Subject: Re: packet handling for IPsec NAT-T
To: mouss <usebsd@free.fr>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 09/25/2004 00:09:36
mouss <usebsd@free.fr> wrote:

> but I don't see why you need this anyway. Isn't
>       skip = off + sizeof(struct udphdr);
>       esp4_input(m, skip);
> supposed to do it all?
> 
> My understanding is that after the udp header comes a "normal" and 
> correct esp packet, so you don't need to touch its ip_len and ip_p, and
> you just need to skip the udp header. Or am I missing something?

Hey, that's nifty. I'll give it a try on Monday.
 
> BTW What if you get a UDP packet to the same port, but which is not an
> encapsulated ESP packet? Is this considered an error? I guess it is an
> error, as it seems hard to manage both cases with a single socket.

I didn't post all the code :)

This treatment only occurs for data that goes to a socket that has been
flagged as receiving ESP over UDP (it's flagged by userland, with
setsockopt).

The userlevel socket owner might want to get non-ESP traffic on the
socket. In that case the sender has to add a non-ESP marker at the
beginning of the UDP payload. The kernel will detect that and the packet
will be handed to userlevel instead of being sent to esp4_input.

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@netbsd.org
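As an added illustration of the dispatch described in the reply above (this is example code written for this note, not Emmanuel's NetBSD patch), the following C function decides, for a UDP datagram arriving on a socket flagged for ESP-over-UDP, whether to hand the packet to the ESP input path with the UDP header skipped or to deliver it to the userlevel socket owner. Two assumptions are made that the message itself does not state: the non-ESP marker is taken to be four zero bytes (the value RFC 3948 uses; an ESP SPI is never zero, so the two cases cannot collide), and the kernel's `udphdr`, mbuf and `esp4_input` are replaced by stand-in types and a returned verdict. The sample datagrams are constructed for the demo; the socket flag that userland would set with setsockopt is modelled as a plain integer argument.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct udphdr: only its size (8 bytes) matters here. */
struct udphdr_sim {
    uint16_t uh_sport, uh_dport, uh_ulen, uh_sum;
};

/* Assumption: the non-ESP marker is four zero bytes at the start of the UDP
 * payload (RFC 3948). A real ESP SPI is never zero, so this is unambiguous. */
#define NON_ESP_MARKER_LEN 4

enum disposition {
    DELIVER_TO_SOCKET,  /* plain UDP data: hand to the userlevel socket owner */
    HAND_TO_ESP,        /* ESP in UDP: pass to esp4_input() with `skip` */
    DROP_SHORT          /* too short to carry either a marker or an ESP header */
};

struct udp_decision {
    enum disposition what;
    size_t skip;        /* offset of the ESP header when what == HAND_TO_ESP */
};

/*
 * pkt/pktlen: the whole IP datagram; off: offset of the UDP header in it;
 * sock_is_esp_encap: the per-socket flag userland sets with setsockopt
 * (modelled here as an int).
 */
struct udp_decision
classify_udp_payload(const uint8_t *pkt, size_t pktlen, size_t off,
                     int sock_is_esp_encap)
{
    static const uint8_t non_esp_marker[NON_ESP_MARKER_LEN] = { 0, 0, 0, 0 };
    struct udp_decision d = { DELIVER_TO_SOCKET, 0 };
    size_t payload;

    /* Sockets not flagged for UDP encapsulation get ordinary UDP delivery. */
    if (!sock_is_esp_encap)
        return d;

    payload = off + sizeof(struct udphdr_sim);
    if (pktlen < payload + NON_ESP_MARKER_LEN) {
        d.what = DROP_SHORT;          /* cannot be a marker or an ESP SPI */
        return d;
    }

    /* Marker present: the sender wants this delivered as plain UDP data. */
    if (memcmp(pkt + payload, non_esp_marker, NON_ESP_MARKER_LEN) == 0)
        return d;

    /* Otherwise the first four payload bytes are an ESP SPI: skip the UDP
     * header so the ESP code sees an ordinary ESP packet (ip_len and ip_p
     * of the outer header are left untouched). */
    d.what = HAND_TO_ESP;
    d.skip = payload;
    return d;
}

#define IPHDR_LEN 20

/* Constructed sample: IPv4 header (placeholder bytes), UDP 4500->4500,
 * then an ESP header with SPI 0x00001234 and sequence number 1. */
static const uint8_t sample_esp_in_udp[] = {
    0x45,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x11,0x94, 0x11,0x94, 0x00,0x14, 0,0,
    0x00,0x00,0x12,0x34, 0,0,0,1, 0xde,0xad,0xbe,0xef,
};

/* Constructed sample: same headers, but the payload starts with the
 * non-ESP marker followed by four bytes of application data. */
static const uint8_t sample_marked_udp[] = {
    0x45,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x11,0x94, 0x11,0x94, 0x00,0x10, 0,0,
    0,0,0,0, 'I','K','E','v',
};

enum disposition demo_esp_verdict(void)
{
    return classify_udp_payload(sample_esp_in_udp, sizeof sample_esp_in_udp,
                                IPHDR_LEN, 1).what;
}

size_t demo_esp_skip(void)
{
    return classify_udp_payload(sample_esp_in_udp, sizeof sample_esp_in_udp,
                                IPHDR_LEN, 1).skip;
}

enum disposition demo_marked_verdict(void)
{
    return classify_udp_payload(sample_marked_udp, sizeof sample_marked_udp,
                                IPHDR_LEN, 1).what;
}

/* Same ESP-looking datagram, but the socket was never flagged by userland. */
enum disposition demo_unflagged_verdict(void)
{
    return classify_udp_payload(sample_esp_in_udp, sizeof sample_esp_in_udp,
                                IPHDR_LEN, 0).what;
}

/* Truncated datagram: only two payload bytes after the UDP header. */
enum disposition demo_short_verdict(void)
{
    return classify_udp_payload(sample_esp_in_udp, IPHDR_LEN + 8 + 2,
                                IPHDR_LEN, 1).what;
}

int main(void)
{
    printf("esp-in-udp: verdict=%d skip=%zu\n",
           (int)demo_esp_verdict(), demo_esp_skip());
    printf("marked:     verdict=%d\n", (int)demo_marked_verdict());
    printf("unflagged:  verdict=%d\n", (int)demo_unflagged_verdict());
    printf("truncated:  verdict=%d\n", (int)demo_short_verdict());
    return 0;
}
```

The truncated case gets its own verdict rather than silently going to the socket so that a real implementation can count it; a datagram that short cannot be valid ESP, and treating it as plain data would let malformed traffic bypass the ESP path on a socket that was flagged for it.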