Index: linux-2.6.23.17/include/net/xfrmudp.h =================================================================== --- /dev/null +++ linux-2.6.23.17/include/net/xfrmudp.h @@ -0,0 +1,10 @@ +/* + * pointer to function for type that xfrm4_input wants, to permit + * decoupling of XFRM from udp.c + */ +#define HAVE_XFRM4_UDP_REGISTER + +typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type); +extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func + , xfrm4_rcv_encap_t *oldfunc); +extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func); Index: linux-2.6.23.17/net/ipv4/Kconfig =================================================================== --- linux-2.6.23.17.orig/net/ipv4/Kconfig +++ linux-2.6.23.17/net/ipv4/Kconfig @@ -224,6 +224,12 @@ config NET_IPGRE_BROADCAST Network), but can be distributed all over the Internet. If you want to do that, say Y here and to "IP multicast routing" below. +config IPSEC_NAT_TRAVERSAL + bool "IPSEC NAT-Traversal (KLIPS compatible)" + depends on INET + ---help--- + Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP. + config IP_MROUTE bool "IP: multicast routing" depends on IP_MULTICAST Index: linux-2.6.23.17/net/ipv4/xfrm4_input.c =================================================================== --- linux-2.6.23.17.orig/net/ipv4/xfrm4_input.c +++ linux-2.6.23.17/net/ipv4/xfrm4_input.c @@ -15,6 +15,7 @@ #include #include #include +#include static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) { @@ -161,6 +162,29 @@ drop: return 0; } +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL +static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL; + +int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func, + xfrm4_rcv_encap_t *oldfunc) +{ + if(oldfunc != NULL) + *oldfunc = xfrm4_rcv_encap_func; + + xfrm4_rcv_encap_func = func; + return 0; +} + +int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func) +{ + if(xfrm4_rcv_encap_func != func) + return -1; + + xfrm4_rcv_encap_func = NULL; + return 0; +} +#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */ + /* If it's a keepalive packet, then just eat it. * If it's an encapsulated packet, then pass it to the * IPsec xfrm input. @@ -251,7 +275,13 @@ int xfrm4_udp_encap_rcv(struct sock *sk, iph->protocol = IPPROTO_ESP; /* process ESP */ +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL + if(xfrm4_rcv_encap_func == NULL) + goto drop; + ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type); +#else ret = xfrm4_rcv_encap(skb, encap_type); +#endif return ret; drop: @@ -265,3 +295,8 @@ int xfrm4_rcv(struct sk_buff *skb) } EXPORT_SYMBOL(xfrm4_rcv); + +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL +EXPORT_SYMBOL(udp4_register_esp_rcvencap); +EXPORT_SYMBOL(udp4_unregister_esp_rcvencap); +#endif