diff options
| author | eri <eri@FreeBSD.org> | 2015-07-30 20:56:27 +0000 |
|---|---|---|
| committer | eri <eri@FreeBSD.org> | 2015-07-30 20:56:27 +0000 |
| commit | 37e3e3f76e862102cb1cc17045936361488f8f33 (patch) | |
| tree | 6e4b1a2a551af52be6adcc7822f602855d7951fc /sys/netipsec/ipsec_output.c | |
| parent | c31894c74212e2dde0e307e23eee2228db47979e (diff) | |
| download | FreeBSD-src-37e3e3f76e862102cb1cc17045936361488f8f33.zip FreeBSD-src-37e3e3f76e862102cb1cc17045936361488f8f33.tar.gz | |
Correct IPSec SA statistic keeping
The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs.
When there are multiple transformations being done the statistic keeping might be wrong.
This mostly impacts multiple encapsulations on IPsec since the usual scenario it is not noticed due to the code path not taken.
Differential Revision: https://reviews.freebsd.org/D3239
Reviewed by: ae, gnn
Approved by: gnn(mentor)
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index ae36070..a6611a7 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) tdbi->spi = sav->spi; m_tag_prepend(m, mtag); + key_sa_recordxfer(sav, m); /* record data transfer */ + /* * If there's another (bundled) SA to apply, do so. * Note that this puts a burden on the kernel stack size. @@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) goto bad; } } - key_sa_recordxfer(sav, m); /* record data transfer */ /* * We're done with IPsec processing, transmit the packet using the |
