DSCP value is not copied from UDP header to IPsec UDP-encap ESP header

Solution In Progress - Updated -

Issue

We have a strict requirement that the DSCP value in the outer header of an ESP (or UDP-encapsulated ESP) packet be the same as the DSCP value of the inner UDP packet.

We have UDP traffic flowing through our RHEL VPN Gateway VM with a DSCP value set, this packet is encrypted into ESP and then UDP encapsulated and forwarded out to the network.

As a gateway, we do not want the MVPN to change/modify the DSCP values. The Per Hop Behavior in this case is to copy whatever the DSCP value is on the packet that arrived at us and make sure that value is set in the outgoing UDP-encapsulated ESP packet. What we found is the DSCP value is copied if we are doing ESP (not UDP encapsulated) and was working as expected.

When testing in a network that required NAT Traversal, the IPsec stack adds a UDP header to the ESP packet, and this is when we lose the DSCP value in the outer packet.

I only had a few moments to look through the code, but I found 2 functions that may be at work here:

linux-2.6.32-431.23.3.el6/net/ipv4/esp4.c
esp_output() and esp_init_state()
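The quickest way to confirm the behaviour described above on a gateway is to capture the cleartext packet on the inside interface and the corresponding ESP or UDP-encapsulated ESP packet on the outside interface, then compare the DSCP bits of the two IPv4 headers. The script below is an added example, not code from the Red Hat article or the Linux kernel: it parses raw IPv4 headers, classifies the outer packet as plain ESP (protocol 50), UDP-encapsulated ESP on port 4500 (SPI directly after the UDP header, per RFC 3948), IKE over NAT-T (four-byte zero non-ESP marker) or NAT-T keepalive (single 0xFF byte), and reports whether the DSCP was preserved. The packets it runs on are constructed inline with made-up addresses and a placeholder SPI; they are not captures from any real network.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # RFC 3948 UDP encapsulation port


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the stored checksum is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(dscp: int, proto: int, src: bytes, dst: bytes, payload: bytes, ecn: int = 0) -> bytes:
    """Build a minimal IPv4 packet (no options) with the given DSCP/ECN bits in the TOS byte."""
    tos = (dscp << 2) | ecn
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return DSCP, ECN, protocol, addresses and L4 payload of an IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return {"dscp": tos >> 2, "ecn": tos & 0x03, "proto": proto, "src": src, "dst": dst,
            "payload": pkt[ihl:total_len]}


def classify_outer(pkt: bytes):
    """Classify an outer packet seen on the external interface; returns (kind, dscp)."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == IPPROTO_ESP:
        return "esp", hdr["dscp"]
    if hdr["proto"] == IPPROTO_UDP:
        payload = hdr["payload"]
        if len(payload) < 8:
            return "udp-truncated", hdr["dscp"]
        sport, dport = struct.unpack("!HH", payload[:4])
        body = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if len(body) >= 4 and body[:4] == b"\x00\x00\x00\x00":
                return "ike-over-natt", hdr["dscp"]  # non-ESP marker: IKE, not ESP (SPI 0 is reserved)
            if body == b"\xff":
                return "natt-keepalive", hdr["dscp"]
            return "udp-encap-esp", hdr["dscp"]  # ESP SPI immediately follows the UDP header
        return "udp", hdr["dscp"]
    return "other", hdr["dscp"]


def check_dscp_preserved(inner_pkt: bytes, outer_pkt: bytes) -> dict:
    """Compare the inner (cleartext) DSCP with the DSCP of the encapsulating outer packet."""
    inner = parse_ipv4(inner_pkt)
    kind, outer_dscp = classify_outer(outer_pkt)
    return {"kind": kind, "inner_dscp": inner["dscp"], "outer_dscp": outer_dscp,
            "preserved": inner["dscp"] == outer_dscp}


# --- Constructed sample packets (made-up addresses, placeholder SPI; not real captures) ---
INNER_SRC, INNER_DST = b"\x0a\x00\x01\x0a", b"\x0a\x00\x02\x0a"
GW_SRC, GW_DST = b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01"
EF = 46  # DSCP EF, i.e. TOS byte 0xB8

# Inner cleartext UDP datagram marked EF, as it arrived at the gateway.
inner_udp = struct.pack("!HHHH", 5000, 5000, 8 + 12, 0) + b"voice-sample"
INNER_PKT = build_ipv4(EF, IPPROTO_UDP, INNER_SRC, INNER_DST, inner_udp)

# Placeholder ESP body: SPI, sequence number, opaque "ciphertext".
esp_body = struct.pack("!II", 0x12345678, 1) + b"\x00" * 32

# Plain ESP outer packet with the DSCP copied (the case the reporter says works).
OUTER_ESP = build_ipv4(EF, IPPROTO_ESP, GW_SRC, GW_DST, esp_body)

# UDP-encapsulated ESP outer packet whose DSCP came out as 0 (the reported symptom, reproduced by construction).
natt_udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_body), 0) + esp_body
OUTER_NATT_BAD = build_ipv4(0, IPPROTO_UDP, GW_SRC, GW_DST, natt_udp)

if __name__ == "__main__":
    for label, outer in (("plain ESP", OUTER_ESP), ("UDP-encap ESP", OUTER_NATT_BAD)):
        print(label, check_dscp_preserved(INNER_PKT, outer))
```

On a live gateway the two byte strings would come from `tcpdump -w` captures on the inside and outside interfaces (matching inner and outer packets by timing or sequence, since the inner header is encrypted in the outer packet); the `preserved` flag being `False` only for the `udp-encap-esp` kind is exactly the pattern the issue describes.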
