buildroot/package/openswan/linux-2.6.21.5-openswan-2.4.8.kernel-2.6-natt.patch

diff -rduNp linux-2.6.21.5.orig/include/net/xfrmudp.h linux-2.6.21.5/include/net/xfrmudp.h
--- linux-2.6.21.5.orig/include/net/xfrmudp.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.5/include/net/xfrmudp.h	2007-06-21 10:53:38.000000000 +0200
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
diff -rduNp linux-2.6.21.5.orig/net/ipv4/Kconfig linux-2.6.21.5/net/ipv4/Kconfig
--- linux-2.6.21.5.orig/net/ipv4/Kconfig	2007-06-11 20:37:06.000000000 +0200
+++ linux-2.6.21.5/net/ipv4/Kconfig	2007-06-21 10:53:38.000000000 +0200
@@ -349,6 +349,12 @@ config SYN_COOKIES
 	  be taken as absolute truth.
 
 	  SYN cookies may prevent correct error reporting on clients when the
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 	  server is really overloaded. If this happens frequently better turn
 	  them off.
 
diff -rduNp linux-2.6.21.5.orig/net/ipv4/udp.c linux-2.6.21.5/net/ipv4/udp.c
--- linux-2.6.21.5.orig/net/ipv4/udp.c	2007-06-11 20:37:06.000000000 +0200
+++ linux-2.6.21.5/net/ipv4/udp.c	2007-06-21 10:56:18.000000000 +0200
@@ -108,6 +108,7 @@
  */
 
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics) __read_mostly;
+#include <net/xfrmudp.h>
 
 struct hlist_head udp_hash[UDP_HTABLE_SIZE];
 DEFINE_RWLOCK(udp_hash_lock);
@@ -915,6 +916,44 @@ int udp_disconnect(struct sock *sk, int 
 	return 0;
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+/* if XFRM isn't a module, then register it directly. */
+#if !defined(CONFIG_XFRM_MODULE) 
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
+#else
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+#endif
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+			       , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+#if 0
+  if(xfrm4_rcv_encap_func != NULL)
+    return -1;
+#endif
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = NULL;
+  return 0;
+}
+#endif /* CONFIG_XFRM || defined(CONFIG_IPSEC_NAT_TRAVERSAL)*/
+
+
 /* return:
  * 	1  if the the UDP system should process it
  *	0  if we should drop this packet
@@ -922,9 +961,9 @@ int udp_disconnect(struct sock *sk, int 
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
 	return 1;
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
 	struct udp_sock *up = udp_sk(sk);
 	struct udphdr *uh;
 	struct iphdr *iph;
@@ -1052,9 +1091,14 @@ int udp_queue_rcv_skb(struct sock * sk, 
 		}
 		if (ret < 0) {
 			/* process the ESP packet */
-			ret = xfrm4_rcv_encap(skb, up->encap_type);
-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
-			return -ret;
+			if (xfrm4_rcv_encap_func != NULL) {
+				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
+			} else {
+				UDP_INC_STATS_BH(UDP_MIB_INERRORS, up->pcflag);
+				ret = 1;
+			}
+			return ret;
 		}
 		/* FALLTHROUGH -- it's a UDP Packet */
 	}
@@ -1733,3 +1777,9 @@ EXPORT_SYMBOL(udp_poll);
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+