Author: ae Date: Thu Dec 11 19:20:13 2014 New Revision: 275716 URL: https://svnweb.freebsd.org/changeset/base/275716
Log: Do not count security policy violation twice. ipsec*_in_reject() do this by their own. Obtained from: Yandex LLC Sponsored by: Yandex LLC Modified: head/sys/netinet/sctp_input.c head/sys/netinet/tcp_input.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/raw_ip6.c head/sys/netinet6/udp6_usrreq.c Modified: head/sys/netinet/sctp_input.c ============================================================================== --- head/sys/netinet/sctp_input.c Thu Dec 11 19:09:57 2014 (r275715) +++ head/sys/netinet/sctp_input.c Thu Dec 11 19:20:13 2014 (r275716) @@ -5698,7 +5698,6 @@ sctp_common_input_processing(struct mbuf #ifdef INET case AF_INET: if (ipsec4_in_reject(m, &inp->ip_inp.inp)) { - IPSECSTAT_INC(ips_in_polvio); SCTP_STAT_INCR(sctps_hdrops); goto out; } @@ -5707,7 +5706,6 @@ sctp_common_input_processing(struct mbuf #ifdef INET6 case AF_INET6: if (ipsec6_in_reject(m, &inp->ip_inp.inp)) { - IPSEC6STAT_INC(ips_in_polvio); SCTP_STAT_INCR(sctps_hdrops); goto out; } Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Thu Dec 11 19:09:57 2014 (r275715) +++ head/sys/netinet/tcp_input.c Thu Dec 11 19:20:13 2014 (r275716) @@ -894,12 +894,10 @@ findpcb: #ifdef IPSEC #ifdef INET6 if (isipv6 && ipsec6_in_reject(m, inp)) { - IPSEC6STAT_INC(ips_in_polvio); goto dropunlock; } else #endif /* INET6 */ if (ipsec4_in_reject(m, inp) != 0) { - IPSECSTAT_INC(ips_in_polvio); goto dropunlock; } #endif /* IPSEC */ Modified: head/sys/netinet/udp_usrreq.c ============================================================================== --- head/sys/netinet/udp_usrreq.c Thu Dec 11 19:09:57 2014 (r275715) +++ head/sys/netinet/udp_usrreq.c Thu Dec 11 19:20:13 2014 (r275716) @@ -323,7 +323,6 @@ udp_append(struct inpcb *inp, struct ip /* Check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { m_freem(n); - IPSECSTAT_INC(ips_in_polvio); return; } #ifdef IPSEC_NAT_T Modified: head/sys/netinet6/raw_ip6.c ============================================================================== --- head/sys/netinet6/raw_ip6.c Thu Dec 11 19:09:57 2014 (r275715) +++ head/sys/netinet6/raw_ip6.c Thu Dec 11 19:20:13 2014 (r275716) @@ -264,7 +264,6 @@ rip6_input(struct mbuf **mp, int *offp, */ if (n && ipsec6_in_reject(n, last)) { m_freem(n); - IPSEC6STAT_INC(ips_in_polvio); /* Do not inject data into pcb. */ } else #endif /* IPSEC */ @@ -296,7 +295,6 @@ rip6_input(struct mbuf **mp, int *offp, */ if ((last != NULL) && ipsec6_in_reject(m, last)) { m_freem(m); - IPSEC6STAT_INC(ips_in_polvio); IP6STAT_DEC(ip6s_delivered); /* Do not inject data into pcb. */ INP_RUNLOCK(last); Modified: head/sys/netinet6/udp6_usrreq.c ============================================================================== --- head/sys/netinet6/udp6_usrreq.c Thu Dec 11 19:09:57 2014 (r275715) +++ head/sys/netinet6/udp6_usrreq.c Thu Dec 11 19:20:13 2014 (r275716) @@ -158,7 +158,6 @@ udp6_append(struct inpcb *inp, struct mb /* Check AH/ESP integrity. */ if (ipsec6_in_reject(n, inp)) { m_freem(n); - IPSEC6STAT_INC(ips_in_polvio); return; } #endif /* IPSEC */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"