[people/teissler/ipfire-2.x.git] / src / patches / openswan-2.4.7.kernel-2.6-natt.patch

packaging/utils/nattpatch 2.6
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ nat-t/include/net/xfrmudp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
--- /distros/kernel/linux-2.6.11.2/net/ipv4/Kconfig	2005-03-09 03:12:33.000000000 -0500
+++ swan26/net/ipv4/Kconfig	2005-04-04 18:46:13.000000000 -0400
@@ -351,2 +351,8 @@
 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 config IP_TCPDIAG
--- plain26/net/ipv4/udp.c.orig	2006-01-02 22:21:10.000000000 -0500
+++ plain26/net/ipv4/udp.c	2006-01-10 20:07:21.000000000 -0500
@@ -108,11 +108,14 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 #include <net/xfrm.h>
+#include <net/xfrmudp.h>
 
 /*
  *	Snmp MIB for the UDP layer
  */
 
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
+
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics) __read_mostly;
 
 struct hlist_head udp_hash[UDP_HTABLE_SIZE];
@@ -894,6 +897,42 @@
 	sk_common_release(sk);
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+/* if XFRM isn't a module, then register it directly. */
+#if 0 && !defined(CONFIG_XFRM_MODULE) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
+#else
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+#endif
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+			       , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+#if 0
+  if(xfrm4_rcv_encap_func != NULL)
+    return -1;
+#endif
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = NULL;
+  return 0;
+}
+#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+
+
 /* return:
  * 	1  if the the UDP system should process it
  *	0  if we should drop this packet
@@ -901,9 +940,9 @@
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
 	return 1; 
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
 	struct udp_sock *up = udp_sk(sk);
   	struct udphdr *uh = skb->h.uh;
 	struct iphdr *iph;
@@ -915,11 +954,11 @@
 
 	/* if we're overly short, let UDP handle it */
 	len = skb->len - sizeof(struct udphdr);
 	if (len <= 0)
-		return 1;
+		return 2;
 
 	/* if this is not encapsulated socket, then just return now */
 	if (!encap_type)
-		return 1;
+		return 3;
 
 	len = skb->tail - udpdata;
@@ -934,7 +973,7 @@
 			len = sizeof(struct udphdr);
 		} else
 			/* Must be an IKE packet.. pass it through */
-			return 1;
+			return 4;
 		break;
 	case UDP_ENCAP_ESPINUDP_NON_IKE:
 		/* Check if this is a keepalive packet.  If so, eat it. */
@@ -947,7 +986,7 @@
 			len = sizeof(struct udphdr) + 2 * sizeof(u32);
 		} else
 			/* Must be an IKE packet.. pass it through */
-			return 1;
+			return 5;
 		break;
 	}
 
@@ -1021,10 +1060,14 @@
 			return 0;
 		}
 		if (ret < 0) {
-			/* process the ESP packet */
-			ret = xfrm4_rcv_encap(skb, up->encap_type);
-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
-			return -ret;
+ 			if(xfrm4_rcv_encap_func != NULL) {
+ 			  ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+ 			  UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+ 			} else {
+ 			  UDP_INC_STATS_BH(UDP_MIB_INERRORS);
+ 			  ret = 1;
+ 			}
+			return ret;
 		}
 		/* FALLTHROUGH -- it's a UDP Packet */
 	}
@@ -1114,7 +1157,6 @@
 /*
  *	All we need to do is get the socket, and then do a checksum. 
  */
- 
 int udp_rcv(struct sk_buff *skb)
 {
   	struct sock *sk;
@@ -1571,3 +1613,9 @@
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+
Commit	Line	Data
376e42ce MT	1	packaging/utils/nattpatch 2.6
	2	--- /dev/null Tue Mar 11 13:02:56 2003
	3	+++ nat-t/include/net/xfrmudp.h Mon Feb 9 13:51:03 2004
	4	@@ -0,0 +1,10 @@
	5	+/*
	6	+ * pointer to function for type that xfrm4_input wants, to permit
	7	+ * decoupling of XFRM from udp.c
	8	+ */
	9	+#define HAVE_XFRM4_UDP_REGISTER
	10	+
	11	+typedef int (xfrm4_rcv_encap_t)(struct sk_buff skb, __u16 encap_type);
	12	+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
	13	+ , xfrm4_rcv_encap_t *oldfunc);
	14	+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
	15	--- /distros/kernel/linux-2.6.11.2/net/ipv4/Kconfig 2005-03-09 03:12:33.000000000 -0500
	16	+++ swan26/net/ipv4/Kconfig 2005-04-04 18:46:13.000000000 -0400
	17	@@ -351,2 +351,8 @@
	18
	19	+config IPSEC_NAT_TRAVERSAL
	20	+ bool "IPSEC NAT-Traversal (KLIPS compatible)"
	21	+ depends on INET
	22	+ ---help---
	23	+ Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
	24	+
	25	config IP_TCPDIAG
	26	--- plain26/net/ipv4/udp.c.orig 2006-01-02 22:21:10.000000000 -0500
	27	+++ plain26/net/ipv4/udp.c 2006-01-10 20:07:21.000000000 -0500
	28	@@ -108,11 +108,14 @@
	29	#include <net/inet_common.h>
	30	#include <net/checksum.h>
	31	#include <net/xfrm.h>
	32	+#include <net/xfrmudp.h>
	33
	34	/*
	35	* Snmp MIB for the UDP layer
	36	*/
	37
	38	+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
	39	+
	40	DEFINE_SNMP_STAT(struct udp_mib, udp_statistics) __read_mostly;
	41
	42	struct hlist_head udp_hash[UDP_HTABLE_SIZE];
	43	@@ -894,6 +897,42 @@
	44	sk_common_release(sk);
	45	}
	46
	47	+#if defined(CONFIG_XFRM) \|\| defined(CONFIG_IPSEC_NAT_TRAVERSAL)
	48	+
	49	+/* if XFRM isn't a module, then register it directly. */
	50	+#if 0 && !defined(CONFIG_XFRM_MODULE) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
	51	+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
	52	+#else
	53	+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
	54	+#endif
	55	+
	56	+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
	57	+ , xfrm4_rcv_encap_t *oldfunc)
	58	+{
	59	+ if(oldfunc != NULL) {
	60	+ *oldfunc = xfrm4_rcv_encap_func;
	61	+ }
	62	+
	63	+#if 0
	64	+ if(xfrm4_rcv_encap_func != NULL)
65	+ return -1;
66	+#endif
67	+
68	+ xfrm4_rcv_encap_func = func;
69	+ return 0;
70	+}
71	+
72	+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
73	+{
74	+ if(xfrm4_rcv_encap_func != func)
75	+ return -1;
76	+
77	+ xfrm4_rcv_encap_func = NULL;
78	+ return 0;
79	+}
80	+#endif /* CONFIG_XFRM_MODULE \|\| CONFIG_IPSEC_NAT_TRAVERSAL */
81	+
82	+
83	/* return:
84	* 1 if the the UDP system should process it
85	* 0 if we should drop this packet
86	@@ -901,9 +940,9 @@
87	*/
88	static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
89	{
90	-#ifndef CONFIG_XFRM
91	+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
92	return 1;
93	-#else
94	+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
95	struct udp_sock *up = udp_sk(sk);
96	struct udphdr *uh = skb->h.uh;
97	struct iphdr *iph;
98	@@ -915,11 +954,11 @@
99
100	/* if we're overly short, let UDP handle it */
101	len = skb->len - sizeof(struct udphdr);
102	if (len <= 0)
103	- return 1;
104	+ return 2;
105
106	/* if this is not encapsulated socket, then just return now */
107	if (!encap_type)
108	- return 1;
109	+ return 3;
110
111	len = skb->tail - udpdata;
112	@@ -934,7 +973,7 @@
113	len = sizeof(struct udphdr);
114	} else
115	/* Must be an IKE packet.. pass it through */
116	- return 1;
117	+ return 4;
118	break;
119	case UDP_ENCAP_ESPINUDP_NON_IKE:
120	/* Check if this is a keepalive packet. If so, eat it. */
121	@@ -947,7 +986,7 @@
122	len = sizeof(struct udphdr) + 2 * sizeof(u32);
123	} else
124	/* Must be an IKE packet.. pass it through */
125	- return 1;
126	+ return 5;
127	break;
128	}
129
130	@@ -1021,10 +1060,14 @@
131	return 0;
132	}
133	if (ret < 0) {
134	- /* process the ESP packet */
135	- ret = xfrm4_rcv_encap(skb, up->encap_type);
136	- UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
137	- return -ret;
138	+ if(xfrm4_rcv_encap_func != NULL) {
139	+ ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
140	+ UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
141	+ } else {
142	+ UDP_INC_STATS_BH(UDP_MIB_INERRORS);
143	+ ret = 1;
144	+ }
145	+ return ret;
146	}
147	/* FALLTHROUGH -- it's a UDP Packet */
148	}
149	@@ -1114,7 +1157,6 @@
150	/*
151	* All we need to do is get the socket, and then do a checksum.
152	*/
153	-
154	int udp_rcv(struct sk_buff *skb)
155	{
156	struct sock *sk;
157	@@ -1571,3 +1613,9 @@
158	EXPORT_SYMBOL(udp_proc_register);
159	EXPORT_SYMBOL(udp_proc_unregister);
160	#endif
161	+
162	+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
163	+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
164	+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
165	+#endif
166	+