On Wed, 02 Apr 2008 09:46:23 +0200, Vincent Bernat <[EMAIL PROTECTED]> wrote:

> Well, this does not work on 2.6.24 because Openswan is not yet compatible
> with 2.6.24:
>  http://bugs.xelerance.com/view.php?id=912
>  http://bugs.xelerance.com/view.php?id=894
> 
> I hope this will be fixed soon. I suppose that 2.5.x has the same bug.

I have tested your package on 2.6.22. It works fine. However,
linux-patch-openswan does not apply the NATT patch, because that patch is broken
against recent 2.6.22 kernels; this is an upstream problem. Here is a working patch
for 2.6.22.19, but I am not sure how to apply it cleanly. Maybe you could
try several patches and apply the one that works. If you need a patch
for this behaviour, I can work on it.

Thanks.
packaging/utils/nattpatch 2.6
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ nat-t/include/net/xfrmudp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+                                     , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
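Review bot: The new header has no include guard and uses `struct sk_buff` and `__u16` without declaring them, so it only compiles when the includer has already pulled in `<linux/skbuff.h>`; the `HAVE_XFRM4_UDP_REGISTER` define suggests out-of-tree code is expected to include it as well. Wrap the file in `#ifndef _NET_XFRMUDP_H` / `#define _NET_XFRMUDP_H` / `#endif` and add `struct sk_buff;` ahead of the typedef. The two prototypes also deserve a short comment stating the contract the implementation in udp.c relies on: that the registrant owns the skb once its function is called, that `*oldfunc` receives whatever hook was installed before, and that a module must unregister before it is unloaded.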
--- /distros/kernel/linux-2.6.11.2/net/ipv4/Kconfig     2005-03-09 
03:12:33.000000000 -0500
+++ swan26/net/ipv4/Kconfig     2005-04-04 18:46:13.000000000 -0400
@@ -351,2 +351,8 @@
 
+config IPSEC_NAT_TRAVERSAL
+       bool "IPSEC NAT-Traversal (KLIPS compatible)"
+       depends on INET
+       ---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 config IP_TCPDIAG
--- plain26/net/ipv4/udp.c.orig 2006-01-02 22:21:10.000000000 -0500
+++ plain26/net/ipv4/udp.c      2006-01-12 20:18:57.000000000 -0500
@@ -110,2 +110,3 @@
 #include <net/xfrm.h>
+#include <net/xfrmudp.h>
 
@@ -894,6 +897,44 @@
        sk_common_release(sk);
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+/* if XFRM isn't a module, then register it directly. */
+#if !defined(CONFIG_XFRM_MODULE) 
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
+#else
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+#endif
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+                              , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+#if 0
+  if(xfrm4_rcv_encap_func != NULL)
+    return -1;
+#endif
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = NULL;
+  return 0;
+}
+#endif /* CONFIG_XFRM || defined(CONFIG_IPSEC_NAT_TRAVERSAL)*/
+
+
 /* return:
  *     1  if the the UDP system should process it
  *     0  if we should drop this packet
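Review bot: `xfrm4_rcv_encap_func` is stored by udp4_register_esp_rcvencap/udp4_unregister_esp_rcvencap and read on the receive path (the `(*xfrm4_rcv_encap_func)(skb, ...)` call in the udp_queue_rcv_skb hunk below) with no lock, barrier or RCU, so a registrant can be unregistered and its module unloaded between the NULL test and the indirect call; publishing with `rcu_assign_pointer(xfrm4_rcv_encap_func, func);`, reading through `rcu_dereference(xfrm4_rcv_encap_func)`, and adding `synchronize_rcu();` after clearing the hook in unregister would close that window, assuming the receive path runs in softirq context as it appears to. The unregister path also stores NULL instead of restoring the value it displaced, so in the built-in XFRM configuration the default `xfrm4_rcv_encap` handler is lost for good once a registrant goes away, and with the `#if 0` check disabled a second registration silently takes over from the first without that first registrant ever knowing; refusing a second registration while a non-default hook is installed and restoring the previous hook on unregister would keep ownership explicit. The second `static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;` after the `#endif` is a redundant tentative definition of the same object and should be dropped.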
@@ -901,9 +940,9 @@
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
        return 1; 
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
        struct udp_sock *up = udp_sk(sk);
        struct udphdr *uh;
        struct iphdr *iph;
@@ -1021,10 +1060,14 @@
                        return 0;
                }
                if (ret < 0) {
-                       /* process the ESP packet */
-                       ret = xfrm4_rcv_encap(skb, up->encap_type);
-                       UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
-                       return -ret;
+                       if(xfrm4_rcv_encap_func != NULL) {
+                         ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+                         UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
+                       } else {
+                         UDP_INC_STATS_BH(UDP_MIB_INERRORS, up->pcflag);
+                         ret = 1;
+                       }
+                       return ret;
                }
                /* FALLTHROUGH -- it's a UDP Packet */
        }
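Review bot: The new `else` branch counts an INERRORS event and returns 1 without freeing or queueing `skb`, whereas the removed lines always handed the skb to `xfrm4_rcv_encap`, which owned it from then on. Unless the caller of udp_queue_rcv_skb frees the skb on a positive return (the function begins before this hunk, so that is not visible here), this leaks one skb for every ESP-in-UDP packet that arrives while no handler is registered; the `return 0;` branch just above suggests the drop convention in this function, and `kfree_skb(skb); return 0;` after the INERRORS count would follow it. The handler branch returns `ret` where the removed code returned `-ret`, so if a registered function ever returns non-zero the sign seen by the caller is flipped; if the new convention is intended, state it in the header comment for `xfrm4_rcv_encap_t`. The unsynchronized read of `xfrm4_rcv_encap_func` is raised on the hunk that defines it above.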
@@ -1571,3 +1613,9 @@
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+
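Review bot: The exports are guarded by `CONFIG_IPSEC_NAT_TRAVERSAL` alone, while the functions are compiled under `CONFIG_XFRM || CONFIG_IPSEC_NAT_TRAVERSAL` and the header declares them unconditionally, so with XFRM enabled and NAT-traversal disabled the registration API is built into the kernel but unreachable from any module. In the `CONFIG_XFRM_MODULE` branch of the earlier hunk the hook then starts out NULL with no way to install one, which sends every ESP-in-UDP packet down the INERRORS path. Using the same condition here, `#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)`, keeps the three places consistent.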
