ipsec6_process_packet is called before ip6_output fixes ip6_plen.

Update ip6_plen before bpf processing to be able to see the correct value.

MFC after:	1 week
Sponsored by:	Yandex LLC
ae 2014-11-12 22:51:30 +00:00
parent 76d74e0d6c
commit 2188ffe3d0


@ -649,6 +649,8 @@ ipsec6_process_packet(
sav = isr->sav;
dst = &sav->sah->saidx.dst;
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
#ifdef DEV_ENC
if_inc_counter(encif, IFCOUNTER_OPACKETS, 1);
if_inc_counter(encif, IFCOUNTER_OBYTES, m->m_pkthdr.len);
@ -660,8 +662,6 @@ ipsec6_process_packet(
goto bad;
#endif /* DEV_ENC */
ip6 = mtod(m, struct ip6_hdr *); /* XXX */
/* Do the appropriate encapsulation, if necessary */
if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
dst->sa.sa_family != AF_INET6 || /* PF mismatch */
@ -684,9 +684,6 @@ ipsec6_process_packet(
goto bad;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
/* Encapsulate the packet */
error = ipip_output(m, isr, &mp, 0, 0);
if (mp == NULL && !error) {
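Review bot: Dropping the re-fetch `ip6 = mtod(m, struct ip6_hdr *); /* XXX */` after `#endif /* DEV_ENC */` leaves `ip6` pointing into whatever mbuf was current before the DEV_ENC block ran. That block is only partly visible here, but it has an error path (`goto bad;`), and if the hook it calls can replace or reallocate `m`, any later access through `ip6` would use a stale pointer; the tunnel-mode condition that follows continues past the hunk, so whether it reads `ip6` cannot be confirmed from this page. I would keep the re-fetch after `#endif /* DEV_ENC */` with a comment such as `/* enc hooks may have replaced the mbuf; reload the header pointer */`. Separately, the relocated `ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));` now runs before any length or contiguity check visible in these hunks, so it is worth confirming that callers guarantee a contiguous header of at least `sizeof(*ip6)` bytes and a payload length that fits in 16 bits. ipsec6_process_packet starts and ends outside the hunks.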