Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 20 Jun 2013 11:44:17 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r252028 - head/sys/netipsec
Message-ID:  <201306201144.r5KBiH1h096244@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ae
Date: Thu Jun 20 11:44:16 2013
New Revision: 252028
URL: http://svnweb.freebsd.org/changeset/base/252028

Log:
  Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,
  PFKEY.
  
  MFC after:	2 weeks

Modified:
  head/sys/netipsec/ah_var.h
  head/sys/netipsec/esp_var.h
  head/sys/netipsec/ipcomp_var.h
  head/sys/netipsec/ipip_var.h
  head/sys/netipsec/ipsec_input.c
  head/sys/netipsec/ipsec_output.c
  head/sys/netipsec/key.c
  head/sys/netipsec/keysock.c
  head/sys/netipsec/keysock.h
  head/sys/netipsec/xform_ah.c
  head/sys/netipsec/xform_esp.c
  head/sys/netipsec/xform_ipcomp.c
  head/sys/netipsec/xform_ipip.c

Modified: head/sys/netipsec/ah_var.h
==============================================================================
--- head/sys/netipsec/ah_var.h	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/ah_var.h	Thu Jun 20 11:44:16 2013	(r252028)
@@ -75,6 +75,8 @@ VNET_DECLARE(int, ah_enable);
 VNET_DECLARE(int, ah_cleartos);
 VNET_DECLARE(struct ahstat, ahstat);
 
+#define	AHSTAT_ADD(name, val)	V_ahstat.name += (val)
+#define	AHSTAT_INC(name)	AHSTAT_ADD(name, 1)
 #define	V_ah_enable		VNET(ah_enable)
 #define	V_ah_cleartos		VNET(ah_cleartos)
 #define	V_ahstat		VNET(ahstat)

Modified: head/sys/netipsec/esp_var.h
==============================================================================
--- head/sys/netipsec/esp_var.h	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/esp_var.h	Thu Jun 20 11:44:16 2013	(r252028)
@@ -75,6 +75,8 @@ struct espstat {
 VNET_DECLARE(int, esp_enable);
 VNET_DECLARE(struct espstat, espstat);
 
+#define	ESPSTAT_ADD(name, val)	V_espstat.name += (val)
+#define	ESPSTAT_INC(name)	ESPSTAT_ADD(name, 1)
 #define	V_esp_enable	VNET(esp_enable)
 #define	V_espstat	VNET(espstat)
 #endif /* _KERNEL */

Modified: head/sys/netipsec/ipcomp_var.h
==============================================================================
--- head/sys/netipsec/ipcomp_var.h	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/ipcomp_var.h	Thu Jun 20 11:44:16 2013	(r252028)
@@ -68,6 +68,8 @@ struct ipcompstat {
 VNET_DECLARE(int, ipcomp_enable);
 VNET_DECLARE(struct ipcompstat, ipcompstat);
 
+#define	IPCOMPSTAT_ADD(name, val)	V_ipcompstat.name += (val)
+#define	IPCOMPSTAT_INC(name)		IPCOMPSTAT_ADD(name, 1)
 #define	V_ipcomp_enable		VNET(ipcomp_enable)
 #define	V_ipcompstat		VNET(ipcompstat)
 #endif /* _KERNEL */

Modified: head/sys/netipsec/ipip_var.h
==============================================================================
--- head/sys/netipsec/ipip_var.h	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/ipip_var.h	Thu Jun 20 11:44:16 2013	(r252028)
@@ -62,6 +62,8 @@ struct ipipstat
 VNET_DECLARE(int, ipip_allow);
 VNET_DECLARE(struct ipipstat, ipipstat);
 
+#define	IPIPSTAT_ADD(name, val)	V_ipipstat.name += (val)
+#define	IPIPSTAT_INC(name)	IPIPSTAT_ADD(name, 1)
 #define	V_ipip_allow		VNET(ipip_allow)
 #define	V_ipipstat		VNET(ipipstat)
 #endif /* _KERNEL */

Modified: head/sys/netipsec/ipsec_input.c
==============================================================================
--- head/sys/netipsec/ipsec_input.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/ipsec_input.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -99,8 +99,14 @@
 #endif
 
 
-#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
-			    (p) == IPPROTO_AH ? (y)++ : (z)++)
+#define	IPSEC_ISTAT(proto, name)	do {	\
+	if ((proto) == IPPROTO_ESP)		\
+		ESPSTAT_INC(esps_##name);	\
+	else if ((proto) == IPPROTO_AH)		\
+		AHSTAT_INC(ahs_##name);		\
+	else					\
+		IPCOMPSTAT_INC(ipcomps_##name);	\
+} while (0)
 
 #ifdef INET
 static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
@@ -125,8 +131,7 @@ ipsec_common_input(struct mbuf *m, int s
 #endif
 #endif
 
-	IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
-		V_ipcompstat.ipcomps_input);
+	IPSEC_ISTAT(sproto, input);
 
 	IPSEC_ASSERT(m != NULL, ("null packet"));
 
@@ -138,15 +143,13 @@ ipsec_common_input(struct mbuf *m, int s
 	    (sproto == IPPROTO_AH && !V_ah_enable) ||
 	    (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
-		    V_ipcompstat.ipcomps_pdrops);
+		IPSEC_ISTAT(sproto, pdrops);
 		return EOPNOTSUPP;
 	}
 
 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
-		    V_ipcompstat.ipcomps_hdrops);
+		IPSEC_ISTAT(sproto, hdrops);
 		DPRINTF(("%s: packet too small\n", __func__));
 		return EINVAL;
 	}
@@ -197,8 +200,7 @@ ipsec_common_input(struct mbuf *m, int s
 	default:
 		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
-		    V_ipcompstat.ipcomps_nopf);
+		IPSEC_ISTAT(sproto, nopf);
 		return EPFNOSUPPORT;
 	}
 
@@ -208,8 +210,7 @@ ipsec_common_input(struct mbuf *m, int s
 		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
 			  __func__, ipsec_address(&dst_address),
 			  (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
-		    V_ipcompstat.ipcomps_notdb);
+		IPSEC_ISTAT(sproto, notdb);
 		m_freem(m);
 		return ENOENT;
 	}
@@ -218,8 +219,7 @@ ipsec_common_input(struct mbuf *m, int s
 		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
 			 __func__, ipsec_address(&dst_address),
 			 (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
-		    V_ipcompstat.ipcomps_noxform);
+		IPSEC_ISTAT(sproto, noxform);
 		KEY_FREESAV(&sav);
 		m_freem(m);
 		return ENXIO;
@@ -321,8 +321,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
-		    V_ipcompstat.ipcomps_badkcr);
+		IPSEC_ISTAT(sproto, badkcr);
 		KEY_FREESAV(&sav);
 		return EINVAL;
 	}
@@ -336,8 +335,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
 			    __func__, ipsec_address(&sav->sah->saidx.dst),
 			    (u_long) ntohl(sav->spi)));
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
-			    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = ENOBUFS;
 			goto bad;
 		}
@@ -357,9 +355,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip ipn;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops,
-			    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = EINVAL;
 			goto bad;
 		}
@@ -388,9 +384,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			    ipsp_address(saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    V_ahstat.ahs_pdrops,
-			    V_ipcompstat.ipcomps_pdrops);
+			IPSEC_ISTAT(sproto, pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -401,9 +395,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops,
-			    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = EINVAL;
 			goto bad;
 		}
@@ -430,9 +422,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    V_ahstat.ahs_pdrops,
-			    V_ipcompstat.ipcomps_pdrops);
+			IPSEC_ISTAT(sproto, pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -453,8 +443,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = ENOMEM;
 			goto bad;
 		}
@@ -494,9 +483,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	 * Re-dispatch via software interrupt.
 	 */
 	if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) {
-		IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
-			    V_ipcompstat.ipcomps_qfull);
-
+		IPSEC_ISTAT(sproto, qfull);
 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
 			__func__, sproto));
 		return error;
@@ -548,9 +535,7 @@ ipsec6_common_input(struct mbuf **mp, in
 		if (protoff + l != *offp) {
 			DPRINTF(("%s: bad packet header chain, protoff %u, "
 				"l %u, off %u\n", __func__, protoff, l, *offp));
-			IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
-				    V_ahstat.ahs_hdrops,
-				    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(proto, hdrops);
 			m_freem(*mp);
 			*mp = NULL;
 			return IPPROTO_DONE;
@@ -595,8 +580,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
-		    V_ipcompstat.ipcomps_badkcr);
+		IPSEC_ISTAT(sproto, badkcr);
 		error = EINVAL;
 		goto bad;
 	}
@@ -609,8 +593,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 		    __func__, ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
 
-		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
-		    V_ipcompstat.ipcomps_hdrops);
+		IPSEC_ISTAT(sproto, hdrops);
 		error = EACCES;
 		goto bad;
 	}
@@ -628,9 +611,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 		struct ip ipn;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops,
-			    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = EINVAL;
 			goto bad;
 		}
@@ -655,8 +636,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
-			    V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
+			IPSEC_ISTAT(sproto, pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -668,9 +648,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops,
-			    V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = EINVAL;
 			goto bad;
 		}
@@ -697,8 +675,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
+			IPSEC_ISTAT(sproto, pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -718,8 +695,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
+			IPSEC_ISTAT(sproto, hdrops);
 			error = ENOMEM;
 			goto bad;
 		}

Modified: head/sys/netipsec/ipsec_output.c
==============================================================================
--- head/sys/netipsec/ipsec_output.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/ipsec_output.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -276,8 +276,14 @@ ipsec_nextisr(
 	int *error
 )
 {
-#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
-			    isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
+#define	IPSEC_OSTAT(name)	do {		\
+	if (isr->saidx.proto == IPPROTO_ESP)	\
+		ESPSTAT_INC(esps_##name);	\
+	else if (isr->saidx.proto == IPPROTO_AH)\
+		AHSTAT_INC(ahs_##name);		\
+	else					\
+		IPCOMPSTAT_INC(ipcomps_##name);	\
+} while (0)
 	struct secasvar *sav;
 
 	IPSECREQUEST_LOCK_ASSERT(isr);
@@ -385,8 +391,7 @@ again:
 	    (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
 		DPRINTF(("%s: IPsec outbound packet dropped due"
 			" to policy (check your sysctls)\n", __func__));
-		IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
-		    V_ipcompstat.ipcomps_pdrops);
+		IPSEC_OSTAT(pdrops);
 		*error = EHOSTUNREACH;
 		goto bad;
 	}
@@ -397,8 +402,7 @@ again:
 	 */
 	if (sav->tdb_xform == NULL) {
 		DPRINTF(("%s: no transform for SA\n", __func__));
-		IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
-		    V_ipcompstat.ipcomps_noxform);
+		IPSEC_OSTAT(noxform);
 		*error = EHOSTUNREACH;
 		goto bad;
 	}

Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/key.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -7316,7 +7316,7 @@ key_parse(m, so)
 	if ((m->m_flags & M_PKTHDR) == 0 ||
 	    m->m_pkthdr.len != m->m_pkthdr.len) {
 		ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
-		V_pfkeystat.out_invlen++;
+		PFKEYSTAT_INC(out_invlen);
 		error = EINVAL;
 		goto senderror;
 	}
@@ -7324,7 +7324,7 @@ key_parse(m, so)
 	if (msg->sadb_msg_version != PF_KEY_V2) {
 		ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
 		    __func__, msg->sadb_msg_version));
-		V_pfkeystat.out_invver++;
+		PFKEYSTAT_INC(out_invver);
 		error = EINVAL;
 		goto senderror;
 	}
@@ -7332,7 +7332,7 @@ key_parse(m, so)
 	if (msg->sadb_msg_type > SADB_MAX) {
 		ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
 		    __func__, msg->sadb_msg_type));
-		V_pfkeystat.out_invmsgtype++;
+		PFKEYSTAT_INC(out_invmsgtype);
 		error = EINVAL;
 		goto senderror;
 	}
@@ -7385,7 +7385,7 @@ key_parse(m, so)
 			ipseclog((LOG_DEBUG, "%s: must specify satype "
 			    "when msg type=%u.\n", __func__,
 			    msg->sadb_msg_type));
-			V_pfkeystat.out_invsatype++;
+			PFKEYSTAT_INC(out_invsatype);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7405,7 +7405,7 @@ key_parse(m, so)
 		case SADB_X_SPDDELETE2:
 			ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
 				__func__, msg->sadb_msg_type));
-			V_pfkeystat.out_invsatype++;
+			PFKEYSTAT_INC(out_invsatype);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7416,7 +7416,7 @@ key_parse(m, so)
 	case SADB_SATYPE_MIP:
 		ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
 			__func__, msg->sadb_msg_satype));
-		V_pfkeystat.out_invsatype++;
+		PFKEYSTAT_INC(out_invsatype);
 		error = EOPNOTSUPP;
 		goto senderror;
 	case 1:	/* XXX: What does it do? */
@@ -7426,7 +7426,7 @@ key_parse(m, so)
 	default:
 		ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
 			__func__, msg->sadb_msg_satype));
-		V_pfkeystat.out_invsatype++;
+		PFKEYSTAT_INC(out_invsatype);
 		error = EINVAL;
 		goto senderror;
 	}
@@ -7444,7 +7444,7 @@ key_parse(m, so)
 		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
 			ipseclog((LOG_DEBUG, "%s: upper layer protocol "
 				"mismatched.\n", __func__));
-			V_pfkeystat.out_invaddr++;
+			PFKEYSTAT_INC(out_invaddr);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7454,7 +7454,7 @@ key_parse(m, so)
 		    PFKEY_ADDR_SADDR(dst0)->sa_family) {
 			ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
 				__func__));
-			V_pfkeystat.out_invaddr++;
+			PFKEYSTAT_INC(out_invaddr);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7462,7 +7462,7 @@ key_parse(m, so)
 		    PFKEY_ADDR_SADDR(dst0)->sa_len) {
 			ipseclog((LOG_DEBUG, "%s: address struct size "
 				"mismatched.\n", __func__));
-			V_pfkeystat.out_invaddr++;
+			PFKEYSTAT_INC(out_invaddr);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7471,7 +7471,7 @@ key_parse(m, so)
 		case AF_INET:
 			if (PFKEY_ADDR_SADDR(src0)->sa_len !=
 			    sizeof(struct sockaddr_in)) {
-				V_pfkeystat.out_invaddr++;
+				PFKEYSTAT_INC(out_invaddr);
 				error = EINVAL;
 				goto senderror;
 			}
@@ -7479,7 +7479,7 @@ key_parse(m, so)
 		case AF_INET6:
 			if (PFKEY_ADDR_SADDR(src0)->sa_len !=
 			    sizeof(struct sockaddr_in6)) {
-				V_pfkeystat.out_invaddr++;
+				PFKEYSTAT_INC(out_invaddr);
 				error = EINVAL;
 				goto senderror;
 			}
@@ -7487,7 +7487,7 @@ key_parse(m, so)
 		default:
 			ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
 				__func__));
-			V_pfkeystat.out_invaddr++;
+			PFKEYSTAT_INC(out_invaddr);
 			error = EAFNOSUPPORT;
 			goto senderror;
 		}
@@ -7509,7 +7509,7 @@ key_parse(m, so)
 		    dst0->sadb_address_prefixlen > plen) {
 			ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
 				__func__));
-			V_pfkeystat.out_invaddr++;
+			PFKEYSTAT_INC(out_invaddr);
 			error = EINVAL;
 			goto senderror;
 		}
@@ -7522,7 +7522,7 @@ key_parse(m, so)
 
 	if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) ||
 	    key_typesw[msg->sadb_msg_type] == NULL) {
-		V_pfkeystat.out_invmsgtype++;
+		PFKEYSTAT_INC(out_invmsgtype);
 		error = EINVAL;
 		goto senderror;
 	}
@@ -7624,7 +7624,7 @@ key_align(m, mhp)
 				ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
 					"%u\n", __func__, ext->sadb_ext_type));
 				m_freem(m);
-				V_pfkeystat.out_dupext++;
+				PFKEYSTAT_INC(out_dupext);
 				return EINVAL;
 			}
 			break;
@@ -7632,7 +7632,7 @@ key_align(m, mhp)
 			ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
 				__func__, ext->sadb_ext_type));
 			m_freem(m);
-			V_pfkeystat.out_invexttype++;
+			PFKEYSTAT_INC(out_invexttype);
 			return EINVAL;
 		}
 
@@ -7640,7 +7640,7 @@ key_align(m, mhp)
 
 		if (key_validate_ext(ext, extlen)) {
 			m_freem(m);
-			V_pfkeystat.out_invlen++;
+			PFKEYSTAT_INC(out_invlen);
 			return EINVAL;
 		}
 
@@ -7658,7 +7658,7 @@ key_align(m, mhp)
 
 	if (off != end) {
 		m_freem(m);
-		V_pfkeystat.out_invlen++;
+		PFKEYSTAT_INC(out_invlen);
 		return EINVAL;
 	}
 

Modified: head/sys/netipsec/keysock.c
==============================================================================
--- head/sys/netipsec/keysock.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/keysock.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -91,19 +91,19 @@ key_output(struct mbuf *m, struct socket
 	if (m == 0)
 		panic("%s: NULL pointer was passed.\n", __func__);
 
-	V_pfkeystat.out_total++;
-	V_pfkeystat.out_bytes += m->m_pkthdr.len;
+	PFKEYSTAT_INC(out_total);
+	PFKEYSTAT_ADD(out_bytes, m->m_pkthdr.len);
 
 	len = m->m_pkthdr.len;
 	if (len < sizeof(struct sadb_msg)) {
-		V_pfkeystat.out_tooshort++;
+		PFKEYSTAT_INC(out_tooshort);
 		error = EINVAL;
 		goto end;
 	}
 
 	if (m->m_len < sizeof(struct sadb_msg)) {
 		if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
-			V_pfkeystat.out_nomem++;
+			PFKEYSTAT_INC(out_nomem);
 			error = ENOBUFS;
 			goto end;
 		}
@@ -114,9 +114,9 @@ key_output(struct mbuf *m, struct socket
 	KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
 
 	msg = mtod(m, struct sadb_msg *);
-	V_pfkeystat.out_msgtype[msg->sadb_msg_type]++;
+	PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]);
 	if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
-		V_pfkeystat.out_invlen++;
+		PFKEYSTAT_INC(out_invlen);
 		error = EINVAL;
 		goto end;
 	}
@@ -147,7 +147,7 @@ key_sendup0(rp, m, promisc)
 		if (m && m->m_len < sizeof(struct sadb_msg))
 			m = m_pullup(m, sizeof(struct sadb_msg));
 		if (!m) {
-			V_pfkeystat.in_nomem++;
+			PFKEYSTAT_INC(in_nomem);
 			m_freem(m);
 			return ENOBUFS;
 		}
@@ -160,12 +160,12 @@ key_sendup0(rp, m, promisc)
 		pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
 		/* pid and seq? */
 
-		V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
+		PFKEYSTAT_INC(in_msgtype[pmsg->sadb_msg_type]);
 	}
 
 	if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
 	    m, NULL)) {
-		V_pfkeystat.in_nomem++;
+		PFKEYSTAT_INC(in_nomem);
 		m_freem(m);
 		error = ENOBUFS;
 	} else
@@ -197,9 +197,9 @@ key_sendup(so, msg, len, target)
 	 * we increment statistics here, just in case we have ENOBUFS
 	 * in this function.
 	 */
-	V_pfkeystat.in_total++;
-	V_pfkeystat.in_bytes += len;
-	V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+	PFKEYSTAT_INC(in_total);
+	PFKEYSTAT_ADD(in_bytes, len);
+	PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
 
 	/*
 	 * Get mbuf chain whenever possible (not clusters),
@@ -216,14 +216,14 @@ key_sendup(so, msg, len, target)
 		if (tlen == len) {
 			MGETHDR(n, M_NOWAIT, MT_DATA);
 			if (n == NULL) {
-				V_pfkeystat.in_nomem++;
+				PFKEYSTAT_INC(in_nomem);
 				return ENOBUFS;
 			}
 			n->m_len = MHLEN;
 		} else {
 			MGET(n, M_NOWAIT, MT_DATA);
 			if (n == NULL) {
-				V_pfkeystat.in_nomem++;
+				PFKEYSTAT_INC(in_nomem);
 				return ENOBUFS;
 			}
 			n->m_len = MLEN;
@@ -233,7 +233,7 @@ key_sendup(so, msg, len, target)
 			if ((n->m_flags & M_EXT) == 0) {
 				m_free(n);
 				m_freem(m);
-				V_pfkeystat.in_nomem++;
+				PFKEYSTAT_INC(in_nomem);
 				return ENOBUFS;
 			}
 			n->m_len = MCLBYTES;
@@ -256,9 +256,9 @@ key_sendup(so, msg, len, target)
 	m_copyback(m, 0, len, (caddr_t)msg);
 
 	/* avoid duplicated statistics */
-	V_pfkeystat.in_total--;
-	V_pfkeystat.in_bytes -= len;
-	V_pfkeystat.in_msgtype[msg->sadb_msg_type]--;
+	PFKEYSTAT_ADD(in_total, -1);
+	PFKEYSTAT_ADD(in_bytes, -len);
+	PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1);
 
 	return key_sendup_mbuf(so, m, target);
 }
@@ -281,19 +281,19 @@ key_sendup_mbuf(so, m, target)
 	if (so == NULL && target == KEY_SENDUP_ONE)
 		panic("%s: NULL pointer was passed.\n", __func__);
 
-	V_pfkeystat.in_total++;
-	V_pfkeystat.in_bytes += m->m_pkthdr.len;
+	PFKEYSTAT_INC(in_total);
+	PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len);
 	if (m->m_len < sizeof(struct sadb_msg)) {
 		m = m_pullup(m, sizeof(struct sadb_msg));
 		if (m == NULL) {
-			V_pfkeystat.in_nomem++;
+			PFKEYSTAT_INC(in_nomem);
 			return ENOBUFS;
 		}
 	}
 	if (m->m_len >= sizeof(struct sadb_msg)) {
 		struct sadb_msg *msg;
 		msg = mtod(m, struct sadb_msg *);
-		V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+		PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
 	}
 	mtx_lock(&rawcb_mtx);
 	LIST_FOREACH(rp, &V_rawcb_list, list)
@@ -338,14 +338,14 @@ key_sendup_mbuf(so, m, target)
 				sendup++;
 			break;
 		}
-		V_pfkeystat.in_msgtarget[target]++;
+		PFKEYSTAT_INC(in_msgtarget[target]);
 
 		if (!sendup)
 			continue;
 
 		if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
 			m_freem(m);
-			V_pfkeystat.in_nomem++;
+			PFKEYSTAT_INC(in_nomem);
 			mtx_unlock(&rawcb_mtx);
 			return ENOBUFS;
 		}

Modified: head/sys/netipsec/keysock.h
==============================================================================
--- head/sys/netipsec/keysock.h	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/keysock.h	Thu Jun 20 11:44:16 2013	(r252028)
@@ -70,6 +70,8 @@ struct keycb {
 };
 
 VNET_DECLARE(struct pfkeystat, pfkeystat);
+#define	PFKEYSTAT_ADD(name, val)	V_pfkeystat.name += (val)
+#define	PFKEYSTAT_INC(name)		PFKEYSTAT_ADD(name, 1)
 #define	V_pfkeystat		VNET(pfkeystat)
 
 extern int key_output(struct mbuf *m, struct socket *so);

Modified: head/sys/netipsec/xform_ah.c
==============================================================================
--- head/sys/netipsec/xform_ah.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/xform_ah.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -583,14 +583,14 @@ ah_input(struct mbuf *m, struct secasvar
 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
 	if (ah == NULL) {
 		DPRINTF(("ah_input: cannot pullup header\n"));
-		V_ahstat.ahs_hdrops++;		/*XXX*/
+		AHSTAT_INC(ahs_hdrops);		/*XXX*/
 		m_freem(m);
 		return ENOBUFS;
 	}
 
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
-		V_ahstat.ahs_replay++;
+		AHSTAT_INC(ahs_replay);
 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
 			  ipsec_logsastr(sav)));
 		m_freem(m);
@@ -607,17 +607,17 @@ ah_input(struct mbuf *m, struct secasvar
 			hl, (u_long) (authsize + rplen - sizeof (struct ah)),
 			ipsec_address(&sav->sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
-		V_ahstat.ahs_badauthl++;
+		AHSTAT_INC(ahs_badauthl);
 		m_freem(m);
 		return EACCES;
 	}
-	V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
 	crp = crypto_getreq(1);
 	if (crp == NULL) {
 		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		m_freem(m);
 		return ENOBUFS;
 	}
@@ -657,7 +657,7 @@ ah_input(struct mbuf *m, struct secasvar
 	}
 	if (tc == NULL) {
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		crypto_freereq(crp);
 		m_freem(m);
 		return ENOBUFS;
@@ -681,7 +681,7 @@ ah_input(struct mbuf *m, struct secasvar
 		    skip, ahx->type, 0);
 		if (error != 0) {
 			/* NB: mbuf is free'd by ah_massage_headers */
-			V_ahstat.ahs_hdrops++;
+			AHSTAT_INC(ahs_hdrops);
 			free(tc, M_XDATA);
 			crypto_freereq(crp);
 			return error;
@@ -760,19 +760,19 @@ ah_input_cb(struct cryptop *crp)
 		if (crp->crp_etype == EAGAIN)
 			return (crypto_dispatch(crp));
 
-		V_ahstat.ahs_noxform++;
+		AHSTAT_INC(ahs_noxform);
 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 		error = crp->crp_etype;
 		goto bad;
 	} else {
-		V_ahstat.ahs_hist[sav->alg_auth]++;
+		AHSTAT_INC(ahs_hist[sav->alg_auth]);
 		crypto_freereq(crp);		/* No longer needed. */
 		crp = NULL;
 	}
 
 	/* Shouldn't happen... */
 	if (m == NULL) {
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 		error = EINVAL;
 		goto bad;
@@ -798,7 +798,7 @@ ah_input_cb(struct cryptop *crp)
 			    "in SA %s/%08lx\n", __func__,
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
-			V_ahstat.ahs_badauth++;
+			AHSTAT_INC(ahs_badauth);
 			error = EACCES;
 			goto bad;
 		}
@@ -829,7 +829,7 @@ ah_input_cb(struct cryptop *crp)
 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
 			   sizeof (seq), (caddr_t) &seq);
 		if (ipsec_updatereplay(ntohl(seq), sav)) {
-			V_ahstat.ahs_replay++;
+			AHSTAT_INC(ahs_replay);
 			error = ENOBUFS;			/*XXX as above*/
 			goto bad;
 		}
@@ -843,7 +843,7 @@ ah_input_cb(struct cryptop *crp)
 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
 
-		V_ahstat.ahs_hdrops++;
+		AHSTAT_INC(ahs_hdrops);
 		goto bad;
 	}
 
@@ -904,7 +904,7 @@ ah_output(
 	ahx = sav->tdb_authalgxform;
 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
 
-	V_ahstat.ahs_output++;
+	AHSTAT_INC(ahs_output);
 
 	/* Figure out header size. */
 	rplen = HDRSIZE(sav);
@@ -927,7 +927,7 @@ ah_output(
 		    sav->sah->saidx.dst.sa.sa_family,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		V_ahstat.ahs_nopf++;
+		AHSTAT_INC(ahs_nopf);
 		error = EPFNOSUPPORT;
 		goto bad;
 	}
@@ -938,20 +938,20 @@ ah_output(
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi),
 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
-		V_ahstat.ahs_toobig++;
+		AHSTAT_INC(ahs_toobig);
 		error = EMSGSIZE;
 		goto bad;
 	}
 
 	/* Update the counters. */
-	V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
 
 	m = m_unshare(m, M_NOWAIT);
 	if (m == NULL) {
 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		V_ahstat.ahs_hdrops++;
+		AHSTAT_INC(ahs_hdrops);
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -964,7 +964,7 @@ ah_output(
 		    rplen + authsize,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		V_ahstat.ahs_hdrops++;		/*XXX differs from openbsd */
+		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -992,7 +992,7 @@ ah_output(
 				__func__,
 				ipsec_address(&sav->sah->saidx.dst),
 				(u_long) ntohl(sav->spi)));
-			V_ahstat.ahs_wrap++;
+			AHSTAT_INC(ahs_wrap);
 			error = EINVAL;
 			goto bad;
 		}
@@ -1009,7 +1009,7 @@ ah_output(
 	if (crp == NULL) {
 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
 			__func__));
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -1031,7 +1031,7 @@ ah_output(
 	if (tc == NULL) {
 		crypto_freereq(crp);
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -1135,7 +1135,7 @@ ah_output_cb(struct cryptop *crp)
 	sav = tc->tc_sav;
 	/* With the isr lock released SA pointer can be updated. */
 	if (sav != isr->sav) {
-		V_ahstat.ahs_notdb++;
+		AHSTAT_INC(ahs_notdb);
 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
@@ -1151,7 +1151,7 @@ ah_output_cb(struct cryptop *crp)
 			return (crypto_dispatch(crp));
 		}
 
-		V_ahstat.ahs_noxform++;
+		AHSTAT_INC(ahs_noxform);
 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 		error = crp->crp_etype;
 		goto bad;
@@ -1159,12 +1159,12 @@ ah_output_cb(struct cryptop *crp)
 
 	/* Shouldn't happen... */
 	if (m == NULL) {
-		V_ahstat.ahs_crypto++;
+		AHSTAT_INC(ahs_crypto);
 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 		error = EINVAL;
 		goto bad;
 	}
-	V_ahstat.ahs_hist[sav->alg_auth]++;
+	AHSTAT_INC(ahs_hist[sav->alg_auth]);
 
 	/*
 	 * Copy original headers (with the new protocol number) back

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c	Thu Jun 20 11:24:38 2013	(r252027)
+++ head/sys/netipsec/xform_esp.c	Thu Jun 20 11:44:16 2013	(r252028)
@@ -279,7 +279,7 @@ esp_input(struct mbuf *m, struct secasva
 	if ( (skip&3) || (m->m_pkthdr.len&3) ){
 		DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
 				__func__, skip, m->m_pkthdr.len));
-		V_espstat.esps_badilen++;
+		ESPSTAT_INC(esps_badilen);
 		m_freem(m);
 		return EINVAL;
 	}
@@ -325,7 +325,7 @@ esp_input(struct mbuf *m, struct secasva
 		    plen, espx->blocksize,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		V_espstat.esps_badilen++;
+		ESPSTAT_INC(esps_badilen);
 		m_freem(m);
 		return EINVAL;
 	}
@@ -336,13 +336,13 @@ esp_input(struct mbuf *m, struct secasva
 	if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
 		DPRINTF(("%s: packet replay check for %s\n", __func__,
 		    ipsec_logsastr(sav)));	/*XXX*/
-		V_espstat.esps_replay++;
+		ESPSTAT_INC(esps_replay);
 		m_freem(m);
 		return ENOBUFS;		/*XXX*/
 	}
 
 	/* Update the counters */
-	V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
+	ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
 
 	/* Find out if we've already done crypto */
 	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@@ -361,7 +361,7 @@ esp_input(struct mbuf *m, struct secasva
 	if (crp == NULL) {
 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
 			__func__));
-		V_espstat.esps_crypto++;
+		ESPSTAT_INC(esps_crypto);
 		m_freem(m);
 		return ENOBUFS;
 	}
@@ -376,7 +376,7 @@ esp_input(struct mbuf *m, struct secasva
 	if (tc == NULL) {
 		crypto_freereq(crp);
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
-		V_espstat.esps_crypto++;
+		ESPSTAT_INC(esps_crypto);
 		m_freem(m);
 		return ENOBUFS;
 	}
@@ -492,7 +492,7 @@ esp_input_cb(struct cryptop *crp)
 		if (crp->crp_etype == EAGAIN)
 			return (crypto_dispatch(crp));
 
-		V_espstat.esps_noxform++;
+		ESPSTAT_INC(esps_noxform);
 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 		error = crp->crp_etype;
 		goto bad;
@@ -500,12 +500,12 @@ esp_input_cb(struct cryptop *crp)
 
 	/* Shouldn't happen... */
 	if (m == NULL) {
-		V_espstat.esps_crypto++;
+		ESPSTAT_INC(esps_crypto);
 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 		error = EINVAL;
 		goto bad;
 	}
-	V_espstat.esps_hist[sav->alg_enc]++;
+	ESPSTAT_INC(esps_hist[sav->alg_enc]);
 
 	/* If authentication was performed, check now. */
 	if (esph != NULL) {
@@ -524,7 +524,7 @@ esp_input_cb(struct cryptop *crp)
 		 * the verification for us.  Otherwise we need to
 		 * check the authentication calculation.
 		 */
-		V_ahstat.ahs_hist[sav->alg_auth]++;
+		AHSTAT_INC(ahs_hist[sav->alg_auth]);
 		if (mtag == NULL) {
 			/* Copy the authenticator from the packet */
 			m_copydata(m, m->m_pkthdr.len - alen,
@@ -539,7 +539,7 @@ esp_input_cb(struct cryptop *crp)
 				    __func__,
 				    ipsec_address(&saidx->dst),
 				    (u_long) ntohl(sav->spi)));
-				V_espstat.esps_badauth++;
+				ESPSTAT_INC(esps_badauth);
 				error = EACCES;
 				goto bad;
 			}
@@ -569,7 +569,7 @@ esp_input_cb(struct cryptop *crp)
 		if (ipsec_updatereplay(ntohl(seq), sav)) {
 			DPRINTF(("%s: packet replay check for %s\n", __func__,
 			    ipsec_logsastr(sav)));
-			V_espstat.esps_replay++;
+			ESPSTAT_INC(esps_replay);
 			error = ENOBUFS;
 			goto bad;
 		}
@@ -584,7 +584,7 @@ esp_input_cb(struct cryptop *crp)
 	/* Remove the ESP header and IV from the mbuf. */
 	error = m_striphdr(m, skip, hlen);
 	if (error) {
-		V_espstat.esps_hdrops++;
+		ESPSTAT_INC(esps_hdrops);
 		DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306201144.r5KBiH1h096244>