Author: eri
Date: Thu Jul 30 20:56:27 2015
New Revision: 286095
URL: https://svnweb.freebsd.org/changeset/base/286095

Log:
  Correct IPSec SA statistic keeping
  
  The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs.
  When there are multiple transformations being done, the statistic keeping might be wrong.
  
  This mostly impacts multiple encapsulations on IPsec, since in the usual scenario it is not noticed due to the code path not being taken.
  
  Differential Revision:        https://reviews.freebsd.org/D3239
  Reviewed by:          ae, gnn
  Approved by:          gnn(mentor)

Modified:
  head/sys/netipsec/ipsec_output.c

Modified: head/sys/netipsec/ipsec_output.c
==============================================================================
--- head/sys/netipsec/ipsec_output.c    Thu Jul 30 19:52:43 2015        
(r286094)
+++ head/sys/netipsec/ipsec_output.c    Thu Jul 30 20:56:27 2015        
(r286095)
@@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struc
        tdbi->spi = sav->spi;
        m_tag_prepend(m, mtag);
 
+       key_sa_recordxfer(sav, m);              /* record data transfer */
+
        /*
         * If there's another (bundled) SA to apply, do so.
         * Note that this puts a burden on the kernel stack size.
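Review bot: the added `key_sa_recordxfer(sav, m);` line carries only the comment "record data transfer", which does not say why the call has to sit ahead of the bundled-SA block that follows it. Since the log says these counters feed expiry/rekeying decisions, a one-line comment stating that each SA must be accounted before the next (bundled) SA is applied would stop a later cleanup from moving the call back below the bundle handling.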
@@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struc
                        goto bad;
                }
        }
-       key_sa_recordxfer(sav, m);              /* record data transfer */
 
        /*
         * We're done with IPsec processing, transmit the packet using the
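Review bot: with the call gone from this spot, the accounting now runs before the `goto bad;` error path shown in this hunk's context, so a packet that fails there has already been counted against the SA. Given that the log ties these statistics to expiry/rekeying, it is worth confirming that counting such dropped packets is intended and saying so in the log or a comment; the log would also benefit from naming the code path that previously skipped the call in the multiple-encapsulation case.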