diff options
author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-16 08:13:20 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 12:09:47 -0500 |
commit | bc17e19fafe6200202458ce3c13db42565f9e966 (patch) | |
tree | 26152a33de33f80c525fab5b4ff3d634aba6a217 /sys/netipsec/ipsec_output.c | |
parent | 3ea55b2f2e728e5b8ffd683de15aaae03c7ed71a (diff) | |
download | FreeBSD-src-bc17e19fafe6200202458ce3c13db42565f9e966.zip FreeBSD-src-bc17e19fafe6200202458ce3c13db42565f9e966.tar.gz |
MFC r286095:
Correct IPSec SA statistic keeping
The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs.
When there are multiple transformations being done the statistic keeping might be wrong.
This mostly impacts multiple encapsulations on IPsec since the usual scenario it is not noticed due to the code path not taken.
Differential Revision: https://reviews.freebsd.org/D3239
Reviewed by: ae, gnn
Approved by: gnn(mentor)
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r-- | sys/netipsec/ipsec_output.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 64709dc..7fc61ac 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -157,6 +157,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) tdbi->spi = sav->spi; m_tag_prepend(m, mtag); + key_sa_recordxfer(sav, m); /* record data transfer */ + /* * If there's another (bundled) SA to apply, do so. * Note that this puts a burden on the kernel stack size. @@ -201,7 +203,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) goto bad; } } - key_sa_recordxfer(sav, m); /* record data transfer */ /* * We're done with IPsec processing, transmit the packet using the |