Subject: packet handling for IPsec NAT-T
To: None <tech-kern@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 09/24/2004 15:24:23
Hi
I'm still working on IPsec NAT-T. It works by encapsulating ESP packets in
UDP. When it receives an UDP packet on a socket that has already been flagged
as ESP over UDP capable, the kernel must remove the UDP header and give
the ESP packet to the ESP input function.
I have a hook in udp4_realinput that does this (m if the mbuf, off is the
offset of the UDP payload, as off in udp4_realinput())
len = m->m_len - off;
data = m->m_data + off;
remove = sizeof(struct udphdr);
memmove(&m->m_data[off - remove], &m->m_data[off], len - remove);
ip = (struct ip *)m->m_data;
ip->ip_len = htons(ntohs(ip->ip_len) - remove);
ip->ip_p = IPPROTO_ESP;
m->m_len -= remove;
m->m_pkthdr.len -= remove;
esp4_input(m, off - remove);
If there anything wrong there? I'm not sure I'm doing the right thing with
the mbuf.
--
Emmanuel Dreyfus
manu@netbsd.org