[NETFILTER]: Handle NAT in IPsec policy checks

extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);

extern int nf_unregister_queue_rerouter(int pf);

#include <net/flow.h>

extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);

static inline void

nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)

{

#ifdef CONFIG_IP_NF_NAT_NEEDED

	void (*decodefn)(struct sk_buff *, struct flowi *);

	if (family == AF_INET && (decodefn = ip_nat_decode_session) != NULL)

		decodefn(skb, fl);

#endif

}

#ifdef CONFIG_PROC_FS

#include <linux/proc_fs.h>

extern struct proc_dir_entry *proc_net_netfilter;

#else /* !CONFIG_NETFILTER */

#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)

static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}

static inline void

nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}

#endif /*CONFIG_NETFILTER*/

#endif /*__KERNEL__*/

	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))

		goto discard_and_relse;

	nf_reset(skb);

	return sk_receive_skb(sk, skb);

		kfree_skb(sk->sk_send_head);

		sk->sk_send_head = NULL;

	}

	nf_reset(skb);

	/* Clean up a referenced DCCP bind bucket. */

	if (inet_csk(sk)->icsk_bind_hash != NULL)

}

EXPORT_SYMBOL(ip_route_me_harder);

void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);

EXPORT_SYMBOL(ip_nat_decode_session);

/*

 * Extra routing may needed on local out, as the QUEUE target never

 * returns control to the table.

			         : ((hooknum) == NF_IP_LOCAL_IN ? "LOCAL_IN"  \

				    : "*ERROR*")))

#ifdef CONFIG_XFRM

static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)

{

	struct ip_conntrack *ct;

	struct ip_conntrack_tuple *t;

	enum ip_conntrack_info ctinfo;

	enum ip_conntrack_dir dir;

	unsigned long statusbit;

	ct = ip_conntrack_get(skb, &ctinfo);

	if (ct == NULL)

		return;

	dir = CTINFO2DIR(ctinfo);

	t = &ct->tuplehash[dir].tuple;

	if (dir == IP_CT_DIR_ORIGINAL)

		statusbit = IPS_DST_NAT;

	else

		statusbit = IPS_SRC_NAT;

	if (ct->status & statusbit) {

		fl->fl4_dst = t->dst.ip;

		if (t->dst.protonum == IPPROTO_TCP ||

		    t->dst.protonum == IPPROTO_UDP)

			fl->fl_ip_dport = t->dst.u.tcp.port;

	}

	statusbit ^= IPS_NAT_MASK;

	if (ct->status & statusbit) {

		fl->fl4_src = t->src.ip;

		if (t->dst.protonum == IPPROTO_TCP ||

		    t->dst.protonum == IPPROTO_UDP)

			fl->fl_ip_sport = t->src.u.tcp.port;

	}

}

#endif

static unsigned int

ip_nat_fn(unsigned int hooknum,

	  struct sk_buff **pskb,

	if (!init) goto cleanup;

#ifdef CONFIG_XFRM

	BUG_ON(ip_nat_decode_session != NULL);

	ip_nat_decode_session = nat_decode_session;

#endif

	ret = ip_nat_rule_init();

	if (ret < 0) {

		printk("ip_nat_init: can't setup rules.\n");

		goto cleanup_nothing;

		goto cleanup_decode_session;

	}

	ret = nf_register_hook(&ip_nat_in_ops);

	if (ret < 0) {

	nf_unregister_hook(&ip_nat_in_ops);

 cleanup_rule_init:

	ip_nat_rule_cleanup();

 cleanup_nothing:

 cleanup_decode_session:

#ifdef CONFIG_XFRM

	ip_nat_decode_session = NULL;

	synchronize_net();

#endif

	return ret;

}

#include <linux/workqueue.h>

#include <linux/notifier.h>

#include <linux/netdevice.h>

#include <linux/netfilter.h>

#include <linux/module.h>

#include <net/xfrm.h>

#include <net/ip.h>

	if (xfrm_decode_session(skb, &fl, family) < 0)

		return 0;

	nf_nat_decode_session(skb, &fl, family);

	sk_sid = security_sk_sid(sk, &fl, fl_dir);