From d5f39c34a64b8d2ffc17e218c89e0fb52e624097 Mon Sep 17 00:00:00 2001
From: Fabien Thomas
Date: Fri, 6 Sep 2019 14:30:23 +0000
Subject: [PATCH] Fix broken window replay check that will allow old packet to be accepted. This was introduced in r309144.
Submitted by: Jean-Francois HREN
Approved by: ae@
MFC after: 3 days
---
 sys/netipsec/ipsec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 245feb1bdca9..7b7f4d05ea4e 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1323,6 +1323,8 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
 __func__, replay->overflow,
 ipsec_sa2str(sav, buf, sizeof(buf))));
 }
+
+ replay->count++;
 return (0);
 }
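Review bot: The added `replay->count++;` has no comment, although the commit message says that its absence allowed old packets to pass the replay window, so a later refactor could drop the line again. A one-line comment above it would record the dependency, for example `/* Count every accepted packet; the replay check relies on this counter advancing. */`. That wording assumes the checking side reads the counter, which is outside this hunk and should be confirmed. The body of ipsec_updatereplay, including the overflow test whose closing lines appear at the top of the hunk, starts outside it, so how the increment behaves with the counter at its maximum cannot be judged from here. A regression test that feeds an already-accepted sequence number back in and expects rejection would pin the fix.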