From 04aed87cb69144ab93c42da733f9444bc99a0441 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 12 Aug 2011 15:42:14 +0200
Subject: [PATCH] xt_pknock: support UDPLITE
---
 doc/changelog.txt | 1 +
 extensions/pknock/xt_pknock.c | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index ccbb93e..860f9a6 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -4,6 +4,7 @@ HEAD
 - xt_CHECKSUM: abort build when the feature is already provided by mainline
 - xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
 - xt_TEE: abort build when the feature is already provided by mainline
+- xt_pknock: support UDPLITE
 - xt_psd: restore functionality with UDP
 - xt_psd: support UDPLITE
 - update to ipset 6.8
diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
index b6f6802..8ef9ce3 100644
--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
@@ -881,7 +881,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 /* If security is needed. */
 if (info->option & XT_PKNOCK_OPENSECRET ) {
- if (hdr->proto != IPPROTO_UDP)
+ if (hdr->proto != IPPROTO_UDP && hdr->proto != IPPROTO_UDPLITE)
 return false;
 if (!pass_security(peer, info, hdr->payload, hdr->payload_len))
@@ -982,6 +982,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 break;
 case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
 #ifdef PK_CRYPTO
 hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
 break;
@@ -1013,7 +1014,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 goto out;
 }
- if (iph->protocol == IPPROTO_UDP) {
+ if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_UDPLITE) {
 hdr.payload = (void *)iph + hdr_len;
 hdr.payload_len = skb->len - hdr_len;
 }
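Review bot: The UDP-or-UDPLITE test is now written out three times: in update_peer() ahead of pass_security() (hunk at -881), at the payload setup in pknock_mt() (hunk at -1013) and at the close-secret check (hunk at -1022). The three have to stay identical, because update_peer() passes `hdr->payload` to pass_security() on the assumption that pknock_mt() filled it in for that same set of protocols. A single helper used at all three sites would keep them in step, for example `static inline bool pknock_has_payload(unsigned int proto) { return proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE; }`. update_peer() begins and ends outside the hunk.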
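Review bot: The new `case IPPROTO_UDPLITE:` label in pknock_mt() (hunk at -982) reuses `sizeof(struct udphdr)` for the header length without saying why that is valid. It holds because the UDP-Lite header is the same eight bytes as the UDP header, with the length field reinterpreted as checksum coverage; a comment on the label would record that, e.g. `/* UDP-Lite header is the same size as struct udphdr (RFC 3828) */`. The label also sits above `#ifdef PK_CRYPTO`, so builds without crypto send UDP-Lite down whatever the `#else` branch does, and that branch is outside the hunk.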
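Review bot: Nothing visible in the hunk at -1013 checks that the packet is at least `hdr_len` bytes long before `hdr.payload_len = skb->len - hdr_len;`, and this change extends that path to UDP-Lite traffic. If `skb->len` can be smaller than `hdr_len` at this point, the subtraction yields a wrapped or negative length (the field's type is not shown) that is then handed to pass_security() and is_close_knock() together with a pointer past the data. `skb->len` also counts any non-linear part of the buffer, which `(void *)iph + hdr_len` cannot reach. Unless the lines between the hunks already cover this, a guard before the assignment such as `if (skb->len < hdr_len) goto out;` would close the gap, using the same exit as the `goto out` just above. pknock_mt() continues outside the hunk.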
@@ -1022,7 +1023,8 @@ static bool pknock_mt(const struct sk_buff *skb, if (info->option & XT_PKNOCK_KNOCKPORT) { if ((ret = is_allowed(peer))) { if (info->option & XT_PKNOCK_CLOSESECRET && - iph->protocol == IPPROTO_UDP) + (iph->protocol == IPPROTO_UDP || + iph->protocol == IPPROTO_UDPLITE)) { if (is_close_knock(peer, info, hdr.payload, hdr.payload_len)) {