Build on Jeff Roberson's linker-set based dynamic per-CPU allocator

(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator.  Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...).  This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.

Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack.  Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory.  Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.

Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy.  Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address.  When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.

This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.

Bump __FreeBSD_version and update UPDATING.

Portions submitted by:  bz
Reviewed by:            bz, zec
Discussed with:         gnn, jamie, jeff, jhb, julian, sam
Suggested by:           peter
Approved by:            re (kensmith)

1 files changed, 72 insertions, 137 deletions

diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 3dc6878..07a5945 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -61,6 +61,7 @@
 #include <net/if.h>
 #include <net/route.h>
 #include <net/raw_cb.h>
+#include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -75,11 +76,9 @@
 
 #ifdef INET
 #include <netinet/in_pcb.h>
-#include <netinet/vinet.h>
 #endif
 #ifdef INET6
 #include <netinet6/in6_pcb.h>
-#include <netinet6/vinet6.h>
 #endif /* INET6 */
 
 #include <net/pfkeyv2.h>
@@ -99,7 +98,6 @@
 
 /* randomness */
 #include <sys/random.h>
-#include <sys/vimage.h>
 
 #define FULLMASK	0xff
 #define	_BITS(bytes)	((bytes) << 3)
@@ -115,31 +113,37 @@
  *   field hits 0 (= no external reference other than from SA header.
  */
 
-#ifdef VIMAGE_GLOBALS
-u_int32_t key_debug_level;
-static u_int key_spi_trycnt;
-static u_int32_t key_spi_minval;
-static u_int32_t key_spi_maxval;
-static u_int32_t policy_id;
-static u_int key_int_random;
-static u_int key_larval_lifetime;
-static int key_blockacq_count;
-static int key_blockacq_lifetime;
-static int key_preferred_oldsa;
-
-static u_int32_t acq_seq;
-
-static int ipsec_esp_keymin;
-static int ipsec_esp_auth;
-static int ipsec_ah_keymin;
-
-static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX];	/* SPD */
-static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
-static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
-static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
-#endif /* VIMAGE_GLOBALS */
-
+VNET_DEFINE(u_int32_t, key_debug_level) = 0;
+static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
+#define	V_key_spi_trycnt	VNET_GET(key_spi_trycnt)
+static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
+#define	V_key_spi_minval	VNET_GET(key_spi_minval)
+static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff;	/* XXX */
+#define	V_key_spi_maxval	VNET_GET(key_spi_maxval)
+static VNET_DEFINE(u_int32_t, policy_id) = 0;
+#define	V_policy_id		VNET_GET(policy_id)
+/*interval to initialize randseed,1(m)*/
+static VNET_DEFINE(u_int, key_int_random) = 60;
+#define	V_key_int_random	VNET_GET(key_int_random)
+/* interval to expire acquiring, 30(s)*/
+static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
+#define	V_key_larval_lifetime	VNET_GET(key_larval_lifetime)
+/* counter for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_count) = 10;
+#define	V_key_blockacq_count	VNET_GET(key_blockacq_count)
+/* lifetime for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
+#define	V_key_blockacq_lifetime	VNET_GET(key_blockacq_lifetime)
+/* preferred old sa rather than new sa.*/
+static VNET_DEFINE(int, key_preferred_oldsa) = 1;
+#define	V_key_preferred_oldsa	VNET_GET(key_preferred_oldsa)
+
+static VNET_DEFINE(u_int32_t, acq_seq) = 0;
+#define	V_acq_seq		VNET_GET(acq_seq)
+
+								/* SPD */
+static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]);
+#define	V_sptree		VNET_GET(sptree)
 static struct mtx sptree_lock;
 #define	SPTREE_LOCK_INIT() \
 	mtx_init(&sptree_lock, "sptree", \
@@ -149,6 +153,8 @@ static struct mtx sptree_lock;
 #define	SPTREE_UNLOCK()	mtx_unlock(&sptree_lock)
 #define	SPTREE_LOCK_ASSERT()	mtx_assert(&sptree_lock, MA_OWNED)
 
+static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree);	/* SAD */
+#define	V_sahtree		VNET_GET(sahtree)
 static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_INIT() \
 	mtx_init(&sahtree_lock, "sahtree", \
@@ -159,6 +165,8 @@ static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_ASSERT()	mtx_assert(&sahtree_lock, MA_OWNED)
 
 							/* registed list */
+static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
+#define	V_regtree		VNET_GET(regtree)
 static struct mtx regtree_lock;
 #define	REGTREE_LOCK_INIT() \
 	mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -167,6 +175,8 @@ static struct mtx regtree_lock;
 #define	REGTREE_UNLOCK()	mtx_unlock(&regtree_lock)
 #define	REGTREE_LOCK_ASSERT()	mtx_assert(&regtree_lock, MA_OWNED)
 
+static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */
+#define	V_acqtree		VNET_GET(acqtree)
 static struct mtx acq_lock;
 #define	ACQ_LOCK_INIT() \
 	mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -175,6 +185,9 @@ static struct mtx acq_lock;
 #define	ACQ_UNLOCK()		mtx_unlock(&acq_lock)
 #define	ACQ_LOCK_ASSERT()	mtx_assert(&acq_lock, MA_OWNED)
 
+							/* SP acquiring list */
+static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
+#define	V_spacqtree		VNET_GET(spacqtree)
 static struct mtx spacq_lock;
 #define	SPACQ_LOCK_INIT() \
 	mtx_init(&spacq_lock, "spacqtree", \
@@ -257,56 +270,63 @@ static const int maxsize[] = {
 	sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
 };
 
+static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
+#define	V_ipsec_esp_keymin	VNET_GET(ipsec_esp_keymin)
+static VNET_DEFINE(int, ipsec_esp_auth) = 0;
+#define	V_ipsec_esp_auth	VNET_GET(ipsec_esp_auth)
+static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
+#define	V_ipsec_ah_keymin	VNET_GET(ipsec_ah_keymin)
+
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
 
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL,	debug,
-	CTLFLAG_RW, key_debug_level,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL,	debug,
+	CTLFLAG_RW, &VNET_NAME(key_debug_level),	0,	"");
 
 /* max count of trial for the decision of spi value */
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt,
-	CTLFLAG_RW, key_spi_trycnt,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
+	CTLFLAG_RW, &VNET_NAME(key_spi_trycnt),	0,	"");
 
 /* minimum spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE,
-	spi_minval,	CTLFLAG_RW, key_spi_minval,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE,
+	spi_minval,	CTLFLAG_RW, &VNET_NAME(key_spi_minval),	0,	"");
 
 /* maximun spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE,
-	spi_maxval,	CTLFLAG_RW, key_spi_maxval,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE,
+	spi_maxval,	CTLFLAG_RW, &VNET_NAME(key_spi_maxval),	0,	"");
 
 /* interval to initialize randseed */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT,
-	int_random,	CTLFLAG_RW, key_int_random,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT,
+	int_random,	CTLFLAG_RW, &VNET_NAME(key_int_random),	0,	"");
 
 /* lifetime for larval SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME,
-	larval_lifetime, CTLFLAG_RW, key_larval_lifetime,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME,
+	larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime),	0, "");
 
 /* counter for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT,
-	blockacq_count,	CTLFLAG_RW, key_blockacq_count,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT,
+	blockacq_count,	CTLFLAG_RW, &VNET_NAME(key_blockacq_count),	0, "");
 
 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME,
-	blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime,	0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME,
+	blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
 
 /* ESP auth */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH,	esp_auth,
-	CTLFLAG_RW, ipsec_esp_auth,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH,	esp_auth,
+	CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth),	0,	"");
 
 /* minimum ESP key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN,
-	esp_keymin, CTLFLAG_RW, ipsec_esp_keymin,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN,
+	esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin),	0,	"");
 
 /* minimum AH key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN,	ah_keymin,
-	CTLFLAG_RW, ipsec_ah_keymin,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN,	ah_keymin,
+	CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin),	0,	"");
 
 /* perfered old SA rather than new SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA,
-	preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA,
+	preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa),	0, "");
 
 #define __LIST_CHAINED(elm) \
 	(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
@@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp)
 int
 key_havesp(u_int dir)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
 		LIST_FIRST(&V_sptree[dir]) != NULL : 1);
@@ -595,7 +614,6 @@ key_havesp(u_int dir)
 struct secpolicy *
 key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi,
 	     u_int dir,
 	     const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(dst != NULL, ("null dst"));
@@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc,
 	      const struct sockaddr *idst,
 	      const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	const int dir = IPSEC_DIR_INBOUND;
 	struct ipsecrequest *r1, *r2, *p;
@@ -791,7 +807,6 @@ done:
 int
 key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int level;
 	int error;
 
@@ -887,7 +902,6 @@ static struct secasvar *
 key_allocsa_policy(const struct secasindex *saidx)
 {
 #define	N(a)	_ARRAYLEN(a)
-	INIT_VNET_IPSEC(curvnet);	
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int stateidx, arraysize;
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx)
 static struct secasvar *
 key_do_allocsa_policy(struct secashead *sah, u_int state)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav, *nextsav, *candidate, *d;
 
 	/* initilize */
@@ -1081,7 +1094,6 @@ key_allocsa(
 	u_int32_t spi,
 	const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int stateidx, arraysize, state;
@@ -1160,7 +1172,6 @@ done:
 void
 _key_freesp(struct secpolicy **spp, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp = *spp;
 
 	IPSEC_ASSERT(sp != NULL, ("null sp"));
@@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag)
 void
 key_freeso(struct socket *so)
 {
-	INIT_VNET_IPSEC(curvnet);
 	IPSEC_ASSERT(so != NULL, ("null so"));
 
 	switch (so->so_proto->pr_domain->dom_family) {
@@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp)
 void
 key_freesav(struct secasvar **psav, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav = *psav;
 
 	IPSEC_ASSERT(sav != NULL, ("null sav"));
@@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp)
 static struct secpolicy *
 key_getsp(struct secpolicyindex *spidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx)
 static struct secpolicy *
 key_getspbyid(u_int32_t id)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	SPTREE_LOCK();
@@ -1353,7 +1360,6 @@ done:
 struct secpolicy *
 key_newsp(const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *newsp = NULL;
 
 	newsp = (struct secpolicy *)
@@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error)
 	size_t len;
 	int *error;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *newsp;
 
 	IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct sadb_x_policy *xpl0, *xpl;
 	struct sadb_lifetime *lft = NULL;
@@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp)
 static u_int32_t
 key_getnewspid()
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t newid = 0;
 	int count = V_key_spi_trycnt;	/* XXX */
 	struct secpolicy *sp;
@@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct sadb_x_policy *xpl0;
 	struct secpolicyindex spidx;
@@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t id;
 	struct secpolicy *sp;
 
@@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
@@ -2315,7 +2315,6 @@ int
 key_spdacquire(sp)
 	struct secpolicy *sp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *result = NULL, *m;
 	struct secspacq *newspacq;
 
@@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *newmsg;
 	struct secpolicy *sp;
 	u_int dir;
@@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	int cnt;
 	u_int dir;
@@ -2704,7 +2701,6 @@ static struct secashead *
 key_newsah(saidx)
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *newsah;
 
 	IPSEC_ASSERT(saidx != NULL, ("null saidx"));
@@ -2733,7 +2729,6 @@ static void
 key_delsah(sah)
 	struct secashead *sah;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav, *nextsav;
 	u_int stateidx;
 	int zombie = 0;
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag)
 	const char* where;
 	int tag;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *newsav;
 	const struct sadb_sa *xsa;
 
@@ -2962,7 +2956,6 @@ static struct secashead *
 key_getsah(saidx)
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 
 	SAHTREE_LOCK();
@@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi)
 	struct secasindex *saidx;
 	u_int32_t spi;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 
@@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi)
 	struct secashead *sah;
 	u_int32_t spi;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav;
 	u_int stateidx, state;
 
@@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	int error = 0;
 
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp)
 static int
 key_mature(struct secasvar *sav)
 {
-	INIT_VNET_IPSEC(curvnet);
 	int error;
 
 	/* check SPI value */
@@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type)
 u_int16_t 
 key_portfromsaddr(struct sockaddr *sa)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	switch (sa->sa_family) {
 #ifdef INET
@@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa)
 static void
 key_porttosaddr(struct sockaddr *sa, u_int16_t port)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	switch (sa->sa_family) {
 #ifdef INET
@@ -3868,7 +3855,6 @@ struct seckey *
 key_dup_keymsg(const struct sadb_key *src, u_int len,
 	       struct malloc_type *type)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct seckey *dst;
 	dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
 	if (dst != NULL) {
@@ -3902,7 +3888,6 @@ static struct seclifetime *
 key_dup_lifemsg(const struct sadb_lifetime *src,
 		 struct malloc_type *type)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct seclifetime *dst = NULL;
 
 	dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), 
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa)
 	struct sockaddr *sa;
 {
 #ifdef INET
-	INIT_VNET_INET(curvnet);
 	struct sockaddr_in *sin;
 	struct in_ifaddr *ia;
 #endif
@@ -3976,7 +3960,6 @@ static int
 key_ismyaddr6(sin6)
 	struct sockaddr_in6 *sin6;
 {
-	INIT_VNET_INET6(curvnet);
 	struct in6_ifaddr *ia;
 #if 0
 	struct in6_multi *in6m;
@@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits)
 static void
 key_flush_spd(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	static u_int16_t sptree_scangen = 0;
 	u_int16_t gen = sptree_scangen++;
 	struct secpolicy *sp;
@@ -4373,7 +4355,6 @@ restart:
 static void
 key_flush_sad(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah, *nextsah;
 	struct secasvar *sav, *nextsav;
 
@@ -4511,7 +4492,6 @@ key_flush_sad(time_t now)
 static void
 key_flush_acq(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq, *nextacq;
 
 	/* ACQ tree */
@@ -4530,7 +4510,6 @@ key_flush_acq(time_t now)
 static void
 key_flush_spacq(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq, *nextacq;
 
 	/* SP ACQ tree */
@@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *newsah;
@@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx)
 	struct sadb_spirange *spirange;
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t newspi;
 	u_int32_t min, max;
 	int count = V_key_spi_trycnt;
@@ -4995,7 +4972,6 @@ key_update(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 #ifdef IPSEC_NAT_T
@@ -5286,7 +5262,6 @@ key_add(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 #ifdef IPSEC_NAT_T
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	const struct sadb_ident *idsrc, *iddst;
 	int idsrclen, iddstlen;
 
@@ -5624,7 +5598,6 @@ key_delete(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
@@ -5770,7 +5743,6 @@ static int
 key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp,
     u_int16_t proto)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *sah;
@@ -5894,7 +5866,6 @@ key_get(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
@@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb)
 static struct mbuf *
 key_getcomb_esp()
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_comb *comb;
 	struct enc_xform *algo;
 	struct mbuf *result = NULL, *m, *n;
@@ -6116,7 +6086,6 @@ key_getsizes_ah(
 	u_int16_t* min,
 	u_int16_t* max)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	*min = *max = ah->keysize;
 	if (ah->keysize == 0) {
@@ -6142,7 +6111,6 @@ key_getsizes_ah(
 static struct mbuf *
 key_getcomb_ah()
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_comb *comb;
 	struct auth_hash *algo;
 	struct mbuf *m;
@@ -6303,7 +6271,6 @@ key_getprop(saidx)
 static int
 key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *result = NULL, *m;
 	struct secacq *newacq;
 	u_int8_t satype;
@@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
 static struct secacq *
 key_newacq(const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *newacq;
 
 	/* get new entry */
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx)
 static struct secacq *
 key_getacq(const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq;
 
 	ACQ_LOCK();
@@ -6518,7 +6483,6 @@ static struct secacq *
 key_getacqbyseq(seq)
 	u_int32_t seq;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq;
 
 	ACQ_LOCK();
@@ -6535,7 +6499,6 @@ static struct secspacq *
 key_newspacq(spidx)
 	struct secpolicyindex *spidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq;
 
 	/* get new entry */
@@ -6562,7 +6525,6 @@ static struct secspacq *
 key_getspacq(spidx)
 	struct secpolicyindex *spidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq;
 
 	SPACQ_LOCK();
@@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	const struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *sah;
@@ -6756,7 +6717,6 @@ key_register(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secreg *reg, *newreg = 0;
 
 	IPSEC_ASSERT(so != NULL, ("null socket"));
@@ -6911,7 +6871,6 @@ key_register(so, m, mhp)
 void
 key_freereg(struct socket *so)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secreg *reg;
 	int i;
 
@@ -7087,7 +7046,6 @@ key_flush(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *newmsg;
 	struct secashead *sah, *nextsah;
 	struct secasvar *sav, *nextsav;
@@ -7171,7 +7129,6 @@ key_dump(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int16_t proto;
@@ -7352,7 +7309,6 @@ key_parse(m, so)
 	struct mbuf *m;
 	struct socket *so;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *msg;
 	struct sadb_msghdr mh;
 	u_int orglen;
@@ -7624,7 +7580,6 @@ key_align(m, mhp)
 	struct mbuf *m;
 	struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *n;
 	struct sadb_ext *ext;
 	size_t off, end;
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
 void
 key_init(void)
 {
-	INIT_VNET_IPSEC(curvnet);
 	int i;
 
-	V_key_debug_level = 0;
-	V_key_spi_trycnt = 1000;
-	V_key_spi_minval = 0x100;
-	V_key_spi_maxval = 0x0fffffff;	/* XXX */
-	V_policy_id = 0;
-	V_key_int_random = 60;		/*interval to initialize randseed,1(m)*/
-	V_key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
-	V_key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
-	V_key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
-	V_key_preferred_oldsa = 1;	/* preferred old sa rather than new sa*/
-
-	V_acq_seq = 0;
-
-	V_ipsec_esp_keymin = 256;
-	V_ipsec_esp_auth = 0;
-	V_ipsec_ah_keymin = 128;
-
 	for (i = 0; i < IPSEC_DIR_MAX; i++)
 		LIST_INIT(&V_sptree[i]);
 
@@ -7850,7 +7787,6 @@ key_init(void)
 void
 key_destroy(void)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp, *nextsp;
 	struct secspacq *acq, *nextacq;
 	struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
 key_sa_routechange(dst)
 	struct sockaddr *dst;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct route *ro;