1 files changed, 17 insertions, 7 deletions

diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 57a5044..e763187 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -30,6 +30,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_inet6.h"
 #include "opt_ipsec.h"
 
 #include <sys/param.h>
@@ -46,6 +47,7 @@ __FBSDID("$FreeBSD$");
 
 #include <net/if.h>
 #include <net/route.h>
+#include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -72,13 +74,25 @@ __FBSDID("$FreeBSD$");
 
 #include <netinet6/ip6_ipsec.h>
 #include <netinet6/ip6_var.h>
-#include <netinet6/vinet6.h>
 
 extern	struct protosw inet6sw[];
 
-#ifdef VIMAGE_GLOBALS
-int ip6_ipsec6_filtertunnel;
+
+#ifdef INET6 
+#ifdef IPSEC
+#ifdef IPSEC_FILTERTUNNEL
+static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
+#else
+static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
 #endif
+#define	V_ip6_ipsec6_filtertunnel	VNET_GET(ip6_ipsec6_filtertunnel)
+
+SYSCTL_DECL(_net_inet6_ipsec6);
+SYSCTL_VNET_INT(_net_inet6_ipsec6, OID_AUTO,
+	filtertunnel, CTLFLAG_RW, &VNET_NAME(ip6_ipsec6_filtertunnel),  0,
+	"If set filter packets from an IPsec tunnel.");
+#endif /* IPSEC */
+#endif /* INET6 */
 
 /*
  * Check if we have to jump over firewall processing for this packet.
@@ -89,7 +103,6 @@ int
 ip6_ipsec_filtertunnel(struct mbuf *m)
 {
 #if defined(IPSEC)
-	INIT_VNET_IPSEC(curvnet);
 
 	/*
 	 * Bypass packet filtering for packets from a tunnel.
@@ -111,8 +124,6 @@ int
 ip6_ipsec_fwd(struct mbuf *m)
 {
 #ifdef IPSEC
-	INIT_VNET_INET6(curvnet);
-	INIT_VNET_IPSEC(curvnet);
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
@@ -158,7 +169,6 @@ int
 ip6_ipsec_input(struct mbuf *m, int nxt)
 {
 #ifdef IPSEC
-	INIT_VNET_IPSEC(curvnet);
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;