diff options
| author | ae <ae@FreeBSD.org> | 2014-11-20 18:49:11 +0000 |
|---|---|---|
| committer | ae <ae@FreeBSD.org> | 2014-11-20 18:49:11 +0000 |
| commit | b634635a73c9af335c794449b95fa6c02663e42a (patch) | |
| tree | 06147572ea2d690b79a67d3d15b531d01d0db0fa /sys/netipsec/ipsec_output.c | |
| parent | 84d8d047ba855b0e24f1009141363b9d5e1dcf29 (diff) | |
| download | FreeBSD-src-b634635a73c9af335c794449b95fa6c02663e42a.zip FreeBSD-src-b634635a73c9af335c794449b95fa6c02663e42a.tar.gz | |
MFC r274434:
Fix ips_out_nosa errors accounting.
MFC r274454:
ipsec6_process_packet is called before ip6_output fixes ip6_plen.
Update ip6_plen before bpf processing to be able see correct value.
MFC r274455:
We don't return sp pointer, thus NULL assignment isn't needed.
And reference to sp will be freed at the end.
MFC r274465:
Remove redundant ip6_plen initialization.
MFC r274466:
Strip IP header only when we act in tunnel mode.
MFC r274467:
Count statistics for the specific address family.
Sponsored by: Yandex LLC
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 77dbe03..39a8631 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -164,11 +164,11 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) * doing further processing. */ if (isr->next) { - IPSECSTAT_INC(ips_out_bundlesa); /* XXX-BZ currently only support same AF bundles. */ switch (saidx->dst.sa.sa_family) { #ifdef INET case AF_INET: + IPSECSTAT_INC(ips_out_bundlesa); return ipsec4_process_packet(m, isr->next, 0, 0); /* NOTREACHED */ #endif @@ -176,6 +176,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) #ifdef INET6 case AF_INET6: /* XXX */ + IPSEC6STAT_INC(ips_out_bundlesa); return ipsec6_process_packet(m, isr->next); /* NOTREACHED */ #endif /* INET6 */ @@ -357,7 +358,16 @@ again: * this packet because it is responsibility for * upper layer to retransmit the packet. */ - IPSECSTAT_INC(ips_out_nosa); + switch(af) { + case AF_INET: + IPSECSTAT_INC(ips_out_nosa); + break; +#ifdef INET6 + case AF_INET6: + IPSEC6STAT_INC(ips_out_nosa); + break; +#endif + } goto bad; } sav = isr->sav; @@ -639,6 +649,8 @@ ipsec6_process_packet( sav = isr->sav; dst = &sav->sah->saidx.dst; + ip6 = mtod(m, struct ip6_hdr *); + ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); #ifdef DEV_ENC encif->if_opackets++; encif->if_obytes += m->m_pkthdr.len; @@ -650,8 +662,6 @@ ipsec6_process_packet( goto bad; #endif /* DEV_ENC */ - ip6 = mtod(m, struct ip6_hdr *); /* XXX */ - /* Do the appropriate encapsulation, if necessary */ if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ dst->sa.sa_family != AF_INET6 || /* PF mismatch */ @@ -674,9 +684,6 @@ ipsec6_process_packet( goto bad; } - ip6 = mtod(m, struct ip6_hdr *); - ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); - /* Encapsulate the packet */ error = ipip_output(m, isr, &mp, 0, 0); if (mp == NULL && !error) { |
