authorzec <zec@FreeBSD.org>2009-04-06 22:29:41 +0000
committerzec <zec@FreeBSD.org>2009-04-06 22:29:41 +0000
commitc85551e0bc714ce0e1634c2d308b1616c8dd88ca (patch)
tree1b479c98f577a974d301743e3161bc32e49c0e64 /sys/netipsec
parentf28ea657e983e90686b8309747fd1c6ad718135c (diff)
First pass at separating per-vnet initializer functions
from existing functions for initializing global state. At this stage, the new per-vnet initializer functions are directly called from the existing global initialization code, which should in most cases result in the compiler inlining those new functions, hence yielding a near-zero functional change. Modify the existing initializer functions which are invoked via protosw, like ip_init() et al., to allow them to be invoked multiple times, i.e. once per vnet. Global state, if any, is initialized only if such functions are called within the context of vnet0, which will be determined via the IS_DEFAULT_VNET(curvnet) check (currently always true). While here, V_irtualize a few remaining global UMA zones used by net/netinet/netipsec networking code. While it is not yet clear to me or anybody else whether this is the right thing to do, at this stage this makes the code more readable, and makes it easier to track uncollected UMA-zone-backed objects on vnet removal. In the long run, it's quite possible that some form of shared use of UMA zone pools among multiple vnets should be considered. Bump __FreeBSD_version due to changes in layout of structs vnet_ipfw, vnet_inet and vnet_net. Approved by: julian (mentor)
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c12
-rw-r--r--sys/netipsec/key.c15
-rw-r--r--sys/netipsec/xform_ah.c13
-rw-r--r--sys/netipsec/xform_esp.c17
-rw-r--r--sys/netipsec/xform_ipcomp.c12
-rw-r--r--sys/netipsec/xform_ipip.c12
6 files changed, 68 insertions, 13 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 00ce8de..85d2897 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -103,6 +103,8 @@ struct vnet_ipsec vnet_ipsec_0;
#endif
#endif
+static int ipsec_iattach(const void *);
+
#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it. */
struct ipsecstat ipsec4stat;
@@ -1758,8 +1760,18 @@ static void
ipsec_attach(void)
{
+ ipsec_iattach(NULL);
+}
+
+static int
+ipsec_iattach(const void *unused __unused)
+{
+ INIT_VNET_IPSEC(curvnet);
+
SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */
+
+ return (0);
}
SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
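Review bot: ipsec_iattach() assigns `V_ip4_def_policy.refcnt = 1` unconditionally, while key_init() in sys/netipsec/key.c (context lines of this same commit) does `V_ip4_def_policy.refcnt++` on the same object. Whether the assignment runs before or after that increment is not visible here, and once ipsec_iattach() is invoked per vnet the final count will depend on that order; a default-policy reference count that ends up lower than intended is the kind of slip that can lead to a premature free. I would add a comment above ipsec_iattach() that states the required order, for example `/* Per-vnet init; must run before key_init() takes its extra reference on V_ip4_def_policy. */`, after confirming that this is the actual order.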
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 95a5df6..70b68a8 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -7171,12 +7171,6 @@ key_init(void)
V_ipsec_esp_auth = 0;
V_ipsec_ah_keymin = 128;
- SPTREE_LOCK_INIT();
- REGTREE_LOCK_INIT();
- SAHTREE_LOCK_INIT();
- ACQ_LOCK_INIT();
- SPACQ_LOCK_INIT();
-
for (i = 0; i < IPSEC_DIR_MAX; i++)
LIST_INIT(&V_sptree[i]);
@@ -7192,6 +7186,15 @@ key_init(void)
V_ip4_def_policy.policy = IPSEC_POLICY_NONE;
V_ip4_def_policy.refcnt++; /*never reclaim this*/
+ if (!IS_DEFAULT_VNET(curvnet))
+ return;
+
+ SPTREE_LOCK_INIT();
+ REGTREE_LOCK_INIT();
+ SAHTREE_LOCK_INIT();
+ ACQ_LOCK_INIT();
+ SPACQ_LOCK_INIT();
+
#ifndef IPSEC_DEBUG2
timeout((void *)key_timehandler, (void *)0, hz);
#endif /*IPSEC_DEBUG2*/
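Review bot: The early `return` for a non-default vnet skips not only the global lock initialisation but also the `timeout(... key_timehandler ...)` arming and everything that follows it in key_init(), whose body continues past this hunk. That is right for state that exists once, but any per-vnet setup placed below this point would be silently skipped for other vnets, and it leaves open whether key_timehandler, armed once from vnet0, will service the key databases of every vnet (its body is not shown here). The check is currently always true according to the commit message, so nothing changes today, but the contract should be written down at the check: `/* Below: global state only, set up once from vnet0. Per-vnet initialisation must stay above this check. */`.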
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 3a4c7dc..365ac13 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -73,6 +73,8 @@
#include <opencrypto/cryptodev.h>
+static int ah_iattach(const void *);
+
/*
* Return header size in bytes. The old protocol did not support
* the replay counter; the new protocol always includes the counter.
@@ -1220,9 +1222,18 @@ static void
ah_attach(void)
{
+ xform_register(&ah_xformsw);
+ ah_iattach(NULL);
+}
+
+static int
+ah_iattach(const void *unused __unused)
+{
+ INIT_VNET_IPSEC(curvnet);
+
V_ah_enable = 1; /* control flow of packets with AH */
V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
- xform_register(&ah_xformsw);
+ return (0);
}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
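Review bot: `xform_register(&ah_xformsw)` now runs before `V_ah_enable` and `V_ah_cleartos` are assigned, the reverse of the old order, so the transform is published before its per-vnet defaults are in place. The same reordering appears in esp_attach() and ipcomp_attach(), and in sys/netipsec/xform_ipip.c `ipe4_iattach(NULL)` is called only after the `encap_attach_func()` call visible in its second hunk, so the restrictive default `V_ipip_allow = 0` is assigned after the encapsulation handlers are attached. This is probably harmless while SYSINIT is still running, but keeping the old order costs nothing: call `ah_iattach(NULL);` first and `xform_register(&ah_xformsw);` second, and likewise in the other three files.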
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 98a2240..46ab8d8 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -90,6 +90,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
+static int esp_iattach(const void *);
/*
* NB: this is public for use by the PF_KEY support.
@@ -990,9 +991,19 @@ static struct xformsw esp_xformsw = {
static void
esp_attach(void)
{
+
+ xform_register(&esp_xformsw);
+ esp_iattach(NULL);
+}
+
+static int
+esp_iattach(const void *unused __unused)
+{
+ INIT_VNET_IPSEC(curvnet);
+
#define MAXIV(xform) \
if (xform.blocksize > V_esp_max_ivlen) \
- V_esp_max_ivlen = xform.blocksize \
+ V_esp_max_ivlen = xform.blocksize \
V_esp_enable = 1;
V_esp_max_ivlen = 0;
@@ -1005,8 +1016,8 @@ esp_attach(void)
MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
MAXIV(enc_xform_null); /* SADB_EALG_NULL */
MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */
-
- xform_register(&esp_xformsw);
#undef MAXIV
+
+ return (0);
}
SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index d64abf0f..c4f0591 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -80,6 +80,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
+static int ipcomp_iattach(const void *);
struct comp_algo *
ipcomp_algorithm_lookup(int alg)
@@ -600,7 +601,16 @@ static void
ipcomp_attach(void)
{
- V_ipcomp_enable = 0;
xform_register(&ipcomp_xformsw);
+ ipcomp_iattach(NULL);
+}
+
+static int
+ipcomp_iattach(const void *unused __unused)
+{
+ INIT_VNET_IPSEC(curvnet);
+
+ V_ipcomp_enable = 0;
+ return (0);
}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index cbc447c..f7949ec 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -697,11 +697,18 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
}
-static void
-ipe4_attach(void)
+static int
+ipe4_iattach(const void *unused __unused)
{
+ INIT_VNET_IPSEC(curvnet);
V_ipip_allow = 0;
+ return (0);
+}
+
+static void
+ipe4_attach(void)
+{
xform_register(&ipe4_xformsw);
/* attach to encapsulation framework */
@@ -712,6 +719,7 @@ ipe4_attach(void)
(void) encap_attach_func(AF_INET6, -1,
ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
#endif
+ ipe4_iattach(NULL);
}
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
#endif /* IPSEC */