authorErmal Luçi <eri@FreeBSD.org>2015-07-30 20:56:27 +0000
committerErmal Luçi <eri@FreeBSD.org>2015-07-30 20:56:27 +0000
commit59959de526d5f0a9490e5e2c8a7dece961d8db7b (patch)
tree6e4b1a2a551af52be6adcc7822f602855d7951fc /sys/netipsec/ipsec_output.c
parent4ae1e3c75294c5442c4e94430ec4ff8b7f3a930c (diff)
Correct IPSec SA statistic keeping
The IPsec SA statistic keeping is used even for decision making on expiry/rekeying of SAs. When multiple transformations are being done, the statistic keeping might be wrong. This mostly impacts multiple encapsulations on IPsec; in the usual scenario it is not noticed because the affected code path is not taken. Differential Revision: https://reviews.freebsd.org/D3239 Reviewed by: ae, gnn Approved by: gnn(mentor)
Notes
Notes: svn path=/head/; revision=286095
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r--sys/netipsec/ipsec_output.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index ae360700b629..a6611a7e7fcb 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
tdbi->spi = sav->spi;
m_tag_prepend(m, mtag);
+ key_sa_recordxfer(sav, m); /* record data transfer */
+
/*
* If there's another (bundled) SA to apply, do so.
* Note that this puts a burden on the kernel stack size.
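Review bot: The trailing comment on the added `key_sa_recordxfer(sav, m)` call says what it does but not why it must sit ahead of the bundled-SA block, and the placement is the security-relevant part, since the commit message says these counters drive SA expiry and rekeying. I would replace it with a comment above the call such as `/* Account this SA before the bundle dispatch below; that path appears to leave the function without reaching the end of the body. */` so that a later cleanup does not move it back. The call now also runs before the `goto bad` visible in the next hunk, so a packet dropped there is presumably still charged to the SA; that errs toward earlier rekeying, which looks like the safe direction, but it is worth confirming that this is intended. The body of ipsec_process_done starts and ends outside this hunk.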
@@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
goto bad;
}
}
- key_sa_recordxfer(sav, m); /* record data transfer */
/*
* We're done with IPsec processing, transmit the packet using the