Subject: Re: packet handling for IPsec NAT-T
To: Emmanuel Dreyfus <>
From: mouss <>
List: tech-kern
Date: 09/24/2004 21:02:53
Emmanuel Dreyfus wrote:

> Hi
> I'm still working on IPsec NAT-T. It works by encapsulating ESP packets in 
> UDP. When it receives an UDP packet on a socket that has already been flagged
> as ESP over UDP capable, the kernel must remove the UDP header and give
> the ESP packet to the ESP input function.
> I have a hook in udp4_realinput that does this (m if the mbuf, off is the
> offset of the UDP payload, as off in udp4_realinput())
> len = m->m_len - off;
> data = m->m_data + off;
> remove = sizeof(struct udphdr);
> memmove(&m->m_data[off - remove], &m->m_data[off], len - remove);

m_adj() would be enough, no?

but I don't see why you need this anyway. Isn't
	skip = off + sizeof(struct udphdr);
	esp4_input(m, skip);
supposed to do it all?

My understanding is that after the udp header comes a "normal" and 
correct esp packet, so you don't need to touch its ip_len and ip_p, and 
you just need to skip the udp header. Or am I missing something?

BTW What if you get a UDP packet to the same port, but which is not an 
encapsulated ESP packet? Is this considered an error? I guess it is an 
error, as it seems hard to manage both cases with a single socket.

> ip = (struct ip *)m->m_data;
> ip->ip_len = htons(ntohs(ip->ip_len) - remove);
> ip->ip_p = IPPROTO_ESP;
> m->m_len -= remove;
> m->m_pkthdr.len -= remove;
> esp4_input(m, off - remove);
> If there anything wrong there? I'm not sure I'm doing the right thing with
> the mbuf.