Subject: packet handling for IPsec NAT-T
To: None <tech-kern@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 09/24/2004 15:24:23
Hi

I'm still working on IPsec NAT-T. It works by encapsulating ESP packets in 
UDP. When it receives a UDP packet on a socket that has already been flagged
as ESP over UDP capable, the kernel must remove the UDP header and give
the ESP packet to the ESP input function.

I have a hook in udp4_realinput that does this (m is the mbuf, off is the
offset of the UDP payload, as off in udp4_realinput()):

len = m->m_len - off;
data = m->m_data + off;
remove = sizeof(struct udphdr);

memmove(&m->m_data[off - remove], &m->m_data[off], len - remove);
ip = (struct ip *)m->m_data;
ip->ip_len = htons(ntohs(ip->ip_len) - remove);
ip->ip_p = IPPROTO_ESP;

m->m_len -= remove;
m->m_pkthdr.len -= remove;

esp4_input(m, off - remove);

Is there anything wrong there? I'm not sure I'm doing the right thing with
the mbuf. 

-- 
Emmanuel Dreyfus
manu@netbsd.org
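
Added example, not part of the original message and not NetBSD code: the ESP-over-UDP decapsulation step described above, modelled in userspace on one contiguous buffer instead of an mbuf chain, with the length checks made explicit. The names espinudp_decap and build_sample, the return codes and the sample packets are assumptions made for illustration; the NAT-keepalive and non-ESP marker checks come from RFC 3948 and go beyond what the message covers.

```c
#include <stdint.h>
#include <string.h>

#define UDP_HLEN   8u   /* sizeof(struct udphdr) */
#define ESP_MINLEN 8u   /* SPI + sequence number */
enum { DECAP_BAD = -1, DECAP_ESP, DECAP_KEEPALIVE, DECAP_NOT_ESP };

/* Hypothetical helper (not NetBSD code): turn IP|UDP|ESP into IP|ESP in a
 * contiguous buffer. IP checksum is assumed already verified and is not redone. */
int espinudp_decap(uint8_t *pkt, size_t *pktlen)
{
    size_t len = *pktlen, iphlen, off, paylen;

    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 17)   /* IPv4, UDP */
        return DECAP_BAD;
    iphlen = (size_t)(pkt[0] & 0x0f) * 4;
    off = iphlen + UDP_HLEN;            /* offset of the UDP payload */
    if (iphlen < 20 || len < off || (((size_t)pkt[2] << 8) | pkt[3]) != len)
        return DECAP_BAD;
    paylen = len - off;

    if (paylen == 1 && pkt[off] == 0xff)        /* RFC 3948 NAT-keepalive */
        return DECAP_KEEPALIVE;
    if (paylen < ESP_MINLEN)
        return DECAP_BAD;
    if (memcmp(pkt + off, "\0\0\0\0", 4) == 0)  /* non-ESP marker: IKE */
        return DECAP_NOT_ESP;

    /* Move all paylen bytes down over the UDP header, then fix the IP header. */
    memmove(pkt + off - UDP_HLEN, pkt + off, paylen);
    len -= UDP_HLEN;
    pkt[2] = (uint8_t)(len >> 8);               /* ip_len, network order */
    pkt[3] = (uint8_t)len;
    pkt[9] = 50;                                /* IPPROTO_ESP */
    *pktlen = len;
    return DECAP_ESP;
}

/* Constructed sample: 20-byte IPv4 header + UDP header (ports 4500) + pay. */
size_t build_sample(uint8_t *buf, const uint8_t *pay, size_t paylen)
{
    size_t len = 20 + UDP_HLEN + paylen, ulen = UDP_HLEN + paylen;
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
    buf[8] = 64; buf[9] = 17;
    buf[20] = buf[22] = 0x11; buf[21] = buf[23] = 0x94;
    buf[24] = (uint8_t)(ulen >> 8); buf[25] = (uint8_t)ulen;
    memcpy(buf + 28, pay, paylen);
    return len;
}
```

In a kernel the same checks have to hold for the first mbuf before m_data is touched, since m_len may be shorter than m_pkthdr.len when the packet spans several mbufs.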