openwrt/target/linux/generic-2.6/patches-2.6.23/120-openswan-2.4.0.kernel-2.6-natt.patch

98 lines
2.8 KiB
Diff
Raw Normal View History

Index: linux-2.6.23.17/include/net/xfrmudp.h
===================================================================
--- /dev/null
+++ linux-2.6.23.17/include/net/xfrmudp.h
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+ , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
Index: linux-2.6.23.17/net/ipv4/Kconfig
===================================================================
--- linux-2.6.23.17.orig/net/ipv4/Kconfig
+++ linux-2.6.23.17/net/ipv4/Kconfig
@@ -224,6 +224,12 @@ config NET_IPGRE_BROADCAST
Network), but can be distributed all over the Internet. If you want
to do that, say Y here and to "IP multicast routing" below.
+config IPSEC_NAT_TRAVERSAL
+ bool "IPSEC NAT-Traversal (KLIPS compatible)"
+ depends on INET
+ ---help---
+ Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
config IP_MROUTE
bool "IP: multicast routing"
depends on IP_MULTICAST
Index: linux-2.6.23.17/net/ipv4/xfrm4_input.c
===================================================================
--- linux-2.6.23.17.orig/net/ipv4/xfrm4_input.c
+++ linux-2.6.23.17/net/ipv4/xfrm4_input.c
@@ -15,6 +15,7 @@
#include <linux/netfilter_ipv4.h>
#include <net/ip.h>
#include <net/xfrm.h>
+#include <net/xfrmudp.h>
static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
{
@@ -161,6 +162,29 @@ drop:
return 0;
}
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
+ xfrm4_rcv_encap_t *oldfunc)
+{
+ if(oldfunc != NULL)
+ *oldfunc = xfrm4_rcv_encap_func;
+
+ xfrm4_rcv_encap_func = func;
+ return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+ if(xfrm4_rcv_encap_func != func)
+ return -1;
+
+ xfrm4_rcv_encap_func = NULL;
+ return 0;
+}
+#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
+
/* If it's a keepalive packet, then just eat it.
* If it's an encapsulated packet, then pass it to the
* IPsec xfrm input.
@@ -251,7 +275,13 @@ int xfrm4_udp_encap_rcv(struct sock *sk,
iph->protocol = IPPROTO_ESP;
/* process ESP */
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+ if(xfrm4_rcv_encap_func == NULL)
+ goto drop;
+ ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+#else
ret = xfrm4_rcv_encap(skb, encap_type);
+#endif
return ret;
drop:
@@ -265,3 +295,8 @@ int xfrm4_rcv(struct sk_buff *skb)
}
EXPORT_SYMBOL(xfrm4_rcv);
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif