svn commit: r308911 - in projects/ipsec/sys: netinet netinet6

Andrey V. Elsukov ae at FreeBSD.org
Mon Nov 21 07:16:34 UTC 2016


Author: ae
Date: Mon Nov 21 07:16:32 2016
New Revision: 308911
URL: https://svnweb.freebsd.org/changeset/base/308911

Log:
  Modify comments to reflect the reality.

Modified:
  projects/ipsec/sys/netinet/ip_ipsec.c
  projects/ipsec/sys/netinet6/ip6_ipsec.c

Modified: projects/ipsec/sys/netinet/ip_ipsec.c
==============================================================================
--- projects/ipsec/sys/netinet/ip_ipsec.c	Mon Nov 21 06:47:57 2016	(r308910)
+++ projects/ipsec/sys/netinet/ip_ipsec.c	Mon Nov 21 07:16:32 2016	(r308911)
@@ -195,8 +195,11 @@ ip_ipsec_output(struct mbuf *m, struct i
 			/*
 			 * Hack: -EINVAL is used to signal that a packet
 			 * should be silently discarded.  This is typically
-			 * because we asked key management for an SA and
-			 * it was delayed (e.g. kicked up to IKE).
+			 * because we have DISCARD policy or asked key
+			 * management for an SP and it was delayed (e.g.
+			 * kicked up to IKE).
+			 * XXX: maybe return EACCES to the caller would
+			 *      be more useful?
 			 */
 			if (*error == -EINVAL)
 				*error = 0;
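Review bot: The rewritten comment in ip_ipsec_output says key management was asked "for an SP", but what is normally kicked up to IKE is the negotiation of an SA for a policy that already matched, so the wording should probably read `DISCARD policy, or asked key management for an SA and it was delayed`; this is worth confirming against the policy-lookup code, which is outside the hunk. The comment could also state that the caller receives `*error = 0` for a packet that was dropped, so a DISCARD-policy drop cannot be told apart from success at this layer, which is the practical consequence behind the XXX about EACCES. The same text is repeated in ip_ipsec_forward and in both ip6_ipsec.c hunks, so any rewording applies to all four. The enclosing function bodies start and end outside the hunks.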
@@ -270,8 +273,11 @@ ip_ipsec_forward(struct mbuf *m, int *er
 			/*
 			 * Hack: -EINVAL is used to signal that a packet
 			 * should be silently discarded.  This is typically
-			 * because we asked key management for an SA and
-			 * it was delayed (e.g. kicked up to IKE).
+			 * because we have DISCARD policy or asked key
+			 * management for an SP and it was delayed (e.g.
+			 * kicked up to IKE).
+			 * XXX: maybe return EACCES to the caller would
+			 *      be more useful?
 			 */
 			if (*error == -EINVAL)
 				*error = 0;

Modified: projects/ipsec/sys/netinet6/ip6_ipsec.c
==============================================================================
--- projects/ipsec/sys/netinet6/ip6_ipsec.c	Mon Nov 21 06:47:57 2016	(r308910)
+++ projects/ipsec/sys/netinet6/ip6_ipsec.c	Mon Nov 21 07:16:32 2016	(r308911)
@@ -195,8 +195,11 @@ ip6_ipsec_output(struct mbuf *m, struct 
 			/*
 			 * Hack: -EINVAL is used to signal that a packet
 			 * should be silently discarded.  This is typically
-			 * because we asked key management for an SA and
-			 * it was delayed (e.g. kicked up to IKE).
+			 * because we have DISCARD policy or asked key
+			 * management for an SP and it was delayed (e.g.
+			 * kicked up to IKE).
+			 * XXX: maybe return EACCES to the caller would
+			 *      be more useful?
 			 */
 			if (*error == -EINVAL)
 				*error = 0;
@@ -277,8 +280,11 @@ ip6_ipsec_forward(struct mbuf *m, int *e
 			/*
 			 * Hack: -EINVAL is used to signal that a packet
 			 * should be silently discarded.  This is typically
-			 * because we asked key management for an SA and
-			 * it was delayed (e.g. kicked up to IKE).
+			 * because we have DISCARD policy or asked key
+			 * management for an SP and it was delayed (e.g.
+			 * kicked up to IKE).
+			 * XXX: maybe return EACCES to the caller would
+			 *      be more useful?
 			 */
 			if (*error == -EINVAL)
 				*error = 0;

