mirror of https://github.com/hak5/openwrt.git
92 lines
2.4 KiB
Diff
92 lines
2.4 KiB
Diff
--- /dev/null
|
|
+++ b/include/net/xfrmudp.h
|
|
@@ -0,0 +1,10 @@
|
|
+/*
|
|
+ * pointer to function for type that xfrm4_input wants, to permit
|
|
+ * decoupling of XFRM from udp.c
|
|
+ */
|
|
+#define HAVE_XFRM4_UDP_REGISTER
|
|
+
|
|
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
|
|
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
|
|
+ , xfrm4_rcv_encap_t *oldfunc);
|
|
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
|
|
--- a/net/ipv4/Kconfig
|
|
+++ b/net/ipv4/Kconfig
|
|
@@ -224,6 +224,12 @@ config NET_IPGRE_BROADCAST
|
|
Network), but can be distributed all over the Internet. If you want
|
|
to do that, say Y here and to "IP multicast routing" below.
|
|
|
|
+config IPSEC_NAT_TRAVERSAL
|
|
+ bool "IPSEC NAT-Traversal (KLIPS compatible)"
|
|
+ depends on INET
|
|
+ ---help---
|
|
+ Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
|
|
+
|
|
config IP_MROUTE
|
|
bool "IP: multicast routing"
|
|
depends on IP_MULTICAST
|
|
--- a/net/ipv4/xfrm4_input.c
|
|
+++ b/net/ipv4/xfrm4_input.c
|
|
@@ -15,6 +15,7 @@
|
|
#include <linux/netfilter_ipv4.h>
|
|
#include <net/ip.h>
|
|
#include <net/xfrm.h>
|
|
+#include <net/xfrmudp.h>
|
|
|
|
static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
|
|
{
|
|
@@ -161,6 +162,29 @@ drop:
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
|
|
+
|
|
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
|
|
+ xfrm4_rcv_encap_t *oldfunc)
|
|
+{
|
|
+ if(oldfunc != NULL)
|
|
+ *oldfunc = xfrm4_rcv_encap_func;
|
|
+
|
|
+ xfrm4_rcv_encap_func = func;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
|
|
+{
|
|
+ if(xfrm4_rcv_encap_func != func)
|
|
+ return -1;
|
|
+
|
|
+ xfrm4_rcv_encap_func = NULL;
|
|
+ return 0;
|
|
+}
|
|
+#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
|
|
+
|
|
/* If it's a keepalive packet, then just eat it.
|
|
* If it's an encapsulated packet, then pass it to the
|
|
* IPsec xfrm input.
|
|
@@ -251,7 +275,13 @@ int xfrm4_udp_encap_rcv(struct sock *sk,
|
|
iph->protocol = IPPROTO_ESP;
|
|
|
|
/* process ESP */
|
|
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
+ if(xfrm4_rcv_encap_func == NULL)
|
|
+ goto drop;
|
|
+ ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
|
|
+#else
|
|
ret = xfrm4_rcv_encap(skb, encap_type);
|
|
+#endif
|
|
return ret;
|
|
|
|
drop:
|
|
@@ -265,3 +295,8 @@ int xfrm4_rcv(struct sk_buff *skb)
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm4_rcv);
|
|
+
|
|
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
|
|
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
|
|
+#endif
|