Add natt patch

disabled iptables for collectd disabled initrd size optimization
2026-04-19 23:43:00 +02:00 · 2008-07-14 23:53:15 +02:00
parent 2bdf7ab873
commit 5639fecfb3
8 changed files with 217 additions and 9 deletions
--- a/config/kernel/kernel.config.i586
+++ b/config/kernel/kernel.config.i586
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.24.7
-# Sun Jul 13 09:32:56 2008
+# Mon Jul 14 10:58:23 2008
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -433,6 +433,7 @@ CONFIG_INET_ESP=m
 CONFIG_INET_IPCOMP=m
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
+CONFIG_IPSEC_NAT_TRAVERSAL=y
 CONFIG_INET_XFRM_MODE_TRANSPORT=y
 CONFIG_INET_XFRM_MODE_TUNNEL=y
 CONFIG_INET_XFRM_MODE_BEET=y
--- a/config/kernel/kernel.config.i586.smp
+++ b/config/kernel/kernel.config.i586.smp
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.24.7
-# Sun Jul 13 09:11:25 2008
+# Mon Jul 14 11:01:33 2008
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -444,6 +444,7 @@ CONFIG_INET_ESP=m
 CONFIG_INET_IPCOMP=m
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
+CONFIG_IPSEC_NAT_TRAVERSAL=y
 CONFIG_INET_XFRM_MODE_TRANSPORT=y
 CONFIG_INET_XFRM_MODE_TUNNEL=y
 CONFIG_INET_XFRM_MODE_BEET=y
--- a/lfs/collectd
+++ b/lfs/collectd
@@ -78,11 +78,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var \
-		--disable-{apple_sensors,csv,ipvs,mbmon,memcached,mysql} \
+		--disable-{apple_sensors,csv,iptables,ipvs,mbmon,memcached,mysql} \
 		--disable-{netlink,nginx,nut,perl,serial,snmp,tape,vserver,wireless,xmms} \
 		--disable-{perl,serial,snmp,tape,vserver,wireless,xmms} \
 		--enable-{apcups,battery,cpu{,freq},df,disk,dns,email,entropy,exec,hddtemp} \
-		--enable-{interface,iptables,irq,load,logfile,memory,multimeter} \
+		--enable-{interface,irq,load,logfile,memory,multimeter} \
 		--enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \
 		--enable-{tcpconns,unixsock,users} \
 		--with-rrdtool=/usr/share/rrdtool-1.2.15 --enable-debug
--- a/lfs/initrd
+++ b/lfs/initrd
@@ -63,8 +63,10 @@ $(TARGET) :
 	depmod -a -F /boot/System.map-$(KVER)-ipfire-smp $(KVER)-ipfire-smp
 	
 	cp -a /lib/modules/$(KVER)-ipfire/ /install/initrd/lib/modules/
-	rm -rf /install/initrd/lib/modules/$(KVER)-ipfire/{build,source,misc/*,kernel/{crypro,sound,net,drivers/{media,video}}} \
-		/install/initrd/lib/modules/$(KVER)-ipfire/kernel/drivers/message/fusion/mptlan*
+	
+#	removed initrd size optimization for testing if sata works again
+#	rm -rf /install/initrd/lib/modules/$(KVER)-ipfire/{build,source,misc/*,kernel/{crypro,sound,net,drivers/{media,video}}} \
+#		/install/initrd/lib/modules/$(KVER)-ipfire/kernel/drivers/message/fusion/mptlan*

 	cp /opt/$(MACHINE)-uClibc/lib/libgcc_s.so.1 /install/initrd/lib/

--- a/lfs/ipp2p
+++ b/lfs/ipp2p
@@ -60,7 +60,7 @@ $(TARGET) :
 	@rm -rf $(DIR_APP) && mkdir -p $(DIR_APP)
 	@cp -vf $(DIR_SRC)/src/ipp2p/* $(DIR_APP)
 	cd $(DIR_SRC) && rm -rf iptables-*
-	cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.3.8.tar.bz2
+	cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.4.0.tar.bz2
 	cd $(DIR_SRC) && ln -sf iptables-* iptables
 ifeq "$(SMP)" "1"
 	cd $(DIR_APP) && make ipt_ipp2p.ko
--- a/lfs/linux
+++ b/lfs/linux
@@ -101,7 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 #	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.20.21-zd1211-usrobotics-usbid.patch

 	# Openswan nat-t
-#	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.6.14-kernel-2.6.24.7-natt.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch

 	# Reiser4
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/reiser4-for-2.6.24.patch
--- a/make.sh
+++ b/make.sh
@@ -421,7 +421,7 @@ buildipfire() {
  ipfiremake whatmask
  ipfiremake iptables
  ipfiremake libupnp
-  ipfiremake ipp2p			IPT=1
+#  ipfiremake ipp2p			IPT=1
  ipfiremake linux-igd
  ipfiremake ipaddr
  ipfiremake iptstate
--- a/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
+++ b/src/patches/openswan-2.4.x.kernel-2.6.23-natt.patch
@@ -0,0 +1,204 @@
+Index: linux-2.6.x/net/ipv4/Kconfig
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/Kconfig,v
+retrieving revision 1.1.1.28
+retrieving revision 1.10
+diff -u -r1.1.1.28 -r1.10
+--- linux-2.6.x/net/ipv4/Kconfig	10 Oct 2007 00:54:30 -0000	1.1.1.28
+++ linux-2.6.x/net/ipv4/Kconfig	10 Oct 2007 04:53:57 -0000	1.10
+@@ -367,6 +367,12 @@
+ 	tristate
+ 	default n
+ 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
+ config INET_XFRM_MODE_TRANSPORT
+ 	tristate "IP: IPsec transport mode"
+ 	default y
+Index: linux-2.6.x/net/ipv4/udp.c
+===================================================================
+RCS file: /cvs/sw/linux-2.6.x/net/ipv4/udp.c,v
+retrieving revision 1.1.1.46
+diff -u -r1.1.1.46 udp.c
+--- linux-2.6.x/net/ipv4/udp.c	10 Oct 2007 00:54:30 -0000	1.1.1.46
+++ linux-2.6.x/net/ipv4/udp.c	9 Nov 2007 00:11:33 -0000
+@@ -102,6 +102,7 @@
+ #include <net/route.h>
+ #include <net/checksum.h>
+ #include <net/xfrm.h>
+#include <net/xfrmudp.h>
+ #include "udp_impl.h"
+ 
+ /*
+@@ -920,6 +921,128 @@
+ 	return 0;
+ }
+ 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+
+/*
+ * de-encapsulate and pass to the registered xfrm4_rcv_encap_func function.
+ * Most of this code stolen from net/ipv4/xfrm4_input.c
+ * which is attributed to YOSHIFUJI Hideaki @USAGI, and
+ * Derek Atkins <derek@ihtfp.com>
+ */
+
+static int xfrm4_udp_encap_rcv_wrapper(struct sock *sk, struct sk_buff *skb)
+{
+	struct udp_sock *up = udp_sk(sk);
+	struct udphdr *uh;
+	struct iphdr *iph;
+	int iphlen, len;
+	int ret;
+
+	__u8 *udpdata;
+	__be32 *udpdata32;
+	__u16 encap_type = up->encap_type;
+
+	/* if this is not encapsulated socket, then just return now */
+	if (!encap_type && !xfrm4_rcv_encap_func)
+		return 1;
+
+	/* If this is a paged skb, make sure we pull up
+	 * whatever data we need to look at. */
+	len = skb->len - sizeof(struct udphdr);
+	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
+		return 1;
+
+	/* Now we can get the pointers */
+	uh = udp_hdr(skb);
+	udpdata = (__u8 *)uh + sizeof(struct udphdr);
+	udpdata32 = (__be32 *)udpdata;
+
+	switch (encap_type) {
+	default:
+	case UDP_ENCAP_ESPINUDP:
+		/* Check if this is a keepalive packet.  If so, eat it. */
+		if (len == 1 && udpdata[0] == 0xff) {
+			goto drop;
+		} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
+			/* ESP Packet without Non-ESP header */
+			len = sizeof(struct udphdr);
+		} else
+			/* Must be an IKE packet.. pass it through */
+			return 1;
+		break;
+	case UDP_ENCAP_ESPINUDP_NON_IKE:
+		/* Check if this is a keepalive packet.  If so, eat it. */
+		if (len == 1 && udpdata[0] == 0xff) {
+			goto drop;
+		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
+			   udpdata32[0] == 0 && udpdata32[1] == 0) {
+
+			/* ESP Packet with Non-IKE marker */
+			len = sizeof(struct udphdr) + 2 * sizeof(u32);
+		} else
+			/* Must be an IKE packet.. pass it through */
+			return 1;
+		break;
+	}
+
+	/* At this point we are sure that this is an ESPinUDP packet,
+	 * so we need to remove 'len' bytes from the packet (the UDP
+	 * header and optional ESP marker bytes) and then modify the
+	 * protocol to ESP, and then call into the transform receiver.
+	 */
+	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+		goto drop;
+
+	/* Now we can update and verify the packet length... */
+	iph = ip_hdr(skb);
+	iphlen = iph->ihl << 2;
+	iph->tot_len = htons(ntohs(iph->tot_len) - len);
+	if (skb->len < iphlen + len) {
+		/* packet is too small!?! */
+		goto drop;
+	}
+
+	/* pull the data buffer up to the ESP header and set the
+	 * transport header to point to ESP.  Keep UDP on the stack
+	 * for later.
+	 */
+	__skb_pull(skb, len);
+	skb_reset_transport_header(skb);
+
+	/* modify the protocol (it's ESP!) */
+	iph->protocol = IPPROTO_ESP;
+
+	/* process ESP */
+	ret = (*xfrm4_rcv_encap_func)(skb, encap_type);
+	return ret;
+
+drop:
+	kfree_skb(skb);
+	return 0;
+}
+
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func,
+		xfrm4_rcv_encap_t *oldfunc)
+{
+	if (oldfunc != NULL)
+		*oldfunc = xfrm4_rcv_encap_func;
+	xfrm4_rcv_encap_func = func;
+	return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
+{
+	if (xfrm4_rcv_encap_func != func)
+		return -1;
+
+	xfrm4_rcv_encap_func = NULL;
+	return 0;
+}
+
+#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+
+ /* returns:
+  *  -1: error
+  *   0: success
+@@ -1252,6 +1375,11 @@
+ 		case 0:
+ 		case UDP_ENCAP_ESPINUDP:
+ 		case UDP_ENCAP_ESPINUDP_NON_IKE:
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+			if (xfrm4_rcv_encap_func)
+				up->encap_rcv = xfrm4_udp_encap_rcv_wrapper;
+			else
+#endif
+ 			up->encap_rcv = xfrm4_udp_encap_rcv;
+ 			/* FALLTHROUGH */
+ 		case UDP_ENCAP_L2TPINUDP:
+@@ -1648,3 +1776,9 @@
+ EXPORT_SYMBOL(udp_proc_register);
+ EXPORT_SYMBOL(udp_proc_unregister);
+ #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+
+Index: linux-2.6.x/include/net/xfrmudp.h
+===================================================================
+RCS file: linux-2.6.x/include/net/xfrmudp.h
+diff -N linux-2.6.x/include/net/xfrmudp.h
+--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ linux-2.6.x/include/net/xfrmudp.h	3 Nov 2005 01:55:55 -0000	1.1
+@@ -0,0 +1,10 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);