From 75479480b81c7af50effedbb47d09fee2c4e5c29 Mon Sep 17 00:00:00 2001
From: Bart Trojanowski
Date: Fri, 14 Jul 2006 16:33:41 -0400
Subject: [PATCH] This fixes a NATT+ESP bug in rcv path.

We only want to test NATT policy on the ESP packet. Doing so on the bundled SA breaks because the next layer does not know anything about NATT. Fix just puts an if(proto == IPPROTO_ESP) around the NATT policy check.

---
 net/ipsec/ipsec_rcv.c | 56 +++++++++++++++++++++++++++++++++++--------------
 1 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/net/ipsec/ipsec_rcv.c b/net/ipsec/ipsec_rcv.c
index aa54728..a5ace37 100644
--- a/net/ipsec/ipsec_rcv.c
+++ b/net/ipsec/ipsec_rcv.c
@@ -365,22 +365,24 @@
 #endif /* CONFIG_KLIPS_ALG */
 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-	KLIPS_PRINT(debug_rcv,
-		    "klips_debug:ipsec_rcv: "
-		    "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
-		    irs->natt_type, newipsp->ips_natt_type,
-		    (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
-	if (irs->natt_type != newipsp->ips_natt_type) {
-		KLIPS_PRINT(debug_rcv,
-			    "klips_debug:ipsec_rcv: "
-			    "SA:%s does not agree with expected NAT-T policy.\n",
-			    irs->sa_len ? irs->sa : " (error)");
-		if(irs->stats) {
-			irs->stats->rx_dropped++;
-		}
-		ipsec_sa_put(newipsp);
-		return IPSEC_RCV_FAILEDINBOUND;
-	}
+	if (proto == IPPROTO_ESP) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
+			    irs->natt_type, newipsp->ips_natt_type,
+			    (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
+		if (irs->natt_type != newipsp->ips_natt_type) {
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s does not agree with expected NAT-T policy.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			ipsec_sa_put(newipsp);
+			return IPSEC_RCV_FAILEDINBOUND;
+		}
+	}
 #endif
 }
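Review bot: The new `if (proto == IPPROTO_ESP)` guard means the NAT-T policy comparison is now never enforced for a non-ESP SA, and the reason for that lives only in the commit message; a comment at the guard would stop a later reader from "restoring" the check, e.g. `/* NAT-T policy is only meaningful for the ESP SA that arrived UDP-encapsulated; bundled inner SAs (AH/IPCOMP) carry no natt_type, so comparing them would spuriously drop the packet. */`. The guard is only correct if `proto` here is the protocol of the SA being looked up (`newipsp`) rather than of the outer packet, which cannot be confirmed from the hunk because `proto`, `irs` and `newipsp` are all defined outside it. Also worth confirming that an ESP SA which is the inner member of a bundle still sees the `irs->natt_type` it should be compared against, since the hunk itself does not show how `irs->natt_type` is set. The enclosing function starts and ends outside the hunk.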
@@ -1185,6 +1187,28 @@ #if defined(CONFIG_NETFILTER_DEBUG) && d
 	skb->nf_debug = 0;
 #endif /* CONFIG_NETFILTER_DEBUG */
 #endif /* SKB_RESET_NFCT */
+
+#if 0
+	if(skb && skb->nh.iph) {
+		struct iphdr *iph = skb->nh.iph;
+		unsigned short csum;
+
+		csum = ip_fast_csum((u8 *)iph, iph->ihl);
+		if (unlikely(csum)) {
+			printk (KERN_WARNING "klips_error:ipsec_rcv: "
+				" BAD CSUM 0x%04x, RECALCULATING!\n", csum);
+
+			ipp->check = 0; /* NOTE: this will be included in checksum */
+			ipp->check = ip_fast_csum((u8 *)iph, iph->ihl);
+			printk (KERN_WARNING "klips_error:ipsec_rcv: "
+				" SET TO 0x%04x\n", ipp->check);
+		} else {
+			printk (KERN_WARNING "klips_error:ipsec_rcv: "
+				" GOOD CSUM 0x%04x\n", csum);
+		}
+	}
+#endif
+
 	KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
 		    "klips_debug:ipsec_rcv: "
 		    "netif_rx() called.\n");
-- 
1.4.1
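Review bot: The disabled block verifies the header through `iph` (`csum = ip_fast_csum((u8 *)iph, iph->ihl);`) but writes the recomputed value through `ipp->check`, so if anyone flips `#if 0` to `#if 1` it will zero and rewrite the checksum of whatever `ipp` points at (defined outside the hunk, if at all) while re-reading `iph`; because the block is preprocessed away, the compiler will not catch that mismatch. The block is also unrelated to the NAT-T fix described in the commit message, and what it sketches is risky on a receive path: rewriting a failing IP checksum hides corruption instead of dropping the packet, and it logs an unratelimited `KERN_WARNING` per packet. Suggest dropping the `#if 0` block from this commit, or at minimum making both accesses use `iph` and marking it `/* diagnostic only: masks checksum failures, never enable in production */`. The enclosing function starts outside the hunk.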