c, ngx_http_v3_parse_uni_t *st,
+    ngx_buf_t *b)
+{
+    ngx_int_t  rc;
+    enum {
+        sw_start = 0,
+        sw_type,
+        sw_control,
+        sw_encoder,
+        sw_decoder,
+        sw_unknown
+    };
+
+    for ( ;; ) {
+
+        switch (st->state) {
+        case sw_start:
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 parse uni");
+
+            st->state = sw_type;
+
+            /* fall through */
+
+        case sw_type:
+
+            rc = ngx_http_v3_parse_varlen_int(c, &st->vlint, b);
+            if (rc != NGX_DONE) {
+                return rc;
+            }
+
+            rc = ngx_http_v3_register_uni_stream(c, st->vlint.value);
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            switch (st->vlint.value) {
+            case NGX_HTTP_V3_STREAM_CONTROL:
+                st->state = sw_control;
+                break;
+
+            case NGX_HTTP_V3_STREAM_ENCODER:
+                st->state = sw_encoder;
+                break;
+
+            case NGX_HTTP_V3_STREAM_DECODER:
+                st->state = sw_decoder;
+                break;
+
+            default:
+                st->state = sw_unknown;
+            }
+
+            break;
+
+        case sw_control:
+
+            return ngx_http_v3_parse_control(c, &st->u.control, b);
+
+        case sw_encoder:
+
+            return ngx_http_v3_parse_encoder(c, &st->u.encoder, b);
+
+        case sw_decoder:
+
+            return ngx_http_v3_parse_decoder(c, &st->u.decoder, b);
+
+        case sw_unknown:
+
+            b->pos = b->last;
+            return NGX_AGAIN;
+        }
+    }
+}
diff --git a/src/http/v3/ngx_http_v3_parse.h b/src/http/v3/ngx_http_v3_parse.h
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_parse.h
@@ -0,0 +1,146 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_HTTP_V3_PARSE_H_INCLUDED_
+#define _NGX_HTTP_V3_PARSE_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    uint64_t                        value;
+} ngx_http_v3_parse_varlen_int_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      shift;
+    uint64_t                        value;
+} ngx_http_v3_parse_prefix_int_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    uint64_t                        id;
+    ngx_http_v3_parse_varlen_int_t  vlint;
+} ngx_http_v3_parse_settings_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      insert_count;
+    ngx_uint_t                      delta_base;
+    ngx_uint_t                      sign;
+    ngx_uint_t                      base;
+    ngx_http_v3_parse_prefix_int_t  pint;
+} ngx_http_v3_parse_field_section_prefix_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      length;
+    ngx_uint_t                      huffman;
+    ngx_str_t                       value;
+    u_char                         *last;
+    u_char                          huffstate;
+} ngx_http_v3_parse_literal_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      index;
+    ngx_uint_t                      base;
+    ngx_uint_t                      dynamic;
+
+    ngx_str_t                       name;
+    ngx_str_t                       value;
+
+    ngx_http_v3_parse_prefix_int_t  pint;
+    ngx_http_v3_parse_literal_t     literal;
+} ngx_http_v3_parse_field_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_http_v3_parse_field_t       field;
+} ngx_http_v3_parse_field_rep_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      type;
+    ngx_uint_t                      length;
+    ngx_http_v3_parse_varlen_int_t  vlint;
+    ngx_http_v3_parse_field_section_prefix_t  prefix;
+    ngx_http_v3_parse_field_rep_t   field_rep;
+} ngx_http_v3_parse_headers_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_http_v3_parse_field_t       field;
+    ngx_http_v3_parse_prefix_int_t  pint;
+} ngx_http_v3_parse_encoder_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_http_v3_parse_prefix_int_t  pint;
+} ngx_http_v3_parse_decoder_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      type;
+    ngx_uint_t                      length;
+    ngx_http_v3_parse_varlen_int_t  vlint;
+    ngx_http_v3_parse_settings_t    settings;
+} ngx_http_v3_parse_control_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_http_v3_parse_varlen_int_t  vlint;
+    union {
+        ngx_http_v3_parse_encoder_t  encoder;
+        ngx_http_v3_parse_decoder_t  decoder;
+        ngx_http_v3_parse_control_t  control;
+    } u;
+} ngx_http_v3_parse_uni_t;
+
+
+typedef struct {
+    ngx_uint_t                      state;
+    ngx_uint_t                      type;
+    ngx_uint_t                      length;
+    ngx_http_v3_parse_varlen_int_t  vlint;
+} ngx_http_v3_parse_data_t;
+
+
+/*
+ * Parse functions return codes:
+ *   NGX_DONE - parsing done
+ *   NGX_OK - sub-element done
+ *   NGX_AGAIN - more data expected
+ *   NGX_BUSY - waiting for external event
+ *   NGX_ERROR - internal error
+ *   NGX_HTTP_V3_ERROR_XXX - HTTP/3 or QPACK error
+ */
+
+ngx_int_t ngx_http_v3_parse_headers(ngx_connection_t *c,
+    ngx_http_v3_parse_headers_t *st, ngx_buf_t *b);
+ngx_int_t ngx_http_v3_parse_data(ngx_connection_t *c,
+    ngx_http_v3_parse_data_t *st, ngx_buf_t *b);
+ngx_int_t ngx_http_v3_parse_uni(ngx_connection_t *c,
+    ngx_http_v3_parse_uni_t *st, ngx_buf_t *b);
+
+
+#endif /* _NGX_HTTP_V3_PARSE_H_INCLUDED_ */
diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -0,0 +1,1716 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+static void ngx_http_v3_init_request_stream(ngx_connection_t *c);
+static void ngx_http_v3_wait_request_handler(ngx_event_t *rev);
+static void ngx_http_v3_cleanup_connection(void *data);
+static void ngx_http_v3_cleanup_request(void *data);
+static void ngx_http_v3_process_request(ngx_event_t *rev);
+static ngx_int_t ngx_http_v3_process_header(ngx_http_request_t *r,
+    ngx_str_t *name, ngx_str_t *value);
+static ngx_int_t ngx_http_v3_validate_header(ngx_http_request_t *r,
+    ngx_str_t *name, ngx_str_t *value);
+static ngx_int_t ngx_http_v3_process_pseudo_header(ngx_http_request_t *r,
+    ngx_str_t *name, ngx_str_t *value);
+static ngx_int_t ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r);
+static ngx_int_t ngx_http_v3_process_request_header(ngx_http_request_t *r);
+static ngx_int_t ngx_http_v3_cookie(ngx_http_request_t *r, ngx_str_t *value);
+static ngx_int_t ngx_http_v3_construct_cookie_header(ngx_http_request_t *r);
+static void ngx_http_v3_read_client_request_body_handler(ngx_http_request_t *r);
+static ngx_int_t ngx_http_v3_do_read_client_request_body(ngx_http_request_t *r);
+static ngx_int_t ngx_http_v3_request_body_filter(ngx_http_request_t *r,
+    ngx_chain_t *in);
+
+
+static const struct {
+    ngx_str_t   name;
+    ngx_uint_t  method;
+} ngx_http_v3_methods[] = {
+
+    { ngx_string("GET"),       NGX_HTTP_GET },
+    { ngx_string("POST"),      NGX_HTTP_POST },
+    { ngx_string("HEAD"),      NGX_HTTP_HEAD },
+    { ngx_string("OPTIONS"),   NGX_HTTP_OPTIONS },
+    { ngx_string("PROPFIND"),  NGX_HTTP_PROPFIND },
+    { ngx_string("PUT"),       NGX_HTTP_PUT },
+    { ngx_string("MKCOL"),     NGX_HTTP_MKCOL },
+    { ngx_string("DELETE"),    NGX_HTTP_DELETE },
+    { ngx_string("COPY"),      NGX_HTTP_COPY },
+    { ngx_string("MOVE"),      NGX_HTTP_MOVE },
+    { ngx_string("PROPPATCH"), NGX_HTTP_PROPPATCH },
+    { ngx_string("LOCK"),      NGX_HTTP_LOCK },
+    { ngx_string("UNLOCK"),    NGX_HTTP_UNLOCK },
+    { ngx_string("PATCH"),     NGX_HTTP_PATCH },
+    { ngx_string("TRACE"),     NGX_HTTP_TRACE },
+    { ngx_string("CONNECT"),   NGX_HTTP_CONNECT }
+};
+
+
+void
+ngx_http_v3_init_stream(ngx_connection_t *c)
+{
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_connection_t     *hc, *phc;
+    ngx_http_v3_srv_conf_t    *h3scf;
+    ngx_http_core_loc_conf_t  *clcf;
+    ngx_http_core_srv_conf_t  *cscf;
+
+    hc = c->data;
+
+    hc->ssl = 1;
+
+    clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+    cscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_core_module);
+    h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);
+
+    if (c->quic == NULL) {
+        if (ngx_http_v3_init_session(c) != NGX_OK) {
+            ngx_http_close_connection(c);
+            return;
+        }
+
+        h3c = hc->v3_session;
+        ngx_add_timer(&h3c->keepalive, cscf->client_header_timeout);
+
+        h3scf->quic.timeout = clcf->keepalive_timeout;
+        ngx_quic_run(c, &h3scf->quic);
+        return;
+    }
+
+    phc = ngx_http_quic_get_connection(c);
+
+    if (phc->ssl_servername) {
+        hc->ssl_servername = phc->ssl_servername;
+#if (NGX_PCRE)
+        hc->ssl_servername_regex = phc->ssl_servername_regex;
+#endif
+        hc->conf_ctx = phc->conf_ctx;
+
+        ngx_set_connection_log(c, clcf->error_log);
+    }
+
+    if (c->quic->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) {
+        ngx_http_v3_init_uni_stream(c);
+
+    } else  {
+        ngx_http_v3_init_request_stream(c);
+    }
+}
+
+
+ngx_int_t
+ngx_http_v3_init(ngx_connection_t *c)
+{
+    unsigned int               len;
+    const unsigned char       *data;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_srv_conf_t    *h3scf;
+    ngx_http_core_loc_conf_t  *clcf;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 init");
+
+    h3c = ngx_http_v3_get_session(c);
+    clcf = ngx_http_v3_get_module_loc_conf(c, ngx_http_core_module);
+    ngx_add_timer(&h3c->keepalive, clcf->keepalive_timeout);
+
+    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+    if (h3scf->enable_hq) {
+        if (!h3scf->enable) {
+            h3c->hq = 1;
+            return NGX_OK;
+        }
+
+        SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+
+        if (len == sizeof(NGX_HTTP_V3_HQ_PROTO) - 1
+            && ngx_strncmp(data, NGX_HTTP_V3_HQ_PROTO, len) == 0)
+        {
+            h3c->hq = 1;
+            return NGX_OK;
+        }
+    }
+
+    return ngx_http_v3_send_settings(c);
+}
+
+
+void
+ngx_http_v3_shutdown(ngx_connection_t *c)
+{
+    ngx_http_v3_session_t  *h3c;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 shutdown");
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (h3c == NULL) {
+        ngx_quic_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+                                     "connection shutdown");
+        return;
+    }
+
+    if (!h3c->goaway) {
+        h3c->goaway = 1;
+
+        if (!h3c->hq) {
+            (void) ngx_http_v3_send_goaway(c, h3c->next_request_id);
+        }
+
+        ngx_http_v3_shutdown_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+                                        "connection shutdown");
+    }
+}
+
+
+static void
+ngx_http_v3_init_request_stream(ngx_connection_t *c)
+{
+    uint64_t                   n;
+    ngx_event_t               *rev;
+    ngx_pool_cleanup_t        *cln;
+    ngx_http_connection_t     *hc;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_core_loc_conf_t  *clcf;
+    ngx_http_core_srv_conf_t  *cscf;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 init request stream");
+
+#if (NGX_STAT_STUB)
+    (void) ngx_atomic_fetch_add(ngx_stat_active, 1);
+#endif
+
+    hc = c->data;
+
+    clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+
+    n = c->quic->id >> 2;
+
+    if (n >= clcf->keepalive_requests * 2) {
+        ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                        "too many requests per connection");
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (h3c->goaway) {
+        c->close = 1;
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    h3c->next_request_id = c->quic->id + 0x04;
+
+    if (n + 1 == clcf->keepalive_requests
+        || ngx_current_msec - c->start_time > clcf->keepalive_time)
+    {
+        h3c->goaway = 1;
+
+        if (!h3c->hq) {
+            if (ngx_http_v3_send_goaway(c, h3c->next_request_id) != NGX_OK) {
+                ngx_http_close_connection(c);
+                return;
+            }
+        }
+
+        ngx_http_v3_shutdown_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+                                        "reached maximum number of requests");
+    }
+
+    cln = ngx_pool_cleanup_add(c->pool, 0);
+    if (cln == NULL) {
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    cln->handler = ngx_http_v3_cleanup_connection;
+    cln->data = c;
+
+    h3c->nrequests++;
+
+    if (h3c->keepalive.timer_set) {
+        ngx_del_timer(&h3c->keepalive);
+    }
+
+    rev = c->read;
+
+    if (!h3c->hq) {
+        rev->handler = ngx_http_v3_wait_request_handler;
+        c->write->handler = ngx_http_empty_handler;
+    }
+
+    if (rev->ready) {
+        rev->handler(rev);
+        return;
+    }
+
+    cscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_core_module);
+
+    ngx_add_timer(rev, cscf->client_header_timeout);
+    ngx_reusable_connection(c, 1);
+
+    if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+        ngx_http_close_connection(c);
+        return;
+    }
+}
+
+
+static void
+ngx_http_v3_wait_request_handler(ngx_event_t *rev)
+{
+    size_t                     size;
+    ssize_t                    n;
+    ngx_buf_t                 *b;
+    ngx_connection_t          *c;
+    ngx_pool_cleanup_t        *cln;
+    ngx_http_request_t        *r;
+    ngx_http_connection_t     *hc;
+    ngx_http_core_srv_conf_t  *cscf;
+
+    c = rev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 wait request handler");
+
+    if (rev->timedout) {
+        ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out");
+        c->timedout = 1;
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    if (c->close) {
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    hc = c->data;
+    cscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_core_module);
+
+    size = cscf->client_header_buffer_size;
+
+    b = c->buffer;
+
+    if (b == NULL) {
+        b = ngx_create_temp_buf(c->pool, size);
+        if (b == NULL) {
+            ngx_http_close_connection(c);
+            return;
+        }
+
+        c->buffer = b;
+
+    } else if (b->start == NULL) {
+
+        b->start = ngx_palloc(c->pool, size);
+        if (b->start == NULL) {
+            ngx_http_close_connection(c);
+            return;
+        }
+
+        b->pos = b->start;
+        b->last = b->start;
+        b->end = b->last + size;
+    }
+
+    n = c->recv(c, b->last, size);
+
+    if (n == NGX_AGAIN) {
+
+        if (!rev->timer_set) {
+            ngx_add_timer(rev, cscf->client_header_timeout);
+            ngx_reusable_connection(c, 1);
+        }
+
+        if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+            ngx_http_close_connection(c);
+            return;
+        }
+
+        /*
+         * We are trying to not hold c->buffer's memory for an idle connection.
+         */
+
+        if (ngx_pfree(c->pool, b->start) == NGX_OK) {
+            b->start = NULL;
+        }
+
+        return;
+    }
+
+    if (n == NGX_ERROR) {
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    if (n == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client closed connection");
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    b->last += n;
+
+    c->log->action = "reading client request";
+
+    ngx_reusable_connection(c, 0);
+
+    r = ngx_http_create_request(c);
+    if (r == NULL) {
+        ngx_http_close_connection(c);
+        return;
+    }
+
+    r->http_version = NGX_HTTP_VERSION_30;
+
+    r->v3_parse = ngx_pcalloc(r->pool, sizeof(ngx_http_v3_parse_t));
+    if (r->v3_parse == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return;
+    }
+
+    r->v3_parse->header_limit = cscf->large_client_header_buffers.size
+                                * cscf->large_client_header_buffers.num;
+
+    c->data = r;
+    c->requests = (c->quic->id >> 2) + 1;
+
+    cln = ngx_pool_cleanup_add(r->pool, 0);
+    if (cln == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return;
+    }
+
+    cln->handler = ngx_http_v3_cleanup_request;
+    cln->data = r;
+
+    rev->handler = ngx_http_v3_process_request;
+    ngx_http_v3_process_request(rev);
+}
+
+
+void
+ngx_http_v3_reset_stream(ngx_connection_t *c)
+{
+    ngx_http_v3_session_t   *h3c;
+    ngx_http_v3_srv_conf_t  *h3scf;
+
+    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (h3scf->max_table_capacity > 0 && !c->read->eof && !h3c->hq
+        && (c->quic->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) == 0)
+    {
+        (void) ngx_http_v3_send_cancel_stream(c, c->quic->id);
+    }
+
+    if (c->timedout) {
+        ngx_quic_reset_stream(c, NGX_HTTP_V3_ERR_GENERAL_PROTOCOL_ERROR);
+
+    } else if (c->close) {
+        ngx_quic_reset_stream(c, NGX_HTTP_V3_ERR_REQUEST_REJECTED);
+
+    } else if (c->requests == 0 || c->error) {
+        ngx_quic_reset_stream(c, NGX_HTTP_V3_ERR_INTERNAL_ERROR);
+    }
+}
+
+
+static void
+ngx_http_v3_cleanup_connection(void *data)
+{
+    ngx_connection_t  *c = data;
+
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_core_loc_conf_t  *clcf;
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (--h3c->nrequests == 0) {
+        clcf = ngx_http_v3_get_module_loc_conf(c, ngx_http_core_module);
+        ngx_add_timer(&h3c->keepalive, clcf->keepalive_timeout);
+    }
+}
+
+
+static void
+ngx_http_v3_cleanup_request(void *data)
+{
+    ngx_http_request_t  *r = data;
+
+    if (!r->response_sent) {
+        r->connection->error = 1;
+    }
+}
+
+
+static void
+ngx_http_v3_process_request(ngx_event_t *rev)
+{
+    u_char                       *p;
+    ssize_t                       n;
+    ngx_buf_t                    *b;
+    ngx_int_t                     rc;
+    ngx_connection_t             *c;
+    ngx_http_request_t           *r;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_core_srv_conf_t     *cscf;
+    ngx_http_v3_parse_headers_t  *st;
+
+    c = rev->data;
+    r = c->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, "http3 process request");
+
+    if (rev->timedout) {
+        ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out");
+        c->timedout = 1;
+        ngx_http_close_request(r, NGX_HTTP_REQUEST_TIME_OUT);
+        return;
+    }
+
+    h3c = ngx_http_v3_get_session(c);
+
+    st = &r->v3_parse->headers;
+
+    b = r->header_in;
+
+    for ( ;; ) {
+
+        if (b->pos == b->last) {
+
+            if (rev->ready) {
+                n = c->recv(c, b->start, b->end - b->start);
+
+            } else {
+                n = NGX_AGAIN;
+            }
+
+            if (n == NGX_AGAIN) {
+                if (!rev->timer_set) {
+                    cscf = ngx_http_get_module_srv_conf(r,
+                                                        ngx_http_core_module);
+                    ngx_add_timer(rev, cscf->client_header_timeout);
+                }
+
+                if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+                    ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+                }
+
+                break;
+            }
+
+            if (n == 0) {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "client prematurely closed connection");
+            }
+
+            if (n == 0 || n == NGX_ERROR) {
+                c->error = 1;
+                c->log->action = "reading client request";
+
+                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                break;
+            }
+
+            b->pos = b->start;
+            b->last = b->start + n;
+        }
+
+        p = b->pos;
+
+        rc = ngx_http_v3_parse_headers(c, st, b);
+
+        if (rc > 0) {
+            ngx_quic_reset_stream(c, rc);
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                          "client sent invalid header");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            break;
+        }
+
+        if (rc == NGX_ERROR) {
+            ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+            break;
+        }
+
+        r->request_length += b->pos - p;
+        h3c->total_bytes += b->pos - p;
+
+        if (ngx_http_v3_check_flood(c) != NGX_OK) {
+            ngx_http_close_request(r, NGX_HTTP_CLOSE);
+            break;
+        }
+
+        if (rc == NGX_BUSY) {
+            if (rev->error) {
+                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                break;
+            }
+
+            if (!rev->timer_set) {
+                cscf = ngx_http_get_module_srv_conf(r,
+                                                    ngx_http_core_module);
+                ngx_add_timer(rev, cscf->client_header_timeout);
+            }
+
+            if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+                ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+            }
+
+            break;
+        }
+
+        if (rc == NGX_AGAIN) {
+            continue;
+        }
+
+        /* rc == NGX_OK || rc == NGX_DONE */
+
+        h3c->payload_bytes += ngx_http_v3_encode_field_l(NULL,
+                                                   &st->field_rep.field.name,
+                                                   &st->field_rep.field.value);
+
+        if (ngx_http_v3_process_header(r, &st->field_rep.field.name,
+                                       &st->field_rep.field.value)
+            != NGX_OK)
+        {
+            break;
+        }
+
+        if (rc == NGX_DONE) {
+            if (ngx_http_v3_process_request_header(r) != NGX_OK) {
+                break;
+            }
+
+            ngx_http_process_request(r);
+            break;
+        }
+    }
+
+    ngx_http_run_posted_requests(c);
+
+    return;
+}
+
+
+static ngx_int_t
+ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
+    ngx_str_t *value)
+{
+    size_t                      len;
+    ngx_table_elt_t            *h;
+    ngx_http_header_t          *hh;
+    ngx_http_core_srv_conf_t   *cscf;
+    ngx_http_core_main_conf_t  *cmcf;
+
+    static ngx_str_t cookie = ngx_string("cookie");
+
+    len = name->len + value->len;
+
+    if (len > r->v3_parse->header_limit) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent too large header");
+        ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+        return NGX_ERROR;
+    }
+
+    r->v3_parse->header_limit -= len;
+
+    if (ngx_http_v3_validate_header(r, name, value) != NGX_OK) {
+        ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+        return NGX_ERROR;
+    }
+
+    if (r->invalid_header) {
+        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+        if (cscf->ignore_invalid_headers) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent invalid header: \"%V\"", name);
+
+            return NGX_OK;
+        }
+    }
+
+    if (name->len && name->data[0] == ':') {
+        return ngx_http_v3_process_pseudo_header(r, name, value);
+    }
+
+    if (ngx_http_v3_init_pseudo_headers(r) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (name->len == cookie.len
+        && ngx_memcmp(name->data, cookie.data, cookie.len) == 0)
+    {
+        if (ngx_http_v3_cookie(r, value) != NGX_OK) {
+            ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+            return NGX_ERROR;
+        }
+
+    } else {
+        h = ngx_list_push(&r->headers_in.headers);
+        if (h == NULL) {
+            ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+            return NGX_ERROR;
+        }
+
+        h->key = *name;
+        h->value = *value;
+        h->lowcase_key = h->key.data;
+        h->hash = ngx_hash_key(h->key.data, h->key.len);
+
+        cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
+
+        hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
+                           h->lowcase_key, h->key.len);
+
+        if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
+            return NGX_ERROR;
+        }
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                   "http3 header: \"%V: %V\"", name, value);
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_validate_header(ngx_http_request_t *r, ngx_str_t *name,
+    ngx_str_t *value)
+{
+    u_char                     ch;
+    ngx_uint_t                 i;
+    ngx_http_core_srv_conf_t  *cscf;
+
+    r->invalid_header = 0;
+
+    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+    for (i = (name->data[0] == ':'); i != name->len; i++) {
+        ch = name->data[i];
+
+        if ((ch >= 'a' && ch <= 'z')
+            || (ch == '-')
+            || (ch >= '0' && ch <= '9')
+            || (ch == '_' && cscf->underscores_in_headers))
+        {
+            continue;
+        }
+
+        if (ch <= 0x20 || ch == 0x7f || ch == ':'
+            || (ch >= 'A' && ch <= 'Z'))
+        {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent invalid header name: \"%V\"", name);
+
+            return NGX_ERROR;
+        }
+
+        r->invalid_header = 1;
+    }
+
+    for (i = 0; i != value->len; i++) {
+        ch = value->data[i];
+
+        if (ch == '\0' || ch == LF || ch == CR) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent header \"%V\" with "
+                          "invalid value: \"%V\"", name, value);
+
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_process_pseudo_header(ngx_http_request_t *r, ngx_str_t *name,
+    ngx_str_t *value)
+{
+    u_char      ch, c;
+    ngx_uint_t  i;
+
+    if (r->request_line.len) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent out of order pseudo-headers");
+        goto failed;
+    }
+
+    if (name->len == 7 && ngx_strncmp(name->data, ":method", 7) == 0) {
+
+        if (r->method_name.len) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent duplicate \":method\" header");
+            goto failed;
+        }
+
+        if (value->len == 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent empty \":method\" header");
+            goto failed;
+        }
+
+        r->method_name = *value;
+
+        for (i = 0; i < sizeof(ngx_http_v3_methods)
+                        / sizeof(ngx_http_v3_methods[0]); i++)
+        {
+            if (value->len == ngx_http_v3_methods[i].name.len
+                && ngx_strncmp(value->data,
+                               ngx_http_v3_methods[i].name.data, value->len)
+                   == 0)
+            {
+                r->method = ngx_http_v3_methods[i].method;
+                break;
+            }
+        }
+
+        for (i = 0; i < value->len; i++) {
+            ch = value->data[i];
+
+            if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
+                ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                              "client sent invalid method: \"%V\"", value);
+                goto failed;
+            }
+        }
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 method \"%V\" %ui", value, r->method);
+        return NGX_OK;
+    }
+
+    if (name->len == 5 && ngx_strncmp(name->data, ":path", 5) == 0) {
+
+        if (r->uri_start) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent duplicate \":path\" header");
+            goto failed;
+        }
+
+        if (value->len == 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent empty \":path\" header");
+            goto failed;
+        }
+
+        r->uri_start = value->data;
+        r->uri_end = value->data + value->len;
+
+        if (ngx_http_parse_uri(r) != NGX_OK) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent invalid \":path\" header: \"%V\"",
+                          value);
+            goto failed;
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 path \"%V\"", value);
+        return NGX_OK;
+    }
+
+    if (name->len == 7 && ngx_strncmp(name->data, ":scheme", 7) == 0) {
+
+        if (r->schema.len) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent duplicate \":scheme\" header");
+            goto failed;
+        }
+
+        if (value->len == 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent empty \":scheme\" header");
+            goto failed;
+        }
+
+        for (i = 0; i < value->len; i++) {
+            ch = value->data[i];
+
+            c = (u_char) (ch | 0x20);
+            if (c >= 'a' && c <= 'z') {
+                continue;
+            }
+
+            if (((ch >= '0' && ch <= '9')
+                 || ch == '+' || ch == '-' || ch == '.')
+                && i > 0)
+            {
+                continue;
+            }
+
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent invalid \":scheme\" header: \"%V\"",
+                          value);
+            goto failed;
+        }
+
+        r->schema = *value;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 schema \"%V\"", value);
+        return NGX_OK;
+    }
+
+    if (name->len == 10 && ngx_strncmp(name->data, ":authority", 10) == 0) {
+
+        if (r->host_start) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent duplicate \":authority\" header");
+            goto failed;
+        }
+
+        r->host_start = value->data;
+        r->host_end = value->data + value->len;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 authority \"%V\"", value);
+        return NGX_OK;
+    }
+
+    ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                  "client sent unknown pseudo-header \"%V\"", name);
+
+failed:
+
+    ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
+{
+    size_t      len;
+    u_char     *p;
+    ngx_int_t   rc;
+    ngx_str_t   host;
+
+    if (r->request_line.len) {
+        return NGX_OK;
+    }
+
+    if (r->method_name.len == 0) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent no \":method\" header");
+        goto failed;
+    }
+
+    if (r->schema.len == 0) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent no \":scheme\" header");
+        goto failed;
+    }
+
+    if (r->uri_start == NULL) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent no \":path\" header");
+        goto failed;
+    }
+
+    len = r->method_name.len + 1
+          + (r->uri_end - r->uri_start) + 1
+          + sizeof("HTTP/3.0") - 1;
+
+    p = ngx_pnalloc(r->pool, len);
+    if (p == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return NGX_ERROR;
+    }
+
+    r->request_line.data = p;
+
+    p = ngx_cpymem(p, r->method_name.data, r->method_name.len);
+    *p++ = ' ';
+    p = ngx_cpymem(p, r->uri_start, r->uri_end - r->uri_start);
+    *p++ = ' ';
+    p = ngx_cpymem(p, "HTTP/3.0", sizeof("HTTP/3.0") - 1);
+
+    r->request_line.len = p - r->request_line.data;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                   "http3 request line: \"%V\"", &r->request_line);
+
+    ngx_str_set(&r->http_protocol, "HTTP/3.0");
+
+    if (ngx_http_process_request_uri(r) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (r->host_end) {
+
+        host.len = r->host_end - r->host_start;
+        host.data = r->host_start;
+
+        rc = ngx_http_validate_host(&host, r->pool, 0);
+
+        if (rc == NGX_DECLINED) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent invalid host in request line");
+            goto failed;
+        }
+
+        if (rc == NGX_ERROR) {
+            ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+            return NGX_ERROR;
+        }
+
+        if (ngx_http_set_virtual_server(r, &host) == NGX_ERROR) {
+            return NGX_ERROR;
+        }
+
+        r->headers_in.server = host;
+    }
+
+    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
+                      sizeof(ngx_table_elt_t))
+        != NGX_OK)
+    {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_http_v3_process_request_header(ngx_http_request_t *r)
+{
+    ssize_t                  n;
+    ngx_buf_t               *b;
+    ngx_connection_t        *c;
+    ngx_http_v3_session_t   *h3c;
+    ngx_http_v3_srv_conf_t  *h3scf;
+
+    c = r->connection;
+
+    if (ngx_http_v3_init_pseudo_headers(r) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    h3c = ngx_http_v3_get_session(c);
+    h3scf = ngx_http_get_module_srv_conf(r, ngx_http_v3_module);
+
+    if ((h3c->hq && !h3scf->enable_hq) || (!h3c->hq && !h3scf->enable)) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client attempted to request the server name "
+                      "for which the negotiated protocol is disabled");
+        ngx_http_finalize_request(r, NGX_HTTP_MISDIRECTED_REQUEST);
+        return NGX_ERROR;
+    }
+
+    if (ngx_http_v3_construct_cookie_header(r) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (r->headers_in.server.len == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client sent neither \":authority\" nor \"Host\" header");
+        goto failed;
+    }
+
+    if (r->headers_in.host) {
+        if (r->headers_in.host->value.len != r->headers_in.server.len
+            || ngx_memcmp(r->headers_in.host->value.data,
+                          r->headers_in.server.data,
+                          r->headers_in.server.len)
+               != 0)
+        {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent \":authority\" and \"Host\" headers "
+                          "with different values");
+            goto failed;
+        }
+    }
+
+    if (r->headers_in.content_length) {
+        r->headers_in.content_length_n =
+                            ngx_atoof(r->headers_in.content_length->value.data,
+                                      r->headers_in.content_length->value.len);
+
+        if (r->headers_in.content_length_n == NGX_ERROR) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent invalid \"Content-Length\" header");
+            goto failed;
+        }
+
+    } else {
+        b = r->header_in;
+        n = b->last - b->pos;
+
+        if (n == 0) {
+            n = c->recv(c, b->start, b->end - b->start);
+
+            if (n == NGX_ERROR) {
+                ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+                return NGX_ERROR;
+            }
+
+            if (n > 0) {
+                b->pos = b->start;
+                b->last = b->start + n;
+            }
+        }
+
+        if (n != 0) {
+            r->headers_in.chunked = 1;
+        }
+    }
+
+    if (r->method == NGX_HTTP_CONNECT) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent CONNECT method");
+        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+        return NGX_ERROR;
+    }
+
+    if (r->method == NGX_HTTP_TRACE) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent TRACE method");
+        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_http_v3_cookie(ngx_http_request_t *r, ngx_str_t *value)
+{
+    ngx_str_t    *val;
+    ngx_array_t  *cookies;
+
+    cookies = r->v3_parse->cookies;
+
+    if (cookies == NULL) {
+        cookies = ngx_array_create(r->pool, 2, sizeof(ngx_str_t));
+        if (cookies == NULL) {
+            return NGX_ERROR;
+        }
+
+        r->v3_parse->cookies = cookies;
+    }
+
+    val = ngx_array_push(cookies);
+    if (val == NULL) {
+        return NGX_ERROR;
+    }
+
+    *val = *value;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_construct_cookie_header(ngx_http_request_t *r)
+{
+    u_char                     *buf, *p, *end;
+    size_t                      len;
+    ngx_str_t                  *vals;
+    ngx_uint_t                  i;
+    ngx_array_t                *cookies;
+    ngx_table_elt_t            *h;
+    ngx_http_header_t          *hh;
+    ngx_http_core_main_conf_t  *cmcf;
+
+    static ngx_str_t cookie = ngx_string("cookie");
+
+    cookies = r->v3_parse->cookies;
+
+    if (cookies == NULL) {
+        return NGX_OK;
+    }
+
+    vals = cookies->elts;
+
+    i = 0;
+    len = 0;
+
+    do {
+        len += vals[i].len + 2;
+    } while (++i != cookies->nelts);
+
+    len -= 2;
+
+    buf = ngx_pnalloc(r->pool, len + 1);
+    if (buf == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return NGX_ERROR;
+    }
+
+    p = buf;
+    end = buf + len;
+
+    for (i = 0; /* void */ ; i++) {
+
+        p = ngx_cpymem(p, vals[i].data, vals[i].len);
+
+        if (p == end) {
+            *p = '\0';
+            break;
+        }
+
+        *p++ = ';'; *p++ = ' ';
+    }
+
+    h = ngx_list_push(&r->headers_in.headers);
+    if (h == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return NGX_ERROR;
+    }
+
+    h->hash = ngx_hash(ngx_hash(ngx_hash(ngx_hash(
+                                    ngx_hash('c', 'o'), 'o'), 'k'), 'i'), 'e');
+
+    h->key.len = cookie.len;
+    h->key.data = cookie.data;
+
+    h->value.len = len;
+    h->value.data = buf;
+
+    h->lowcase_key = cookie.data;
+
+    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
+
+    hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
+                       h->lowcase_key, h->key.len);
+
+    if (hh == NULL) {
+        ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return NGX_ERROR;
+    }
+
+    if (hh->handler(r, h, hh->offset) != NGX_OK) {
+        /*
+         * request has been finalized already
+         * in ngx_http_process_multi_header_lines()
+         */
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_read_request_body(ngx_http_request_t *r)
+{
+    size_t                     preread;
+    ngx_int_t                  rc;
+    ngx_chain_t               *cl, out;
+    ngx_http_request_body_t   *rb;
+    ngx_http_core_loc_conf_t  *clcf;
+
+    rb = r->request_body;
+
+    preread = r->header_in->last - r->header_in->pos;
+
+    if (preread) {
+
+        /* there is the pre-read part of the request body */
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 client request body preread %uz", preread);
+
+        out.buf = r->header_in;
+        out.next = NULL;
+        cl = &out;
+
+    } else {
+        cl = NULL;
+    }
+
+    rc = ngx_http_v3_request_body_filter(r, cl);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    if (rb->rest == 0 && rb->last_saved) {
+        /* the whole request body was pre-read */
+        r->request_body_no_buffering = 0;
+        rb->post_handler(r);
+        return NGX_OK;
+    }
+
+    if (rb->rest < 0) {
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                      "negative request body rest");
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+    rb->buf = ngx_create_temp_buf(r->pool, clcf->client_body_buffer_size);
+    if (rb->buf == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    r->read_event_handler = ngx_http_v3_read_client_request_body_handler;
+    r->write_event_handler = ngx_http_request_empty_handler;
+
+    return ngx_http_v3_do_read_client_request_body(r);
+}
+
+
+static void
+ngx_http_v3_read_client_request_body_handler(ngx_http_request_t *r)
+{
+    ngx_int_t  rc;
+
+    if (r->connection->read->timedout) {
+        r->connection->timedout = 1;
+        ngx_http_finalize_request(r, NGX_HTTP_REQUEST_TIME_OUT);
+        return;
+    }
+
+    rc = ngx_http_v3_do_read_client_request_body(r);
+
+    if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
+        ngx_http_finalize_request(r, rc);
+    }
+}
+
+
+ngx_int_t
+ngx_http_v3_read_unbuffered_request_body(ngx_http_request_t *r)
+{
+    ngx_int_t  rc;
+
+    if (r->connection->read->timedout) {
+        r->connection->timedout = 1;
+        return NGX_HTTP_REQUEST_TIME_OUT;
+    }
+
+    rc = ngx_http_v3_do_read_client_request_body(r);
+
+    if (rc == NGX_OK) {
+        r->reading_body = 0;
+    }
+
+    return rc;
+}
+
+
+static ngx_int_t
+ngx_http_v3_do_read_client_request_body(ngx_http_request_t *r)
+{
+    off_t                      rest;
+    size_t                     size;
+    ssize_t                    n;
+    ngx_int_t                  rc;
+    ngx_uint_t                 flush;
+    ngx_chain_t                out;
+    ngx_connection_t          *c;
+    ngx_http_request_body_t   *rb;
+    ngx_http_core_loc_conf_t  *clcf;
+
+    c = r->connection;
+    rb = r->request_body;
+    flush = 1;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 read client request body");
+
+    for ( ;; ) {
+        for ( ;; ) {
+            if (rb->rest == 0) {
+                break;
+            }
+
+            if (rb->buf->last == rb->buf->end) {
+
+                /* update chains */
+
+                rc = ngx_http_v3_request_body_filter(r, NULL);
+
+                if (rc != NGX_OK) {
+                    return rc;
+                }
+
+                if (rb->busy != NULL) {
+                    if (r->request_body_no_buffering) {
+                        if (c->read->timer_set) {
+                            ngx_del_timer(c->read);
+                        }
+
+                        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+                            return NGX_HTTP_INTERNAL_SERVER_ERROR;
+                        }
+
+                        return NGX_AGAIN;
+                    }
+
+                    if (rb->filter_need_buffering) {
+                        clcf = ngx_http_get_module_loc_conf(r,
+                                                         ngx_http_core_module);
+                        ngx_add_timer(c->read, clcf->client_body_timeout);
+
+                        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+                            return NGX_HTTP_INTERNAL_SERVER_ERROR;
+                        }
+
+                        return NGX_AGAIN;
+                    }
+
+                    ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+                                  "busy buffers after request body flush");
+
+                    return NGX_HTTP_INTERNAL_SERVER_ERROR;
+                }
+
+                flush = 0;
+                rb->buf->pos = rb->buf->start;
+                rb->buf->last = rb->buf->start;
+            }
+
+            size = rb->buf->end - rb->buf->last;
+            rest = rb->rest - (rb->buf->last - rb->buf->pos);
+
+            if ((off_t) size > rest) {
+                size = (size_t) rest;
+            }
+
+            if (size == 0) {
+                break;
+            }
+
+            n = c->recv(c, rb->buf->last, size);
+
+            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 client request body recv %z", n);
+
+            if (n == NGX_AGAIN) {
+                break;
+            }
+
+            if (n == 0) {
+                rb->buf->last_buf = 1;
+            }
+
+            if (n == NGX_ERROR) {
+                c->error = 1;
+                return NGX_HTTP_BAD_REQUEST;
+            }
+
+            rb->buf->last += n;
+
+            /* pass buffer to request body filter chain */
+
+            flush = 0;
+            out.buf = rb->buf;
+            out.next = NULL;
+
+            rc = ngx_http_v3_request_body_filter(r, &out);
+
+            if (rc != NGX_OK) {
+                return rc;
+            }
+
+            if (rb->rest == 0) {
+                break;
+            }
+
+            if (rb->buf->last < rb->buf->end) {
+                break;
+            }
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 client request body rest %O", rb->rest);
+
+        if (flush) {
+            rc = ngx_http_v3_request_body_filter(r, NULL);
+
+            if (rc != NGX_OK) {
+                return rc;
+            }
+        }
+
+        if (rb->rest == 0 && rb->last_saved) {
+            break;
+        }
+
+        if (!c->read->ready || rb->rest == 0) {
+
+            clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+            ngx_add_timer(c->read, clcf->client_body_timeout);
+
+            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+                return NGX_HTTP_INTERNAL_SERVER_ERROR;
+            }
+
+            return NGX_AGAIN;
+        }
+    }
+
+    if (c->read->timer_set) {
+        ngx_del_timer(c->read);
+    }
+
+    if (!r->request_body_no_buffering) {
+        r->read_event_handler = ngx_http_block_reading;
+        rb->post_handler(r);
+    }
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_v3_request_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
+{
+    off_t                      max;
+    size_t                     size;
+    u_char                    *p;
+    ngx_int_t                  rc;
+    ngx_buf_t                 *b;
+    ngx_uint_t                 last;
+    ngx_chain_t               *cl, *out, *tl, **ll;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_request_body_t   *rb;
+    ngx_http_core_loc_conf_t  *clcf;
+    ngx_http_core_srv_conf_t  *cscf;
+    ngx_http_v3_parse_data_t  *st;
+
+    rb = r->request_body;
+    st = &r->v3_parse->body;
+
+    h3c = ngx_http_v3_get_session(r->connection);
+
+    if (rb->rest == -1) {
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "http3 request body filter");
+
+        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+        rb->rest = cscf->large_client_header_buffers.size;
+    }
+
+    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+    max = r->headers_in.content_length_n;
+
+    if (max == -1 && clcf->client_max_body_size) {
+        max = clcf->client_max_body_size;
+    }
+
+    out = NULL;
+    ll = &out;
+    last = 0;
+
+    for (cl = in; cl; cl = cl->next) {
+
+        ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0,
+                       "http3 body buf "
+                       "t:%d f:%d %p, pos %p, size: %z file: %O, size: %O",
+                       cl->buf->temporary, cl->buf->in_file,
+                       cl->buf->start, cl->buf->pos,
+                       cl->buf->last - cl->buf->pos,
+                       cl->buf->file_pos,
+                       cl->buf->file_last - cl->buf->file_pos);
+
+        if (cl->buf->last_buf) {
+            last = 1;
+        }
+
+        b = NULL;
+
+        while (cl->buf->pos < cl->buf->last) {
+
+            if (st->length == 0) {
+                p = cl->buf->pos;
+
+                rc = ngx_http_v3_parse_data(r->connection, st, cl->buf);
+
+                r->request_length += cl->buf->pos - p;
+                h3c->total_bytes += cl->buf->pos - p;
+
+                if (ngx_http_v3_check_flood(r->connection) != NGX_OK) {
+                    return NGX_HTTP_CLOSE;
+                }
+
+                if (rc == NGX_AGAIN) {
+                    continue;
+                }
+
+                if (rc == NGX_DONE) {
+                    last = 1;
+                    goto done;
+                }
+
+                if (rc > 0) {
+                    ngx_quic_reset_stream(r->connection, rc);
+                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                  "client sent invalid body");
+                    return NGX_HTTP_BAD_REQUEST;
+                }
+
+                if (rc == NGX_ERROR) {
+                    return NGX_HTTP_INTERNAL_SERVER_ERROR;
+                }
+
+                /* rc == NGX_OK */
+
+                if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
+                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                  "client intended to send too large "
+                                  "body: %O+%ui bytes",
+                                  rb->received, st->length);
+
+                    return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+                }
+
+                continue;
+            }
+
+            if (b
+                && st->length <= 128
+                && (uint64_t) (cl->buf->last - cl->buf->pos) >= st->length)
+            {
+                rb->received += st->length;
+                r->request_length += st->length;
+                h3c->total_bytes += st->length;
+                h3c->payload_bytes += st->length;
+
+                if (st->length < 8) {
+
+                    while (st->length) {
+                        *b->last++ = *cl->buf->pos++;
+                        st->length--;
+                    }
+
+                } else {
+                    ngx_memmove(b->last, cl->buf->pos, st->length);
+                    b->last += st->length;
+                    cl->buf->pos += st->length;
+                    st->length = 0;
+                }
+
+                continue;
+            }
+
+            tl = ngx_chain_get_free_buf(r->pool, &rb->free);
+            if (tl == NULL) {
+                return NGX_HTTP_INTERNAL_SERVER_ERROR;
+            }
+
+            b = tl->buf;
+
+            ngx_memzero(b, sizeof(ngx_buf_t));
+
+            b->temporary = 1;
+            b->tag = (ngx_buf_tag_t) &ngx_http_read_client_request_body;
+            b->start = cl->buf->pos;
+            b->pos = cl->buf->pos;
+            b->last = cl->buf->last;
+            b->end = cl->buf->end;
+            b->flush = r->request_body_no_buffering;
+
+            *ll = tl;
+            ll = &tl->next;
+
+            size = cl->buf->last - cl->buf->pos;
+
+            if (size > st->length) {
+                cl->buf->pos += (size_t) st->length;
+                rb->received += st->length;
+                r->request_length += st->length;
+                h3c->total_bytes += st->length;
+                h3c->payload_bytes += st->length;
+                st->length = 0;
+
+            } else {
+                st->length -= size;
+                rb->received += size;
+                r->request_length += size;
+                h3c->total_bytes += size;
+                h3c->payload_bytes += size;
+                cl->buf->pos = cl->buf->last;
+            }
+
+            b->last = cl->buf->pos;
+        }
+    }
+
+done:
+
+    if (last) {
+
+        if (st->length > 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client prematurely closed stream");
+            r->connection->error = 1;
+            return NGX_HTTP_BAD_REQUEST;
+        }
+
+        if (r->headers_in.content_length_n == -1) {
+            r->headers_in.content_length_n = rb->received;
+
+        } else if (r->headers_in.content_length_n != rb->received) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent less body data than expected: "
+                          "%O out of %O bytes of request body received",
+                          rb->received, r->headers_in.content_length_n);
+            return NGX_HTTP_BAD_REQUEST;
+        }
+
+        rb->rest = 0;
+
+        tl = ngx_chain_get_free_buf(r->pool, &rb->free);
+        if (tl == NULL) {
+            return NGX_HTTP_INTERNAL_SERVER_ERROR;
+        }
+
+        b = tl->buf;
+
+        ngx_memzero(b, sizeof(ngx_buf_t));
+
+        b->last_buf = 1;
+
+        *ll = tl;
+
+    } else {
+
+        /* set rb->rest, amount of data we want to see next time */
+
+        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+        rb->rest = (off_t) cscf->large_client_header_buffers.size;
+    }
+
+    rc = ngx_http_top_request_body_filter(r, out);
+
+    ngx_chain_update_chains(r->pool, &rb->free, &rb->busy, &out,
+                            (ngx_buf_tag_t) &ngx_http_read_client_request_body);
+
+    return rc;
+}
diff --git a/src/http/v3/ngx_http_v3_table.c b/src/http/v3/ngx_http_v3_table.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_table.c
@@ -0,0 +1,715 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+#define ngx_http_v3_table_entry_size(n, v) ((n)->len + (v)->len + 32)
+
+
+static ngx_int_t ngx_http_v3_evict(ngx_connection_t *c, size_t target);
+static void ngx_http_v3_unblock(void *data);
+static ngx_int_t ngx_http_v3_new_entry(ngx_connection_t *c);
+
+
+typedef struct {
+    ngx_queue_t        queue;
+    ngx_connection_t  *connection;
+    ngx_uint_t        *nblocked;
+} ngx_http_v3_block_t;
+
+
+static ngx_http_v3_field_t  ngx_http_v3_static_table[] = {
+
+    { ngx_string(":authority"),            ngx_string("") },
+    { ngx_string(":path"),                 ngx_string("/") },
+    { ngx_string("age"),                   ngx_string("0") },
+    { ngx_string("content-disposition"),   ngx_string("") },
+    { ngx_string("content-length"),        ngx_string("0") },
+    { ngx_string("cookie"),                ngx_string("") },
+    { ngx_string("date"),                  ngx_string("") },
+    { ngx_string("etag"),                  ngx_string("") },
+    { ngx_string("if-modified-since"),     ngx_string("") },
+    { ngx_string("if-none-match"),         ngx_string("") },
+    { ngx_string("last-modified"),         ngx_string("") },
+    { ngx_string("link"),                  ngx_string("") },
+    { ngx_string("location"),              ngx_string("") },
+    { ngx_string("referer"),               ngx_string("") },
+    { ngx_string("set-cookie"),            ngx_string("") },
+    { ngx_string(":method"),               ngx_string("CONNECT") },
+    { ngx_string(":method"),               ngx_string("DELETE") },
+    { ngx_string(":method"),               ngx_string("GET") },
+    { ngx_string(":method"),               ngx_string("HEAD") },
+    { ngx_string(":method"),               ngx_string("OPTIONS") },
+    { ngx_string(":method"),               ngx_string("POST") },
+    { ngx_string(":method"),               ngx_string("PUT") },
+    { ngx_string(":scheme"),               ngx_string("http") },
+    { ngx_string(":scheme"),               ngx_string("https") },
+    { ngx_string(":status"),               ngx_string("103") },
+    { ngx_string(":status"),               ngx_string("200") },
+    { ngx_string(":status"),               ngx_string("304") },
+    { ngx_string(":status"),               ngx_string("404") },
+    { ngx_string(":status"),               ngx_string("503") },
+    { ngx_string("accept"),                ngx_string("*/*") },
+    { ngx_string("accept"),
+          ngx_string("application/dns-message") },
+    { ngx_string("accept-encoding"),       ngx_string("gzip, deflate, br") },
+    { ngx_string("accept-ranges"),         ngx_string("bytes") },
+    { ngx_string("access-control-allow-headers"),
+                                           ngx_string("cache-control") },
+    { ngx_string("access-control-allow-headers"),
+                                           ngx_string("content-type") },
+    { ngx_string("access-control-allow-origin"),
+                                           ngx_string("*") },
+    { ngx_string("cache-control"),         ngx_string("max-age=0") },
+    { ngx_string("cache-control"),         ngx_string("max-age=2592000") },
+    { ngx_string("cache-control"),         ngx_string("max-age=604800") },
+    { ngx_string("cache-control"),         ngx_string("no-cache") },
+    { ngx_string("cache-control"),         ngx_string("no-store") },
+    { ngx_string("cache-control"),
+          ngx_string("public, max-age=31536000") },
+    { ngx_string("content-encoding"),      ngx_string("br") },
+    { ngx_string("content-encoding"),      ngx_string("gzip") },
+    { ngx_string("content-type"),
+          ngx_string("application/dns-message") },
+    { ngx_string("content-type"),
+          ngx_string("application/javascript") },
+    { ngx_string("content-type"),          ngx_string("application/json") },
+    { ngx_string("content-type"),
+          ngx_string("application/x-www-form-urlencoded") },
+    { ngx_string("content-type"),          ngx_string("image/gif") },
+    { ngx_string("content-type"),          ngx_string("image/jpeg") },
+    { ngx_string("content-type"),          ngx_string("image/png") },
+    { ngx_string("content-type"),          ngx_string("text/css") },
+    { ngx_string("content-type"),
+          ngx_string("text/html;charset=utf-8") },
+    { ngx_string("content-type"),          ngx_string("text/plain") },
+    { ngx_string("content-type"),
+          ngx_string("text/plain;charset=utf-8") },
+    { ngx_string("range"),                 ngx_string("bytes=0-") },
+    { ngx_string("strict-transport-security"),
+                                           ngx_string("max-age=31536000") },
+    { ngx_string("strict-transport-security"),
+          ngx_string("max-age=31536000;includesubdomains") },
+    { ngx_string("strict-transport-security"),
+          ngx_string("max-age=31536000;includesubdomains;preload") },
+    { ngx_string("vary"),                  ngx_string("accept-encoding") },
+    { ngx_string("vary"),                  ngx_string("origin") },
+    { ngx_string("x-content-type-options"),
+                                           ngx_string("nosniff") },
+    { ngx_string("x-xss-protection"),      ngx_string("1;mode=block") },
+    { ngx_string(":status"),               ngx_string("100") },
+    { ngx_string(":status"),               ngx_string("204") },
+    { ngx_string(":status"),               ngx_string("206") },
+    { ngx_string(":status"),               ngx_string("302") },
+    { ngx_string(":status"),               ngx_string("400") },
+    { ngx_string(":status"),               ngx_string("403") },
+    { ngx_string(":status"),               ngx_string("421") },
+    { ngx_string(":status"),               ngx_string("425") },
+    { ngx_string(":status"),               ngx_string("500") },
+    { ngx_string("accept-language"),       ngx_string("") },
+    { ngx_string("access-control-allow-credentials"),
+                                           ngx_string("FALSE") },
+    { ngx_string("access-control-allow-credentials"),
+                                           ngx_string("TRUE") },
+    { ngx_string("access-control-allow-headers"),
+                                           ngx_string("*") },
+    { ngx_string("access-control-allow-methods"),
+                                           ngx_string("get") },
+    { ngx_string("access-control-allow-methods"),
+                                           ngx_string("get, post, options") },
+    { ngx_string("access-control-allow-methods"),
+                                           ngx_string("options") },
+    { ngx_string("access-control-expose-headers"),
+                                           ngx_string("content-length") },
+    { ngx_string("access-control-request-headers"),
+                                           ngx_string("content-type") },
+    { ngx_string("access-control-request-method"),
+                                           ngx_string("get") },
+    { ngx_string("access-control-request-method"),
+                                           ngx_string("post") },
+    { ngx_string("alt-svc"),               ngx_string("clear") },
+    { ngx_string("authorization"),         ngx_string("") },
+    { ngx_string("content-security-policy"),
+          ngx_string("script-src 'none';object-src 'none';base-uri 'none'") },
+    { ngx_string("early-data"),            ngx_string("1") },
+    { ngx_string("expect-ct"),             ngx_string("") },
+    { ngx_string("forwarded"),             ngx_string("") },
+    { ngx_string("if-range"),              ngx_string("") },
+    { ngx_string("origin"),                ngx_string("") },
+    { ngx_string("purpose"),               ngx_string("prefetch") },
+    { ngx_string("server"),                ngx_string("") },
+    { ngx_string("timing-allow-origin"),   ngx_string("*") },
+    { ngx_string("upgrade-insecure-requests"),
+                                           ngx_string("1") },
+    { ngx_string("user-agent"),            ngx_string("") },
+    { ngx_string("x-forwarded-for"),       ngx_string("") },
+    { ngx_string("x-frame-options"),       ngx_string("deny") },
+    { ngx_string("x-frame-options"),       ngx_string("sameorigin") }
+};
+
+
+ngx_int_t
+ngx_http_v3_ref_insert(ngx_connection_t *c, ngx_uint_t dynamic,
+    ngx_uint_t index, ngx_str_t *value)
+{
+    ngx_str_t                     name;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    if (dynamic) {
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 ref insert dynamic[%ui] \"%V\"", index, value);
+
+        h3c = ngx_http_v3_get_session(c);
+        dt = &h3c->table;
+
+        if (dt->base + dt->nelts <= index) {
+            return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+        }
+
+        index = dt->base + dt->nelts - 1 - index;
+
+        if (ngx_http_v3_lookup(c, index, &name, NULL) != NGX_OK) {
+            return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+        }
+
+    } else {
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 ref insert static[%ui] \"%V\"", index, value);
+
+        if (ngx_http_v3_lookup_static(c, index, &name, NULL) != NGX_OK) {
+            return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+        }
+    }
+
+    return ngx_http_v3_insert(c, &name, value);
+}
+
+
+ngx_int_t
+ngx_http_v3_insert(ngx_connection_t *c, ngx_str_t *name, ngx_str_t *value)
+{
+    u_char                       *p;
+    size_t                        size;
+    ngx_http_v3_field_t          *field;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    size = ngx_http_v3_table_entry_size(name, value);
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    if (size > dt->capacity) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                      "not enough dynamic table capacity");
+        return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+    }
+
+    ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 insert [%ui] \"%V\":\"%V\", size:%uz",
+                   dt->base + dt->nelts, name, value, size);
+
+    p = ngx_alloc(sizeof(ngx_http_v3_field_t) + name->len + value->len,
+                  c->log);
+    if (p == NULL) {
+        return NGX_ERROR;
+    }
+
+    field = (ngx_http_v3_field_t *) p;
+
+    field->name.data = p + sizeof(ngx_http_v3_field_t);
+    field->name.len = name->len;
+    field->value.data = ngx_cpymem(field->name.data, name->data, name->len);
+    field->value.len = value->len;
+    ngx_memcpy(field->value.data, value->data, value->len);
+
+    dt->elts[dt->nelts++] = field;
+    dt->size += size;
+
+    dt->insert_count++;
+
+    if (ngx_http_v3_evict(c, dt->capacity) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ngx_post_event(&dt->send_insert_count, &ngx_posted_events);
+
+    if (ngx_http_v3_new_entry(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
+void
+ngx_http_v3_inc_insert_count_handler(ngx_event_t *ev)
+{
+    ngx_connection_t             *c;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    c = ev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 inc insert count handler");
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    if (dt->insert_count > dt->ack_insert_count) {
+        if (ngx_http_v3_send_inc_insert_count(c,
+                                       dt->insert_count - dt->ack_insert_count)
+            != NGX_OK)
+        {
+            return;
+        }
+
+        dt->ack_insert_count = dt->insert_count;
+    }
+}
+
+
+ngx_int_t
+ngx_http_v3_set_capacity(ngx_connection_t *c, ngx_uint_t capacity)
+{
+    ngx_uint_t                     max, prev_max;
+    ngx_http_v3_field_t          **elts;
+    ngx_http_v3_session_t         *h3c;
+    ngx_http_v3_srv_conf_t        *h3scf;
+    ngx_http_v3_dynamic_table_t   *dt;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 set capacity %ui", capacity);
+
+    h3c = ngx_http_v3_get_session(c);
+    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+    if (capacity > h3scf->max_table_capacity) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client exceeded http3_max_table_capacity limit");
+        return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+    }
+
+    if (ngx_http_v3_evict(c, capacity) != NGX_OK) {
+        return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+    }
+
+    dt = &h3c->table;
+    max = capacity / 32;
+    prev_max = dt->capacity / 32;
+
+    if (max > prev_max) {
+        elts = ngx_alloc(max * sizeof(void *), c->log);
+        if (elts == NULL) {
+            return NGX_ERROR;
+        }
+
+        if (dt->elts) {
+            ngx_memcpy(elts, dt->elts, dt->nelts * sizeof(void *));
+            ngx_free(dt->elts);
+        }
+
+        dt->elts = elts;
+    }
+
+    dt->capacity = capacity;
+
+    return NGX_OK;
+}
+
+
+void
+ngx_http_v3_cleanup_table(ngx_http_v3_session_t *h3c)
+{
+    ngx_uint_t                    n;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    dt = &h3c->table;
+
+    if (dt->elts == NULL) {
+        return;
+    }
+
+    for (n = 0; n < dt->nelts; n++) {
+        ngx_free(dt->elts[n]);
+    }
+
+    ngx_free(dt->elts);
+}
+
+
+static ngx_int_t
+ngx_http_v3_evict(ngx_connection_t *c, size_t target)
+{
+    size_t                        size;
+    ngx_uint_t                    n;
+    ngx_http_v3_field_t          *field;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+    n = 0;
+
+    while (dt->size > target) {
+        field = dt->elts[n++];
+        size = ngx_http_v3_table_entry_size(&field->name, &field->value);
+
+        ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 evict [%ui] \"%V\":\"%V\" size:%uz",
+                       dt->base, &field->name, &field->value, size);
+
+        ngx_free(field);
+        dt->size -= size;
+    }
+
+    if (n) {
+        dt->nelts -= n;
+        dt->base += n;
+        ngx_memmove(dt->elts, &dt->elts[n], dt->nelts * sizeof(void *));
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_duplicate(ngx_connection_t *c, ngx_uint_t index)
+{
+    ngx_str_t                     name, value;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 duplicate %ui", index);
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    if (dt->base + dt->nelts <= index) {
+        return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+    }
+
+    index = dt->base + dt->nelts - 1 - index;
+
+    if (ngx_http_v3_lookup(c, index, &name, &value) != NGX_OK) {
+        return NGX_HTTP_V3_ERR_ENCODER_STREAM_ERROR;
+    }
+
+    return ngx_http_v3_insert(c, &name, &value);
+}
+
+
+ngx_int_t
+ngx_http_v3_ack_section(ngx_connection_t *c, ngx_uint_t stream_id)
+{
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 ack section %ui", stream_id);
+
+    /* we do not use dynamic tables */
+
+    return NGX_HTTP_V3_ERR_DECODER_STREAM_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_inc_insert_count(ngx_connection_t *c, ngx_uint_t inc)
+{
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 increment insert count %ui", inc);
+
+    /* we do not use dynamic tables */
+
+    return NGX_HTTP_V3_ERR_DECODER_STREAM_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_lookup_static(ngx_connection_t *c, ngx_uint_t index,
+    ngx_str_t *name, ngx_str_t *value)
+{
+    ngx_uint_t            nelts;
+    ngx_http_v3_field_t  *field;
+
+    nelts = sizeof(ngx_http_v3_static_table)
+            / sizeof(ngx_http_v3_static_table[0]);
+
+    if (index >= nelts) {
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 static[%ui] lookup out of bounds: %ui",
+                       index, nelts);
+        return NGX_ERROR;
+    }
+
+    field = &ngx_http_v3_static_table[index];
+
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 static[%ui] lookup \"%V\":\"%V\"",
+                   index, &field->name, &field->value);
+
+    if (name) {
+        *name = field->name;
+    }
+
+    if (value) {
+        *value = field->value;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_lookup(ngx_connection_t *c, ngx_uint_t index, ngx_str_t *name,
+    ngx_str_t *value)
+{
+    ngx_http_v3_field_t          *field;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    if (index < dt->base || index - dt->base >= dt->nelts) {
+        ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 dynamic[%ui] lookup out of bounds: [%ui,%ui]",
+                       index, dt->base, dt->base + dt->nelts);
+        return NGX_ERROR;
+    }
+
+    field = dt->elts[index - dt->base];
+
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 dynamic[%ui] lookup \"%V\":\"%V\"",
+                   index, &field->name, &field->value);
+
+    if (name) {
+        *name = field->name;
+    }
+
+    if (value) {
+        *value = field->value;
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_decode_insert_count(ngx_connection_t *c, ngx_uint_t *insert_count)
+{
+    ngx_uint_t                    max_entries, full_range, max_value,
+                                  max_wrapped, req_insert_count;
+    ngx_http_v3_srv_conf_t       *h3scf;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    /* QPACK 4.5.1.1. Required Insert Count */
+
+    if (*insert_count == 0) {
+        return NGX_OK;
+    }
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+    max_entries = h3scf->max_table_capacity / 32;
+    full_range = 2 * max_entries;
+
+    if (*insert_count > full_range) {
+        return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+    }
+
+    max_value = dt->base + dt->nelts + max_entries;
+    max_wrapped = (max_value / full_range) * full_range;
+    req_insert_count = max_wrapped + *insert_count - 1;
+
+    if (req_insert_count > max_value) {
+        if (req_insert_count <= full_range) {
+            return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+        }
+
+        req_insert_count -= full_range;
+    }
+
+    if (req_insert_count == 0) {
+        return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 decode insert_count %ui -> %ui",
+                   *insert_count, req_insert_count);
+
+    *insert_count = req_insert_count;
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_check_insert_count(ngx_connection_t *c, ngx_uint_t insert_count)
+{
+    size_t                        n;
+    ngx_pool_cleanup_t           *cln;
+    ngx_http_v3_block_t          *block;
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_srv_conf_t       *h3scf;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    n = dt->base + dt->nelts;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 check insert count req:%ui, have:%ui",
+                   insert_count, n);
+
+    if (n >= insert_count) {
+        return NGX_OK;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 block stream");
+
+    block = NULL;
+
+    for (cln = c->pool->cleanup; cln; cln = cln->next) {
+        if (cln->handler == ngx_http_v3_unblock) {
+            block = cln->data;
+            break;
+        }
+    }
+
+    if (block == NULL) {
+        cln = ngx_pool_cleanup_add(c->pool, sizeof(ngx_http_v3_block_t));
+        if (cln == NULL) {
+            return NGX_ERROR;
+        }
+
+        cln->handler = ngx_http_v3_unblock;
+
+        block = cln->data;
+        block->queue.prev = NULL;
+        block->connection = c;
+        block->nblocked = &h3c->nblocked;
+    }
+
+    if (block->queue.prev == NULL) {
+        h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+        if (h3c->nblocked == h3scf->max_blocked_streams) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client exceeded http3_max_blocked_streams limit");
+
+            ngx_http_v3_finalize_connection(c,
+                                          NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED,
+                                          "too many blocked streams");
+            return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+        }
+
+        h3c->nblocked++;
+        ngx_queue_insert_tail(&h3c->blocked, &block->queue);
+    }
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 blocked:%ui", h3c->nblocked);
+
+    return NGX_BUSY;
+}
+
+
+void
+ngx_http_v3_ack_insert_count(ngx_connection_t *c, uint64_t insert_count)
+{
+    ngx_http_v3_session_t        *h3c;
+    ngx_http_v3_dynamic_table_t  *dt;
+
+    h3c = ngx_http_v3_get_session(c);
+    dt = &h3c->table;
+
+    if (dt->ack_insert_count < insert_count) {
+        dt->ack_insert_count = insert_count;
+    }
+}
+
+
+static void
+ngx_http_v3_unblock(void *data)
+{
+    ngx_http_v3_block_t  *block = data;
+
+    if (block->queue.prev) {
+        ngx_queue_remove(&block->queue);
+        block->queue.prev = NULL;
+        (*block->nblocked)--;
+    }
+}
+
+
+static ngx_int_t
+ngx_http_v3_new_entry(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    ngx_connection_t       *bc;
+    ngx_http_v3_block_t    *block;
+    ngx_http_v3_session_t  *h3c;
+
+    h3c = ngx_http_v3_get_session(c);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 new dynamic entry, blocked:%ui", h3c->nblocked);
+
+    while (!ngx_queue_empty(&h3c->blocked)) {
+        q = ngx_queue_head(&h3c->blocked);
+        block = (ngx_http_v3_block_t *) q;
+        bc = block->connection;
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, bc->log, 0, "http3 unblock stream");
+
+        ngx_http_v3_unblock(block);
+        ngx_post_event(bc->read, &ngx_posted_events);
+    }
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_http_v3_set_param(ngx_connection_t *c, uint64_t id, uint64_t value)
+{
+    switch (id) {
+
+    case NGX_HTTP_V3_PARAM_MAX_TABLE_CAPACITY:
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 param QPACK_MAX_TABLE_CAPACITY:%uL", value);
+        break;
+
+    case NGX_HTTP_V3_PARAM_MAX_FIELD_SECTION_SIZE:
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 param SETTINGS_MAX_FIELD_SECTION_SIZE:%uL",
+                       value);
+        break;
+
+    case NGX_HTTP_V3_PARAM_BLOCKED_STREAMS:
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 param QPACK_BLOCKED_STREAMS:%uL", value);
+        break;
+
+    default:
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 param #%uL:%uL", id, value);
+    }
+
+    return NGX_OK;
+}
diff --git a/src/http/v3/ngx_http_v3_table.h b/src/http/v3/ngx_http_v3_table.h
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_table.h
@@ -0,0 +1,58 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_HTTP_V3_TABLE_H_INCLUDED_
+#define _NGX_HTTP_V3_TABLE_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+typedef struct {
+    ngx_str_t                     name;
+    ngx_str_t                     value;
+} ngx_http_v3_field_t;
+
+
+typedef struct {
+    ngx_http_v3_field_t         **elts;
+    ngx_uint_t                    nelts;
+    ngx_uint_t                    base;
+    size_t                        size;
+    size_t                        capacity;
+    uint64_t                      insert_count;
+    uint64_t                      ack_insert_count;
+    ngx_event_t                   send_insert_count;
+} ngx_http_v3_dynamic_table_t;
+
+
+void ngx_http_v3_inc_insert_count_handler(ngx_event_t *ev);
+void ngx_http_v3_cleanup_table(ngx_http_v3_session_t *h3c);
+ngx_int_t ngx_http_v3_ref_insert(ngx_connection_t *c, ngx_uint_t dynamic,
+    ngx_uint_t index, ngx_str_t *value);
+ngx_int_t ngx_http_v3_insert(ngx_connection_t *c, ngx_str_t *name,
+    ngx_str_t *value);
+ngx_int_t ngx_http_v3_set_capacity(ngx_connection_t *c, ngx_uint_t capacity);
+ngx_int_t ngx_http_v3_duplicate(ngx_connection_t *c, ngx_uint_t index);
+ngx_int_t ngx_http_v3_ack_section(ngx_connection_t *c, ngx_uint_t stream_id);
+ngx_int_t ngx_http_v3_inc_insert_count(ngx_connection_t *c, ngx_uint_t inc);
+ngx_int_t ngx_http_v3_lookup_static(ngx_connection_t *c, ngx_uint_t index,
+    ngx_str_t *name, ngx_str_t *value);
+ngx_int_t ngx_http_v3_lookup(ngx_connection_t *c, ngx_uint_t index,
+    ngx_str_t *name, ngx_str_t *value);
+ngx_int_t ngx_http_v3_decode_insert_count(ngx_connection_t *c,
+    ngx_uint_t *insert_count);
+ngx_int_t ngx_http_v3_check_insert_count(ngx_connection_t *c,
+    ngx_uint_t insert_count);
+void ngx_http_v3_ack_insert_count(ngx_connection_t *c, uint64_t insert_count);
+ngx_int_t ngx_http_v3_set_param(ngx_connection_t *c, uint64_t id,
+    uint64_t value);
+
+
+#endif /* _NGX_HTTP_V3_TABLE_H_INCLUDED_ */
diff --git a/src/http/v3/ngx_http_v3_uni.c b/src/http/v3/ngx_http_v3_uni.c
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_uni.c
@@ -0,0 +1,624 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+typedef struct {
+    ngx_http_v3_parse_uni_t         parse;
+    ngx_int_t                       index;
+} ngx_http_v3_uni_stream_t;
+
+
+static void ngx_http_v3_close_uni_stream(ngx_connection_t *c);
+static void ngx_http_v3_uni_read_handler(ngx_event_t *rev);
+static void ngx_http_v3_uni_dummy_read_handler(ngx_event_t *wev);
+static void ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev);
+static ngx_connection_t *ngx_http_v3_get_uni_stream(ngx_connection_t *c,
+    ngx_uint_t type);
+
+
+void
+ngx_http_v3_init_uni_stream(ngx_connection_t *c)
+{
+    uint64_t                   n;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_uni_stream_t  *us;
+
+    h3c = ngx_http_v3_get_session(c);
+    if (h3c->hq) {
+        ngx_http_v3_finalize_connection(c,
+                                        NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR,
+                                        "uni stream in hq mode");
+        c->data = NULL;
+        ngx_http_v3_close_uni_stream(c);
+        return;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 init uni stream");
+
+    n = c->quic->id >> 2;
+
+    if (n >= NGX_HTTP_V3_MAX_UNI_STREAMS) {
+        ngx_http_v3_finalize_connection(c,
+                                      NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR,
+                                      "reached maximum number of uni streams");
+        c->data = NULL;
+        ngx_http_v3_close_uni_stream(c);
+        return;
+    }
+
+    ngx_quic_cancelable_stream(c);
+
+    us = ngx_pcalloc(c->pool, sizeof(ngx_http_v3_uni_stream_t));
+    if (us == NULL) {
+        ngx_http_v3_finalize_connection(c,
+                                        NGX_HTTP_V3_ERR_INTERNAL_ERROR,
+                                        "memory allocation error");
+        c->data = NULL;
+        ngx_http_v3_close_uni_stream(c);
+        return;
+    }
+
+    us->index = -1;
+
+    c->data = us;
+
+    c->read->handler = ngx_http_v3_uni_read_handler;
+    c->write->handler = ngx_http_v3_uni_dummy_write_handler;
+
+    ngx_http_v3_uni_read_handler(c->read);
+}
+
+
+static void
+ngx_http_v3_close_uni_stream(ngx_connection_t *c)
+{
+    ngx_pool_t                *pool;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_uni_stream_t  *us;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 close stream");
+
+    us = c->data;
+
+    if (us && us->index >= 0) {
+        h3c = ngx_http_v3_get_session(c);
+        h3c->known_streams[us->index] = NULL;
+    }
+
+    c->destroyed = 1;
+
+    pool = c->pool;
+
+    ngx_close_connection(c);
+
+    ngx_destroy_pool(pool);
+}
+
+
+ngx_int_t
+ngx_http_v3_register_uni_stream(ngx_connection_t *c, uint64_t type)
+{
+    ngx_int_t                  index;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_uni_stream_t  *us;
+
+    h3c = ngx_http_v3_get_session(c);
+
+    switch (type) {
+
+    case NGX_HTTP_V3_STREAM_ENCODER:
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 encoder stream");
+        index = NGX_HTTP_V3_STREAM_CLIENT_ENCODER;
+        break;
+
+    case NGX_HTTP_V3_STREAM_DECODER:
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 decoder stream");
+        index = NGX_HTTP_V3_STREAM_CLIENT_DECODER;
+        break;
+
+    case NGX_HTTP_V3_STREAM_CONTROL:
+
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 control stream");
+        index = NGX_HTTP_V3_STREAM_CLIENT_CONTROL;
+
+        break;
+
+    default:
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "http3 stream 0x%02xL", type);
+
+        if (h3c->known_streams[NGX_HTTP_V3_STREAM_CLIENT_ENCODER] == NULL
+            || h3c->known_streams[NGX_HTTP_V3_STREAM_CLIENT_DECODER] == NULL
+            || h3c->known_streams[NGX_HTTP_V3_STREAM_CLIENT_CONTROL] == NULL)
+        {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0, "missing mandatory stream");
+            return NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR;
+        }
+
+        index = -1;
+    }
+
+    if (index >= 0) {
+        if (h3c->known_streams[index]) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0, "stream exists");
+            return NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR;
+        }
+
+        h3c->known_streams[index] = c;
+
+        us = c->data;
+        us->index = index;
+    }
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_http_v3_uni_read_handler(ngx_event_t *rev)
+{
+    u_char                     buf[128];
+    ssize_t                    n;
+    ngx_buf_t                  b;
+    ngx_int_t                  rc;
+    ngx_connection_t          *c;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_uni_stream_t  *us;
+
+    c = rev->data;
+    us = c->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 read handler");
+
+    if (c->close) {
+        ngx_http_v3_close_uni_stream(c);
+        return;
+    }
+
+    ngx_memzero(&b, sizeof(ngx_buf_t));
+
+    while (rev->ready) {
+
+        n = c->recv(c, buf, sizeof(buf));
+
+        if (n == NGX_ERROR) {
+            rc = NGX_HTTP_V3_ERR_INTERNAL_ERROR;
+            goto failed;
+        }
+
+        if (n == 0) {
+            if (us->index >= 0) {
+                rc = NGX_HTTP_V3_ERR_CLOSED_CRITICAL_STREAM;
+                goto failed;
+            }
+
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 read eof");
+            ngx_http_v3_close_uni_stream(c);
+            return;
+        }
+
+        if (n == NGX_AGAIN) {
+            break;
+        }
+
+        b.pos = buf;
+        b.last = buf + n;
+
+        h3c = ngx_http_v3_get_session(c);
+        h3c->total_bytes += n;
+
+        if (ngx_http_v3_check_flood(c) != NGX_OK) {
+            ngx_http_v3_close_uni_stream(c);
+            return;
+        }
+
+        rc = ngx_http_v3_parse_uni(c, &us->parse, &b);
+
+        if (rc == NGX_DONE) {
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "http3 read done");
+            ngx_http_v3_close_uni_stream(c);
+            return;
+        }
+
+        if (rc > 0) {
+            goto failed;
+        }
+
+        if (rc != NGX_AGAIN) {
+            rc = NGX_HTTP_V3_ERR_GENERAL_PROTOCOL_ERROR;
+            goto failed;
+        }
+    }
+
+    if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+        rc = NGX_HTTP_V3_ERR_INTERNAL_ERROR;
+        goto failed;
+    }
+
+    return;
+
+failed:
+
+    ngx_http_v3_finalize_connection(c, rc, "stream error");
+    ngx_http_v3_close_uni_stream(c);
+}
+
+
+static void
+ngx_http_v3_uni_dummy_read_handler(ngx_event_t *rev)
+{
+    u_char             ch;
+    ngx_connection_t  *c;
+
+    c = rev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 dummy read handler");
+
+    if (c->close) {
+        ngx_http_v3_close_uni_stream(c);
+        return;
+    }
+
+    if (rev->ready) {
+        if (c->recv(c, &ch, 1) != 0) {
+            ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR, NULL);
+            ngx_http_v3_close_uni_stream(c);
+            return;
+        }
+    }
+
+    if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+        ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_INTERNAL_ERROR,
+                                        NULL);
+        ngx_http_v3_close_uni_stream(c);
+    }
+}
+
+
+static void
+ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev)
+{
+    ngx_connection_t  *c;
+
+    c = wev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 dummy write handler");
+
+    if (ngx_handle_write_event(wev, 0) != NGX_OK) {
+        ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_INTERNAL_ERROR,
+                                        NULL);
+        ngx_http_v3_close_uni_stream(c);
+    }
+}
+
+
+static ngx_connection_t *
+ngx_http_v3_get_uni_stream(ngx_connection_t *c, ngx_uint_t type)
+{
+    u_char                     buf[NGX_HTTP_V3_VARLEN_INT_LEN];
+    size_t                     n;
+    ngx_int_t                  index;
+    ngx_connection_t          *sc;
+    ngx_http_v3_session_t     *h3c;
+    ngx_http_v3_uni_stream_t  *us;
+
+    switch (type) {
+    case NGX_HTTP_V3_STREAM_ENCODER:
+        index = NGX_HTTP_V3_STREAM_SERVER_ENCODER;
+        break;
+    case NGX_HTTP_V3_STREAM_DECODER:
+        index = NGX_HTTP_V3_STREAM_SERVER_DECODER;
+        break;
+    case NGX_HTTP_V3_STREAM_CONTROL:
+        index = NGX_HTTP_V3_STREAM_SERVER_CONTROL;
+        break;
+    default:
+        index = -1;
+    }
+
+    h3c = ngx_http_v3_get_session(c);
+
+    if (index >= 0) {
+        if (h3c->known_streams[index]) {
+            return h3c->known_streams[index];
+        }
+    }
+
+    sc = ngx_quic_open_stream(c, 0);
+    if (sc == NULL) {
+        goto failed;
+    }
+
+    ngx_quic_cancelable_stream(sc);
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 create uni stream, type:%ui", type);
+
+    us = ngx_pcalloc(sc->pool, sizeof(ngx_http_v3_uni_stream_t));
+    if (us == NULL) {
+        goto failed;
+    }
+
+    us->index = index;
+
+    sc->data = us;
+
+    sc->read->handler = ngx_http_v3_uni_dummy_read_handler;
+    sc->write->handler = ngx_http_v3_uni_dummy_write_handler;
+
+    if (index >= 0) {
+        h3c->known_streams[index] = sc;
+    }
+
+    n = (u_char *) ngx_http_v3_encode_varlen_int(buf, type) - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (sc->send(sc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    ngx_post_event(sc->read, &ngx_posted_events);
+
+    return sc;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to create server stream");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_STREAM_CREATION_ERROR,
+                                    "failed to create server stream");
+    if (sc) {
+        ngx_http_v3_close_uni_stream(sc);
+    }
+
+    return NULL;
+}
+
+
+ngx_int_t
+ngx_http_v3_send_settings(ngx_connection_t *c)
+{
+    u_char                  *p, buf[NGX_HTTP_V3_VARLEN_INT_LEN * 6];
+    size_t                   n;
+    ngx_connection_t        *cc;
+    ngx_http_v3_session_t   *h3c;
+    ngx_http_v3_srv_conf_t  *h3scf;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 send settings");
+
+    cc = ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_CONTROL);
+    if (cc == NULL) {
+        return NGX_ERROR;
+    }
+
+    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+
+    n = ngx_http_v3_encode_varlen_int(NULL,
+                                      NGX_HTTP_V3_PARAM_MAX_TABLE_CAPACITY);
+    n += ngx_http_v3_encode_varlen_int(NULL, h3scf->max_table_capacity);
+    n += ngx_http_v3_encode_varlen_int(NULL, NGX_HTTP_V3_PARAM_BLOCKED_STREAMS);
+    n += ngx_http_v3_encode_varlen_int(NULL, h3scf->max_blocked_streams);
+
+    p = (u_char *) ngx_http_v3_encode_varlen_int(buf,
+                                                 NGX_HTTP_V3_FRAME_SETTINGS);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p, n);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p,
+                                         NGX_HTTP_V3_PARAM_MAX_TABLE_CAPACITY);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p, h3scf->max_table_capacity);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p,
+                                            NGX_HTTP_V3_PARAM_BLOCKED_STREAMS);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p, h3scf->max_blocked_streams);
+    n = p - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (cc->send(cc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to send settings");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                    "failed to send settings");
+    ngx_http_v3_close_uni_stream(cc);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_send_goaway(ngx_connection_t *c, uint64_t id)
+{
+    u_char                 *p, buf[NGX_HTTP_V3_VARLEN_INT_LEN * 3];
+    size_t                  n;
+    ngx_connection_t       *cc;
+    ngx_http_v3_session_t  *h3c;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 send goaway %uL", id);
+
+    cc = ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_CONTROL);
+    if (cc == NULL) {
+        return NGX_ERROR;
+    }
+
+    n = ngx_http_v3_encode_varlen_int(NULL, id);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(buf, NGX_HTTP_V3_FRAME_GOAWAY);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p, n);
+    p = (u_char *) ngx_http_v3_encode_varlen_int(p, id);
+    n = p - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (cc->send(cc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to send goaway");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                    "failed to send goaway");
+    ngx_http_v3_close_uni_stream(cc);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_send_ack_section(ngx_connection_t *c, ngx_uint_t stream_id)
+{
+    u_char                  buf[NGX_HTTP_V3_PREFIX_INT_LEN];
+    size_t                  n;
+    ngx_connection_t       *dc;
+    ngx_http_v3_session_t  *h3c;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 send section acknowledgement %ui", stream_id);
+
+    dc = ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_DECODER);
+    if (dc == NULL) {
+        return NGX_ERROR;
+    }
+
+    buf[0] = 0x80;
+    n = (u_char *) ngx_http_v3_encode_prefix_int(buf, stream_id, 7) - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (dc->send(dc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                  "failed to send section acknowledgement");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                    "failed to send section acknowledgement");
+    ngx_http_v3_close_uni_stream(dc);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_send_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id)
+{
+    u_char                  buf[NGX_HTTP_V3_PREFIX_INT_LEN];
+    size_t                  n;
+    ngx_connection_t       *dc;
+    ngx_http_v3_session_t  *h3c;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 send stream cancellation %ui", stream_id);
+
+    dc = ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_DECODER);
+    if (dc == NULL) {
+        return NGX_ERROR;
+    }
+
+    buf[0] = 0x40;
+    n = (u_char *) ngx_http_v3_encode_prefix_int(buf, stream_id, 6) - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (dc->send(dc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to send stream cancellation");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                    "failed to send stream cancellation");
+    ngx_http_v3_close_uni_stream(dc);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_send_inc_insert_count(ngx_connection_t *c, ngx_uint_t inc)
+{
+    u_char                  buf[NGX_HTTP_V3_PREFIX_INT_LEN];
+    size_t                  n;
+    ngx_connection_t       *dc;
+    ngx_http_v3_session_t  *h3c;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 send insert count increment %ui", inc);
+
+    dc = ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_DECODER);
+    if (dc == NULL) {
+        return NGX_ERROR;
+    }
+
+    buf[0] = 0;
+    n = (u_char *) ngx_http_v3_encode_prefix_int(buf, inc, 6) - buf;
+
+    h3c = ngx_http_v3_get_session(c);
+    h3c->total_bytes += n;
+
+    if (dc->send(dc, buf, n) != (ssize_t) n) {
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                  "failed to send insert count increment");
+
+    ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+                                    "failed to send insert count increment");
+    ngx_http_v3_close_uni_stream(dc);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_http_v3_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id)
+{
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "http3 cancel stream %ui", stream_id);
+
+    /* we do not use dynamic tables */
+
+    return NGX_OK;
+}
diff --git a/src/http/v3/ngx_http_v3_uni.h b/src/http/v3/ngx_http_v3_uni.h
new file mode 100644
--- /dev/null
+++ b/src/http/v3/ngx_http_v3_uni.h
@@ -0,0 +1,32 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_HTTP_V3_UNI_H_INCLUDED_
+#define _NGX_HTTP_V3_UNI_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+void ngx_http_v3_init_uni_stream(ngx_connection_t *c);
+ngx_int_t ngx_http_v3_register_uni_stream(ngx_connection_t *c, uint64_t type);
+
+ngx_int_t ngx_http_v3_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id);
+
+ngx_int_t ngx_http_v3_send_settings(ngx_connection_t *c);
+ngx_int_t ngx_http_v3_send_goaway(ngx_connection_t *c, uint64_t id);
+ngx_int_t ngx_http_v3_send_ack_section(ngx_connection_t *c,
+    ngx_uint_t stream_id);
+ngx_int_t ngx_http_v3_send_cancel_stream(ngx_connection_t *c,
+    ngx_uint_t stream_id);
+ngx_int_t ngx_http_v3_send_inc_insert_count(ngx_connection_t *c,
+    ngx_uint_t inc);
+
+
+#endif /* _NGX_HTTP_V3_UNI_H_INCLUDED_ */
diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h
--- a/src/os/unix/ngx_socket.h
+++ b/src/os/unix/ngx_socket.h
@@ -13,6 +13,8 @@
 
 
 #define NGX_WRITE_SHUTDOWN SHUT_WR
+#define NGX_READ_SHUTDOWN  SHUT_RD
+#define NGX_RDWR_SHUTDOWN  SHUT_RDWR
 
 typedef int  ngx_socket_t;
 
diff --git a/src/os/win32/ngx_socket.h b/src/os/win32/ngx_socket.h
--- a/src/os/win32/ngx_socket.h
+++ b/src/os/win32/ngx_socket.h
@@ -14,6 +14,8 @@
 
 
 #define NGX_WRITE_SHUTDOWN SD_SEND
+#define NGX_READ_SHUTDOWN  SD_RECEIVE
+#define NGX_RDWR_SHUTDOWN  SD_BOTH
 
 
 typedef SOCKET  ngx_socket_t;


More information about the nginx-devel mailing list