author | zec <zec@FreeBSD.org> | 2009-04-06 22:29:41 +0000 |
---|---|---|
committer | zec <zec@FreeBSD.org> | 2009-04-06 22:29:41 +0000 |
commit | c85551e0bc714ce0e1634c2d308b1616c8dd88ca (patch) | |
tree | 1b479c98f577a974d301743e3161bc32e49c0e64 /sys/netipsec | |
parent | f28ea657e983e90686b8309747fd1c6ad718135c (diff) | |
First pass at separating per-vnet initializer functions
from existing functions for initializing global state.
At this stage, the new per-vnet initializer functions are
directly called from the existing global initialization code,
which should in most cases result in compiler inlining those
new functions, hence yielding a near-zero functional change.
Modify the existing initializer functions which are invoked via
protosw, like ip_init() et al., to allow them to be invoked
multiple times, i.e. per each vnet. Global state, if any,
is initialized only if such functions are called within the
context of vnet0, which will be determined via the
IS_DEFAULT_VNET(curvnet) check (currently always true).
While here, V_irtualize a few remaining global UMA zones
used by net/netinet/netipsec networking code. While it is
not yet clear to me or anybody else whether this is the right
thing to do, at this stage this makes the code more readable,
and makes it easier to track uncollected UMA-zone-backed
objects on vnet removal. In the long run, it's quite possible
that some form of shared use of UMA zone pools among multiple
vnets should be considered.
Bump __FreeBSD_version due to changes in layout of structs
vnet_ipfw, vnet_inet and vnet_net.
Approved by: julian (mentor)
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 12 | ||||
-rw-r--r-- | sys/netipsec/key.c | 15 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 13 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 17 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 12 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 12 |
6 files changed, 68 insertions, 13 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 00ce8de..85d2897 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -103,6 +103,8 @@ struct vnet_ipsec vnet_ipsec_0; #endif #endif +static int ipsec_iattach(const void *); + #ifdef VIMAGE_GLOBALS /* NB: name changed so netstat doesn't use it. */ struct ipsecstat ipsec4stat; @@ -1758,8 +1760,18 @@ static void ipsec_attach(void) { + ipsec_iattach(NULL); +} + +static int +ipsec_iattach(const void *unused __unused) +{ + INIT_VNET_IPSEC(curvnet); + SECPOLICY_LOCK_INIT(&V_ip4_def_policy); V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */ + + return (0); } SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL); diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 95a5df6..70b68a8 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -7171,12 +7171,6 @@ key_init(void) V_ipsec_esp_auth = 0; V_ipsec_ah_keymin = 128; - SPTREE_LOCK_INIT(); - REGTREE_LOCK_INIT(); - SAHTREE_LOCK_INIT(); - ACQ_LOCK_INIT(); - SPACQ_LOCK_INIT(); - for (i = 0; i < IPSEC_DIR_MAX; i++) LIST_INIT(&V_sptree[i]); @@ -7192,6 +7186,15 @@ key_init(void) V_ip4_def_policy.policy = IPSEC_POLICY_NONE; V_ip4_def_policy.refcnt++; /*never reclaim this*/ + if (!IS_DEFAULT_VNET(curvnet)) + return; + + SPTREE_LOCK_INIT(); + REGTREE_LOCK_INIT(); + SAHTREE_LOCK_INIT(); + ACQ_LOCK_INIT(); + SPACQ_LOCK_INIT(); + #ifndef IPSEC_DEBUG2 timeout((void *)key_timehandler, (void *)0, hz); #endif /*IPSEC_DEBUG2*/ diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 3a4c7dc..365ac13 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -73,6 +73,8 @@ #include <opencrypto/cryptodev.h> +static int ah_iattach(const void *); + /* * Return header size in bytes. The old protocol did not support * the replay counter; the new protocol always includes the counter. 
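Review bot: `ipsec_iattach()` assigns `V_ip4_def_policy.refcnt = 1` outright, while `key_init()` (second key.c hunk) does `V_ip4_def_policy.refcnt++` on the same policy, so the final count depends on which of the two runs first for a given vnet. If a later per-vnet path runs them in an order that leaves the count at 1, the extra reference that keeps the default policy from being released is lost; the call order is not visible in this diff, so it is worth confirming before these initializers are hooked into vnet creation. A comment on the new function would record the dependency, e.g. `/* NB: overwrites refcnt and inits the policy lock; ordering against key_init()'s refcnt++ matters. */`. The `int` result is dropped in `ipsec_attach()`; writing `(void)ipsec_iattach(NULL);` would show that this is deliberate.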
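Review bot: Everything after the new `if (!IS_DEFAULT_VNET(curvnet)) return;` in `key_init()` is now implicitly global state, including the `timeout()` that arms `key_timehandler`, but nothing at the return says so. If that handler is what ages out SAs and policies (its body is not in this hunk), it will have to walk every vnet's lists once the check can be false, otherwise entries in non-default vnets would never reach their lifetime limits. The tree locks are also now initialized after the `LIST_INIT` calls instead of before them, which is harmless in the lines shown because none of them takes a lock. Suggested comment above the check: `/* Global state from here on: the tree locks and the single key_timehandler callout are shared by all vnets. */`. `key_init()` begins and ends outside the hunk.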
@@ -1220,9 +1222,18 @@ static void ah_attach(void) { + xform_register(&ah_xformsw); + ah_iattach(NULL); +} + +static int +ah_iattach(const void *unused __unused) +{ + INIT_VNET_IPSEC(curvnet); + V_ah_enable = 1; /* control flow of packets with AH */ V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ - xform_register(&ah_xformsw); + return (0); } SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 98a2240..46ab8d8 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -90,6 +90,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS, static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); +static int esp_iattach(const void *); /* * NB: this is public for use by the PF_KEY support. @@ -990,9 +991,19 @@ static struct xformsw esp_xformsw = { static void esp_attach(void) { + + xform_register(&esp_xformsw); + esp_iattach(NULL); +} + +static int +esp_iattach(const void *unused __unused) +{ + INIT_VNET_IPSEC(curvnet); + #define MAXIV(xform) \ if (xform.blocksize > V_esp_max_ivlen) \ - V_esp_max_ivlen = xform.blocksize \ + V_esp_max_ivlen = xform.blocksize \ V_esp_enable = 1; V_esp_max_ivlen = 0; @@ -1005,8 +1016,8 @@ esp_attach(void) MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */ MAXIV(enc_xform_null); /* SADB_EALG_NULL */ MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */ - - xform_register(&esp_xformsw); #undef MAXIV + + return (0); } SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL); diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index d64abf0f..c4f0591 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c 
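Review bot: `ah_attach()` now calls `xform_register(&ah_xformsw)` before `ah_iattach()` sets `V_ah_enable` and `V_ah_cleartos`, whereas the removed code set the defaults first and registered last. The same reordering appears in `esp_attach()` (registration now precedes the `V_esp_max_ivlen` computation), in `ipcomp_attach()`, and in `ipe4_attach()`, where `V_ipip_allow = 0` is now applied only after `xform_register()` and the `encap_attach_func()` registration. This is probably unobservable during SYSINIT, but it publishes each transform before its policy knobs hold their intended values. Keeping the old order is a two-line swap in each function, here `ah_iattach(NULL);` followed by `xform_register(&ah_xformsw);`.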
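Review bot: The `MAXIV` macro re-indented in the second xform_esp.c hunk is a bare `if` whose last line still ends in a continuation backslash, so the definition appears to depend on the following line staying empty and on every use being a standalone statement. Now that it sits inside the new `esp_iattach()`, rewriting the body as `do { if (xform.blocksize > V_esp_max_ivlen) V_esp_max_ivlen = xform.blocksize; } while (0)` and dropping the trailing `\` would remove both hazards without touching the `MAXIV(...);` call sites. The function body continues into the next hunk.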
@@ -80,6 +80,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS, static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); +static int ipcomp_iattach(const void *); struct comp_algo * ipcomp_algorithm_lookup(int alg) @@ -600,7 +601,16 @@ static void ipcomp_attach(void) { - V_ipcomp_enable = 0; xform_register(&ipcomp_xformsw); + ipcomp_iattach(NULL); +} + +static int +ipcomp_iattach(const void *unused __unused) +{ + INIT_VNET_IPSEC(curvnet); + + V_ipcomp_enable = 0; + return (0); } SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL); diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index cbc447c..f7949ec 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -697,11 +697,18 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg) return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); } -static void -ipe4_attach(void) +static int +ipe4_iattach(const void *unused __unused) { + INIT_VNET_IPSEC(curvnet); V_ipip_allow = 0; + return (0); +} + +static void +ipe4_attach(void) +{ xform_register(&ipe4_xformsw); /* attach to encapsulation framework */ @@ -712,6 +719,7 @@ ipe4_attach(void) (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); #endif + ipe4_iattach(NULL); } SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL); #endif /* IPSEC */ |