summaryrefslogtreecommitdiffstats
path: root/sys/netipsec
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ah_var.h9
-rw-r--r--sys/netipsec/esp_var.h6
-rw-r--r--sys/netipsec/ipcomp_var.h6
-rw-r--r--sys/netipsec/ipip_var.h8
-rw-r--r--sys/netipsec/ipsec.c244
-rw-r--r--sys/netipsec/ipsec.h52
-rw-r--r--sys/netipsec/ipsec6.h19
-rw-r--r--sys/netipsec/ipsec_input.c7
-rw-r--r--sys/netipsec/ipsec_mbuf.c5
-rw-r--r--sys/netipsec/ipsec_output.c9
-rw-r--r--sys/netipsec/key.c209
-rw-r--r--sys/netipsec/key_debug.c2
-rw-r--r--sys/netipsec/key_debug.h3
-rw-r--r--sys/netipsec/keysock.c23
-rw-r--r--sys/netipsec/keysock.h8
-rw-r--r--sys/netipsec/vipsec.h184
-rw-r--r--sys/netipsec/xform_ah.c54
-rw-r--r--sys/netipsec/xform_esp.c57
-rw-r--r--sys/netipsec/xform_ipcomp.c39
-rw-r--r--sys/netipsec/xform_ipip.c40
-rw-r--r--sys/netipsec/xform_tcp.c3
21 files changed, 274 insertions, 713 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h
index 5a8c06e..974cc6c 100644
--- a/sys/netipsec/ah_var.h
+++ b/sys/netipsec/ah_var.h
@@ -71,8 +71,11 @@ struct ahstat {
};
#ifdef _KERNEL
-extern int ah_enable;
-extern int ah_cleartos;
-extern struct ahstat ahstat;
+VNET_DECLARE(int, ah_enable);
+#define V_ah_enable VNET_GET(ah_enable)
+VNET_DECLARE(int, ah_cleartos);
+#define V_ah_cleartos VNET_GET(ah_cleartos)
+VNET_DECLARE(struct ahstat, ahstat);
+#define V_ahstat VNET_GET(ahstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_AH_VAR_H_*/
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h
index 278b996..66fcd39 100644
--- a/sys/netipsec/esp_var.h
+++ b/sys/netipsec/esp_var.h
@@ -72,7 +72,9 @@ struct espstat {
};
#ifdef _KERNEL
-extern int esp_enable;
-extern struct espstat espstat;
+VNET_DECLARE(int, esp_enable);
+#define V_esp_enable VNET_GET(esp_enable)
+VNET_DECLARE(struct espstat, espstat);
+#define V_espstat VNET_GET(espstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_ESP_VAR_H_*/
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index 6a506bb..d70c6a2 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -61,7 +61,9 @@ struct ipcompstat {
};
#ifdef _KERNEL
-extern int ipcomp_enable;
-extern struct ipcompstat ipcompstat;
+VNET_DECLARE(int, ipcomp_enable);
+#define V_ipcomp_enable VNET_GET(ipcomp_enable)
+VNET_DECLARE(struct ipcompstat, ipcompstat);
+#define V_ipcompstat VNET_GET(ipcompstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_IPCOMP_VAR_H_*/
diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h
index 3d4ee15..a620b72 100644
--- a/sys/netipsec/ipip_var.h
+++ b/sys/netipsec/ipip_var.h
@@ -59,9 +59,9 @@ struct ipipstat
};
#ifdef _KERNEL
-extern int ipip_allow;
-#ifdef VIMAGE_GLOBALS
-extern struct ipipstat ipipstat;
-#endif
+VNET_DECLARE(int, ipip_allow);
+#define V_ipip_allow VNET_GET(ipip_allow)
+VNET_DECLARE(struct ipipstat, ipipstat);
+#define V_ipipstat VNET_GET(ipipstat)
#endif /* _KERNEL */
#endif /* _NETINET_IPIP_H_ */
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index dabd5b6..4a7001e 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -57,6 +57,7 @@
#include <net/if.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -97,30 +98,25 @@
#include <opencrypto/cryptodev.h>
-#ifndef VIMAGE
-#ifndef VIMAGE_GLOBALS
-struct vnet_ipsec vnet_ipsec_0;
-#endif
-#endif
-
-static int ipsec_iattach(const void *);
-#ifdef VIMAGE
-static int ipsec_idetach(const void *);
+#ifdef IPSEC_DEBUG
+VNET_DEFINE(int, ipsec_debug) = 1;
+#else
+VNET_DEFINE(int, ipsec_debug) = 0;
#endif
-
-#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it. */
-struct ipsecstat ipsec4stat;
-struct secpolicy ip4_def_policy;
-int ipsec_debug;
-int ip4_ah_offsetmask;
-int ip4_ipsec_dfbit;
-int ip4_esp_trans_deflev;
-int ip4_esp_net_deflev;
-int ip4_ah_trans_deflev;
-int ip4_ah_net_deflev;
-int ip4_ipsec_ecn;
-int ip4_esp_randpad;
+VNET_DEFINE(struct ipsecstat, ipsec4stat);
+VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */
+/* DF bit on encap. 0: clear 1: set 2: copy */
+VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
+VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(struct secpolicy, ip4_def_policy);
+/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
+VNET_DEFINE(int, ip4_esp_randpad) = -1;
+
/*
* Crypto support requirements:
*
@@ -128,80 +124,74 @@ int ip4_esp_randpad;
* -1 require software support
* 0 take anything
*/
-int crypto_support;
-#endif /* VIMAGE_GLOBALS */
+VNET_DEFINE(int, crypto_support) = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
SYSCTL_DECL(_net_inet_ipsec);
/* net.inet.ipsec */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy,
+ CTLFLAG_RW, &VNET_NAME(ip4_def_policy).policy, 0,
"IPsec default policy.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV,
- esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_esp_trans_deflev), 0,
"Default ESP transport mode level");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV,
- esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_esp_net_deflev), 0,
"Default ESP tunnel mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV,
- ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_trans_deflev), 0,
"AH transfer mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
- ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_net_deflev), 0,
"AH tunnel mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
- ah_cleartos, CTLFLAG_RW, ah_cleartos, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
+ CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
"If set clear type-of-service field when doing AH computation.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
- ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
"If not set clear offset field mask when doing AH computation.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT,
- dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
+ CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
"Do not fragment bit on encap.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn,
+ CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, ipsec_debug, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug,
+ CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
"Enable IPsec debugging output when set.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- crypto_support, CTLFLAG_RW, crypto_support,0,
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, crypto_support,
+ CTLFLAG_RW, &VNET_NAME(crypto_support), 0,
"Crypto driver selection.");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat,
+SYSCTL_VNET_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats,
+ CTLFLAG_RD, &VNET_NAME(ipsec4stat), ipsecstat,
"IPsec IPv4 statistics.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0,
- "If set filter packets from an IPsec tunnel.");
#ifdef REGRESSION
-#ifdef VIMAGE_GLOBALS
-int ipsec_replay;
-int ipsec_integrity;
-#endif
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
*/
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
- CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
+VNET_DEFINE(int, ipsec_replay) = 0;
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_replay,
+ CTLFLAG_RW, &VNET_NAME(ipsec_replay), 0,
+ "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
- CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+VNET_DEFINE(int, ipsec_integrity) = 0;
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_integrity,
+ CTLFLAG_RW, &VNET_NAME(ipsec_integrity), 0,
+ "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
-#ifdef VIMAGE_GLOBALS
-struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev;
-int ip6_esp_net_deflev;
-int ip6_ah_trans_deflev;
-int ip6_ah_net_deflev;
-int ip6_ipsec_ecn;
-#endif
+VNET_DEFINE(struct ipsecstat, ipsec6stat);
+VNET_DEFINE(int, ip6_esp_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_esp_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
SYSCTL_DECL(_net_inet6_ipsec6);
@@ -210,33 +200,30 @@ SYSCTL_DECL(_net_inet6_ipsec6);
SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics.");
#endif /* COMPAT_KAME */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW,
+ &VNET_NAME(ip4_def_policy).policy, 0,
"IPsec default policy.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
- esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_trans_deflev), 0,
"Default ESP transport mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
- esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_net_deflev), 0,
"Default ESP tunnel mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
- ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_trans_deflev), 0,
"AH transfer mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
- ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_net_deflev), 0,
"AH tunnel mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, ipsec_debug, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_RW,
+ &VNET_NAME(ipsec_debug), 0,
"Enable IPsec debugging output when set.");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
- ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
+SYSCTL_VNET_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
+ ipsecstats, CTLFLAG_RD, &VNET_NAME(ipsec6stat), ipsecstat,
"IPsec IPv6 statistics.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
- filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0,
- "If set filter packets from an IPsec tunnel.");
#endif /* INET6 */
static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@@ -253,72 +240,22 @@ static void vshiftl __P((unsigned char *, int, int));
MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
-#ifndef VIMAGE_GLOBALS
+static int ipsec_iattach(const void *);
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipsec_modinfo = {
.vmi_id = VNET_MOD_IPSEC,
.vmi_name = "ipsec",
- .vmi_size = sizeof(struct vnet_ipsec),
.vmi_dependson = VNET_MOD_INET, /* XXX revisit - INET6 ? */
.vmi_iattach = ipsec_iattach,
-#ifdef VIMAGE
- .vmi_idetach = ipsec_idetach
-#endif
};
-#endif /* !VIMAGE_GLOBALS */
-
-void
-ipsec_init(void)
-{
- INIT_VNET_IPSEC(curvnet);
-
-#ifdef IPSEC_DEBUG
- V_ipsec_debug = 1;
-#else
- V_ipsec_debug = 0;
#endif
- V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
- V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
- V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
- V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
- V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
- V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
- V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
- V_ip4_esp_randpad = -1;
-#ifdef IPSEC_FILTERTUNNEL
- V_ip4_ipsec_filtertunnel = 1;
-#else
- V_ip4_ipsec_filtertunnel = 0;
-#endif
-
- V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
-
-#ifdef REGRESSION
- V_ipsec_replay = 0;
- V_ipsec_integrity = 0;
-#endif
-
-#ifdef INET6
- V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
- V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
- V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
- V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
- V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-#ifdef IPSEC_FILTERTUNNEL
- V_ip6_ipsec6_filtertunnel = 1;
-#else
- V_ip6_ipsec6_filtertunnel = 0;
-#endif
-#endif
-}
-
/*
* Return a held reference to the default SP.
*/
static struct secpolicy *
key_allocsp_default(const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -384,7 +321,6 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
static struct secpolicy *
ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
{
- INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *pcbsp;
struct secpolicy *currsp = NULL; /* Policy on socket. */
struct secpolicy *sp;
@@ -482,7 +418,6 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
struct secpolicy *
ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicyindex spidx;
struct secpolicy *sp;
@@ -515,7 +450,6 @@ struct secpolicy *
ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
*error = 0;
@@ -587,7 +521,6 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
static int
ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
{
- INIT_VNET_IPSEC(curvnet);
struct ip *ip = NULL;
struct ip ipbuf;
u_int v;
@@ -778,7 +711,6 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
static void
ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
{
- INIT_VNET_IPSEC(curvnet);
int off, nxt;
struct tcphdr th;
struct udphdr uh;
@@ -891,7 +823,6 @@ ipsec_delpcbpolicy(struct inpcbpolicy *p)
int
ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
{
- INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *new;
/* Sanity check. */
@@ -1030,7 +961,6 @@ static int
ipsec_set_policy_internal(struct secpolicy **pcb_sp, int optname,
caddr_t request, size_t len, struct ucred *cred)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *newsp = NULL;
int error;
@@ -1079,7 +1009,6 @@ int
ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request,
size_t len, struct ucred *cred)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1111,7 +1040,6 @@ int
ipsec_get_policy(struct inpcb *inp, caddr_t request, size_t len,
struct mbuf **mp)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1182,7 +1110,6 @@ ipsec_delete_pcbpolicy(struct inpcb *inp)
u_int
ipsec_get_reqlevel(struct ipsecrequest *isr)
{
- INIT_VNET_IPSEC(curvnet);
u_int level = 0;
u_int esp_trans_deflev, esp_net_deflev;
u_int ah_trans_deflev, ah_net_deflev;
@@ -1287,7 +1214,6 @@ ipsec_get_reqlevel(struct ipsecrequest *isr)
int
ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
int need_auth;
@@ -1390,7 +1316,6 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
int
ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
int result;
result = ipsec46_in_reject(m, inp);
@@ -1409,7 +1334,6 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
int
ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
int result;
result = ipsec46_in_reject(m, inp);
@@ -1428,7 +1352,6 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
static size_t
ipsec_hdrsiz_internal(struct secpolicy *sp)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
size_t size;
@@ -1491,7 +1414,6 @@ ipsec_hdrsiz_internal(struct secpolicy *sp)
size_t
ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1591,7 +1513,6 @@ ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
int
ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
struct secreplay *replay;
u_int32_t diff;
int fr;
@@ -1791,10 +1712,10 @@ ipsec_dumpmbuf(struct mbuf *m)
}
static void
-ipsec_attach(void)
+ipsec_attach(const void *unused __unused)
{
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipsec_modinfo);
#else
ipsec_iattach(NULL);
@@ -1804,7 +1725,6 @@ ipsec_attach(void)
static int
ipsec_iattach(const void *unused __unused)
{
- INIT_VNET_IPSEC(curvnet);
SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */
@@ -1812,16 +1732,6 @@ ipsec_iattach(const void *unused __unused)
return (0);
}
-#ifdef VIMAGE
-static int
-ipsec_idetach(const void *unused __unused)
-{
-
- /* XXX revisit this! */
-
- return (0);
-}
-#endif
SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index c869ec8..03df7bc 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -332,25 +332,40 @@ struct ipsec_history {
u_int32_t ih_spi;
};
-extern int ipsec_debug;
-#ifdef REGRESSION
-extern int ipsec_replay;
-extern int ipsec_integrity;
-#endif
+VNET_DECLARE(int, ipsec_debug);
+#define V_ipsec_debug VNET_GET(ipsec_debug)
+VNET_DECLARE(struct ipsecstat, ipsec4stat);
+#define V_ipsec4stat VNET_GET(ipsec4stat)
+VNET_DECLARE(int, ip4_ah_offsetmask);
+#define V_ip4_ah_offsetmask VNET_GET(ip4_ah_offsetmask)
+VNET_DECLARE(int, ip4_ipsec_dfbit);
+#define V_ip4_ipsec_dfbit VNET_GET(ip4_ipsec_dfbit)
+VNET_DECLARE(int, ip4_esp_trans_deflev);
+#define V_ip4_esp_trans_deflev VNET_GET(ip4_esp_trans_deflev)
+VNET_DECLARE(int, ip4_esp_net_deflev);
+#define V_ip4_esp_net_deflev VNET_GET(ip4_esp_net_deflev)
+VNET_DECLARE(int, ip4_ah_trans_deflev);
+#define V_ip4_ah_trans_deflev VNET_GET(ip4_ah_trans_deflev)
+VNET_DECLARE(int, ip4_ah_net_deflev);
+#define V_ip4_ah_net_deflev VNET_GET(ip4_ah_net_deflev)
+VNET_DECLARE(struct secpolicy, ip4_def_policy);
+#define V_ip4_def_policy VNET_GET(ip4_def_policy)
+VNET_DECLARE(int, ip4_ipsec_ecn);
+#define V_ip4_ipsec_ecn VNET_GET(ip4_ipsec_ecn)
+VNET_DECLARE(int, ip4_esp_randpad);
+#define V_ip4_esp_randpad VNET_GET(ip4_esp_randpad)
+
+VNET_DECLARE(int, crypto_support);
+#define V_crypto_support VNET_GET(crypto_support)
-extern struct ipsecstat ipsec4stat;
-extern struct secpolicy ip4_def_policy;
-extern int ip4_esp_trans_deflev;
-extern int ip4_esp_net_deflev;
-extern int ip4_ah_trans_deflev;
-extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
-extern int ip4_ah_offsetmask;
-extern int ip4_ipsec_dfbit;
-extern int ip4_ipsec_ecn;
-extern int ip4_ipsec_filtertunnel;
-extern int ip4_esp_randpad;
-extern int crypto_support;
+
+#ifdef REGRESSION
+VNET_DECLARE(int, ipsec_replay);
+#define V_ipsec_replay VNET_GET(ipsec_replay)
+VNET_DECLARE(int, ipsec_integrity);
+#define V_ipsec_integrity VNET_GET(ipsec_integrity)
+#endif
#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0)
/* for openbsd compatibility */
@@ -360,7 +375,6 @@ extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);
struct tdb_ident;
-extern void ipsec_init(void);
extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
struct inpcb;
extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
@@ -434,8 +448,6 @@ extern char *ipsec_dump_policy __P((caddr_t, char *));
extern const char *ipsec_strerror __P((void));
-#else
-#include <netipsec/vipsec.h>
#endif /* ! KERNEL */
#endif /* _NETIPSEC_IPSEC_H_ */
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 2f49463..a04cbec 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -41,13 +41,18 @@
#include <netipsec/keydb.h>
#ifdef _KERNEL
-extern struct ipsecstat ipsec6stat;
-extern int ip6_esp_trans_deflev;
-extern int ip6_esp_net_deflev;
-extern int ip6_ah_trans_deflev;
-extern int ip6_ah_net_deflev;
-extern int ip6_ipsec_ecn;
-extern int ip6_ipsec6_filtertunnel;
+VNET_DECLARE(struct ipsecstat, ipsec6stat);
+#define V_ipsec6stat VNET_GET(ipsec6stat)
+VNET_DECLARE(int, ip6_esp_trans_deflev);
+#define V_ip6_esp_trans_deflev VNET_GET(ip6_esp_trans_deflev)
+VNET_DECLARE(int, ip6_esp_net_deflev);
+#define V_ip6_esp_net_deflev VNET_GET(ip6_esp_net_deflev)
+VNET_DECLARE(int, ip6_ah_trans_deflev);
+#define V_ip6_ah_trans_deflev VNET_GET(ip6_ah_trans_deflev)
+VNET_DECLARE(int, ip6_ah_net_deflev);
+#define V_ip6_ah_net_deflev VNET_GET(ip6_ah_net_deflev)
+VNET_DECLARE(int, ip6_ipsec_ecn);
+#define V_ip6_ipsec_ecn VNET_GET(ip6_ipsec_ecn)
struct inpcb;
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 4ec169b..78f023a 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -60,6 +60,7 @@
#include <net/pfil.h>
#include <net/route.h>
#include <net/netisr.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -74,7 +75,6 @@
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet/icmp6.h>
-#include <netinet6/vinet6.h>
#endif
#include <netipsec/ipsec.h>
@@ -116,7 +116,6 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
- INIT_VNET_IPSEC(curvnet);
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
@@ -295,7 +294,6 @@ int
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
int skip, int protoff, struct m_tag *mt)
{
- INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip *ip;
struct m_tag *mtag;
@@ -518,7 +516,6 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
int
ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
{
- INIT_VNET_IPSEC(curvnet);
int l = 0;
int protoff;
struct ip6_ext ip6e;
@@ -569,8 +566,6 @@ int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
struct m_tag *mt)
{
- INIT_VNET_INET6(curvnet);
- INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index d813c92..1b92881 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -39,6 +39,8 @@
#include <sys/vimage.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netinet/in.h>
#include <netipsec/ipsec.h>
@@ -54,7 +56,6 @@
struct mbuf *
m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m;
unsigned remain;
@@ -158,7 +159,6 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
caddr_t
m_pad(struct mbuf *m, int n)
{
- INIT_VNET_IPSEC(curvnet);
register struct mbuf *m0, *m1;
register int len, pad;
caddr_t retval;
@@ -231,7 +231,6 @@ m_pad(struct mbuf *m, int n)
int
m_striphdr(struct mbuf *m, int skip, int hlen)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m1;
int roff;
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index b953786..f689fb2 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -47,6 +47,7 @@
#include <net/if.h>
#include <net/pfil.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -65,7 +66,6 @@
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet/icmp6.h>
-#include <netinet6/vinet6.h>
#endif
#include <netipsec/ipsec.h>
@@ -96,7 +96,6 @@
int
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_ident *tdbi;
struct m_tag *mtag;
struct secasvar *sav;
@@ -264,7 +263,6 @@ ipsec_nextisr(
{
#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
IPSECREQUEST_LOCK_ASSERT(isr);
@@ -408,7 +406,6 @@ ipsec4_process_packet(
int flags,
int tunalready)
{
- INIT_VNET_IPSEC(curvnet);
struct secasindex saidx;
struct secasvar *sav;
struct ip *ip;
@@ -622,7 +619,6 @@ ipsec6_output_trans(
int flags,
int *tun)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
struct secasindex saidx;
int error = 0;
@@ -690,7 +686,6 @@ bad:
static int
ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *oip6;
struct ip6_hdr *ip6;
size_t plen;
@@ -760,8 +755,6 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
int
ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
{
- INIT_VNET_INET6(curvnet);
- INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *ip6;
struct ipsecrequest *isr;
struct secasindex saidx;
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 3dc6878..07a5945 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -61,6 +61,7 @@
#include <net/if.h>
#include <net/route.h>
#include <net/raw_cb.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -75,11 +76,9 @@
#ifdef INET
#include <netinet/in_pcb.h>
-#include <netinet/vinet.h>
#endif
#ifdef INET6
#include <netinet6/in6_pcb.h>
-#include <netinet6/vinet6.h>
#endif /* INET6 */
#include <net/pfkeyv2.h>
@@ -99,7 +98,6 @@
/* randomness */
#include <sys/random.h>
-#include <sys/vimage.h>
#define FULLMASK 0xff
#define _BITS(bytes) ((bytes) << 3)
@@ -115,31 +113,37 @@
* field hits 0 (= no external reference other than from SA header.
*/
-#ifdef VIMAGE_GLOBALS
-u_int32_t key_debug_level;
-static u_int key_spi_trycnt;
-static u_int32_t key_spi_minval;
-static u_int32_t key_spi_maxval;
-static u_int32_t policy_id;
-static u_int key_int_random;
-static u_int key_larval_lifetime;
-static int key_blockacq_count;
-static int key_blockacq_lifetime;
-static int key_preferred_oldsa;
-
-static u_int32_t acq_seq;
-
-static int ipsec_esp_keymin;
-static int ipsec_esp_auth;
-static int ipsec_ah_keymin;
-
-static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
-static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
-static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
-static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
-#endif /* VIMAGE_GLOBALS */
-
+VNET_DEFINE(u_int32_t, key_debug_level) = 0;
+static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
+#define V_key_spi_trycnt VNET_GET(key_spi_trycnt)
+static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
+#define V_key_spi_minval VNET_GET(key_spi_minval)
+static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
+#define V_key_spi_maxval VNET_GET(key_spi_maxval)
+static VNET_DEFINE(u_int32_t, policy_id) = 0;
+#define V_policy_id VNET_GET(policy_id)
+/*interval to initialize randseed,1(m)*/
+static VNET_DEFINE(u_int, key_int_random) = 60;
+#define V_key_int_random VNET_GET(key_int_random)
+/* interval to expire acquiring, 30(s)*/
+static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
+#define V_key_larval_lifetime VNET_GET(key_larval_lifetime)
+/* counter for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_count) = 10;
+#define V_key_blockacq_count VNET_GET(key_blockacq_count)
+/* lifetime for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
+#define V_key_blockacq_lifetime VNET_GET(key_blockacq_lifetime)
+/* preferred old sa rather than new sa.*/
+static VNET_DEFINE(int, key_preferred_oldsa) = 1;
+#define V_key_preferred_oldsa VNET_GET(key_preferred_oldsa)
+
+static VNET_DEFINE(u_int32_t, acq_seq) = 0;
+#define V_acq_seq VNET_GET(acq_seq)
+
+ /* SPD */
+static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]);
+#define V_sptree VNET_GET(sptree)
static struct mtx sptree_lock;
#define SPTREE_LOCK_INIT() \
mtx_init(&sptree_lock, "sptree", \
@@ -149,6 +153,8 @@ static struct mtx sptree_lock;
#define SPTREE_UNLOCK() mtx_unlock(&sptree_lock)
#define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED)
+static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */
+#define V_sahtree VNET_GET(sahtree)
static struct mtx sahtree_lock;
#define SAHTREE_LOCK_INIT() \
mtx_init(&sahtree_lock, "sahtree", \
@@ -159,6 +165,8 @@ static struct mtx sahtree_lock;
#define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
/* registed list */
+static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
+#define V_regtree VNET_GET(regtree)
static struct mtx regtree_lock;
#define REGTREE_LOCK_INIT() \
mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -167,6 +175,8 @@ static struct mtx regtree_lock;
#define REGTREE_UNLOCK() mtx_unlock(&regtree_lock)
#define REGTREE_LOCK_ASSERT() mtx_assert(&regtree_lock, MA_OWNED)
+static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */
+#define V_acqtree VNET_GET(acqtree)
static struct mtx acq_lock;
#define ACQ_LOCK_INIT() \
mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -175,6 +185,9 @@ static struct mtx acq_lock;
#define ACQ_UNLOCK() mtx_unlock(&acq_lock)
#define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
+ /* SP acquiring list */
+static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
+#define V_spacqtree VNET_GET(spacqtree)
static struct mtx spacq_lock;
#define SPACQ_LOCK_INIT() \
mtx_init(&spacq_lock, "spacqtree", \
@@ -257,56 +270,63 @@ static const int maxsize[] = {
sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
};
+static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
+#define V_ipsec_esp_keymin VNET_GET(ipsec_esp_keymin)
+static VNET_DEFINE(int, ipsec_esp_auth) = 0;
+#define V_ipsec_esp_auth VNET_GET(ipsec_esp_auth)
+static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
+#define V_ipsec_ah_keymin VNET_GET(ipsec_ah_keymin)
+
#ifdef SYSCTL_DECL
SYSCTL_DECL(_net_key);
#endif
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug,
- CTLFLAG_RW, key_debug_level, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug,
+ CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, "");
/* max count of trial for the decision of spi value */
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt,
- CTLFLAG_RW, key_spi_trycnt, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
+ CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "");
/* minimum spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE,
- spi_minval, CTLFLAG_RW, key_spi_minval, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE,
+ spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "");
/* maximun spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE,
- spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE,
+ spi_maxval, CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, "");
/* interval to initialize randseed */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT,
- int_random, CTLFLAG_RW, key_int_random, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT,
+ int_random, CTLFLAG_RW, &VNET_NAME(key_int_random), 0, "");
/* lifetime for larval SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME,
- larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME,
+ larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, "");
/* counter for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT,
- blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT,
+ blockacq_count, CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, "");
/* lifetime for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME,
- blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME,
+ blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
/* ESP auth */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth,
- CTLFLAG_RW, ipsec_esp_auth, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth,
+ CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, "");
/* minimum ESP key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN,
- esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN,
+ esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, "");
/* minimum AH key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin,
- CTLFLAG_RW, ipsec_ah_keymin, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin,
+ CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, "");
/* perfered old SA rather than new SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA,
- preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA,
+ preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, "");
#define __LIST_CHAINED(elm) \
(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
@@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp)
int
key_havesp(u_int dir)
{
- INIT_VNET_IPSEC(curvnet);
return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
LIST_FIRST(&V_sptree[dir]) != NULL : 1);
@@ -595,7 +614,6 @@ key_havesp(u_int dir)
struct secpolicy *
key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi,
u_int dir,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(dst != NULL, ("null dst"));
@@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc,
const struct sockaddr *idst,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
const int dir = IPSEC_DIR_INBOUND;
struct ipsecrequest *r1, *r2, *p;
@@ -791,7 +807,6 @@ done:
int
key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
u_int level;
int error;
@@ -887,7 +902,6 @@ static struct secasvar *
key_allocsa_policy(const struct secasindex *saidx)
{
#define N(a) _ARRAYLEN(a)
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize;
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx)
static struct secasvar *
key_do_allocsa_policy(struct secashead *sah, u_int state)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav, *candidate, *d;
/* initilize */
@@ -1081,7 +1094,6 @@ key_allocsa(
u_int32_t spi,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize, state;
@@ -1160,7 +1172,6 @@ done:
void
_key_freesp(struct secpolicy **spp, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp = *spp;
IPSEC_ASSERT(sp != NULL, ("null sp"));
@@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag)
void
key_freeso(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
IPSEC_ASSERT(so != NULL, ("null so"));
switch (so->so_proto->pr_domain->dom_family) {
@@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp)
void
key_freesav(struct secasvar **psav, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav = *psav;
IPSEC_ASSERT(sav != NULL, ("null sav"));
@@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp)
static struct secpolicy *
key_getsp(struct secpolicyindex *spidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx)
static struct secpolicy *
key_getspbyid(u_int32_t id)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
SPTREE_LOCK();
@@ -1353,7 +1360,6 @@ done:
struct secpolicy *
key_newsp(const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp = NULL;
newsp = (struct secpolicy *)
@@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error)
size_t len;
int *error;
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp;
IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0, *xpl;
struct sadb_lifetime *lft = NULL;
@@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp)
static u_int32_t
key_getnewspid()
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t newid = 0;
int count = V_key_spi_trycnt; /* XXX */
struct secpolicy *sp;
@@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0;
struct secpolicyindex spidx;
@@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
@@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
struct mbuf *n;
@@ -2315,7 +2315,6 @@ int
key_spdacquire(sp)
struct secpolicy *sp;
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secspacq *newspacq;
@@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secpolicy *sp;
u_int dir;
@@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int cnt;
u_int dir;
@@ -2704,7 +2701,6 @@ static struct secashead *
key_newsah(saidx)
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *newsah;
IPSEC_ASSERT(saidx != NULL, ("null saidx"));
@@ -2733,7 +2729,6 @@ static void
key_delsah(sah)
struct secashead *sah;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav;
u_int stateidx;
int zombie = 0;
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag)
const char* where;
int tag;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *newsav;
const struct sadb_sa *xsa;
@@ -2962,7 +2956,6 @@ static struct secashead *
key_getsah(saidx)
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
SAHTREE_LOCK();
@@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi)
struct secasindex *saidx;
u_int32_t spi;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
@@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi)
struct secashead *sah;
u_int32_t spi;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
u_int stateidx, state;
@@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
int error = 0;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp)
static int
key_mature(struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
int error;
/* check SPI value */
@@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type)
u_int16_t
key_portfromsaddr(struct sockaddr *sa)
{
- INIT_VNET_IPSEC(curvnet);
switch (sa->sa_family) {
#ifdef INET
@@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa)
static void
key_porttosaddr(struct sockaddr *sa, u_int16_t port)
{
- INIT_VNET_IPSEC(curvnet);
switch (sa->sa_family) {
#ifdef INET
@@ -3868,7 +3855,6 @@ struct seckey *
key_dup_keymsg(const struct sadb_key *src, u_int len,
struct malloc_type *type)
{
- INIT_VNET_IPSEC(curvnet);
struct seckey *dst;
dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
if (dst != NULL) {
@@ -3902,7 +3888,6 @@ static struct seclifetime *
key_dup_lifemsg(const struct sadb_lifetime *src,
struct malloc_type *type)
{
- INIT_VNET_IPSEC(curvnet);
struct seclifetime *dst = NULL;
dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa)
struct sockaddr *sa;
{
#ifdef INET
- INIT_VNET_INET(curvnet);
struct sockaddr_in *sin;
struct in_ifaddr *ia;
#endif
@@ -3976,7 +3960,6 @@ static int
key_ismyaddr6(sin6)
struct sockaddr_in6 *sin6;
{
- INIT_VNET_INET6(curvnet);
struct in6_ifaddr *ia;
#if 0
struct in6_multi *in6m;
@@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits)
static void
key_flush_spd(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
static u_int16_t sptree_scangen = 0;
u_int16_t gen = sptree_scangen++;
struct secpolicy *sp;
@@ -4373,7 +4355,6 @@ restart:
static void
key_flush_sad(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -4511,7 +4492,6 @@ key_flush_sad(time_t now)
static void
key_flush_acq(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq, *nextacq;
/* ACQ tree */
@@ -4530,7 +4510,6 @@ key_flush_acq(time_t now)
static void
key_flush_spacq(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq, *nextacq;
/* SP ACQ tree */
@@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *newsah;
@@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx)
struct sadb_spirange *spirange;
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t newspi;
u_int32_t min, max;
int count = V_key_spi_trycnt;
@@ -4995,7 +4972,6 @@ key_update(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
#ifdef IPSEC_NAT_T
@@ -5286,7 +5262,6 @@ key_add(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
#ifdef IPSEC_NAT_T
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
const struct sadb_ident *idsrc, *iddst;
int idsrclen, iddstlen;
@@ -5624,7 +5598,6 @@ key_delete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -5770,7 +5743,6 @@ static int
key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp,
u_int16_t proto)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -5894,7 +5866,6 @@ key_get(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb)
static struct mbuf *
key_getcomb_esp()
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct enc_xform *algo;
struct mbuf *result = NULL, *m, *n;
@@ -6116,7 +6086,6 @@ key_getsizes_ah(
u_int16_t* min,
u_int16_t* max)
{
- INIT_VNET_IPSEC(curvnet);
*min = *max = ah->keysize;
if (ah->keysize == 0) {
@@ -6142,7 +6111,6 @@ key_getsizes_ah(
static struct mbuf *
key_getcomb_ah()
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct auth_hash *algo;
struct mbuf *m;
@@ -6303,7 +6271,6 @@ key_getprop(saidx)
static int
key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secacq *newacq;
u_int8_t satype;
@@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
static struct secacq *
key_newacq(const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *newacq;
/* get new entry */
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx)
static struct secacq *
key_getacq(const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -6518,7 +6483,6 @@ static struct secacq *
key_getacqbyseq(seq)
u_int32_t seq;
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -6535,7 +6499,6 @@ static struct secspacq *
key_newspacq(spidx)
struct secpolicyindex *spidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
/* get new entry */
@@ -6562,7 +6525,6 @@ static struct secspacq *
key_getspacq(spidx)
struct secpolicyindex *spidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
SPACQ_LOCK();
@@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
const struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -6756,7 +6717,6 @@ key_register(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secreg *reg, *newreg = 0;
IPSEC_ASSERT(so != NULL, ("null socket"));
@@ -6911,7 +6871,6 @@ key_register(so, m, mhp)
void
key_freereg(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct secreg *reg;
int i;
@@ -7087,7 +7046,6 @@ key_flush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -7171,7 +7129,6 @@ key_dump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int16_t proto;
@@ -7352,7 +7309,6 @@ key_parse(m, so)
struct mbuf *m;
struct socket *so;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
struct sadb_msghdr mh;
u_int orglen;
@@ -7624,7 +7580,6 @@ key_align(m, mhp)
struct mbuf *m;
struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct sadb_ext *ext;
size_t off, end;
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
void
key_init(void)
{
- INIT_VNET_IPSEC(curvnet);
int i;
- V_key_debug_level = 0;
- V_key_spi_trycnt = 1000;
- V_key_spi_minval = 0x100;
- V_key_spi_maxval = 0x0fffffff; /* XXX */
- V_policy_id = 0;
- V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
- V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
- V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
- V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
- V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
-
- V_acq_seq = 0;
-
- V_ipsec_esp_keymin = 256;
- V_ipsec_esp_auth = 0;
- V_ipsec_ah_keymin = 128;
-
for (i = 0; i < IPSEC_DIR_MAX; i++)
LIST_INIT(&V_sptree[i]);
@@ -7850,7 +7787,6 @@ key_init(void)
void
key_destroy(void)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp, *nextsp;
struct secspacq *acq, *nextacq;
struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
key_sa_routechange(dst)
struct sockaddr *dst;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct route *ro;
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index a13a88a..da5dd75 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -44,9 +44,9 @@
#include <sys/queue.h>
#endif
#include <sys/socket.h>
-#include <sys/vimage.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netipsec/key_var.h>
#include <netipsec/key_debug.h>
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index 6ca0fe2..3082cc3 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -56,7 +56,8 @@
#define KEYDEBUG(lev,arg) \
do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
-extern u_int32_t key_debug_level;
+VNET_DECLARE(u_int32_t, key_debug_level);
+#define V_key_debug_level VNET_GET(key_debug_level)
#endif /*_KERNEL*/
struct sadb_msg;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index bb7cb00..1c79421 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -67,22 +67,25 @@
#include <machine/stdarg.h>
-#ifdef VIMAGE_GLOBALS
-static struct key_cb key_cb;
-struct pfkeystat pfkeystat;
-#endif
+struct key_cb {
+ int key_count;
+ int any_count;
+};
+static VNET_DEFINE(struct key_cb, key_cb);
+#define V_key_cb VNET_GET(key_cb)
-static struct sockaddr key_src = { 2, PF_KEY };
+static struct sockaddr key_src = { 2, PF_KEY, };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
+VNET_DEFINE(struct pfkeystat, pfkeystat);
+
/*
* key_output()
*/
int
key_output(struct mbuf *m, struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
int len, error = 0;
@@ -136,7 +139,6 @@ key_sendup0(rp, m, promisc)
struct mbuf *m;
int promisc;
{
- INIT_VNET_IPSEC(curvnet);
int error;
if (promisc) {
@@ -181,7 +183,6 @@ key_sendup(so, msg, len, target)
u_int len;
int target; /*target of the resulting message*/
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m, *n, *mprev;
int tlen;
@@ -270,8 +271,6 @@ key_sendup_mbuf(so, m, target)
struct mbuf *m;
int target;
{
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct keycb *kp;
int sendup;
@@ -389,7 +388,6 @@ key_abort(struct socket *so)
static int
key_attach(struct socket *so, int proto, struct thread *td)
{
- INIT_VNET_IPSEC(curvnet);
struct keycb *kp;
int error;
@@ -464,7 +462,6 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
static void
key_detach(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct keycb *kp = (struct keycb *)sotorawcb(so);
KASSERT(kp != NULL, ("key_detach: kp == NULL"));
@@ -567,10 +564,8 @@ struct protosw keysw[] = {
static void
key_init0(void)
{
- INIT_VNET_IPSEC(curvnet);
bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
- ipsec_init();
key_init();
}
diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h
index 1097206..bcc274b 100644
--- a/sys/netipsec/keysock.h
+++ b/sys/netipsec/keysock.h
@@ -58,11 +58,6 @@ struct pfkeystat {
u_quad_t sockerr; /* # of socket related errors */
};
-struct key_cb {
- int key_count;
- int any_count;
-};
-
#define KEY_SENDUP_ONE 0
#define KEY_SENDUP_ALL 1
#define KEY_SENDUP_REGISTERED 2
@@ -74,7 +69,8 @@ struct keycb {
int kp_registered; /* registered socket */
};
-extern struct pfkeystat pfkeystat;
+VNET_DECLARE(struct pfkeystat, pfkeystat);
+#define V_pfkeystat VNET_GET(pfkeystat)
extern int key_output(struct mbuf *m, struct socket *so);
extern int key_usrreq __P((struct socket *,
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
deleted file mode 100644
index 4a643e5..0000000
--- a/sys/netipsec/vipsec.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (c) 2007-2008 University of Zagreb
- * Copyright (c) 2007-2008 FreeBSD Foundation
- *
- * This software was developed by the University of Zagreb and the
- * FreeBSD Foundation under sponsorship by the Stichting NLnet and the
- * FreeBSD Foundation.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef _NETIPSEC_VIPSEC_H_
-#define _NETIPSEC_VIPSEC_H_
-
-#include <sys/protosw.h>
-
-#include <net/pfkeyv2.h>
-#include <net/raw_cb.h>
-
-#include <netipsec/ah_var.h>
-#include <netipsec/esp_var.h>
-#include <netipsec/ipcomp_var.h>
-#include <netipsec/ipip_var.h>
-#include <netipsec/ipsec.h>
-#include <netipsec/keysock.h>
-
-struct vnet_ipsec {
- int _ipsec_debug;
- struct ipsecstat _ipsec4stat;
- struct secpolicy _ip4_def_policy;
-
- int _ip4_esp_trans_deflev;
- int _ip4_esp_net_deflev;
- int _ip4_ah_trans_deflev;
- int _ip4_ah_net_deflev;
- int _ip4_ah_offsetmask;
- int _ip4_ipsec_dfbit;
- int _ip4_ipsec_ecn;
- int _ip4_ipsec_filtertunnel;
- int _ip4_esp_randpad;
-
- int _ipsec_replay;
- int _ipsec_integrity;
- int _crypto_support;
-
- u_int32_t _key_debug_level;
- u_int _key_spi_trycnt;
- u_int32_t _key_spi_minval;
- u_int32_t _key_spi_maxval;
- u_int32_t _policy_id;
- u_int _key_int_random;
- u_int _key_larval_lifetime;
- int _key_blockacq_count;
- int _key_blockacq_lifetime;
- int _key_preferred_oldsa;
- u_int32_t _acq_seq;
-
- int _esp_enable;
- struct espstat _espstat;
- int _esp_max_ivlen;
- int _ipsec_esp_keymin;
- int _ipsec_esp_auth;
- int _ipsec_ah_keymin;
- int _ipip_allow;
- struct ipipstat _ipipstat;
-
- struct ipsecstat _ipsec6stat;
- int _ip6_esp_trans_deflev;
- int _ip6_esp_net_deflev;
- int _ip6_ah_trans_deflev;
- int _ip6_ah_net_deflev;
- int _ip6_ipsec_ecn;
- int _ip6_ipsec6_filtertunnel;
-
- int _ah_enable;
- int _ah_cleartos;
- struct ahstat _ahstat;
-
- int _ipcomp_enable;
- struct ipcompstat _ipcompstat;
-
- struct pfkeystat _pfkeystat;
- struct key_cb _key_cb;
- LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX];
- LIST_HEAD(, secashead) _sahtree;
- LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1];
- LIST_HEAD(, secacq) _acqtree;
- LIST_HEAD(, secspacq) _spacqtree;
-};
-
-/* Size guard. See sys/vimage.h. */
-VIMAGE_CTASSERT(SIZEOF_vnet_ipsec, sizeof(struct vnet_ipsec));
-
-#ifndef VIMAGE
-#ifndef VIMAGE_GLOBALS
-extern struct vnet_ipsec vnet_ipsec_0;
-#endif
-#endif
-
-/*
- * Symbol translation macros
- */
-#define INIT_VNET_IPSEC(vnet) \
- INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec)
-
-#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym)
-
-#define V_acq_seq VNET_IPSEC(acq_seq)
-#define V_acqtree VNET_IPSEC(acqtree)
-#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
-#define V_ah_enable VNET_IPSEC(ah_enable)
-#define V_ahstat VNET_IPSEC(ahstat)
-#define V_crypto_support VNET_IPSEC(crypto_support)
-#define V_esp_enable VNET_IPSEC(esp_enable)
-#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen)
-#define V_espstat VNET_IPSEC(espstat)
-#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev)
-#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask)
-#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev)
-#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy)
-#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev)
-#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad)
-#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
-#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
-#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
-#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel)
-#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
-#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
-#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
-#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
-#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
-#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
-#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel)
-#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
-#define V_ipcompstat VNET_IPSEC(ipcompstat)
-#define V_ipip_allow VNET_IPSEC(ipip_allow)
-#define V_ipipstat VNET_IPSEC(ipipstat)
-#define V_ipsec4stat VNET_IPSEC(ipsec4stat)
-#define V_ipsec6stat VNET_IPSEC(ipsec6stat)
-#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin)
-#define V_ipsec_debug VNET_IPSEC(ipsec_debug)
-#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth)
-#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin)
-#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity)
-#define V_ipsec_replay VNET_IPSEC(ipsec_replay)
-#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count)
-#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime)
-#define V_key_cb VNET_IPSEC(key_cb)
-#define V_key_debug_level VNET_IPSEC(key_debug_level)
-#define V_key_int_random VNET_IPSEC(key_int_random)
-#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime)
-#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa)
-#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval)
-#define V_key_spi_minval VNET_IPSEC(key_spi_minval)
-#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt)
-#define V_pfkeystat VNET_IPSEC(pfkeystat)
-#define V_policy_id VNET_IPSEC(policy_id)
-#define V_regtree VNET_IPSEC(regtree)
-#define V_sahtree VNET_IPSEC(sahtree)
-#define V_spacqtree VNET_IPSEC(spacqtree)
-#define V_sptree VNET_IPSEC(sptree)
-
-#endif /* !_NETIPSEC_VIPSEC_H_ */
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 07d7001..658c92c 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -49,6 +49,7 @@
#include <sys/vimage.h>
#include <net/if.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -73,17 +74,6 @@
#include <opencrypto/cryptodev.h>
-static int ah_iattach(const void *);
-
-#ifndef VIMAGE_GLOBALS
-static const vnet_modinfo_t vnet_ah_modinfo = {
- .vmi_id = VNET_MOD_AH,
- .vmi_name = "ipsec_ah",
- .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ah_iattach
-};
-#endif /* !VIMAGE_GLOBALS */
-
/*
* Return header size in bytes. The old protocol did not support
* the replay counter; the new protocol always includes the counter.
@@ -99,19 +89,17 @@ static const vnet_modinfo_t vnet_ah_modinfo = {
#define AUTHSIZE(sav) \
((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
-#ifdef VIMAGE_GLOBALS
-int ah_enable;
-int ah_cleartos;
-struct ahstat ahstat;
-#endif
+VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
+VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
+VNET_DEFINE(struct ahstat, ahstat);
SYSCTL_DECL(_net_inet_ah);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_enable, CTLFLAG_RW, ah_enable, 0, "");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ahstat, ahstat, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, "");
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
@@ -173,7 +161,6 @@ ah_hdrsiz(struct secasvar *sav)
int
ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *thash;
int keylen;
@@ -228,7 +215,6 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
static int
ah_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct cryptoini cria;
int error;
@@ -263,7 +249,6 @@ ah_zeroize(struct secasvar *sav)
static int
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m = *m0;
unsigned char *ptr;
int off, count;
@@ -568,7 +553,6 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *ahx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
@@ -738,7 +722,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ah_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
int rplen, error, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m;
@@ -901,7 +884,6 @@ ah_output(
int skip,
int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct auth_hash *ahx;
struct cryptodesc *crda;
@@ -1128,7 +1110,6 @@ bad:
static int
ah_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
int skip, protoff, error;
struct tdb_crypto *tc;
struct ipsecrequest *isr;
@@ -1232,21 +1213,6 @@ ah_attach(void)
{
xform_register(&ah_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_ah_modinfo);
-#else
- ah_iattach(NULL);
-#endif
}
-static int
-ah_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ah_enable = 1; /* control flow of packets with AH */
- V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
-
- return (0);
-}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 6508c14..afb9d2d 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -49,6 +49,7 @@
#include <sys/vimage.h>
#include <net/if.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -76,30 +77,21 @@
#include <opencrypto/cryptodev.h>
#include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-struct espstat espstat;
-static int esp_max_ivlen; /* max iv length over all algorithms */
-int esp_enable;
-#endif
+VNET_DEFINE(int, esp_enable) = 1;
+VNET_DEFINE(struct espstat, espstat);
SYSCTL_DECL(_net_inet_esp);
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
- esp_enable, CTLFLAG_RW, esp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, espstat, espstat, "");
+SYSCTL_VNET_INT(_net_inet_esp, OID_AUTO,
+ esp_enable, CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_esp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(espstat), espstat, "");
+
+/* max iv length over all algorithms */
+static VNET_DEFINE(int, esp_max_ivlen) = 0;
+#define V_esp_max_ivlen VNET_GET(esp_max_ivlen)
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
-static int esp_iattach(const void *);
-
-#ifndef VIMAGE_GLOBALS
-static const vnet_modinfo_t vnet_esp_modinfo = {
- .vmi_id = VNET_MOD_ESP,
- .vmi_name = "ipsec_esp",
- .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = esp_iattach
-};
-#endif /* !VIMAGE_GLOBALS */
/*
* NB: this is public for use by the PF_KEY support.
@@ -134,7 +126,6 @@ esp_algorithm_lookup(int alg)
size_t
esp_hdrsiz(struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
size_t size;
if (sav != NULL) {
@@ -169,7 +160,6 @@ esp_hdrsiz(struct secasvar *sav)
static int
esp_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct enc_xform *txform;
struct cryptoini cria, crie;
int keylen;
@@ -280,7 +270,6 @@ esp_zeroize(struct secasvar *sav)
static int
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_ident *tdbi;
@@ -463,7 +452,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
esp_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
int hlen, skip, protoff, error;
struct mbuf *m;
@@ -667,7 +655,6 @@ esp_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
struct enc_xform *espx;
struct auth_hash *esph;
int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -898,7 +885,6 @@ bad:
static int
esp_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@@ -1000,27 +986,10 @@ static struct xformsw esp_xformsw = {
static void
esp_attach(void)
{
-
- xform_register(&esp_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_esp_modinfo);
-#else
- esp_iattach(NULL);
-#endif
-}
-
-static int
-esp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
#define MAXIV(xform) \
if (xform.blocksize > V_esp_max_ivlen) \
V_esp_max_ivlen = xform.blocksize \
- V_esp_enable = 1;
- V_esp_max_ivlen = 0;
-
MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
@@ -1029,8 +998,8 @@ esp_iattach(const void *unused __unused)
MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
MAXIV(enc_xform_null); /* SADB_EALG_NULL */
MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */
-#undef MAXIV
- return (0);
+ xform_register(&esp_xformsw);
+#undef MAXIV
}
SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 8e2f1c4..2ea83e0 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -49,6 +49,8 @@
#include <netinet/ip_var.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -67,29 +69,25 @@
#include <opencrypto/deflate.h>
#include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-int ipcomp_enable;
-struct ipcompstat ipcompstat;
-#endif
+VNET_DEFINE(int, ipcomp_enable) = 0;
+VNET_DEFINE(struct ipcompstat, ipcompstat);
SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
+SYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipcompstat), ipcompstat, "");
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
-static int ipcomp_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipcomp_modinfo = {
.vmi_id = VNET_MOD_IPCOMP,
.vmi_name = "ipsec_ipcomp",
.vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipcomp_iattach
};
-#endif /* !VIMAGE_GLOBALS */
+#endif
struct comp_algo *
ipcomp_algorithm_lookup(int alg)
@@ -109,7 +107,6 @@ ipcomp_algorithm_lookup(int alg)
static int
ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct comp_algo *tcomp;
struct cryptoini cric;
@@ -150,7 +147,6 @@ ipcomp_zeroize(struct secasvar *sav)
static int
ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
@@ -221,7 +217,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ipcomp_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct cryptodesc *crd;
struct tdb_crypto *tc;
int skip, protoff;
@@ -342,7 +337,6 @@ ipcomp_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize, roff;
@@ -501,7 +495,6 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@@ -611,19 +604,9 @@ ipcomp_attach(void)
{
xform_register(&ipcomp_xformsw);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipcomp_modinfo);
-#else
- ipcomp_iattach(NULL);
#endif
}
-static int
-ipcomp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipcomp_enable = 0;
- return (0);
-}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index d9cf8c6..8de23ec 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -68,7 +68,6 @@
#ifdef MROUTING
#include <netinet/ip_mroute.h>
#endif
-#include <netinet/vinet.h>
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -92,31 +91,27 @@
* We can control the acceptance of IP4 packets by altering the sysctl
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
*/
-#ifdef VIMAGE_GLOBALS
-int ipip_allow;
-struct ipipstat ipipstat;
-#endif
+VNET_DEFINE(int, ipip_allow) = 0;
+VNET_DEFINE(struct ipipstat, ipipstat);
SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
- ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipipstat, ipipstat, "");
+SYSCTL_VNET_INT(_net_inet_ipip, OID_AUTO,
+ ipip_allow, CTLFLAG_RW, &VNET_NAME(ipip_allow), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipipstat), ipipstat, "");
/* XXX IPCOMP */
#define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
-static int ipe4_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipip_modinfo = {
.vmi_id = VNET_MOD_IPIP,
.vmi_name = "ipsec_ipip",
.vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipe4_iattach
};
-#endif /* !VIMAGE_GLOBALS */
+#endif
#ifdef INET6
/*
@@ -169,8 +164,6 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
#ifdef INET
register struct sockaddr_in *sin;
#endif
@@ -424,10 +417,6 @@ ipip_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
-#ifdef INET
- INIT_VNET_INET(curvnet);
-#endif /* INET */
struct secasvar *sav;
u_int8_t tp, otos;
struct secasindex *saidx;
@@ -708,15 +697,6 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
}
-static int
-ipe4_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipip_allow = 0;
- return (0);
-}
-
static void
ipe4_attach(void)
{
@@ -730,10 +710,8 @@ ipe4_attach(void)
(void) encap_attach_func(AF_INET6, -1,
ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
#endif
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipip_modinfo);
-#else
- ipe4_iattach(NULL);
#endif
}
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 35a4d43..1fad954 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -49,6 +49,8 @@
#include <netinet/tcp_var.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -83,7 +85,6 @@
static int
tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
int keylen;
if (sav->spi != htonl(TCP_SIG_SPI)) {
OpenPOWER on IntegriCloud