From: Ermal Luçi
Date: Thu, 30 Jul 2015 20:56:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r286095 - head/sys/netipsec

Author: eri
Date: Thu Jul 30 20:56:27 2015
New Revision: 286095
URL: https://svnweb.freebsd.org/changeset/base/286095

Log:
  Correct IPSec SA statistic keeping

  The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs.
  When there are multiple transformations being done the statistic keeping might be wrong.
  This mostly impacts multiple encapsulations on IPsec since the usual scenario it is not noticed due to the code path not taken.

  Differential Revision: https://reviews.freebsd.org/D3239
  Reviewed by: ae, gnn
  Approved by: gnn(mentor)

Modified:
  head/sys/netipsec/ipsec_output.c

Modified: head/sys/netipsec/ipsec_output.c ============================================================================== --- head/sys/netipsec/ipsec_output.c Thu Jul 30 19:52:43 2015 (r286094) +++ head/sys/netipsec/ipsec_output.c Thu Jul 30 20:56:27 2015 (r286095) @@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struc tdbi->spi = sav->spi; m_tag_prepend(m, mtag); + key_sa_recordxfer(sav, m); /* record data transfer */ + /* * If there's another (bundled) SA to apply, do so. * Note that this puts a burden on the kernel stack size. @@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struc goto bad; } } - key_sa_recordxfer(sav, m); /* record data transfer */ /* * We're done with IPsec processing, transmit the packet using the
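Review bot: The comment on the added `key_sa_recordxfer(sav, m);` call in the first hunk (right after `m_tag_prepend(m, mtag);`) still reads only "record data transfer" and does not say why the call has to sit ahead of the "another (bundled) SA" block, which is the point of the move. Suggest extending it, for example "record data transfer for this SA before any bundled SA is applied", so a later cleanup does not push the accounting back to the end of ipsec_process_done().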
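Review bot: In the second hunk the removed `key_sa_recordxfer(sav, m);` came after the block that ends in `goto bad;`, so the old placement only counted packets that got past that error path, whereas the new placement counts a packet before it can reach `goto bad`. Since the log says these counters feed expiry and rekeying decisions, please confirm that counting packets dropped on that path toward the SA's totals is intended, and say so in the commit message or in a comment next to the call.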