D25444.id73674.diff
View Options

	Index: head/sys/netipsec/ipsec_input.c
	===================================================================
	--- head/sys/netipsec/ipsec_input.c
	+++ head/sys/netipsec/ipsec_input.c
	@@ -278,6 +278,7 @@
	int protoff)
	{
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
	+ struct epoch_tracker et;
	struct ipsec_ctx_data ctx;
	struct xform_history *xh;
	struct secasindex *saidx;
	@@ -424,7 +425,9 @@
	if (saidx->mode == IPSEC_MODE_TUNNEL)
	error = ipsec_if_input(m, sav, af);
	if (error == 0) {
	+ NET_EPOCH_ENTER(et);
	error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
	+ NET_EPOCH_EXIT(et);
	if (error) {
	IPSEC_ISTAT(sproto, qfull);
	DPRINTF(("%s: queue full; proto %u packet dropped\n",
	@@ -489,6 +492,7 @@
	int protoff)
	{
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
	+ struct epoch_tracker et;
	struct ipsec_ctx_data ctx;
	struct xform_history *xh;
	struct secasindex *saidx;
	@@ -621,8 +625,10 @@
	if (saidx->mode == IPSEC_MODE_TUNNEL)
	error = ipsec_if_input(m, sav, af);
	if (error == 0) {
	+ NET_EPOCH_ENTER(et);
	error = netisr_queue_src(isr_prot,
	(uintptr_t)sav->spi, m);
	+ NET_EPOCH_EXIT(et);
	if (error) {
	IPSEC_ISTAT(sproto, qfull);
	DPRINTF(("%s: queue full; proto %u packet"
	@@ -638,11 +644,12 @@
	*/
	nest = 0;
	nxt = nxt8;
	+ NET_EPOCH_ENTER(et);
	while (nxt != IPPROTO_DONE) {
	if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
	IP6STAT_INC(ip6s_toomanyhdr);
	error = EINVAL;
	- goto bad;
	+ goto bad_epoch;
	}

	/*
	@@ -653,7 +660,7 @@
	IP6STAT_INC(ip6s_tooshort);
	in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
	error = EINVAL;
	- goto bad;
	+ goto bad_epoch;
	}
	/*
	* Enforce IPsec policy checking if we are seeing last header.
	@@ -663,12 +670,15 @@
	if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
	ipsec6_in_reject(m, NULL)) {
	error = EINVAL;
	- goto bad;
	+ goto bad_epoch;
	}
	nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
	}
	+ NET_EPOCH_EXIT(et);
	key_freesav(&sav);
	return (0);
	+bad_epoch:
	+ NET_EPOCH_EXIT(et);
	bad:
	key_freesav(&sav);
	if (m)
	Index: head/sys/netipsec/ipsec_output.c
	===================================================================
	--- head/sys/netipsec/ipsec_output.c
	+++ head/sys/netipsec/ipsec_output.c
	@@ -688,6 +688,7 @@
	ipsec_process_done(struct mbuf m, struct secpolicy sp, struct secasvar *sav,
	u_int idx)
	{
	+ struct epoch_tracker et;
	struct xform_history *xh;
	struct secasindex *saidx;
	struct m_tag *mtag;
	@@ -789,19 +790,25 @@
	* We're done with IPsec processing, transmit the packet using the
	* appropriate network protocol (IP or IPv6).
	*/
	+ NET_EPOCH_ENTER(et);
	switch (saidx->dst.sa.sa_family) {
	#ifdef INET
	case AF_INET:
	key_freesav(&sav);
	- return ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
	+ error = ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
	+ break;
	#endif /* INET */
	#ifdef INET6
	case AF_INET6:
	key_freesav(&sav);
	- return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
	+ error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
	+ break;
	#endif /* INET6 */
	+ default:
	+ panic("ipsec_process_done");
	}
	- panic("ipsec_process_done");
	+ NET_EPOCH_EXIT(et);
	+ return (error);
	bad:
	m_freem(m);
	key_freesav(&sav);

File Metadata

Mime Type: text/plain
Expires: Sat, Jan 31, 8:13 PM (10 h, 17 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 28174468
Default Alt Text: D25444.id73674.diff (3 KB)

D25444.id73674.diff
No OneTemporary
Actions

D25444.id73674.diff
View Options

File Metadata

Event Timeline

D25444.id73674.diffNo OneTemporaryActions

D25444.id73674.diffView Options

File Metadata

Event Timeline

D25444.id73674.diff
No OneTemporary
Actions

D25444.id73674.diff
View Options