[Openswan Users] 2.4.8 klips and natt patches don't seem to work on kernels 2.6.20+

Tue May 29 17:10:52 EDT 2007

Perhaps I'm just missing something and OpenSWAN's klips and natt
patches aren't supposed to work on new kernels, but, after OpenSWAN
2.4.8 came out and Fedora Core 6's updated kernel is 2.6.20, I wanted
to build a new kernel with the klips and natt patches before I
installed OpenSWAN 2.4.8.

[root at myserver /]# cd /usr/local/src/
[root at myserver src]# wget
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.3.tar.bz2
[root at myserver src]# tar jxvf linux-2.6.21.3.tar.bz2
[root at myserver src]# cd linux-2.6.21.3
[root at myserver linux-2.6.21.3]# gunzip openswan-2.4.8.kernel-2.6-*
[root at myserver linux-2.6.21.3]# patch -p1 -s <
openswan-2.4.8.kernel-2.6-klips.patch
[root at myserver linux-2.6.21.3]# patch -p1 -s <
openswan-2.4.8.kernel-2.6-natt.patch
3 out of 6 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej
[root at myserver linux-2.6.21.3]# cat net/ipv4/udp.c.rej
***************
*** 922,930 ****
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
- #ifndef CONFIG_XFRM
        return 1;
- #else
        struct udp_sock *up = udp_sk(sk);
        struct udphdr *uh = skb->h.uh;
        struct iphdr *iph;
--- 961,969 ----
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
+ #if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
        return 1;
+ #else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
        struct udp_sock *up = udp_sk(sk);
        struct udphdr *uh = skb->h.uh;
        struct iphdr *iph;
***************
*** 1042,1051 ****
                        return 0;
                }
                if (ret < 0) {
-                       /* process the ESP packet */
-                       ret = xfrm4_rcv_encap(skb, up->encap_type);
-                       UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
-                       return -ret;
                }
                /* FALLTHROUGH -- it's a UDP Packet */
        }
--- 1081,1094 ----
                        return 0;
                }
                if (ret < 0) {
+                       if(xfrm4_rcv_encap_func != NULL) {
+                         ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+                         UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+                       } else {
+                         UDP_INC_STATS_BH(UDP_MIB_INERRORS);
+                         ret = 1;
+                       }
+                       return ret;
                }
                /* FALLTHROUGH -- it's a UDP Packet */
        }
***************
*** 1135,1141 ****
  /*
   *    All we need to do is get the socket, and then do a checksum.
   */
-
  int udp_rcv(struct sk_buff *skb)
  {
        struct sock *sk;
--- 1178,1183 ----
  /*
   *    All we need to do is get the socket, and then do a checksum.
   */
  int udp_rcv(struct sk_buff *skb)
  {
        struct sock *sk;

This same thing happens to 2.6.20.  2.6.18 is the only one I can get
working.  Any idea on when there will be a fix for this -- or is this
not supposed to work?  Fill me in!  Thanks