Subject: Re: packet handling for IPsec NAT-T
To: Emmanuel Dreyfus <firstname.lastname@example.org>
From: mouss <email@example.com>
Date: 09/24/2004 21:02:53
Emmanuel Dreyfus wrote:
> I'm still working on IPsec NAT-T. It works by encapsulating ESP packets in
> UDP. When it receives an UDP packet on a socket that has already been flagged
> as ESP over UDP capable, the kernel must remove the UDP header and give
> the ESP packet to the ESP input function.
> I have a hook in udp4_realinput that does this (m if the mbuf, off is the
> offset of the UDP payload, as off in udp4_realinput())
> len = m->m_len - off;
> data = m->m_data + off;
> remove = sizeof(struct udphdr);
> memmove(&m->m_data[off - remove], &m->m_data[off], len - remove);
m_adj() would be enough, no?
but I don't see why you need this anyway. Isn't
skip = off + sizeof(struct udphdr);
supposed to do it all?
My understanding is that after the udp header comes a "normal" and
correct esp packet, so you don't need to touch its ip_len and ip_p, and
you just need to skip the udp header. Or am I missing something?
BTW What if you get a UDP packet to the same port, but which is not an
encapsulated ESP packet? Is this considered an error? I guess it is an
error, as it seems hard to manage both cases with a single socket.
> ip = (struct ip *)m->m_data;
> ip->ip_len = htons(ntohs(ip->ip_len) - remove);
> ip->ip_p = IPPROTO_ESP;
> m->m_len -= remove;
> m->m_pkthdr.len -= remove;
> esp4_input(m, off - remove);
> If there anything wrong there? I'm not sure I'm doing the right thing with
> the mbuf.