Stop dhcpcd before starting if it was running
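diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h openswan-2.6.20/linux/include/openswan/ipsec_kversion.h
--- openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h 2009-02-10 05:54:47.000000000 +0100
+++ openswan-2.6.20/linux/include/openswan/ipsec_kversion.h 2009-03-14 22:36:22.000000000 +0100
@@ -302,9 +302,11 @@
 # define HAVE_KMEM_CACHE_MACRO
 
 /* Try using the new kernel encaps hook for nat-t, instead of udp.c */
-# ifdef NOT_YET_FINISHED
-# define HAVE_UDP_ENCAP_CONVERT
-# endif
+#if !defined(CONFIG_IPSEC_NAT_TRAVERSAL) || CONFIG_IPSEC_NAT_TRAVERSAL == 0
+# define HAVE_UDP_ENCAP_CONVERT
+#else
+# warning "It seems you are using a post 2.6.22 kernel with the NAT-T-patch - please consider using the new ENCAP nat-traversal code"
+#endif
 
 #endif
 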
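Review bot: The new condition on line 11 uses `CONFIG_IPSEC_NAT_TRAVERSAL == 0` as preprocessor arithmetic, which becomes a syntax error the moment the macro is defined with an empty body (`-DCONFIG_IPSEC_NAT_TRAVERSAL` on the command line, or a bare `#define`) — only the `defined()` half is safe against that. If the intent is simply "the old NAT-T kernel patch is not present", `#ifndef CONFIG_IPSEC_NAT_TRAVERSAL` expresses it without the hazard; if a defined-but-zero value genuinely occurs somewhere, a comment naming that source would justify the extra test. The `#if` block this sits in (closed by the `#endif` on line 17) starts outside the hunk, so which kernel versions end up selecting HAVE_UDP_ENCAP_CONVERT cannot be checked from here.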
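diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_param.h openswan-2.6.20/linux/include/openswan/ipsec_param.h
--- openswan-2.6.20.org/linux/include/openswan/ipsec_param.h 2009-02-10 05:54:47.000000000 +0100
+++ openswan-2.6.20/linux/include/openswan/ipsec_param.h 2009-03-14 22:36:22.000000000 +0100
@@ -76,6 +76,12 @@
 #endif /* __KERNEL__ */
 
 /*
+ * These constants are used to indicate what type of NAT-T code is used
+ */
+#define NAT_OLD_STYLE 1
+#define NAT_NEW_STYLE 2
+
+/*
  * This is for the SA reference table. This number is related to the
  * maximum number of SAs that KLIPS can concurrently deal with, plus enough
  * space for keeping expired SAs around.
@@ -252,6 +258,10 @@
 #endif
 #endif
 
+#ifdef HAVE_UDP_ENCAP_CONVERT
+# define NAT_TRAVERSAL 1
+#endif
+
 #ifndef IPSEC_DEFAULT_TTL
 #define IPSEC_DEFAULT_TTL 64
 #endif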
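Review bot: NAT_OLD_STYLE and NAT_NEW_STYLE are a small wire format rather than private constants: ipsec_proc.c prints natt_available with `"%d\n"` into /proc/net/ipsec/natt and pluto's nat_traversal.c reads that back as a single character (`%c`), so any value outside 1..9 would silently break the detection on the pluto side. The comment on lines 26-27 should record that constraint, e.g. `/* Exported as one digit via /proc/net/ipsec/natt and parsed by pluto; keep values in 1..9, 0 means no NAT-T. */`.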
46 diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h openswan-2.6.20/linux/include/openswan/ipsec_rcv.h
47 --- openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h 2009-02-10 05:54:47.000000000 +0100
48 +++ openswan-2.6.20/linux/include/openswan/ipsec_rcv.h 2009-03-14 22:36:22.000000000 +0100
49 @@ -136,7 +136,7 @@
50 struct ipcomphdr *compp;
51 } ipcompstuff;
52 } protostuff;
53 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
54 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
55 __u8 natt_type;
56 __u16 natt_sport;
57 __u16 natt_dport;
58 diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h
59 --- openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h 2009-02-10 05:54:47.000000000 +0100
60 +++ openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h 2009-03-14 22:36:22.000000000 +0100
61 @@ -44,6 +44,12 @@
62 #define cf_name cf_u.cfu_name
63 };
64
65 +struct nattraversalconf
66 +{
67 + uint32_t cf_fd;
68 + uint32_t cf_type;
69 +};
70 +
71 #define IPSEC_SET_DEV (SIOCDEVPRIVATE)
72 #define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
73 #define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
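Review bot: `struct nattraversalconf` is not passed as its own ioctl argument but overlaid on `ifr_data` by both sides of the interface (`(struct nattraversalconf *)&ifr->ifr_data` in ipsec_tunnel.c and `&ifr.ifr_data` in pluto's nat_traversal.c), so its layout is an ABI between pluto and KLIPS and its fields must fit inside the `ifr_ifru` union of `struct ifreq`. Nothing in the header says so; a comment such as `/* Payload of IPSEC_UDP_ENCAP_CONVERT, stored in place in ifr.ifr_ifru: cf_fd is the caller's UDP socket fd, cf_type a UDP_ENCAP_* value. Must not grow beyond sizeof(ifr_ifru). */` would stop a later field addition from silently corrupting the request.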
74 diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h openswan-2.6.20/linux/include/openswan/ipsec_xmit.h
75 --- openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h 2009-02-10 05:54:47.000000000 +0100
76 +++ openswan-2.6.20/linux/include/openswan/ipsec_xmit.h 2009-03-14 22:36:22.000000000 +0100
77 @@ -124,7 +124,7 @@
78 #endif /* NET_21 */
79 uint32_t eroute_pid;
80 struct ipsec_sa ips;
81 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
82 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
83 uint8_t natt_type;
84 uint8_t natt_head;
85 uint16_t natt_sport;
86 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c openswan-2.6.20/linux/net/ipsec/ipsec_mast.c
87 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c 2009-02-10 05:54:47.000000000 +0100
88 +++ openswan-2.6.20/linux/net/ipsec/ipsec_mast.c 2009-03-14 22:36:22.000000000 +0100
89 @@ -235,7 +235,7 @@
90 goto cleanup;
91 }
92
93 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
94 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
95 /* do any final NAT-encapsulation */
96 stat = ipsec_nat_encap(ixs);
97 if(stat != IPSEC_XMIT_OK) {
98 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c openswan-2.6.20/linux/net/ipsec/ipsec_proc.c
99 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c 2009-02-10 05:54:47.000000000 +0100
100 +++ openswan-2.6.20/linux/net/ipsec/ipsec_proc.c 2009-03-14 22:36:22.000000000 +0100
101 @@ -368,7 +368,7 @@
102 }
103 #endif /* CONFIG_KLIPS_IPCOMP */
104
105 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
106 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
107 {
108 char *natttype_name;
109
110 @@ -635,11 +635,15 @@
111 return len;
112 }
113
114 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
115 -unsigned int natt_available = 1;
116 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
117 +unsigned int natt_available = NAT_OLD_STYLE;
118 +#else
119 +#if defined(HAVE_UDP_ENCAP_CONVERT)
120 +unsigned int natt_available = NAT_NEW_STYLE;
121 #else
122 unsigned int natt_available = 0;
123 #endif
124 +#endif
125 module_param(natt_available,int,0644);
126
127 IPSEC_PROCFS_DEBUG_NO_STATIC
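Review bot: The nested `#if … #else #if … #else … #endif #endif` on lines 116-124 (repeated on lines 134-142 in the next hunk) can be flattened with `#elif defined(HAVE_UDP_ENCAP_CONVERT)`, which drops one `#endif` per site and makes the three-way choice readable at a glance. It is also worth a comment at the definition that natt_available is no longer a boolean, since `module_param(natt_available,int,0644)` still advertises it as a plain int: `/* 0 = no NAT-T, NAT_OLD_STYLE = udp.c patch, NAT_NEW_STYLE = kernel encap_rcv hook; read by pluto from /proc/net/ipsec/natt */`.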
128 @@ -654,11 +658,15 @@
129
130 len += ipsec_snprintf(buffer + len,
131 length-len, "%d\n",
132 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
133 - 1
134 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
135 + NAT_OLD_STYLE
136 +#else
137 +#if defined(HAVE_UDP_ENCAP_CONVERT)
138 + NAT_NEW_STYLE
139 #else
140 0
141 #endif
142 +#endif
143 );
144
145 *start = buffer + (offset - begin); /* Start of wanted data */
146 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c
147 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c 2009-02-10 05:54:47.000000000 +0100
148 +++ openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c 2009-03-14 22:41:35.000000000 +0100
149 @@ -1054,7 +1054,7 @@
150 irs->sa_len ? irs->sa : " (error)");
151 }
152
153 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
154 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
155 if (irs->proto == IPPROTO_ESP) {
156 KLIPS_PRINT(debug_rcv,
157 "klips_debug:ipsec_rcv: "
158 @@ -1172,7 +1172,7 @@
159 * if skb->sk is guaranteed to be valid here.
160 * 2005-04-16: mcr@xelerance.com
161 */
162 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
163 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
164 /*
165 *
166 * XXX we should ONLY update pluto if the SA passes all checks,
167 @@ -1638,7 +1638,7 @@
168 }
169 #endif /* CONFIG_KLIPS_IPCOMP */
170
171 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
172 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
173 if ((irs->natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
174 /**
175 * NAT-Traversal and Transport Mode:
176 @@ -1943,7 +1943,116 @@
177 */
178 int klips26_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
179 {
180 - return klips26_rcv_encap(skb, udp_sk(sk)->encap_type);
181 + struct udp_sock *up = udp_sk(sk);
182 + struct udphdr *uh;
183 + struct iphdr *iph;
184 + int iphlen, len;
185 + int ret;
186 +
187 + __u8 *udpdata;
188 + __be32 *udpdata32;
189 + __u16 encap_type = up->encap_type;
190 +
191 + /* if this is not encapsulated socket, then just return now */
192 + if (!encap_type)
193 + return 1;
194 +
195 + /* If this is a paged skb, make sure we pull up
196 + * whatever data we need to look at. */
197 + len = skb->len - sizeof(struct udphdr);
198 + if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
199 + return 1;
200 +
201 + /* Now we can get the pointers */
202 + uh = udp_hdr(skb);
203 + udpdata = (__u8 *)uh + sizeof(struct udphdr);
204 + udpdata32 = (__be32 *)udpdata;
205 +
206 + switch (encap_type) {
207 + default:
208 + case UDP_ENCAP_ESPINUDP:
209 + /* Check if this is a keepalive packet. If so, eat it. */
210 + if (len == 1 && udpdata[0] == 0xff) {
211 + KLIPS_PRINT(debug_rcv,
212 + "UDP_ENCAP_ESPINUDP: keepalive packet detected\n");
213 + goto drop;
214 + } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
215 + KLIPS_PRINT(debug_rcv,
216 + "UDP_ENCAP_ESPINUDP: ESP IN UDP packet detected\n");
217 + /* ESP Packet without Non-ESP header */
218 + len = sizeof(struct udphdr);
219 + } else {
220 + /* Must be an IKE packet.. pass it through */
221 + KLIPS_PRINT(debug_rcv,
222 + "UDP_ENCAP_ESPINUDP: IKE packet detected\n");
223 + return 1;
224 + }
225 + break;
226 + case UDP_ENCAP_ESPINUDP_NON_IKE:
227 + KLIPS_PRINT(debug_rcv,
228 + "UDP_ENCAP_ESPINUDP_NON_IKE: %d\n",
229 + udpdata32[0]);
230 + /* Check if this is a keepalive packet. If so, eat it. */
231 + if (len == 1 && udpdata[0] == 0xff) {
232 + KLIPS_PRINT(debug_rcv,
233 + "UDP_ENCAP_ESPINUDP_NON_IKE: keepalive packet detected\n");
234 + goto drop;
235 + } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
236 + udpdata32[0] == 0 && udpdata32[1] == 0) {
237 + KLIPS_PRINT(debug_rcv,
238 + "UDP_ENCAP_ESPINUDP_NON_IKE: ESP IN UDP NON IKE packet detected\n");
239 + /* ESP Packet with Non-IKE marker */
240 + len = sizeof(struct udphdr) + 2 * sizeof(u32);
241 + } else {
242 + /* Must be an IKE packet.. pass it through */
243 + KLIPS_PRINT(debug_rcv,
244 + "UDP_ENCAP_ESPINUDP_NON_IKE: IKE packet detected\n");
245 + return 1;
246 + }
247 + break;
248 + }
249 +
250 + /* At this point we are sure that this is an ESPinUDP packet,
251 + * so we need to remove 'len' bytes from the packet (the UDP
252 + * header and optional ESP marker bytes) and then modify the
253 + * protocol to ESP, and then call into the transform receiver.
254 + */
255 + if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) {
256 + KLIPS_PRINT(debug_rcv,
257 + "clone or expand problem\n");
258 + goto drop;
259 + }
260 +
261 + /* Now we can update and verify the packet length... */
262 + iph = ip_hdr(skb);
263 + iphlen = iph->ihl << 2;
264 + iph->tot_len = htons(ntohs(iph->tot_len) - len);
265 + if (skb->len < iphlen + len) {
266 + /* packet is too small!?! */
267 + KLIPS_PRINT(debug_rcv,
268 + "packet too small\n");
269 + goto drop;
270 + }
271 +
272 + /* pull the data buffer up to the ESP header and set the
273 + * transport header to point to ESP. Keep UDP on the stack
274 + * for later.
275 + */
276 + __skb_pull(skb, len);
277 + skb_reset_transport_header(skb);
278 +
279 + /* modify the protocol (it's ESP!) */
280 + iph->protocol = IPPROTO_ESP;
281 +
282 + /* process ESP */
283 + KLIPS_PRINT(debug_rcv,
284 + "starting processing ESP packet\n");
285 + ret = klips26_rcv_encap(skb, encap_type);
286 + return ret;
287 +
288 +drop:
289 + kfree_skb(skb);
290 + return 0;
291 }
292
293 int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type)
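Review bot: `default:` sits directly above `case UDP_ENCAP_ESPINUDP:` on lines 207-208, so any encap_type other than the two known values is treated as plain ESP-in-UDP, and encap_type is now whatever user space supplied in `cf_type` (ipsec_tunnel.c stores it without validation). That is acceptable only if the ioctl side rejects unknown values; otherwise make `default:` here `return 1;` so an unexpected socket setting degrades to normal UDP delivery instead of ESP processing. The function's header comment ends at line 177, outside the hunk, and should now spell out the contract the new body relies on: `return 1` hands the skb back to the normal UDP receive path, the `drop:` label frees it and reports it consumed with `return 0`, and the value of `klips26_rcv_encap()` is passed through unchanged. Finally, `len` is an `int` holding `skb->len - sizeof(struct udphdr)` and is compared with `size_t` on lines 214 and 235; that is only sound because the caller (the kernel's UDP input path, presumably) has already pulled the UDP header, and a one-line comment stating that precondition would save the next reader the same analysis.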
294 @@ -2011,7 +2120,7 @@
295
296 irs->hard_header_len = skb->dev->hard_header_len;
297
298 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
299 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
300 switch(encap_type) {
301 case UDP_ENCAP_ESPINUDP:
302 irs->natt_type = ESPINUDP_WITH_NON_ESP;
303 @@ -2143,7 +2252,7 @@
304 irs->said.proto = 0;
305
306 irs->hard_header_len = 0;
307 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
308 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
309 irs->natt_type = 0;
310 irs->natt_len = 0;
311 #endif
312 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c openswan-2.6.20/linux/net/ipsec/ipsec_sa.c
313 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c 2009-02-10 05:54:47.000000000 +0100
314 +++ openswan-2.6.20/linux/net/ipsec/ipsec_sa.c 2009-03-14 22:36:22.000000000 +0100
315 @@ -1011,7 +1011,7 @@
316 }
317 ips->ips_addr_p = NULL;
318
319 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
320 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
321 if(ips->ips_natt_oa) {
322 memset((caddr_t)(ips->ips_natt_oa), 0, ips->ips_natt_oa_size);
323 kfree(ips->ips_natt_oa);
324 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c
325 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c 2009-02-10 05:54:47.000000000 +0100
326 +++ openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c 2009-03-14 22:36:22.000000000 +0100
327 @@ -99,6 +99,11 @@
328 #include <linux/udp.h>
329 #endif
330
331 +#ifdef HAVE_UDP_ENCAP_CONVERT
332 +#include <linux/file.h>
333 +#include "openswan/ipsec_rcv.h"
334 +#endif
335 +
336 static __u32 zeroes[64];
337
338 DEBUG_NO_STATIC int
339 @@ -571,7 +576,7 @@
340 return;
341 }
342
343 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
344 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
345 stat = ipsec_nat_encap(ixs);
346 if(stat != IPSEC_XMIT_OK) {
347 goto cleanup;
348 @@ -1403,19 +1408,27 @@
349
350 #ifdef HAVE_UDP_ENCAP_CONVERT
351 case IPSEC_UDP_ENCAP_CONVERT:
352 - {
353 - unsigned int *socknum =(unsigned int *)&ifr->ifr_data;
354 + {
355 + struct nattraversalconf *nf = (struct nattraversalconf *)&ifr->ifr_data;
356 + unsigned int socknum = nf->cf_fd;
357 + unsigned int encaptype = nf->cf_type;
358 struct socket *sock;
359 + struct sock *sk;
360 int err, fput_needed;
361
362 /* that's a static function in socket.c
363 * sock = sockfd_lookup_light(*socknum, &err, &fput_needed); */
364 - sock = sockfd_lookup(*socknum, &err);
365 + sock = sockfd_lookup(socknum, &err);
366 + KLIPS_PRINT(debug_tunnel
367 + , "socknum: %u, err: %d\n"
368 + , socknum, err);
369 if (!sock)
370 goto encap_out;
371
372 + sk = sock->sk;
373 +
374 /* check that it's a UDP socket */
375 - udp_sk(sk)->encap_type = UDP_ENCAP_ESPINUDP_NON_IKE;
376 + udp_sk(sk)->encap_type = encaptype;
377 udp_sk(sk)->encap_rcv = klips26_udp_encap_rcv;
378
379 KLIPS_PRINT(debug_tunnel
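Review bot: The socket returned by `sockfd_lookup()` on line 368 is written to as a UDP socket on lines 379-380 without ever checking that it is one — the comment on line 377 promises the check but no code performs it — and `encaptype` from user space is stored into `encap_type` unvalidated, so any descriptor passed in `cf_fd` (a TCP or unix socket, say) gets `udp_sk()` fields overwritten. The ioctl is reachable only by a process allowed to issue SIOCDEVPRIVATE requests, which limits the exposure, but the kernel side should still verify `sock->type == SOCK_DGRAM` and `sk->sk_protocol == IPPROTO_UDP` and accept only UDP_ENCAP_ESPINUDP / UDP_ENCAP_ESPINUDP_NON_IKE, as udp_lib_setsockopt() does for UDP_ENCAP. Two smaller points: `err` is assigned by `sockfd_lookup()` only on failure, so the debug print on lines 369-371 reads an uninitialized `int` on the success path (`int err = 0, fput_needed;` fixes it), and the reference taken by `sockfd_lookup()` must be released with `sockfd_put(sock)` on every exit — the rest of the handler, including `encap_out`, is outside the hunk, so I cannot confirm that it is.
```c
	struct socket *sock;
	struct sock *sk;
	int err = 0, fput_needed;
	/* … unchanged: sockfd_lookup() and the socknum/err debug print … */
	if (!sock)
		goto encap_out;

	sk = sock->sk;

	/* udp_sk() is only meaningful for a UDP socket, and the receive hook
	 * understands exactly two encapsulation types */
	if (sock->type != SOCK_DGRAM || sk->sk_protocol != IPPROTO_UDP
	    || (encaptype != UDP_ENCAP_ESPINUDP
		&& encaptype != UDP_ENCAP_ESPINUDP_NON_IKE)) {
		KLIPS_PRINT(debug_tunnel,
			    "fd %u is not a UDP socket or encap type %u unknown\n",
			    socknum, encaptype);
		sockfd_put(sock);
		goto encap_out; /* TODO confirm encap_out reports failure to the caller */
	}

	udp_sk(sk)->encap_type = encaptype;
	udp_sk(sk)->encap_rcv = klips26_udp_encap_rcv;
	/* … unchanged: debug print and the remainder of the case … */
```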
380 @@ -1976,7 +1989,7 @@
381 ixs->ips.ips_ident_s.data = NULL;
382 ixs->ips.ips_ident_d.data = NULL;
383 ixs->outgoing_said.proto = 0;
384 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
385 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
386 ixs->natt_type = 0, ixs->natt_head = 0;
387 ixs->natt_sport = 0, ixs->natt_dport = 0;
388 #endif
389 diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c
390 --- openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c 2009-02-10 05:54:47.000000000 +0100
391 +++ openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c 2009-03-14 22:36:22.000000000 +0100
392 @@ -1597,7 +1597,7 @@
393 ixs->tailroom += ixs->blocksize != 1 ?
394 ((ixs->blocksize - ((ixs->pyldsz + 2) % ixs->blocksize)) % ixs->blocksize) + 2 :
395 ((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
396 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
397 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
398 if ((ixs->ipsp->ips_natt_type) && (!ixs->natt_type)) {
399 ixs->natt_type = ixs->ipsp->ips_natt_type;
400 ixs->natt_sport = ixs->ipsp->ips_natt_sport;
401 @@ -1762,7 +1762,7 @@
402 }
403 #endif /* MSS_HACK */
404
405 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
406 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
407 if ((ixs->natt_type) && (ixs->outgoing_said.proto != IPPROTO_IPIP)) {
408 /**
409 * NAT-Traversal and Transport Mode:
410 @@ -1929,7 +1929,7 @@
411 }
412 #endif /* NETDEV_23 */
413
414 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
415 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
416 enum ipsec_xmit_value ipsec_nat_encap(struct ipsec_xmit_state *ixs)
417 {
418 if (ixs->natt_type && ixs->natt_head) {
419 diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c
420 --- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c 2009-02-10 05:54:47.000000000 +0100
421 +++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c 2009-03-14 22:36:22.000000000 +0100
422 @@ -716,7 +716,7 @@
423 }
424
425
426 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
427 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
428 int
429 pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
430 {
431 diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c
432 --- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c 2009-02-10 05:54:47.000000000 +0100
433 +++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c 2009-03-14 22:36:22.000000000 +0100
434 @@ -405,7 +405,7 @@
435 struct sadb_msg *pfkey_reply = NULL;
436 struct socket_list *pfkey_socketsp;
437 uint8_t satype = ((struct sadb_msg*)extensions[K_SADB_EXT_RESERVED])->sadb_msg_satype;
438 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
439 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
440 struct ipsec_sa *nat_t_ips_saved = NULL;
441 #endif
442 KLIPS_PRINT(debug_pfkey,
443 @@ -453,7 +453,7 @@
444 sa_len ? sa : " (error)",
445 extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
446
447 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
448 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
449 if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) {
450 KLIPS_PRINT(debug_pfkey,
451 "klips_debug:pfkey_update_parse: only updating NAT-T ports "
452 @@ -622,7 +622,7 @@
453 pfkey_socketsp->socketp);
454 }
455
456 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
457 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
458 if (nat_t_ips_saved) {
459 /**
460 * As we _really_ update existing SA, we keep tdbq and need to delete
461 @@ -2547,7 +2547,7 @@
462 return error;
463 }
464
465 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
466 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
467 int
468 pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr,
469 __u16 sport)
470 @@ -2707,7 +2707,7 @@
471 pfkey_address_process,
472 pfkey_x_debug_process,
473 pfkey_x_protocol_process,
474 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
475 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
476 pfkey_x_nat_t_type_process,
477 pfkey_x_nat_t_port_process,
478 pfkey_x_nat_t_port_process,
479 @@ -2812,7 +2812,7 @@
480 pfkey_x_addflow_parse,
481 pfkey_x_delflow_parse,
482 pfkey_x_msg_debug_parse,
483 -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
484 +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
485 pfkey_x_nat_t_new_mapping_parse,
486 #else
487 NULL,
488 diff -Naur openswan-2.6.20.org/programs/pluto/nat_traversal.c openswan-2.6.20/programs/pluto/nat_traversal.c
489 --- openswan-2.6.20.org/programs/pluto/nat_traversal.c 2009-02-10 05:54:47.000000000 +0100
490 +++ openswan-2.6.20/programs/pluto/nat_traversal.c 2009-03-14 22:36:22.000000000 +0100
491 @@ -24,11 +24,15 @@
492 #include <string.h>
493 #include <unistd.h>
494 #include <signal.h> /* used only if MSG_NOSIGNAL not defined */
495 +#include <sys/ioctl.h>
496 +#include <net/if.h>
497
498 #include <openswan.h>
499 #include <openswan/ipsec_policy.h>
500 #include <openswan/pfkeyv2.h>
501 #include <openswan/pfkey.h>
502 +#include <openswan/ipsec_param.h>
503 +#include <openswan/ipsec_tunnel.h>
504
505 #include "sysdep.h"
506 #include "constants.h"
507 @@ -68,6 +72,8 @@
508
509 #define DEFAULT_KEEP_ALIVE_PERIOD 20
510
511 +static unsigned int nat_traversal_type = 0;
512 +
513 bool nat_traversal_enabled = FALSE;
514 bool nat_traversal_support_non_ike = FALSE;
515 bool nat_traversal_support_port_floating = FALSE;
516 @@ -101,6 +107,10 @@
517 nat_traversal_support_port_floating=FALSE;
518 openswan_log(" KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)\n");
519 }
520 + else {
521 + nat_traversal_type = atoi(&n);
522 + openswan_log(" KLIPS using NAT-Traversal Method %c\n", n);
523 + }
524 fclose(f);
525 }
526 }
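Review bot: `atoi(&n)` on line 521 takes the address of what the `%c` on the next line shows to be a single `char`, but atoi() expects a NUL-terminated string, so it reads past `n` into whatever follows it on the stack; the result is right only by luck and is undefined behaviour regardless. Convert the digit directly: `nat_traversal_type = (n >= '0' && n <= '9') ? (unsigned int)(n - '0') : 0;`. The enclosing function and the declaration of `n` lie outside the hunk, so the assumption that `n` is a lone `char` read from /proc/net/ipsec/natt should be checked against them.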
527 @@ -667,7 +677,22 @@
528 int nat_traversal_espinudp_socket (int sk, const char *fam, u_int32_t type)
529 {
530 int r;
531 - r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
532 + if (nat_traversal_type == NAT_OLD_STYLE) {
533 + loglog(RC_LOG_SERIOUS,
534 + "NAT-Traversal: Trying old style NAT-T");
535 + r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
536 + }
537 + if (nat_traversal_type == NAT_NEW_STYLE) {
538 + loglog(RC_LOG_SERIOUS,
539 + "NAT-Traversal: Trying new style NAT-T");
540 + struct ifreq ifr;
541 + struct nattraversalconf *ntc=(struct nattraversalconf *)&ifr.ifr_data;
542 + memset(&ifr, 0, sizeof(ifr));
543 + strcpy(ifr.ifr_name, "ipsec0");
544 + ntc->cf_fd = sk;
545 + ntc->cf_type = type;
546 + r = ioctl(sk, IPSEC_UDP_ENCAP_CONVERT, &ifr);
547 + }
548 if ((r<0) && (errno == ENOPROTOOPT)) {
549 loglog(RC_LOG_SERIOUS,
550 "NAT-Traversal: ESPINUDP(%d) not supported by kernel for family %s"
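Review bot: `r` is declared without an initializer on line 533 and assigned only inside the two `if` blocks, so when nat_traversal_type is neither NAT_OLD_STYLE nor NAT_NEW_STYLE — it stays 0 whenever /proc/net/ipsec/natt could not be read, per the hunk at @@ -101 — the `r<0` test on line 548 reads an indeterminate value and the error report depends on stale `errno`. Initialise both ahead of the branches, `int r = -1;` and `errno = ENOPROTOOPT;`, so the existing "not supported by kernel" message covers the no-NAT-T case without changing the caller-visible contract. The new-style branch also needs a comment explaining why a device ioctl is issued on the UDP socket `sk` with `ifr_name` forced to `"ipsec0"`: SIOCDEVPRIVATE-range requests are dispatched by the kernel on `ifr_name`, so the request reaches the KLIPS handler only when an `ipsec0` device exists, which ties pluto to that fixed device name. The declarations after `loglog()` inside the block (`struct ifreq ifr;` on line 540) are C99 mixed declarations, fine only if the rest of pluto is already built that way.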