path: root/target/linux/generic-2.6/patches-2.6.23/120-openswan-2.4.0.kernel-2.6-natt.patch
blob: 879073333febf3b3d27146a64c746cf2d512f41e (plain)
Index: linux-2.6.23.17/include/net/xfrmudp.h
===================================================================
--- /dev/null
+++ linux-2.6.23.17/include/net/xfrmudp.h
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
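Review bot: `HAVE_XFRM4_UDP_REGISTER` and both prototypes are visible whether or not `CONFIG_IPSEC_NAT_TRAVERSAL` is set, while the definitions in net/ipv4/xfrm4_input.c exist only under that option. Code that keys off the macro will therefore compile and then fail to resolve the symbols on a kernel built without the option. Wrapping the macro and the declarations in `#ifdef CONFIG_IPSEC_NAT_TRAVERSAL` would keep the feature test honest. The header also has no include guard and relies on the includer having already declared `struct sk_buff` and `__u16`; a guard, a `struct sk_buff;` forward declaration and `#include <linux/types.h>` would make it self-contained.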
Index: linux-2.6.23.17/net/ipv4/Kconfig
===================================================================
--- linux-2.6.23.17.orig/net/ipv4/Kconfig
+++ linux-2.6.23.17/net/ipv4/Kconfig
@@ -224,6 +224,12 @@ config NET_IPGRE_BROADCAST
 	  Network), but can be distributed all over the Internet. If you want
 	  to do that, say Y here and to "IP multicast routing" below.
 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 config IP_MROUTE
 	bool "IP: multicast routing"
 	depends on IP_MULTICAST
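Review bot: The help text for `IPSEC_NAT_TRAVERSAL` does not mention that the option changes what the stock receive path does. With it set, the xfrm4_input.c part of this patch no longer calls `xfrm4_rcv_encap()` directly and drops every ESP-in-UDP packet until a handler has been registered. I would add a sentence such as `With this option set, ESP-in-UDP packets are dropped unless a handler has been registered through udp4_register_esp_rcvencap(); say N if you use the in-kernel IPsec stack for NAT-T.` so that nobody enables it expecting plain RFC 3948 support. The help line is also indented with spaces, where the neighbouring entries use a tab plus two spaces.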
Index: linux-2.6.23.17/net/ipv4/xfrm4_input.c
===================================================================
--- linux-2.6.23.17.orig/net/ipv4/xfrm4_input.c
+++ linux-2.6.23.17/net/ipv4/xfrm4_input.c
@@ -15,6 +15,7 @@
 #include <linux/netfilter_ipv4.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
+#include <net/xfrmudp.h>
 
 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
 {
@@ -161,6 +162,29 @@ drop:
 	return 0;
 }
 
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
+			       xfrm4_rcv_encap_t *oldfunc)
+{
+	if(oldfunc != NULL)
+		*oldfunc = xfrm4_rcv_encap_func;
+
+	xfrm4_rcv_encap_func = func;
+	return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+	if(xfrm4_rcv_encap_func != func)
+		return -1;
+
+	xfrm4_rcv_encap_func = NULL;
+	return 0;
+}
+#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
+
 /* If it's a keepalive packet, then just eat it.
  * If it's an encapsulated packet, then pass it to the
  * IPsec xfrm input.
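Review bot: `udp4_unregister_esp_rcvencap()` clears `xfrm4_rcv_encap_func` with a plain store and returns at once, so a packet already inside the handler on another CPU can still be running the registrant's code after unregister has returned (presumably on a module unload path). Assuming unregister is only called from process context, publishing with `rcu_assign_pointer(xfrm4_rcv_encap_func, NULL);` followed by `synchronize_net();` before `return 0;` closes that window. `udp4_register_esp_rcvencap()` also overwrites an existing handler unconditionally, after which the first registrant's unregister fails the `!= func` check and the second caller owns the ESP-in-UDP input path. Returning `-EBUSY` when a handler is already set would be safer than handing back `*oldfunc` for chaining. A short comment above both functions stating the expected calling context would help too.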
@@ -251,7 +275,13 @@ int xfrm4_udp_encap_rcv(struct sock *sk,
 	iph->protocol = IPPROTO_ESP;
 
 	/* process ESP */
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if(xfrm4_rcv_encap_func == NULL)
+		goto drop;
+	ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+#else
 	ret = xfrm4_rcv_encap(skb, encap_type);
+#endif
 	return ret;
 
 drop:
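Review bot: The added branch reads `xfrm4_rcv_encap_func` twice, once for the NULL test and once for the call, so a concurrent unregister between the two reads turns the call into a NULL function-pointer dereference in the receive path. Read it once into a local and use that: `xfrm4_rcv_encap_t fn = rcu_dereference(xfrm4_rcv_encap_func);`, `if (fn == NULL) goto drop;`, `ret = fn(skb, up->encap_type);`. The `#else` branch passes a local `encap_type` while the new branch passes `up->encap_type`; if the local is still in scope here, using it in both branches would keep them consistent. The body of `xfrm4_udp_encap_rcv` starts and ends outside this hunk, so the declarations of `up` and `encap_type` are not visible here.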
@@ -265,3 +295,8 @@ int xfrm4_rcv(struct sk_buff *skb)
 }
 
 EXPORT_SYMBOL(xfrm4_rcv);
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif