Correct IPSec SA statistic keeping

The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs.
When there are multiple transformations being done the statistic keeping might be wrong.

This mostly impacts multiple encapsulations on IPsec, since in the usual scenario it is not noticed due to the code path not being taken.

Differential Revision:	https://reviews.freebsd.org/D3239
Reviewed by:		ae, gnn
Approved by:		gnn(mentor)
Ermal Luçi 2015-07-30 20:56:27 +00:00
parent 4ae1e3c752
commit 59959de526
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=286095


@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
tdbi->spi = sav->spi;
m_tag_prepend(m, mtag);
key_sa_recordxfer(sav, m); /* record data transfer */
/*
* If there's another (bundled) SA to apply, do so.
* Note that this puts a burden on the kernel stack size.
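Review bot: The key_sa_recordxfer(sav, m) call sitting between m_tag_prepend(m, mtag) and the bundled-SA comment keeps only the generic comment "record data transfer", which gives no hint that its position matters. The commit message says these counters feed expiry/rekeying decisions and go wrong when multiple transformations are done, so state that at the call site, for example "record data transfer for this SA before any further bundled SA is applied", so the call is not moved back below the bundle handling in a later cleanup.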
@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
goto bad;
}
}
key_sa_recordxfer(sav, m); /* record data transfer */
/*
* We're done with IPsec processing, transmit the packet using the
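Review bot: With key_sa_recordxfer(sav, m) no longer sitting after the closing braces here, the goto bad in the block above is reached after the transfer has already been recorded (the call now lives near line 158, per the first hunk), so a failure on this path still counts toward the SA's statistics. Because the commit message says those statistics drive expiry/rekeying, please confirm that counting on the error path is intended, or document it in the comment at the new call site.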