Switch back to Kernel 2.6.23.16 + openswan 2.4.13

config/install/rc

@@ -32,10 +32,11 @@ ln -s /proc/kcore /dev/core
 echo "Starting syslogd"
 syslogd -O /dev/tty4
 
-echo "Load scsi_mod & libata"
-modprobe scsi_mod
-modprobe libata
+echo "Loading scsi_mod & libata"
+/sbin/modprobe scsi_mod
+/sbin/modprobe libata
 
+sleep 1
 echo "Starting udev daemon"
 /sbin/udevd --daemon
 /sbin/udevtrigger
@@ -46,5 +47,6 @@ for file in /dev/.udev/failed/*/uevent ; do
 	echo "add" >"${file}"
 done 2>/dev/null
 /sbin/udevsettle
+sleep 2
 
 echo "Loading Installer..."

config/rootfiles/common/collectd

@@ -35,7 +35,7 @@ usr/lib/collectd/hddtemp.so
 #usr/lib/collectd/interface.la
 usr/lib/collectd/interface.so
 #usr/lib/collectd/iptables.la
-#usr/lib/collectd/iptables.so #### temporary disabled ####
+usr/lib/collectd/iptables.so
 #usr/lib/collectd/irq.la
 usr/lib/collectd/irq.so
 #usr/lib/collectd/load.la

config/rootfiles/common/ipp2p

@@ -1,3 +1,3 @@
 #lib/modules/2.6.16/kernel/net/ipv4/netfilter/ipt_ipp2p.ko
-#lib/iptables/libipt_ipp2p.so
+#lib/iptables/libipt_ipp2p.so # doesnt work with kernel 2.6.23.17
 #lib/modules/2.6.16-smp/kernel/net/ipv4/netfilter/ipt_ipp2p.ko

config/rootfiles/common/kqemu

@@ -1,2 +1,2 @@
-lib/modules/KVER-ipfire/misc/kqemu.ko
+#lib/modules/KVER-ipfire/misc/kqemu.ko	# doesnt work in non-smp mode yet
 lib/modules/KVER-ipfire-smp/misc/kqemu.ko

config/rootfiles/core/16/files

@@ -1,9 +0,0 @@
-lib/modules/KVER-ipfire/kernel/net/ipsec/ipsec.ko
-lib/modules/KVER-ipfire-smp/kernel/net/ipsec/ipsec.ko
-usr/lib/ipsec
-usr/libexec/ipsec
-usr/sbin/ipsec
-var/run/pluto
-lib/libpcre.so.0
-lib/libpcre.so.0.0.1
-usr/lib/libpcre.so

config/rootfiles/core/16/update.sh

@@ -2,5 +2,4 @@
 . /opt/pakfire/lib/functions.sh
 /usr/local/bin/backupctrl exclude >/dev/null 2>&1
 extract_files
-perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
-/etc/init.d/mISDN config
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"

config/rootfiles/updater/filelists/collectd

@@ -35,7 +35,7 @@ usr/lib/collectd/hddtemp.so
 #usr/lib/collectd/interface.la
 usr/lib/collectd/interface.so
 #usr/lib/collectd/iptables.la
-#usr/lib/collectd/iptables.so #### temporary disabled ####
+usr/lib/collectd/iptables.so
 #usr/lib/collectd/irq.la
 usr/lib/collectd/irq.so
 #usr/lib/collectd/load.la

config/rootfiles/updater/update.sh

@@ -26,7 +26,7 @@
 #
 OLDVERSION=`grep "version = " /opt/pakfire/etc/pakfire.conf | cut -d'"' -f2`
 NEWVERSION="2.3"
-KVER="2.6.24.7"
+KVER="2.6.23.17"
 ROOT=`grep "root=" /boot/grub/grub.conf | cut -d"=" -f2 | cut -d" " -f1 | tail -n 1`
 MOUNT=`grep "kernel" /boot/grub/grub.conf | tail -n 1`
 # Nur den letzten Parameter verwenden

lfs/collectd

@@ -78,11 +78,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var \
-		--disable-{apple_sensors,csv,iptables,ipvs,mbmon,memcached,mysql} \
+		--disable-{apple_sensors,csv,ipvs,mbmon,memcached,mysql} \
 		--disable-{netlink,nginx,nut,perl,serial,snmp,tape,vserver,wireless,xmms} \
 		--disable-{perl,serial,snmp,tape,vserver,wireless,xmms} \
 		--enable-{apcups,battery,cpu{,freq},df,disk,dns,email,entropy,exec,hddtemp} \
-		--enable-{interface,irq,load,logfile,memory,multimeter} \
+		--enable-{interface,iptables,irq,load,logfile,memory,multimeter} \
 		--enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \
 		--enable-{tcpconns,unixsock,users} \
 		--with-rrdtool=/usr/share/rrdtool-1.2.15 --enable-debug

lfs/ipp2p

@@ -60,7 +60,7 @@ $(TARGET) :
 	@rm -rf $(DIR_APP) && mkdir -p $(DIR_APP)
 	@cp -vf $(DIR_SRC)/src/ipp2p/* $(DIR_APP)
 	cd $(DIR_SRC) && rm -rf iptables-*
-	cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.4.0.tar.bz2
+	cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.3.8.tar.bz2
 	cd $(DIR_SRC) && ln -sf iptables-* iptables
 ifeq "$(SMP)" "1"
 	cd $(DIR_APP) && make ipt_ipp2p.ko

lfs/iptables

@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.4.0
+VER        = 1.3.8
 
 THISAPP    = iptables-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -37,18 +37,18 @@ TARGET     = $(DIR_INFO)/$(THISAPP)
 ###############################################################################
 objects = 	$(DL_FILE) \
 			netfilter-layer7-v2.18.tar.gz \
-			libnfnetlink-0.0.39.tar.bz2 \
-			libnetfilter_queue-0.0.16.tar.bz2
+			libnfnetlink-0.0.25.tar.bz2 \
+			libnetfilter_queue-0.0.13.tar.bz2
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 netfilter-layer7-v2.18.tar.gz 		= $(URL_IPFIRE)/netfilter-layer7-v2.18.tar.gz
-libnfnetlink-0.0.39.tar.bz2		= $(URL_IPFIRE)/libnfnetlink-0.0.39.tar.bz2
-libnetfilter_queue-0.0.16.tar.bz2	= $(URL_IPFIRE)/libnetfilter_queue-0.0.16.tar.bz2
+libnfnetlink-0.0.25.tar.bz2		= $(URL_IPFIRE)/libnfnetlink-0.0.25.tar.bz2
+libnetfilter_queue-0.0.13.tar.bz2	= $(URL_IPFIRE)/libnetfilter_queue-0.0.13.tar.bz2
 
-$(DL_FILE)_MD5 = 90cfa8a554a29b0b859a625e701af2a7
+$(DL_FILE)_MD5 = 0a9209f928002e5eee9cdff8fef4d4b3
 netfilter-layer7-v2.18.tar.gz_MD5 = 8d2e2c00f5c20e8c0852998035aeffd2
-libnfnetlink-0.0.39.tar.bz2_MD5 = 348fed8c1edbe5b873ffc7b192140093
-libnetfilter_queue-0.0.16.tar.bz2_MD5 = b36664e6cd39edbfe46b416a86118add
+libnfnetlink-0.0.25.tar.bz2_MD5 = fc915a2e66d282e524af6ef939042d7d
+libnetfilter_queue-0.0.13.tar.bz2_MD5 = 660cbfd3dc8c10bf9b1803cd2b688256
 
 install : $(TARGET)
 
@@ -77,17 +77,15 @@ $(subst %,%_MD5,$(objects)) :
 
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
-	@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.39 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.16
+	@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.25 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.13
 
 	@cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.18.tar.gz
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/netfilter-layer7-v2.18/iptables-1.3-for-kernel-2.6.20forward-layer7-2.18.patch
 
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/netfilter-layer7-v2.18/iptables-1.4-for-kernel-2.6.20forward-layer7-2.18.patch
-	chmod +x $(DIR_APP)/extensions/.layer7-test*
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.3.6-imq.diff
+	chmod +x $(DIR_APP)/extensions/.IMQ-test*  $(DIR_APP)/extensions/.layer7-test*
 
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.3.0-imq1.diff
-	chmod +x $(DIR_APP)/extensions/.IMQ-test*
-	
 	# hack to disable IPv6 compilation as the configuration variable does not work when ip6.h is present
 	cd $(DIR_APP) && sed -i -e 's/DO_IPV6:=1/DO_IPV6:=0/' Makefile
 	cd $(DIR_APP) && make BINDIR=/sbin MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux LIBDIR=/lib $(MAKETUNING)
@@ -97,15 +95,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && cp -vf include/libiptc/{libiptc.h,ipt_kernel_headers.h} \
 		/usr/include/libiptc
 
-	cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnfnetlink-0.0.39.tar.bz2
-	cd $(DIR_SRC)/libnfnetlink-0.0.39 && ./configure --prefix=/usr
-	cd $(DIR_SRC)/libnfnetlink-0.0.39 && make
-	cd $(DIR_SRC)/libnfnetlink-0.0.39 && make install
+	cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnfnetlink-0.0.25.tar.bz2
+	cd $(DIR_SRC)/libnfnetlink-0.0.25 && ./configure --prefix=/usr
+	cd $(DIR_SRC)/libnfnetlink-0.0.25 && make
+	cd $(DIR_SRC)/libnfnetlink-0.0.25 && make install
 
-	cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnetfilter_queue-0.0.16.tar.bz2
-	cd $(DIR_SRC)/libnetfilter_queue-0.0.16 && ./configure --prefix=/usr
-	cd $(DIR_SRC)/libnetfilter_queue-0.0.16 && make
-	cd $(DIR_SRC)/libnetfilter_queue-0.0.16 && make install
-	@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.39 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.16
+	cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnetfilter_queue-0.0.13.tar.bz2
+	cd $(DIR_SRC)/libnetfilter_queue-0.0.13 && ./configure --prefix=/usr
+	cd $(DIR_SRC)/libnetfilter_queue-0.0.13 && make
+	cd $(DIR_SRC)/libnetfilter_queue-0.0.13 && make install
+	@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.25 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.13
 	@$(POSTBUILD)
-

lfs/klibc

@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.5.10
+VER        = 1.5
 
 THISAPP    = klibc-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -42,7 +42,7 @@ objects = $(DL_FILE) \
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 klibc-extras-2.2.tar.gz = $(DL_FROM)/klibc-extras-2.2.tar.gz
 
-$(DL_FILE)_MD5 = baf6b522e427aae9c8f511b9c57193bd
+$(DL_FILE)_MD5 = d55ce89c0656a7d6896ec0b2af07b5dc
 klibc-extras-2.2.tar.gz_MD5 = 7e5042978531048c369f59ca1a13055b
 
 install : $(TARGET)

lfs/kqemu

@@ -78,16 +78,16 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	
-ifeq "$(SMP)" "1"
-	mkdir -p /lib/modules/$(KVER)-ipfire-smp/misc/
-	cd $(DIR_APP) && ./configure --prefix=/usr --kernel-path=/lib/modules/$(KVER)-ipfire-smp/build/
+	cd $(DIR_APP) && ./configure --prefix=/usr --kernel-path=/usr/src/linux
 	cd $(DIR_APP) && make $(MAKETUNING)
+		
+ifeq "$(SMP)" "1"
+#	cd $(DIR_APP) && ./configure --prefix=/usr --kernel-path=/lib/modules/$(KVER)-ipfire-smp/build/
+#	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && install -m 644 kqemu.ko /lib/modules/$(KVER)-ipfire-smp/misc/
 else
-	mkdir -p /lib/modules/$(KVER)-ipfire/misc/
-	cd $(DIR_APP) && ./configure --prefix=/usr --kernel-path=/lib/modules/$(KVER)-ipfire/build/
-	cd $(DIR_APP) && make $(MAKETUNING)
+#	cd $(DIR_APP) && ./configure --prefix=/usr --kernel-path=/lib/modules/$(KVER)-ipfire/build/
+#	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && install -m 644 kqemu.ko /lib/modules/$(KVER)-ipfire/misc/
 endif
 	

lfs/linux

@@ -24,8 +24,8 @@
 
 include Config
 
-PATCHLEVEL = .7
-VER        = 2.6.24.7
+PATCHLEVEL = .17
+VER        = 2.6.23.17
 
 THISAPP    = linux-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -58,7 +58,7 @@ patch-2.6.16-nath323-1.3.bz2		= $(URL_IPFIRE)/patch-2.6.16-nath323-1.3.bz2
 squashfs3.3.tgz				= $(URL_IPFIRE)/squashfs3.3.tgz
 mISDN-1_1_8.tar.gz			= $(URL_IPFIRE)/mISDN-1_1_8.tar.gz
 
-$(DL_FILE)_MD5				= 40a73780d51525d28d36dec852c680c4
+$(DL_FILE)_MD5				= a0300a393ac91ce9c64bf31522b45e2e
 netfilter-layer7-v2.18.tar.gz_MD5	= 8d2e2c00f5c20e8c0852998035aeffd2
 patch-2.6.16-nath323-1.3.bz2_MD5	= f926409ff703a307baf54b57ab75d138
 squashfs3.3.tgz_MD5			= 95c40fca0d886893631b5de14a0af25b
@@ -97,20 +97,16 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Security fix for CIFS & Netfilter SNMP
 #	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.20.21-additional_check_on_BER_decoding.patch
 
-	# Add USB ID of US-Robotics USR805423 to ZD1211 driver
-#	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.20.21-zd1211-usrobotics-usbid.patch
-
-	# Openswan
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.6.16dr2-2.6.24-kernel.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.6.16dr2-2.6.24-natt.patch
+	# Openswan nat-t
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
 
 	# Reiser4
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/reiser4-for-2.6.24.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/reiser4-for-2.6.23.patch
 
 	# SquashFS
 	cd $(DIR_SRC) && rm -rf squashfs*
 	cd $(DIR_SRC) && tar xfz $(DIR_DL)/squashfs3.3.tgz
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/squashfs3.3/kernel-patches/linux-2.6.24/squashfs3.3-patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/squashfs3.3/kernel-patches/linux-2.6.23/squashfs3.3-patch
 
 	# ip_conntrack permissions from 440 to 444
 #	cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/ip_conntrack_standalone-patch-for-ipfire.patch
@@ -122,7 +118,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Linux Intermediate Queueing Device
 ifeq "$(XEN)" ""
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.24-imq.diff
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.23-imq.diff
 endif
 
 	# mISDN

lfs/openswan

@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.6.16dr2
+VER        = 2.4.13
 
 THISAPP    = openswan-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 8bf347f1d2219dd9277adb2b34720bf9
+$(DL_FILE)_MD5 = 0c2505cf2639a7de051e815f41e8e1f4
 
 install : $(TARGET)
 
@@ -78,13 +78,14 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ifeq "$(KMOD)" "1"
+	cd $(DIR_APP) && make KERNELSRC=/usr/src/linux module
+	cd $(DIR_APP) && make minstall
+else
 	cd $(DIR_APP) && sed -i \
 		-e 's%^INC_USRLOCAL.*$$%INC_USRLOCAL=/usr%' \
-		-e 's%^USERCOMPILE.*$$%USERCOMPILE=$(CFLAGS)%' Makefile.inc
-
-	cd $(DIR_APP) && sed -e 's/-Werror//g' -i programs/Makefile.program
-	cd $(DIR_APP) && sed -e 's/-Werror//g' -i lib/liblwres/Makefile
-
+		-e 's%^USERCOMPILE.*$$%USERCOMPILE=$(CFLAGS)%' \
+		-e 's%^KLIPSCOMPILE.*$$%KLIPSCOMPILE=$(CFLAGS)%' Makefile.inc
 	cd $(DIR_APP) && make programs
 	cd $(DIR_APP) && make install
 	
@@ -99,9 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
 	ln -sf $(CONFIG_ROOT)/crls  /etc/ipsec.d/crls
 	
-	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.14-startklips-1.patch
-	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.14-updown-1.patch
-#	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.9-updown_x509-1.patch
-#	cd /etc/ipsec.d/policies && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.9-clear-1.patch
+	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.12-startklips-1.patch
+	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.9-updown-1.patch
+	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.9-updown_x509-1.patch
+	cd /etc/ipsec.d/policies && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.4.9-clear-1.patch
+endif	
 	#@rm -rf $(DIR_APP)
 	@$(POSTBUILD)

make.sh

@@ -334,10 +334,10 @@ buildipfire() {
   ipfiremake rp-pppoe
   ipfiremake unzip
   ipfiremake linux			SMP=1
-#  ipfiremake linux-fusion		SMP=1
+  ipfiremake linux-fusion		SMP=1
 #  ipfiremake ipp2p			SMP=1
-#  ipfiremake r8169			SMP=1
-#  ipfiremake r8168			SMP=1
+  ipfiremake r8169			SMP=1
+  ipfiremake r8168			SMP=1
 #  ipfiremake atl1			SMP=1
   ipfiremake atl2			SMP=1
   ipfiremake kqemu			SMP=1
@@ -345,13 +345,13 @@ buildipfire() {
   ipfiremake madwifi                    SMP=1
   ipfiremake sane		KMOD=1	SMP=1
   ipfiremake linux
-#  ipfiremake linux-fusion
+  ipfiremake linux-fusion
 #  ipfiremake ipp2p
-#  ipfiremake r8169
-#  ipfiremake r8168
+  ipfiremake r8169
+  ipfiremake r8168
 #  ipfiremake atl1
   ipfiremake atl2
-  ipfiremake kqemu
+#  ipfiremake kqemu
   ipfiremake v4l-dvb
   ipfiremake madwifi
   ipfiremake sane		KMOD=1

src/install+setup/install/main.c

@@ -116,6 +116,9 @@ int main(int argc, char *argv[])
 	mysystem("/sbin/modprobe usb-storage");
 	mysystem("/sbin/modprobe usbhid");
 
+	mysystem("/bin/sleep 3"); 
+	mysystem("/sbin/modprobe ahci"); // SATA AHCI Host controller
+
 	mysystem("/sbin/modprobe iso9660"); // CDROM
 	mysystem("/sbin/modprobe ext2"); // Boot patition
 	mysystem("/sbin/modprobe vfat"); // USB key

src/patches/iptables-1.3.6-imq.diff

@@ -0,0 +1,221 @@
+--- iptables-1.3.6.orig/extensions.orig/.IMQ-test6	Thu Jan  1 01:00:00 1970
++++ iptables-1.3.6/extensions/.IMQ-test6	Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ
+--- iptables-1.3.6.orig/extensions.orig/libip6t_IMQ.c	Thu Jan  1 01:00:00 1970
++++ iptables-1.3.6/extensions/libip6t_IMQ.c	Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,101 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++	printf(
++"IMQ target v%s options:\n"
++"  --todev <N>		enqueue to imq<N>, defaults to 0\n", 
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++	{ "todev", 1, 0, '1' },
++	{ 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct ip6t_entry_target *t, unsigned int *nfcache)
++{
++	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
++
++	mr->todev = 0;
++	*nfcache |= NFC_UNKNOWN;
++}
++
++/* Function which parses command options; returns true if it
++   ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++      const struct ip6t_entry *entry,
++      struct ip6t_entry_target **target)
++{
++	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
++	
++	switch(c) {
++	case '1':
++		if (check_inverse(optarg, &invert, NULL, 0))
++			exit_error(PARAMETER_PROBLEM,
++				   "Unexpected `!' after --todev");
++		mr->todev=atoi(optarg);
++		break;
++	default:
++		return 0;
++	}
++	return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const struct ip6t_ip6 *ip,
++      const struct ip6t_entry_target *target,
++      int numeric)
++{
++	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++	printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
++{
++	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++	printf("--todev %u", mr->todev);
++}
++
++static struct ip6tables_target imq = {
++	.next		= NULL,
++	.name		= "IMQ",
++	.version	= IPTABLES_VERSION,
++	.size		= IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++	.help		= &help,
++	.init		= &init,
++	.parse		= &parse,
++	.final_check	= &final_check,
++	.print		= &print,
++	.save		= &save,
++	.extra_opts	= opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++	register_target6(&imq);
++}
+--- iptables-1.3.6.orig/extensions.orig/.IMQ-test	Thu Jan  1 01:00:00 1970
++++ iptables-1.3.6/extensions/.IMQ-test	Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ
+--- iptables-1.3.6.orig/extensions.orig/libipt_IMQ.c	Thu Jan  1 01:00:00 1970
++++ iptables-1.3.6/extensions/libipt_IMQ.c	Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,101 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++	printf(
++"IMQ target v%s options:\n"
++"  --todev <N>		enqueue to imq<N>, defaults to 0\n", 
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++	{ "todev", 1, 0, '1' },
++	{ 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct ipt_entry_target *t, unsigned int *nfcache)
++{
++	struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
++
++	mr->todev = 0;
++	*nfcache |= NFC_UNKNOWN;
++}
++
++/* Function which parses command options; returns true if it
++   ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++      const struct ipt_entry *entry,
++      struct ipt_entry_target **target)
++{
++	struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
++	
++	switch(c) {
++	case '1':
++		if (check_inverse(optarg, &invert, NULL, 0))
++			exit_error(PARAMETER_PROBLEM,
++				   "Unexpected `!' after --todev");
++		mr->todev=atoi(optarg);
++		break;
++	default:
++		return 0;
++	}
++	return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const struct ipt_ip *ip,
++      const struct ipt_entry_target *target,
++      int numeric)
++{
++	struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++	printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
++{
++	struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++	printf("--todev %u", mr->todev);
++}
++
++static struct iptables_target imq = {
++	.next		= NULL,
++	.name		= "IMQ",
++	.version	= IPTABLES_VERSION,
++	.size		= IPT_ALIGN(sizeof(struct ipt_imq_info)),
++	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_imq_info)),
++	.help		= &help,
++	.init		= &init,
++	.parse		= &parse,
++	.final_check	= &final_check,
++	.print		= &print,
++	.save		= &save,
++	.extra_opts	= opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++	register_target(&imq);
++}
+

src/patches/linux-2.6.23-imq.diff

@@ -0,0 +1,864 @@
+diff -Naurw linux-2.6.23/drivers/net/imq.c linux-2.6.23.imq/drivers/net/imq.c
+--- linux-2.6.23/drivers/net/imq.c	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/drivers/net/imq.c	2007-10-01 09:59:23.000000000 -0300
+@@ -0,0 +1,400 @@
++/*
++ *             Pseudo-driver for the intermediate queue device.
++ *
++ *             This program is free software; you can redistribute it and/or
++ *             modify it under the terms of the GNU General Public License
++ *             as published by the Free Software Foundation; either version
++ *             2 of the License, or (at your option) any later version.
++ *
++ * Authors:    Patrick McHardy, <kaber@trash.net>
++ *
++ *            The first version was written by Martin Devera, <devik@cdi.cz>
++ *
++ * Credits:    Jan Rafaj <imq2t@cedric.vabo.cz>
++ *              - Update patch to 2.4.21
++ *             Sebastian Strollo <sstrollo@nortelnetworks.com>
++ *              - Fix "Dead-loop on netdevice imq"-issue
++ *             Marcel Sebek <sebek64@post.cz>
++ *              - Update to 2.6.2-rc1
++ *
++ *	       After some time of inactivity there is a group taking care
++ *	       of IMQ again: http://www.linuximq.net
++ *
++ *
++ *	       2004/06/30 - New version of IMQ patch to kernels <=2.6.7 including
++ *	       the following changes:
++ *
++ *	       - Correction of ipv6 support "+"s issue (Hasso Tepper)
++ *	       - Correction of imq_init_devs() issue that resulted in
++ *	       kernel OOPS unloading IMQ as module (Norbert Buchmuller)
++ *	       - Addition of functionality to choose number of IMQ devices
++ *	       during kernel config (Andre Correa)
++ *	       - Addition of functionality to choose how IMQ hooks on
++ *	       PRE and POSTROUTING (after or before NAT) (Andre Correa)
++ *	       - Cosmetic corrections (Norbert Buchmuller) (Andre Correa)
++ *
++ *
++ *             2005/12/16 - IMQ versions between 2.6.7 and 2.6.13 were
++ *             released with almost no problems. 2.6.14-x was released
++ *             with some important changes: nfcache was removed; After
++ *             some weeks of trouble we figured out that some IMQ fields
++ *             in skb were missing in skbuff.c - skb_clone and copy_skb_header.
++ *             These functions are correctly patched by this new patch version.
++ *
++ *             Thanks for all who helped to figure out all the problems with
++ *             2.6.14.x: Patrick McHardy, Rune Kock, VeNoMouS, Max CtRiX,
++ *             Kevin Shanahan, Richard Lucassen, Valery Dachev (hopefully
++ *             I didn't forget anybody). I apologize again for my lack of time.
++ *
++ *             More info at: http://www.linuximq.net/ (Andre Correa)
++ */
++
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/netdevice.h>
++#include <linux/rtnetlink.h>
++#include <linux/if_arp.h>
++#include <linux/netfilter.h>
++#include <linux/netfilter_ipv4.h>
++#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
++	#include <linux/netfilter_ipv6.h>
++#endif
++#include <linux/imq.h>
++#include <net/pkt_sched.h>
++
++extern int qdisc_restart1(struct net_device *dev);
++
++static nf_hookfn imq_nf_hook;
++
++static struct nf_hook_ops imq_ingress_ipv4 = {
++	.hook		= imq_nf_hook,
++	.owner		= THIS_MODULE,
++	.pf		= PF_INET,
++	.hooknum	= NF_IP_PRE_ROUTING,
++#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
++	.priority	= NF_IP_PRI_MANGLE + 1
++#else
++	.priority	= NF_IP_PRI_NAT_DST + 1
++#endif
++};
++
++static struct nf_hook_ops imq_egress_ipv4 = {
++	.hook		= imq_nf_hook,
++	.owner		= THIS_MODULE,
++	.pf		= PF_INET,
++	.hooknum	= NF_IP_POST_ROUTING,
++#if defined(CONFIG_IMQ_BEHAVIOR_AA) || defined(CONFIG_IMQ_BEHAVIOR_BA)
++	.priority	= NF_IP_PRI_LAST
++#else
++	.priority	= NF_IP_PRI_NAT_SRC - 1
++#endif
++};
++
++#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
++static struct nf_hook_ops imq_ingress_ipv6 = {
++	.hook		= imq_nf_hook,
++	.owner		= THIS_MODULE,
++	.pf		= PF_INET6,
++	.hooknum	= NF_IP6_PRE_ROUTING,
++#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
++	.priority	= NF_IP6_PRI_MANGLE + 1
++#else
++	.priority	= NF_IP6_PRI_NAT_DST + 1
++#endif
++};
++
++static struct nf_hook_ops imq_egress_ipv6 = {
++	.hook		= imq_nf_hook,
++	.owner		= THIS_MODULE,
++	.pf		= PF_INET6,
++	.hooknum	= NF_IP6_POST_ROUTING,
++#if defined(CONFIG_IMQ_BEHAVIOR_AA) || defined(CONFIG_IMQ_BEHAVIOR_BA)
++	.priority	= NF_IP6_PRI_LAST
++#else
++	.priority	= NF_IP6_PRI_NAT_SRC - 1
++#endif
++};
++#endif
++
++#if defined(CONFIG_IMQ_NUM_DEVS)
++static unsigned int numdevs = CONFIG_IMQ_NUM_DEVS;
++#else
++static unsigned int numdevs = 16;
++#endif
++
++static struct net_device *imq_devs;
++
++static struct net_device_stats *imq_get_stats(struct net_device *dev)
++{
++	return (struct net_device_stats *)dev->priv;
++}
++
++/* called for packets kfree'd in qdiscs at places other than enqueue */
++static void imq_skb_destructor(struct sk_buff *skb)
++{
++	struct nf_info *info = skb->nf_info;
++
++	if (info) {
++		if (info->indev)
++			dev_put(info->indev);
++		if (info->outdev)
++			dev_put(info->outdev);
++		kfree(info);
++	}
++}
++
++static int imq_dev_xmit(struct sk_buff *skb, struct net_device *dev)
++{
++	struct net_device_stats *stats = (struct net_device_stats*) dev->priv;
++
++	stats->tx_bytes += skb->len;
++	stats->tx_packets++;
++
++	skb->imq_flags = 0;
++	skb->destructor = NULL;
++
++	dev->trans_start = jiffies;
++	nf_reinject(skb, skb->nf_info, NF_ACCEPT);
++	return 0;
++}
++
++static int imq_nf_queue(struct sk_buff *skb, struct nf_info *info, unsigned queue_num, void *data)
++{
++	struct net_device *dev;
++	struct net_device_stats *stats;
++	struct sk_buff *skb2 = NULL;
++	struct Qdisc *q;
++	unsigned int index = skb->imq_flags&IMQ_F_IFMASK;
++	int ret = -1;
++
++	if (index > numdevs)
++		return -1;
++
++	dev = imq_devs + index;
++	if (!(dev->flags & IFF_UP)) {
++		skb->imq_flags = 0;
++		nf_reinject(skb, info, NF_ACCEPT);
++		return 0;
++	}
++	dev->last_rx = jiffies;
++
++	if (skb->destructor) {
++		skb2 = skb;
++		skb = skb_clone(skb, GFP_ATOMIC);
++		if (!skb)
++			return -1;
++	}
++	skb->nf_info = info;
++
++	stats = (struct net_device_stats *)dev->priv;
++	stats->rx_bytes+= skb->len;
++	stats->rx_packets++;
++
++	spin_lock_bh(&dev->queue_lock);
++	q = dev->qdisc;
++	if (q->enqueue) {
++		q->enqueue(skb_get(skb), q);
++		if (skb_shared(skb)) {
++			skb->destructor = imq_skb_destructor;
++			kfree_skb(skb);
++			ret = 0;
++		}
++	}
++	if (spin_is_locked(&dev->_xmit_lock))
++		netif_schedule(dev);
++	else
++		while (!netif_queue_stopped(dev) && qdisc_restart1(dev) < 0)
++			/* NOTHING */;
++
++	spin_unlock_bh(&dev->queue_lock);
++
++	if (skb2)
++		kfree_skb(ret ? skb : skb2);
++
++	return ret;
++}
++
++static struct nf_queue_handler nfqh = {
++	.name  = "imq",
++	.outfn = imq_nf_queue,
++};
++
++static unsigned int imq_nf_hook(unsigned int hook, struct sk_buff **pskb,
++				const struct net_device *indev,
++				const struct net_device *outdev,
++				int (*okfn)(struct sk_buff *))
++{
++	if ((*pskb)->imq_flags & IMQ_F_ENQUEUE)
++		return NF_QUEUE;
++
++	return NF_ACCEPT;
++}
++
++
++static int __init imq_init_hooks(void)
++{
++	int err;
++
++	err = nf_register_queue_handler(PF_INET, &nfqh);
++	if (err > 0)
++		goto err1;
++	if ((err = nf_register_hook(&imq_ingress_ipv4)))
++		goto err2;
++	if ((err = nf_register_hook(&imq_egress_ipv4)))
++		goto err3;
++#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
++	if ((err = nf_register_queue_handler(PF_INET6, &nfqh)))
++		goto err4;
++	if ((err = nf_register_hook(&imq_ingress_ipv6)))
++		goto err5;
++	if ((err = nf_register_hook(&imq_egress_ipv6)))
++		goto err6;
++#endif
++
++	return 0;
++
++#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
++err6:
++	nf_unregister_hook(&imq_ingress_ipv6);
++err5:
++	nf_unregister_queue_handler(PF_INET6, &nfqh);
++err4:
++	nf_unregister_hook(&imq_egress_ipv4);
++#endif
++err3:
++	nf_unregister_hook(&imq_ingress_ipv4);
++err2:
++	nf_unregister_queue_handler(PF_INET, &nfqh);
++err1:
++	return err;
++}
++
++static void __exit imq_unhook(void)
++{
++#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
++	nf_unregister_hook(&imq_ingress_ipv6);
++	nf_unregister_hook(&imq_egress_ipv6);
++	nf_unregister_queue_handler(PF_INET6, &nfqh);
++#endif
++	nf_unregister_hook(&imq_ingress_ipv4);
++	nf_unregister_hook(&imq_egress_ipv4);
++	nf_unregister_queue_handler(PF_INET, &nfqh);
++}
++
++static int __init imq_dev_init(struct net_device *dev)
++{
++	dev->hard_start_xmit    = imq_dev_xmit;
++	dev->type               = ARPHRD_VOID;
++	dev->mtu                = 16000;
++	dev->tx_queue_len       = 11000;
++	dev->flags              = IFF_NOARP;
++	dev->priv = kzalloc(sizeof(struct net_device_stats), GFP_KERNEL);
++	if (dev->priv == NULL)
++		return -ENOMEM;
++	dev->get_stats          = imq_get_stats;
++
++	return 0;
++}
++
++static void imq_dev_uninit(struct net_device *dev)
++{
++	kfree(dev->priv);
++}
++
++static int __init imq_init_devs(void)
++{
++	struct net_device *dev;
++	int i,j;
++	j = numdevs;
++
++	if (!numdevs || numdevs > IMQ_MAX_DEVS) {
++		printk(KERN_ERR "IMQ: numdevs has to be betweed 1 and %u\n",
++		       IMQ_MAX_DEVS);
++		return -EINVAL;
++	}
++
++	imq_devs = kzalloc(sizeof(struct net_device) * numdevs, GFP_KERNEL);
++	if (!imq_devs)
++		return -ENOMEM;
++
++	/* we start counting at zero */
++	numdevs--;
++
++	for (i = 0, dev = imq_devs; i <= numdevs; i++, dev++) {
++		SET_MODULE_OWNER(dev);
++		strcpy(dev->name, "imq%d");
++		dev->init   = imq_dev_init;
++		dev->uninit = imq_dev_uninit;
++
++		if (register_netdev(dev) < 0)
++			goto err_register;
++	}
++	printk(KERN_INFO "IMQ starting with %u devices...\n", j);
++	return 0;
++
++err_register:
++	for (; i; i--)
++		unregister_netdev(--dev);
++	kfree(imq_devs);
++	return -EIO;
++}
++
++static void imq_cleanup_devs(void)
++{
++	int i;
++	struct net_device *dev = imq_devs;
++
++	for (i = 0; i <= numdevs; i++)
++		unregister_netdev(dev++);
++
++	kfree(imq_devs);
++}
++
++static int __init imq_init_module(void)
++{
++	int err;
++
++	if ((err = imq_init_devs())) {
++		printk(KERN_ERR "IMQ: Error trying imq_init_devs()\n");
++		return err;
++	}
++	if ((err = imq_init_hooks())) {
++		printk(KERN_ERR "IMQ: Error trying imq_init_hooks()\n");
++		imq_cleanup_devs();
++		return err;
++	}
++
++	printk(KERN_INFO "IMQ driver loaded successfully.\n");
++
++#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
++	printk(KERN_INFO "\tHooking IMQ before NAT on PREROUTING.\n");
++#else
++	printk(KERN_INFO "\tHooking IMQ after NAT on PREROUTING.\n");
++#endif
++#if defined(CONFIG_IMQ_BEHAVIOR_AB) || defined(CONFIG_IMQ_BEHAVIOR_BB)
++	printk(KERN_INFO "\tHooking IMQ before NAT on POSTROUTING.\n");
++#else
++	printk(KERN_INFO "\tHooking IMQ after NAT on POSTROUTING.\n");
++#endif
++
++	return 0;
++}
++
++static void __exit imq_cleanup_module(void)
++{
++	imq_unhook();
++	imq_cleanup_devs();
++	printk(KERN_INFO "IMQ driver unloaded successfully.\n");
++}
++
++
++module_init(imq_init_module);
++module_exit(imq_cleanup_module);
++
++module_param(numdevs, int, 16);
++MODULE_PARM_DESC(numdevs, "number of IMQ devices (how many imq* devices will be created)");
++MODULE_AUTHOR("http://www.linuximq.net");
++MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See http://www.linuximq.net/ for more information.");
++MODULE_LICENSE("GPL");
+diff -Naurw linux-2.6.23/drivers/net/Kconfig linux-2.6.23.imq/drivers/net/Kconfig
+--- linux-2.6.23/drivers/net/Kconfig	2007-10-01 09:04:50.000000000 -0300
++++ linux-2.6.23.imq/drivers/net/Kconfig	2007-10-01 09:55:14.000000000 -0300
+@@ -112,6 +112,129 @@
+ 	  To compile this driver as a module, choose M here: the module
+ 	  will be called eql.  If unsure, say N.
+ 
++config IMQ
++	tristate "IMQ (intermediate queueing device) support"
++	depends on NETDEVICES && NETFILTER
++	---help---
++	  The IMQ device(s) is used as placeholder for QoS queueing
++	  disciplines. Every packet entering/leaving the IP stack can be
++	  directed through the IMQ device where it's enqueued/dequeued to the
++	  attached qdisc. This allows you to treat network devices as classes
++	  and distribute bandwidth among them. Iptables is used to specify
++	  through which IMQ device, if any, packets travel.
++
++	  More information at: http://www.linuximq.net/
++
++	  To compile this driver as a module, choose M here: the module
++	  will be called imq.  If unsure, say N.
++
++choice
++	prompt "IMQ behavior (PRE/POSTROUTING)"
++	depends on IMQ
++	default IMQ_BEHAVIOR_AB
++	help
++
++		This settings defines how IMQ behaves in respect to its
++		hooking in PREROUTING and POSTROUTING.
++
++		IMQ can work in any of the following ways:
++
++		    PREROUTING   |      POSTROUTING
++		-----------------|-------------------
++		#1  After NAT    |      After NAT
++		#2  After NAT    |      Before NAT
++		#3  Before NAT   |      After NAT
++		#4  Before NAT   |      Before NAT
++
++		The default behavior is to hook before NAT on PREROUTING
++		and after NAT on POSTROUTING (#3).
++
++		This settings are specially usefull when trying to use IMQ
++		to shape NATed clients.
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_AA
++	bool "IMQ AA"
++	help
++		This settings defines how IMQ behaves in respect to its
++		hooking in PREROUTING and POSTROUTING.
++
++		Choosing this option will make IMQ hook like this:
++
++		PREROUTING:   After NAT
++		POSTROUTING:  After NAT
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_AB
++	bool "IMQ AB"
++	help
++		This settings defines how IMQ behaves in respect to its
++		hooking in PREROUTING and POSTROUTING.
++
++		Choosing this option will make IMQ hook like this:
++
++		PREROUTING:   After NAT
++		POSTROUTING:  Before NAT
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_BA
++	bool "IMQ BA"
++	help
++		This settings defines how IMQ behaves in respect to its
++		hooking in PREROUTING and POSTROUTING.
++
++		Choosing this option will make IMQ hook like this:
++
++		PREROUTING:   Before NAT
++		POSTROUTING:  After NAT
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_BB
++	bool "IMQ BB"
++	help
++		This settings defines how IMQ behaves in respect to its
++		hooking in PREROUTING and POSTROUTING.
++
++		Choosing this option will make IMQ hook like this:
++
++		PREROUTING:   Before NAT
++		POSTROUTING:  Before NAT
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
++endchoice
++
++config IMQ_NUM_DEVS
++
++	int "Number of IMQ devices"
++	range 2 16
++	depends on IMQ
++	default "16"
++	help
++
++		This settings defines how many IMQ devices will be
++		created.
++
++		The default value is 16.
++
++		More information can be found at: www.linuximq.net
++
++		If not sure leave the default settings alone.
++
+ config TUN
+ 	tristate "Universal TUN/TAP device driver support"
+ 	select CRC32
+diff -Naurw linux-2.6.23/drivers/net/Makefile linux-2.6.23.imq/drivers/net/Makefile
+--- linux-2.6.23/drivers/net/Makefile	2007-10-01 09:04:50.000000000 -0300
++++ linux-2.6.23.imq/drivers/net/Makefile	2007-10-01 09:55:14.000000000 -0300
+@@ -131,6 +131,7 @@
+ obj-$(CONFIG_XEN_NETDEV_FRONTEND) += xen-netfront.o
+ 
+ obj-$(CONFIG_DUMMY) += dummy.o
++obj-$(CONFIG_IMQ) += imq.o
+ obj-$(CONFIG_IFB) += ifb.o
+ obj-$(CONFIG_MACVLAN) += macvlan.o
+ obj-$(CONFIG_DE600) += de600.o
+diff -Naurw linux-2.6.23/include/linux/imq.h linux-2.6.23.imq/include/linux/imq.h
+--- linux-2.6.23/include/linux/imq.h	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/include/linux/imq.h	2007-10-01 09:55:14.000000000 -0300
+@@ -0,0 +1,9 @@
++#ifndef _IMQ_H
++#define _IMQ_H
++
++#define IMQ_MAX_DEVS   16
++
++#define IMQ_F_IFMASK   0x7f
++#define IMQ_F_ENQUEUE  0x80
++
++#endif /* _IMQ_H */
+diff -Naurw linux-2.6.23/include/linux/netfilter_ipv4/ipt_IMQ.h linux-2.6.23.imq/include/linux/netfilter_ipv4/ipt_IMQ.h
+--- linux-2.6.23/include/linux/netfilter_ipv4/ipt_IMQ.h	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/include/linux/netfilter_ipv4/ipt_IMQ.h	2007-10-01 09:55:14.000000000 -0300
+@@ -0,0 +1,8 @@
++#ifndef _IPT_IMQ_H
++#define _IPT_IMQ_H
++
++struct ipt_imq_info {
++	unsigned int todev;     /* target imq device */
++};
++
++#endif /* _IPT_IMQ_H */
+diff -Naurw linux-2.6.23/include/linux/netfilter_ipv6/ip6t_IMQ.h linux-2.6.23.imq/include/linux/netfilter_ipv6/ip6t_IMQ.h
+--- linux-2.6.23/include/linux/netfilter_ipv6/ip6t_IMQ.h	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/include/linux/netfilter_ipv6/ip6t_IMQ.h	2007-10-01 09:55:14.000000000 -0300
+@@ -0,0 +1,8 @@
++#ifndef _IP6T_IMQ_H
++#define _IP6T_IMQ_H
++
++struct ip6t_imq_info {
++	unsigned int todev;     /* target imq device */
++};
++
++#endif /* _IP6T_IMQ_H */
+diff -Naurw linux-2.6.23/include/linux/skbuff.h linux-2.6.23.imq/include/linux/skbuff.h
+--- linux-2.6.23/include/linux/skbuff.h	2007-10-01 09:05:08.000000000 -0300
++++ linux-2.6.23.imq/include/linux/skbuff.h	2007-10-01 09:55:14.000000000 -0300
+@@ -296,6 +296,10 @@
+ 	struct nf_conntrack	*nfct;
+ 	struct sk_buff		*nfct_reasm;
+ #endif
++#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
++	unsigned char		imq_flags;
++	struct nf_info		*nf_info;
++#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ 	struct nf_bridge_info	*nf_bridge;
+ #endif
+@@ -1726,6 +1730,10 @@
+ 	dst->nfct_reasm = src->nfct_reasm;
+ 	nf_conntrack_get_reasm(src->nfct_reasm);
+ #endif
++#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
++	dst->imq_flags = src->imq_flags;
++	dst->nf_info = src->nf_info;
++#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ 	dst->nf_bridge  = src->nf_bridge;
+ 	nf_bridge_get(src->nf_bridge);
+diff -Naurw linux-2.6.23/net/core/dev.c linux-2.6.23.imq/net/core/dev.c
+--- linux-2.6.23/net/core/dev.c	2007-10-01 09:05:10.000000000 -0300
++++ linux-2.6.23.imq/net/core/dev.c	2007-10-01 09:55:14.000000000 -0300
+@@ -94,6 +94,9 @@
+ #include <linux/skbuff.h>
+ #include <net/sock.h>
+ #include <linux/rtnetlink.h>
++#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
++#include <linux/imq.h>
++#endif
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
+ #include <linux/stat.h>
+@@ -1462,7 +1465,11 @@
+ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ 	if (likely(!skb->next)) {
+-		if (!list_empty(&ptype_all))
++		if (!list_empty(&ptype_all)
++#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
++		    && !(skb->imq_flags & IMQ_F_ENQUEUE)
++#endif
++		    )
+ 			dev_queue_xmit_nit(skb, dev);
+ 
+ 		if (netif_needs_gso(dev, skb)) {
+diff -Naurw linux-2.6.23/net/ipv4/netfilter/ipt_IMQ.c linux-2.6.23.imq/net/ipv4/netfilter/ipt_IMQ.c
+--- linux-2.6.23/net/ipv4/netfilter/ipt_IMQ.c	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/net/ipv4/netfilter/ipt_IMQ.c	2007-10-01 09:55:14.000000000 -0300
+@@ -0,0 +1,69 @@
++/*
++ * This target marks packets to be enqueued to an imq device
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++#include <linux/imq.h>
++
++static unsigned int imq_target(struct sk_buff **pskb,
++			       const struct net_device *in,
++			       const struct net_device *out,
++			       unsigned int hooknum,
++			       const struct xt_target *target,
++			       const void *targinfo)
++{
++	struct ipt_imq_info *mr = (struct ipt_imq_info*)targinfo;
++
++	(*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE;
++
++	return XT_CONTINUE;
++}
++
++static bool imq_checkentry(const char *tablename,
++			  const void *e,
++			  const struct xt_target *target,
++			  void *targinfo,
++			  unsigned int hook_mask)
++{
++	struct ipt_imq_info *mr;
++
++	mr = (struct ipt_imq_info*)targinfo;
++
++	if (mr->todev > IMQ_MAX_DEVS) {
++		printk(KERN_WARNING
++		       "IMQ: invalid device specified, highest is %u\n",
++		       IMQ_MAX_DEVS);
++		return 0;
++	}
++
++	return 1;
++}
++
++static struct xt_target ipt_imq_reg = {
++	.name		= "IMQ",
++	.family		= AF_INET,
++	.target		= imq_target,
++	.targetsize	= sizeof(struct ipt_imq_info),
++	.checkentry	= imq_checkentry,
++	.me		= THIS_MODULE,
++	.table		= "mangle"
++};
++
++static int __init init(void)
++{
++	return xt_register_target(&ipt_imq_reg);
++}
++
++static void __exit fini(void)
++{
++	xt_unregister_target(&ipt_imq_reg);
++}
++
++module_init(init);
++module_exit(fini);
++
++MODULE_AUTHOR("http://www.linuximq.net");
++MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See http://www.linuximq.net/ for more information.");
++MODULE_LICENSE("GPL");
+diff -Naurw linux-2.6.23/net/ipv4/netfilter/Kconfig linux-2.6.23.imq/net/ipv4/netfilter/Kconfig
+--- linux-2.6.23/net/ipv4/netfilter/Kconfig	2007-10-01 09:05:12.000000000 -0300
++++ linux-2.6.23.imq/net/ipv4/netfilter/Kconfig	2007-10-01 09:55:14.000000000 -0300
+@@ -311,6 +311,17 @@
+ 
+ 	  To compile it as a module, choose M here.  If unsure, say N.
+ 
++config IP_NF_TARGET_IMQ
++       tristate "IMQ target support"
++       depends on IP_NF_MANGLE
++       help
++         This option adds a `IMQ' target which is used to specify if and
++         to which IMQ device packets should get enqueued/dequeued.
++
++	 For more information visit: http://www.linuximq.net/
++
++         To compile it as a module, choose M here.  If unsure, say N.
++
+ config IP_NF_TARGET_TOS
+ 	tristate "TOS target support"
+ 	depends on IP_NF_MANGLE
+diff -Naurw linux-2.6.23/net/ipv4/netfilter/Makefile linux-2.6.23.imq/net/ipv4/netfilter/Makefile
+--- linux-2.6.23/net/ipv4/netfilter/Makefile	2007-10-01 09:03:13.000000000 -0300
++++ linux-2.6.23.imq/net/ipv4/netfilter/Makefile	2007-10-01 09:55:14.000000000 -0300
+@@ -54,6 +54,7 @@
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+ obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
+ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
++obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o
+ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
+ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
+ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
+diff -Naurw linux-2.6.23/net/ipv6/netfilter/ip6t_IMQ.c linux-2.6.23.imq/net/ipv6/netfilter/ip6t_IMQ.c
+--- linux-2.6.23/net/ipv6/netfilter/ip6t_IMQ.c	1969-12-31 21:00:00.000000000 -0300
++++ linux-2.6.23.imq/net/ipv6/netfilter/ip6t_IMQ.c	2007-10-01 09:55:14.000000000 -0300
+@@ -0,0 +1,69 @@
++/*
++ * This target marks packets to be enqueued to an imq device
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++#include <linux/imq.h>
++
++static unsigned int imq_target(struct sk_buff **pskb,
++			       const struct net_device *in,
++			       const struct net_device *out,
++			       unsigned int hooknum,
++			       const struct xt_target *target,
++			       const void *targinfo)
++{
++	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)targinfo;
++
++	(*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE;
++
++	return XT_CONTINUE;
++}
++
++static bool imq_checkentry(const char *tablename,
++			  const void *entry,
++			  const struct xt_target *target,
++			  void *targinfo,
++			  unsigned int hook_mask)
++{
++	struct ip6t_imq_info *mr;
++
++	mr = (struct ip6t_imq_info*)targinfo;
++
++	if (mr->todev > IMQ_MAX_DEVS) {
++		printk(KERN_WARNING
++		       "IMQ: invalid device specified, highest is %u\n",
++		       IMQ_MAX_DEVS);
++		return 0;
++	}
++
++	return 1;
++}
++
++static struct xt_target ip6t_imq_reg = {
++	.name           = "IMQ",
++	.family		= AF_INET6,
++	.target         = imq_target,
++	.targetsize	= sizeof(struct ip6t_imq_info),
++	.table		= "mangle",
++	.checkentry     = imq_checkentry,
++	.me             = THIS_MODULE
++};
++
++static int __init init(void)
++{
++	return xt_register_target(&ip6t_imq_reg);
++}
++
++static void __exit fini(void)
++{
++	xt_unregister_target(&ip6t_imq_reg);
++}
++
++module_init(init);
++module_exit(fini);
++
++MODULE_AUTHOR("http://www.linuximq.net");
++MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See http://www.linuximq.net/ for more information.");
++MODULE_LICENSE("GPL");
+diff -Naurw linux-2.6.23/net/ipv6/netfilter/Kconfig linux-2.6.23.imq/net/ipv6/netfilter/Kconfig
+--- linux-2.6.23/net/ipv6/netfilter/Kconfig	2007-10-01 09:03:12.000000000 -0300
++++ linux-2.6.23.imq/net/ipv6/netfilter/Kconfig	2007-10-01 09:55:14.000000000 -0300
+@@ -173,6 +173,15 @@
+ 
+ 	  To compile it as a module, choose M here.  If unsure, say N.
+ 
++config IP6_NF_TARGET_IMQ
++	tristate "IMQ target support"
++	depends on IP6_NF_MANGLE
++	help
++          This option adds a `IMQ' target which is used to specify if and
++          to which imq device packets should get enqueued/dequeued.
++
++          To compile it as a module, choose M here.  If unsure, say N.
++
+ config IP6_NF_TARGET_HL
+ 	tristate  'HL (hoplimit) target support'
+ 	depends on IP6_NF_MANGLE
+diff -Naurw linux-2.6.23/net/ipv6/netfilter/Makefile linux-2.6.23.imq/net/ipv6/netfilter/Makefile
+--- linux-2.6.23/net/ipv6/netfilter/Makefile	2007-10-01 09:03:12.000000000 -0300
++++ linux-2.6.23.imq/net/ipv6/netfilter/Makefile	2007-10-01 09:55:14.000000000 -0300
+@@ -13,6 +13,7 @@
+ obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
+ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
+ obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
++obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
+ obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
+ obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
+ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+diff -Naurw linux-2.6.23/net/sched/sch_generic.c linux-2.6.23.imq/net/sched/sch_generic.c
+--- linux-2.6.23/net/sched/sch_generic.c	2007-10-01 09:05:14.000000000 -0300
++++ linux-2.6.23.imq/net/sched/sch_generic.c	2007-10-01 09:55:14.000000000 -0300
+@@ -190,6 +190,11 @@
+ 	return ret;
+ }
+ 
++int qdisc_restart1(struct net_device *dev)
++{
++	return qdisc_restart(dev);
++}
++
+ void __qdisc_run(struct net_device *dev)
+ {
+ 	do {
+@@ -619,3 +624,4 @@
+ EXPORT_SYMBOL(qdisc_reset);
+ EXPORT_SYMBOL(qdisc_lock_tree);
+ EXPORT_SYMBOL(qdisc_unlock_tree);
++EXPORT_SYMBOL(qdisc_restart1);

src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch

@@ -0,0 +1,204 @@
+Index: linux-2.6.x/net/ipv4/Kconfig
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/Kconfig,v
+retrieving revision 1.1.1.28
+retrieving revision 1.10
+diff -u -r1.1.1.28 -r1.10
+--- linux-2.6.x/net/ipv4/Kconfig	10 Oct 2007 00:54:30 -0000	1.1.1.28
++++ linux-2.6.x/net/ipv4/Kconfig	10 Oct 2007 04:53:57 -0000	1.10
+@@ -367,6 +367,12 @@
+ 	tristate
+ 	default n
+ 
++config IPSEC_NAT_TRAVERSAL
++	bool "IPSEC NAT-Traversal (KLIPS compatible)"
++	depends on INET
++	---help---
++          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
++
+ config INET_XFRM_MODE_TRANSPORT
+ 	tristate "IP: IPsec transport mode"
+ 	default y
+Index: linux-2.6.x/net/ipv4/udp.c
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/udp.c,v
+retrieving revision 1.1.1.46
+diff -u -r1.1.1.46 udp.c
+--- linux-2.6.x/net/ipv4/udp.c	10 Oct 2007 00:54:30 -0000	1.1.1.46
++++ linux-2.6.x/net/ipv4/udp.c	9 Nov 2007 00:11:33 -0000
+@@ -102,6 +102,7 @@
+ #include <net/route.h>
+ #include <net/checksum.h>
+ #include <net/xfrm.h>
++#include <net/xfrmudp.h>
+ #include "udp_impl.h"
+ 
+ /*
+@@ -920,6 +921,128 @@
+ 	return 0;
+ }
+ 
++#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++
++static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
++
++/*
++ * de-encapsulate and pass to the registered xfrm4_rcv_encap_func function.
++ * Most of this code stolen from net/ipv4/xfrm4_input.c
++ * which is attributed to YOSHIFUJI Hideaki @USAGI, and
++ * Derek Atkins <derek@ihtfp.com>
++ */
++
++static int xfrm4_udp_encap_rcv_wrapper(struct sock *sk, struct sk_buff *skb)
++{
++	struct udp_sock *up = udp_sk(sk);
++	struct udphdr *uh;
++	struct iphdr *iph;
++	int iphlen, len;
++	int ret;
++
++	__u8 *udpdata;
++	__be32 *udpdata32;
++	__u16 encap_type = up->encap_type;
++
++	/* if this is not encapsulated socket, then just return now */
++	if (!encap_type && !xfrm4_rcv_encap_func)
++		return 1;
++
++	/* If this is a paged skb, make sure we pull up
++	 * whatever data we need to look at. */
++	len = skb->len - sizeof(struct udphdr);
++	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
++		return 1;
++
++	/* Now we can get the pointers */
++	uh = udp_hdr(skb);
++	udpdata = (__u8 *)uh + sizeof(struct udphdr);
++	udpdata32 = (__be32 *)udpdata;
++
++	switch (encap_type) {
++	default:
++	case UDP_ENCAP_ESPINUDP:
++		/* Check if this is a keepalive packet.  If so, eat it. */
++		if (len == 1 && udpdata[0] == 0xff) {
++			goto drop;
++		} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
++			/* ESP Packet without Non-ESP header */
++			len = sizeof(struct udphdr);
++		} else
++			/* Must be an IKE packet.. pass it through */
++			return 1;
++		break;
++	case UDP_ENCAP_ESPINUDP_NON_IKE:
++		/* Check if this is a keepalive packet.  If so, eat it. */
++		if (len == 1 && udpdata[0] == 0xff) {
++			goto drop;
++		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
++			   udpdata32[0] == 0 && udpdata32[1] == 0) {
++
++			/* ESP Packet with Non-IKE marker */
++			len = sizeof(struct udphdr) + 2 * sizeof(u32);
++		} else
++			/* Must be an IKE packet.. pass it through */
++			return 1;
++		break;
++	}
++
++	/* At this point we are sure that this is an ESPinUDP packet,
++	 * so we need to remove 'len' bytes from the packet (the UDP
++	 * header and optional ESP marker bytes) and then modify the
++	 * protocol to ESP, and then call into the transform receiver.
++	 */
++	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
++		goto drop;
++
++	/* Now we can update and verify the packet length... */
++	iph = ip_hdr(skb);
++	iphlen = iph->ihl << 2;
++	iph->tot_len = htons(ntohs(iph->tot_len) - len);
++	if (skb->len < iphlen + len) {
++		/* packet is too small!?! */
++		goto drop;
++	}
++
++	/* pull the data buffer up to the ESP header and set the
++	 * transport header to point to ESP.  Keep UDP on the stack
++	 * for later.
++	 */
++	__skb_pull(skb, len);
++	skb_reset_transport_header(skb);
++
++	/* modify the protocol (it's ESP!) */
++	iph->protocol = IPPROTO_ESP;
++
++	/* process ESP */
++	ret = (*xfrm4_rcv_encap_func)(skb, encap_type);
++	return ret;
++
++drop:
++	kfree_skb(skb);
++	return 0;
++}
++
++int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
++		xfrm4_rcv_encap_t *oldfunc)
++{
++	if (oldfunc != NULL)
++		*oldfunc = xfrm4_rcv_encap_func;
++	xfrm4_rcv_encap_func = func;
++	return 0;
++}
++
++int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
++{
++	if (xfrm4_rcv_encap_func != func)
++		return -1;
++
++	xfrm4_rcv_encap_func = NULL;
++	return 0;
++}
++
++#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
++
+ /* returns:
+  *  -1: error
+  *   0: success
+@@ -1252,6 +1375,11 @@
+ 		case 0:
+ 		case UDP_ENCAP_ESPINUDP:
+ 		case UDP_ENCAP_ESPINUDP_NON_IKE:
++#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++			if (xfrm4_rcv_encap_func)
++				up->encap_rcv = xfrm4_udp_encap_rcv_wrapper;
++			else
++#endif
+ 			up->encap_rcv = xfrm4_udp_encap_rcv;
+ 			/* FALLTHROUGH */
+ 		case UDP_ENCAP_L2TPINUDP:
+@@ -1648,3 +1776,9 @@
+ EXPORT_SYMBOL(udp_proc_register);
+ EXPORT_SYMBOL(udp_proc_unregister);
+ #endif
++
++#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++EXPORT_SYMBOL(udp4_register_esp_rcvencap);
++EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
++#endif
++
+Index: linux-2.6.x/include/net/xfrmudp.h
+===================================================================
+RCS file: linux-2.6.x/include/net/xfrmudp.h
+diff -N linux-2.6.x/include/net/xfrmudp.h
+--- /dev/null	1 Jan 1970 00:00:00 -0000
++++ linux-2.6.x/include/net/xfrmudp.h	3 Nov 2005 01:55:55 -0000	1.1
+@@ -0,0 +1,10 @@
++/*
++ * pointer to function for type that xfrm4_input wants, to permit
++ * decoupling of XFRM from udp.c
++ */
++#define HAVE_XFRM4_UDP_REGISTER
++
++typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
++extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
++				      , xfrm4_rcv_encap_t *oldfunc);
++extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);