From 5639fecfb3e859a85e38e40c2869d11cb72625f0 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Mon, 14 Jul 2008 23:53:15 +0200
Subject: [PATCH] Add natt patch disabled iptables for collectd disabled initrd size optimization
---
 config/kernel/kernel.config.i586 | 3 +-
 config/kernel/kernel.config.i586.smp | 3 +-
 lfs/collectd | 4 +-
 lfs/initrd | 6 +-
 lfs/ipp2p | 2 +-
 lfs/linux | 2 +-
 make.sh | 2 +-
 .../openswan-2.4.x.kernel-2.6.23-natt.patch | 204 ++++++++++++++++++
 8 files changed, 217 insertions(+), 9 deletions(-)
 create mode 100755 src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
diff --git a/config/kernel/kernel.config.i586 b/config/kernel/kernel.config.i586
index 6e8fea7a4d..c97dfa32ab 100644
--- a/config/kernel/kernel.config.i586
+++ b/config/kernel/kernel.config.i586
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.24.7
-# Sun Jul 13 09:32:56 2008
+# Mon Jul 14 10:58:23 2008
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -433,6 +433,7 @@ CONFIG_INET_ESP=m
 CONFIG_INET_IPCOMP=m
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
+CONFIG_IPSEC_NAT_TRAVERSAL=y
 CONFIG_INET_XFRM_MODE_TRANSPORT=y
 CONFIG_INET_XFRM_MODE_TUNNEL=y
 CONFIG_INET_XFRM_MODE_BEET=y
diff --git a/config/kernel/kernel.config.i586.smp b/config/kernel/kernel.config.i586.smp
index 3e7af0c5ac..17409c3387 100644
--- a/config/kernel/kernel.config.i586.smp
+++ b/config/kernel/kernel.config.i586.smp
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.24.7
-# Sun Jul 13 09:11:25 2008
+# Mon Jul 14 11:01:33 2008
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -444,6 +444,7 @@ CONFIG_INET_ESP=m
 CONFIG_INET_IPCOMP=m
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
+CONFIG_IPSEC_NAT_TRAVERSAL=y
 CONFIG_INET_XFRM_MODE_TRANSPORT=y
 CONFIG_INET_XFRM_MODE_TUNNEL=y
 CONFIG_INET_XFRM_MODE_BEET=y
diff --git a/lfs/collectd b/lfs/collectd
index 0e35c6c2ed..6a0ba4903a 100644
--- a/lfs/collectd
+++ b/lfs/collectd
@@ -78,11 +78,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var \
- --disable-{apple_sensors,csv,ipvs,mbmon,memcached,mysql} \
+ --disable-{apple_sensors,csv,iptables,ipvs,mbmon,memcached,mysql} \
 --disable-{netlink,nginx,nut,perl,serial,snmp,tape,vserver,wireless,xmms} \
 --disable-{perl,serial,snmp,tape,vserver,wireless,xmms} \
 --enable-{apcups,battery,cpu{,freq},df,disk,dns,email,entropy,exec,hddtemp} \
- --enable-{interface,iptables,irq,load,logfile,memory,multimeter} \
+ --enable-{interface,irq,load,logfile,memory,multimeter} \
 --enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \
 --enable-{tcpconns,unixsock,users} \
 --with-rrdtool=/usr/share/rrdtool-1.2.15 --enable-debug
diff --git a/lfs/initrd b/lfs/initrd
index 6b8e91b579..df84dd1f6a 100644
--- a/lfs/initrd
+++ b/lfs/initrd
@@ -63,8 +63,10 @@ $(TARGET) :
 depmod -a -F /boot/System.map-$(KVER)-ipfire-smp $(KVER)-ipfire-smp
 cp -a /lib/modules/$(KVER)-ipfire/ /install/initrd/lib/modules/
- rm -rf /install/initrd/lib/modules/$(KVER)-ipfire/{build,source,misc/*,kernel/{crypro,sound,net,drivers/{media,video}}} \
- /install/initrd/lib/modules/$(KVER)-ipfire/kernel/drivers/message/fusion/mptlan*
+
+# removed initrd size optimization for testing if sata works again
+# rm -rf /install/initrd/lib/modules/$(KVER)-ipfire/{build,source,misc/*,kernel/{crypro,sound,net,drivers/{media,video}}} \
+# /install/initrd/lib/modules/$(KVER)-ipfire/kernel/drivers/message/fusion/mptlan*
 cp /opt/$(MACHINE)-uClibc/lib/libgcc_s.so.1 /install/initrd/lib/
diff --git a/lfs/ipp2p b/lfs/ipp2p
index f130192508..b64f5c5ec2 100644
--- a/lfs/ipp2p
+++ b/lfs/ipp2p
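Review bot: The prune list in lfs/initrd spells the kernel module subdirectory `crypro`, both in the removed `rm -rf` line and in the commented-out copy kept on the new side; if the shell expands that brace list, the resulting path matches nothing and `rm -rf` skips it without an error, so the crypto modules were never dropped from the initrd even while the "size optimization" was active. Since the commit keeps the command only as a comment "for testing if sata works again", the comment should record the revert condition and the spelling fix in one place, e.g. `# TODO: re-enable this prune once SATA boot is confirmed; change crypro -> crypto when doing so`. Whether the pruned module directories are actually what broke SATA is not established by anything in this hunk, so the comment should not claim it. The $(TARGET) recipe continues outside the hunk.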
@@ -60,7 +60,7 @@ $(TARGET) :
 @rm -rf $(DIR_APP) && mkdir -p $(DIR_APP)
 @cp -vf $(DIR_SRC)/src/ipp2p/* $(DIR_APP)
 cd $(DIR_SRC) && rm -rf iptables-*
- cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.3.8.tar.bz2
+ cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.4.0.tar.bz2
 cd $(DIR_SRC) && ln -sf iptables-* iptables
 ifeq "$(SMP)" "1"
 cd $(DIR_APP) && make ipt_ipp2p.ko
diff --git a/lfs/linux b/lfs/linux
index 08665415e2..78e4468d08 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -101,7 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.20.21-zd1211-usrobotics-usbid.patch
 # Openswan nat-t
-# cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.6.14-kernel-2.6.24.7-natt.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
 # Reiser4
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/reiser4-for-2.6.24.patch
diff --git a/make.sh b/make.sh
index 1d4cbb04d2..62752807ca 100755
--- a/make.sh
+++ b/make.sh
@@ -421,7 +421,7 @@ buildipfire() {
 ipfiremake whatmask
 ipfiremake iptables
 ipfiremake libupnp
- ipfiremake ipp2p IPT=1
+# ipfiremake ipp2p IPT=1
 ipfiremake linux-igd
 ipfiremake ipaddr
 ipfiremake iptstate
diff --git a/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch b/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
new file mode 100755
index 0000000000..e0c1fc95b9
--- /dev/null
+++ b/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
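Review bot: The openswan NAT-T patch that lfs/linux now applies unconditionally is named for kernel 2.6.23, while the kernel configs in this same commit record `Linux kernel version: 2.6.24.7`, so `patch -Np1` may only be applying it with offsets or fuzz against the newer tree; a fuzzed match in a file as large as net/ipv4/udp.c can land in the wrong function without failing the build. Consider tightening the line to `cd $(DIR_APP) && patch -Np1 --fuzz=0 < $(DIR_SRC)/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch` so a context mismatch stops the build rather than being accepted silently, and extend the `# Openswan nat-t` comment with the kernel version the patch was verified against. The previously commented-out `openswan-2.6.14-kernel-2.6.24.7-natt.patch` line is dropped without a note, so a later reader cannot tell why the 2.6.23 variant was chosen over the one matching the kernel. The $(TARGET) recipe continues outside the hunk.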
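Review bot: `ipfiremake ipp2p IPT=1` is commented out in make.sh while lfs/ipp2p in the same commit is bumped to `iptables-1.4.0.tar.bz2`, which leaves that lfs change unreachable from the build and gives no hint whether ipp2p is dropped for good or only until it builds against the new iptables. A reason next to the disabled line would make the intent recoverable, e.g. `# ipp2p disabled: <reason, e.g. not yet building against iptables 1.4.0> (TODO re-enable)`; the commit message says only that the natt patch was added and does not mention ipp2p. buildipfire() continues outside the hunk.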
@@ -0,0 +1,204 @@
+Index: linux-2.6.x/net/ipv4/Kconfig
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/Kconfig,v
+retrieving revision 1.1.1.28
+retrieving revision 1.10
+diff -u -r1.1.1.28 -r1.10
+--- linux-2.6.x/net/ipv4/Kconfig 10 Oct 2007 00:54:30 -0000 1.1.1.28
++++ linux-2.6.x/net/ipv4/Kconfig 10 Oct 2007 04:53:57 -0000 1.10
+@@ -367,6 +367,12 @@
+ tristate
+ default n
+
++config IPSEC_NAT_TRAVERSAL
++ bool "IPSEC NAT-Traversal (KLIPS compatible)"
++ depends on INET
++ ---help---
++ Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
++
+ config INET_XFRM_MODE_TRANSPORT
+ tristate "IP: IPsec transport mode"
+ default y
+Index: linux-2.6.x/net/ipv4/udp.c
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/udp.c,v
+retrieving revision 1.1.1.46
+diff -u -r1.1.1.46 udp.c
+--- linux-2.6.x/net/ipv4/udp.c 10 Oct 2007 00:54:30 -0000 1.1.1.46
++++ linux-2.6.x/net/ipv4/udp.c 9 Nov 2007 00:11:33 -0000
+@@ -102,6 +102,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "udp_impl.h"
+
+ /*
+@@ -920,6 +921,128 @@
+ return 0;
+ }
+
++#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++
++static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
++
++/*
++ * de-encapsulate and pass to the registered xfrm4_rcv_encap_func function.
++ * Most of this code stolen from net/ipv4/xfrm4_input.c
++ * which is attributed to YOSHIFUJI Hideaki @USAGI, and
++ * Derek Atkins
++ */
++
++static int xfrm4_udp_encap_rcv_wrapper(struct sock *sk, struct sk_buff *skb)
++{
++ struct udp_sock *up = udp_sk(sk);
++ struct udphdr *uh;
++ struct iphdr *iph;
++ int iphlen, len;
++ int ret;
++
++ __u8 *udpdata;
++ __be32 *udpdata32;
++ __u16 encap_type = up->encap_type;
++
++ /* if this is not encapsulated socket, then just return now */
++ if (!encap_type && !xfrm4_rcv_encap_func)
++ return 1;
++
++ /* If this is a paged skb, make sure we pull up
++ * whatever data we need to look at. */
++ len = skb->len - sizeof(struct udphdr);
++ if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
++ return 1;
++
++ /* Now we can get the pointers */
++ uh = udp_hdr(skb);
++ udpdata = (__u8 *)uh + sizeof(struct udphdr);
++ udpdata32 = (__be32 *)udpdata;
++
++ switch (encap_type) {
++ default:
++ case UDP_ENCAP_ESPINUDP:
++ /* Check if this is a keepalive packet. If so, eat it. */
++ if (len == 1 && udpdata[0] == 0xff) {
++ goto drop;
++ } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
++ /* ESP Packet without Non-ESP header */
++ len = sizeof(struct udphdr);
++ } else
++ /* Must be an IKE packet.. pass it through */
++ return 1;
++ break;
++ case UDP_ENCAP_ESPINUDP_NON_IKE:
++ /* Check if this is a keepalive packet. If so, eat it. */
++ if (len == 1 && udpdata[0] == 0xff) {
++ goto drop;
++ } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
++ udpdata32[0] == 0 && udpdata32[1] == 0) {
++
++ /* ESP Packet with Non-IKE marker */
++ len = sizeof(struct udphdr) + 2 * sizeof(u32);
++ } else
++ /* Must be an IKE packet.. pass it through */
++ return 1;
++ break;
++ }
++
++ /* At this point we are sure that this is an ESPinUDP packet,
++ * so we need to remove 'len' bytes from the packet (the UDP
++ * header and optional ESP marker bytes) and then modify the
++ * protocol to ESP, and then call into the transform receiver.
++ */
++ if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
++ goto drop;
++
++ /* Now we can update and verify the packet length... */
++ iph = ip_hdr(skb);
++ iphlen = iph->ihl << 2;
++ iph->tot_len = htons(ntohs(iph->tot_len) - len);
++ if (skb->len < iphlen + len) {
++ /* packet is too small!?! */
++ goto drop;
++ }
++
++ /* pull the data buffer up to the ESP header and set the
++ * transport header to point to ESP. Keep UDP on the stack
++ * for later.
++ */
++ __skb_pull(skb, len);
++ skb_reset_transport_header(skb);
++
++ /* modify the protocol (it's ESP!) */
++ iph->protocol = IPPROTO_ESP;
++
++ /* process ESP */
++ ret = (*xfrm4_rcv_encap_func)(skb, encap_type);
++ return ret;
++
++drop:
++ kfree_skb(skb);
++ return 0;
++}
++
++int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
++ xfrm4_rcv_encap_t *oldfunc)
++{
++ if (oldfunc != NULL)
++ *oldfunc = xfrm4_rcv_encap_func;
++ xfrm4_rcv_encap_func = func;
++ return 0;
++}
++
++int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
++{
++ if (xfrm4_rcv_encap_func != func)
++ return -1;
++
++ xfrm4_rcv_encap_func = NULL;
++ return 0;
++}
++
++#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
++
+ /* returns:
+ * -1: error
+ * 0: success
+@@ -1252,6 +1375,11 @@
+ case 0:
+ case UDP_ENCAP_ESPINUDP:
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
++#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++ if (xfrm4_rcv_encap_func)
++ up->encap_rcv = xfrm4_udp_encap_rcv_wrapper;
++ else
++#endif
+ up->encap_rcv = xfrm4_udp_encap_rcv;
+ /* FALLTHROUGH */
+ case UDP_ENCAP_L2TPINUDP:
+@@ -1648,3 +1776,9 @@
+ EXPORT_SYMBOL(udp_proc_register);
+ EXPORT_SYMBOL(udp_proc_unregister);
+ #endif
++
++#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++EXPORT_SYMBOL(udp4_register_esp_rcvencap);
++EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
++#endif
++
+Index: linux-2.6.x/include/net/xfrmudp.h
+===================================================================
+RCS file: linux-2.6.x/include/net/xfrmudp.h
+diff -N linux-2.6.x/include/net/xfrmudp.h
+--- /dev/null 1 Jan 1970 00:00:00 -0000
++++ linux-2.6.x/include/net/xfrmudp.h 3 Nov 2005 01:55:55 -0000 1.1
+@@ -0,0 +1,10 @@
++/*
++ * pointer to function for type that xfrm4_input wants, to permit
++ * decoupling of XFRM from udp.c
++ */
++#define HAVE_XFRM4_UDP_REGISTER
++
++typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
++extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
++ , xfrm4_rcv_encap_t *oldfunc);
++extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
--
2.39.2
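Review bot: In `xfrm4_udp_encap_rcv_wrapper` the registered function pointer is read from the global twice with no lock or RCU protection: the early guard returns only when both `encap_type` is zero and `xfrm4_rcv_encap_func` is NULL, so a socket whose `encap_rcv` was set to the wrapper (the setsockopt hunk does this while a function is registered) will, once `udp4_unregister_esp_rcvencap` has cleared the pointer, fall through to `ret = (*xfrm4_rcv_encap_func)(skb, encap_type);` and call through NULL in the receive path on the next packet for that port. At minimum snapshot the pointer once and bail out before the skb is modified: add `xfrm4_rcv_encap_t func = xfrm4_rcv_encap_func;` with the declarations, `if (!func) return 1;` ahead of the existing guard, and call `ret = (*func)(skb, encap_type);`; a registration API meant for a module would additionally need rcu_assign_pointer/rcu_dereference around the pointer and a synchronize_rcu() before the unregister path returns, which I cannot confirm is sufficient from this patch alone. Separately, `udp4_unregister_esp_rcvencap` returns a bare `-1` where the kernel convention is `-EINVAL`, the `#endif` comment names `CONFIG_XFRM_MODULE` while the `#if` tests `CONFIG_XFRM`, and the patch file itself is committed with mode 100755 although nothing executes it.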