buildroot/package/openswan/linux-2.6.22.6-openswan-2.4.9.kernel-2.6-natt.patch

diff -rdupN linux-2.6.22.6.oorig/include/net/xfrmudp.h linux-2.6.22.6/include/net/xfrmudp.h
--- linux-2.6.22.6.oorig/include/net/xfrmudp.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.22.6/include/net/xfrmudp.h	2007-09-17 06:10:19.000000000 +0200
@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
diff -rdupN linux-2.6.22.6.oorig/net/ipv4/Kconfig linux-2.6.22.6/net/ipv4/Kconfig
--- linux-2.6.22.6.oorig/net/ipv4/Kconfig	2007-08-31 08:21:01.000000000 +0200
+++ linux-2.6.22.6/net/ipv4/Kconfig	2007-09-17 06:13:08.000000000 +0200
@@ -362,6 +360,15 @@ config SYN_COOKIES
 
 	  If unsure, say N.
 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
+	  server is really overloaded. If this happens frequently better turn
+	  them off.
+
 config INET_AH
 	tristate "IP: AH transformation"
 	select XFRM
diff -rdupN linux-2.6.22.6.oorig/net/ipv4/udp.c linux-2.6.22.6/net/ipv4/udp.c
--- linux-2.6.22.6.oorig/net/ipv4/udp.c	2007-08-31 08:21:01.000000000 +0200
+++ linux-2.6.22.6/net/ipv4/udp.c	2007-09-17 06:10:19.000000000 +0200
@@ -108,6 +108,7 @@
  */
 
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics) __read_mostly;
+#include <net/xfrmudp.h>
 
 struct hlist_head udp_hash[UDP_HTABLE_SIZE];
 DEFINE_RWLOCK(udp_hash_lock);
@@ -919,6 +920,44 @@ int udp_disconnect(struct sock *sk, int 
 	return 0;
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+/* if XFRM isn't a module, then register it directly. */
+#if !defined(CONFIG_XFRM_MODULE) 
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
+#else
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+#endif
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+			       , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+#if 0
+  if(xfrm4_rcv_encap_func != NULL)
+    return -1;
+#endif
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = NULL;
+  return 0;
+}
+#endif /* CONFIG_XFRM || defined(CONFIG_IPSEC_NAT_TRAVERSAL)*/
+
+
 /* return:
  * 	1  if the UDP system should process it
  *	0  if we should drop this packet
@@ -926,9 +965,9 @@ int udp_disconnect(struct sock *sk, int 
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
 	return 1;
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
 	struct udp_sock *up = udp_sk(sk);
 	struct udphdr *uh;
 	struct iphdr *iph;
@@ -1056,10 +1095,14 @@ int udp_queue_rcv_skb(struct sock * sk, 
 			return 0;
 		}
 		if (ret < 0) {
-			/* process the ESP packet */
-			ret = xfrm4_rcv_encap(skb, up->encap_type);
-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
-			return -ret;
+ 			if(xfrm4_rcv_encap_func != NULL) {
+ 			  ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+ 			  UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
+ 			} else {
+ 			  UDP_INC_STATS_BH(UDP_MIB_INERRORS, up->pcflag);
+ 			  ret = 1;
+ 			}
+			return ret;
 		}
 		/* FALLTHROUGH -- it's a UDP Packet */
 	}
@@ -1742,3 +1785,9 @@ EXPORT_SYMBOL(udp_poll);
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+