be792e40 AF |
1 | diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h openswan-2.6.20/linux/include/openswan/ipsec_kversion.h |
2 | --- openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h 2009-02-10 05:54:47.000000000 +0100 | |
3 | +++ openswan-2.6.20/linux/include/openswan/ipsec_kversion.h 2009-03-14 22:36:22.000000000 +0100 | |
4 | @@ -302,9 +302,11 @@ | |
5 | # define HAVE_KMEM_CACHE_MACRO | |
6 | ||
7 | /* Try using the new kernel encaps hook for nat-t, instead of udp.c */ | |
8 | -# ifdef NOT_YET_FINISHED | |
9 | -# define HAVE_UDP_ENCAP_CONVERT | |
10 | -# endif | |
11 | +#if !defined(CONFIG_IPSEC_NAT_TRAVERSAL) || CONFIG_IPSEC_NAT_TRAVERSAL == 0 | |
12 | +# define HAVE_UDP_ENCAP_CONVERT | |
13 | +#else | |
14 | +# warning "It seems you are using a post 2.6.22 kernel with the NAT-T-patch - please consider using the new ENCAP nat-traversal code" | |
15 | +#endif | |
16 | ||
17 | #endif | |
18 | ||
19 | diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_param.h openswan-2.6.20/linux/include/openswan/ipsec_param.h | |
20 | --- openswan-2.6.20.org/linux/include/openswan/ipsec_param.h 2009-02-10 05:54:47.000000000 +0100 | |
21 | +++ openswan-2.6.20/linux/include/openswan/ipsec_param.h 2009-03-14 22:36:22.000000000 +0100 | |
22 | @@ -76,6 +76,12 @@ | |
23 | #endif /* __KERNEL__ */ | |
24 | ||
25 | /* | |
26 | + * These constants are used to indicate what type of NAT-T code is used | |
27 | + */ | |
28 | +#define NAT_OLD_STYLE 1 | |
29 | +#define NAT_NEW_STYLE 2 | |
30 | + | |
31 | +/* | |
32 | * This is for the SA reference table. This number is related to the | |
33 | * maximum number of SAs that KLIPS can concurrently deal with, plus enough | |
34 | * space for keeping expired SAs around. | |
35 | @@ -252,6 +258,10 @@ | |
36 | #endif | |
37 | #endif | |
38 | ||
39 | +#ifdef HAVE_UDP_ENCAP_CONVERT | |
40 | +# define NAT_TRAVERSAL 1 | |
41 | +#endif | |
42 | + | |
43 | #ifndef IPSEC_DEFAULT_TTL | |
44 | #define IPSEC_DEFAULT_TTL 64 | |
45 | #endif | |
46 | diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h openswan-2.6.20/linux/include/openswan/ipsec_rcv.h | |
47 | --- openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h 2009-02-10 05:54:47.000000000 +0100 | |
48 | +++ openswan-2.6.20/linux/include/openswan/ipsec_rcv.h 2009-03-14 22:36:22.000000000 +0100 | |
49 | @@ -136,7 +136,7 @@ | |
50 | struct ipcomphdr *compp; | |
51 | } ipcompstuff; | |
52 | } protostuff; | |
53 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
54 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
55 | __u8 natt_type; | |
56 | __u16 natt_sport; | |
57 | __u16 natt_dport; | |
58 | diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h | |
59 | --- openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h 2009-02-10 05:54:47.000000000 +0100 | |
60 | +++ openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h 2009-03-14 22:36:22.000000000 +0100 | |
61 | @@ -44,6 +44,12 @@ | |
62 | #define cf_name cf_u.cfu_name | |
63 | }; | |
64 | ||
65 | +struct nattraversalconf | |
66 | +{ | |
67 | + uint32_t cf_fd; | |
68 | + uint32_t cf_type; | |
69 | +}; | |
70 | + | |
71 | #define IPSEC_SET_DEV (SIOCDEVPRIVATE) | |
72 | #define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1) | |
73 | #define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2) | |
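Review bot: `struct nattraversalconf` is undocumented even though it is a kernel/userspace ABI: the pluto side in this same patch writes it inline over `ifr.ifr_data`, so the 8 bytes only fit because `ifr_ifru` is a 16-byte union, and `cf_fd` is a file descriptor that has meaning only in the calling process. A comment on the struct would save the next reader a search, e.g. `/* IPSEC_UDP_ENCAP_CONVERT argument, passed inline in ifr_ifru (not via the ifr_data pointer): cf_fd is the caller's UDP socket descriptor, cf_type a UDP_ENCAP_* value */`. If a 32-bit pluto is ever run on a 64-bit kernel, the compat handling of SIOCDEVPRIVATE ioctls treats ifru_data as a pointer and may not carry these inline bytes through unchanged; that cannot be confirmed from this hunk.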
74 | diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h openswan-2.6.20/linux/include/openswan/ipsec_xmit.h | |
75 | --- openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h 2009-02-10 05:54:47.000000000 +0100 | |
76 | +++ openswan-2.6.20/linux/include/openswan/ipsec_xmit.h 2009-03-14 22:36:22.000000000 +0100 | |
77 | @@ -124,7 +124,7 @@ | |
78 | #endif /* NET_21 */ | |
79 | uint32_t eroute_pid; | |
80 | struct ipsec_sa ips; | |
81 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
82 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
83 | uint8_t natt_type; | |
84 | uint8_t natt_head; | |
85 | uint16_t natt_sport; | |
86 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c openswan-2.6.20/linux/net/ipsec/ipsec_mast.c | |
87 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c 2009-02-10 05:54:47.000000000 +0100 | |
88 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_mast.c 2009-03-14 22:36:22.000000000 +0100 | |
89 | @@ -235,7 +235,7 @@ | |
90 | goto cleanup; | |
91 | } | |
92 | ||
93 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
94 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
95 | /* do any final NAT-encapsulation */ | |
96 | stat = ipsec_nat_encap(ixs); | |
97 | if(stat != IPSEC_XMIT_OK) { | |
98 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c openswan-2.6.20/linux/net/ipsec/ipsec_proc.c | |
99 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c 2009-02-10 05:54:47.000000000 +0100 | |
100 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_proc.c 2009-03-14 22:36:22.000000000 +0100 | |
101 | @@ -368,7 +368,7 @@ | |
102 | } | |
103 | #endif /* CONFIG_KLIPS_IPCOMP */ | |
104 | ||
105 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
106 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
107 | { | |
108 | char *natttype_name; | |
109 | ||
110 | @@ -635,11 +635,15 @@ | |
111 | return len; | |
112 | } | |
113 | ||
114 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
115 | -unsigned int natt_available = 1; | |
116 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) | |
117 | +unsigned int natt_available = NAT_OLD_STYLE; | |
118 | +#else | |
119 | +#if defined(HAVE_UDP_ENCAP_CONVERT) | |
120 | +unsigned int natt_available = NAT_NEW_STYLE; | |
121 | #else | |
122 | unsigned int natt_available = 0; | |
123 | #endif | |
124 | +#endif | |
125 | module_param(natt_available,int,0644); | |
126 | ||
127 | IPSEC_PROCFS_DEBUG_NO_STATIC | |
128 | @@ -654,11 +658,15 @@ | |
129 | ||
130 | len += ipsec_snprintf(buffer + len, | |
131 | length-len, "%d\n", | |
132 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
133 | - 1 | |
134 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) | |
135 | + NAT_OLD_STYLE | |
136 | +#else | |
137 | +#if defined(HAVE_UDP_ENCAP_CONVERT) | |
138 | + NAT_NEW_STYLE | |
139 | #else | |
140 | 0 | |
141 | #endif | |
142 | +#endif | |
143 | ); | |
144 | ||
145 | *start = buffer + (offset - begin); /* Start of wanted data */ | |
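Review bot: The /proc output in this hunk re-evaluates the same preprocessor ladder that initialises `natt_available` in the previous hunk, so the two can disagree: `natt_available` is registered as a writable module parameter (`module_param(natt_available,int,0644)`), yet the proc file that pluto reads always prints the compile-time constant. Printing the variable, `length-len, "%d\n", natt_available);`, keeps the two in step and removes the nested `#if`/`#else`/`#if`/`#else` block; the ladder in the previous hunk could likewise be collapsed with `#elif defined(HAVE_UDP_ENCAP_CONVERT)`. The variable is declared `unsigned int` but registered as `int` with module_param — pre-existing, but worth aligning while the declaration is being touched.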
146 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c | |
147 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c 2009-02-10 05:54:47.000000000 +0100 | |
148 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c 2009-03-14 22:41:35.000000000 +0100 | |
149 | @@ -1054,7 +1054,7 @@ | |
150 | irs->sa_len ? irs->sa : " (error)"); | |
151 | } | |
152 | ||
153 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
154 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
155 | if (irs->proto == IPPROTO_ESP) { | |
156 | KLIPS_PRINT(debug_rcv, | |
157 | "klips_debug:ipsec_rcv: " | |
158 | @@ -1172,7 +1172,7 @@ | |
159 | * if skb->sk is guaranteed to be valid here. | |
160 | * 2005-04-16: mcr@xelerance.com | |
161 | */ | |
162 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
163 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
164 | /* | |
165 | * | |
166 | * XXX we should ONLY update pluto if the SA passes all checks, | |
167 | @@ -1638,7 +1638,7 @@ | |
168 | } | |
169 | #endif /* CONFIG_KLIPS_IPCOMP */ | |
170 | ||
171 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
172 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
173 | if ((irs->natt_type) && (ipp->protocol != IPPROTO_IPIP)) { | |
174 | /** | |
175 | * NAT-Traversal and Transport Mode: | |
176 | @@ -1943,7 +1943,116 @@ | |
177 | */ | |
178 | int klips26_udp_encap_rcv(struct sock *sk, struct sk_buff *skb) | |
179 | { | |
180 | - return klips26_rcv_encap(skb, udp_sk(sk)->encap_type); | |
181 | + struct udp_sock *up = udp_sk(sk); | |
182 | + struct udphdr *uh; | |
183 | + struct iphdr *iph; | |
184 | + int iphlen, len; | |
185 | + int ret; | |
186 | + | |
187 | + __u8 *udpdata; | |
188 | + __be32 *udpdata32; | |
189 | + __u16 encap_type = up->encap_type; | |
190 | + | |
191 | + /* if this is not encapsulated socket, then just return now */ | |
192 | + if (!encap_type) | |
193 | + return 1; | |
194 | + | |
195 | + /* If this is a paged skb, make sure we pull up | |
196 | + * whatever data we need to look at. */ | |
197 | + len = skb->len - sizeof(struct udphdr); | |
198 | + if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8))) | |
199 | + return 1; | |
200 | + | |
201 | + /* Now we can get the pointers */ | |
202 | + uh = udp_hdr(skb); | |
203 | + udpdata = (__u8 *)uh + sizeof(struct udphdr); | |
204 | + udpdata32 = (__be32 *)udpdata; | |
205 | + | |
206 | + switch (encap_type) { | |
207 | + default: | |
208 | + case UDP_ENCAP_ESPINUDP: | |
209 | + /* Check if this is a keepalive packet. If so, eat it. */ | |
210 | + if (len == 1 && udpdata[0] == 0xff) { | |
211 | + KLIPS_PRINT(debug_rcv, | |
212 | + "UDP_ENCAP_ESPINUDP: keepalive packet detected\n"); | |
213 | + goto drop; | |
214 | + } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) { | |
215 | + KLIPS_PRINT(debug_rcv, | |
216 | + "UDP_ENCAP_ESPINUDP: ESP IN UDP packet detected\n"); | |
217 | + /* ESP Packet without Non-ESP header */ | |
218 | + len = sizeof(struct udphdr); | |
219 | + } else { | |
220 | + /* Must be an IKE packet.. pass it through */ | |
221 | + KLIPS_PRINT(debug_rcv, | |
222 | + "UDP_ENCAP_ESPINUDP: IKE packet detected\n"); | |
223 | + return 1; | |
224 | + } | |
225 | + break; | |
226 | + case UDP_ENCAP_ESPINUDP_NON_IKE: | |
227 | + KLIPS_PRINT(debug_rcv, | |
228 | + "UDP_ENCAP_ESPINUDP_NON_IKE: %d\n", | |
229 | + udpdata32[0]); | |
230 | + /* Check if this is a keepalive packet. If so, eat it. */ | |
231 | + if (len == 1 && udpdata[0] == 0xff) { | |
232 | + KLIPS_PRINT(debug_rcv, | |
233 | + "UDP_ENCAP_ESPINUDP_NON_IKE: keepalive packet detected\n"); | |
234 | + goto drop; | |
235 | + } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) && | |
236 | + udpdata32[0] == 0 && udpdata32[1] == 0) { | |
237 | + KLIPS_PRINT(debug_rcv, | |
238 | + "UDP_ENCAP_ESPINUDP_NON_IKE: ESP IN UDP NON IKE packet detected\n"); | |
239 | + /* ESP Packet with Non-IKE marker */ | |
240 | + len = sizeof(struct udphdr) + 2 * sizeof(u32); | |
241 | + } else { | |
242 | + /* Must be an IKE packet.. pass it through */ | |
243 | + KLIPS_PRINT(debug_rcv, | |
244 | + "UDP_ENCAP_ESPINUDP_NON_IKE: IKE packet detected\n"); | |
245 | + return 1; | |
246 | + } | |
247 | + break; | |
248 | + } | |
249 | + | |
250 | + /* At this point we are sure that this is an ESPinUDP packet, | |
251 | + * so we need to remove 'len' bytes from the packet (the UDP | |
252 | + * header and optional ESP marker bytes) and then modify the | |
253 | + * protocol to ESP, and then call into the transform receiver. | |
254 | + */ | |
255 | + if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) { | |
256 | + KLIPS_PRINT(debug_rcv, | |
257 | + "clone or expand problem\n"); | |
258 | + goto drop; | |
259 | + } | |
260 | + | |
261 | + /* Now we can update and verify the packet length... */ | |
262 | + iph = ip_hdr(skb); | |
263 | + iphlen = iph->ihl << 2; | |
264 | + iph->tot_len = htons(ntohs(iph->tot_len) - len); | |
265 | + if (skb->len < iphlen + len) { | |
266 | + /* packet is too small!?! */ | |
267 | + KLIPS_PRINT(debug_rcv, | |
268 | + "packet too small\n"); | |
269 | + goto drop; | |
270 | + } | |
271 | + | |
272 | + /* pull the data buffer up to the ESP header and set the | |
273 | + * transport header to point to ESP. Keep UDP on the stack | |
274 | + * for later. | |
275 | + */ | |
276 | + __skb_pull(skb, len); | |
277 | + skb_reset_transport_header(skb); | |
278 | + | |
279 | + /* modify the protocol (it's ESP!) */ | |
280 | + iph->protocol = IPPROTO_ESP; | |
281 | + | |
282 | + /* process ESP */ | |
283 | + KLIPS_PRINT(debug_rcv, | |
284 | + "starting processing ESP packet\n"); | |
285 | + ret = klips26_rcv_encap(skb, encap_type); | |
286 | + return ret; | |
287 | + | |
288 | +drop: | |
289 | + kfree_skb(skb); | |
290 | + return 0; | |
291 | } | |
292 | ||
293 | int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type) | |
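Review bot: In the `UDP_ENCAP_ESPINUDP_NON_IKE` case the debug print of `udpdata32[0]` runs before any length check, but the earlier `pskb_may_pull` only guarantees `min(len, 8)` bytes past the UDP header, so a 0–3 byte datagram makes it read beyond the pulled data (only when `debug_rcv` is set, but on attacker-supplied input). Move that print under the `len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr)` branch, or guard it, `if (len >= sizeof(u32)) KLIPS_PRINT(debug_rcv, "UDP_ENCAP_ESPINUDP_NON_IKE: %08x\n", ntohl(udpdata32[0]));`, which also fixes the `%d` used for a `__be32`. The `default:` label falling into `UDP_ENCAP_ESPINUDP` means any other value stored in the socket's `encap_type` is treated as ESP-in-UDP; an explicit `default: return 1;` is the safer choice unless a specific value is intended. Whether klips26_rcv_encap, whose body starts on the last line of this hunk and continues beyond it, still expects the UDP header in place (the replaced one-liner passed the skb untouched) cannot be checked from here.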
294 | @@ -2011,7 +2120,7 @@ | |
295 | ||
296 | irs->hard_header_len = skb->dev->hard_header_len; | |
297 | ||
298 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
299 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
300 | switch(encap_type) { | |
301 | case UDP_ENCAP_ESPINUDP: | |
302 | irs->natt_type = ESPINUDP_WITH_NON_ESP; | |
303 | @@ -2143,7 +2252,7 @@ | |
304 | irs->said.proto = 0; | |
305 | ||
306 | irs->hard_header_len = 0; | |
307 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
308 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
309 | irs->natt_type = 0; | |
310 | irs->natt_len = 0; | |
311 | #endif | |
312 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c openswan-2.6.20/linux/net/ipsec/ipsec_sa.c | |
313 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c 2009-02-10 05:54:47.000000000 +0100 | |
314 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_sa.c 2009-03-14 22:36:22.000000000 +0100 | |
315 | @@ -1011,7 +1011,7 @@ | |
316 | } | |
317 | ips->ips_addr_p = NULL; | |
318 | ||
319 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
320 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
321 | if(ips->ips_natt_oa) { | |
322 | memset((caddr_t)(ips->ips_natt_oa), 0, ips->ips_natt_oa_size); | |
323 | kfree(ips->ips_natt_oa); | |
324 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c | |
325 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c 2009-02-10 05:54:47.000000000 +0100 | |
326 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c 2009-03-14 22:36:22.000000000 +0100 | |
327 | @@ -99,6 +99,11 @@ | |
328 | #include <linux/udp.h> | |
329 | #endif | |
330 | ||
331 | +#ifdef HAVE_UDP_ENCAP_CONVERT | |
332 | +#include <linux/file.h> | |
333 | +#include "openswan/ipsec_rcv.h" | |
334 | +#endif | |
335 | + | |
336 | static __u32 zeroes[64]; | |
337 | ||
338 | DEBUG_NO_STATIC int | |
339 | @@ -571,7 +576,7 @@ | |
340 | return; | |
341 | } | |
342 | ||
343 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
344 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
345 | stat = ipsec_nat_encap(ixs); | |
346 | if(stat != IPSEC_XMIT_OK) { | |
347 | goto cleanup; | |
348 | @@ -1403,19 +1408,27 @@ | |
349 | ||
350 | #ifdef HAVE_UDP_ENCAP_CONVERT | |
351 | case IPSEC_UDP_ENCAP_CONVERT: | |
352 | - { | |
353 | - unsigned int *socknum =(unsigned int *)&ifr->ifr_data; | |
354 | + { | |
355 | + struct nattraversalconf *nf = (struct nattraversalconf *)&ifr->ifr_data; | |
356 | + unsigned int socknum = nf->cf_fd; | |
357 | + unsigned int encaptype = nf->cf_type; | |
358 | struct socket *sock; | |
359 | + struct sock *sk; | |
360 | int err, fput_needed; | |
361 | ||
362 | /* that's a static function in socket.c | |
363 | * sock = sockfd_lookup_light(*socknum, &err, &fput_needed); */ | |
364 | - sock = sockfd_lookup(*socknum, &err); | |
365 | + sock = sockfd_lookup(socknum, &err); | |
366 | + KLIPS_PRINT(debug_tunnel | |
367 | + , "socknum: %u, err: %d\n" | |
368 | + , socknum, err); | |
369 | if (!sock) | |
370 | goto encap_out; | |
371 | ||
372 | + sk = sock->sk; | |
373 | + | |
374 | /* check that it's a UDP socket */ | |
375 | - udp_sk(sk)->encap_type = UDP_ENCAP_ESPINUDP_NON_IKE; | |
376 | + udp_sk(sk)->encap_type = encaptype; | |
377 | udp_sk(sk)->encap_rcv = klips26_udp_encap_rcv; | |
378 | ||
379 | KLIPS_PRINT(debug_tunnel | |
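Review bot: The comment `/* check that it's a UDP socket */` is not backed by a check: `udp_sk(sk)` is applied to whatever socket `socknum` names, so a TCP, raw or Unix fd passed through the ioctl would have `encap_type` and `encap_rcv` written past the end of a smaller `struct sock`, and `cf_type` is stored unvalidated even though the receive path in this patch treats unknown values as `UDP_ENCAP_ESPINUDP`. Right after `sk = sock->sk;` add `if (sock->type != SOCK_DGRAM || sk->sk_protocol != IPPROTO_UDP || (encaptype != UDP_ENCAP_ESPINUDP && encaptype != UDP_ENCAP_ESPINUDP_NON_IKE)) { sockfd_put(sock); goto encap_out; }` — and the reference taken by `sockfd_lookup` must be dropped with `sockfd_put()` on every other exit too, which this hunk does not show. Storing `encap_type` before `encap_rcv` also leaves a window in which a datagram arriving on the socket sees a non-zero encap_type with the previous hook pointer (possibly NULL); assigning `encap_rcv` first and `encap_type` last closes it. The rest of the handler, including the `encap_out` label, lies outside the hunk.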
380 | @@ -1976,7 +1989,7 @@ | |
381 | ixs->ips.ips_ident_s.data = NULL; | |
382 | ixs->ips.ips_ident_d.data = NULL; | |
383 | ixs->outgoing_said.proto = 0; | |
384 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
385 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
386 | ixs->natt_type = 0, ixs->natt_head = 0; | |
387 | ixs->natt_sport = 0, ixs->natt_dport = 0; | |
388 | #endif | |
389 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c | |
390 | --- openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c 2009-02-10 05:54:47.000000000 +0100 | |
391 | +++ openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c 2009-03-14 22:36:22.000000000 +0100 | |
392 | @@ -1597,7 +1597,7 @@ | |
393 | ixs->tailroom += ixs->blocksize != 1 ? | |
394 | ((ixs->blocksize - ((ixs->pyldsz + 2) % ixs->blocksize)) % ixs->blocksize) + 2 : | |
395 | ((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2; | |
396 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
397 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
398 | if ((ixs->ipsp->ips_natt_type) && (!ixs->natt_type)) { | |
399 | ixs->natt_type = ixs->ipsp->ips_natt_type; | |
400 | ixs->natt_sport = ixs->ipsp->ips_natt_sport; | |
401 | @@ -1762,7 +1762,7 @@ | |
402 | } | |
403 | #endif /* MSS_HACK */ | |
404 | ||
405 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
406 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
407 | if ((ixs->natt_type) && (ixs->outgoing_said.proto != IPPROTO_IPIP)) { | |
408 | /** | |
409 | * NAT-Traversal and Transport Mode: | |
410 | @@ -1929,7 +1929,7 @@ | |
411 | } | |
412 | #endif /* NETDEV_23 */ | |
413 | ||
414 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
415 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
416 | enum ipsec_xmit_value ipsec_nat_encap(struct ipsec_xmit_state *ixs) | |
417 | { | |
418 | if (ixs->natt_type && ixs->natt_head) { | |
419 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c | |
420 | --- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c 2009-02-10 05:54:47.000000000 +0100 | |
421 | +++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c 2009-03-14 22:36:22.000000000 +0100 | |
422 | @@ -716,7 +716,7 @@ | |
423 | } | |
424 | ||
425 | ||
426 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
427 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
428 | int | |
429 | pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr) | |
430 | { | |
431 | diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c | |
432 | --- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c 2009-02-10 05:54:47.000000000 +0100 | |
433 | +++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c 2009-03-14 22:36:22.000000000 +0100 | |
434 | @@ -405,7 +405,7 @@ | |
435 | struct sadb_msg *pfkey_reply = NULL; | |
436 | struct socket_list *pfkey_socketsp; | |
437 | uint8_t satype = ((struct sadb_msg*)extensions[K_SADB_EXT_RESERVED])->sadb_msg_satype; | |
438 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
439 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
440 | struct ipsec_sa *nat_t_ips_saved = NULL; | |
441 | #endif | |
442 | KLIPS_PRINT(debug_pfkey, | |
443 | @@ -453,7 +453,7 @@ | |
444 | sa_len ? sa : " (error)", | |
445 | extr->ips->ips_flags & EMT_INBOUND ? "in" : "out"); | |
446 | ||
447 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
448 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
449 | if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) { | |
450 | KLIPS_PRINT(debug_pfkey, | |
451 | "klips_debug:pfkey_update_parse: only updating NAT-T ports " | |
452 | @@ -622,7 +622,7 @@ | |
453 | pfkey_socketsp->socketp); | |
454 | } | |
455 | ||
456 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
457 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
458 | if (nat_t_ips_saved) { | |
459 | /** | |
460 | * As we _really_ update existing SA, we keep tdbq and need to delete | |
461 | @@ -2547,7 +2547,7 @@ | |
462 | return error; | |
463 | } | |
464 | ||
465 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
466 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
467 | int | |
468 | pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr, | |
469 | __u16 sport) | |
470 | @@ -2707,7 +2707,7 @@ | |
471 | pfkey_address_process, | |
472 | pfkey_x_debug_process, | |
473 | pfkey_x_protocol_process, | |
474 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
475 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
476 | pfkey_x_nat_t_type_process, | |
477 | pfkey_x_nat_t_port_process, | |
478 | pfkey_x_nat_t_port_process, | |
479 | @@ -2812,7 +2812,7 @@ | |
480 | pfkey_x_addflow_parse, | |
481 | pfkey_x_delflow_parse, | |
482 | pfkey_x_msg_debug_parse, | |
483 | -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL | |
484 | +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT) | |
485 | pfkey_x_nat_t_new_mapping_parse, | |
486 | #else | |
487 | NULL, | |
488 | diff -Naur openswan-2.6.20.org/programs/pluto/nat_traversal.c openswan-2.6.20/programs/pluto/nat_traversal.c | |
489 | --- openswan-2.6.20.org/programs/pluto/nat_traversal.c 2009-02-10 05:54:47.000000000 +0100 | |
490 | +++ openswan-2.6.20/programs/pluto/nat_traversal.c 2009-03-14 22:36:22.000000000 +0100 | |
491 | @@ -24,11 +24,15 @@ | |
492 | #include <string.h> | |
493 | #include <unistd.h> | |
494 | #include <signal.h> /* used only if MSG_NOSIGNAL not defined */ | |
495 | +#include <sys/ioctl.h> | |
496 | +#include <net/if.h> | |
497 | ||
498 | #include <openswan.h> | |
499 | #include <openswan/ipsec_policy.h> | |
500 | #include <openswan/pfkeyv2.h> | |
501 | #include <openswan/pfkey.h> | |
502 | +#include <openswan/ipsec_param.h> | |
503 | +#include <openswan/ipsec_tunnel.h> | |
504 | ||
505 | #include "sysdep.h" | |
506 | #include "constants.h" | |
507 | @@ -68,6 +72,8 @@ | |
508 | ||
509 | #define DEFAULT_KEEP_ALIVE_PERIOD 20 | |
510 | ||
511 | +static unsigned int nat_traversal_type = 0; | |
512 | + | |
513 | bool nat_traversal_enabled = FALSE; | |
514 | bool nat_traversal_support_non_ike = FALSE; | |
515 | bool nat_traversal_support_port_floating = FALSE; | |
516 | @@ -101,6 +107,10 @@ | |
517 | nat_traversal_support_port_floating=FALSE; | |
518 | openswan_log(" KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)\n"); | |
519 | } | |
520 | + else { | |
521 | + nat_traversal_type = atoi(&n); | |
522 | + openswan_log(" KLIPS using NAT-Traversal Method %c\n", n); | |
523 | + } | |
524 | fclose(f); | |
525 | } | |
526 | } | |
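Review bot: `atoi(&n)` is given the address of a single `char` (`n` is printed with `%c` on the next line), not a NUL-terminated string, so `atoi` reads past `n` into neighbouring stack bytes and the result is undefined. Convert the digit directly and reject anything else: `nat_traversal_type = (n >= '0' && n <= '9') ? (unsigned)(n - '0') : 0;`. A value that is neither NAT_OLD_STYLE nor NAT_NEW_STYLE deserves a log line here, because nat_traversal_espinudp_socket in this same patch silently does nothing for other values. The enclosing function starts before this hunk.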
527 | @@ -667,7 +677,22 @@ | |
528 | int nat_traversal_espinudp_socket (int sk, const char *fam, u_int32_t type) | |
529 | { | |
530 | int r; | |
531 | - r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type)); | |
532 | + if (nat_traversal_type == NAT_OLD_STYLE) { | |
533 | + loglog(RC_LOG_SERIOUS, | |
534 | + "NAT-Traversal: Trying old style NAT-T"); | |
535 | + r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type)); | |
536 | + } | |
537 | + if (nat_traversal_type == NAT_NEW_STYLE) { | |
538 | + loglog(RC_LOG_SERIOUS, | |
539 | + "NAT-Traversal: Trying new style NAT-T"); | |
540 | + struct ifreq ifr; | |
541 | + struct nattraversalconf *ntc=(struct nattraversalconf *)&ifr.ifr_data; | |
542 | + memset(&ifr, 0, sizeof(ifr)); | |
543 | + strcpy(ifr.ifr_name, "ipsec0"); | |
544 | + ntc->cf_fd = sk; | |
545 | + ntc->cf_type = type; | |
546 | + r = ioctl(sk, IPSEC_UDP_ENCAP_CONVERT, &ifr); | |
547 | + } | |
548 | if ((r<0) && (errno == ENOPROTOOPT)) { | |
549 | loglog(RC_LOG_SERIOUS, | |
550 | "NAT-Traversal: ESPINUDP(%d) not supported by kernel for family %s" |
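Review bot: `r` is assigned only inside the two `if` bodies, so when `nat_traversal_type` is neither NAT_OLD_STYLE nor NAT_NEW_STYLE (0 if /proc/net/ipsec/natt could not be read, or an unrecognised value) the following `if ((r<0) && (errno == ENOPROTOOPT))` reads an uninitialised `int` and the function can report success without having enabled encapsulation. Initialise it and make the branches exclusive: `int r = -1;` at the top, `else if (nat_traversal_type == NAT_NEW_STYLE)` for the second test, and `errno = ENOPROTOOPT;` in a final `else` so the existing diagnostic fires. The ioctl path hard-codes the device with `strcpy(ifr.ifr_name, "ipsec0")`; `snprintf(ifr.ifr_name, IFNAMSIZ, "ipsec0")` is the bounded form, and the name ought to come from configuration if another ipsecN device is in use. Errors from the kernel handler will presumably surface as ENODEV or EINVAL rather than ENOPROTOOPT, so the "not supported by kernel" message after this hunk would never trigger for the new path; the function's error handling continues beyond the hunk.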