authorzec <zec@FreeBSD.org>2008-10-02 15:37:58 +0000
committerzec <zec@FreeBSD.org>2008-10-02 15:37:58 +0000
commit8797d4caecd5881e312923ee1d07be3de68755dc (patch)
tree53fef93d1ff076abec439159e0a765427992dee1 /sys/netipsec
parente682bfadb0a191a81290af2b846d8610ef3aff5c (diff)
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparison between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c138
-rw-r--r--sys/netipsec/ipsec.h5
-rw-r--r--sys/netipsec/ipsec_input.c5
-rw-r--r--sys/netipsec/ipsec_mbuf.c3
-rw-r--r--sys/netipsec/ipsec_output.c7
-rw-r--r--sys/netipsec/key.c129
-rw-r--r--sys/netipsec/keysock.c12
-rw-r--r--sys/netipsec/vipsec.h188
-rw-r--r--sys/netipsec/xform_ah.c19
-rw-r--r--sys/netipsec/xform_esp.c14
-rw-r--r--sys/netipsec/xform_ipcomp.c13
-rw-r--r--sys/netipsec/xform_ipip.c14
12 files changed, 448 insertions, 99 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index f973688..b752a67 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -126,36 +126,42 @@ int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
SYSCTL_DECL(_net_inet_ipsec);
/* net.inet.ipsec */
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0,
- "IPsec default policy.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
- CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "Default ESP transport mode level");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
- CTLFLAG_RW, &ip4_esp_net_deflev, 0, "Default ESP tunnel mode level.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
- CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "AH transfer mode default level.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
- CTLFLAG_RW, &ip4_ah_net_deflev, 0, "AH tunnel mode default level.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
- ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0,
- "If set clear type-of-service field when doing AH computation.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
- ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0,
- "If not set clear offset field mask when doing AH computation.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
- dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "Do not fragment bit on encap.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0,
- "Explicit Congestion Notification handling.");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, &ipsec_debug, 0,
- "Enable IPsec debugging output when set.");
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
- crypto_support, CTLFLAG_RW, &crypto_support, 0,
- "Crypto driver selection.");
-SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
- ipsecstats, CTLFLAG_RD, &ipsec4stat, ipsecstat, "IPsec IPv4 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY,
+ def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+ "IPsec default policy.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0,
+ "Default ESP transport mode level");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0,
+ "Default ESP tunnel mode level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0,
+ "AH transfer mode default level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0,
+ "AH tunnel mode default level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
+ ah_cleartos, CTLFLAG_RW, ah_cleartos, 0,
+ "If set clear type-of-service field when doing AH computation.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
+ ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0,
+ "If not set clear offset field mask when doing AH computation.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT,
+ dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0,
+ "Do not fragment bit on encap.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0,
+ "Explicit Congestion Notification handling.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG,
+ debug, CTLFLAG_RW, ipsec_debug, 0,
+ "Enable IPsec debugging output when set.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ crypto_support, CTLFLAG_RW, crypto_support,0,
+ "Crypto driver selection.");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat,
+ "IPsec IPv4 statistics.");
#ifdef REGRESSION
/*
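Review bot: `crypto_support` is moved into the `vnet_ipsec` group together with the per-stack policy knobs, but its description ("Crypto driver selection.") and the `CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE` initializer in the hunk header suggest it chooses host crypto drivers rather than per-stack state. Once the SYSCTL_V_*() macros stop resolving to their global counterparts, every `CTLFLAG_RW` entry here would presumably become writable per network stack, so a comment should say whether that is intended for this knob, e.g. `/* XXX: crypto driver selection; confirm it should be per-vnet */`. Separately, `crypto_support,0` is missing the space after the comma that the other entries have.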
@@ -163,15 +169,15 @@ SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
* This allows to verify if the other side has proper replay attacks detection.
*/
int ipsec_replay = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
- "Emulate replay attack");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
+ CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
int ipsec_integrity = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
- &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
+ CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
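Review bot: `test_replay` and `test_integrity` deliberately make the stack emit replayed packets and packets with a corrupted HMAC, and both are now registered through `SYSCTL_V_INT(V_NET, vnet_ipsec, ...)` with `CTLFLAG_RW`. They are only compiled under `#ifdef REGRESSION` (the guard opens just above this hunk), but once these macros become per-vnet the knobs would presumably be settable for each virtual stack; a comment such as `/* REGRESSION only: never enable in production kernels */` above the two definitions would make the constraint explicit. The `int ipsec_replay = 0;` and `int ipsec_integrity = 0;` definitions stay plain globals here, and whether `vnet_ipsec` has matching members is not visible in this hunk. `vnet_ipsec,_net_inet_ipsec` also lacks the space after the comma used in the other hunks.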
@@ -189,24 +195,30 @@ SYSCTL_DECL(_net_inet6_ipsec6);
SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics.");
#endif /* COMPAT_KAME */
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "IPsec default policy.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
- CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "Default ESP transport mode level.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
- CTLFLAG_RW, &ip6_esp_net_deflev, 0, "Default ESP tunnel mode level.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
- CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "AH transfer mode default level.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
- CTLFLAG_RW, &ip6_ah_net_deflev, 0, "AH tunnel mode default level.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0,
- "Explicit Congestion Notification handling.");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, &ipsec_debug, 0,
- "Enable IPsec debugging output when set.");
-SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
- ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "IPsec IPv6 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
+ def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+ "IPsec default policy.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0,
+ "Default ESP transport mode level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0,
+ "Default ESP tunnel mode level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0,
+ "AH transfer mode default level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0,
+ "AH tunnel mode default level.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0,
+ "Explicit Congestion Notification handling.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
+ debug, CTLFLAG_RW, ipsec_debug, 0,
+ "Enable IPsec debugging output when set.");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
+ ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
+ "IPsec IPv6 statistics.");
#endif /* INET6 */
static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
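Review bot: The `_net_inet6_ipsec6` `def_policy` node is bound to `ip4_def_policy.policy`, the same variable the `_net_inet_ipsec` node uses in the first hunk, while the other IPv6 level entries use `ip6_*` variables. Writing the IPv6 default policy therefore changes the IPv4 default as well; this is carried over unchanged from the removed `SYSCTL_INT` line, so it may be intentional, but it deserves a comment such as `/* IPv4 and IPv6 share one default policy (ip4_def_policy) */`. The same holds for `debug`, which points at the shared `ipsec_debug` in both trees.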
@@ -236,6 +248,7 @@ MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
static struct secpolicy *
key_allocsp_default(const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -305,6 +318,7 @@ ipsec_getpolicybysock(m, dir, inp, error)
struct inpcb *inp;
int *error;
{
+ INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *pcbsp = NULL;
struct secpolicy *currsp = NULL; /* policy on socket */
struct secpolicy *sp;
@@ -415,6 +429,7 @@ ipsec_getpolicybyaddr(m, dir, flag, error)
int flag;
int *error;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicyindex spidx;
struct secpolicy *sp;
@@ -450,6 +465,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
int *error;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
*error = 0;
@@ -521,6 +537,7 @@ ipsec6_setspidx_in6pcb(m, pcb)
struct mbuf *m;
struct in6pcb *pcb;
{
+ //INIT_VNET_IPSEC(curvnet);
struct secpolicyindex *spidx;
int error;
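Review bot: `//INIT_VNET_IPSEC(curvnet);` in `ipsec6_setspidx_in6pcb` is left as commented-out code, with a `//` comment where the other comments visible in this file use `/* */`. Every other function touched in this file gets the live macro, so a reader cannot tell whether this one was disabled on purpose (for example because the function reads no virtualized variable) or by accident. Either delete the line or replace it with an explanation such as `/* no V_ variables used here; INIT_VNET_IPSEC() not needed */`. The function body continues outside the hunk, so whether it references any `V_` symbol cannot be checked from here.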
@@ -564,6 +581,7 @@ ipsec_setspidx(m, spidx, needport)
struct secpolicyindex *spidx;
int needport;
{
+ INIT_VNET_IPSEC(curvnet);
struct ip *ip = NULL;
struct ip ipbuf;
u_int v;
@@ -757,6 +775,7 @@ ipsec6_get_ulp(m, spidx, needport)
struct secpolicyindex *spidx;
int needport;
{
+ INIT_VNET_IPSEC(curvnet);
int off, nxt;
struct tcphdr th;
struct udphdr uh;
@@ -873,6 +892,7 @@ ipsec_init_policy(so, pcb_sp)
struct socket *so;
struct inpcbpolicy **pcb_sp;
{
+ INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *new;
/* sanity check. */
@@ -1016,6 +1036,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, cred)
size_t len;
struct ucred *cred;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *newsp = NULL;
int error;
@@ -1065,6 +1086,7 @@ ipsec_get_policy(pcb_sp, mp)
struct secpolicy *pcb_sp;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
/* sanity check. */
if (pcb_sp == NULL || mp == NULL)
@@ -1091,6 +1113,7 @@ ipsec4_set_policy(inp, optname, request, len, cred)
size_t len;
struct ucred *cred;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1125,6 +1148,7 @@ ipsec4_get_policy(inp, request, len, mp)
size_t len;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1184,6 +1208,7 @@ ipsec6_set_policy(in6p, optname, request, len, cred)
size_t len;
struct ucred *cred;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1218,6 +1243,7 @@ ipsec6_get_policy(in6p, request, len, mp)
size_t len;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1276,6 +1302,7 @@ u_int
ipsec_get_reqlevel(isr)
struct ipsecrequest *isr;
{
+ INIT_VNET_IPSEC(curvnet);
u_int level = 0;
u_int esp_trans_deflev, esp_net_deflev;
u_int ah_trans_deflev, ah_net_deflev;
@@ -1380,6 +1407,7 @@ ipsec_get_reqlevel(isr)
int
ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
{
+ INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
int need_auth;
@@ -1455,6 +1483,7 @@ ipsec4_in_reject(m, inp)
struct mbuf *m;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
int result;
@@ -1493,6 +1522,7 @@ ipsec6_in_reject(m, inp)
struct mbuf *m;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp = NULL;
int error;
int result;
@@ -1530,6 +1560,7 @@ ipsec6_in_reject(m, inp)
static size_t
ipsec_hdrsiz(struct secpolicy *sp)
{
+ INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
size_t siz;
@@ -1592,6 +1623,7 @@ ipsec4_hdrsiz(m, dir, inp)
u_int dir;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1632,6 +1664,7 @@ ipsec6_hdrsiz(m, dir, in6p)
u_int dir;
struct in6pcb *in6p;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1731,6 +1764,7 @@ ipsec_updatereplay(seq, sav)
u_int32_t seq;
struct secasvar *sav;
{
+ INIT_VNET_IPSEC(curvnet);
struct secreplay *replay;
u_int32_t diff;
int fr;
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 6f04611..f6346f8 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -433,6 +433,9 @@ extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));
extern const char *ipsec_strerror __P((void));
-#endif /* !_KERNEL */
+
+#else
+#include <netipsec/vipsec.h>
+#endif /* ! KERNEL */
#endif /* _NETIPSEC_IPSEC_H_ */
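Review bot: The closing comment changed from `/* !_KERNEL */` to `/* ! KERNEL */`, which no longer names the macro, and with the new `#else` branch the `#endif` now ends the side of the conditional that includes `<netipsec/vipsec.h>`. Labelling both directives, e.g. `#else /* _KERNEL */` and `#endif /* !_KERNEL */`, would keep the branches readable. The opening `#if` is outside the hunk, so the polarity here is inferred from the removed comment.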
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 0041698..0c37aef 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -113,6 +113,7 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
+ INIT_VNET_IPSEC(curvnet);
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
@@ -282,6 +283,7 @@ int
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
int skip, int protoff, struct m_tag *mt)
{
+ INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip *ip;
struct m_tag *mtag;
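Review bot: `ipsec4_common_input_cb` (and `ipsec6_common_input_cb` in the last hunk of this file) now initialize from `curvnet` without anything in the hunk establishing which network stack is current. Their `_cb` names suggest they are invoked as completion callbacks rather than directly on the packet input path; if so, once `INIT_VNET_IPSEC()` stops being a NOP they would use the IPsec state of whatever vnet the calling thread happens to have set, unless the caller does `CURVNET_SET()` first as `key_timehandler` does in key.c. A comment stating the contract, e.g. `/* caller must have set curvnet to the vnet the packet belongs to */`, would help. The function bodies continue outside the hunks.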
@@ -504,6 +506,7 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
int
ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
{
+ INIT_VNET_IPSEC(curvnet);
int l = 0;
int protoff;
struct ip6_ext ip6e;
@@ -554,6 +557,8 @@ int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
struct m_tag *mt)
{
+ INIT_VNET_INET6(curvnet);
+ INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index 79c1928..322df11 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -54,6 +54,7 @@
struct mbuf *
m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m;
unsigned remain;
@@ -156,6 +157,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
caddr_t
m_pad(struct mbuf *m, int n)
{
+ INIT_VNET_IPSEC(curvnet);
register struct mbuf *m0, *m1;
register int len, pad;
caddr_t retval;
@@ -228,6 +230,7 @@ m_pad(struct mbuf *m, int n)
int
m_striphdr(struct mbuf *m, int skip, int hlen)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m1;
int roff;
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 88ff2f6..7b79294 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -91,6 +91,7 @@
int
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
{
+ INIT_VNET_IPSEC(curvnet);
struct tdb_ident *tdbi;
struct m_tag *mtag;
struct secasvar *sav;
@@ -207,6 +208,7 @@ ipsec_nextisr(
{
#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
IPSECREQUEST_LOCK_ASSERT(isr);
@@ -350,6 +352,7 @@ ipsec4_process_packet(
int flags,
int tunalready)
{
+ INIT_VNET_IPSEC(curvnet);
struct secasindex saidx;
struct secasvar *sav;
struct ip *ip;
@@ -563,6 +566,7 @@ ipsec6_output_trans(
int flags,
int *tun)
{
+ INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
struct secasindex saidx;
int error = 0;
@@ -630,6 +634,7 @@ bad:
static int
ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
{
+ INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *oip6;
struct ip6_hdr *ip6;
size_t plen;
@@ -699,6 +704,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
int
ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
{
+ INIT_VNET_INET6(curvnet);
+ INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *ip6;
struct ipsecrequest *isr;
struct secasindex saidx;
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index e575cdc..c3cba60 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -56,6 +56,7 @@
#include <sys/queue.h>
#include <sys/refcount.h>
#include <sys/syslog.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/route.h>
@@ -243,52 +244,52 @@ static int ipsec_ah_keymin = 128;
SYSCTL_DECL(_net_key);
#endif
-SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \
- &key_debug_level, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug,
+ CTLFLAG_RW, key_debug_level, 0, "");
/* max count of trial for the decision of spi value */
-SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \
- &key_spi_trycnt, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt,
+ CTLFLAG_RW, key_spi_trycnt, 0, "");
/* minimum spi value to allocate automatically. */
-SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \
- &key_spi_minval, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE,
+ spi_minval, CTLFLAG_RW, key_spi_minval, 0, "");
/* maximun spi value to allocate automatically. */
-SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \
- &key_spi_maxval, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE,
+ spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, "");
/* interval to initialize randseed */
-SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \
- &key_int_random, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT,
+ int_random, CTLFLAG_RW, key_int_random, 0, "");
/* lifetime for larval SA */
-SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \
- &key_larval_lifetime, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME,
+ larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, "");
/* counter for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \
- &key_blockacq_count, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT,
+ blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, "");
/* lifetime for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \
- &key_blockacq_lifetime, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME,
+ blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, "");
/* ESP auth */
-SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \
- &ipsec_esp_auth, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth,
+ CTLFLAG_RW, ipsec_esp_auth, 0, "");
/* minimum ESP key length */
-SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \
- &ipsec_esp_keymin, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN,
+ esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, "");
/* minimum AH key length */
-SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \
- &ipsec_ah_keymin, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin,
+ CTLFLAG_RW, ipsec_ah_keymin, 0, "");
/* perfered old SA rather than new SA */
-SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, CTLFLAG_RW,\
- &key_preferred_oldsa, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA,
+ preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, "");
#define __LIST_CHAINED(elm) \
(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
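Review bot: All twelve `_net_key` entries keep an empty description string (`""`), including `esp_keymin` and `ah_keymin`, which per the adjacent comments set the minimum ESP and AH key lengths. Since every entry is being rewritten anyway, the one-line comment above each could become its description, e.g. `"Minimum ESP key length"`, so that `sysctl -d` explains these writable knobs; if this commit must stay byte-identical to the old object files, that belongs in a follow-up. The first two entries also write `vnet_ipsec,_net_key` without the space used on the others.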
@@ -554,6 +555,8 @@ key_addref(struct secpolicy *sp)
int
key_havesp(u_int dir)
{
+ INIT_VNET_IPSEC(curvnet);
+
return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
LIST_FIRST(&V_sptree[dir]) != NULL : 1);
}
@@ -568,6 +571,7 @@ key_havesp(u_int dir)
struct secpolicy *
key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -624,6 +628,7 @@ key_allocsp2(u_int32_t spi,
u_int dir,
const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(dst != NULL, ("null dst"));
@@ -685,6 +690,7 @@ key_gettunnel(const struct sockaddr *osrc,
const struct sockaddr *idst,
const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
const int dir = IPSEC_DIR_INBOUND;
struct ipsecrequest *r1, *r2, *p;
@@ -759,6 +765,7 @@ done:
int
key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
{
+ INIT_VNET_IPSEC(curvnet);
u_int level;
int error;
@@ -854,6 +861,7 @@ static struct secasvar *
key_allocsa_policy(const struct secasindex *saidx)
{
#define N(a) _ARRAYLEN(a)
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize;
@@ -901,6 +909,7 @@ key_allocsa_policy(const struct secasindex *saidx)
static struct secasvar *
key_do_allocsa_policy(struct secashead *sah, u_int state)
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav, *candidate, *d;
/* initilize */
@@ -1046,6 +1055,7 @@ key_allocsa(
u_int32_t spi,
const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize, state;
@@ -1115,6 +1125,7 @@ done:
void
_key_freesp(struct secpolicy **spp, const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp = *spp;
IPSEC_ASSERT(sp != NULL, ("null sp"));
@@ -1140,6 +1151,7 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag)
void
key_freeso(struct socket *so)
{
+ INIT_VNET_IPSEC(curvnet);
IPSEC_ASSERT(so != NULL, ("null so"));
switch (so->so_proto->pr_domain->dom_family) {
@@ -1208,6 +1220,7 @@ key_freesp_so(struct secpolicy **sp)
void
key_freesav(struct secasvar **psav, const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav = *psav;
IPSEC_ASSERT(sav != NULL, ("null sav"));
@@ -1266,6 +1279,7 @@ key_delsp(struct secpolicy *sp)
static struct secpolicy *
key_getsp(struct secpolicyindex *spidx)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -1292,6 +1306,7 @@ key_getsp(struct secpolicyindex *spidx)
static struct secpolicy *
key_getspbyid(u_int32_t id)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
SPTREE_LOCK();
@@ -1321,6 +1336,7 @@ done:
struct secpolicy *
key_newsp(const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp = NULL;
newsp = (struct secpolicy *)
@@ -1355,6 +1371,7 @@ key_msg2sp(xpl0, len, error)
size_t len;
int *error;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp;
IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
@@ -1752,6 +1769,7 @@ key_spdadd(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0, *xpl;
struct sadb_lifetime *lft = NULL;
@@ -1974,6 +1992,7 @@ key_spdadd(so, m, mhp)
static u_int32_t
key_getnewspid()
{
+ INIT_VNET_IPSEC(curvnet);
u_int32_t newid = 0;
int count = V_key_spi_trycnt; /* XXX */
struct secpolicy *sp;
@@ -2015,6 +2034,7 @@ key_spddelete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0;
struct secpolicyindex spidx;
@@ -2113,6 +2133,7 @@ key_spddelete2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
@@ -2205,6 +2226,7 @@ key_spdget(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
struct mbuf *n;
@@ -2256,6 +2278,7 @@ int
key_spdacquire(sp)
struct secpolicy *sp;
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secspacq *newspacq;
@@ -2318,6 +2341,7 @@ key_spdflush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secpolicy *sp;
u_int dir;
@@ -2370,6 +2394,7 @@ key_spddump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int cnt;
u_int dir;
@@ -2632,6 +2657,7 @@ static struct secashead *
key_newsah(saidx)
struct secasindex *saidx;
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *newsah;
IPSEC_ASSERT(saidx != NULL, ("null saidx"));
@@ -2660,6 +2686,7 @@ static void
key_delsah(sah)
struct secashead *sah;
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav;
u_int stateidx;
int zombie = 0;
@@ -2716,6 +2743,7 @@ key_newsav(m, mhp, sah, errp, where, tag)
const char* where;
int tag;
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *newsav;
const struct sadb_sa *xsa;
@@ -2882,6 +2910,7 @@ static struct secashead *
key_getsah(saidx)
struct secasindex *saidx;
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
SAHTREE_LOCK();
@@ -2908,6 +2937,7 @@ key_checkspidup(saidx, spi)
struct secasindex *saidx;
u_int32_t spi;
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
@@ -2944,6 +2974,7 @@ key_getsavbyspi(sah, spi)
struct secashead *sah;
u_int32_t spi;
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
u_int stateidx, state;
@@ -2987,6 +3018,7 @@ key_setsaval(sav, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
int error = 0;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -3219,6 +3251,7 @@ key_setsaval(sav, m, mhp)
static int
key_mature(struct secasvar *sav)
{
+ INIT_VNET_IPSEC(curvnet);
int error;
/* check SPI value */
@@ -3649,6 +3682,7 @@ struct seckey *
key_dup_keymsg(const struct sadb_key *src, u_int len,
struct malloc_type *type)
{
+ INIT_VNET_IPSEC(curvnet);
struct seckey *dst;
dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
if (dst != NULL) {
@@ -3682,6 +3716,7 @@ static struct seclifetime *
key_dup_lifemsg(const struct sadb_lifetime *src,
struct malloc_type *type)
{
+ INIT_VNET_IPSEC(curvnet);
struct seclifetime *dst = NULL;
dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
@@ -3707,6 +3742,7 @@ key_ismyaddr(sa)
struct sockaddr *sa;
{
#ifdef INET
+ INIT_VNET_INET(curvnet);
struct sockaddr_in *sin;
struct in_ifaddr *ia;
#endif
@@ -3751,6 +3787,7 @@ static int
key_ismyaddr6(sin6)
struct sockaddr_in6 *sin6;
{
+ INIT_VNET_INET6(curvnet);
struct in6_ifaddr *ia;
struct in6_multi *in6m;
@@ -4072,6 +4109,7 @@ key_bbcmp(const void *a1, const void *a2, u_int bits)
static void
key_flush_spd(time_t now)
{
+ INIT_VNET_IPSEC(curvnet);
static u_int16_t sptree_scangen = 0;
u_int16_t gen = sptree_scangen++;
struct secpolicy *sp;
@@ -4109,6 +4147,7 @@ restart:
static void
key_flush_sad(time_t now)
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -4247,6 +4286,7 @@ key_flush_sad(time_t now)
static void
key_flush_acq(time_t now)
{
+ INIT_VNET_IPSEC(curvnet);
struct secacq *acq, *nextacq;
/* ACQ tree */
@@ -4265,6 +4305,7 @@ key_flush_acq(time_t now)
static void
key_flush_spacq(time_t now)
{
+ INIT_VNET_IPSEC(curvnet);
struct secspacq *acq, *nextacq;
/* SP ACQ tree */
@@ -4289,12 +4330,17 @@ key_flush_spacq(time_t now)
void
key_timehandler(void)
{
+ VNET_ITERATOR_DECL(vnet_iter);
time_t now = time_second;
- key_flush_spd(now);
- key_flush_sad(now);
- key_flush_acq(now);
- key_flush_spacq(now);
+ VNET_FOREACH(vnet_iter) {
+ CURVNET_SET(vnet_iter);
+ key_flush_spd(now);
+ key_flush_sad(now);
+ key_flush_acq(now);
+ key_flush_spacq(now);
+ CURVNET_RESTORE();
+ }
#ifndef IPSEC_DEBUG2
/* do exchange to tick time !! */
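Review bot: The `VNET_FOREACH(vnet_iter)` loop in `key_timehandler` walks the vnet list with no lock or reference visible in the hunk. That is harmless while the macros resolve to NOPs, as the commit message says, but once they iterate a real list a vnet being torn down during the timer run could be visited; a comment like `/* XXX: vnet list must be held stable across this loop once VNET_FOREACH() is real */` would record the requirement. `now` is sampled once before the loop, so all stacks are expired against the same timestamp, which looks intended. The function continues outside the hunk.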
@@ -4407,6 +4453,7 @@ key_getspi(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *newsah;
@@ -4601,6 +4648,7 @@ key_do_getnewspi(spirange, saidx)
struct sadb_spirange *spirange;
struct secasindex *saidx;
{
+ INIT_VNET_IPSEC(curvnet);
u_int32_t newspi;
u_int32_t min, max;
int count = V_key_spi_trycnt;
@@ -4682,6 +4730,7 @@ key_update(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -4880,6 +4929,7 @@ key_add(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -5003,6 +5053,7 @@ key_setident(sah, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
const struct sadb_ident *idsrc, *iddst;
int idsrclen, iddstlen;
@@ -5125,6 +5176,7 @@ key_delete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -5236,6 +5288,7 @@ key_delete_all(so, m, mhp, proto)
const struct sadb_msghdr *mhp;
u_int16_t proto;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -5321,6 +5374,7 @@ key_get(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -5426,6 +5480,7 @@ key_getcomb_setlifetime(comb)
static struct mbuf *
key_getcomb_esp()
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct enc_xform *algo;
struct mbuf *result = NULL, *m, *n;
@@ -5504,6 +5559,8 @@ key_getsizes_ah(
u_int16_t* min,
u_int16_t* max)
{
+ INIT_VNET_IPSEC(curvnet);
+
*min = *max = ah->keysize;
if (ah->keysize == 0) {
/*
@@ -5528,6 +5585,7 @@ key_getsizes_ah(
static struct mbuf *
key_getcomb_ah()
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct auth_hash *algo;
struct mbuf *m;
@@ -5688,6 +5746,7 @@ key_getprop(saidx)
static int
key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secacq *newacq;
u_int8_t satype;
@@ -5853,6 +5912,7 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
static struct secacq *
key_newacq(const struct secasindex *saidx)
{
+ INIT_VNET_IPSEC(curvnet);
struct secacq *newacq;
/* get new entry */
@@ -5879,6 +5939,7 @@ key_newacq(const struct secasindex *saidx)
static struct secacq *
key_getacq(const struct secasindex *saidx)
{
+ INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -5895,6 +5956,7 @@ static struct secacq *
key_getacqbyseq(seq)
u_int32_t seq;
{
+ INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -5911,6 +5973,7 @@ static struct secspacq *
key_newspacq(spidx)
struct secpolicyindex *spidx;
{
+ INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
/* get new entry */
@@ -5937,6 +6000,7 @@ static struct secspacq *
key_getspacq(spidx)
struct secpolicyindex *spidx;
{
+ INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
SPACQ_LOCK();
@@ -5971,6 +6035,7 @@ key_acquire2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
const struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -6092,6 +6157,7 @@ key_register(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secreg *reg, *newreg = 0;
IPSEC_ASSERT(so != NULL, ("null socket"));
@@ -6246,6 +6312,7 @@ key_register(so, m, mhp)
void
key_freereg(struct socket *so)
{
+ INIT_VNET_IPSEC(curvnet);
struct secreg *reg;
int i;
@@ -6417,6 +6484,7 @@ key_flush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -6500,6 +6568,7 @@ key_dump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int16_t proto;
@@ -6680,6 +6749,7 @@ key_parse(m, so)
struct mbuf *m;
struct socket *so;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
struct sadb_msghdr mh;
u_int orglen;
@@ -6951,6 +7021,7 @@ key_align(m, mhp)
struct mbuf *m;
struct sadb_msghdr *mhp;
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct sadb_ext *ext;
size_t off, end;
@@ -7110,6 +7181,7 @@ key_validate_ext(ext, len)
void
key_init(void)
{
+ INIT_VNET_IPSEC(curvnet);
int i;
SPTREE_LOCK_INIT();
@@ -7215,6 +7287,7 @@ void
key_sa_routechange(dst)
struct sockaddr *dst;
{
+ INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct route *ro;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index c86791e..2f74261 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -52,13 +52,17 @@
#include <sys/systm.h>
#include <sys/vimage.h>
+#include <net/if.h>
#include <net/raw_cb.h>
#include <net/route.h>
+#include <netinet/in.h>
+
#include <net/pfkeyv2.h>
#include <netipsec/key.h>
#include <netipsec/keysock.h>
#include <netipsec/key_debug.h>
+#include <netipsec/ipsec.h>
#include <machine/stdarg.h>
@@ -80,6 +84,7 @@ struct pfkeystat pfkeystat;
int
key_output(struct mbuf *m, struct socket *so)
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
int len, error = 0;
@@ -133,6 +138,7 @@ key_sendup0(rp, m, promisc)
struct mbuf *m;
int promisc;
{
+ INIT_VNET_IPSEC(curvnet);
int error;
if (promisc) {
@@ -177,6 +183,7 @@ key_sendup(so, msg, len, target)
u_int len;
int target; /*target of the resulting message*/
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m, *n, *mprev;
int tlen;
@@ -265,6 +272,8 @@ key_sendup_mbuf(so, m, target)
struct mbuf *m;
int target;
{
+ INIT_VNET_NET(curvnet);
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct keycb *kp;
int sendup;
@@ -382,6 +391,7 @@ key_abort(struct socket *so)
static int
key_attach(struct socket *so, int proto, struct thread *td)
{
+ INIT_VNET_IPSEC(curvnet);
struct keycb *kp;
int error;
@@ -456,6 +466,7 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
static void
key_detach(struct socket *so)
{
+ INIT_VNET_IPSEC(curvnet);
struct keycb *kp = (struct keycb *)sotorawcb(so);
KASSERT(kp != NULL, ("key_detach: kp == NULL"));
@@ -558,6 +569,7 @@ struct protosw keysw[] = {
static void
key_init0(void)
{
+ INIT_VNET_IPSEC(curvnet);
bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
key_init();
}
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
new file mode 100644
index 0000000..5a007ce
--- /dev/null
+++ b/sys/netipsec/vipsec.h
@@ -0,0 +1,188 @@
+/*
+ * Copyright (c) 2007-2008 University of Zagreb
+ * Copyright (c) 2007-2008 FreeBSD Foundation
+ *
+ * This software was developed by the University of Zagreb and the
+ * FreeBSD Foundation under sponsorship by the Stichting NLnet and the
+ * FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _NETIPSEC_VIPSEC_H_
+#define _NETIPSEC_VIPSEC_H_
+
+#ifdef VIMAGE
+#include <sys/proc.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+
+#include <netipsec/ipsec.h>
+#include <netipsec/esp_var.h>
+#include <netipsec/ah_var.h>
+#include <netipsec/ipcomp_var.h>
+#include <netipsec/ipip_var.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+#include <net/route.h>
+#include <net/raw_cb.h>
+
+#include <netipsec/keysock.h>
+
+struct vnet_ipsec {
+ int _ipsec_debug;
+ struct ipsecstat _ipsec4stat;
+ struct secpolicy _ip4_def_policy;
+
+ int _ip4_esp_trans_deflev;
+ int _ip4_esp_net_deflev;
+ int _ip4_ah_trans_deflev;
+ int _ip4_ah_net_deflev;
+ int _ip4_ah_offsetmask;
+ int _ip4_ipsec_dfbit;
+ int _ip4_ipsec_ecn;
+ int _ip4_esp_randpad;
+
+ int _ipsec_replay;
+ int _ipsec_integrity;
+ int _crypto_support;
+
+ u_int32_t _key_debug_level;
+ u_int _key_spi_trycnt;
+ u_int32_t _key_spi_minval;
+ u_int32_t _key_spi_maxval;
+ u_int32_t _policy_id;
+ u_int _key_int_random;
+ u_int _key_larval_lifetime;
+ int _key_blockacq_count;
+ int _key_blockacq_lifetime;
+ int _key_preferred_oldsa;
+ u_int32_t _acq_seq;
+
+ u_int _saorder_state_alive[3];
+ u_int _saorder_state_any[4];
+ int _esp_enable;
+ struct espstat _espstat;
+ int _esp_max_ivlen;
+ int _ipsec_esp_keymin;
+ int _ipsec_esp_auth;
+ int _ipsec_ah_keymin;
+ int _ipip_allow;
+ struct ipipstat _ipipstat;
+
+ struct ipsecstat _ipsec6stat;
+ int _ip6_esp_trans_deflev;
+ int _ip6_esp_net_deflev;
+ int _ip6_ah_trans_deflev;
+ int _ip6_ah_net_deflev;
+ int _ip6_ipsec_ecn;
+ int _ip6_esp_randpad;
+
+ int _ah_enable;
+ int _ah_cleartos;
+ struct ahstat _ahstat;
+
+ int _ipcomp_enable;
+ struct ipcompstat _ipcompstat;
+
+ struct pfkeystat _pfkeystat;
+ struct key_cb _key_cb;
+ struct sockaddr _key_dst;
+ struct sockaddr _key_src;
+
+ LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX];
+ LIST_HEAD(, secashead) _sahtree;
+ LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1];
+ LIST_HEAD(, secacq) _acqtree;
+ LIST_HEAD(, secspacq) _spacqtree;
+};
+#endif
+
+/*
+ * Symbol translation macros
+ */
+#define INIT_VNET_IPSEC(vnet) \
+ INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec)
+
+#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym)
+
+#define V_acq_seq VNET_IPSEC(acq_seq)
+#define V_acqtree VNET_IPSEC(acqtree)
+#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
+#define V_ah_enable VNET_IPSEC(ah_enable)
+#define V_ahstat VNET_IPSEC(ahstat)
+#define V_crypto_support VNET_IPSEC(crypto_support)
+#define V_esp_enable VNET_IPSEC(esp_enable)
+#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen)
+#define V_espstat VNET_IPSEC(espstat)
+#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev)
+#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask)
+#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev)
+#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy)
+#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev)
+#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad)
+#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
+#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
+#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
+#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
+#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
+#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
+#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
+#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
+#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
+#define V_ipcompstat VNET_IPSEC(ipcompstat)
+#define V_ipip_allow VNET_IPSEC(ipip_allow)
+#define V_ipipstat VNET_IPSEC(ipipstat)
+#define V_ipsec4stat VNET_IPSEC(ipsec4stat)
+#define V_ipsec6stat VNET_IPSEC(ipsec6stat)
+#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin)
+#define V_ipsec_debug VNET_IPSEC(ipsec_debug)
+#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth)
+#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin)
+#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity)
+#define V_ipsec_replay VNET_IPSEC(ipsec_replay)
+#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count)
+#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime)
+#define V_key_cb VNET_IPSEC(key_cb)
+#define V_key_debug_level VNET_IPSEC(key_debug_level)
+#define V_key_dst VNET_IPSEC(key_dst)
+#define V_key_int_random VNET_IPSEC(key_int_random)
+#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime)
+#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa)
+#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval)
+#define V_key_spi_minval VNET_IPSEC(key_spi_minval)
+#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt)
+#define V_key_src VNET_IPSEC(key_src)
+#define V_pfkeystat VNET_IPSEC(pfkeystat)
+#define V_policy_id VNET_IPSEC(policy_id)
+#define V_regtree VNET_IPSEC(regtree)
+#define V_sahtree VNET_IPSEC(sahtree)
+#define V_saorder_state_alive VNET_IPSEC(saorder_state_alive)
+#define V_saorder_state_any VNET_IPSEC(saorder_state_any)
+#define V_spacqtree VNET_IPSEC(spacqtree)
+#define V_sptree VNET_IPSEC(sptree)
+
+#endif /* !_NETIPSEC_VIPSEC_H_ */
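Review bot: The symbol translation macros at the bottom of the new header use `INIT_FROM_VNET()`, `VSYM()` and `VNET_MOD_IPSEC`, but the header never includes the file that defines them, and outside the `#ifdef VIMAGE` block it includes nothing at all. Every consumer therefore has to include `<sys/vimage.h>` first (keysock.c does, as its include hunk shows), which makes the header order-dependent. Either add `#include <sys/vimage.h>` right after the include guard, or state the requirement in a comment such as `/* Requires <sys/vimage.h> for INIT_FROM_VNET() and VSYM(). */`. If `<netipsec/ipsec.h>` already pulls it in, that still covers only the VIMAGE case.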
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 4f87db6f..76fecb1 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -93,12 +93,12 @@ int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
struct ahstat ahstat;
SYSCTL_DECL(_net_inet_ah);
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
- ah_enable, CTLFLAG_RW, &ah_enable, 0, "");
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
- ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, "");
-SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &ahstat, ahstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+ ah_enable, CTLFLAG_RW, ah_enable, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+ ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, ahstat, ahstat, "");
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
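Review bot: The three converted OIDs still carry an empty description (`""`), so the conversion is a missed chance to document knobs that control AH processing. For `ah_cleartos` the text already exists in the declaration comment, so the line could read `ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "Clear ip_tos when doing AH calc");`. The same applies to the `esp_enable`, `ipcomp_enable` and `ipip_allow` hunks in xform_esp.c, xform_ipcomp.c and xform_ipip.c. Separately, these stay `CTLFLAG_RW`: once `SYSCTL_V_INT()` stops resolving to `SYSCTL_INT()`, it is worth confirming which privilege is needed to write them from inside a non-default vnet, since nothing here restricts it.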
@@ -160,6 +160,7 @@ ah_hdrsiz(struct secasvar *sav)
int
ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
{
+ INIT_VNET_IPSEC(curvnet);
struct auth_hash *thash;
int keylen;
@@ -214,6 +215,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
static int
ah_init(struct secasvar *sav, struct xformsw *xsp)
{
+ INIT_VNET_IPSEC(curvnet);
struct cryptoini cria;
int error;
@@ -248,6 +250,7 @@ ah_zeroize(struct secasvar *sav)
static int
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m = *m0;
unsigned char *ptr;
int off, count;
@@ -552,6 +555,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
+ INIT_VNET_IPSEC(curvnet);
struct auth_hash *ahx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
@@ -721,6 +725,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ah_input_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
int rplen, error, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m;
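Review bot: `ah_input_cb` is a crypto completion callback, yet it takes its IPsec context from `curvnet`, and nothing visible here establishes that the thread invoking the callback has the originating packet's vnet set as current. This is harmless while `INIT_VNET_IPSEC()` is a no-op, but once it resolves to real per-vnet state a wrong `curvnet` would make the callback consult another network stack's SA state and counters. I would carry the vnet with the request and set the context from that via `CURVNET_SET()`, or at minimum mark the spot with `/* XXX: relies on curvnet being valid in crypto callback context */`. The same applies to `ah_output_cb`, `esp_input_cb`, `esp_output_cb`, `ipcomp_input_cb` and `ipcomp_output_cb`. The function body continues outside the hunk.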
@@ -883,6 +888,7 @@ ah_output(
int skip,
int protoff)
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct auth_hash *ahx;
struct cryptodesc *crda;
@@ -1109,6 +1115,7 @@ bad:
static int
ah_output_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
int skip, protoff, error;
struct tdb_crypto *tc;
struct ipsecrequest *isr;
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 3ac01c6..21cc82f 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -80,10 +80,10 @@ int esp_enable = 1;
struct espstat espstat;
SYSCTL_DECL(_net_inet_esp);
-SYSCTL_INT(_net_inet_esp, OID_AUTO,
- esp_enable, CTLFLAG_RW, &esp_enable, 0, "");
-SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &espstat, espstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
+ esp_enable, CTLFLAG_RW, esp_enable, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, espstat, espstat, "");
static int esp_max_ivlen; /* max iv length over all algorithms */
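Review bot: Style nit on the first converted line: it is missing the space after `vnet_ipsec,` that the other converted OIDs in this commit have. It should read `SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_esp, OID_AUTO,`. Nothing functional depends on it.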
@@ -123,6 +123,7 @@ esp_algorithm_lookup(int alg)
size_t
esp_hdrsiz(struct secasvar *sav)
{
+ INIT_VNET_IPSEC(curvnet);
size_t size;
if (sav != NULL) {
@@ -157,6 +158,7 @@ esp_hdrsiz(struct secasvar *sav)
static int
esp_init(struct secasvar *sav, struct xformsw *xsp)
{
+ INIT_VNET_IPSEC(curvnet);
struct enc_xform *txform;
struct cryptoini cria, crie;
int keylen;
@@ -267,6 +269,7 @@ esp_zeroize(struct secasvar *sav)
static int
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
+ INIT_VNET_IPSEC(curvnet);
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_ident *tdbi;
@@ -449,6 +452,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
esp_input_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
int hlen, skip, protoff, error;
struct mbuf *m;
@@ -652,6 +656,7 @@ esp_output(
int protoff
)
{
+ INIT_VNET_IPSEC(curvnet);
struct enc_xform *espx;
struct auth_hash *esph;
int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -882,6 +887,7 @@ bad:
static int
esp_output_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 2882af8..3492924 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -71,10 +71,10 @@ int ipcomp_enable = 0;
struct ipcompstat ipcompstat;
SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_INT(_net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, "");
-SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &ipcompstat, ipcompstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
@@ -97,6 +97,7 @@ ipcomp_algorithm_lookup(int alg)
static int
ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
{
+ INIT_VNET_IPSEC(curvnet);
struct comp_algo *tcomp;
struct cryptoini cric;
@@ -137,6 +138,7 @@ ipcomp_zeroize(struct secasvar *sav)
static int
ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
+ INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
@@ -207,6 +209,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ipcomp_input_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
struct cryptodesc *crd;
struct tdb_crypto *tc;
int skip, protoff;
@@ -327,6 +330,7 @@ ipcomp_output(
int protoff
)
{
+ INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize, roff;
@@ -485,6 +489,7 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
+ INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index cb9256d..568d42e 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -95,10 +95,10 @@ int ipip_allow = 0;
struct ipipstat ipipstat;
SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_INT(_net_inet_ipip, OID_AUTO,
- ipip_allow, CTLFLAG_RW, &ipip_allow, 0, "");
-SYSCTL_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &ipipstat, ipipstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
+ ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, ipipstat, ipipstat, "");
/* XXX IPCOMP */
#define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
@@ -156,6 +156,8 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
+ INIT_VNET_NET(curvnet);
+ INIT_VNET_IPSEC(curvnet);
register struct sockaddr_in *sin;
register struct ifnet *ifp;
register struct ifaddr *ifa;
@@ -407,6 +409,10 @@ ipip_output(
int protoff
)
{
+ INIT_VNET_IPSEC(curvnet);
+#ifdef INET
+ INIT_VNET_INET(curvnet);
+#endif /* INET */
struct secasvar *sav;
u_int8_t tp, otos;
struct secasindex *saidx;