diff -Nurb linux-1-11/include/net/sock.h linux/include/net/sock.h --- linux-1-11/include/net/sock.h 2004-11-18 09:55:07.377211480 +0100 +++ linux/include/net/sock.h 2004-11-18 09:55:43.605703912 +0100 @@ -256,6 +256,13 @@ __u32 end_seq; }; +#if 1 +#define UDP_OPT_IN_SOCK 1 +struct udp_opt { + __u32 esp_in_udp; +}; +#endif + struct tcp_opt { int tcp_header_len; /* Bytes of tcp header to send */ @@ -601,6 +608,9 @@ #if defined(CONFIG_SPX) || defined (CONFIG_SPX_MODULE) struct spx_opt af_spx; #endif /* CONFIG_SPX */ +#if 1 + struct udp_opt af_udp; +#endif } tp_pinfo; diff -Nurb linux-1-11/net/Config.in linux/net/Config.in --- linux-1-11/net/Config.in 2004-11-18 09:55:07.545185944 +0100 +++ linux/net/Config.in 2004-11-18 09:55:43.627700568 +0100 @@ -102,4 +102,6 @@ tristate 'Packet Generator (USE WITH CAUTION)' CONFIG_NET_PKTGEN endmenu +bool 'IPSEC NAT-Traversal' CONFIG_IPSEC_NAT_TRAVERSAL + endmenu diff -Nurb linux-1-11/net/ipv4/udp.c linux/net/ipv4/udp.c --- linux-1-11/net/ipv4/udp.c 2004-11-18 09:55:07.958123168 +0100 +++ linux/net/ipv4/udp.c 2004-11-18 09:55:43.638698896 +0100 @@ -804,6 +804,9 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) { +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL + struct udp_opt *tp = &(sk->tp_pinfo.af_udp); +#endif /* * Charge it to the socket, dropping if the queue is full. */ @@ -821,6 +824,40 @@ } #endif +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL + if (tp->esp_in_udp) { + /* + * Set skb->sk and xmit packet to ipsec_rcv. + * + * If ret != 0, ipsec_rcv refused the packet (not ESPinUDP), + * restore skb->sk and fall back to sock_queue_rcv_skb + */ + struct inet_protocol *esp = NULL; + +#if defined(CONFIG_IPSEC) && !defined(CONFIG_IPSEC_MODULE) + /* optomize only when we know it is statically linked */ + extern struct inet_protocol esp_protocol; + esp = &esp_protocol; +#else + for (esp = (struct inet_protocol *)inet_protos[IPPROTO_ESP & (MAX_INET_PROTOS - 1)]; + (esp) && (esp->protocol != IPPROTO_ESP); + esp = esp->next); +#endif + + if (esp && esp->handler) { + struct sock *sav_sk = skb->sk; + skb->sk = sk; + if (esp->handler(skb) == 0) { + skb->sk = sav_sk; + /*not sure we might count ESPinUDP as UDP...*/ + UDP_INC_STATS_BH(UdpInDatagrams); + return 0; + } + skb->sk = sav_sk; + } + } +#endif + if (sock_queue_rcv_skb(sk,skb)<0) { UDP_INC_STATS_BH(UdpInErrors); IP_INC_STATS_BH(IpInDiscards); @@ -1044,13 +1081,49 @@ return len; } +static int udp_setsockopt(struct sock *sk, int level, int optname, + char *optval, int optlen) +{ + struct udp_opt *tp = &(sk->tp_pinfo.af_udp); + int val; + int err = 0; + + if (level != SOL_UDP) + return ip_setsockopt(sk, level, optname, optval, optlen); + + if(optlen<sizeof(int)) + return -EINVAL; + + if (get_user(val, (int *)optval)) + return -EFAULT; + + lock_sock(sk); + + switch(optname) { +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL +#ifndef UDP_ESPINUDP +#define UDP_ESPINUDP 100 +#endif + case UDP_ESPINUDP: + tp->esp_in_udp = val; + break; +#endif + default: + err = -ENOPROTOOPT; + break; + } + + release_sock(sk); + return err; +} + struct proto udp_prot = { name: "UDP", close: udp_close, connect: udp_connect, disconnect: udp_disconnect, ioctl: udp_ioctl, - setsockopt: ip_setsockopt, + setsockopt: udp_setsockopt, getsockopt: ip_getsockopt, sendmsg: udp_sendmsg, recvmsg: udp_recvmsg,