author | rwatson <rwatson@FreeBSD.org> | 2009-07-14 22:48:30 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2009-07-14 22:48:30 +0000 |
commit | 57ca4583e728cab422fba8f15de10bd0b637b3dd (patch) | |
tree | 13848f891fb2f7a396281b31633563d0f764ff65 /sys/netipsec | |
parent | ef443476d9706035ac219f0280ef0b817dda7a6d (diff) | |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing them in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ah_var.h | 9 | ||||
-rw-r--r-- | sys/netipsec/esp_var.h | 6 | ||||
-rw-r--r-- | sys/netipsec/ipcomp_var.h | 6 | ||||
-rw-r--r-- | sys/netipsec/ipip_var.h | 8 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 244 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 52 | ||||
-rw-r--r-- | sys/netipsec/ipsec6.h | 19 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 7 | ||||
-rw-r--r-- | sys/netipsec/ipsec_mbuf.c | 5 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 9 | ||||
-rw-r--r-- | sys/netipsec/key.c | 209 | ||||
-rw-r--r-- | sys/netipsec/key_debug.c | 2 | ||||
-rw-r--r-- | sys/netipsec/key_debug.h | 3 | ||||
-rw-r--r-- | sys/netipsec/keysock.c | 23 | ||||
-rw-r--r-- | sys/netipsec/keysock.h | 8 | ||||
-rw-r--r-- | sys/netipsec/vipsec.h | 184 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 54 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 57 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 39 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 40 | ||||
-rw-r--r-- | sys/netipsec/xform_tcp.c | 3 |
21 files changed, 274 insertions, 713 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h index 5a8c06e..974cc6c 100644 --- a/sys/netipsec/ah_var.h +++ b/sys/netipsec/ah_var.h @@ -71,8 +71,11 @@ struct ahstat { }; #ifdef _KERNEL -extern int ah_enable; -extern int ah_cleartos; -extern struct ahstat ahstat; +VNET_DECLARE(int, ah_enable); +#define V_ah_enable VNET_GET(ah_enable) +VNET_DECLARE(int, ah_cleartos); +#define V_ah_cleartos VNET_GET(ah_cleartos) +VNET_DECLARE(struct ahstat, ahstat); +#define V_ahstat VNET_GET(ahstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_AH_VAR_H_*/ diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h index 278b996..66fcd39 100644 --- a/sys/netipsec/esp_var.h +++ b/sys/netipsec/esp_var.h @@ -72,7 +72,9 @@ struct espstat { }; #ifdef _KERNEL -extern int esp_enable; -extern struct espstat espstat; +VNET_DECLARE(int, esp_enable); +#define V_esp_enable VNET_GET(esp_enable) +VNET_DECLARE(struct espstat, espstat); +#define V_espstat VNET_GET(espstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_ESP_VAR_H_*/ diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h index 6a506bb..d70c6a2 100644 --- a/sys/netipsec/ipcomp_var.h +++ b/sys/netipsec/ipcomp_var.h @@ -61,7 +61,9 @@ struct ipcompstat { }; #ifdef _KERNEL -extern int ipcomp_enable; -extern struct ipcompstat ipcompstat; +VNET_DECLARE(int, ipcomp_enable); +#define V_ipcomp_enable VNET_GET(ipcomp_enable) +VNET_DECLARE(struct ipcompstat, ipcompstat); +#define V_ipcompstat VNET_GET(ipcompstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_IPCOMP_VAR_H_*/ diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h index 3d4ee15..a620b72 100644 --- a/sys/netipsec/ipip_var.h +++ b/sys/netipsec/ipip_var.h 
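Review bot: The new `VNET_DECLARE`/`VNET_GET` lines in ah_var.h make the header depend on <net/vnet.h>, but no include of it is visible in this hunk (the top of the file is outside it), so unless the header already has one it now compiles only when the including .c file has pulled net/vnet.h in first, as ipsec.c, ipsec_input.c, ipsec_output.c and key.c do in later hunks. If ah_var.h does not already include it, add `#include <net/vnet.h>` inside the `#ifdef _KERNEL` block so the header stays self-contained. The same applies to the esp_var.h, ipcomp_var.h, ipip_var.h, ipsec.h and ipsec6.h hunks.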
@@ -59,9 +59,9 @@ struct ipipstat }; #ifdef _KERNEL -extern int ipip_allow; -#ifdef VIMAGE_GLOBALS -extern struct ipipstat ipipstat; -#endif +VNET_DECLARE(int, ipip_allow); +#define V_ipip_allow VNET_GET(ipip_allow) +VNET_DECLARE(struct ipipstat, ipipstat); +#define V_ipipstat VNET_GET(ipipstat) #endif /* _KERNEL */ #endif /* _NETINET_IPIP_H_ */ diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index dabd5b6..4a7001e 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -57,6 +57,7 @@ #include <net/if.h> #include <net/route.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -97,30 +98,25 @@ #include <opencrypto/cryptodev.h> -#ifndef VIMAGE -#ifndef VIMAGE_GLOBALS -struct vnet_ipsec vnet_ipsec_0; -#endif -#endif - -static int ipsec_iattach(const void *); -#ifdef VIMAGE -static int ipsec_idetach(const void *); +#ifdef IPSEC_DEBUG +VNET_DEFINE(int, ipsec_debug) = 1; +#else +VNET_DEFINE(int, ipsec_debug) = 0; #endif - -#ifdef VIMAGE_GLOBALS /* NB: name changed so netstat doesn't use it. */ -struct ipsecstat ipsec4stat; -struct secpolicy ip4_def_policy; -int ipsec_debug; -int ip4_ah_offsetmask; -int ip4_ipsec_dfbit; -int ip4_esp_trans_deflev; -int ip4_esp_net_deflev; -int ip4_ah_trans_deflev; -int ip4_ah_net_deflev; -int ip4_ipsec_ecn; -int ip4_esp_randpad; +VNET_DEFINE(struct ipsecstat, ipsec4stat); +VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ +/* DF bit on encap. 0: clear 1: set 2: copy */ +VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; +VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(struct secpolicy, ip4_def_policy); +/* ECN ignore(-1)/forbidden(0)/allowed(1) */ +VNET_DEFINE(int, ip4_ipsec_ecn) = 0; +VNET_DEFINE(int, ip4_esp_randpad) = -1; + /* * Crypto support requirements: * 
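Review bot: `VNET_DEFINE(struct secpolicy, ip4_def_policy);` is the one definition in this block that is not complete on its own: its lock and refcnt are still set up in ipsec_iattach (visible in the hunk at -1804), and the policy value that the RW `def_policy` sysctl exposes is presumably set there as well, outside this diff. A one-line comment here would stop a reader from assuming the zero-initialised reference copy is usable, e.g. `/* Lock, refcnt and policy are finished in ipsec_iattach(); not usable before then. */`. The `/* maybe IP_DF? */` remark carried over from ipsec_init onto `ip4_ah_offsetmask` also reads oddly next to a `= 0` initialiser; either spell out what it is questioning or drop it.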
@@ -128,80 +124,74 @@ int ip4_esp_randpad; * -1 require software support * 0 take anything */ -int crypto_support; -#endif /* VIMAGE_GLOBALS */ +VNET_DEFINE(int, crypto_support) = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; SYSCTL_DECL(_net_inet_ipsec); /* net.inet.ipsec */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, + CTLFLAG_RW, &VNET_NAME(ip4_def_policy).policy, 0, "IPsec default policy."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, - esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_esp_trans_deflev), 0, "Default ESP transport mode level"); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, - esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_esp_net_deflev), 0, "Default ESP tunnel mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, - ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_ah_trans_deflev), 0, "AH transfer mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, - ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_ah_net_deflev), 0, "AH tunnel mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS, - ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, + CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set clear type-of-service field when doing AH computation."); 
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, - ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, + CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, "If not set clear offset field mask when doing AH computation."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT, - dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit, + CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0, "Do not fragment bit on encap."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN, - ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn, + CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, ipsec_debug, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, + CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, "Enable IPsec debugging output when set."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - crypto_support, CTLFLAG_RW, crypto_support,0, +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, crypto_support, + CTLFLAG_RW, &VNET_NAME(crypto_support), 0, "Crypto driver selection."); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, +SYSCTL_VNET_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats, + CTLFLAG_RD, &VNET_NAME(ipsec4stat), ipsecstat, "IPsec IPv4 statistics."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0, - "If set filter packets from an IPsec tunnel."); #ifdef REGRESSION -#ifdef VIMAGE_GLOBALS -int ipsec_replay; -int ipsec_integrity; -#endif /* * When set to 1, IPsec will send packets with the same sequence number. * This allows to verify if the other side has proper replay attacks detection. 
*/ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, - CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); +VNET_DEFINE(int, ipsec_replay) = 0; +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_replay, + CTLFLAG_RW, &VNET_NAME(ipsec_replay), 0, + "Emulate replay attack"); /* * When set 1, IPsec will send packets with corrupted HMAC. * This allows to verify if the other side properly detects modified packets. */ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, - CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack"); +VNET_DEFINE(int, ipsec_integrity) = 0; +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_integrity, + CTLFLAG_RW, &VNET_NAME(ipsec_integrity), 0, + "Emulate man-in-the-middle attack"); #endif #ifdef INET6 -#ifdef VIMAGE_GLOBALS -struct ipsecstat ipsec6stat; -int ip6_esp_trans_deflev; -int ip6_esp_net_deflev; -int ip6_ah_trans_deflev; -int ip6_ah_net_deflev; -int ip6_ipsec_ecn; -#endif +VNET_DEFINE(struct ipsecstat, ipsec6stat); +VNET_DEFINE(int, ip6_esp_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_esp_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ SYSCTL_DECL(_net_inet6_ipsec6); 
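Review bot: The `filtertunnel` sysctl under net.inet.ipsec is removed here (and its net.inet6.ipsec6 counterpart in the hunk at -210), together with the `ip4_ipsec_filtertunnel`/`ip6_ipsec6_filtertunnel` defaults in the deleted ipsec_init and their externs in the ipsec.h/ipsec6.h hunks, but no replacement definition appears anywhere in this diff and the commit message does not mention the knob. Per its removed description ("If set filter packets from an IPsec tunnel.") it decides whether traffic arriving through an IPsec tunnel is filtered, so an administrator relying on it will notice if its name or path changes. The diffstat is limited to sys/netipsec, so the knob may well have moved elsewhere in the same commit; if so, the description should say where, and if not, this hunk silently drops a security-relevant tunable.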
@@ -210,33 +200,30 @@ SYSCTL_DECL(_net_inet6_ipsec6); SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics."); #endif /* COMPAT_KAME */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW, + &VNET_NAME(ip4_def_policy).policy, 0, "IPsec default policy."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, - esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_trans_deflev), 0, "Default ESP transport mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, - esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_net_deflev), 0, "Default ESP tunnel mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, - ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_trans_deflev), 0, "AH transfer mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, - ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_net_deflev), 0, "AH tunnel mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN, - ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_ECN, + ecn, CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, 
ipsec_debug, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_RW, + &VNET_NAME(ipsec_debug), 0, "Enable IPsec debugging output when set."); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, - ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, +SYSCTL_VNET_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, + ipsecstats, CTLFLAG_RD, &VNET_NAME(ipsec6stat), ipsecstat, "IPsec IPv6 statistics."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO, - filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0, - "If set filter packets from an IPsec tunnel."); #endif /* INET6 */ static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *)); 
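Review bot: `net.inet6.ipsec6.def_policy` is wired to `&VNET_NAME(ip4_def_policy).policy`, the same object the net.inet.ipsec.def_policy sysctl in the previous hunk writes, so the IPv4 and IPv6 default policies are a single per-vnet value. The old `ip4_def_policy.policy` argument did the same, but now that the variable is spelled out next to the `_net_inet6_ipsec6` parent a comment would save the next reader a search, e.g. `/* Shares ip4_def_policy with net.inet.ipsec; there is no separate IPv6 default policy. */`.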
@@ -253,72 +240,22 @@ static void vshiftl __P((unsigned char *, int, int)); MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); -#ifndef VIMAGE_GLOBALS +static int ipsec_iattach(const void *); +#ifdef VIMAGE static const vnet_modinfo_t vnet_ipsec_modinfo = { .vmi_id = VNET_MOD_IPSEC, .vmi_name = "ipsec", - .vmi_size = sizeof(struct vnet_ipsec), .vmi_dependson = VNET_MOD_INET, /* XXX revisit - INET6 ? */ .vmi_iattach = ipsec_iattach, -#ifdef VIMAGE - .vmi_idetach = ipsec_idetach -#endif }; -#endif /* !VIMAGE_GLOBALS */ - -void -ipsec_init(void) -{ - INIT_VNET_IPSEC(curvnet); - -#ifdef IPSEC_DEBUG - V_ipsec_debug = 1; -#else - V_ipsec_debug = 0; #endif - V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */ - V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ - V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE; - V_ip4_esp_net_deflev = IPSEC_LEVEL_USE; - V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE; - V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; - V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ - V_ip4_esp_randpad = -1; -#ifdef IPSEC_FILTERTUNNEL - V_ip4_ipsec_filtertunnel = 1; -#else - V_ip4_ipsec_filtertunnel = 0; -#endif - - V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; - -#ifdef REGRESSION - V_ipsec_replay = 0; - V_ipsec_integrity = 0; -#endif - -#ifdef INET6 - V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE; - V_ip6_esp_net_deflev = IPSEC_LEVEL_USE; - V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; - V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; - V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ -#ifdef IPSEC_FILTERTUNNEL - V_ip6_ipsec6_filtertunnel = 1; -#else - V_ip6_ipsec6_filtertunnel = 0; -#endif -#endif -} - /* * Return a held reference to the default SP. */ static struct secpolicy * key_allocsp_default(const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 
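Review bot: `vnet_ipsec_modinfo` loses its `.vmi_idetach` member here, and the `ipsec_idetach` stub with its "XXX revisit this!" reminder is deleted in the hunk at -1812, so under VIMAGE nothing runs when a vnet is destroyed. ipsec_iattach initialises a per-vnet lock with `SECPOLICY_LOCK_INIT(&V_ip4_def_policy)` (hunk at -1804) and key.c now keeps per-vnet SPD/SAD/acquire heads, so whatever a vnet accumulates is, as far as this diff shows, never torn down; whether the vnet framework handles that elsewhere is not visible here. If the omission is deliberate for now, keep the reminder on the modinfo instead of dropping it: `/* XXX no vmi_idetach yet: per-vnet SPD/SAD and the ip4_def_policy lock are not torn down on vnet destroy. */`.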
@@ -384,7 +321,6 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir) static struct secpolicy * ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) { - INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *pcbsp; struct secpolicy *currsp = NULL; /* Policy on socket. */ struct secpolicy *sp; @@ -482,7 +418,6 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) { - INIT_VNET_IPSEC(curvnet); struct secpolicyindex spidx; struct secpolicy *sp; @@ -515,7 +450,6 @@ struct secpolicy * ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; *error = 0; @@ -587,7 +521,6 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp) static int ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport) { - INIT_VNET_IPSEC(curvnet); struct ip *ip = NULL; struct ip ipbuf; u_int v; @@ -778,7 +711,6 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) { - INIT_VNET_IPSEC(curvnet); int off, nxt; struct tcphdr th; struct udphdr uh; @@ -891,7 +823,6 @@ ipsec_delpcbpolicy(struct inpcbpolicy *p) int ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp) { - INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *new; /* Sanity check. */ @@ -1030,7 +961,6 @@ static int ipsec_set_policy_internal(struct secpolicy **pcb_sp, int optname, caddr_t request, size_t len, struct ucred *cred) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *newsp = NULL; int error; @@ -1079,7 +1009,6 @@ int ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len, struct ucred *cred) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; 
@@ -1111,7 +1040,6 @@ int ipsec_get_policy(struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1182,7 +1110,6 @@ ipsec_delete_pcbpolicy(struct inpcb *inp) u_int ipsec_get_reqlevel(struct ipsecrequest *isr) { - INIT_VNET_IPSEC(curvnet); u_int level = 0; u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; @@ -1287,7 +1214,6 @@ ipsec_get_reqlevel(struct ipsecrequest *isr) int ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; int need_auth; @@ -1390,7 +1316,6 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp) int ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); int result; result = ipsec46_in_reject(m, inp); @@ -1409,7 +1334,6 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) int ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); int result; result = ipsec46_in_reject(m, inp); @@ -1428,7 +1352,6 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) static size_t ipsec_hdrsiz_internal(struct secpolicy *sp) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; size_t size; @@ -1491,7 +1414,6 @@ ipsec_hdrsiz_internal(struct secpolicy *sp) size_t ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1591,7 +1513,6 @@ ipsec_chkreplay(u_int32_t seq, struct secasvar *sav) int ipsec_updatereplay(u_int32_t seq, struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); struct secreplay *replay; u_int32_t diff; int fr; @@ -1791,10 +1712,10 @@ ipsec_dumpmbuf(struct mbuf *m) } static void -ipsec_attach(void) +ipsec_attach(const void *unused __unused) { -#ifndef VIMAGE_GLOBALS +#ifdef VIMAGE vnet_mod_register(&vnet_ipsec_modinfo); #else ipsec_iattach(NULL); 
@@ -1804,7 +1725,6 @@ ipsec_attach(void) static int ipsec_iattach(const void *unused __unused) { - INIT_VNET_IPSEC(curvnet); SECPOLICY_LOCK_INIT(&V_ip4_def_policy); V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */ @@ -1812,16 +1732,6 @@ ipsec_iattach(const void *unused __unused) return (0); } -#ifdef VIMAGE -static int -ipsec_idetach(const void *unused __unused) -{ - - /* XXX revisit this! */ - - return (0); -} -#endif SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index c869ec8..03df7bc 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h 
@@ -332,25 +332,40 @@ struct ipsec_history { u_int32_t ih_spi; }; -extern int ipsec_debug; -#ifdef REGRESSION -extern int ipsec_replay; -extern int ipsec_integrity; -#endif +VNET_DECLARE(int, ipsec_debug); +#define V_ipsec_debug VNET_GET(ipsec_debug) +VNET_DECLARE(struct ipsecstat, ipsec4stat); +#define V_ipsec4stat VNET_GET(ipsec4stat) +VNET_DECLARE(int, ip4_ah_offsetmask); +#define V_ip4_ah_offsetmask VNET_GET(ip4_ah_offsetmask) +VNET_DECLARE(int, ip4_ipsec_dfbit); +#define V_ip4_ipsec_dfbit VNET_GET(ip4_ipsec_dfbit) +VNET_DECLARE(int, ip4_esp_trans_deflev); +#define V_ip4_esp_trans_deflev VNET_GET(ip4_esp_trans_deflev) +VNET_DECLARE(int, ip4_esp_net_deflev); +#define V_ip4_esp_net_deflev VNET_GET(ip4_esp_net_deflev) +VNET_DECLARE(int, ip4_ah_trans_deflev); +#define V_ip4_ah_trans_deflev VNET_GET(ip4_ah_trans_deflev) +VNET_DECLARE(int, ip4_ah_net_deflev); +#define V_ip4_ah_net_deflev VNET_GET(ip4_ah_net_deflev) +VNET_DECLARE(struct secpolicy, ip4_def_policy); +#define V_ip4_def_policy VNET_GET(ip4_def_policy) +VNET_DECLARE(int, ip4_ipsec_ecn); +#define V_ip4_ipsec_ecn VNET_GET(ip4_ipsec_ecn) +VNET_DECLARE(int, ip4_esp_randpad); +#define V_ip4_esp_randpad VNET_GET(ip4_esp_randpad) + +VNET_DECLARE(int, crypto_support); +#define V_crypto_support VNET_GET(crypto_support) -extern struct ipsecstat ipsec4stat; -extern struct secpolicy ip4_def_policy; -extern int ip4_esp_trans_deflev; -extern int ip4_esp_net_deflev; -extern int ip4_ah_trans_deflev; -extern int ip4_ah_net_deflev; extern int ip4_ah_cleartos; -extern int ip4_ah_offsetmask; -extern int ip4_ipsec_dfbit; -extern int ip4_ipsec_ecn; -extern int ip4_ipsec_filtertunnel; -extern int ip4_esp_randpad; -extern int crypto_support; + +#ifdef REGRESSION +VNET_DECLARE(int, ipsec_replay); +#define V_ipsec_replay VNET_GET(ipsec_replay) +VNET_DECLARE(int, ipsec_integrity); +#define V_ipsec_integrity VNET_GET(ipsec_integrity) +#endif #define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0) /* for openbsd compatibility 
*/ @@ -360,7 +375,6 @@ extern struct ipsecrequest *ipsec_newisr(void); extern void ipsec_delisr(struct ipsecrequest *); struct tdb_ident; -extern void ipsec_init(void); extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int)); struct inpcb; extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int, @@ -434,8 +448,6 @@ extern char *ipsec_dump_policy __P((caddr_t, char *)); extern const char *ipsec_strerror __P((void)); -#else -#include <netipsec/vipsec.h> #endif /* ! KERNEL */ #endif /* _NETIPSEC_IPSEC_H_ */ diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h index 2f49463..a04cbec 100644 --- a/sys/netipsec/ipsec6.h +++ b/sys/netipsec/ipsec6.h @@ -41,13 +41,18 @@ #include <netipsec/keydb.h> #ifdef _KERNEL -extern struct ipsecstat ipsec6stat; -extern int ip6_esp_trans_deflev; -extern int ip6_esp_net_deflev; -extern int ip6_ah_trans_deflev; -extern int ip6_ah_net_deflev; -extern int ip6_ipsec_ecn; -extern int ip6_ipsec6_filtertunnel; +VNET_DECLARE(struct ipsecstat, ipsec6stat); +#define V_ipsec6stat VNET_GET(ipsec6stat) +VNET_DECLARE(int, ip6_esp_trans_deflev); +#define V_ip6_esp_trans_deflev VNET_GET(ip6_esp_trans_deflev) +VNET_DECLARE(int, ip6_esp_net_deflev); +#define V_ip6_esp_net_deflev VNET_GET(ip6_esp_net_deflev) +VNET_DECLARE(int, ip6_ah_trans_deflev); +#define V_ip6_ah_trans_deflev VNET_GET(ip6_ah_trans_deflev) +VNET_DECLARE(int, ip6_ah_net_deflev); +#define V_ip6_ah_net_deflev VNET_GET(ip6_ah_net_deflev) +VNET_DECLARE(int, ip6_ipsec_ecn); +#define V_ip6_ipsec_ecn VNET_GET(ip6_ipsec_ecn) struct inpcb; diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 4ec169b..78f023a 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -60,6 +60,7 @@ #include <net/pfil.h> #include <net/route.h> #include <net/netisr.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> 
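Review bot: `extern int ip4_ah_cleartos;` is left as the only plain extern in a block where every other declaration was converted to `VNET_DECLARE`, and nothing in this diff defines a variable of that name: the sysctl in ipsec.c now points at `&VNET_NAME(ah_cleartos)` and ah_var.h declares `ah_cleartos`, not `ip4_ah_cleartos`. It looks like a stale declaration that survived the sweep; drop the line, or if a definition does exist outside this diff, convert it the same way as its neighbours so there is one naming scheme for the AH knobs.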
@@ -74,7 +75,6 @@ #include <netinet/in_pcb.h> #ifdef INET6 #include <netinet/icmp6.h> -#include <netinet6/vinet6.h> #endif #include <netipsec/ipsec.h> @@ -116,7 +116,6 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { - INIT_VNET_IPSEC(curvnet); union sockaddr_union dst_address; struct secasvar *sav; u_int32_t spi; @@ -295,7 +294,6 @@ int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { - INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip *ip; struct m_tag *mtag; @@ -518,7 +516,6 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) int ipsec6_common_input(struct mbuf **mp, int *offp, int proto) { - INIT_VNET_IPSEC(curvnet); int l = 0; int protoff; struct ip6_ext ip6e; @@ -569,8 +566,6 @@ int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { - INIT_VNET_INET6(curvnet); - INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip6_hdr *ip6; struct m_tag *mtag; diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index d813c92..1b92881 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -39,6 +39,8 @@ #include <sys/vimage.h> #include <net/route.h> +#include <net/vnet.h> + #include <netinet/in.h> #include <netipsec/ipsec.h> @@ -54,7 +56,6 @@ struct mbuf * m_makespace(struct mbuf *m0, int skip, int hlen, int *off) { - INIT_VNET_IPSEC(curvnet); struct mbuf *m; unsigned remain; @@ -158,7 +159,6 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off) caddr_t m_pad(struct mbuf *m, int n) { - INIT_VNET_IPSEC(curvnet); register struct mbuf *m0, *m1; register int len, pad; caddr_t retval; @@ -231,7 +231,6 @@ m_pad(struct mbuf *m, int n) int m_striphdr(struct mbuf *m, int skip, int hlen) { - INIT_VNET_IPSEC(curvnet); struct mbuf *m1; int roff; 
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index b953786..f689fb2 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -47,6 +47,7 @@ #include <net/if.h> #include <net/pfil.h> #include <net/route.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -65,7 +66,6 @@ #include <netinet/in_pcb.h> #ifdef INET6 #include <netinet/icmp6.h> -#include <netinet6/vinet6.h> #endif #include <netipsec/ipsec.h> @@ -96,7 +96,6 @@ int ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) { - INIT_VNET_IPSEC(curvnet); struct tdb_ident *tdbi; struct m_tag *mtag; struct secasvar *sav; @@ -264,7 +263,6 @@ ipsec_nextisr( { #define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \ isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) - INIT_VNET_IPSEC(curvnet); struct secasvar *sav; IPSECREQUEST_LOCK_ASSERT(isr); @@ -408,7 +406,6 @@ ipsec4_process_packet( int flags, int tunalready) { - INIT_VNET_IPSEC(curvnet); struct secasindex saidx; struct secasvar *sav; struct ip *ip; @@ -622,7 +619,6 @@ ipsec6_output_trans( int flags, int *tun) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; struct secasindex saidx; int error = 0; @@ -690,7 +686,6 @@ bad: static int ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); struct ip6_hdr *oip6; struct ip6_hdr *ip6; size_t plen; @@ -760,8 +755,6 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) int ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags) { - INIT_VNET_INET6(curvnet); - INIT_VNET_IPSEC(curvnet); struct ip6_hdr *ip6; struct ipsecrequest *isr; struct secasindex saidx; diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 3dc6878..07a5945 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -61,6 +61,7 @@ #include <net/if.h> #include <net/route.h> #include <net/raw_cb.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> 
@@ -75,11 +76,9 @@ #ifdef INET #include <netinet/in_pcb.h> -#include <netinet/vinet.h> #endif #ifdef INET6 #include <netinet6/in6_pcb.h> -#include <netinet6/vinet6.h> #endif /* INET6 */ #include <net/pfkeyv2.h> @@ -99,7 +98,6 @@ /* randomness */ #include <sys/random.h> -#include <sys/vimage.h> #define FULLMASK 0xff #define _BITS(bytes) ((bytes) << 3) 
@@ -115,31 +113,37 @@ * field hits 0 (= no external reference other than from SA header. */ -#ifdef VIMAGE_GLOBALS -u_int32_t key_debug_level; -static u_int key_spi_trycnt; -static u_int32_t key_spi_minval; -static u_int32_t key_spi_maxval; -static u_int32_t policy_id; -static u_int key_int_random; -static u_int key_larval_lifetime; -static int key_blockacq_count; -static int key_blockacq_lifetime; -static int key_preferred_oldsa; - -static u_int32_t acq_seq; - -static int ipsec_esp_keymin; -static int ipsec_esp_auth; -static int ipsec_ah_keymin; - -static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */ -static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */ -static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1]; -static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */ -static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ -#endif /* VIMAGE_GLOBALS */ - +VNET_DEFINE(u_int32_t, key_debug_level) = 0; +static VNET_DEFINE(u_int, key_spi_trycnt) = 1000; +#define V_key_spi_trycnt VNET_GET(key_spi_trycnt) +static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100; +#define V_key_spi_minval VNET_GET(key_spi_minval) +static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ +#define V_key_spi_maxval VNET_GET(key_spi_maxval) +static VNET_DEFINE(u_int32_t, policy_id) = 0; +#define V_policy_id VNET_GET(policy_id) +/*interval to initialize randseed,1(m)*/ +static VNET_DEFINE(u_int, key_int_random) = 60; +#define V_key_int_random VNET_GET(key_int_random) +/* interval to expire acquiring, 30(s)*/ +static VNET_DEFINE(u_int, key_larval_lifetime) = 30; +#define V_key_larval_lifetime VNET_GET(key_larval_lifetime) +/* counter for blocking SADB_ACQUIRE.*/ +static VNET_DEFINE(int, key_blockacq_count) = 10; +#define V_key_blockacq_count VNET_GET(key_blockacq_count) +/* lifetime for blocking SADB_ACQUIRE.*/ +static VNET_DEFINE(int, key_blockacq_lifetime) = 20; +#define V_key_blockacq_lifetime VNET_GET(key_blockacq_lifetime) 
+/* preferred old sa rather than new sa.*/ +static VNET_DEFINE(int, key_preferred_oldsa) = 1; +#define V_key_preferred_oldsa VNET_GET(key_preferred_oldsa) + +static VNET_DEFINE(u_int32_t, acq_seq) = 0; +#define V_acq_seq VNET_GET(acq_seq) + + /* SPD */ +static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]); +#define V_sptree VNET_GET(sptree) static struct mtx sptree_lock; #define SPTREE_LOCK_INIT() \ mtx_init(&sptree_lock, "sptree", \ @@ -149,6 +153,8 @@ static struct mtx sptree_lock; #define SPTREE_UNLOCK() mtx_unlock(&sptree_lock) #define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED) +static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */ +#define V_sahtree VNET_GET(sahtree) static struct mtx sahtree_lock; #define SAHTREE_LOCK_INIT() \ mtx_init(&sahtree_lock, "sahtree", \ @@ -159,6 +165,8 @@ static struct mtx sahtree_lock; #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) /* registed list */ +static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); +#define V_regtree VNET_GET(regtree) static struct mtx regtree_lock; #define REGTREE_LOCK_INIT() \ mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) @@ -167,6 +175,8 @@ static struct mtx regtree_lock; #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) +static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */ +#define V_acqtree VNET_GET(acqtree) static struct mtx acq_lock; #define ACQ_LOCK_INIT() \ mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF) @@ -175,6 +185,9 @@ static struct mtx acq_lock; #define ACQ_UNLOCK() mtx_unlock(&acq_lock) #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) + /* SP acquiring list */ +static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree); +#define V_spacqtree VNET_GET(spacqtree) static struct mtx spacq_lock; #define SPACQ_LOCK_INIT() \ mtx_init(&spacq_lock, "spacqtree", \ 
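Review bot: The SPD/SAD/registration/acquire list heads become per-vnet here (`sptree`, and `sahtree`, `regtree`, `acqtree`, `spacqtree` in the following hunks at -149, -159, -167 and -175), but the mutexes that protect them — `sptree_lock`, `sahtree_lock`, `regtree_lock`, `acq_lock`, `spacq_lock` — stay single global `static struct mtx` objects. That is a defensible choice (one lock serialises the list in every vnet), but nothing in the source says it is deliberate, and a reader seeing `VNET_DEFINE` directly above a plain `static struct mtx` will wonder whether the lock was missed. Suggest a comment above the first pair: `/* NB: the list heads are per-vnet, the locks are not: each lock covers its list in every vnet. */`. The zero-filled reference copy of each `LIST_HEAD` is an empty list, so cloning it into a new vnet is sound; presumably key_init still does a LIST_INIT, which is then redundant but harmless.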
@@ -257,56 +270,63 @@ static const int maxsize[] = { sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ }; +static VNET_DEFINE(int, ipsec_esp_keymin) = 256; +#define V_ipsec_esp_keymin VNET_GET(ipsec_esp_keymin) +static VNET_DEFINE(int, ipsec_esp_auth) = 0; +#define V_ipsec_esp_auth VNET_GET(ipsec_esp_auth) +static VNET_DEFINE(int, ipsec_ah_keymin) = 128; +#define V_ipsec_ah_keymin VNET_GET(ipsec_ah_keymin) + #ifdef SYSCTL_DECL SYSCTL_DECL(_net_key); #endif -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug, - CTLFLAG_RW, key_debug_level, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, + CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); /* max count of trial for the decision of spi value */ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt, - CTLFLAG_RW, key_spi_trycnt, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, + CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, ""); /* minimum spi value to allocate automatically. */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE, - spi_minval, CTLFLAG_RW, key_spi_minval, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE, + spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, ""); /* maximun spi value to allocate automatically. 
*/ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE, - spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE, + spi_maxval, CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, ""); /* interval to initialize randseed */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT, - int_random, CTLFLAG_RW, key_int_random, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT, + int_random, CTLFLAG_RW, &VNET_NAME(key_int_random), 0, ""); /* lifetime for larval SA */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME, - larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME, + larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, ""); /* counter for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT, - blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, + blockacq_count, CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, ""); /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME, - blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, + blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, ""); /* ESP auth */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth, - CTLFLAG_RW, ipsec_esp_auth, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, + CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, ""); /* minimum ESP key length */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN, - esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN, + esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, ""); /* minimum AH key length */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin, - CTLFLAG_RW, ipsec_ah_keymin, 0, 
""); +SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, + CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, ""); /* perfered old SA rather than new SA */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA, - preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA, + preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, ""); #define __LIST_CHAINED(elm) \ (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) @@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp) int key_havesp(u_int dir) { - INIT_VNET_IPSEC(curvnet); return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? LIST_FIRST(&V_sptree[dir]) != NULL : 1); @@ -595,7 +614,6 @@ key_havesp(u_int dir) struct secpolicy * key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); @@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi, u_int dir, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(dst != NULL, ("null dst")); @@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc, const struct sockaddr *idst, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; const int dir = IPSEC_DIR_INBOUND; struct ipsecrequest *r1, *r2, *p; @@ -791,7 +807,6 @@ done: int key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); u_int level; int error; @@ -887,7 +902,6 @@ static struct secasvar * key_allocsa_policy(const struct secasindex *saidx) { #define N(a) _ARRAYLEN(a) - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize; 
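Review bot: Every `SYSCTL_VNET_INT` in this hunk is registered with an empty description string, so `sysctl -d net.key` shows nothing for tunables that bound key lengths and SPI allocation (`esp_keymin`, `ah_keymin`, `spi_minval`, `spi_maxval`); the comment above each node already holds the text, e.g. `"Minimum ESP key length"` for `KEYCTL_ESP_KEYMIN` and `"Minimum AH key length"` for `KEYCTL_AH_KEYMIN`. Separately, `key_spi_trycnt` is a `u_int` and `key_spi_minval`/`key_spi_maxval` are `u_int32_t` (see the definitions in the hunk at @@ -115), yet they are exported through the signed-int sysctl macro, so a value with the top bit set is displayed as negative; if net/vnet.h provides an unsigned counterpart (`SYSCTL_VNET_UINT`) it matches the declared types. The same empty-description pattern is repeated in the xform_ah.c, xform_esp.c and xform_ipcomp.c sysctl hunks of this commit.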
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx) static struct secasvar * key_do_allocsa_policy(struct secashead *sah, u_int state) { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav, *candidate, *d; /* initilize */ @@ -1081,7 +1094,6 @@ key_allocsa( u_int32_t spi, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize, state; @@ -1160,7 +1172,6 @@ done: void _key_freesp(struct secpolicy **spp, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp = *spp; IPSEC_ASSERT(sp != NULL, ("null sp")); @@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag) void key_freeso(struct socket *so) { - INIT_VNET_IPSEC(curvnet); IPSEC_ASSERT(so != NULL, ("null so")); switch (so->so_proto->pr_domain->dom_family) { @@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp) void key_freesav(struct secasvar **psav, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav = *psav; IPSEC_ASSERT(sav != NULL, ("null sav")); @@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp) static struct secpolicy * key_getsp(struct secpolicyindex *spidx) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); @@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx) static struct secpolicy * key_getspbyid(u_int32_t id) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; SPTREE_LOCK(); @@ -1353,7 +1360,6 @@ done: struct secpolicy * key_newsp(const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp = NULL; newsp = (struct secpolicy *) @@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error) size_t len; int *error; { - INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp; IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); 
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0, *xpl; struct sadb_lifetime *lft = NULL; @@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp) static u_int32_t key_getnewspid() { - INIT_VNET_IPSEC(curvnet); u_int32_t newid = 0; int count = V_key_spi_trycnt; /* XXX */ struct secpolicy *sp; @@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0; struct secpolicyindex spidx; @@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; @@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; struct mbuf *n; @@ -2315,7 +2315,6 @@ int key_spdacquire(sp) struct secpolicy *sp; { - INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secspacq *newspacq; @@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secpolicy *sp; u_int dir; @@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int cnt; u_int dir; @@ -2704,7 +2701,6 @@ static struct secashead * key_newsah(saidx) struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); struct secashead *newsah; IPSEC_ASSERT(saidx != NULL, ("null saidx")); @@ -2733,7 +2729,6 @@ static void key_delsah(sah) struct secashead *sah; { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav; u_int stateidx; int zombie = 0; 
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag) const char* where; int tag; { - INIT_VNET_IPSEC(curvnet); struct secasvar *newsav; const struct sadb_sa *xsa; @@ -2962,7 +2956,6 @@ static struct secashead * key_getsah(saidx) struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; SAHTREE_LOCK(); @@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi) struct secasindex *saidx; u_int32_t spi; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; @@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi) struct secashead *sah; u_int32_t spi; { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav; u_int stateidx, state; @@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); int error = 0; IPSEC_ASSERT(m != NULL, ("null mbuf")); @@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp) static int key_mature(struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); int error; /* check SPI value */ @@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type) u_int16_t key_portfromsaddr(struct sockaddr *sa) { - INIT_VNET_IPSEC(curvnet); switch (sa->sa_family) { #ifdef INET @@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa) static void key_porttosaddr(struct sockaddr *sa, u_int16_t port) { - INIT_VNET_IPSEC(curvnet); switch (sa->sa_family) { #ifdef INET @@ -3868,7 +3855,6 @@ struct seckey * key_dup_keymsg(const struct sadb_key *src, u_int len, struct malloc_type *type) { - INIT_VNET_IPSEC(curvnet); struct seckey *dst; dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); if (dst != NULL) { @@ -3902,7 +3888,6 @@ static struct seclifetime * key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) { - INIT_VNET_IPSEC(curvnet); struct seclifetime *dst = NULL; dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), 
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa) struct sockaddr *sa; { #ifdef INET - INIT_VNET_INET(curvnet); struct sockaddr_in *sin; struct in_ifaddr *ia; #endif @@ -3976,7 +3960,6 @@ static int key_ismyaddr6(sin6) struct sockaddr_in6 *sin6; { - INIT_VNET_INET6(curvnet); struct in6_ifaddr *ia; #if 0 struct in6_multi *in6m; @@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits) static void key_flush_spd(time_t now) { - INIT_VNET_IPSEC(curvnet); static u_int16_t sptree_scangen = 0; u_int16_t gen = sptree_scangen++; struct secpolicy *sp; @@ -4373,7 +4355,6 @@ restart: static void key_flush_sad(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; @@ -4511,7 +4492,6 @@ key_flush_sad(time_t now) static void key_flush_acq(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secacq *acq, *nextacq; /* ACQ tree */ @@ -4530,7 +4510,6 @@ key_flush_acq(time_t now) static void key_flush_spacq(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq, *nextacq; /* SP ACQ tree */ @@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *newsah; @@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx) struct sadb_spirange *spirange; struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); u_int32_t newspi; u_int32_t min, max; int count = V_key_spi_trycnt; @@ -4995,7 +4972,6 @@ key_update(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; #ifdef IPSEC_NAT_T @@ -5286,7 +5262,6 @@ key_add(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; #ifdef IPSEC_NAT_T 
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); const struct sadb_ident *idsrc, *iddst; int idsrclen, iddstlen; @@ -5624,7 +5598,6 @@ key_delete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -5770,7 +5743,6 @@ static int key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp, u_int16_t proto) { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -5894,7 +5866,6 @@ key_get(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb) static struct mbuf * key_getcomb_esp() { - INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct enc_xform *algo; struct mbuf *result = NULL, *m, *n; @@ -6116,7 +6086,6 @@ key_getsizes_ah( u_int16_t* min, u_int16_t* max) { - INIT_VNET_IPSEC(curvnet); *min = *max = ah->keysize; if (ah->keysize == 0) { @@ -6142,7 +6111,6 @@ key_getsizes_ah( static struct mbuf * key_getcomb_ah() { - INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct auth_hash *algo; struct mbuf *m; @@ -6303,7 +6271,6 @@ key_getprop(saidx) static int key_acquire(const struct secasindex *saidx, struct secpolicy *sp) { - INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secacq *newacq; u_int8_t satype; @@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp) static struct secacq * key_newacq(const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); struct secacq *newacq; /* get new entry */ 
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx) static struct secacq * key_getacq(const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -6518,7 +6483,6 @@ static struct secacq * key_getacqbyseq(seq) u_int32_t seq; { - INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -6535,7 +6499,6 @@ static struct secspacq * key_newspacq(spidx) struct secpolicyindex *spidx; { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq; /* get new entry */ @@ -6562,7 +6525,6 @@ static struct secspacq * key_getspacq(spidx) struct secpolicyindex *spidx; { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq; SPACQ_LOCK(); @@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); const struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -6756,7 +6717,6 @@ key_register(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secreg *reg, *newreg = 0; IPSEC_ASSERT(so != NULL, ("null socket")); @@ -6911,7 +6871,6 @@ key_register(so, m, mhp) void key_freereg(struct socket *so) { - INIT_VNET_IPSEC(curvnet); struct secreg *reg; int i; @@ -7087,7 +7046,6 @@ key_flush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; @@ -7171,7 +7129,6 @@ key_dump(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int16_t proto; @@ -7352,7 +7309,6 @@ key_parse(m, so) struct mbuf *m; struct socket *so; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *msg; struct sadb_msghdr mh; u_int orglen; @@ -7624,7 +7580,6 @@ key_align(m, mhp) struct mbuf *m; struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct mbuf *n; struct sadb_ext *ext; size_t off, end; 
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
 void
 key_init(void)
 {
- INIT_VNET_IPSEC(curvnet);
 int i;
 
- V_key_debug_level = 0;
- V_key_spi_trycnt = 1000;
- V_key_spi_minval = 0x100;
- V_key_spi_maxval = 0x0fffffff; /* XXX */
- V_policy_id = 0;
- V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
- V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
- V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
- V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
- V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
-
- V_acq_seq = 0;
-
- V_ipsec_esp_keymin = 256;
- V_ipsec_esp_auth = 0;
- V_ipsec_ah_keymin = 128;
-
 for (i = 0; i < IPSEC_DIR_MAX; i++)
 LIST_INIT(&V_sptree[i]);
 
@@ -7850,7 +7787,6 @@ key_init(void)
 void
 key_destroy(void)
 {
- INIT_VNET_IPSEC(curvnet);
 struct secpolicy *sp, *nextsp;
 struct secspacq *acq, *nextacq;
 struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
 key_sa_routechange(dst)
 struct sockaddr *dst;
 {
- INIT_VNET_IPSEC(curvnet);
 struct secashead *sah;
 struct route *ro;
 
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index a13a88a..da5dd75 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -44,9 +44,9 @@
 #include <sys/queue.h>
 #endif
 #include <sys/socket.h>
-#include <sys/vimage.h>
 
 #include <net/route.h>
+#include <net/vnet.h>
 
 #include <netipsec/key_var.h>
 #include <netipsec/key_debug.h>
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index 6ca0fe2..3082cc3 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -56,7 +56,8 @@
 #define KEYDEBUG(lev,arg) \
 do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
 
-extern u_int32_t key_debug_level;
+VNET_DECLARE(u_int32_t, key_debug_level);
+#define V_key_debug_level VNET_GET(key_debug_level)
 #endif /*_KERNEL*/
 
 struct sadb_msg;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index bb7cb00..1c79421 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -67,22 +67,25 @@
 
 #include <machine/stdarg.h>
 
-#ifdef VIMAGE_GLOBALS
-static struct key_cb key_cb;
-struct pfkeystat pfkeystat;
-#endif
+struct key_cb {
+ int key_count;
+ int any_count;
+};
+static VNET_DEFINE(struct key_cb, key_cb);
+#define V_key_cb VNET_GET(key_cb)
 
-static struct sockaddr key_src = { 2, PF_KEY };
+static struct sockaddr key_src = { 2, PF_KEY, };
 
 static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
 
+VNET_DEFINE(struct pfkeystat, pfkeystat);
+
 /*
  * key_output()
  */
 int
 key_output(struct mbuf *m, struct socket *so)
 {
- INIT_VNET_IPSEC(curvnet);
 struct sadb_msg *msg;
 int len, error = 0;
 
@@ -136,7 +139,6 @@ key_sendup0(rp, m, promisc)
 struct mbuf *m;
 int promisc;
 {
- INIT_VNET_IPSEC(curvnet);
 int error;
 
 if (promisc) {
@@ -181,7 +183,6 @@ key_sendup(so, msg, len, target)
 u_int len;
 int target; /*target of the resulting message*/
 {
- INIT_VNET_IPSEC(curvnet);
 struct mbuf *m, *n, *mprev;
 int tlen;
 
@@ -270,8 +271,6 @@ key_sendup_mbuf(so, m, target)
 struct mbuf *m;
 int target;
 {
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
 struct mbuf *n;
 struct keycb *kp;
 int sendup;
@@ -389,7 +388,6 @@ key_abort(struct socket *so)
 static int
 key_attach(struct socket *so, int proto, struct thread *td)
 {
- INIT_VNET_IPSEC(curvnet);
 struct keycb *kp;
 int error;
 
@@ -464,7 +462,6 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 static void
 key_detach(struct socket *so)
 {
- INIT_VNET_IPSEC(curvnet);
 struct keycb *kp = (struct keycb *)sotorawcb(so);
 
 KASSERT(kp != NULL, ("key_detach: kp == NULL"));
@@ -567,10 +564,8 @@ struct protosw keysw[] = {
 static void
 key_init0(void)
 {
- INIT_VNET_IPSEC(curvnet);
 bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
 
- ipsec_init();
 key_init();
 }
 
diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h
index 1097206..bcc274b 100644
--- a/sys/netipsec/keysock.h
+++ b/sys/netipsec/keysock.h
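Review bot: `static struct sockaddr key_src = { 2, PF_KEY, };` only gains a trailing comma and still relies on positional initialisation of `struct sockaddr`, where `2` lands in `sa_len` and `PF_KEY` in `sa_family` purely by field order. Since the line is being rewritten anyway, a designated initializer records the intent: `static struct sockaddr key_src = { .sa_len = 2, .sa_family = PF_KEY };`. The `struct key_cb` moved into this file also carries no comment on which sockets `key_count` and `any_count` tally; now that the struct is private to keysock.c and no header describes it, a one-line note on each field would help.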
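Review bot: `bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));` in key_init0() is probably redundant now that `key_cb` is a `VNET_DEFINE` with static storage, whose zero-initialised reference copy presumably seeds each per-vnet instance, and the `(caddr_t)` cast adds nothing for `bzero`; if the call is kept as a deliberate reset, a comment saying so, e.g. `/* Reset PF_KEY socket counters; static init already zeroes this. */`, keeps the next reader from guessing. Removing `ipsec_init();` also removes the only visible guarantee that ipsec_init() runs before key_init(); that ordering now depends on how ipsec_init() is invoked elsewhere in this commit, which is outside this hunk, so it is worth confirming that its new call site runs at or before the order used for key_init0().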
@@ -58,11 +58,6 @@ struct pfkeystat {
 u_quad_t sockerr; /* # of socket related errors */
 };
 
-struct key_cb {
- int key_count;
- int any_count;
-};
-
 #define KEY_SENDUP_ONE 0
 #define KEY_SENDUP_ALL 1
 #define KEY_SENDUP_REGISTERED 2
@@ -74,7 +69,8 @@ struct keycb {
 int kp_registered; /* registered socket */
 };
 
-extern struct pfkeystat pfkeystat;
+VNET_DECLARE(struct pfkeystat, pfkeystat);
+#define V_pfkeystat VNET_GET(pfkeystat)
 
 extern int key_output(struct mbuf *m, struct socket *so);
 extern int key_usrreq __P((struct socket *,
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
deleted file mode 100644
index 4a643e5..0000000
--- a/sys/netipsec/vipsec.h
+++ /dev/null
@@ -1,184 +0,0 @@ -/* - * Copyright (c) 2007-2008 University of Zagreb - * Copyright (c) 2007-2008 FreeBSD Foundation - * - * This software was developed by the University of Zagreb and the - * FreeBSD Foundation under sponsorship by the Stichting NLnet and the - * FreeBSD Foundation. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD$ - */ - -#ifndef _NETIPSEC_VIPSEC_H_ -#define _NETIPSEC_VIPSEC_H_ - -#include <sys/protosw.h> - -#include <net/pfkeyv2.h> -#include <net/raw_cb.h> - -#include <netipsec/ah_var.h> -#include <netipsec/esp_var.h> -#include <netipsec/ipcomp_var.h> -#include <netipsec/ipip_var.h> -#include <netipsec/ipsec.h> -#include <netipsec/keysock.h> - -struct vnet_ipsec { - int _ipsec_debug; - struct ipsecstat _ipsec4stat; - struct secpolicy _ip4_def_policy; - - int _ip4_esp_trans_deflev; - int _ip4_esp_net_deflev; - int _ip4_ah_trans_deflev; - int _ip4_ah_net_deflev; - int _ip4_ah_offsetmask; - int _ip4_ipsec_dfbit; - int _ip4_ipsec_ecn; - int _ip4_ipsec_filtertunnel; - int _ip4_esp_randpad; - - int _ipsec_replay; - int _ipsec_integrity; - int _crypto_support; - - u_int32_t _key_debug_level; - u_int _key_spi_trycnt; - u_int32_t _key_spi_minval; - u_int32_t _key_spi_maxval; - u_int32_t _policy_id; - u_int _key_int_random; - u_int _key_larval_lifetime; - int _key_blockacq_count; - int _key_blockacq_lifetime; - int _key_preferred_oldsa; - u_int32_t _acq_seq; - - int _esp_enable; - struct espstat _espstat; - int _esp_max_ivlen; - int _ipsec_esp_keymin; - int _ipsec_esp_auth; - int _ipsec_ah_keymin; - int _ipip_allow; - struct ipipstat _ipipstat; - - struct ipsecstat _ipsec6stat; - int _ip6_esp_trans_deflev; - int _ip6_esp_net_deflev; - int _ip6_ah_trans_deflev; - int _ip6_ah_net_deflev; - int _ip6_ipsec_ecn; - int _ip6_ipsec6_filtertunnel; - - int _ah_enable; - int _ah_cleartos; - struct ahstat _ahstat; - - int _ipcomp_enable; - struct ipcompstat _ipcompstat; - - struct pfkeystat _pfkeystat; - struct key_cb _key_cb; - LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX]; - LIST_HEAD(, secashead) _sahtree; - LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1]; - LIST_HEAD(, secacq) _acqtree; - LIST_HEAD(, secspacq) _spacqtree; -}; - -/* Size guard. See sys/vimage.h. 
*/ -VIMAGE_CTASSERT(SIZEOF_vnet_ipsec, sizeof(struct vnet_ipsec)); - -#ifndef VIMAGE -#ifndef VIMAGE_GLOBALS -extern struct vnet_ipsec vnet_ipsec_0; -#endif -#endif - -/* - * Symbol translation macros - */ -#define INIT_VNET_IPSEC(vnet) \ - INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec) - -#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym) - -#define V_acq_seq VNET_IPSEC(acq_seq) -#define V_acqtree VNET_IPSEC(acqtree) -#define V_ah_cleartos VNET_IPSEC(ah_cleartos) -#define V_ah_enable VNET_IPSEC(ah_enable) -#define V_ahstat VNET_IPSEC(ahstat) -#define V_crypto_support VNET_IPSEC(crypto_support) -#define V_esp_enable VNET_IPSEC(esp_enable) -#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen) -#define V_espstat VNET_IPSEC(espstat) -#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev) -#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask) -#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev) -#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy) -#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev) -#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad) -#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev) -#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit) -#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn) -#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel) -#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) -#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) -#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) -#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) -#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) -#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) -#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel) -#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) -#define V_ipcompstat VNET_IPSEC(ipcompstat) -#define V_ipip_allow VNET_IPSEC(ipip_allow) -#define V_ipipstat VNET_IPSEC(ipipstat) -#define V_ipsec4stat VNET_IPSEC(ipsec4stat) 
-#define V_ipsec6stat VNET_IPSEC(ipsec6stat) -#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin) -#define V_ipsec_debug VNET_IPSEC(ipsec_debug) -#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth) -#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin) -#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity) -#define V_ipsec_replay VNET_IPSEC(ipsec_replay) -#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count) -#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime) -#define V_key_cb VNET_IPSEC(key_cb) -#define V_key_debug_level VNET_IPSEC(key_debug_level) -#define V_key_int_random VNET_IPSEC(key_int_random) -#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime) -#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa) -#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval) -#define V_key_spi_minval VNET_IPSEC(key_spi_minval) -#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt) -#define V_pfkeystat VNET_IPSEC(pfkeystat) -#define V_policy_id VNET_IPSEC(policy_id) -#define V_regtree VNET_IPSEC(regtree) -#define V_sahtree VNET_IPSEC(sahtree) -#define V_spacqtree VNET_IPSEC(spacqtree) -#define V_sptree VNET_IPSEC(sptree) - -#endif /* !_NETIPSEC_VIPSEC_H_ */ diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 07d7001..658c92c 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -49,6 +49,7 @@ #include <sys/vimage.h> #include <net/if.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -73,17 +74,6 @@ #include <opencrypto/cryptodev.h> -static int ah_iattach(const void *); - -#ifndef VIMAGE_GLOBALS -static const vnet_modinfo_t vnet_ah_modinfo = { - .vmi_id = VNET_MOD_AH, - .vmi_name = "ipsec_ah", - .vmi_dependson = VNET_MOD_IPSEC, - .vmi_iattach = ah_iattach -}; -#endif /* !VIMAGE_GLOBALS */ - /* * Return header size in bytes. The old protocol did not support * the replay counter; the new protocol always includes the counter. 
@@ -99,19 +89,17 @@ static const vnet_modinfo_t vnet_ah_modinfo = {
 #define AUTHSIZE(sav) \
 ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
 
-#ifdef VIMAGE_GLOBALS
-int ah_enable;
-int ah_cleartos;
-struct ahstat ahstat;
-#endif
+VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
+VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
+VNET_DEFINE(struct ahstat, ahstat);
 
 SYSCTL_DECL(_net_inet_ah);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_enable, CTLFLAG_RW, ah_enable, 0, "");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ahstat, ahstat, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, "");
 
 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
 
@@ -173,7 +161,6 @@ ah_hdrsiz(struct secasvar *sav)
 int
 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
 {
- INIT_VNET_IPSEC(curvnet);
 struct auth_hash *thash;
 int keylen;
 
@@ -228,7 +215,6 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
 static int
 ah_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct cryptoini cria;
 int error;
 
@@ -263,7 +249,6 @@ ah_zeroize(struct secasvar *sav)
 static int
 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 {
- INIT_VNET_IPSEC(curvnet);
 struct mbuf *m = *m0;
 unsigned char *ptr;
 int off, count;
@@ -568,7 +553,6 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 static int
 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
- INIT_VNET_IPSEC(curvnet);
 struct auth_hash *ahx;
 struct tdb_ident *tdbi;
 struct tdb_crypto *tc;
@@ -738,7 +722,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 ah_input_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 int rplen, error, skip, protoff;
 unsigned char calc[AH_ALEN_MAX];
 struct mbuf *m;
@@ -901,7 +884,6 @@ ah_output(
 int skip,
 int protoff)
 {
- INIT_VNET_IPSEC(curvnet);
 struct secasvar *sav;
 struct auth_hash *ahx;
 struct cryptodesc *crda;
@@ -1128,7 +1110,6 @@ bad:
 static int
 ah_output_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 int skip, protoff, error;
 struct tdb_crypto *tc;
 struct ipsecrequest *isr;
@@ -1232,21 +1213,6 @@ ah_attach(void)
 {
 xform_register(&ah_xformsw);
 
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_ah_modinfo);
-#else
- ah_iattach(NULL);
-#endif
 }
 
-static int
-ah_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ah_enable = 1; /* control flow of packets with AH */
- V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
-
- return (0);
-}
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 6508c14..afb9d2d 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -49,6 +49,7 @@
 #include <sys/vimage.h>
 
 #include <net/if.h>
+#include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -76,30 +77,21 @@
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/xform.h>
 
-#ifdef VIMAGE_GLOBALS
-struct espstat espstat;
-static int esp_max_ivlen; /* max iv length over all algorithms */
-int esp_enable;
-#endif
+VNET_DEFINE(int, esp_enable) = 1;
+VNET_DEFINE(struct espstat, espstat);
 
 SYSCTL_DECL(_net_inet_esp);
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
- esp_enable, CTLFLAG_RW, esp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, espstat, espstat, "");
+SYSCTL_VNET_INT(_net_inet_esp, OID_AUTO,
+ esp_enable, CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_esp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(espstat), espstat, "");
+
+/* max iv length over all algorithms */
+static VNET_DEFINE(int, esp_max_ivlen) = 0;
+#define V_esp_max_ivlen VNET_GET(esp_max_ivlen)
 
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
-static int esp_iattach(const void *);
-
-#ifndef VIMAGE_GLOBALS
-static const vnet_modinfo_t vnet_esp_modinfo = {
- .vmi_id = VNET_MOD_ESP,
- .vmi_name = "ipsec_esp",
- .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = esp_iattach
-};
-#endif /* !VIMAGE_GLOBALS */
 
 /*
  * NB: this is public for use by the PF_KEY support.
@@ -134,7 +126,6 @@ esp_algorithm_lookup(int alg)
 size_t
 esp_hdrsiz(struct secasvar *sav)
 {
- INIT_VNET_IPSEC(curvnet);
 size_t size;
 
 if (sav != NULL) {
@@ -169,7 +160,6 @@ esp_hdrsiz(struct secasvar *sav)
 static int
 esp_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct enc_xform *txform;
 struct cryptoini cria, crie;
 int keylen;
@@ -280,7 +270,6 @@ esp_zeroize(struct secasvar *sav)
 static int
 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
- INIT_VNET_IPSEC(curvnet);
 struct auth_hash *esph;
 struct enc_xform *espx;
 struct tdb_ident *tdbi;
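Review bot: `esp_max_ivlen` becomes per-vnet state (`static VNET_DEFINE(int, esp_max_ivlen) = 0;`) while its only writer is the `MAXIV` sequence in esp_attach() (hunk at @@ -1000), which runs from a plain `SYSINIT` rather than once per vnet; if that SYSINIT executes in the context of the initial vnet only, that instance gets the computed maximum and every vnet created later starts from the reference copy's `0`, which would make esp_hdrsiz() under-size headers there. The value is a property of the compiled-in transform set, not of a network stack, so a non-virtualised `static int esp_max_ivlen;` with callers reading it directly is both simpler and correct for all vnets; otherwise esp_attach() needs a per-vnet initialiser. Either way the comment should say when the value is established, e.g. `/* max iv length over all algorithms; computed once in esp_attach() */`.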
@@ -463,7 +452,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 esp_input_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
 int hlen, skip, protoff, error;
 struct mbuf *m;
@@ -667,7 +655,6 @@ esp_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
 struct enc_xform *espx;
 struct auth_hash *esph;
 int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -898,7 +885,6 @@ bad:
 static int
 esp_output_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct ipsecrequest *isr;
 struct secasvar *sav;
@@ -1000,27 +986,10 @@ static struct xformsw esp_xformsw = {
 static void
 esp_attach(void)
 {
-
- xform_register(&esp_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_esp_modinfo);
-#else
- esp_iattach(NULL);
-#endif
-}
-
-static int
-esp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
 #define MAXIV(xform) \
 if (xform.blocksize > V_esp_max_ivlen) \
 V_esp_max_ivlen = xform.blocksize \
- V_esp_enable = 1;
- V_esp_max_ivlen = 0;
-
 MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
 MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
 MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
@@ -1029,8 +998,8 @@ esp_iattach(const void *unused __unused)
 MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
 MAXIV(enc_xform_null); /* SADB_EALG_NULL */
 MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */
-#undef MAXIV
- return (0);
+ xform_register(&esp_xformsw);
+#undef MAXIV
 }
 SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 8e2f1c4..2ea83e0 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -49,6 +49,8 @@
 #include <netinet/ip_var.h>
 #include <net/route.h>
+#include <net/vnet.h>
+
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
@@ -67,29 +69,25 @@
 #include <opencrypto/deflate.h>
 #include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-int ipcomp_enable;
-struct ipcompstat ipcompstat;
-#endif
+VNET_DEFINE(int, ipcomp_enable) = 0;
+VNET_DEFINE(struct ipcompstat, ipcompstat);
 SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
+SYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipcompstat), ipcompstat, "");
 static int ipcomp_input_cb(struct cryptop *crp);
 static int ipcomp_output_cb(struct cryptop *crp);
-static int ipcomp_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 static const vnet_modinfo_t vnet_ipcomp_modinfo = {
 .vmi_id = VNET_MOD_IPCOMP,
 .vmi_name = "ipsec_ipcomp",
 .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipcomp_iattach
 };
-#endif /* !VIMAGE_GLOBALS */
+#endif
 struct comp_algo *
 ipcomp_algorithm_lookup(int alg)
@@ -109,7 +107,6 @@ ipcomp_algorithm_lookup(int alg)
 static int
 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct comp_algo *tcomp;
 struct cryptoini cric;
@@ -150,7 +147,6 @@ ipcomp_zeroize(struct secasvar *sav)
 static int
 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct cryptodesc *crdc;
 struct cryptop *crp;
@@ -221,7 +217,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 ipcomp_input_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct cryptodesc *crd;
 struct tdb_crypto *tc;
 int skip, protoff;
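Review bot: `vnet_ipcomp_modinfo` in the `@@ -67,29 +69,25 @@` hunk survives with only `.vmi_id`, `.vmi_name` and `.vmi_dependson` once `.vmi_iattach` is dropped, and `ipcomp_attach()` (the `@@ -611,19 +604,9 @@` hunk) still registers it under `#ifdef VIMAGE`, whereas the AH and ESP files in this same diff delete their modinfo and `vnet_mod_register()` call outright now that initialization is static. xform_ipip.c keeps its modinfo the same way (`vnet_ipip_modinfo` in the `@@ -92,31 +91,27 @@` hunk, registered from `ipe4_attach()` in the `@@ -730,10 +710,8 @@` hunk). If the registration is still needed to express ordering after VNET_MOD_IPSEC for other modules, a one-line comment above the struct, e.g. `/* No per-vnet attach any more; registered only to order after VNET_MOD_IPSEC. */`, would stop the next reader from deleting it to match ah/esp; if it is not needed, dropping it as ah/esp do would make the four transforms consistent.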
@@ -342,7 +337,6 @@ ipcomp_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
 struct secasvar *sav;
 struct comp_algo *ipcompx;
 int error, ralen, hlen, maxpacketsize, roff;
@@ -501,7 +495,6 @@ bad:
 static int
 ipcomp_output_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct ipsecrequest *isr;
 struct secasvar *sav;
@@ -611,19 +604,9 @@ ipcomp_attach(void)
 {
 xform_register(&ipcomp_xformsw);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 vnet_mod_register(&vnet_ipcomp_modinfo);
-#else
- ipcomp_iattach(NULL);
 #endif
 }
-static int
-ipcomp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipcomp_enable = 0;
- return (0);
-}
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index d9cf8c6..8de23ec 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -68,7 +68,6 @@
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
 #endif
-#include <netinet/vinet.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
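Review bot: xform_ipip.c loses its `#include <netinet/vinet.h>` in the `@@ -68,7 +68,6 @@` hunk but, unlike xform_esp.c, xform_ipcomp.c and xform_tcp.c in this same diff, gains no `#include <net/vnet.h>`, even though the file goes on to use `VNET_DEFINE` and `VNET_NAME` in its `@@ -92,31 +91,27 @@` hunk. Presumably the macros currently arrive through a transitive include such as `<netipsec/ipsec.h>`; adding `#include <net/vnet.h>` directly above `#include <netipsec/ipsec.h>` would make the file self-contained and match the other three transforms.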
@@ -92,31 +91,27 @@
 * We can control the acceptance of IP4 packets by altering the sysctl
 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
 */
-#ifdef VIMAGE_GLOBALS
-int ipip_allow;
-struct ipipstat ipipstat;
-#endif
+VNET_DEFINE(int, ipip_allow) = 0;
+VNET_DEFINE(struct ipipstat, ipipstat);
 SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
- ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipipstat, ipipstat, "");
+SYSCTL_VNET_INT(_net_inet_ipip, OID_AUTO,
+ ipip_allow, CTLFLAG_RW, &VNET_NAME(ipip_allow), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipipstat), ipipstat, "");
 /* XXX IPCOMP */
 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
-static int ipe4_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 static const vnet_modinfo_t vnet_ipip_modinfo = {
 .vmi_id = VNET_MOD_IPIP,
 .vmi_name = "ipsec_ipip",
 .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipe4_iattach
 };
-#endif /* !VIMAGE_GLOBALS */
+#endif
 #ifdef INET6
 /*
@@ -169,8 +164,6 @@ ip4_input(struct mbuf *m, int off)
 static void
 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 {
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
 #ifdef INET
 register struct sockaddr_in *sin;
 #endif
@@ -424,10 +417,6 @@ ipip_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
-#ifdef INET
- INIT_VNET_INET(curvnet);
-#endif /* INET */
 struct secasvar *sav;
 u_int8_t tp, otos;
 struct secasindex *saidx;
@@ -708,15 +697,6 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
 }
-static int
-ipe4_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipip_allow = 0;
- return (0);
-}
-
 static void
 ipe4_attach(void)
 {
@@ -730,10 +710,8 @@ ipe4_attach(void)
 (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck,
 (struct protosw *)&ipe6_protosw, NULL);
 #endif
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 vnet_mod_register(&vnet_ipip_modinfo);
-#else
- ipe4_iattach(NULL);
 #endif
 }
 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 35a4d43..1fad954 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -49,6 +49,8 @@
 #include <netinet/tcp_var.h>
 #include <net/route.h>
+#include <net/vnet.h>
+
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
@@ -83,7 +85,6 @@ static int
 tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 int keylen;
 if (sav->spi != htonl(TCP_SIG_SPI)) { |