ipsec6_process_packet is called before ip6_output fixes ip6_plen.

Update ip6_plen before bpf processing to be able see correct value.

MFC after:	1 week
Sponsored by:	Yandex LLC

1 files changed, 2 insertions, 5 deletions

diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 83735b0..87cc7e8 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -649,6 +649,8 @@ ipsec6_process_packet(
 	sav = isr->sav;
 	dst = &sav->sah->saidx.dst;
 
+	ip6 = mtod(m, struct ip6_hdr *);
+	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
 #ifdef DEV_ENC
 	if_inc_counter(encif, IFCOUNTER_OPACKETS, 1);
 	if_inc_counter(encif, IFCOUNTER_OBYTES, m->m_pkthdr.len);
@@ -660,8 +662,6 @@ ipsec6_process_packet(
 		goto bad;
 #endif /* DEV_ENC */
 
-	ip6 = mtod(m, struct ip6_hdr *); /* XXX */
-
 	/* Do the appropriate encapsulation, if necessary */
 	if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
 	    dst->sa.sa_family != AF_INET6 ||        /* PF mismatch */
@@ -684,9 +684,6 @@ ipsec6_process_packet(
 			goto bad;
 		}
 
-		ip6 = mtod(m, struct ip6_hdr *);
-		ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
-
 		/* Encapsulate the packet */
 		error = ipip_output(m, isr, &mp, 0, 0);
 		if (mp == NULL && !error) {