[Openswan dev] Yet another update to 26sec build

Nate Carlson natecars at natecarlson.com
Thu Jul 1 15:23:18 CEST 2004


OK, I took Ferdinand's Makefile updates, and updated them a bit more 
myself. This Makefile will read out of defconfig to figure out what files 
to build, and apply the proper defines automatically. I've also fixed the 
ipcomp problem - had to move zconf.h to the includes directory.

Files:
------
Makefile:				updated makefile.
defconfig:				replacement defconfig file.
move-files-zlib:			move zconf.h to the new location.
openswan-head-26klips-new.patch:	patches to build under 2.6.
openswan-26klips-fix-zconf.patch:	patch to move zconf.h to includes.

See previous messages for build instructions.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
-------------- next part --------------
mv lib/zlib/zconf.h include/zlib/
-------------- next part --------------
diff -Naur openswan-2/linux/include/zlib/zlib.h openswan-2.nate/linux/include/zlib/zlib.h
--- openswan-2/linux/include/zlib/zlib.h	2002-04-24 02:36:48.000000000 -0500
+++ openswan-2.nate/linux/include/zlib/zlib.h	2004-07-01 13:53:57.000000000 -0500
@@ -31,7 +31,7 @@
 #ifndef _ZLIB_H
 #define _ZLIB_H
 
-#include "zconf.h"
+#include <zlib/zconf.h>
 
 #ifdef __cplusplus
 extern "C" {
diff -Naur openswan-2/linux/lib/zlib/adler32.c openswan-2.nate/linux/lib/zlib/adler32.c
--- openswan-2/linux/lib/zlib/adler32.c	2002-04-24 02:55:32.000000000 -0500
+++ openswan-2.nate/linux/lib/zlib/adler32.c	2004-07-01 13:53:50.000000000 -0500
@@ -6,7 +6,7 @@
 /* @(#) $Id: adler32.c,v 1.4 2002/04/24 07:55:32 mcr Exp $ */
 
 #include <zlib/zlib.h>
-#include "zconf.h"
+#include <zlib/zconf.h>
 
 #define BASE 65521L /* largest prime smaller than 65536 */
 #define NMAX 5552
-------------- next part --------------
diff -Naur openswan-2/linux/include/openswan/ipsec_kern24.h openswan-2.nate/linux/include/openswan/ipsec_kern24.h
--- openswan-2/linux/include/openswan/ipsec_kern24.h	1969-12-31 18:00:00.000000000 -0600
+++ openswan-2.nate/linux/include/openswan/ipsec_kern24.h	2004-07-01 14:01:33.000000000 -0500
@@ -0,0 +1,43 @@
+/*
+ * @(#) routines to makes kernel 2.4 compatible with 2.6 usage.
+
+ * Copyright (C) 2004 Michael Richardson <mcr at sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_kern24.h,v 1.1 2004/02/22 06:49:15 mcr Exp $
+ */
+
+#ifndef _IPSEC_KERN24_H
+
+#ifndef NET_26
+#define sk_receive_queue  receive_queue
+#define sk_destruct       destruct
+#define sk_reuse          reuse
+#define sk_zapped         zapped
+#define sk_family         family
+#define sk_protocol       protocol
+#define sk_protinfo       protinfo
+#define sk_sleep          sleep
+#define sk_state_change   state_change
+#define sk_shutdown       shutdown
+#define sk_err            err
+#define sk_stamp          stamp
+#define sk_socket         socket
+#define sk_sndbuf         sndbuf
+#define sock_flag(sk, flag)  sk->dead
+#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next)
+#endif
+
+#define _IPSEC_KERN24_H 1
+
+#endif /* _IPSEC_KERN24_H */
+
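Review bot: The 2.4 fallback `#define sock_flag(sk, flag)  sk->dead` discards its `flag` argument, so a caller that tests any flag other than the dead flag silently gets the value of `sk->dead` instead. Its arguments are also unparenthesized, as are those of `sk_for_each`, so an expression argument can bind wrongly. I would write `#define sock_flag(sk, flag) ((sk)->dead)` and add a comment such as `/* 2.4 shim: only valid for SOCK_DEAD; other flags are not mapped */`. The header would also benefit from a one-line note that it must be included after ipsec_kversion.h, since every mapping depends on `NET_26` being decided first.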
diff -Naur openswan-2/linux/include/openswan/ipsec_kversion.h openswan-2.nate/linux/include/openswan/ipsec_kversion.h
--- openswan-2/linux/include/openswan/ipsec_kversion.h	2004-07-01 13:59:00.000000000 -0500
+++ openswan-2.nate/linux/include/openswan/ipsec_kversion.h	2004-07-01 14:01:33.000000000 -0500
@@ -108,6 +108,7 @@
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
 #define HAVE_NETDEV_PRINTK 1
+#define NET_26
 #endif
 
 #ifdef NET_21
@@ -129,7 +130,11 @@
 #endif /* NET_21 */
 
 #ifdef NETDEV_23
-# define device net_device
+#if 0
+#ifndef NETDEV_25
+#define device net_device
+#endif
+#endif
 # define ipsec_dev_get dev_get_by_name
 # define __ipsec_dev_get __dev_get_by_name
 # define ipsec_dev_put(x) dev_put(x)
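Review bot: The `device` to `net_device` alias is disabled by wrapping it in `#if 0`, which leaves a dead nested `#ifndef NETDEV_25` block that no longer documents anything. Deleting the lines, or replacing them with a short comment such as `/* callers now name struct net_device directly; no alias needed */`, would be clearer. With the alias gone, every supported kernel must declare `struct net_device` itself; that holds for the `NETDEV_23` case this block sits in, but the files patched elsewhere in this series use the new name unconditionally, so it is worth confirming no older target is still built.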
diff -Naur openswan-2/linux/include/openswan/ipsec_rcv.h openswan-2.nate/linux/include/openswan/ipsec_rcv.h
--- openswan-2/linux/include/openswan/ipsec_rcv.h	2004-07-01 13:59:00.000000000 -0500
+++ openswan-2.nate/linux/include/openswan/ipsec_rcv.h	2004-07-01 14:01:33.000000000 -0500
@@ -123,7 +123,7 @@
 #ifdef NET_21
 	  unsigned short xlen);
 #else /* NET_21 */
-	  struct device *dev,
+	  struct net_device *dev,
 	  struct options *opt, 
 	  __u32 daddr,
 	  unsigned short len,
diff -Naur openswan-2/linux/include/openswan/ipsec_tunnel.h openswan-2.nate/linux/include/openswan/ipsec_tunnel.h
--- openswan-2/linux/include/openswan/ipsec_tunnel.h	2004-07-01 13:59:00.000000000 -0500
+++ openswan-2.nate/linux/include/openswan/ipsec_tunnel.h	2004-07-01 14:01:33.000000000 -0500
@@ -70,13 +70,13 @@
 struct ipsecpriv
 {
 	struct sk_buff_head sendq;
-	struct device *dev;
+	struct net_device *dev;
 	struct wait_queue *wait_queue;
 	char locked;
 	int  (*hard_start_xmit) (struct sk_buff *skb,
-		struct device *dev);
+		struct net_device *dev);
 	int  (*hard_header) (struct sk_buff *skb,
-		struct device *dev,
+		struct net_device *dev,
 		unsigned short type,
 		void *daddr,
 		void *saddr,
@@ -84,23 +84,27 @@
 #ifdef NET_21
 	int  (*rebuild_header)(struct sk_buff *skb);
 #else /* NET_21 */
-	int  (*rebuild_header)(void *buff, struct device *dev,
+	int  (*rebuild_header)(void *buff, struct net_device *dev,
 			unsigned long raddr, struct sk_buff *skb);
 #endif /* NET_21 */
-	int  (*set_mac_address)(struct device *dev, void *addr);
+	int  (*set_mac_address)(struct net_device *dev, void *addr);
 #ifndef NET_21
-	void (*header_cache_bind)(struct hh_cache **hhp, struct device *dev,
-				 unsigned short htype, __u32 daddr);
+	void (*header_cache_bind)(struct hh_cache **hhp
+				 , struct net_device *dev
+				 , unsigned short htype
+				 , __u32 daddr);
 #endif /* !NET_21 */
-	void (*header_cache_update)(struct hh_cache *hh, struct device *dev, unsigned char *  haddr);
-	struct net_device_stats *(*get_stats)(struct device *dev);
+	void (*header_cache_update)(struct hh_cache *hh
+				   , struct net_device *dev
+				   , unsigned char *  haddr);
+	struct net_device_stats *(*get_stats)(struct net_device *dev);
 	struct net_device_stats mystats;
 	int mtu;	/* What is the desired MTU? */
 };
 
 extern char ipsec_tunnel_c_version[];
 
-extern struct device *ipsecdevices[IPSEC_NUM_IF];
+extern struct net_device *ipsecdevices[IPSEC_NUM_IF];
 
 int ipsec_tunnel_init_devices(void);
 
@@ -108,7 +112,8 @@
 
 extern /* void */ int ipsec_init(void);
 
-extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev);
+extern int ipsec_tunnel_start_xmit(struct sk_buff *skb
+				  , struct net_device *dev);
 
 #ifdef CONFIG_IPSEC_DEBUG
 extern int debug_tunnel;
diff -Naur openswan-2/linux/include/openswan/ipsec_xmit.h openswan-2.nate/linux/include/openswan/ipsec_xmit.h
--- openswan-2/linux/include/openswan/ipsec_xmit.h	2004-07-01 13:59:00.000000000 -0500
+++ openswan-2.nate/linux/include/openswan/ipsec_xmit.h	2004-07-01 14:01:33.000000000 -0500
@@ -56,7 +56,7 @@
 struct ipsec_xmit_state
 {
 	struct sk_buff *skb;		/* working skb pointer */
-	struct device *dev;		/* working dev pointer */
+	struct net_device *dev;		/* working dev pointer */
 	struct ipsecpriv *prv;		/* Our device' private space */
 	struct sk_buff *oskb;		/* Original skb pointer */
 	struct net_device_stats *stats;	/* This device's statistics */
@@ -87,8 +87,8 @@
 	size_t sa_len;
 	int hard_header_stripped;	/* has the hard header been removed yet? */
 	int hard_header_len;
-	struct device *physdev;
-/*	struct device *virtdev; */
+	struct net_device *physdev;
+/*	struct net_device *virtdev; */
 	short physmtu;
 	short mtudiff;
 #ifdef NET_21
diff -Naur openswan-2/linux/include/openswan.h openswan-2.nate/linux/include/openswan.h
--- openswan-2/linux/include/openswan.h	2004-07-01 13:58:59.000000000 -0500
+++ openswan-2.nate/linux/include/openswan.h	2004-07-01 14:01:33.000000000 -0500
@@ -151,6 +151,7 @@
 #		define	SPI_HOLD	259
 #		define	SPI_TRAP	260
 #		define  SPI_TRAPSUBNET  261
+#		define  SPI_PASSTRAP	262
 	int proto;		/* C. protocol */
 #		define	SA_ESP	50	/* IPPROTO_ESP */
 #		define	SA_AH	51	/* IPPROTO_AH */
diff -Naur openswan-2/linux/include/pfkey.h openswan-2.nate/linux/include/pfkey.h
--- openswan-2/linux/include/pfkey.h	2004-07-01 13:58:59.000000000 -0500
+++ openswan-2.nate/linux/include/pfkey.h	2004-07-01 14:01:33.000000000 -0500
@@ -25,7 +25,6 @@
 extern /* void */ int pfkey_init(void);
 extern /* void */ int pfkey_cleanup(void);
 
-extern struct sock *pfkey_sock_list;
 struct socket_list
 {
 	struct socket *socketp;
@@ -142,7 +141,7 @@
 	struct sock	*sk;
 };
 
-#define key_pid(sk) ((struct key_opt*)&((sk)->protinfo))->key_pid
+#define key_pid(sk) ((struct key_opt*)&((sk)->sk_protinfo))->key_pid
 
 /* XXX-mcr this is not an alignment, this is because the count is in 64-bit
  * words.
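Review bot: `key_pid()` now dereferences `sk_protinfo`, which on a 2.4 kernel exists only through the `#define sk_protinfo protinfo` mapping in the new ipsec_kern24.h, and nothing visible in this hunk includes that header. If pfkey.h is included by a file that has not already pulled in ipsec_kern24.h, the macro expands to a member that 2.4's `struct sock` does not have. Including the compatibility header from pfkey.h itself, or adding a comment above the macro stating the dependency, would make this robust against include order.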
diff -Naur openswan-2/linux/net/ipsec/ipsec_ah.c openswan-2.nate/linux/net/ipsec/ipsec_ah.c
--- openswan-2/linux/net/ipsec/ipsec_ah.c	2004-07-01 13:59:02.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_ah.c	2004-07-01 14:01:34.000000000 -0500
@@ -36,6 +36,7 @@
 #include <linux/etherdevice.h>	/* eth_type_trans */
 #include <linux/ip.h>		/* struct iphdr */
 #include <linux/skbuff.h>
+#include <net/protocol.h>
 #include <openswan.h>
 #ifdef SPINLOCK
 # ifdef SPINLOCK_23
@@ -336,6 +337,12 @@
 	},
 };
 
+#ifdef NET_26
+struct inet_protocol ah_protocol = {
+	.handler = ipsec_rcv,
+	.no_policy = 1,
+};
+#else
 struct inet_protocol ah_protocol =
 {
 	ipsec_rcv,				/* AH handler */
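Review bot: The NET_26 initializer sets `.no_policy = 1` without saying why, and the same applies to `esp_protocol` in ipsec_esp.c. On 2.6 this field makes the IP stack skip its own inbound policy check before calling the handler, so KLIPS' own checks become the only gate for AH/ESP packets. A comment such as `/* native policy check skipped: ipsec_rcv enforces KLIPS inbound policy itself */` would record that dependency, assuming that is the intent. It is also worth confirming that `ipsec_rcv` is built with the single-`skb` prototype whenever `NET_26` is defined; ipsec_rcv.c selects its signature with `PROTO_HANDLER_SINGLE_PARM`, which is set outside what this patch shows.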
@@ -350,6 +357,7 @@
 	"AH"				/* name */
 #endif
 };
+#endif
 
 #endif /* CONFIG_IPSEC_AH */
 
diff -Naur openswan-2/linux/net/ipsec/ipsec_alg.c openswan-2.nate/linux/net/ipsec/ipsec_alg.c
--- openswan-2/linux/net/ipsec/ipsec_alg.c	2004-07-01 13:59:02.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_alg.c	2004-07-01 14:01:34.000000000 -0500
@@ -89,13 +89,13 @@
  */
 static void __ipsec_alg_usage_inc(struct ipsec_alg *ixt) {
 	if (ixt->ixt_module)
-		__MOD_INC_USE_COUNT(ixt->ixt_module);
+		MOD_INC_USE_COUNT;
 	atomic_inc(&ixt->ixt_refcnt);
 }
 static void __ipsec_alg_usage_dec(struct ipsec_alg *ixt) {
 	atomic_dec(&ixt->ixt_refcnt);
 	if (ixt->ixt_module)
-		__MOD_DEC_USE_COUNT(ixt->ixt_module);
+		MOD_DEC_USE_COUNT;
 }
 /*
  * 	simple hash function, optimized for 0-hash (1 list) special
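Review bot: Replacing `__MOD_INC_USE_COUNT(ixt->ixt_module)` with `MOD_INC_USE_COUNT` changes which module is pinned: the bare macro counts the module containing this code, not the algorithm module that `ixt` belongs to, although the call is still guarded by `if (ixt->ixt_module)`. The algorithm module can then be unloaded while `ixt_refcnt` is non-zero, and later calls through `ixt` would run in freed module memory. On 2.6 the per-module form is `try_module_get(ixt->ixt_module)` in the increment path and `module_put(ixt->ixt_module)` in the decrement path, with the 2.4 macros kept under the version guard. `try_module_get()` can fail, so `__ipsec_alg_usage_inc` would need to report that to its callers, which are outside this hunk.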
diff -Naur openswan-2/linux/net/ipsec/ipsec_esp.c openswan-2.nate/linux/net/ipsec/ipsec_esp.c
--- openswan-2/linux/net/ipsec/ipsec_esp.c	2004-07-01 13:59:03.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_esp.c	2004-07-01 14:01:34.000000000 -0500
@@ -51,6 +51,7 @@
 #endif /* NET21 */
 #include <asm/checksum.h>
 #include <net/ip.h>
+#include <net/protocol.h>
 
 #include "openswan/radij.h"
 #include "openswan/ipsec_encap.h"
@@ -528,6 +529,12 @@
 	},
 };
 
+#ifdef NET_26
+struct inet_protocol esp_protocol = {
+  .handler = ipsec_rcv,
+  .no_policy = 1,
+};
+#else
 struct inet_protocol esp_protocol =
 {
 	ipsec_rcv,			/* ESP handler		*/
@@ -543,7 +550,7 @@
 #endif
 };
 
-
+#endif /* !NET_26 */
 
 #endif /* !CONFIG_IPSEC_ESP */
 
diff -Naur openswan-2/linux/net/ipsec/ipsec_init.c openswan-2.nate/linux/net/ipsec/ipsec_init.c
--- openswan-2/linux/net/ipsec/ipsec_init.c	2004-07-01 13:59:03.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_init.c	2004-07-01 14:01:34.000000000 -0500
@@ -24,6 +24,8 @@
 #include <linux/version.h>
 #include <linux/module.h>
 #include <linux/kernel.h> /* printk() */
+#include <linux/skbuff.h>
+#include <net/protocol.h>
 
 #include "openswan/ipsec_param.h"
 
@@ -40,7 +42,6 @@
 #include <linux/etherdevice.h> /* eth_type_trans */
 #include <linux/ip.h>          /* struct iphdr */
 #include <linux/in.h>          /* struct sockaddr_in */
-#include <linux/skbuff.h>
 #include <linux/random.h>       /* get_random_bytes() */
 #include <openswan.h>
 
@@ -158,8 +159,13 @@
 int
 ipsec_init(void)
 {
+	static int inited=0;
 	int error = 0;
 	unsigned char seed[256];
+
+	if(inited) return 0;
+	inited++;
+
 #ifdef CONFIG_IPSEC_ENC_3DES
 	extern int des_check_key;
 
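Review bot: The new `inited` guard is set before any initialization has run, so if a later step in `ipsec_init` fails and returns an error, every subsequent call returns 0 and reports success for a subsystem that never came up. I would set the flag only on the success path, or undo it with `if (error) inited = 0;` just before the final `return error;`, which lies outside this hunk. The check and the increment are also not atomic; that is acceptable only if all callers are serialized at module or boot init, which deserves a comment such as `/* callers are serialized at init time; not safe for concurrent use */`.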
@@ -286,9 +292,8 @@
 	return error;
 }
 
-#ifdef MODULE
-int
-init_module(void)
+static int
+init_ipsec(void)
 {
 	int error = 0;
 
@@ -297,8 +302,8 @@
 	return error;
 }
 
-int
-cleanup_module(void)
+static void
+exit_ipsec(void)
 {
 	int error = 0;
 
@@ -310,10 +315,10 @@
 
 	KLIPS_PRINT(1, "klips_info:cleanup_module: "
 		    "ipsec module unloaded.\n");
-
-	return error;
 }
-#endif /* MODULE */
+
+module_init(init_ipsec)
+module_exit(exit_ipsec)
 
 /*
  * $Log: ipsec_init.c,v $
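Review bot: `module_init(init_ipsec)` and `module_exit(exit_ipsec)` are written without a terminating semicolon; kernel convention is `module_init(init_ipsec);` and `module_exit(exit_ipsec);`, which also avoids relying on how the macros happen to expand. `exit_ipsec` now returns void, so whatever its `error` local collects from the cleanup call is silently dropped. The cleanup call itself is outside this hunk, but a failure there should at least be logged. The unload message still names `cleanup_module`, which no longer exists after this change.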
diff -Naur openswan-2/linux/net/ipsec/ipsec_mast.c openswan-2.nate/linux/net/ipsec/ipsec_mast.c
--- openswan-2/linux/net/ipsec/ipsec_mast.c	2004-07-01 13:59:03.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_mast.c	2004-07-01 14:01:34.000000000 -0500
@@ -74,7 +74,7 @@
 int ipsec_maxdevice_count = -1;
 
 DEBUG_NO_STATIC int
-ipsec_mast_open(struct device *dev)
+ipsec_mast_open(struct net_device *dev)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -95,7 +95,7 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_mast_close(struct device *dev)
+ipsec_mast_close(struct net_device *dev)
 {
 	MOD_DEC_USE_COUNT;
 	return 0;
@@ -215,7 +215,9 @@
  *	and that skb is filled properly by that function.
  */
 int
-ipsec_mast_start_xmit(struct sk_buff *skb, struct device *dev, IPsecSAref_t SAref)
+ipsec_mast_start_xmit(struct sk_buff *skb
+		     , struct net_device *dev
+		     , IPsecSAref_t SAref)
 {
 	struct ipsec_xmit_state ixs_mem;
 	struct ipsec_xmit_state *ixs = &ixs_mem;
@@ -241,7 +243,7 @@
 #endif
 
 DEBUG_NO_STATIC struct net_device_stats *
-ipsec_mast_get_stats(struct device *dev)
+ipsec_mast_get_stats(struct net_device *dev)
 {
 	return &(((struct ipsecpriv *)(dev->priv))->mystats);
 }
@@ -252,11 +254,15 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_mast_hard_header(struct sk_buff *skb, struct device *dev,
-	unsigned short type, void *daddr, void *saddr, unsigned len)
+ipsec_mast_hard_header(struct sk_buff *skb
+		      , struct net_device *dev,
+		      , unsigned short type
+		      , void *daddr
+		      , void *saddr
+		      , unsigned len)
 {
 	struct ipsecpriv *prv = dev->priv;
-	struct device *tmp;
+	struct net_device *tmp;
 	int ret;
 	struct net_device_stats *stats;	/* This device's statistics */
 	
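Review bot: The reflowed parameter list of `ipsec_mast_hard_header` keeps a trailing comma on `, struct net_device *dev,` and then starts the next line with another comma, giving `dev, , unsigned short type`, which does not compile. The line should read `		      , struct net_device *dev` like the other leading-comma parameters. This suggests ipsec_mast.c was not built with these changes, so the remaining renames in the file have probably not been compile-checked either.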
@@ -329,7 +335,7 @@
 			return -ENODEV;
 		}
 		
-#define da ((struct device *)(prv->dev))->dev_addr
+#define da ((struct net_device *)(prv->dev))->dev_addr
 		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
 			    "klips_debug:ipsec_mast_hard_header: "
 			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
@@ -360,7 +366,7 @@
 ipsec_mast_rebuild_header(struct sk_buff *skb)
 {
 	struct ipsecpriv *prv = skb->dev->priv;
-	struct device *tmp;
+	struct net_device *tmp;
 	int ret;
 	struct net_device_stats *stats;	/* This device's statistics */
 	
@@ -420,7 +426,7 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_mast_set_mac_address(struct device *dev, void *addr)
+ipsec_mast_set_mac_address(struct net_device *dev, void *addr)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -469,7 +475,9 @@
 }
 
 DEBUG_NO_STATIC void
-ipsec_mast_cache_update(struct hh_cache *hh, struct device *dev, unsigned char *  haddr)
+ipsec_mast_cache_update(struct hh_cache *hh
+		       , struct net_device *dev
+		       , unsigned char *  haddr)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -530,7 +538,8 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_mast_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
+ipsec_mast_neigh_setup_dev(struct net_device *dev
+		          , struct neigh_parms *p)
 {
 	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
 		    "klips_debug:ipsec_mast_neigh_setup_dev: "
@@ -550,7 +559,8 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_mast_attach(struct device *dev, struct device *physdev)
+ipsec_mast_attach(struct net_device *dev
+		 , struct net_device *physdev)
 {
         int i;
 	struct ipsecpriv *prv = dev->priv;
@@ -633,7 +643,7 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_mast_detach(struct device *dev)
+ipsec_mast_detach(struct net_device *dev)
 {
         int i;
 	struct ipsecpriv *prv = dev->priv;
@@ -710,7 +720,7 @@
 ipsec_mast_clear(void)
 {
 	int i;
-	struct device *ipsecdev = NULL, *prvdev;
+	struct net_device *ipsecdev = NULL, *prvdev;
 	struct ipsecpriv *prv;
 	char name[9];
 	int ret;
@@ -722,7 +732,7 @@
 		sprintf(name, IPSEC_DEV_FORMAT, i);
 		if((ipsecdev = ipsec_dev_get(name)) != NULL) {
 			if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
-				prvdev = (struct device *)(prv->dev);
+				prvdev = (struct net_device *)(prv->dev);
 				if(prvdev) {
 					KLIPS_PRINT(debug_mast & DB_MAST_INIT,
 						    "klips_debug:ipsec_mast_clear: "
@@ -743,11 +753,12 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_mast_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
+ipsec_mast_ioctl(struct net_device *dev
+		, struct ifreq *ifr, int cmd)
 {
 	struct ipsecmastconf *cf = (struct ipsecmastconf *)&ifr->ifr_data;
 	struct ipsecpriv *prv = dev->priv;
-	struct device *them; /* physical device */
+	struct net_device *them; /* physical device */
 #ifdef CONFIG_IP_ALIAS
 	char *colon;
 	char realphysname[IFNAMSIZ];
@@ -839,8 +850,8 @@
 int
 ipsec_mast_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
 {
-	struct device *dev = ptr;
-	struct device *ipsec_dev;
+	struct net_device *dev = ptr;
+	struct net_device *ipsec_dev;
 	struct ipsecpriv *priv;
 	char name[9];
 	int i;
@@ -893,7 +904,7 @@
 				priv = (struct ipsecpriv *)(ipsec_dev->priv);
 				if(priv) {
 					;
-					if(((struct device *)(priv->dev)) == dev) {
+					if(((struct net_device *)(priv->dev)) == dev) {
 						/* dev_close(ipsec_dev); */
 						/* return */ ipsec_mast_detach(ipsec_dev);
 						KLIPS_PRINT(debug_mast & DB_MAST_INIT,
@@ -978,7 +989,7 @@
  */
  
 int
-ipsec_mast_init(struct device *dev)
+ipsec_mast_init(struct net_device *dev)
 {
 	int i;
 
@@ -1030,7 +1041,7 @@
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 int
-ipsec_mast_probe(struct device *dev)
+ipsec_mast_probe(struct net_device *dev)
 {
 	ipsec_mast_init(dev); 
 	return 0;
@@ -1049,7 +1060,7 @@
 	int error = 0;
 	int i;
 	char name[10];
-	struct device *dev_mast;
+	struct net_device *dev_mast;
 	
 	for(i = 0; i < ipsec_mastdevice_count; i++) {
 		sprintf(name, MAST_DEV_FORMAT, i);
diff -Naur openswan-2/linux/net/ipsec/ipsec_proc.c openswan-2.nate/linux/net/ipsec/ipsec_proc.c
--- openswan-2/linux/net/ipsec/ipsec_proc.c	2004-07-01 13:59:03.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_proc.c	2004-07-01 14:01:34.000000000 -0500
@@ -531,7 +531,7 @@
 	off_t begin = 0;
 	int i;
 	char name[9];
-	struct device *dev, *privdev;
+	struct net_device *dev, *privdev;
 	struct ipsecpriv *priv;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
@@ -550,7 +550,7 @@
 			len += ipsec_snprintf(buffer+len, length-len, "%s",
 				       dev->name);
 			if(priv) {
-				privdev = (struct device *)(priv->dev);
+				privdev = (struct net_device *)(priv->dev);
 				len += ipsec_snprintf(buffer+len, length-len, " -> %s",
 					       privdev ? privdev->name : "NULL");
 				len += ipsec_snprintf(buffer+len, length-len, " mtu=%d(%d) -> %d",
diff -Naur openswan-2/linux/net/ipsec/ipsec_rcv.c openswan-2.nate/linux/net/ipsec/ipsec_rcv.c
--- openswan-2/linux/net/ipsec/ipsec_rcv.c	2004-07-01 13:59:03.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_rcv.c	2004-07-01 14:01:34.000000000 -0500
@@ -89,7 +89,8 @@
 int sysctl_ipsec_inbound_policy_check = 1;
 
 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-#include <linux/udp.h>
+#include <net/udp.h>
+#include <net/tcp.h>
 #endif
 
 #ifdef CONFIG_IPSEC_DEBUG
@@ -748,22 +749,24 @@
 #ifdef NET_21
 ipsec_rcv(struct sk_buff *skb, unsigned short xlen)
 #else /* NET_21 */
-ipsec_rcv(struct sk_buff *skb, struct device *dev, struct options *opt,
-		__u32 daddr_unused, unsigned short xlen, __u32 saddr,
+ipsec_rcv(struct sk_buff *skb
+	 , struct net_device *dev
+	 , struct options *opt
+	 , __u32 daddr_unused, unsigned short xlen, __u32 saddr,
 				   int redo, struct inet_protocol *protocol)
 #endif /* NET_21 */
 #endif /* PROTO_HANDLER_SINGLE_PARM */
 {
 #ifdef NET_21
 #ifdef CONFIG_IPSEC_DEBUG
-	struct device *dev = skb->dev;
+	struct net_device *dev = skb->dev;
 #endif /* CONFIG_IPSEC_DEBUG */
 #endif /* NET_21 */
 	unsigned char protoc;
 	struct iphdr *ipp;
 	struct ipsec_sa *ipsp = NULL;
 	struct net_device_stats *stats = NULL;		/* This device's statistics */
-	struct device *ipsecdev = NULL, *prvdev;
+	struct net_device *ipsecdev = NULL, *prvdev;
 	struct ipsecpriv *prv;
 	char name[9];
 	int i;
@@ -1037,7 +1040,7 @@
 					    name);
 			}
 			prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
-			prvdev = prv ? (struct device *)(prv->dev) : NULL;
+			prvdev = prv ? (struct net_device *)(prv->dev) : NULL;
 
 #if 0
 			KLIPS_PRINT(debug_rcv && prvdev,
diff -Naur openswan-2/linux/net/ipsec/ipsec_tunnel.c openswan-2.nate/linux/net/ipsec/ipsec_tunnel.c
--- openswan-2/linux/net/ipsec/ipsec_tunnel.c	2004-07-01 13:59:04.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/ipsec_tunnel.c	2004-07-01 14:01:34.000000000 -0500
@@ -32,12 +32,12 @@
 #include <linux/errno.h>  /* error codes */
 #include <linux/types.h>  /* size_t */
 #include <linux/interrupt.h> /* mark_bh */
+#include <net/tcp.h>
+#include <net/udp.h>
 
 #include <linux/netdevice.h>   /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
 #include <linux/etherdevice.h> /* eth_type_trans */
 #include <linux/ip.h>          /* struct iphdr */
-#include <linux/tcp.h>         /* struct tcphdr */
-#include <linux/udp.h>         /* struct udphdr */
 #include <linux/skbuff.h>
 #include <openswan.h>
 #ifdef NET_21
@@ -80,6 +80,11 @@
 #include <linux/udp.h>
 #endif
 
+#ifndef TRUE
+#define TRUE 1
+#define FALSE 0
+#endif
+
 static __u32 zeroes[64];
 
 #ifdef CONFIG_IPSEC_DEBUG
@@ -87,7 +92,7 @@
 #endif /* CONFIG_IPSEC_DEBUG */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_open(struct device *dev)
+ipsec_tunnel_open(struct net_device *dev)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -98,7 +103,8 @@
 	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 		    "klips_debug:ipsec_tunnel_open: "
 		    "dev = %s, prv->dev = %s\n",
-		    dev->name, prv->dev?prv->dev->name:"NONE");
+		    dev->name,
+		    prv->dev?prv->dev->name:"NONE");
 
 	if (prv->dev == NULL)
 		return -ENODEV;
@@ -108,7 +114,7 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_close(struct device *dev)
+ipsec_tunnel_close(struct net_device *dev)
 {
 	MOD_DEC_USE_COUNT;
 	return 0;
@@ -179,6 +185,10 @@
 enum ipsec_xmit_value
 ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
 {
+	unsigned int bypass;
+
+	bypass = FALSE;
+
 	/*
 	 * First things first -- look us up in the erouting tables.
 	 */
@@ -198,27 +208,102 @@
 	
 	ixs->eroute = ipsec_findroute(&ixs->matcher);
 
-	if(ixs->iph->protocol == IPPROTO_UDP) {
+ 	/* extract information for later */
+ 	if(ixs->iph->protocol == IPPROTO_UDP) {
+		struct udphdr *t = NULL;
+
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:udp port check: "
+			    "fragoff: %d len: %d>%d \n",
+			    ntohs(ixs->iph->frag_off) & IP_OFFSET,
+			    (ixs->skb->len - ixs->hard_header_len),
+			    (ixs->iph->ihl << 2) + sizeof(struct udphdr));
+		
+		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
+		   ((ixs->skb->len - ixs->hard_header_len) >=
+		    ((ixs->iph->ihl << 2) + sizeof(struct udphdr))))
+		{
+			t =((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:udp port in packet: "
+				    "port %d -> %d\n",
+				    ntohs(t->source), ntohs(t->dest));
+		}
+
+		ixs->sport=0; ixs->dport=0;
+
 		if(ixs->skb->sk) {
-			ixs->sport=ntohs(ixs->skb->sk->sport);
-			ixs->dport=ntohs(ixs->skb->sk->dport);
-		} else if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
-			  ((ixs->skb->len - ixs->hard_header_len) >=
-			   ((ixs->iph->ihl << 2) + sizeof(struct udphdr)))) {
-			ixs->sport=ntohs(((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)))->source);
-			ixs->dport=ntohs(((struct udphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl<<2)))->dest);
-		} else {
-			ixs->sport=0; ixs->dport=0;
+#ifdef NET_26
+			struct udp_sock *us;
+			
+			us = (struct udp_sock *)ixs->skb->sk;
+
+			ixs->sport = ntohs(us->inet.sport);
+			ixs->dport = ntohs(us->inet.dport);
+#else
+			ixs->sport = ntohs(ixs->skb->sk->sport);
+			ixs->dport = ntohs(ixs->skb->sk->dport);
+#endif
+
+		} 
+
+		if(t != NULL) {
+			if(ixs->sport == 0) {
+				ixs->sport = ntohs(t->source);
+			}
+			if(ixs->dport == 0) {
+				ixs->dport = ntohs(t->dest);
+			}
 		}
 	}
+	
+	/*
+	 * practically identical to above, but let's be careful about
+	 * tcp vs udp headers
+	 */
+	if(ixs->iph->protocol == IPPROTO_TCP) {
+		struct tcphdr *t = NULL;
 
+		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
+		   ((ixs->skb->len - ixs->hard_header_len) >=
+		    ((ixs->iph->ihl << 2) + sizeof(struct tcphdr)))) {
+			t =((struct tcphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
+		}
+
+		ixs->sport=0; ixs->dport=0;
+
+		if(ixs->skb->sk) {
+#ifdef NET_26
+			struct tcp_tw_bucket *tw;
+			
+			tw = (struct tcp_tw_bucket *)ixs->skb->sk;
+
+			ixs->sport = ntohs(tw->tw_sport);
+			ixs->dport = ntohs(tw->tw_dport);
+#else
+			ixs->sport = ntohs(ixs->skb->sk->sport);
+			ixs->dport = ntohs(ixs->skb->sk->dport);
+#endif
+		} 
+
+		if(t != NULL) {
+			if(ixs->sport == 0) {
+				ixs->sport = ntohs(t->source);
+			}
+			if(ixs->dport == 0) {
+				ixs->dport = ntohs(t->dest);
+			}
+		}
+	}
+	
 	/* default to a %drop eroute */
 	ixs->outgoing_said.proto = IPPROTO_INT;
 	ixs->outgoing_said.spi = htonl(SPI_DROP);
 	ixs->outgoing_said.dst.u.v4.sin_addr.s_addr = INADDR_ANY;
+
 	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 		    "klips_debug:ipsec_xmit_SAlookup: "
-		    "checking for local udp/500 IKE packet "
+		    "checking for local udp/500 IKE packet or local DNS "
 		    "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
 		    ntohl((unsigned int)ixs->iph->saddr),
 		    ixs->eroute,
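Review bot: In the NET_26 TCP branch `ixs->skb->sk` is cast to `struct tcp_tw_bucket *` and the ports are read from `tw_sport`/`tw_dport`, but nothing in the hunk shows that the socket is a TIME_WAIT bucket. An skb on the transmit path is normally owned by a full socket, so these fields may be read from unrelated offsets. Because `sport`/`dport` feed the udp/500 and port-53 pass-through checks later in the function, a wrong value can select the wrong treatment for the packet. Reading the ports the same way for both protocols, e.g. `ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);` with the matching `dport` line (assuming the target 2.6 tree provides `inet_sk()`), removes the dependence on struct layout and lets the duplicated UDP and TCP blocks share one helper. Separately, the third value passed to the new "udp port check" debug print has type `size_t` because of `sizeof(struct udphdr)` but is formatted with `%d`; cast it to `int`.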
@@ -229,33 +314,90 @@
 		    ixs->dport); 
 
 	/*
-	 * Quick cheat for now...are we udp/500? If so, let it through
+	 * cheat for now...are we udp/500? If so, let it through
 	 * without interference since it is most likely an IKE packet.
 	 */
 
 	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
-	    && (!ixs->eroute
+	    && (ixs->eroute==NULL
 		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
 		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
 
-	    && ((ixs->sport == 500) || (ixs->sport == 4500))) {
+	    && ((ixs->iph->protocol == IPPROTO_UDP) && ((ixs->sport == 500) || (ixs->sport == 4500)))) {
 		/* Whatever the eroute, this is an IKE message
 		 * from us (i.e. not being forwarded).
 		 * Furthermore, if there is a tunnel eroute,
 		 * the destination is the peer for this eroute.
 		 * So %pass the packet: modify the default %drop.
 		 */
+
 		ixs->outgoing_said.spi = htonl(SPI_PASS);
 		if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 				    "klips_debug:ipsec_xmit_SAlookup: "
 				    "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
 		}
-	} else if (ixs->eroute) {
+ 		bypass = TRUE;
+ 	}
+ 
+ 	/*
+ 	 *
+ 	 * if we are udp/53 or tcp/53, also let it through a %trap or %hold,
+ 	 * since it is DNS, but *also* follow the %trap.
+ 	 * 
+ 	 * we do not do this for tunnels, only %trap's and %hold's.
+ 	 *
+ 	 */
+ 
+ 	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
+ 	    && (ixs->eroute==NULL
+ 		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
+ 		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
+ 	    && ((ixs->iph->protocol == IPPROTO_UDP
+ 		 || ixs->iph->protocol == IPPROTO_TCP)
+ 		&& ixs->dport == 53)) {
+ 		
+ 		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ 			    "klips_debug:ipsec_xmit_SAlookup: "
+ 			    "possible DNS packet\n");
+ 
+ 		if(ixs->eroute)
+ 		{
+ 			if(ixs->eroute->er_said.spi == htonl(SPI_TRAP)
+ 			   || ixs->eroute->er_said.spi == htonl(SPI_HOLD))
+ 			{
+ 				ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
+ 				bypass = TRUE;
+ 			}
+ 		}
+ 		else
+ 		{
+ 			ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
+ 			bypass = TRUE;
+ 		}
+ 				
+ 		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ 			    "klips_debug:ipsec_xmit_SAlookup: "
+ 			    "bypass = %d\n", bypass);
+ 
+ 		if(bypass
+ 		   && !(ixs->skb->sk)
+ 		   && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0))
+ 		{
+ 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ 				    "klips_debug:ipsec_xmit_SAlookup: "
+ 				    "local port 53 (probably DNS) passthrough:"
+ 				    "base fragment, rest of fragments will "
+ 				    "probably get filtered.\n");
+ 		}
+ 	}
+ 
+ 	if (bypass==FALSE && ixs->eroute) {
 		ixs->eroute->er_count++;
 		ixs->eroute->er_lasttime = jiffies/HZ;
 		if(ixs->eroute->er_said.proto==IPPROTO_INT
-		   && ixs->eroute->er_said.spi==htonl(SPI_HOLD)) {
+		   && ixs->eroute->er_said.spi==htonl(SPI_HOLD))
+		{
 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 				    "klips_debug:ipsec_xmit_SAlookup: "
 				    "shunt SA of HOLD: skb stored in HOLD.\n");
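Review bot: The new port-53 branch sets `SPI_PASSTRAP` and `bypass` for any locally sourced UDP or TCP packet with destination port 53 when the eroute is a %trap/%hold or when there is no eroute at all, so traffic is exempted on port number alone. Before this change a non-IKE packet with no eroute kept the default `SPI_DROP`. How `SPI_PASSTRAP` is handled lies outside this hunk, but if it forwards the packet unprotected, anything a local process sends to port 53 leaves in the clear while negotiation is pending. I would gate the branch behind an administrator-controlled switch (ipsec_rcv.c already has `sysctl_ipsec_inbound_policy_check` as a pattern) and state the exposure in the block comment, e.g. `/* SECURITY: matched by port only; these packets are not protected by the pending SA */`. The adjacent literals ending `passthrough:` and starting `base fragment` also concatenate without a space in the log message.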
@@ -270,6 +412,7 @@
 		}
 		ixs->outgoing_said = ixs->eroute->er_said;
 		ixs->eroute_pid = ixs->eroute->er_pid;
+
 		/* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
 		if(ixs->outgoing_said.proto==IPPROTO_INT
 		   && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
@@ -279,7 +422,8 @@
 			ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
 			ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
 			ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
-			if (ixs->ips.ips_ident_s.len) {
+			if (ixs->ips.ips_ident_s.len)
+			{
 				len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_xmit_SAlookup: "
@@ -298,7 +442,8 @@
 			ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
 			ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
 			ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
-			if (ixs->ips.ips_ident_d.len) {
+			if (ixs->ips.ips_ident_d.len)
+			{
 				len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_xmit_SAlookup: "
@@ -542,7 +687,8 @@
  *	and that skb is filled properly by that function.
  */
 int
-ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
+ipsec_tunnel_start_xmit(struct sk_buff *skb
+		       , struct net_device *dev)
 {
 	struct ipsec_xmit_state ixs_mem;
 	struct ipsec_xmit_state *ixs = &ixs_mem;
@@ -642,7 +788,7 @@
 }
 
 DEBUG_NO_STATIC struct net_device_stats *
-ipsec_tunnel_get_stats(struct device *dev)
+ipsec_tunnel_get_stats(struct net_device *dev)
 {
 	return &(((struct ipsecpriv *)(dev->priv))->mystats);
 }
@@ -653,11 +799,11 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
+ipsec_tunnel_hard_header(struct sk_buff *skb, struct net_device *dev,
 	unsigned short type, void *daddr, void *saddr, unsigned len)
 {
 	struct ipsecpriv *prv = dev->priv;
-	struct device *tmp;
+	struct net_device *tmp;
 	int ret;
 	struct net_device_stats *stats;	/* This device's statistics */
 	
@@ -737,7 +883,7 @@
 			return -ENODEV;
 		}
 		
-#define da ((struct device *)(prv->dev))->dev_addr
+#define da ((struct net_device *)(prv->dev))->dev_addr
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_hard_header: "
 			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
@@ -775,12 +921,12 @@
 #ifdef NET_21
 ipsec_tunnel_rebuild_header(struct sk_buff *skb)
 #else /* NET_21 */
-ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
+ipsec_tunnel_rebuild_header(void *buff, struct net_device *dev,
 			unsigned long raddr, struct sk_buff *skb)
 #endif /* NET_21 */
 {
 	struct ipsecpriv *prv = skb->dev->priv;
-	struct device *tmp;
+	struct net_device *tmp;
 	int ret;
 	struct net_device_stats *stats;	/* This device's statistics */
 	
@@ -858,7 +1004,7 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
+ipsec_tunnel_set_mac_address(struct net_device *dev, void *addr)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -908,7 +1054,7 @@
 
 #ifndef NET_21
 DEBUG_NO_STATIC void
-ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
+ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct net_device *dev,
 				 unsigned short htype, __u32 daddr)
 {
 	struct ipsecpriv *prv = dev->priv;
@@ -960,7 +1106,7 @@
 
 
 DEBUG_NO_STATIC void
-ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char *  haddr)
+ipsec_tunnel_cache_update(struct hh_cache *hh, struct net_device *dev, unsigned char *  haddr)
 {
 	struct ipsecpriv *prv = dev->priv;
 	
@@ -1022,7 +1168,7 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
+ipsec_tunnel_neigh_setup_dev(struct net_device *dev, struct neigh_parms *p)
 {
 	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 		    "klips_debug:ipsec_tunnel_neigh_setup_dev: "
@@ -1043,7 +1189,7 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_attach(struct device *dev, struct device *physdev)
+ipsec_tunnel_attach(struct net_device *dev, struct net_device *physdev)
 {
         int i;
 	struct ipsecpriv *prv = dev->priv;
@@ -1136,7 +1282,7 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_detach(struct device *dev)
+ipsec_tunnel_detach(struct net_device *dev)
 {
         int i;
 	struct ipsecpriv *prv = dev->priv;
@@ -1162,7 +1308,6 @@
 		    prv->dev ? prv->dev->name : "NULL",
 		    dev->name);
 
-	ipsec_dev_put(prv->dev);
 	prv->dev = NULL;
 	prv->hard_start_xmit = NULL;
 	prv->get_stats = NULL;
@@ -1223,7 +1368,7 @@
 ipsec_tunnel_clear(void)
 {
 	int i;
-	struct device *ipsecdev = NULL, *prvdev;
+	struct net_device *ipsecdev = NULL, *prvdev;
 	struct ipsecpriv *prv;
 	char name[9];
 	int ret;
@@ -1232,10 +1377,10 @@
 		    "klips_debug:ipsec_tunnel_clear: .\n");
 
 	for(i = 0; i < IPSEC_NUM_IF; i++) {
-   	        ipsecdev = ipsecdevices[i];
-		if(ipsecdev != NULL) {
+		sprintf(name, IPSEC_DEV_FORMAT, i);
+		if((ipsecdev = ipsec_dev_get(name)) != NULL) {
 			if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
-				prvdev = (struct device *)(prv->dev);
+				prvdev = (struct net_device *)(prv->dev);
 				if(prvdev) {
 					KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 						    "klips_debug:ipsec_tunnel_clear: "
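Review bot: The device returned by `ipsec_dev_get(name)` in the rewritten loop head is not released anywhere in the visible part of the loop, and the neighbouring hunks in `ipsec_tunnel_detach` and `ipsec_tunnel_ioctl` delete the existing `ipsec_dev_put()` calls. Whether `ipsec_dev_get` takes a reference depends on its definition, which is not shown here; if it does, each iteration needs a matching `ipsec_dev_put(ipsecdev);` once the device has been handled, or the ipsec devices can never be unregistered cleanly. The added `sprintf` writes into `char name[9]`, so `snprintf(name, sizeof(name), IPSEC_DEV_FORMAT, i);` would keep a wider index from overrunning the buffer. The loop body continues past the end of the hunk.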
@@ -1256,11 +1401,11 @@
 }
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
+ipsec_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 {
 	struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
 	struct ipsecpriv *prv = dev->priv;
-	struct device *them; /* physical device */
+	struct net_device *them; /* physical device */
 #ifdef CONFIG_IP_ALIAS
 	char *colon;
 	char realphysname[IFNAMSIZ];
@@ -1300,7 +1445,6 @@
 				    "klips_debug:ipsec_tunnel_ioctl: "
 				    "physical device %s requested is null\n",
 				    cf->cf_name);
-			ipsec_dev_put(them);
 			return -ENXIO;
 		}
 		
@@ -1310,7 +1454,6 @@
 				    "klips_debug:ipsec_tunnel_ioctl: "
 				    "physical device %s requested is not up.\n",
 				    cf->cf_name);
-			ipsec_dev_put(them);
 			return -ENXIO;
 		}
 #endif
@@ -1320,7 +1463,6 @@
 				    "klips_debug:ipsec_tunnel_ioctl: "
 				    "virtual device is already connected to %s.\n",
 				    prv->dev->name ? prv->dev->name : "NULL");
-			ipsec_dev_put(them);
 			return -EBUSY;
 		}
 		return ipsec_tunnel_attach(dev, them);
@@ -1355,8 +1497,8 @@
 int
 ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
 {
-	struct device *dev = ptr;
-	struct device *ipsec_dev;
+	struct net_device *dev = ptr;
+	struct net_device *ipsec_dev;
 	struct ipsecpriv *priv;
 	int i;
 
@@ -1411,7 +1553,7 @@
 				priv = (struct ipsecpriv *)(ipsec_dev->priv);
 				if(priv) {
 					;
-					if(((struct device *)(priv->dev)) == dev) {
+					if(((struct net_device *)(priv->dev)) == dev) {
 						/* dev_close(ipsec_dev); */
 						/* return */ ipsec_tunnel_detach(ipsec_dev);
 						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
@@ -1498,7 +1640,7 @@
  */
  
 int
-ipsec_tunnel_init(struct device *dev)
+ipsec_tunnel_init(struct net_device *dev)
 {
 	int i;
 
@@ -1552,15 +1694,6 @@
 
 	/* New-style flags. */
 	dev->flags		= IFF_NOARP /* 0 */ /* Petr Novak */;
-#ifdef NET_21
-	dev_init_buffers(dev);
-#else /* NET_21 */
-	dev->family		= AF_INET;
-	dev->pa_addr		= 0;
-	dev->pa_brdaddr 	= 0;
-	dev->pa_mask		= 0;
-	dev->pa_alen		= 4;
-#endif /* NET_21 */
 
 	/* We're done.  Have I forgotten anything? */
 	return 0;
@@ -1571,31 +1704,33 @@
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 int
-ipsec_tunnel_probe(struct device *dev)
+ipsec_tunnel_probe(struct net_device *dev)
 {
 	ipsec_tunnel_init(dev); 
 	return 0;
 }
 
-struct device *ipsecdevices[IPSEC_NUM_IF];
+struct net_device *ipsecdevices[IPSEC_NUM_IF];
 
 int 
 ipsec_tunnel_init_devices(void)
 {
 	int i;
 	char name[IFNAMSIZ];
-	struct device *dev_ipsec;
+	struct net_device *dev_ipsec;
 	
 	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 		    "klips_debug:ipsec_tunnel_init_devices: "
 		    "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
 		    IPSEC_NUM_IF,
-		    (unsigned long) (sizeof(struct device) + IFNAMSIZ),
+		    (unsigned long) (sizeof(struct net_device) + IFNAMSIZ),
 		    IFNAMSIZ);
 
 	for(i = 0; i < IPSEC_NUM_IF; i++) {
 		sprintf(name, IPSEC_DEV_FORMAT, i);
-		dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL);
+		
+		dev_ipsec = (struct net_device*)kmalloc(sizeof(struct net_device), GFP_KERNEL);
+
 		if (dev_ipsec == NULL) {
 			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 				    "klips_debug:ipsec_tunnel_init_devices: "
@@ -1603,7 +1738,7 @@
 				    name);
 			return -ENOMEM;
 		}
-		memset((caddr_t)dev_ipsec, 0, sizeof(struct device));
+		memset((caddr_t)dev_ipsec, 0, sizeof(struct net_device));
 #ifdef NETDEV_23
 		strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
 #else /* NETDEV_23 */
@@ -1618,6 +1753,9 @@
 		memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
 		strncpy(dev_ipsec->name, name, IFNAMSIZ);
 #endif /* NETDEV_23 */
+
+		SET_MODULE_OWNER(dev_ipsec);
+		
 		dev_ipsec->next = NULL;
 		dev_ipsec->init = &ipsec_tunnel_probe;
 		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
@@ -1652,7 +1790,7 @@
 	int error = 0;
 	int i;
 	char name[32];
-	struct device *dev_ipsec;
+	struct net_device *dev_ipsec;
 	
 	for(i = 0; i < IPSEC_NUM_IF; i++) {
    	        dev_ipsec = ipsecdevices[i];
diff -Naur openswan-2/linux/net/ipsec/pfkey_v2.c openswan-2.nate/linux/net/ipsec/pfkey_v2.c
--- openswan-2/linux/net/ipsec/pfkey_v2.c	2004-07-01 13:59:04.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/pfkey_v2.c	2004-07-01 14:01:34.000000000 -0500
@@ -87,7 +87,19 @@
 #endif /* SOCKOPS_WRAPPED */
 
 extern struct proto_ops pfkey_ops;
+
+#ifdef NET_26
+HLIST_HEAD(pfkey_sock_list);
+static DECLARE_WAIT_QUEUE_HEAD(pfkey_sock_wait);
+static rwlock_t pfkey_sock_lock = RW_LOCK_UNLOCKED;
+static atomic_t pfkey_sock_users = ATOMIC_INIT(0);
+#else
+extern struct proto_ops pfkey_ops;
 struct sock *pfkey_sock_list = NULL;
+#endif
+
+#include "openswan/ipsec_kern24.h"
+
 struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
 
 struct socket_list *pfkey_open_sockets = NULL;
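Review bot: The `#else` branch repeats `extern struct proto_ops pfkey_ops;`, which is already declared unconditionally just above the `#ifdef NET_26`, so the added copy can be dropped. `HLIST_HEAD(pfkey_sock_list)` is the only one of the four new NET_26 objects without `static`; if nothing outside this file walks the list (not determinable from the hunk), `static HLIST_HEAD(pfkey_sock_list);` would match the lock, wait queue and counter declared next to it. The `#include "openswan/ipsec_kern24.h"` sits after these declarations rather than with the file's other includes, and a one-line comment saying what it provides would explain the position.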
@@ -95,6 +107,51 @@
 
 int pfkey_msg_interp(struct sock *, struct sadb_msg *, struct sadb_msg **);
 
+#ifdef NET_26
+static void pfkey_sock_list_grab(void)
+{
+	write_lock_bh(&pfkey_sock_lock);
+
+	if (atomic_read(&pfkey_sock_users)) {
+		DECLARE_WAITQUEUE(wait, current);
+
+		add_wait_queue_exclusive(&pfkey_sock_wait, &wait);
+		for(;;) {
+			set_current_state(TASK_UNINTERRUPTIBLE);
+			if (atomic_read(&pfkey_sock_users) == 0)
+				break;
+			write_unlock_bh(&pfkey_sock_lock);
+			schedule();
+			write_lock_bh(&pfkey_sock_lock);
+		}
+
+		__set_current_state(TASK_RUNNING);
+		remove_wait_queue(&pfkey_sock_wait, &wait);
+	}
+}
+
+static __inline__ void pfkey_sock_list_ungrab(void)
+{
+	write_unlock_bh(&pfkey_sock_lock);
+	wake_up(&pfkey_sock_wait);
+}
+
+static __inline__ void pfkey_lock_sock_list(void)
+{
+	/* read_lock() synchronizes us to pfkey_table_grab */
+
+	read_lock(&pfkey_sock_lock);
+	atomic_inc(&pfkey_sock_users);
+	read_unlock(&pfkey_sock_lock);
+}
+
+static __inline__ void pfkey_unlock_sock_list(void)
+{
+	if (atomic_dec_and_test(&pfkey_sock_users))
+		wake_up(&pfkey_sock_wait);
+}
+#endif
+
 int
 pfkey_list_remove_socket(struct socket *socketp, struct socket_list **sockets)
 {
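Review bot: The comment in `pfkey_lock_sock_list` names `pfkey_table_grab`, a function this hunk does not define; the writer it synchronizes with is `pfkey_sock_list_grab`, so it should read `/* read_lock() synchronizes us to pfkey_sock_list_grab */`. None of the four helpers says which side it serves: a short header comment stating that `pfkey_sock_list_grab`/`pfkey_sock_list_ungrab` bracket list modification and `pfkey_lock_sock_list`/`pfkey_unlock_sock_list` bracket traversal would make the intended pairing explicit. It is also worth documenting that `pfkey_sock_list_grab` returns with `pfkey_sock_lock` write-held via `write_lock_bh`, so the caller must not sleep before calling `pfkey_sock_list_ungrab`.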
@@ -315,10 +372,16 @@
 		    "klips_debug:pfkey_insert_socket: "
 		    "sk=0p%p\n",
 		    sk);
+#ifdef NET_26
+	pfkey_sock_list_grab();
+	sk_add_node(sk, &pfkey_sock_list);
+	pfkey_sock_list_ungrab();
+#else
 	cli();
 	sk->next=pfkey_sock_list;
 	pfkey_sock_list=sk;
 	sti();
+#endif
 }
 
 DEBUG_NO_STATIC void
@@ -328,6 +391,11 @@
 	
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_remove_socket: .\n");
+#ifdef NET_26
+	pfkey_sock_list_grab();
+	sk_del_node_init(sk);
+	pfkey_sock_list_ungrab();
+#else
 	cli();
 	s=&pfkey_sock_list;
 
@@ -344,6 +412,8 @@
 		s=&((*s)->next);
 	}
 	sti();
+#endif
+
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_remove_socket: "
 		    "not found.\n");
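Review bot: On a NET_26 build, control falls from `pfkey_sock_list_ungrab()` through the added `#endif` into the `"not found."` debug message, so every removal is reported as a miss. Moving the `#endif` below that `KLIPS_PRINT` keeps the message in the legacy list walk, which presumably returns early when it finds the socket (that part is outside the hunk). If the 2.6 path should still report a miss, the return value of `sk_del_node_init(sk)` can be tested instead. The function begins outside both hunks that touch it.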
@@ -366,10 +436,11 @@
 		    "klips_debug:pfkey_destroy_socket: "
 		    "sk(0p%p)->(&0p%p)receive_queue.{next=0p%p,prev=0p%p}.\n",
 		    sk,
-		    &(sk->receive_queue),
-		    sk->receive_queue.next,
-		    sk->receive_queue.prev);
-	while(sk && ((skb=skb_dequeue(&(sk->receive_queue)))!=NULL)) {
+		    &(sk->sk_receive_queue),
+		    sk->sk_receive_queue.next,
+		    sk->sk_receive_queue.prev);
+
+	while(sk && ((skb=skb_dequeue(&(sk->sk_receive_queue)))!=NULL)) {
 #ifdef NET_21
 #ifdef CONFIG_IPSEC_DEBUG
 		if(debug_pfkey && sysctl_ipsec_debug_verbose) {
@@ -441,7 +512,11 @@
 		ipsec_kfree_skb(skb);
 	}
 
+#ifdef NET_26
+	sock_set_flag(sk, SOCK_DEAD);
+#else
 	sk->dead = 1;
+#endif
 	sk_free(sk);
 
 	KLIPS_PRINT(debug_pfkey,
@@ -571,12 +646,20 @@
 #ifdef NET_21
 	sock->state = SS_UNCONNECTED;
 #endif /* NET_21 */
+
 	MOD_INC_USE_COUNT;
+
 #ifdef NET_21
-	if((sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1)) == NULL)
+#ifdef NET_26
+	sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1, NULL);
+#else
+	sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1);
+#endif
 #else /* NET_21 */
-	if((sk=(struct sock *)sk_alloc(GFP_KERNEL)) == NULL)
+	sk=(struct sock *)sk_alloc(GFP_KERNEL);
 #endif /* NET_21 */
+
+	if(sk == NULL)
 	{
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_create: "
@@ -592,39 +675,42 @@
 #ifdef NET_21
 	sock_init_data(sock, sk);
 
-	sk->destruct = NULL;
-	sk->reuse = 1;
+	sk->sk_destruct = NULL;
+	sk->sk_reuse = 1;
 	sock->ops = &pfkey_ops;
 
-	sk->zapped=0;
-	sk->family = PF_KEY;
+	sk->sk_zapped=0;
+	sk->sk_family = PF_KEY;
 /*	sk->num = protocol; */
-	sk->protocol = protocol;
+	sk->sk_protocol = protocol;
 	key_pid(sk) = current->pid;
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_create: "
 		    "sock->fasync_list=0p%p sk->sleep=0p%p.\n",
 		    sock->fasync_list,
-		    sk->sleep);
+		    sk->sk_sleep);
 #else /* NET_21 */
 	sk->type=sock->type;
 	init_timer(&sk->timer);
-	skb_queue_head_init(&sk->write_queue);
-	skb_queue_head_init(&sk->receive_queue);
+	skb_queue_head_init(&sk->sk_write_queue);
+	skb_queue_head_init(&sk->sk_receive_queue);
 	skb_queue_head_init(&sk->back_log);
-	sk->rcvbuf=SK_RMEM_MAX;
-	sk->sndbuf=SK_WMEM_MAX;
-	sk->allocation=GFP_KERNEL;
-	sk->state=TCP_CLOSE;
-	sk->priority=SOPRI_NORMAL;
-	sk->state_change=pfkey_state_change;
-	sk->data_ready=pfkey_data_ready;
-	sk->write_space=pfkey_write_space;
-	sk->error_report=pfkey_state_change;
+	sk->sk_rcvbuf=SK_RMEM_MAX;
+	sk->sk_sndbuf=SK_WMEM_MAX;
+	sk->sk_allocation=GFP_KERNEL;
+	sk->sk_state=TCP_CLOSE;
+	sk->sk_priority=SOPRI_NORMAL;
+	sk->sk_state_change=pfkey_state_change;
+	sk->sk_data_ready=pfkey_data_ready;
+	sk->sk_write_space=pfkey_write_space;
+	sk->sk_error_report=pfkey_state_change;
+#ifndef NET_26
 	sk->mtu=4096;
 	sk->socket=sock;
+#endif
+
 	sock->data=(void *)sk;
-	sk->sleep=sock->wait;
+	sk->sk_sleep=sock->wait;
 #endif /* NET_21 */
 
 	pfkey_insert_socket(sk);
@@ -713,10 +799,10 @@
 		    "sock=0p%p sk=0p%p\n", sock, sk);
 
 #ifdef NET_21
-	if(!sk->dead)
+	if(sock_flag(sk, SOCK_DEAD))
 #endif /* NET_21 */
-		if(sk->state_change) {
-			sk->state_change(sk);
+		if(sk->sk_state_change) {
+			sk->sk_state_change(sk);
 		}
 
 #ifdef NET_21
@@ -859,13 +945,13 @@
 	mode++;
 	
 	if(mode&SEND_SHUTDOWN) {
-		sk->shutdown|=SEND_SHUTDOWN;
-		sk->state_change(sk);
+		sk->sk_shutdown|=SEND_SHUTDOWN;
+		sk->sk_state_change(sk);
 	}
 
 	if(mode&RCV_SHUTDOWN) {
-		sk->shutdown|=RCV_SHUTDOWN;
-		sk->state_change(sk);
+		sk->sk_shutdown|=RCV_SHUTDOWN;
+		sk->sk_state_change(sk);
 	}
 	return 0;
 }
@@ -957,7 +1043,11 @@
 		
 DEBUG_NO_STATIC int
 #ifdef NET_21
+#ifdef NET_26
+pfkey_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, int len)
+#else
 pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, struct scm_cookie *scm)
+#endif
 #else /* NET_21 */
 pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, int nonblock, int flags)
 #endif /* NET_21 */
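Review bot: The NET_26 prototype added here declares the length as `int len`, while the NET_26 `pfkey_recvmsg` prototype added in the later hunk uses `size_t size`; both handlers presumably go into the same `pfkey_ops` table, so each should carry exactly the length type the target kernel's `struct proto_ops` declares, or the assignment relies on an incompatible function-pointer type. Where the parameter becomes `size_t`, any comparison of it against signed quantities in the body needs rechecking, since a negative value would convert to a very large length. Both function bodies lie outside the hunks, so this could not be checked here.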
@@ -995,7 +1085,7 @@
 
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_sendmsg: .\n");
-	if(sk->err) {
+	if(sk->sk_err) {
 		error = sock_error(sk);
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_sendmsg: "
@@ -1023,7 +1113,7 @@
 		SENDERR(EINVAL);
 	}
 		
-	if(sk->shutdown & SEND_SHUTDOWN) {
+	if(sk->sk_shutdown & SEND_SHUTDOWN) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_sendmsg: "
 			    "shutdown.\n");
@@ -1165,7 +1255,18 @@
 		
 DEBUG_NO_STATIC int
 #ifdef NET_21
-pfkey_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags, struct scm_cookie *scm)
+#ifdef NET_26
+pfkey_recvmsg(struct kiocb *kiocb
+	      , struct socket *sock
+	      , struct msghdr *msg
+	      , size_t size
+	      , int flags)
+#else
+pfkey_recvmsg(struct socket *sock
+	      , struct msghdr *msg
+	      , int size, int flags
+	      , struct scm_cookie *scm)
+#endif
 #else /* NET_21 */
 pfkey_recvmsg(struct socket *sock, struct msghdr *msg, int size, int noblock, int flags, int *addr_len)
 #endif /* NET_21 */
@@ -1224,10 +1325,10 @@
 	}
 #endif /* NET_21 */
 		
-	if(sk->err) {
+	if(sk->sk_err) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_sendmsg: "
-			    "sk->err=%d.\n", sk->err);
+			    "sk->sk_err=%d.\n", sk->sk_err);
 		return sock_error(sk);
 	}
 
@@ -1245,7 +1346,7 @@
 #endif /* NET_21 */
 
 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, size);
-        sk->stamp=skb->stamp;
+        sk->sk_stamp=skb->stamp;
 
 	skb_free_datagram(sk, skb);
 	return size;
@@ -1336,9 +1437,12 @@
 )
 {
 	const int max_content = length > 0? length-1 : 0;
+#ifdef NET_26
+	struct hlist_node *node;
+#endif
 	off_t begin=0;
 	int len=0;
-	struct sock *sk=pfkey_sock_list;
+	struct sock *sk;
 	
 #ifdef CONFIG_IPSEC_DEBUG
 	if(!sysctl_ipsec_debug_verbose) {
@@ -1352,46 +1456,41 @@
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
 	
-	while(sk!=NULL) {
+	sk_for_each(sk, node, &pfkey_sock_list) {
+
 #ifdef CONFIG_IPSEC_DEBUG
 		if(!sysctl_ipsec_debug_verbose) {
 #endif /* CONFIG_IPSEC_DEBUG */
 		len += ipsec_snprintf(buffer+len, length-len,
-			     "%8p %5d %8p %8p %8p %d %d %d %5d %08lX %8X %2X\n",
+			     "%8p %5d %8p %d %d %5d %08lX %8X %2X\n",
 			     sk,
 			     key_pid(sk),
-			     sk->socket,
-			     sk->next,
-			     sk->prev,
-			     sk->err,
-			     sk->num,
-			     sk->protocol,
-			     sk->sndbuf,
-			     sk->socket->flags,
-			     sk->socket->type,
-			     sk->socket->state);
+			     sk->sk_socket,
+			     sk->sk_err,
+			     sk->sk_protocol,
+			     sk->sk_sndbuf,
+			     sk->sk_socket->flags,
+			     sk->sk_socket->type,
+			     sk->sk_socket->state);
 #ifdef CONFIG_IPSEC_DEBUG
 		} else {
 			len += ipsec_snprintf(buffer+len, length-len,
-			     "%8p %5d %d %8p %8p %8p %8p %d %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
+			     "%8p %5d %d %8p %8p %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
 			     sk,
 			     key_pid(sk),
-			     sk->dead,
-			     sk->sleep,
-			     sk->socket,
-			     sk->next,
-			     sk->prev,
-			     sk->err,
-			     sk->reuse,
-			     sk->zapped,
-			     sk->num,
-			     sk->protocol,
-			     sk->sndbuf,
-			     (unsigned int)sk->stamp.tv_sec,
-			     (unsigned int)sk->stamp.tv_usec,
-			     sk->socket->flags,
-			     sk->socket->type,
-			     sk->socket->state);
+			     sock_flag(sk, SOCK_DEAD),
+			     sk->sk_sleep,
+			     sk->sk_socket,
+			     sk->sk_err,
+			     sk->sk_reuse,
+			     sk->sk_zapped,
+			     sk->sk_protocol,
+			     sk->sk_sndbuf,
+			     (unsigned int)sk->sk_stamp.tv_sec,
+			     (unsigned int)sk->sk_stamp.tv_usec,
+			     sk->sk_socket->flags,
+			     sk->sk_socket->type,
+			     sk->sk_socket->state);
 		}
 #endif /* CONFIG_IPSEC_DEBUG */
 		
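Review bot: The `sk_for_each(sk, node, &pfkey_sock_list)` walk takes none of the locks this patch introduces, while `pfkey_insert_socket` and `pfkey_remove_socket` modify the same list under `pfkey_sock_list_grab()`; a socket unlinked and freed during the walk would still be dereferenced here (`sk->sk_socket->flags`). Bracketing the loop with `pfkey_lock_sock_list();` and `pfkey_unlock_sock_list();` under `#ifdef NET_26` is what those helpers appear to be meant for. The loop is also compiled unconditionally although `node` is declared only under `#ifdef NET_26` in the previous hunk, so a non-2.6 build relies on a compatibility definition not visible here. The commented-out `//sk=sk->next;` in the following hunk can be deleted. The function starts and ends outside these hunks.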
@@ -1411,7 +1510,7 @@
                                begin = pos;
                        }
                 } 
-		sk=sk->next;
+		//sk=sk->next;
 
         }
 
diff -Naur openswan-2/linux/net/ipsec/pfkey_v2_parser.c openswan-2.nate/linux/net/ipsec/pfkey_v2_parser.c
--- openswan-2/linux/net/ipsec/pfkey_v2_parser.c	2004-07-01 13:59:04.000000000 -0500
+++ openswan-2.nate/linux/net/ipsec/pfkey_v2_parser.c	2004-07-01 14:01:34.000000000 -0500
@@ -85,7 +85,7 @@
 
 #include "openswan/ipsec_proto.h"
 #include "openswan/ipsec_alg.h"
-
+#include "openswan/ipsec_kern24.h"
 
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
@@ -1710,7 +1710,7 @@
 		SENDERR(-error);
 	}
 	
-	if((error = pfkey_upmsg(sk->socket, pfkey_reply))) {
+	if((error = pfkey_upmsg(sk->sk_socket, pfkey_reply))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
 			    "failed to send the get reply message\n");
 		SENDERR(-error);
@@ -1798,7 +1798,7 @@
 		SENDERR(EINVAL);
 	}
 
-	if(!pfkey_list_insert_socket(sk->socket,
+	if(!pfkey_list_insert_socket(sk->sk_socket,
 				 &(pfkey_registered_sockets[satype]))) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_register_parse: "
-------------- next part --------------
# Makefile for KLIPS kernel code as a module    for 2.6 kernels
#
# Makefile for KLIPS kernel code as a module
# Copyright (C) 1998, 1999, 2000,2001  Richard Guy Briggs.
# Copyright (C) 2002-2004	Michael Richardson <mcr at freeswan.org>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: Makefile.fs2_6,v 1.3 2004/02/24 17:17:04 mcr Exp $
#
# Note! Dependencies are done automagically by 'make dep', which also
# removes any old dependencies. DON'T put your own dependencies here
# unless it's something special (ie not a .c file).
#

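# Source-tree anchors, both set to the current directory.
FREESWANSRCDIR=.
KLIPS_TOP=.
# Optional version file: the leading '-' makes a missing file non-fatal.
-include ${FREESWANSRCDIR}/Makefile.ver

# Feature switches (CONFIG_IPSEC*) that key the object and macro lists below.
# defconfig is read as makefile text, so it has to come from a trusted tree.
# SUBDIRS is not set in this file; it must be supplied by the invoking make.
include $(SUBDIRS)/defconfig

# Default to the build tree of the running kernel.  $(shell ...) resolves the
# release inside make, so the exported TOPDIR is a real path; backquotes are
# not expanded by make and would be exported literally.
ifndef TOPDIR
TOPDIR:=/lib/modules/$(shell uname -r)/build
endif
export TOPDIR

# Relative paths of the bundled library sources.
LIBFREESWANDIR=../../../linux/lib/libfreeswan
LIBDESDIR=../../crypto/ciphers/des
LIBZLIBDIR=../../lib/zlib
# Might need this too someday
# LIBOPENSWANDIR=../../../lib/libopenswan
LIBAESDIR=../../crypto/ciphers/aes

# Header search path: kernel headers first, then the KLIPS include directory.
KERNEL_INCLUDES= $(TOPDIR)/include
INCLUDES = -I$(KERNEL_INCLUDES) -I$(SUBDIRS)/../../include
# Kernel release string: the quoted value on the UTS_RELEASE line of version.h.
VERSION = $(shell grep UTS_RELEASE $(KERNEL_INCLUDES)/linux/version.h | cut -d '"' -f2)
MDIR = /lib/modules/$(VERSION)/kernel/net/ipv4/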

# brought in from defconfig now.
# always force it on
#CONFIG_IPSEC:=m
#CONFIG_IPSEC_ESP:=y
#CONFIG_IPSEC_AH:=y
#CONFIG_IPSEC_IPIP:=y
#CONFIG_IPSEC_ALG:=y
#CONFIG_IPSEC_ENC_CRYPTOAPI:=y
#CONFIG_IPSEC_ENC_3DES:=y

# The module built from this directory; the value of CONFIG_IPSEC picks the
# obj- list it is added to.
obj-$(CONFIG_IPSEC) := ipsec.o

# Start both candidate lists empty.  Every group below is appended to the list
# named by the value of its CONFIG_ switch, in the order written here.
ipsec-objs-m :=
ipsec-objs-y :=

# Core KLIPS objects.
ipsec-objs-$(CONFIG_IPSEC) += \
	ipsec_init.o ipsec_sa.o ipsec_radij.o radij.o \
	ipsec_life.o ipsec_proc.o \
	ipsec_tunnel.o ipsec_xmit.o ipsec_rcv.o ipsec_ipip.o \
	sysctl_net_ipsec.o \
	pfkey_v2.o pfkey_v2_parser.o pfkey_v2_ext_process.o \
	version.o

# Per-protocol objects.
ipsec-objs-$(CONFIG_IPSEC_AH) += ipsec_ah.o
ipsec-objs-$(CONFIG_IPSEC_ESP) += ipsec_esp.o
ipsec-objs-$(CONFIG_IPSEC_IPCOMP) += ipsec_ipcomp.o

# Algorithm framework and the ciphers plugged into it.
ipsec-objs-$(CONFIG_IPSEC_ALG) += ipsec_alg.o
ipsec-objs-$(CONFIG_IPSEC_ENC_AES) += ipsec_alg_aes.o
ipsec-objs-$(CONFIG_IPSEC_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o

# Hash code for the HMAC authentication options.
ipsec-objs-$(CONFIG_IPSEC_AUTH_HMAC_MD5) += ipsec_md5c.o
ipsec-objs-$(CONFIG_IPSEC_AUTH_HMAC_SHA1) += ipsec_sha1.o

# 3DES objects from the DES library directory.
ipsec-objs-$(CONFIG_IPSEC_ENC_3DES) += $(addprefix $(LIBDESDIR)/, cbc_enc.o ecb_enc.o set_key.o)

# dx86unix.o is used when SUBARCH is i386, des_enc.o everywhere else.
ifneq (${SUBARCH},i386)
ipsec-objs-$(CONFIG_IPSEC_ENC_3DES) += $(LIBDESDIR)/des_enc.o
else
ipsec-objs-$(CONFIG_IPSEC_ENC_3DES) += $(LIBDESDIR)/dx86unix.o
endif

# libfreeswan helpers linked into the module.
ipsec-objs-$(CONFIG_IPSEC) += $(addprefix $(LIBFREESWANDIR)/, \
	satot.o addrtot.o ultot.o addrtypeof.o anyaddr.o \
	initaddr.o ultoa.o addrtoa.o subnettoa.o subnetof.o \
	goodmask.o datatot.o rangetoa.o prng.o pfkey_v2_parse.o \
	pfkey_v2_build.o pfkey_v2_debug.o pfkey_v2_ext_bits.o)

# IPcomp stuff: the KLIPS glue followed by the zlib objects.
ipsec-objs-$(CONFIG_IPSEC_IPCOMP) += ipcomp.o \
	$(addprefix $(LIBZLIBDIR)/, \
	adler32.o deflate.o infblock.o infcodes.o inffast.o \
	inflate.o inftrees.o infutil.o trees.o zutil.o)

# Objects selected with 'y' or 'm' make up the module; other values are dropped.
ipsec-objs := $(ipsec-objs-y) $(ipsec-objs-m)

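# Preprocessor defines handed to the compiler.  Each CONFIG_ switch appends its
# -D to macros-<value>; only the 'y' and 'm' lists reach EXTRA_CFLAGS, so a
# switch set to 'n' or left unset contributes nothing.
macros-y :=
macros-m :=

macros-$(CONFIG_IPSEC) += -DCONFIG_IPSEC
macros-$(CONFIG_IPSEC_ESP) += -DCONFIG_IPSEC_ESP
macros-$(CONFIG_IPSEC_AH) += -DCONFIG_IPSEC_AH
macros-$(CONFIG_IPSEC_ALG) += -DCONFIG_IPSEC_ALG
macros-$(CONFIG_IPSEC_DEBUG) += -DCONFIG_IPSEC_DEBUG
macros-$(CONFIG_IPSEC_IPIP) += -DCONFIG_IPSEC_IPIP
macros-$(CONFIG_IPSEC_AUTH_HMAC_MD5) += -DCONFIG_IPSEC_AUTH_HMAC_MD5
macros-$(CONFIG_IPSEC_AUTH_HMAC_SHA1) += -DCONFIG_IPSEC_AUTH_HMAC_SHA1
macros-$(CONFIG_IPSEC_ENC_3DES) += -DCONFIG_IPSEC_ENC_3DES
macros-$(CONFIG_IPSEC_ENC_CRYPTOAPI) += -DCONFIG_IPSEC_ENC_CRYPTOAPI
# The IPComp switch also defines IPCOMP_PREFIX.
macros-$(CONFIG_IPSEC_IPCOMP) += -DCONFIG_IPSEC_IPCOMP -DIPCOMP_PREFIX
macros-$(CONFIG_IPSEC_NAT_TRAVERSAL) += -DCONFIG_IPSEC_NAT_TRAVERSAL
# NOTE(review): no -D is emitted for CONFIG_IPSEC_ENC_AES although
# ipsec_alg_aes.o is keyed on it in the object list -- confirm that is intended.

EXTRA_CFLAGS += $(INCLUDES) \
		$(macros-y) $(macros-m)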

#
# $Log: Makefile.fs2_6,v $
# Revision 1.3  2004/02/24 17:17:04  mcr
# 	s/CONFIG_IPSEC/CONFIG_IPSEC/ as 26sec uses "CONFIG_IPSEC" to
# 	turn it on/off as well.
#
# Revision 1.2  2004/02/22 06:50:42  mcr
# 	kernel 2.6 port - merged with 2.4 code.
#
# Revision 1.1.2.1  2004/02/20 02:07:53  mcr
# 	module configuration for KLIPS 2.6
#
#
# Local Variables:
# compile-command: "(cd ../../.. && source umlsetup.sh && make -C ${POOLSPACE} module/ipsec.o)"
# End Variables:
#

-------------- next part --------------

#
# RCSID $Id: defconfig,v 1.24 2004/04/06 02:49:25 mcr Exp $
#

#
# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
#

#
# First, let's override stuff already set or not in the kernel config.
#
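# We can't even think about leaving this off...
CONFIG_INET=y

#
# This must be on for subnet protection.
CONFIG_IP_FORWARD=y

# Shut off IPSEC masquerading if it has been enabled, since it will
# break the compile.  IPPROTO_ESP and IPPROTO_AH were included in
# net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.
CONFIG_IP_MASQUERADE_IPSEC=n

#
# Next, let's set the recommended FreeS/WAN configuration.
#

# To config as static (preferred), 'y'.  To config as module, 'm'.
CONFIG_IPSEC=m

# To do tunnel mode IPSec, this must be enabled.
CONFIG_IPSEC_IPIP=y

# To enable authentication, say 'y'.   (Highly recommended)
CONFIG_IPSEC_AH=y

# Authentication algorithm(s):
# NOTE(review): HMAC-MD5 is a legacy choice; keep it only where peers need it.
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y

# To enable encryption, say 'y'.   (Highly recommended)
CONFIG_IPSEC_ESP=y

# Encryption algorithm(s):
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ENC_CRYPTOAPI=y
#CONFIG_IPSEC_ENC_AES=y

# modular algo extensions (and new ALGOs)
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_3DES=m
CONFIG_IPSEC_ALG_AES=m
CONFIG_IPSEC_ALG_TWOFISH=m
CONFIG_IPSEC_ALG_BLOWFISH=m
CONFIG_IPSEC_ALG_SERPENT=m
CONFIG_IPSEC_ALG_MD5=m
CONFIG_IPSEC_ALG_SHA1=m
CONFIG_IPSEC_ALG_SHA2=m
#CONFIG_IPSEC_ALG_CAST=n
#CONFIG_IPSEC_ALG_NULL=n

# Use CryptoAPI for ALG?
CONFIG_IPSEC_ALG_CRYPTOAPI=m


# IP Compression: new, probably still has minor bugs.
# NOTE(review): 'y' also builds the bundled zlib objects into the module (see
# the IPcomp list in the Makefile); set to 'n' if compression is not needed.
CONFIG_IPSEC_IPCOMP=y

# To enable userspace-switchable KLIPS debugging, say 'y'.
# NOTE(review): debug output can then be switched on at run time; consider 'n'
# for builds where kernel logs are widely readable.
CONFIG_IPSEC_DEBUG=y

# NAT Traversal
CONFIG_IPSEC_NAT_TRAVERSAL=n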

#
#
# $Log: defconfig,v $
# Revision 1.24  2004/04/06 02:49:25  mcr
# 	pullup of algo code from alg-branch.
#
# Revision 1.23.2.2  2004/04/05 04:30:46  mcr
# 	patches for alg-branch to compile/work with 2.x openswan
#
# Revision 1.23.2.1  2003/12/22 15:25:52  jjo
# . Merged algo-0.8.1-rc11-test1 into alg-branch
#
# Revision 1.23  2003/12/10 01:14:27  mcr
# 	NAT-traversal patches to KLIPS.
#
# Revision 1.22  2003/02/24 19:37:27  mcr
# 	changed default compilation mode to static.
#
# Revision 1.21  2002/04/24 07:36:27  mcr
# Moved from ./klips/net/ipsec/defconfig,v
#
# Revision 1.20  2002/04/02 04:07:40  mcr
# 	default build is now 'm'odule for KLIPS
#
# Revision 1.19  2002/03/08 18:57:17  rgb
# Added a blank line at the beginning of the file to make it easier for
# other projects to patch ./arch/i386/defconfig, for example
# LIDS+grSecurity requested by Jason Pattie.
#
# Revision 1.18  2000/11/30 17:26:56  rgb
# Cleaned out unused options and enabled ipcomp by default.
#
# Revision 1.17  2000/09/15 11:37:01  rgb
# Merge in heavily modified Svenning Soerensen's <svenning at post5.tele.dk>
# IPCOMP zlib deflate code.
#
# Revision 1.16  2000/09/08 19:12:55  rgb
# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
#
# Revision 1.15  2000/05/24 19:37:13  rgb
# *** empty log message ***
#
# Revision 1.14  2000/05/11 21:14:57  henry
# just commenting the FOOBAR=y lines out is not enough
#
# Revision 1.13  2000/05/10 20:17:58  rgb
# Comment out netlink defaults, which are no longer needed.
#
# Revision 1.12  2000/05/10 19:13:38  rgb
# Added configure option to shut off no eroute passthrough.
#
# Revision 1.11  2000/03/16 07:09:46  rgb
# Hardcode PF_KEYv2 support.
# Disable IPSEC_ICMP by default.
# Remove DES config option from defaults file.
#
# Revision 1.10  2000/01/11 03:09:42  rgb
# Added a default of 'y' to PF_KEYv2 keying I/F.
#
# Revision 1.9  1999/05/08 21:23:12  rgb
# Added support for 2.2.x kernels.
#
# Revision 1.8  1999/04/06 04:54:25  rgb
# Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
# patch shell fixes.
#
#

